Glad you enjoy it! Thanks Bahaa

Agreed

I think the data here is URL u just entered in the browser which gives IP address so doesn't make sense if you don't want to see them this URL for privacy reasons

❤️❤️ that is awesome 👏 thank you for your kind words and glad you enjoyed the content 🙏🙏

@@hnasr still counting, after learning from all the linked and suggested videos I'm finally seeing the first video of websockets for which I initially came 😂 came for websockets became network engineer and more aware back-end engineer ur awesome dude I have no words for the content quality and availability

Thanks Jeetendra!! appreciate it

Glad you like them! thanks Erlad!

Hi, could you please share any documentation to verify this information

Absolutey true. I just captured packets on the interfaced where HAProxy runs and it turns out it uses different TCP connections for the backend servers.

Iliasbhal aww 😊 thank you so much I am glad you enjoy the content

العفو

Your concerns are totally valid. If there are too many concurrent connections, it can throttle the load balancer itself bringing down the overall availability of the system. Hence, heavy traffic applications like Google and Facebook opt for distributed load balancing where the load balancer is not a single server. Google offers one such service called GCLB-Google cloud load balancer. You can find some info on it here:landing.google.com/sre/workbook/chapters/managing-load/

may be you would have found your answer, if not, see keepalived video of Hussein. You will get an idea Edit : keywords VIP ( virtual ip ), VRRP

Yeah I was a bit confused about the '1 tcp connection' pro that was called out for Layer 4 LBs. The only way this could work is if you had 2 sockets for each logical connection. One for the client connection, and one for the back-end server connection. As soon as the proxy accepts a client connection it must store that socket along with a new socket connection to which ever back-end server was chosen. Bytes just get copied between the receive and send buffers of the socket pairs. All this ip swapping is automatically done through the socket API abstraction. The same would have to happen for layer 7 LBs. Afaik, the only difference is that Layer7 LBs deserialize the http protocol. One huge benefit is per. http request routing, which can help even out load across your backends.

Textras I have not! Didn’t know about it thanks for sharing.. I only discussed HTTP 1.1 smuggling. I wouldn’t worry about h2 clear text though since most h2 setups are secure

@@hnasr saw it here twitter.com/theBumbleSec/status/1303305853525725184?s=19

It is actually a serious one if you backend supports h2c, I need to discuss this thanks for sharing!

Thanks Brian, I talked about DOS here kzbin.info/www/bejne/anqapYONbdSZaMk

PK CC you guys are awesome! Of course I will make videos on topic you guys interested in. Ill just adjust priorities. Hope you enjoy it and thanks for commenting ! Stay awesome 😎

If you are an office fan You will like this http/2 video kzbin.info/www/bejne/nIeugaV6p6qqiqs

You think? kzbin.info/www/bejne/nIeugaV6p6qqiqs

TLDR?

that cracked me up lol

Thanks George! Glad it was

Kristen n charles

Glad you like them!

Thanks 😊 haproxy tutorial is requested a lot! Ill need to make it soon. Have so much other videos on my backlog

Ismail Yushaw hi , unfortunately I don’t didnt discuss that.. however all load balancers are similar. Some picks different design choices Check out this playlist Load Balancing kzbin.info/aero/PLQnljOFTspQWdgYcGXCTkjda8vd2jWJYt

@@hnasr I hope you can do something similar to that of traefik

Rico Agung Firmansyah Thanks 🙏 I use google slides

Glad you liked it

I go in details about this here kzbin.info/www/bejne/r53OcpZvrNJ-nsU kzbin.info/www/bejne/fWmZkqt9m9OKl8k

@@hnasr thank you

Fantastic question. Layer 7 load balancer must terminate TLS while Layer 4 load balancer doesn’t have to. L4 LB can terminate TLS means serve the certificate from the LB, which means it can decrypt and look at the content. It can also decides to Passthrough the TLS. Hello all the way to the backend which means it is end to end encryption and cert is served from Backend

I'm wondering abaut that either. It's so weird.

thanks and apologies for the red dot, I try to get better as I make more videos

@@hnasr but overall great work. keep'em coming. it's been so fun and informational watching your videos. right to the point with demos. I teach in college part time and I wish I could be as a good speaker as you.

Thank you Peng for your kind words. I find making videos help improve my skills. I still need lots of work, particularly getting to the point quicker

That is 100% true thanks for mentioning this, TLS termination can happen in layer 4 (tls handshake will happen between client and proxy) this is as oppose to TLS pass through which the proxy merely forwards the TLS hello all the way to the backend

Thanks Nafas!

Good question! LB starts and establishes a connection B1 to backend1 and B2 to backend2 Client establishes connection C1 with LB. Client sends a request on C1, LB receive it, looks at the content, perhaps changes it and then send the request on B1. LB wait for B1 to respond, once it gets back the result, it sends back the result to client. all this the client is synchronously waiting.. Client sends another request on C1, LB receive it, looks at the content, perhaps changes it and then send the request on B2 (because of round robin algorithm) .. same thing hope this helps

Good question! One implementation is to keep a table of what sourceIP goes to what Destination IP so it can map it. This is called NAT (network address translation) check out the NAT video I did How Network Address Translation is used on Layer 4 Load Balancing and Port forwarding

That is correct. Layer 4 Proxying maps client requests on the same TCP connection to always go to the same host on the backend. That being said the browser (with HTTP/1.1 specifically ) opens multiple TCP connections to a single host. So if you make a request to the site it can go to a TCP connection which will go to Host A but then you can make another request to the same site but browser will use another TCP connection which will land on another Host B.. I explain this in details here kzbin.info/www/bejne/r53OcpZvrNJ-nsU

@@hnasr So a client can establish 2 tcp connections with the same layer 4 load balancer. Even though for both of the tcp connections, the IP address of the client and the IP address : port of the server(layer 4 load balancer) are the same. How would the layer4 load balancer distinguish between the two tcp connections to always route the first tcp connection request and subsequent communication to host A and the second tcp connection request and subsequent communication to host B respectively. What parameter, tag, or any other information is different between the two tcp connections for the layer 4 load balancer to make this decision.

Glad you enjoyed it!

You can set the timeouts as needed check out the video here kzbin.info/www/bejne/p4rRcmV6e6p4gtk

Sanil Khurana Correct a gateway act like a layer 4 NAT proxy. I wouldn’t use the word load balancer for a router because it doesn’t perform that task..

@@hnasr Thanks for the reply! Definitely, an interesting topic and I would look a lot more into it(probably starting with your NAT videos and layer 4, layer 7 load balancing videos) and I love the fact that you take the time to reply to comments.

All of these are interesting questions! Plus it helps other people reading the comments! (Like if you are reading this and getting value)

Marta Zagrajek thanks! Not yet, didnt make a dedicated haproxy video, its on the list of videos to make I made one about nginx though. Next up is websockets 🕸

@@hnasr I will keep waiting ;)

Both l4 and l7

A very interesting insights lets unpack it the backend network interface of HAProxy must live in the same network as backend servers. Probably I am imagining a network switch between them. One port going from HAP to the switch, and from the switch to each backend server. So now the numbers. If we assumed defaults 1 Gbps for all ports. Than haproxy can upload and download 1 Gb per second (~128 MB each second). so if two clients concurrently requested to fetch a resource that is 128MB In size, from HAP, the first request goes to backend 1 the second goes to backend 2. But it will take HAProxies two full seconds to download this resource from each server (assuming no caching) So yes! a 2Gbps uplink:dnlink HAProxy will download the two resources concurrently in 1 second (50%) faster. And to answer your final question, yes if server 1 and 2 uploaded 1 TB each, then HAProxy will have “downloaded” 2TB. Thanks! Let me know if I missed something

You are 100% correct. In a Layer 4 proxying once the TCP connection is established, all packets sent to the reverse proxy on that connection are streamed to the same backend causing a “sticky” session. That is a disadvantage that prevents proper distributions of load. Apologies if my rephrasing in the video was confusing. And thanks for clarifying this 🙏

Filippo Machi Thanks Filippo! Man i just love these questions because they make me think 💭 Ok so short answer is you can use a layer 4 load balancer with SSE and websockets much easier and reliable than a layer 7 load balancer. Not saying you cannot do it with L7LB But you need to find a load balancer that actually supports that. Here is why: layer 4 load balancer will NAT the tcp connection to final destination server and exchange packets in a single connection. So the server can send information to the load balancer and load balancer will simply NAT things to the client. So if i make an HTTP GET request to a L4 LB, first i try to establish a tcp connection with LB, LB will actually build a table and change the packet ip address destination to one of the backend servers, and forward the packet, and then simply acts like a gateway(kinda like how your router works) and now one your tcp connection is established you are tethered to one server .. so any http request on the same tcp will ALWAYS go to the same backend server.. unless you establish a new session. That is why SSE and websockets work normally since they are stateful like that.. However with layer 7 LB as we explained in the video, the client connects to the load balancer first so thats one tcp connection and the load balancer will establish another tcp connection to the backend server. So if I make a simple HTTP request to the layer 7 load balancer, my final destination as a client is the load balancer, The load balancer will then block my request (synchronously) and make the request to one of the backend servers, get the result, unblock me and return the result. So in this case most load balancers are really waiting for a request from clients ... but what happen if all of a sudden the server started to send something to the load balancer? (Server side events) what does that mean? How does the layer 7 load balancer know what client to forward the request to ? Smart load balancers might actually build a table and start mapping ip addresses to client ports. Other load balancers might make the backend server respond to the client directly So you see how complex it is to do layer 7, you can use layer 4 LB, The only thing is you will get a sticky load balancer to a single server per client session. i need to do more research and videos on this topic very interesting.. Hope that helps!

@@hnasr thanks a lot for answering my question, let me know if you perform further research or video regarding this topic :)

Jexxie Woo thanks 🙏 I did notice that after i posted the video. Thankfully nothing in the chopped screen is important. Appreciate your comment ! And ill make sure to avoid that in the future.

Haproxy periodically does a health check against the backends and see if they are alive. And if they are not they remove it from the backend pool

Douglas Mendez Correct, think about your WIFI router , if you connect to google from your mobile phone (on wifi) it is a single TCP connection between you and Google .( not a tcp connection between you and router and between the router and google) despite the router actually making the connection on your behalf because it has the public ip address. Your router uses NAT. A layer 4 load balancer that uses NAT function the same way.

@@hnasr Just curious, i might not be making any sense also. So, Routers do not work at layer 4 so they actually don't concern with TCP. But does a client communicate with Layer 4 LB (HAProxy) without a layer 4 protocol? If it uses TCP, then there should be a TCP connection between the client and the LB? Apologies if i am completely going off.

Thanks Fujin for your message! I use canva because I suck at photoshop haha hope that helps

Thanks man.

It depends on your backend if the backend supports TLS then IIS should really do a TLS Passthrough not termination (since you said its layer 4 LB) the certificate being served will be the backend not the LB If the backend doesn’t support TLS then it the LB will do a TLS termination and serves its certificate instead. The traffic on the backend will be unencrypted might not be desirable

Andrew Pelletier thanks for noticing! Thats my bad thats next week’s video and since its scheduled its set as private for some reason. Weird that youtube actually show it on the list. Let me remove it.