Global Server Load Balancing – FortiBalancer

14.2.2 SDNS Load Balancing Methods

The following load balancing methods are supported by SDNS function:

  • Global Round Robin (GRR)
  • VIP-based Weighted Global Round Robin (VWGRR)
  • Global Connection Overflow (GCO)
  • Global Least Connection (GLC)
  • IP Overflow (IPO)
  • Proximity (Proximity)
  • Region (Region)

14.2.2.1 GRR

When using the Global Round Robin (GRR) method, SDNS routes traffic to all participating members in a round robin fashion (see the RR section of the SLB methods for more details). When a user requests a service, the DNS query goes to the SDNS servers. HTTP proxy cache servers regularly report their local virtual service and link load/health information to the SDNS servers. When a member receives such a message, it re-calculates its round robin list. The maximum number of returned IPs defaults to 3.

14.2.2.2 VWGRR

VIP-based Weighted Global Round Robin (VWGRR) is similar to GRR with the exception that each VIP is assigned a weight (i.e. the number of DNS hits). The traffic does not go to the next VIP until the DNS hits exceed the configured weight. After that, it moves on to the next VIP.

When a member receives a status report from other members, it re-calculates its VWGRR list. The number of times the same answer is returned equals the weight value of the first returned IP. The maximum number of returned IPs defaults to 3.
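The following simulation, added here as an illustration and not taken from the FortiBalancer software, shows the VWGRR behaviour described above: the first VIP in the list stays at the head for as many DNS hits as its weight, every answer carries up to 3 IPs, and GRR is the special case in which every VIP has weight 1. The class name, the parameter names and the sample VIP addresses are assumptions made for this example.

```python
# Added example, not FortiBalancer code: a simulation of VWGRR selection.
# Class and parameter names are assumptions made for this illustration.


class VWGRR:
    """Weighted global round robin over VIPs.

    vips: list of (ip, weight) pairs; a VIP stays at the head of the list
          for `weight` DNS hits before the pointer moves on.
    max_returned: maximum number of IPs in one DNS answer (default 3).
    """

    def __init__(self, vips, max_returned=3):
        self.max_returned = max_returned
        self.rebuild(vips)

    def rebuild(self, vips):
        """Recompute the round robin list, e.g. after a member status report
        adds or removes a VIP; the pointer restarts at the first VIP."""
        if not vips:
            raise ValueError("at least one VIP is required")
        self.vips = list(vips)
        self.pos = 0    # index of the VIP at the head of the list
        self.hits = 0   # DNS hits already served with this VIP at the head

    def resolve(self):
        """Answer one DNS query with up to max_returned VIPs, starting at the
        head. The same answer is repeated weight(head VIP) times."""
        n = len(self.vips)
        answer = [self.vips[(self.pos + i) % n][0]
                  for i in range(min(self.max_returned, n))]
        self.hits += 1
        if self.hits >= self.vips[self.pos][1]:
            self.pos = (self.pos + 1) % n
            self.hits = 0
        return answer


def simulate(vips, queries, max_returned=3):
    """Return the answers given to `queries` consecutive DNS queries."""
    lb = VWGRR(vips, max_returned)
    return [lb.resolve() for _ in range(queries)]


if __name__ == "__main__":
    # constructed sample: VIP .1 has weight 2, the other two have weight 1
    for ans in simulate([("10.0.0.1", 2), ("10.0.0.2", 1), ("10.0.0.3", 1)], 5):
        print(ans)
```

Running the sample prints the three-IP answer headed by 10.0.0.1 twice (its weight), then the answers headed by 10.0.0.2 and 10.0.0.3 once each, before the cycle repeats.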

14.2.2.3 GCO

Global Connection Overflow (GCO) defines an overflow chain for a domain name. An overflow chain consists of different members, and each member is assigned a weight (the maximum number of active TCP connections allowed on the member). Network traffic is routed to the first FortiBalancer appliance in the overflow chain until its number of active TCP connections exceeds the maximum configured for that appliance. Additional traffic overflows to the next member in the overflow chain, which can in turn overflow to the next one, and so on. The last member of an overflow chain is the default member: if all members are in overflow, future traffic is routed to the default member. When an overflowed member drops back below its limit, future traffic is routed back to the first member in the chain that is not in overflow. Depending on whether each member in the overflow chain has exceeded its maximum number of TCP connections, the host IPs on different members are chosen. This method ensures that no member (except the last one) hosts too many TCP connections.

14.2.2.4 GLC

The Global Least Connection (GLC) method routes traffic to the member that has the fewest TCP connections (see SLB LC for more information on this method). The host IP addresses on this member are returned.
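The member selection for both GCO (14.2.2.3) and GLC (14.2.2.4), written out as an added example rather than FortiBalancer code: the chain is walked until a member that is not in overflow is found, the last member being the default, and GLC simply picks the member with the fewest active connections. The `Member` fields, the treatment of "exceeds" as `active > max`, and the sample addresses are assumptions made for this illustration.

```python
# Added example, not FortiBalancer code: member selection for GCO and GLC.
# Member fields and the overflow test (active > max) are assumptions.
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    host_ips: list     # host IPs served on this FortiBalancer appliance
    active_conns: int  # active TCP connections from the last status report
    max_conns: int     # overflow threshold configured for this member


def is_overflow(m):
    return m.active_conns > m.max_conns


def gco_select(chain):
    """Global Connection Overflow: the first member in the chain that is not
    in overflow; if every member is in overflow, the default (last) member."""
    for m in chain[:-1]:
        if not is_overflow(m):
            return m
    return chain[-1]


def glc_select(members):
    """Global Least Connection: the member with the fewest active TCP
    connections (ties resolved by chain order)."""
    return min(members, key=lambda m: m.active_conns)


def resolve(method, members):
    """Return (member name, host IPs) for the member chosen by the method."""
    if method == "gco":
        chosen = gco_select(members)
    elif method == "glc":
        chosen = glc_select(members)
    else:
        raise ValueError(f"unsupported method {method!r}")
    return chosen.name, list(chosen.host_ips)


# constructed sample overflow chain; C is the default (last) member
CHAIN = [
    Member("A", ["198.51.100.1"], active_conns=120, max_conns=100),
    Member("B", ["198.51.100.2"], active_conns=80, max_conns=100),
    Member("C", ["198.51.100.3"], active_conns=10, max_conns=100),
]

if __name__ == "__main__":
    print("gco:", resolve("gco", CHAIN))   # A is over its limit, so B
    print("glc:", resolve("glc", CHAIN))   # fewest connections: C
```

Note the difference visible in the sample: GCO keeps sending new traffic to B even though C is almost idle, because C is reserved as the default member, while GLC goes straight to C.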

14.2.2.5 IPO

For a host name, there may be multiple related IP addresses. The client needs to set the priority for each IP address by using the “llb dns host” command. In the VWGRR method, the last argument of the “llb dns host” command is the weight of an IP address; in the IP Overflow (IPO) method, the last argument of the “llb dns host” command is the priority. The IPO method resolves a host name to the related healthy IP address with the highest priority.

14.2.2.6 Proximity

When the Proximity method is configured for a host, all the queries for this host will be resolved based on a proximity algorithm. The resolving result depends on the distance between the client and the servers. The traffic will be routed to the client’s nearest server. If the host method of a domain name is configured as “proximity”, proximity and site distance should be configured by using the “sdns proximity” command and “sdns site distance” command. When a domain name is resolved, the request will be located in a site according to the source IP address and priority of the request packets. It will be directed to the appropriate site according to the site distance, and the host IP addresses on the members in this site will be returned.

14.2.2.7 Region

When the Region method is configured for a host name, a “pool” should be created for the domain name and a “rule” added to the “pool”. Besides, “proximity” should be configured by using the “sdns proximity” command. When a domain name is being resolved, the request is first located to a site/region (pool) according to the source IP address and the priority of the request packets. The request then finds the corresponding pool according to the priority, which can be configured when the site/region is configured. The host IP addresses are returned according to the rule defined by the pool.

14.2.3 SDNS Member

A member is a FortiBalancer appliance. A member can be configured to be an SDNS server or an HTTP proxy cache server. It can also be configured to be an SDNS server and an HTTP proxy cache server at the same time.

Note: The SDNS members on the FortiBalancer 6.x version cannot cooperate with those on the FortiBalancer 8.x version since the data is encrypted in different formats. It is highly recommended that the FortiBalancer appliances configured as the SDNS sites be running the same software version.

14.2.4 SDNS Site

A site is a location which includes one or more members. A pool can correspond to a site. The commands related to “sdns site” work only when they are configured on SDNS servers. On HTTP proxy cache servers, these commands are invalid although they can be configured.

14.2.5 SDNS Proximity

Administrators can use the command “sdns proximity” to define proximity rules which are used to determine the site or region which a request source IP address belongs to.

SDNS Proximity supports IP regions. Administrators are allowed to import a pre-defined IP region table via the HTTP, FTP or Local File method, and then execute the command “sdns proximity ipregion” to apply the imported IP region table. This generates a large number of proximity rules without complex configuration. Administrators are also allowed to export the IP region table via the FTP URL or Local File method.

To define the IP region files, the following entries should be included:

  • IP subnet (in CIDR format)
  • Country name (optional, up to 7 bytes)
  • Brief description (optional, up to 63 bytes)

These items must be separated with a “Tab”. For example:

27.8.0.0/13 CN China Unicom Chongqing Province network
27.36.0.0/14 CN China Unicom Guangdong province network

Note: By default, there are three predefined IP region tables including “predefined_cernet”, “predefined_cnc” and “predefined_ct”. It is recommended not to use the same name with the default predefined IP region tables. The routes and proximity rules configured for IP region exist as a whole in the system. Administrators cannot change or remove a single route or a rule.
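To make the proximity mechanism of 14.2.2.6, 14.2.2.7 and 14.2.5 concrete, here is an added example (not FortiBalancer code) that validates an IP region file in the tab-separated layout shown above, turns an imported table into proximity rules and locates the site for a request's source IP. The rule tuple layout `(network, site, priority)`, the idea that every entry of an imported table maps to one site name, and the "most specific subnet first, then lowest priority value" tie-break are assumptions made for this illustration; so are the sample subnets and site names beyond the two lines quoted from the page.

```python
# Added example, not FortiBalancer code: parse an IP region file, turn it
# into proximity rules and locate a site for a source IP. The rule layout,
# the site argument and the tie-break order are assumptions.
import ipaddress

# constructed sample table (fields separated by tabs, as the page requires)
IPREGION_FILE = (
    "27.8.0.0/13\tCN\tChina Unicom Chongqing Province network\n"
    "27.36.0.0/14\tCN\tChina Unicom Guangdong province network\n"
)


def parse_ipregion(text):
    """Validate IP region lines into (network, country, description) tuples,
    enforcing the field limits stated on the page (7 and 63 bytes)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("\t")]
        try:
            net = ipaddress.ip_network(fields[0], strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad subnet {fields[0]!r}: {exc}")
        country = fields[1] if len(fields) > 1 else ""
        desc = fields[2] if len(fields) > 2 else ""
        if len(country.encode()) > 7:
            raise ValueError(f"line {lineno}: country name longer than 7 bytes")
        if len(desc.encode()) > 63:
            raise ValueError(f"line {lineno}: description longer than 63 bytes")
        entries.append((net, country, desc))
    return entries


def ipregion_rules(entries, site, priority=100):
    """Apply an imported table: every subnet becomes one proximity rule that
    maps to `site`. The rules are managed as a whole, as the page notes."""
    return [(net, site, priority) for net, _, _ in entries]


def manual_rule(cidr, site, priority):
    """A single proximity rule entered by hand (assumed interface)."""
    return (ipaddress.ip_network(cidr, strict=True), site, priority)


def locate_site(src_ip, rules):
    """Pick the site whose rule best matches src_ip: most specific subnet
    first, then the lowest priority value. None when nothing matches."""
    addr = ipaddress.ip_address(src_ip)
    matches = [(net.prefixlen, -prio, site)
               for net, site, prio in rules if addr in net]
    if not matches:
        return None
    return max(matches)[2]


if __name__ == "__main__":
    rules = ipregion_rules(parse_ipregion(IPREGION_FILE), "site_cn_unicom")
    # a hand-written rule that is more specific than the imported /14
    rules.append(manual_rule("27.36.0.0/16", "site_gd_core", 10))
    for ip in ("27.10.1.1", "27.36.5.5", "27.38.5.5", "203.0.113.9"):
        print(ip, "->", locate_site(ip, rules))
```

The strict CIDR check rejects entries with host bits set, which is the most common defect in hand-edited region files, and an unmatched source IP returns `None` so the caller can fall back to the default region rather than silently picking the first site.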

14.2.6 SDNS Overflow

The overflow commands take effect only when the host method of a domain name is configured as “gco” by using the command “sdns host method”.

14.2.7 SDNS Region

Currently, the SDNS region is used only by the SDNS region method. Logically, a “region” is a unit defined for classification management. A region can include one or more regions or sites; the lowest leaf node managed by a region is a “site”. Both a region and a site can correspond to a pool, and the logical classification ability of a region is designed for the “pool” requirement. A pool name must be a region or site name. Region commands must be used on SDNS servers; they are invalid on HTTP proxy cache servers.

14.2.8 SDNS Disaster Recovery Group

Disaster Recovery (DR) is defined by Disaster Recovery Group (DRG). A DRG contains two sub groups. One subgroup serves as the primary and the other as the standby. Each subgroup may contain one or more sites, while each site contains one or more FortiBalancer appliances. All the primary sites have higher priorities for being used as SDNS servers than the standby sites.

14.2.9 SDNS Bandwidth Management

Currently, bandwidth management only works with the SDNS region method. With bandwidth management, SDNS can limit the bandwidth of a member, site, region and IP, and collect the traffic statistics on a member, site, region and IP, and balance the Web requests to different sites and regions based on the current bandwidth usage.

Four kinds of bandwidth management are supported:

  1. Bandwidth of a member (based on all the packets to or from the member)
  2. Bandwidth of a site (sum of the bandwidth of all the members in this site)
  3. Bandwidth of a region (sum of the bandwidth of all the sites or regions in this region)
  4. Bandwidth of an IP address (based on the packets for the specified IP)

The system collects the traffic of a domain name, which can be the domain name traffic of a site or of a region. When the DNS resolving is being done, the domain name traffic of the site or region is taken into account. If that traffic exceeds the configured bandwidth limit, the DNS resolving is performed on the parent region of this region or site, and so on up to the default region. If the host traffic still exceeds the bandwidth limit under the default region, the DNS resolving returns the host IPs by the “round robin” method. (A pool corresponds to a region or site. All of the above applies only when the host method is “region”.) Please note: if an SDNS member is configured as a “DNS” member, the SLB configuration on this member should be disabled; otherwise the bandwidth data will not be collected from the proxy.
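The walk up the region tree described above, written out as an added example that is not FortiBalancer code: each site or region corresponds to a pool with its own bandwidth limit, resolving starts at the site the request was located to and climbs toward the default region while the collected traffic exceeds the limit, and when even the default region is over its limit the domain's host IPs are answered by round robin. The node and class names, the traffic figures and the addresses are assumptions made for this illustration.

```python
# Added example, not FortiBalancer code: bandwidth-aware resolving for the
# "region" host method. Names, limits and traffic figures are assumptions.


class RegionNode:
    """A site or region. Each node corresponds to a pool with its own
    bandwidth limit; the node whose parent is None is the default region."""

    def __init__(self, name, limit_bps, pool_ips, parent=None):
        self.name = name
        self.limit_bps = limit_bps
        self.pool_ips = list(pool_ips)
        self.parent = parent


class BandwidthResolver:
    def __init__(self, host_ips):
        self.host_ips = list(host_ips)   # every host IP of the domain name
        self.rr_pos = 0                  # state for the round robin fallback

    def resolve(self, located_site, traffic_bps):
        """traffic_bps maps a site/region name to its collected domain name
        traffic. Walk up from the located site until a pool is within its
        limit; if even the default region is over, answer by round robin."""
        node = located_site
        while node is not None:
            if traffic_bps.get(node.name, 0) <= node.limit_bps:
                return node.name, list(node.pool_ips)
            node = node.parent
        ip = self.host_ips[self.rr_pos % len(self.host_ips)]
        self.rr_pos += 1
        return "round-robin", [ip]


# constructed topology: default region -> region "east" -> site "east-1"
DEFAULT = RegionNode("default", 1000, ["192.0.2.1", "192.0.2.2", "192.0.2.3"])
EAST = RegionNode("east", 500, ["192.0.2.1", "192.0.2.2"], parent=DEFAULT)
EAST_1 = RegionNode("east-1", 200, ["192.0.2.1"], parent=EAST)

if __name__ == "__main__":
    r = BandwidthResolver(["192.0.2.1", "192.0.2.2", "192.0.2.3"])
    print(r.resolve(EAST_1, {"east-1": 150}))                              # site pool
    print(r.resolve(EAST_1, {"east-1": 250, "east": 400}))                 # parent region
    print(r.resolve(EAST_1, {"east-1": 250, "east": 600, "default": 1200}))  # round robin
```

A missing traffic counter is treated as zero, which is what happens on an appliance whose SLB configuration has not been disabled and therefore never reports proxy bandwidth: the limit never trips, so that failure mode is worth alerting on separately.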

14.2.10 SDNS Pool

Currently, SDNS pool only works with the SDNS region method. When a host method of a domain name is configured as “region” by using the command “sdns host method” and the domain name is being resolved, “pool” is used. A pool contains a series of IP addresses, and a pool name is the same as a region or site name. The priority of a site or region is also the priority of a pool. IP addresses and rules can be added into a pool.

In SDNS, six pool methods are supported as follows:

Round Robin (rr)

If three IP addresses are in a pool, and round robin is chosen as pool method, the traffic will go to the next IP address in the order [1,2,3, 1, 2, 3…].

Weighted Round Robin (wrr)

Weighted Round Robin is similar to RR with the exception that each IP address is assigned a weight (i.e. the number of DNS hits) via the “sdns pool ip” command. The traffic does not go to the next IP address in a pool until the DNS hits exceed the configured weight. After that, it moves on to the next IP address.

IP Overflow (ipo)

In a pool, there may be multiple IP addresses. The client needs to set the priority for each IP address by using the “sdns pool ip” command. For the “IPO” pool method, the last argument of the “sdns pool ip” command is the priority. The IPO method resolves a host name to the related healthy IP address with the highest priority.

Hash IP (hi)

SDNS selects an IP address from all the IP addresses in a pool according to a hash number for the local DNS. The hash number is calculated via a hash function. As long as the hash number has the same value, the same IP address will be returned.

Persistent IP (pi)

When the SDNS server receives the first query request from a local DNS server, it will return the first IP address in the SDNS pool and record the returned IP address and the local DNS server’s IP address. Hereafter, the recorded IP address will always be returned as response to the same query request until the local DNS times out. A timeout value shall be set for the local DNS in this pool method by using the command “sdns persistent timeout”. In the meantime, the SDNS server counts the number of times an IP address is returned. When the number exceeds the weight value of the IP address, the SDNS server will return the next IP address as response to the query request from the unrecorded local DNS servers.
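The Hash IP and Persistent IP pool methods, as an added example that is not FortiBalancer code: `hi` maps the local DNS server's address through a hash onto the pool, so the same local DNS keeps getting the same IP while the pool is unchanged; `pi` records the IP handed to each local DNS server until the configured timeout, counts how often each pool IP has been handed out and moves to the next IP once that count reaches the IP's weight. The hash function (SHA-256 truncated to 32 bits), the decision to refresh a record's timestamp on every query, and the sample addresses are assumptions made for this illustration.

```python
# Added example, not FortiBalancer code: the "hi" and "pi" pool methods.
# Hash choice, timestamp refresh and sample addresses are assumptions.
import hashlib
import time


def hash_ip_select(pool_ips, local_dns_ip):
    """hi: the same local DNS address always yields the same pool IP, as
    long as the pool membership (and therefore its length) is unchanged."""
    digest = hashlib.sha256(local_dns_ip.encode()).digest()
    h = int.from_bytes(digest[:4], "big")
    return pool_ips[h % len(pool_ips)]


class PersistentIPPool:
    """pi: sticky answers per local DNS server, with weighted rotation for
    local DNS servers that have no record yet."""

    def __init__(self, weighted_ips, timeout, clock=time.monotonic):
        self.ips = [ip for ip, _ in weighted_ips]
        self.weight = dict(weighted_ips)
        self.timeout = timeout           # "sdns persistent timeout" value
        self.clock = clock               # injectable for testing
        self.table = {}                  # local DNS ip -> (pool ip, last seen)
        self.pos = 0                     # pool IP currently handed out
        self.count = 0                   # times that IP has been handed out

    def resolve(self, local_dns_ip):
        now = self.clock()
        rec = self.table.get(local_dns_ip)
        if rec is not None and now - rec[1] < self.timeout:
            self.table[local_dns_ip] = (rec[0], now)   # refresh the record
            return rec[0]
        ip = self.ips[self.pos]
        self.count += 1
        if self.count >= self.weight[ip]:
            self.pos = (self.pos + 1) % len(self.ips)
            self.count = 0
        self.table[local_dns_ip] = (ip, now)
        return ip

    def expire(self):
        """Drop records older than the timeout (housekeeping)."""
        now = self.clock()
        self.table = {k: v for k, v in self.table.items()
                      if now - v[1] < self.timeout}
        return len(self.table)


if __name__ == "__main__":
    pool = ["10.1.0.1", "10.1.0.2", "10.1.0.3"]
    print("hi:", hash_ip_select(pool, "192.0.2.10"), hash_ip_select(pool, "192.0.2.10"))
    pi = PersistentIPPool([("10.1.0.1", 2), ("10.1.0.2", 1)], timeout=60)
    for dns in ("192.0.2.10", "192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print("pi:", dns, "->", pi.resolve(dns))
```

The persistence table grows by one entry per local DNS server seen, so `expire()` (or an equivalent bounded table) matters on a resolver that faces the whole Internet: without a timeout the table is an unbounded memory sink.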

Simple Network Management Protocol (snmp)

By using the SNMP protocol, the SDNS server will collect the running status information of load balancing appliances or application servers at specified interval. The information collected includes six types: CPU usage, memory usage, total concurrent connections, new connections, throughput and user-defined SNMP service.

Since each commonly used SNMP service has a general OID (there might be a group of OIDs for throughput), besides the system-defined SNMP services, users can also define the OIDs of the SNMP services they need. This greatly facilitates administrators’ work.

When the SDNS server sends SNMP requests to the load balancing appliances or application servers to check their running status, the load balancing appliances or application servers will return the requested status information to the SDNS server. The information will be saved on the SDNS server and used together with the DNS resolving policies configured on the SDNS server for DNS resolving.

Note: The SDNS SNMP service can only be configured in the address pool of the load balancing appliances or application servers which are configured with the “region” method.


Figure 14-3 SDNS SNMP

The SNMP protocol is used to collect status information of load balancing appliances or application servers. To ensure the security of the information exchange, users can configure the SNMP community required by the load balancing appliances or application servers by using the command “sdns snmp ip”. Each appliance reports its status to the SDNS server. Upon receiving such a status report, the SDNS server re-calculates the IP priority information it saves for DNS resolving.

If only one SNMP service has been selected, in the “des” mode, the SDNS server will resolve the domain name to the IP address with the highest SNMP service value; while in the “asc” mode, the SDNS server will resolve the domain name to the IP address with the lowest SNMP service value. If multiple SNMP services have been selected, users need to execute the command “sdns pool snmp” to set a weight value for each SNMP service.

The weight value of each host can be calculated according to the following formula:

metric = snmp service1 * weight1 + snmp service2 * weight2 + snmp service3 * weight3

The SDNS server will do DNS resolving based on the SNMP service value and configured weight value, and the IP address of the load balancing appliance or application server in the optimal status will be selected.
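The metric formula above and the “des”/“asc” selection, carried through on sample poll results as an added example (not FortiBalancer code): every configured service contributes value × weight, the mode decides whether the highest or the lowest metric wins, and hosts whose poll data is incomplete are skipped so that a missing value cannot masquerade as zero load. The service names, the weights, the poll values and the handling of incomplete data are assumptions made for this illustration.

```python
# Added example, not FortiBalancer code: the SNMP metric formula applied
# to polled values. Service names, weights and poll data are assumptions.


def snmp_metric(values, weights):
    """metric = service1 * weight1 + service2 * weight2 + ... over the
    configured services; None if any configured service was not polled."""
    for service in weights:
        if service not in values:
            return None
    return sum(values[s] * w for s, w in weights.items())


def select_by_snmp(hosts, weights, mode="des"):
    """hosts: {ip: {service: polled value}}. 'des' picks the highest metric,
    'asc' the lowest. Hosts with incomplete poll data are skipped."""
    if mode not in ("des", "asc"):
        raise ValueError("mode must be 'des' or 'asc'")
    scored = {}
    for ip, values in hosts.items():
        metric = snmp_metric(values, weights)
        if metric is not None:
            scored[ip] = metric
    if not scored:
        return None
    pick = max if mode == "des" else min
    return pick(scored, key=scored.get)


# constructed poll results: percent CPU, percent memory, concurrent conns
HOSTS = {
    "10.2.0.1": {"cpu": 70, "mem": 60, "conns": 900},
    "10.2.0.2": {"cpu": 30, "mem": 50, "conns": 400},
    "10.2.0.3": {"cpu": 20},   # memory and connection polls timed out
}

if __name__ == "__main__":
    # load metrics: lower is better, so "asc" with all three services weighted
    print(select_by_snmp(HOSTS, {"cpu": 1, "mem": 1, "conns": 0.1}, "asc"))
    # a single service: "asc" on CPU only picks the least loaded CPU
    print(select_by_snmp(HOSTS, {"cpu": 1}, "asc"))
```

With the three-service weighting, 10.2.0.3 is skipped because two of its polls are missing, and 10.2.0.2 wins with a metric of 120 against 220 for 10.2.0.1; on CPU alone, 10.2.0.3 wins in “asc” mode and 10.2.0.1 in “des” mode.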

14.2.11 SDNS Pool Switchover

If the “region” method is configured for a domain name and the SDNS pool of the domain name uses the “IP overflow (IPO)” method, the SDNS module automatically selects the IP address with the highest priority from the SDNS pool when resolving the domain name. If the resolved IP address becomes unavailable, the available IP address with the second highest priority in the SDNS pool is resolved. However, the newly resolved IP address may not be the desired IP address. To solve this issue, the FortiBalancer appliance supports manually switching the resolved IP address to the desired IP address according to actual requirements.

In addition, when the resolved IP address switching is required for multiple domain names, you can add these domain names to a group and switch the resolved IP addresses for a group of domain names in batch.
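The IPO selection used by the “llb dns host” entries (14.2.2.5) and by the “ipo” pool method (14.2.10), together with the manual and batch switchover described in this section, as an added example that is not FortiBalancer code: the healthy IP with the highest priority is returned unless an administrator has switched the domain to a specific IP, and a group switchover validates every target before changing any pool so that a typo in one domain does not leave the group half switched. The class names, the health flags, the group interface and the sample addresses and domain names are assumptions made for this illustration.

```python
# Added example, not FortiBalancer code: IPO selection plus manual and
# batch switchover. Class names, health handling and the group interface
# are assumptions made for this illustration.


class IPOPool:
    def __init__(self, entries):
        """entries: (ip, priority) pairs; a higher priority is preferred."""
        self.order = [ip for ip, _ in sorted(entries, key=lambda e: -e[1])]
        self.healthy = {ip: True for ip, _ in entries}
        self.forced = None   # IP chosen by manual switchover, if any

    def set_health(self, ip, ok):
        self.healthy[ip] = ok

    def switchover(self, ip):
        if ip not in self.healthy:
            raise KeyError(f"{ip} is not in this pool")
        self.forced = ip

    def clear_switchover(self):
        self.forced = None

    def resolve(self):
        """The manually switched IP if it is healthy, otherwise the healthy
        IP with the highest priority; None when no IP is healthy."""
        if self.forced is not None and self.healthy[self.forced]:
            return self.forced
        for ip in self.order:
            if self.healthy[ip]:
                return ip
        return None


class SwitchoverGroup:
    """Batch switchover for the pools of several domain names."""

    def __init__(self, pools):
        self.pools = dict(pools)   # domain name -> IPOPool

    def switchover(self, targets):
        """targets: domain name -> desired IP. Every target is validated
        before any pool is changed, so the group never ends up half switched."""
        for domain, ip in targets.items():
            if domain not in self.pools or ip not in self.pools[domain].healthy:
                raise KeyError(f"{domain}: {ip} is not a pool member")
        for domain, ip in targets.items():
            self.pools[domain].switchover(ip)

    def resolve_all(self):
        return {domain: pool.resolve() for domain, pool in self.pools.items()}


if __name__ == "__main__":
    # constructed pool: priorities 30 > 20 > 10
    pool = IPOPool([("10.9.0.1", 30), ("10.9.0.2", 20), ("10.9.0.3", 10)])
    print(pool.resolve())                 # 10.9.0.1
    pool.set_health("10.9.0.1", False)
    print(pool.resolve())                 # 10.9.0.2, the automatic fallback
    pool.switchover("10.9.0.3")
    print(pool.resolve())                 # 10.9.0.3, the administrator's choice
```

A forced IP that later fails health checks is not returned; the pool falls back to priority order, which keeps the manual switch from becoming an outage if the chosen server goes down.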

