Are you using a load balancer?
I'd like to put a best practice together but would like some Community input. Usually the MWG is administered by one person/team, and the load balancer is administered by another. Having a best practice will make it easier for both sides to get the information they need.
ProxyHA (best practice here) on MWG is an option for a lot of environments, but there's always a place for external load balancers too.
If you have a load balancer, what mode are you using? In my experience the best experience was Direct routing or NAT mode, but there are limiting factors with network configuration.
- Direct Routing / Server Return mode = Load balancer simply routes the packets directly to the upstream MWG. Client IP is obtained from the source IP in the packets.
- NAT mode = Upstream MWG must be in a segmented network with the load balancer as the default gateway. Client IP is obtained from the source IP in the packets.
- Source NAT mode = Load balancer acts as a proxy and sends traffic to the upstream MWG, which must parse X-Forwarded-For to get the client IP. It seems that XFF can be unreliable.
- Any modes I'm missing?
What mode is MWG configured in?
- Direct Proxy mode - This would work for NAT mode or Source NAT mode
- Direct Proxy mode with L2 - Would work with Direct routing, NAT mode, and source NAT mode
- Transparent router mode - Would work with Direct routing, NAT mode, and source NAT mode
- Is there anything strange about the configuration? e.g. I had to configure MWG in Transparent router mode with the LB as the gateway.
- Did you have any seemingly strange routing problems?
What health checks do you have configured? I'm guessing the possible responses would be:
- Ping test - Simple ping to the proxy IP. If it fails, the other tests should determine the action; if the ping fails but the port test succeeds, it doesn't really matter that the ping failed.
- Port test - Verify proxy port is open, failover if port check fails
- Application level test - Send an actual HTTP request to the proxy and check for a certain response code or response body
- Example Application level test? Here is an example of what I have from F5:
GET / HTTP/1.0\r\nHost: www.google.com\r\nUser-Agent: F5-Proxy-Pac-Check\r\nConnection: close\r\n\r\n
How is persistence for client connections configured?
I'm imagining that there is a 5 minute inactivity timeout, whereby the load balancer will send all traffic from a certain source IP to the same proxy until there is 5 minutes of inactivity (this is how MWG's built in ProxyHA works).
Related Community threads:
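Appended after the post as a constructed example, not code from the original post, from MWG, or from F5: a stand-alone Python model of the three things the post asks about. It sends the F5 probe string quoted above as a port test and an application-level test, shows why only the entries your own load balancer appended to X-Forwarded-For can be trusted in Source NAT mode, and implements source-IP persistence with a 5 minute inactivity timeout. Assumptions: the stub proxy is a local stand-in for MWG that answers 200 to any GET so the script runs offline; the initial backend choice is made by hashing the source address (real load balancers use whatever algorithm is configured); the backend names mwg-a/mwg-b and the addresses in the XFF sample are placeholders.

```python
import http.server
import ipaddress
import socket
import threading
import time

# Application-level probe exactly as the F5 send string quoted in the post.
PROBE = (b"GET / HTTP/1.0\r\nHost: www.google.com\r\n"
         b"User-Agent: F5-Proxy-Pac-Check\r\nConnection: close\r\n\r\n")


class _StubProxy(http.server.BaseHTTPRequestHandler):
    """Local stand-in for the MWG listener (assumption: 200 to any GET)."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(b"stub proxy ok")

    def log_message(self, *args):  # keep the example quiet
        pass


def start_stub_proxy():
    """Start the stub on an ephemeral loopback port; returns (server, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _StubProxy)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def port_probe(host, port, timeout=2.0):
    """Port test: can a TCP handshake to the proxy listener complete?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def application_probe(host, port, probe=PROBE, timeout=3.0):
    """Application-level test: send the probe, return the HTTP status code.

    None on connect/read failure or an unparsable status line, so the caller
    treats 'no answer' and 'garbage answer' alike (mark the member down).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(probe)
            data = b""
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    status = data.split(b"\r\n", 1)[0].split(b" ")
    if len(status) < 2 or not status[0].startswith(b"HTTP/"):
        return None
    try:
        return int(status[1])
    except ValueError:
        return None


def client_ip_from_xff(xff_value, trusted_hops=1):
    """Source NAT mode: the LB appends the connecting address to X-Forwarded-For.

    A client can pre-populate the header with anything, so only entries added
    by your own trusted hops count: take the trusted_hops-th entry from the
    right, never the leftmost one.
    """
    hops = [h.strip() for h in xff_value.split(",") if h.strip()]
    if len(hops) < trusted_hops:
        return None
    return hops[-trusted_hops]


class SourcePersistence:
    """Source-IP persistence with an inactivity timeout (300 s as in the post).

    Every request refreshes the entry; it is dropped only after timeout_s of
    silence, or at once if its backend is no longer in the healthy list.
    """
    def __init__(self, timeout_s=300, clock=time.monotonic):
        self.timeout_s = timeout_s
        self.clock = clock      # injectable so the timeout logic is testable
        self.table = {}         # client_ip -> (backend, last_seen)

    def pick(self, client_ip, healthy):
        """Return the backend for client_ip given the healthy backends."""
        if not healthy:
            return None
        now = self.clock()
        entry = self.table.get(client_ip)
        if entry and entry[0] in healthy and now - entry[1] < self.timeout_s:
            backend = entry[0]
        else:
            # Assumption: first choice by hashing the source address.
            backend = healthy[int(ipaddress.ip_address(client_ip)) % len(healthy)]
        self.table[client_ip] = (backend, now)
        return backend


if __name__ == "__main__":
    srv, port = start_stub_proxy()
    print("port test:", port_probe("127.0.0.1", port))
    print("application test:", application_probe("127.0.0.1", port))
    srv.shutdown()
    srv.server_close()
    print("real client:", client_ip_from_xff("1.2.3.4, 192.0.2.10"))
```

Compare the application probe's result against whatever your MWG actually returns for that exact request (a block page, a redirect, or a 200), not against an assumed 200; the stub answers 200 only so the example runs offline. The persistence class is the behaviour to ask the load-balancer team to reproduce: refresh on every request, expire on idle, and fall back immediately when the pinned member fails its health check.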