Proxy mode
First, here is an example of a typical load balancer setup configured to use proxy mode. This mode is probably the most common type of load balancing. In this mode, the service points don't see the real source IP of the DNS client; they see the source IP of the private side of the load balancer.
Step | Source IP | Source MAC | Destination IP | Destination MAC |
1 | 10.0.0.1 | 00:01:aa:bb:cc:dd:01 | 10.0.0.10 | 00:01:aa:bb:cc:dd:0a |
2 | 10.0.0.11 | 00:01:aa:bb:cc:dd:0b | 10.0.0.100 | 00:01:aa:bb:cc:dd:64 |
3 | 10.0.0.100 | 00:01:aa:bb:cc:dd:64 | 10.0.0.11 | 00:01:aa:bb:cc:dd:0b |
4 | 10.0.0.10 | 00:01:aa:bb:cc:dd:0a | 10.0.0.1 | 00:01:aa:bb:cc:dd:01 |
In this example, the steps are as follows:
- The client sends a query to the VIP on the load balancer.
- The load balancer selects a server from the farm and initiates its own connection to the server.
- The server replies to the load balancer.
- The load balancer sends the reply to the client.
In this mode, there are two connections: one from the client to the load balancer’s public VIP, and one from the load balancer’s private IP to the server farm. The load balancer maintains the map of client-side connections to server-side connections and is basically performing NAT.
DSR mode
Now consider the following DSR mode load balancing example. In this mode, the client’s IP is passed through to the server farm. The connection to the servers isn't proxied.
Step | Source IP | Source MAC | Destination IP | Destination MAC |
1 | 10.0.0.1 | 00:01:aa:bb:cc:dd:01 | 10.0.0.10 | 00:01:aa:bb:cc:dd:0a |
2 | 10.0.0.1 | 00:01:aa:bb:cc:dd:01 | 10.0.0.10 | 00:01:aa:bb:cc:dd:64 |
3 | 10.0.0.10 | 00:01:aa:bb:cc:dd:64 | 10.0.0.1 | 00:01:aa:bb:cc:dd:01 |
In this example, the steps are as follows:
- The client sends a query to the VIP on the load balancer.
- The load balancer selects a server from the farm and passes the packet through unmodified with the exception of the MAC address.
- The server replies directly to the client through the default gateway (not back through load balancer).
The key to making this work is that the service points must be configured with the VIP as a secondary address that doesn't ARP. This is commonly implemented on the loopback (lo) interface. With this configuration, each service point is able to respond to packets that reach it using the VIP as the destination IP address. Because load balancing is done at Layer 2, and each request has the same destination IP address, all service points can respond in this way. This configuration allows reply traffic to return to the clients as if it originated from the load balancer’s public VIP.
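One way to check the "VIP on lo that doesn't ARP" requirement on a service point, as an added example that is not part of the original page. It assumes the service points run Linux with iproute2, and that ARP behaviour is controlled through the kernel's `arp_ignore` and `arp_announce` sysctls; the function name and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Linux service point for the DSR prerequisites.
# Assumptions: Linux, iproute2 output format; addresses taken from the tables.

# Constructed sample of `ip -o -4 addr show` on a service point (not real output).
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
1: lo    inet 10.0.0.10/32 scope global lo
2: eth0    inet 10.0.0.100/24 brd 10.0.0.255 scope global eth0'

# dsr_audit VIP ADDR_DUMP ARP_IGNORE ARP_ANNOUNCE
#   ADDR_DUMP     text of `ip -o -4 addr show`
#   ARP_IGNORE    effective net.ipv4.conf.*.arp_ignore on the serving interface
#   ARP_ANNOUNCE  effective net.ipv4.conf.*.arp_announce on the serving interface
# (the kernel uses the higher of conf/all and conf/<interface> for both).
# Prints one line per problem and returns 0 only if nothing was found.
dsr_audit() {
    vip=$1 addrs=$2 ignore=$3 announce=$4 rc=0
    # Names of the interfaces that carry the VIP, one per line.
    ifaces=$(printf '%s\n' "$addrs" | awk -v vip="$vip" \
        '$3 == "inet" { split($4, a, "/"); if (a[1] == vip) print $2 }')
    if ! printf '%s\n' "$ifaces" | grep -qx 'lo'; then
        echo "FAIL: VIP $vip is not bound to lo"; rc=1
    fi
    if printf '%s\n' "$ifaces" | grep -v '^$' | grep -qvx 'lo'; then
        echo "FAIL: VIP $vip is bound to a non-loopback interface"; rc=1
    fi
    # 1 and 2 answer ARP only for addresses on the receiving interface,
    # 8 answers for no local address; 0 would answer for the VIP on lo.
    case $ignore in
        1|2|8) ;;
        *) echo "FAIL: arp_ignore=$ignore, host may answer ARP for the VIP"; rc=1 ;;
    esac
    # 2 keeps the VIP from being used as the sender address in ARP requests.
    [ "$announce" = 2 ] || {
        echo "FAIL: arp_announce=$announce, host may advertise the VIP in ARP"; rc=1
    }
    return $rc
}

# Stand-alone run against the constructed sample.
dsr_audit 10.0.0.10 "$SAMPLE_ADDRS" 1 2 && echo "OK: service point is ready for DSR"
```

A service point that fails the ARP checks can end up claiming the VIP's MAC binding on the segment, so traffic reaches it directly instead of through the load balancer.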