When using TCP load balancing with HAProxy, does all outbound traffic flow through the LB?

Solution 1:

HAProxy (like many load balancers) generally maintains two conversations. The proxy has a session (TCP in this case) with the client, and another session with the server. Therefore with proxies you end up seeing 2x the connections on the load balancer, and all traffic flows through the load balancer.

When it comes to scaling across multiple load balancers, I don't think you need to. But a practical and fairly easy way to do this is to use something like keepalived with two floating IPs and round-robin DNS between those two IPs. With keepalived, if one of the load balancers goes down the other holds both IPs, so you get high availability this way. That being said, I think you will be fine with one active HAProxy instance at your load.

HAProxy scales very well. As an example, the Stack Exchange network uses WebSockets, which maintain open TCP connections. While I am posting this we have 143,000 established TCP sockets on a VMware virtual machine with no issues. The CPU usage on the VM is around 7%.

With this sort of setup with HAProxy, make sure you set maxconn high enough. Here is some example HAProxy config to get you started:

global
        log 127.0.0.1 local0          # "log global" in the sections below needs a log target here
        maxconn 100000                # process-wide ceiling; a frontend maxconn cannot exceed it

frontend fe_websockets
        bind 123.123.123.123:80
        mode tcp
        log global
        option tcplog
        timeout client 3600s          # long idle timeout: WebSocket connections stay open for hours
        backlog 4096
        maxconn 50000                 # per-frontend connection limit, well above the expected load
        default_backend be_nywebsockets

backend be_nywebsockets
        mode tcp
        option log-health-checks      # only logs something if the servers actually have checks enabled
        option redispatch             # retry on another server if the chosen one is down
        option tcplog
        balance roundrobin
        server web1 10.0.0.1:1234 check
        server web2 10.0.0.2:1234 check
        timeout connect 1s
        timeout queue 5s
        timeout server 3600s          # match timeout client, or idle sockets get cut on the server side
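
The two-session behaviour described in this answer, as an added example that is not code from the answer or from HAProxy: a minimal TCP-mode proxy on loopback relays one client through to an echo server standing in for web1/web2. Every address in it is an assumption for the demo (127.0.0.1 with kernel-chosen ports instead of 123.123.123.123:80 and 10.0.0.x:1234), and the payload is constructed. It returns what each party observed, so you can see that the LB holds two sockets per client session and that the backend's peer address is the LB's own outbound socket, not the client.

```python
# Added example, not code from any of the answers above: a minimal TCP-mode proxy
# on loopback that shows the two-session behaviour described in Solution 1. All
# addresses are assumptions for the demo: 127.0.0.1 with kernel-chosen ports
# stands in for the 123.123.123.123:80 frontend and the web1/web2 backends.
import socket
import threading

HOST = "127.0.0.1"


def start_backend(seen: dict) -> socket.socket:
    """Echo server standing in for web1/web2. It records the peer address of the
    connection it accepts; behind a proxying load balancer that peer is the LB."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(8)

    def serve() -> None:
        conn, peer = srv.accept()
        seen["backend_peer"] = peer
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:            # upstream half-closed: stop echoing
                    break
                conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def start_proxy(backend_addr: tuple, seen: dict) -> socket.socket:
    """TCP-mode proxy: one socket accepted from the client, a second socket the
    proxy itself opens to the backend, and bytes relayed in both directions."""
    lb = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lb.bind((HOST, 0))
    lb.listen(8)

    def pump(src: socket.socket, dst: socket.socket) -> None:
        try:
            while True:
                data = src.recv(4096)
                if not data:
                    break
                dst.sendall(data)
        except OSError:
            pass
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)   # propagate EOF to the other session
            except OSError:
                pass

    def serve() -> None:
        client_side, _ = lb.accept()                       # session 1: client <-> LB
        server_side = socket.create_connection(backend_addr)  # session 2: LB <-> server
        seen["sockets_on_lb"] = 2                          # the "2x the connections"
        seen["proxy_upstream_local"] = server_side.getsockname()
        threading.Thread(target=pump, args=(client_side, server_side), daemon=True).start()
        threading.Thread(target=pump, args=(server_side, client_side), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return lb


def demo(payload: bytes = b"hello through the LB") -> dict:
    """Run client -> LB -> backend -> LB -> client once and report what each
    party observed (constructed payload, loopback addresses)."""
    seen: dict = {}
    backend = start_backend(seen)
    lb = start_proxy(backend.getsockname(), seen)
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.settimeout(5)
    client.bind((HOST, 0))      # explicit bind so the client has its own distinct port to compare
    client.connect(lb.getsockname())
    seen["client_local"] = client.getsockname()
    client.sendall(payload)
    client.shutdown(socket.SHUT_WR)
    reply = b""
    while True:                 # the response also comes back through the LB
        chunk = client.recv(4096)
        if not chunk:
            break
        reply += chunk
    client.close()
    lb.close()
    backend.close()
    seen["reply"] = reply
    return seen


if __name__ == "__main__":
    r = demo()
    print("client socket        ", r["client_local"])
    print("LB outbound socket   ", r["proxy_upstream_local"])
    print("backend saw peer     ", r["backend_peer"])
    print("sockets held by LB   ", r["sockets_on_lb"])
```

The practical consequence for backend logs, rate limits and IP-based ACLs is that they see the load balancer's address for every connection; if the real client address is needed on the servers in TCP mode, it has to be carried separately (HAProxy's `send-proxy` on the `server` line emits the PROXY protocol header for backends that understand it).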

Solution 2:

Yes, all traffic should normally pass through the load balancer. The requests are received by the load balancer, and the responses are sent back to the load balancer, which sends them back to the clients.

For choosing the right tool, I don't have much experience with the other options. I am using HAProxy and it is really good and stable and can handle a large amount of traffic. Also, its ACL capabilities are great.

Solution 3:

There is a possibility to use and configure DSR (Direct Server Return), but this has nothing to do with the load balancer and is configured in the TCP stack (routing tables). We've been using this for a large video streaming portal. Although it works, it will give you significant headaches regarding the complexity of the routing necessary.

Thus I would not recommend using this technique without considering its use and drawbacks very thoroughly.

Maybe there are some hints to get started here:

  • http://www.remsys.com/blog/configuring-dsr-on-the-alteon-load-balancers
  • http://community.brocade.com/docs/DOC-1650

Have fun!