VoltMesh’s Load Balancing is a centrally managed, globally distributed load balancer and proxy with service discovery, health checking, application micro-segmentation, and application policy, providing the most advanced implementation of an edge load balancer with ingress/egress capability for any service mesh. Service discovery integrates with multiple registries like Kubernetes, Consul, or DNS, along with health checking support for HTTP/HTTPS, TCP, custom, etc. Endpoint health is distributed to all the sites where the virtual service is exposed using extensions to the BGP protocol, and this provides us with valuable insight on how to globally distribute the load balancing function. Support for both TLS and mutual TLS for authentication, with policy-based authorization on the proxy, provides the capability to enforce end-to-end security of application traffic. In addition, the proxy gives the ability to terminate user traffic in the Volterra global network and use a persistent connection to serving endpoints to accelerate and load balance to the most optimal endpoint. It is “out-of-the-box” ready and accessible when a Volterra Node or Cluster is deployed or when using Volterra’s Global Network.
If you are interested in further details of how the features described in this guide work, read more below in Concepts.
Intro to VoltMesh Load Balancing
With Volterra Node or Cluster deployments or Volterra’s Global Network, you have the ability to leverage VoltMesh and VoltStack services as simple add-ons. This section discusses specifically the VoltMesh Load Balancing features.
VoltMesh Load Balancing Features
Global Load Balancing (GSLB, Anycast)
VoltMesh global infrastructure provides initial network-level load balancing using anycast to all VirtualHosts hosted by Volterra’s network cloud or enterprises’ private/public and edge clouds. GSLB functionality enables application and business logic load balancing. GSLB load-balancing algorithms supported are round-robin, weighted least request, random, ring-hash and more. Additional functionality includes client-optimized delivery using application and service availability (health checks, more below), performance, and custom policies such as geography and regulations (GDPR, etc.). All policy and configurations are centrally managed from Volterra Console, with a VIP being exposed on a customer site (cloud or edge), Volterra global infrastructure (Network Cloud), or both.
Service Discovery & Health Checks
Service endpoints are discovered and can be made securely accessible on Volterra’s Global Infrastructure and/or a customer public/private and edge cloud. Service discovery integrations supported today include DNS, Kubernetes, and HashiCorp Consul. All discovered or configured endpoints and VIPs are automatically probed for explicit (configured) or implicit (i.e. latency, error rate, response times, etc.) health checks. The global visibility of endpoints and availability allows for optimized load balancing of clients to services.
HTTPS (TLS/mTLS) & TCP Proxy
VoltMesh VirtualHost load balancing supports multiple proxy functions including TCP Proxy, TCP Proxy with SNI, HTTP Proxy and HTTPS Proxy. Support for TLS/mTLS is available downstream (clients to virtualhost) or upstream (virtualhost to endpoints). A domain’s TLS certificate can be securely hosted with Volterra’s unique solution called Blindfold and/or through integration with external secrets management solutions such as HashiCorp Vault.
In addition to GSLB traffic management functionality, rich HTTP/HTTPS routing functionality is available. Matching on parameters such as URLs, headers, query parameters, HTTP methods, etc. is available. Customization of matching is also available using Volterra’s programmable V8 engine. Routing options based on matched criteria include sending a direct response, changing protocol, adding/removing headers, timeouts/retries, sending to a WAF (Web Application Firewall), endpoint selection/grouping, etc.
Dynamic Reverse Proxy & HTTP Connect
VoltMesh proxy supports automatic and dynamic discovery of endpoints via our dynamic reverse proxy, in which traffic is attracted to our proxy and discovery of the endpoint destination is processed dynamically at the proxy, minimizing infrastructure configuration and operations. Destinations can be configured using VirtualHost with wildcards, and discovery is triggered based on what the client or application is accessing (supporting HTTP/TCP-with-SNI). Manual configuration for clients or applications to send the traffic via the proxy is supported using HTTP CONNECT to tunnel traffic to the proxy.
Service Policy & Application Microsegmentation
Application microsegmentation is available per virtualhost and for services in a namespace using an intent-based service policy (L7). This enables enhanced application security by matching on regex-based label selectors and client IP or ASN lists, with actions of allow or deny (with future options to rate-limit or apply custom actions using the Chrome V8 engine).