Home Lab - Load Balancing

Load Balancing


Load Balancing is one of the most important requirements of the Home Lab. It is also something that wasn't covered by the Meraki MX64 or any of the other network gear.


Requirements:

  • Free or extremely cheap
  • Load Balancing at layer 4 or layer 7
  • Ability to have multiple 'services' using the same external IP
    • Redirect to a sub-VIP based on host header
  • Run as a virtual appliance
  • Fairly straight forward and easy to setup

With these requirements I narrowed the list down to:

I ended up selecting the Kemp LoadMaster. The main reasons were no cost and that it is extremely easy to use. The F5 costs a bit, and I would need to spend a little time remembering how things work; HAProxy and NGINX are also free but have a steep learning curve.

I now have my firewall (Meraki) port forwarding 443 TCP/UDP to the Kemp LoadMaster. One of the nice features of the Kemp, when using a single namespace, is the ability to use a single master VIP for all traffic and content switching rules to route to sub virtual services.

For instance, I use a wildcard certificate for *.virtualjpr.com and created one master VIP on the Kemp. On the master VIP I have configured SSL re-encryption. In addition I created a Content Switching Rule, which checks the host header against a regex pattern. Using that content rule, the master Virtual Service (VIP) routes to a sub Virtual Service. The SubVS is what contains the normal settings: real port, real servers, and the health check.

This all allows me to use one public IP, with blank.virtualjpr.com hostnames for all of my VMware EUC services. There are of course some exceptions, where I configure VMware Tunnel to run on 8443 and port forward that on the firewall to a separate Virtual Service on the load balancer.
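As an added illustration of the master VIP, content rule and SubVS flow described above (example code, not Kemp's own implementation or configuration): a small Python model that pulls the Host header from a request arriving on the shared 443 VIP, matches it against anchored content rules, and returns the SubVS (real servers and health check) to forward to, or nothing when no rule matches. The hostnames, backend addresses and health check paths are assumed placeholders, and the VMware Tunnel case on 8443, which bypasses content switching, is not modelled.

```python
import re
from dataclasses import dataclass

# Added example, not Kemp code: a minimal model of the host-header content
# switching described above. Hostnames, backend addresses and health check
# paths are constructed placeholders.

@dataclass(frozen=True)
class SubVS:
    name: str
    real_servers: tuple   # (ip, port) pairs behind this sub Virtual Service
    health_check: str     # path the load balancer probes on each real server

# Content rules: a host-header regex mapped to the SubVS it selects. Patterns are
# anchored so only the exact hostname matches, not a longer name containing it.
CONTENT_RULES = [
    (re.compile(r"^ds\.virtualjpr\.com$"),
     SubVS("AirWatch Device Services", (("10.0.0.11", 443),), "/health")),
    (re.compile(r"^horizon\.virtualjpr\.com$"),
     SubVS("Horizon", (("10.0.0.21", 443), ("10.0.0.22", 443)), "/health")),
]

def normalize_host(host_header):
    """Lower-case the Host value and drop an explicit :port and trailing dot."""
    host = re.sub(r":\d+$", "", host_header.strip())
    return host.rstrip(".").lower()

def select_sub_vs(host_header):
    """Return the SubVS whose content rule matches, or None when no rule does."""
    if not host_header:
        return None
    host = normalize_host(host_header)
    for pattern, sub_vs in CONTENT_RULES:
        if pattern.match(host):
            return sub_vs
    return None  # unmatched: the master VS has nowhere to send this request

def host_from_request(raw):
    """Extract the Host header value from a raw HTTP/1.1 request head (bytes)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None

def route_request(raw):
    """Master VS decision for one request: the SubVS to forward to, or None."""
    return select_sub_vs(host_from_request(raw))
```

A request whose Host header matches no rule is left unrouted rather than falling through to an arbitrary SubVS, which is the behaviour to check for when adding a new service on the shared VIP.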

Here are some screenshots of my configuration. It changes routinely, but it should give a good idea.

Main Virtual Service configuration which shows the subVS.


Properties of the main Virtual Service, where you can see SSL re-encryption enabled.

More properties of the main Virtual Service. Here you can see under Advanced Properties the Content Switching is enabled. More on that below. At the very bottom of the screenshot you also see where to add the subVS.  I have them for the essential Workspace ONE components: AirWatch Console, Device Services, AirWatch Cloud Messaging, Workspace ONE Linux, Workspace ONE Windows, Horizon, and UAG (for Reverse Proxy Identity Bridging).

Here are the properties of a SubVS, specifically the AirWatch Device Services one. Fairly straightforward: add your health check, and add your real servers including ports.

This is a screenshot of the Content Rules created. Anything that shares port 443 on the outside needs a rule here with a unique DNS name for the pattern matching.

Finally, a screenshot of the details of the AirWatch Device Services Content Matching Rule.



Lastly I wanted to say kudos to Kemp for making their production quality Load Balancer available for free with very few restrictions.  https://freeloadbalancer.com/
