Review of the "ELB Sandwich" design
- Is it always best to design?
- How can it impact performance, security & complexity?
Accelerating web-based applications
- Why HTTP/2 is so much faster than HTTP 1.1
- Implementing HTTP/2 without changing your webservers.
- Simplifying certain SSL designs & lowering recurring costs.
- Solving unexpected application problems with ADCs.
* Presented at the Sydney AWS Meetup session 6th July 2016
http://www.meetup.com/AWS-Sydney/
Hosted and organised by PolarSeven - http://polarseven.com
5. Brocade
Not just a storage connectivity company any more…
• Focused on datacentre products: virtualised, software defined, or hardware
• Acquired Vyatta, Inc. (2012)
• Acquired SteelApp from Riverbed (2015), subsequently relabelled vADC
‒ Formerly known as Stingray
‒ Formerly known as Zeus Traffic Manager
(It’s had a few names)
6. Why vADC?
Hundreds of reasons to consider; here’s a few:
• TLS 1.2 support
• SNI support
• HTTP/2 (with proxying to HTTP/1.1 if required)
• Compression
• Multi-provider cloud/hybrid cloud
• Integrated WAF
• DIY CDN – with flexibility (S3 frontend)
• Inline content manipulation
• etc…
10. HTTP/1.1 is s l o w
HTTP/1.1
‒ Many short-lived TCP connections
• All subject to TCP slow start
• Potentially requiring an SSL handshake per session
‒ Limited concurrent downloads
• 2-6 per domain (browser dependent)
‒ Lengthy text-based headers
• Same or very similar headers sent with many requests & responses
‒ It’s old (1999)
Workarounds
‒ Domain sharding
‒ Image spriting & resource inlining
‒ Image sampling & conversion
‒ Cookie-less domains
‒ Geographic localisation (CDNs)
11. Latency is the enemy – not bandwidth
Decreasing round trip times or reducing round trips improves performance
Source: Mike Belshe & Ilya Grigorik, Google
12. HTTP/2 is faster than HTTP/1.x
HTTP/2
‒ Single, longer-lived TCP connection per domain
‒ Multiplexing of content over a single TCP connection
‒ More efficient headers
Things to be aware of
‒ Major browsers require TLS for HTTP/2
‒ HTTP/2 & HTTP/1.1 can co-exist
‒ Does not improve single file transfers
‒ Many of the HTTP/1.x developer hacks are no longer required
13. If a picture tells a thousand words…
vTM = Brocade Virtual Traffic Manager
ELB = AWS Elastic Load Balancer
14. Page Load Time Comparisons
HTTP/2 vs HTTPS 1.1 for index.html + 96 small images

Delay (ms)   HTTP/2     HTTPS 1.1   Faster?
0            438 ms     1,035 ms    233%
20           618 ms     1,590 ms    257%
50           750 ms     2,607 ms    348%
100          837 ms     3,484 ms    416%
200          1,199 ms   5,409 ms    451%
300          1,435 ms   7,971 ms    555%

Note: Base latency of 35ms from a residence in Sydney to AWS Sydney
15. Backbone latency from Sydney, Australia
[Map of round-trip latencies from Sydney to other regions; the destination labels did not survive extraction]
Mobile Latency
2G 150-300ms
3G 40-100ms
4G 20ms
17. Performance improvements with HTTP/2
How can the ELB Sandwich design impact performance and visibility?
[Diagram: three deployment options, reconstructed from the slide labels]
Option A: External ELB in HTTPS mode, SNAT with XFF → HTTP/2 Gateway → Internal ELB
‒ Clients to ELB: HTTP 1.x; gateway to servers: HTTP 1.1
Option B: External ELB in TCP mode, SNAT with proxy protocol → HTTP/2 Gateway → Internal ELB
‒ Clients to gateway: HTTP 1.x & HTTP/2; gateway to servers: HTTP 1.1
‒ Note: Proxy/gateway must support proxy protocol to interpret real client IP
Option C: No External ELB; clients talk directly to the proxy/gateway via an Elastic IP → Internal ELB
‒ Clients to gateway: HTTP 1.x & HTTP/2; gateway to servers: HTTP 1.1
‒ Note: Proxy/gateway sees the real client IP directly
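An added example (not from the slides or from the vADC product) of how the proxy/gateway behind the two ELB modes recovers the real client IP: from X-Forwarded-For behind an ELB in HTTPS mode, and from the PROXY protocol v1 line an ELB in TCP mode prepends to the stream. The trusted ELB range and all sample addresses are constructed.

```python
# Added example: how a proxy/gateway recovers the real client IP in the two
# ELB Sandwich variants. Behind an ELB in HTTPS mode the client address is
# appended to X-Forwarded-For; behind an ELB in TCP mode it arrives in a
# PROXY protocol v1 line prepended to the TCP stream. All addresses below
# are constructed (RFC 5737 documentation ranges).
import ipaddress
from typing import List, Tuple

# Constructed: the range the external ELB connects from. Only XFF entries
# added by these hops are trusted; anything the client wrote itself is not.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]

def _trusted(addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in net for net in TRUSTED_PROXIES)

def client_ip_from_xff(xff: str, peer_ip: str) -> str:
    """Walk the hops right to left (peer first) and return the first
    address that is not one of our trusted proxies. Taking the leftmost
    value instead would let a client spoof its own address by sending an
    X-Forwarded-For header before the ELB appends the real one."""
    hops: List[str] = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops + [peer_ip]):
        if not _trusted(hop):
            return hop
    raise ValueError("every hop is a trusted proxy; check TRUSTED_PROXIES")

def client_ip_from_proxy_protocol(stream: bytes) -> Tuple[str, bytes]:
    """Parse the PROXY protocol v1 header an ELB in TCP mode sends and return
    (client_ip, remaining_bytes). The header is ASCII, ends with CRLF and is
    at most 107 bytes: 'PROXY TCP4 <src> <dst> <sport> <dport>\\r\\n'."""
    end = stream.find(b"\r\n", 0, 107)
    if end < 0:
        raise ValueError("no PROXY protocol header at start of stream")
    fields = stream[:end].decode("ascii").split(" ")
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY protocol v1 header")
    src, dst, sport, dport = fields[2:]
    # Validate addresses and ports before trusting them for logging or ACLs.
    ipaddress.ip_address(src)
    ipaddress.ip_address(dst)
    if not all(p.isdigit() and 0 < int(p) < 65536 for p in (sport, dport)):
        raise ValueError("bad port in PROXY protocol header")
    return src, stream[end + 2:]

if __name__ == "__main__":
    # Constructed sample: a client that tried to spoof XFF, then the real ELB hop.
    print(client_ip_from_xff("10.0.0.1, 203.0.113.7", "198.51.100.10"))
    print(client_ip_from_proxy_protocol(
        b"PROXY TCP4 203.0.113.7 198.51.100.10 56324 443\r\nGET / HTTP/1.1\r\n")[0])
```

Both functions return the same client address for the same client; the difference is only where the gateway has to look, which is the point of the proxy protocol note above.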
21. ADCs can help to:
• Fix embedded content
• Provide better scale
• Accelerate your web-based applications
22. How to try vADC
• Download from http://brocade.com/vadc/
‒ Developer mode: 1Mbps throughput, all features available
• Use free trial AMI available from the marketplace:
https://goo.gl/iDZrGO
• Come talk to us!
23. Drone to be Won Today!
Fill out the feedback form and go in a draw to win a drone today.
This slide shows how traffic passes through the Traffic Manager, and where each logical function occurs.
TrafficScript allows you to act on a request, on a response, or at the end of a transaction.
This rule looks for any connection that doesn’t complete properly and flags it to be recorded in the detailed transaction tracing engine on the Traffic Manager for further investigation.
We can also put an entry in the log file with details of what happened.
Connection Completion rules are also useful for flagging other types of problems for more detailed connection tracing, for example:
- Log or Trace connections that took longer than 1000ms to complete;
- Log con
The http.request.get() function allows Traffic Manager to make an arbitrary connection to a remote HTTP service and do something with the reply. In this instance, you would get your application developers to expose an HTTP based query that allows the Traffic Manager to submit a FF number and get an HTTP response back with their FF Membership level.
We grab the FF number out of the customer’s login, look it up and get their membership level.
Once we have this, we can apply different policies on the Traffic Manager like using a special pool or applying less restrictive bandwidth classes for example.