Anypoint Platform - Dedicated Load Balancers presentation that was used for Amsterdam Meetup on 5th of October.
What is a Load Balancer?
Differences between Shared and Dedicated Load Balancers
How to create a Dedicated Load Balancer
Tips and Tricks
3. Introductions
● About the organizer: Fatih Turgut
○ Moved to the Netherlands 2 years ago, living in Amsterdam, married, 1 daughter.
○ 10+ years in IT, the last 6 years with MuleSoft. MCIA, MCPA.
○ Sr. Consultant at Devoteam for the last 2 years. Recent assignments: Intergamma, RTL, Sodexo, Accell IT.
● About the sponsor: Devoteam
○ Devoteam is a leading consulting firm focused on digital strategy, tech platforms, data and cybersecurity.
○ With 25 years' experience and more than 10,000 employees across Europe, the Middle East and Africa, Devoteam promotes responsible tech for people and works to create better change.
4. Cloudhub Dedicated Load Balancers
What is a Load Balancer?
● A load balancer distributes incoming network traffic efficiently across a group of servers or applications.
○ This maximizes speed and capacity utilization and ensures that no single server is overworked or overwhelmed.
5. Mulesoft Cloudhub
● CloudHub is a cloud-based integration platform as a service (iPaaS) that enables developers to integrate and orchestrate applications and services. These applications and services run on one or more Mule runtime instances, known as workers. CloudHub provides a load balancing service for all integrations: you can use the default shared load balancer (SLB) or obtain a dedicated load balancer (DLB).
6. Shared Load Balancer
● As the name suggests, a 'Shared' Load Balancer is shared between all CloudHub customers and sits outside of the client's VPC.
● There is one clustered SLB instance in each CloudHub region that serves all CloudHub customers in that AWS region. Therefore, the SLB can only be used to balance calls to external-facing APIs; it cannot be used to balance load between your internal workers.
7. Dedicated Load Balancer
● A Dedicated Load Balancer (DLB) is an optional component of the Anypoint Platform that enables you to route external and internal HTTP and HTTPS traffic to multiple Mule applications deployed in your VPC.
● The DLB sits inside your VPC and routes incoming traffic to ports 8091 and 8092 on the workers.
● You have more control over it: scalability, a vanity domain, your very own SSL certificates, and two-way TLS configuration.
8. Technical Aspects of DLB
● Every DLB can be associated with only one VPC.
● Each DLB by default runs in a highly available configuration with 2 workers.
● Each worker is sized at 2 vCores + 3.5 GB memory. These do not consume vCores from your CloudHub vCore subscription.
● Scalable horizontally but not vertically.
● Every entitlement includes 2 workers, so for every 2 workers you need 1 DLB licence.
● 1 DLB can be configured with a maximum of 8 workers.
● The connect timeout is 4 seconds per worker (4 TCP handshake attempts, waiting 1 second per attempt). If the attempts fail for one worker, the DLB gets another IP from the internal DNS and tries the subsequent workers. When there are no workers left, it responds with a Connect Timeout.
10. Public and Private Exposure
● By default there are 2 workers, so 2 public and 2 private IPs are assigned.
● Public IP addresses can be set as static.
● Private IP addresses cannot be made static; two addresses are assigned at random from the CIDR range of the VPC.
● Private IP addresses can naturally be called only from your internal network, that is, only by the Mule applications running in the same VPC, or over the VPN tunnel if one exists.
● You can limit the IPs that can access the DLB with the allowlist. Its default is 0.0.0.0/0, basically anywhere.
11. DNS Structure and Mappings
● 2 DNS names are associated with your DLB regardless of the worker count: one is public-facing and resolves to the public IPs of the DLB, the other is internal-facing and resolves to the internal IPs of the DLB.
● Public DNS naming convention: <lb-name>.<sub-domain-for-anypointdns>.anypointdns.net
● Private DNS naming convention: internal-<lb-name>.<sub-domain-for-anypointdns>.anypointdns.net
● We can mask the default Anypoint Platform DNS name with our own SSL certificate and a DNS CNAME record. A DNS A record is not advised even if you use static IPs.
12. DLB Properties and Options
● Allowlisted CIDRs - Default 0.0.0.0/0
● Timeout in Seconds - Response Timeout Default 300 Seconds
● Connect Timeout - 4 seconds (4 TCP handshake attempts, waiting 1 second per attempt, per worker)
● Inbound HTTP Mode:
○ Mode Off
○ Mode On
○ Mode Redirect
● Static IP
● Keep URL Encoding - Non-ASCII chars to ASCII, e.g. %20 (space) and %23 (#)
● Support TLS 1.0 - Not advised; last resort only.
● Upstream TLS 1.2 - Forces TLS 1.2 from the DLB to the Mule worker
● Forward Client Certificate*
13. SSL Certificates
A dedicated load balancer must have at least one certificate associated with it before it can be created.
● Certificates must be PEM-encoded.
● The private key must be unencrypted.
● All key attributes and bag attributes must be removed.
● Files must contain the entire certificate chain, ordered sequentially. If the certificates are sent to you separately, you can simply concatenate them in a text editor. The order of the certificates in the file must be:
○ Certificate for the DLB
○ Certificates for intermediate CAs
○ Certificate for the root CA
14. Creating the SSL Certificate
● We are going to use OpenSSL.
● If you already have Git for Windows, go to the Git installation directory, find usr\bin\openssl.exe and run it, or open Git Bash and use the openssl command.
● A third option is to add the Git OpenSSL path to the environment variables so you can access OpenSSL from cmd and anywhere else.
Create cert & key: openssl req -x509 -newkey rsa:2048 -keyout dlbk.pem -out dlbcert.pem -days 365
Decrypt key: openssl rsa -in dlbk.pem -out undlbk.pem
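Added example, not from the presentation: a portable sh pre-flight check for the key and certificate files before uploading them to a DLB, covering the rules from the slides (PEM-encoded, unencrypted key, no bag or key attributes, one or more certificates) plus the cleanup that strips the attribute lines. The file names and sample PEM contents are constructed for the example; the base64 bodies are placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not from the presentation): pre-flight checks, in portable sh, for the
# PEM files a CloudHub DLB accepts: PEM-encoded, unencrypted private key, no Bag/Key
# Attributes, one or more certificates. make_samples writes constructed files whose
# base64 bodies are placeholders, not real key material.

# Number of PEM blocks of type $2 (e.g. CERTIFICATE) in file $1; prints 0 instead of failing.
pem_count() { grep -c "^-----BEGIN $2-----" "$1" || true; }

# Non-empty lines outside any BEGIN/END block: "Bag Attributes", "Key Attributes",
# friendlyName, localKeyID and similar lines that the DLB upload rejects.
stray_lines() {
    awk '/^-----BEGIN /{inb=1} {if (!inb && $0 !~ /^[ \t]*$/) n++}
         /^-----END /{inb=0} END{print n+0}' "$1"
}

# The fix for "all key and bag attributes must be removed": keep only the PEM blocks.
strip_pem_attributes() { awk '/^-----BEGIN /{inb=1} inb{print} /^-----END /{inb=0}' "$1" > "$2"; }

# Returns 0 when key file $1 meets the DLB rules, 1 with the reason on stderr otherwise.
check_dlb_key() {
    if grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1" || grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo "$1: key is encrypted; decrypt it first: openssl rsa -in $1 -out plain.pem" >&2; return 1
    fi
    keys=$(( $(pem_count "$1" 'RSA PRIVATE KEY') + $(pem_count "$1" 'PRIVATE KEY') ))
    [ "$keys" -eq 1 ] || { echo "$1: expected one private key block, found $keys" >&2; return 1; }
    [ "$(stray_lines "$1")" -eq 0 ] || { echo "$1: attribute lines outside the PEM block" >&2; return 1; }
}

# Returns 0 when certificate file $1 meets the DLB rules (chain order itself needs the
# certificates parsed, e.g. openssl x509 -noout -subject -issuer on each block).
check_dlb_chain() {
    [ "$(pem_count "$1" CERTIFICATE)" -ge 1 ] || { echo "$1: no certificate block" >&2; return 1; }
    [ "$(pem_count "$1" 'RSA PRIVATE KEY')" -eq 0 ] || { echo "$1: private key in cert file" >&2; return 1; }
    [ "$(stray_lines "$1")" -eq 0 ] || { echo "$1: lines outside the PEM blocks" >&2; return 1; }
}

# Constructed samples: a key as 'openssl pkcs12 -nodes' typically exports it (attribute
# lines before the block), a legacy encrypted key, and a two-certificate chain. Prints the dir.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' 'Bag Attributes' '    friendlyName: dlb' 'Key Attributes: <No Attributes>' \
        '-----BEGIN PRIVATE KEY-----' 'MIIconstructedPlaceholderNotAKey==' '-----END PRIVATE KEY-----' > "$d/raw-key.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' 'DEK-Info: AES-256-CBC,00' '' \
        'constructedPlaceholder==' '-----END RSA PRIVATE KEY-----' > "$d/enc-key.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructedLeaf==' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'constructedRoot==' '-----END CERTIFICATE-----' > "$d/chain.pem"
    echo "$d"
}
```

Run strip_pem_attributes on the exported key, then check_dlb_key and check_dlb_chain on the files you intend to upload; each prints the failing rule on stderr.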
An A record is not suggested because if the DLB is scaled up or down we would need to update the A record again.
We will go into the details of creating a certificate.