HW load balanced DXL hub in a DMZ

Hello community,

Does anyone have experience or success with putting a pair of DXL brokers (configured as a hub) behind a hardware based load balancer in a DMZ deployment scenario?    If so, I'd be curious to know the right settings for the DXL Topology configs under Menu, Server Settings, DXL Topology.

A completely hypothetical and yet to be tested config / scenario I'm considering would be something along the lines of this:

System Name: brokerA.something.local
Published System Name: dxl.company.com
IP Address: 10.0.0.10
Published IP Address: 1.2.3.4
Port: 8883

System Name: brokerB.something.local
Published System Name: dxl.company.com
IP Address: 10.0.0.11
Published IP Address: 1.2.3.4
Port: 8883

These two brokers would then become a DXL hub sitting behind a hardware based load balancer listening on a NAT'd internal IP behind a firewall but exposed as a public IP of 1.2.3.4 also resolving publicly to dxl.company.com

The benefits to this (if it works) would be:

  1. more evenly balanced distribution of DXL connections across the hub.  Maybe? e.g. 90K endpoints are distributed somewhat evenly 45K/45K
  2. fewer public IP addresses consumed to facilitate having the service.
  3. fewer domain names published (reducing the publicly visible footprint / knowledge of the infrastructure, # of hosts, etc.)
  4. easier to scale.  Additional brokers & hubs could be added behind the HW based LB's without change to public IP / DNS footprint.

Does anyone know if this would be a technically supported deployment configuration?  Would it work for DXL but break TIE? etc.   Not looking to integrate ATD, so no need to factor in file submissions to TIE, just basic TIE client queries coming in from off-network hosts needing to hit a DXL broker.

Thanks,

ryan

0 Kudos
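The proposed topology boils down to two brokers with distinct internal identities but one shared published identity. The following is an added example (not code from the thread, from McAfee, or from the OpenDXL project): it models the two hypothetical broker entries above, renders what a DXL client would see in the `[Brokers]` section of its `dxlclient.config`, and runs the consistency checks an administrator would want before publishing the settings. The broker IDs are constructed placeholder GUIDs, and the `{id}={id};port;hostname;ip` line layout is assumed to match the OpenDXL client config format.

```python
"""Model the two-broker DXL hub behind one load-balanced published address.

Added example, not part of the original thread. Assumes the OpenDXL
dxlclient.config [Brokers] entry format: {id}={id};port;hostname;ip
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BrokerTopology:
    """One row of the ePO 'DXL Topology' settings for a single broker."""
    broker_id: str              # constructed placeholder GUID, not a real broker id
    system_name: str            # internal hostname (never shown to clients)
    published_system_name: str  # hostname clients are told to connect to
    ip_address: str             # internal IP behind the NAT / load balancer
    published_ip_address: str   # public IP clients are told to connect to
    port: int = 8883

    def client_entry(self) -> str:
        """Render the broker as a client sees it: only the *published* name/IP."""
        bid = "{" + self.broker_id + "}"
        return f"{bid}={bid};{self.port};{self.published_system_name};{self.published_ip_address}"


# The hypothetical hub from the question (constructed GUIDs).
HUB = [
    BrokerTopology("aaaaaaaa-0000-0000-0000-000000000001",
                   "brokerA.something.local", "dxl.company.com",
                   "10.0.0.10", "1.2.3.4"),
    BrokerTopology("aaaaaaaa-0000-0000-0000-000000000002",
                   "brokerB.something.local", "dxl.company.com",
                   "10.0.0.11", "1.2.3.4"),
]


def render_brokers_section(brokers):
    """Return the text of a dxlclient.config [Brokers] section for these brokers."""
    return "\n".join(["[Brokers]"] + [b.client_entry() for b in brokers])


def published_endpoints(brokers):
    """Distinct (hostname, ip, port) tuples a client would actually dial.

    For the load-balancer design to work this set must contain exactly one
    element: the LB's public address. Anything else leaks an internal address
    or splits clients across addresses the LB does not front.
    """
    return {(b.published_system_name, b.published_ip_address, b.port) for b in brokers}


def validate_hub(brokers):
    """Sanity checks before publishing: internal identities unique, published
    identity shared, ports consistent. Returns a list of problem strings
    (empty means the topology is internally consistent)."""
    problems = []
    if len({b.system_name for b in brokers}) != len(brokers):
        problems.append("duplicate System Name across brokers")
    if len({b.ip_address for b in brokers}) != len(brokers):
        problems.append("duplicate internal IP Address across brokers")
    if len(published_endpoints(brokers)) != 1:
        problems.append("brokers publish different endpoints; all must publish the LB address")
    for b in brokers:
        if b.published_ip_address.startswith("10."):
            problems.append(f"{b.system_name}: published IP is an internal address")
    return problems


if __name__ == "__main__":
    print(render_brokers_section(HUB))
    print("problems:", validate_hub(HUB) or "none")
```

Because both entries render to the same `dxl.company.com;1.2.3.4` pair, a client's broker list effectively contains one reachable address, so which broker a given client lands on is decided entirely by the load balancer rather than by the client's own broker selection; that is the behaviour the question is counting on for the 45K/45K split.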
1 Reply
xspader
Level 10

Re: HW load balanced DXL hub in a DMZ

I would think that would be perfectly possible. Just have to make sure that you set the new published details under the server settings. I haven't had to do both as we have far less clients and do not require 2 in the DMZ, but I don't see why this technically wouldn't be possible

0 Kudos