Julien Pivotto
Inuits.eu
Open Source Consultant
@roidelapluie
roidelapluie@inuits.eu
HAProxy as
Egress Controller
HAProxyConf - November 12
Introduction
Setting up the scene
HAProxy, the other way around
We use HAProxy in a quite unusual way...
● send requests to the external world
● initialize TLS with the external world
● throttle requests to the external world
Context
● Healthcare services in Belgium
● Transmitting millions of messages every day between different parties
○ Thousands of users
○ Dozens of partners
● Dozens of services: Monolith & Microservices
● Long lived services & technologies (> 10 years)
● SOAP-XML & REST-JSON
Challenges
● Ensure that transactions are successful
● Monitor and react upon failure at partners
● Provide a unified view over calls to the outside world
● Use modern technology (latest TLS versions, SNI), even with old apps
● Authenticate requests
● Make it easy for application owners to interact with the outside world
Architecture
First things first
● HAProxy is isolated from Apps
● Only HAProxy has Internet Access
How HTTPS forward proxies work
● HTTPS forward proxies just open TCP sockets and pass them on to clients
● Clients are in charge of the whole TLS connection
● Proxies do not see the content of requests
Initiating TLS requests from HAProxy
● Client connects to HAProxy in TLS
● HAProxy connects to external partner in TLS
Identifying requests
Instead of calling:
https://www.example.com/helloworld
Application “myback” will call:
https://proxy.inuits.eu/myback/prod/example/prod/high/helloworld
Wait … What?
Instead of calling:
https://www.example.com/helloworld
Application “myback” will call:
https://proxy.inuits.eu/myback/prod/example/prod/www/high/helloworld
Proxy URL composition
https://proxy.inuits.eu/
<APP>/<ENV>/
<PARTNER>/<ENV>/<APP>/
<SLA>/
<PATH>
Identifies the caller app, the partner app and the expected response time.
What the URL tells us ...
https://proxy.inuits.eu/myback/prod/example/prod/www/high/helloworld
The application myback in production
is calling the URI /helloworld
of the service www of the partner example in production
and expects a quick answer (high SLA)
If you can read one, you can read all of them.
First remarks
● Use HTTPS internally:
○ Before HAProxy, the apps made direct HTTPS connections to the partners.
○ Everything that was encrypted stays encrypted in the new model.
● Applications need to change the URL they use to contact partners.
● This method “cuts” TLS: there are two HTTPS connections (one from the app to
HAProxy and one from HAProxy to the partner).
Access Control
Easy Access control: IP-Based
We use HAProxy ACLs to define who our clients are.
frontend proxy
    acl client:myback:prod src 172.21.132.0/25
    acl client:myback:dev src 172.21.131.0/25
    acl client:myback:acc src 172.21.130.0/25
    acl client:legback:dev src 172.21.132.2 172.21.132.4
    acl client:3rdapp:prod src 172.21.132.0/25
ACL Name = client:<application-name>:<application-env>
Who accesses what?
Remember:
https://proxy.inuits.eu/myback/prod/example/prod/www/high/helloworld
frontend proxy
    acl client:myback:prod src 172.21.132.0/25
    acl partner:myback:prod:example:prod:www:high path_beg /myback/prod/example/prod/www/high
    use_backend example:prod:www:high if partner:myback:prod:example:prod:www:high client:myback:prod
Use the specific backend only if the URL matches a known route AND the request
comes from the IP range of the app named in that URL.
Where are we?
● The client identifies itself in the URL
● HAProxy checks that the app named in the URL matches the source IP address
○ Monitoring purpose
○ IP-based ACL is not security
● The client identifies the partner, env and app it wants to reach
● An “SLA” selects a backend that is configured with matching timeouts
HAProxy features used so far...
● ACL with source IP address
● ACL with path_beg to match the start of the URI
● use_backend to specify the backend to use depending on conditions
Note: in our case, “backend” is an external partner.
SLAs
SLAs are simply timeouts.
Timeouts are set per backend in HAProxy.
Some transactions are expected to last several minutes, others a few
milliseconds. Defining those timeouts in each application is not practical, but
you want safe values to avoid blocking your app because a partner responds
slowly.
Our “SLA” levels towards partners
1. Asynchronous calls: low - posting big files
a. 301 s (client, server)
b. 5 s (connect)
2. Normal calls: medium
a. 31s (server)
b. 5s (client)
c. 1s (connect)
3. Synchronous calls: high - an end-user is waiting behind their screen
a. 11s (server)
b. 5s (client)
c. 1s (connect)
4. Specific SLA for specific apps (3s up to 3000s)
One backend per partner per SLA
backend example:prod:www:high
    timeout connect 1000
    timeout client 5000
    timeout server 11000
    timeout http-request 5000
    timeout queue 0s
Each “SLA” requires a backend.
We disable queuing.
Masquerading requests
HAProxy isn’t a forward proxy!
How do we make the request we want?
Instead of calling:
https://proxy.inuits.eu/myback/prod/example/prod/www/high/helloworld
We want to call:
https://www.example.com/helloworld
What needs to change?
● Hostname
● SNI
● Path
Altering the query
backend example:prod:www:high
    balance first
    http-request set-header Host www.example.com
    reqrep ^([^\ ]*\ )/[a-zA-Z0-9-]+/[a-z]+/example/prod/www/high[/]?(.*) \1/\2
    fullconn 20
    server www www.example.com:443 maxconn 20 sni str(www.example.com) ssl ca-file /etc/ssl/certs/ca-bundle.crt resolvers mydns resolve-prefer ipv4
Step by step: changing URI
From /myback/prod/example/prod/www/high/helloworld to /helloworld
backend example:prod:www:high
    reqrep ^([^\ ]*\ )/[a-zA-Z0-9-]+/[a-z]+/example/prod/www/high[/]?(.*) \1/\2
reqrep rewrites the HTTP request line: \1 captures the method (with the space
after it, escaped as “\ ” so the config parser keeps it inside the regex) and \2
captures whatever follows the proxy prefix; the two are glued back together
around a single “/”.
From … POST /myback/prod/example/prod/www/high/helloworld
To … POST /helloworld
Step by step: changing the hostname
Two different things: the HTTP Host header and the TLS SNI extension.
SNI: TLS extension that carries the hostname during the TLS negotiation.
backend example:prod:www:high
    http-request set-header Host www.example.com
    server www www.example.com:443 sni str(www.example.com) ssl ca-file /etc/ssl/certs/ca-bundle.crt
We validate the partner’s certificate against the OS CA bundle (HAProxy verifies
server certificates by default; this relies on the global ssl-server-verify
staying at its default of required, otherwise add verify required to the
server line).
HAProxy features used...
● reqrep to alter the request line and change the URI (deprecated in HAProxy
2.0 and removed in 2.1, where http-request replace-uri / replace-path take its place)
● http-request set-header to change/add a header
● The str() sample fetch to turn a literal string into a sample
● The sni keyword to tell HAProxy to send SNI to the backends
Note: in our case, “backend” is not a “backend”, it is an external partner.
A word about DNS ...
Remember our backend?
backend example:prod:www:high
    resolvers mydns resolve-prefer ipv4

resolvers mydns
    nameserver dns1 172.21.16.6:53
    nameserver dns2 172.21.16.34:53
    timeout resolve 1s
    timeout retry 1s
    resolve_retries 5
    hold other 10s
    hold refused 10s
    hold nx 10s
    hold timeout 10s
    hold valid 300s
    hold obsolete 10s
Lessons learned about DNS
● When DNS resolution fails, the error message in the logs is unclear
● HAProxy uses OS DNS resolution at startup, not resolvers
○ If a hostname is in /etc/hosts, HAProxy will accept the config, but the backend won’t work
○ Same can happen if local resolver (/etc/resolv.conf) != HAProxy resolvers section
Who needs DNS anyway?
Real world scenario:
● Partner does not publish DNS entries
● Partner does not publish DNS entries … yet
● Partner uses the same hostname but with different IP addresses for
different environments (don’t ask why...)
NO-DNS Scenario
backend example:prod:www:high
    http-request set-header Host www.example.com
    server www 93.184.216.34:443 sni str(www.example.com) ssl ca-file /etc/ssl/certs/ca-bundle.crt
With this configuration no DNS entry is required: HAProxy still rewrites the
Host header and sends the correct SNI, and the certificate is still checked
against the hostname given to sni.
Advanced topics
Canary releases
Objective: redirect X % of requests to a new service at partner (requests stay
the same)
frontend proxy
    http-request set-path /myback/prod/example/prod/www2/high if { path /myback/prod/example/prod/www/high } { rand(100) lt 10 }
If this rule is placed before the ACLs used by use_backend, the rewritten path
is the one those ACLs evaluate, so 10% of the traffic for www is routed to www2.
Note that path is an exact match and set-path replaces the whole path: as
written, the rule only affects requests whose path is exactly the prefix; to
carry the rest of the URI along, match with path_beg and rewrite with a regex
(reqrep here, http-request replace-path in newer versions).
Point in time roll out
Objective: a partner informs us that on Sunday at 10AM they will change their URL/URI.
Before: putting someone on call to change all the apps at 10AM.
Now:
frontend proxy
    http-request set-path /myback/prod/example/prod/www2/high if { path /myback/prod/example/prod/www/high } { date() ge 1571558400 }
Advanced SSL
Interesting SSL keywords:
● 2-way SSL with a client certificate: crt <path to the crt file> on the server line
● Force a TLS version: force-tlsv12 ensures that we only talk TLS 1.2 to the
backend
Setup & maintenance
Configuration Management
● This setup produces a big file (4895 lines)
● But the input is minimal:
○ Who the clients are
○ Who the partners are
○ What the SLAs are
● Then we use Ansible to mix them all
● Achievements:
○ Decouple the data from the config
○ Abstract HAProxy knowledge away from developers, who only need to edit high-level YAML files
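The generation step above, as an added example that is not the project's Ansible code: a Python script renders the frontend ACLs, the use_backend rules and one backend per partner/service/SLA from a constructed data model (clients, partners, SLAs, routes), and previews the reqrep rewrite with Python's re. The networks, hostnames, maxconn values and the route list are constructed; only the connect/server timeouts are rendered per backend.

```python
import re

# Constructed inputs standing in for the high-level YAML files app owners maintain.
CLIENTS = {
    # (app, env): source networks allowed to claim that identity
    ("myback", "prod"): ["172.21.132.0/25"],
    ("myback", "dev"): ["172.21.131.0/25"],
    ("legback", "dev"): ["172.21.132.2", "172.21.132.4"],
}
PARTNERS = {
    # (partner, env, service): (hostname to masquerade to, max concurrent connections)
    ("example", "prod", "www"): ("www.example.com", 20),
}
SLAS = {
    # name: (connect, server) timeouts in ms, taken from the "SLA levels" slide.
    # HAProxy honours "timeout client" only in frontend/defaults, so it is not
    # rendered per backend here.
    "low": (5000, 301000),
    "medium": (1000, 31000),
    "high": (1000, 11000),
}
ROUTES = [
    # (client app, client env, partner, partner env, service, sla)
    ("myback", "prod", "example", "prod", "www", "high"),
    ("myback", "dev", "example", "prod", "www", "medium"),
]


def backend_name(partner, penv, service, sla):
    return f"{partner}:{penv}:{service}:{sla}"


def reqrep_pattern(partner, penv, service, sla):
    # Same shape as the deck's reqrep: \1 keeps "METHOD ", \2 keeps what follows
    # the proxy prefix. Spaces are backslash-escaped so the HAProxy config parser
    # keeps them inside the regex; Python's re accepts the same escape.
    return rf"^([^\ ]*\ )/[a-zA-Z0-9-]+/[a-z]+/{partner}/{penv}/{service}/{sla}[/]?(.*)"


def render_frontend(clients, routes):
    lines = ["frontend proxy"]
    for (app, env), nets in sorted(clients.items()):
        lines.append(f"    acl client:{app}:{env} src {' '.join(nets)}")
    for app, env, partner, penv, svc, sla in routes:
        acl = f"partner:{app}:{env}:{partner}:{penv}:{svc}:{sla}"
        lines.append(f"    acl {acl} path_beg /{app}/{env}/{partner}/{penv}/{svc}/{sla}")
        # Route only when the path claims an app AND the source IP belongs to it.
        lines.append(f"    use_backend {backend_name(partner, penv, svc, sla)} if {acl} client:{app}:{env}")
    return "\n".join(lines)


def render_backend(partner, penv, service, sla, host, maxconn, slas):
    connect, server = slas[sla]
    return "\n".join([
        f"backend {backend_name(partner, penv, service, sla)}",
        f"    timeout connect {connect}",
        f"    timeout server {server}",
        "    timeout queue 0s",
        f"    http-request set-header Host {host}",
        "    reqrep " + reqrep_pattern(partner, penv, service, sla) + r" \1/\2",
        f"    server www {host}:443 maxconn {maxconn} sni str({host}) ssl"
        " ca-file /etc/ssl/certs/ca-bundle.crt resolvers mydns resolve-prefer ipv4",
    ])


def render_config(clients, partners, slas, routes):
    parts = [render_frontend(clients, routes)]
    rendered = set()
    for _, _, partner, penv, svc, sla in routes:
        key = (partner, penv, svc, sla)
        if key in rendered:
            continue  # one backend per partner/service/SLA, shared by all clients
        rendered.add(key)
        host, maxconn = partners[(partner, penv, svc)]
        parts.append(render_backend(partner, penv, svc, sla, host, maxconn, slas))
    return "\n\n".join(parts)


def rewrite_request_line(request_line, partner, penv, service, sla):
    """Preview the reqrep rewrite with Python's re (same regex, same \\1/\\2)."""
    return re.sub(reqrep_pattern(partner, penv, service, sla), r"\1/\2", request_line)


if __name__ == "__main__":
    print(render_config(CLIENTS, PARTNERS, SLAS, ROUTES))
```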
Monitoring
● Make HAProxy log to a file
● Read the file and you will see:
○ client/env
○ partner/env
○ backend actually used (useful for canaries etc.)
○ status
○ duration
● We use: Prometheus, Grafana, haproxy_exporter, mtail
mtail metrics
Parsing the HAProxy log file to get Prometheus metrics that match our URL model.
sum(rate(http_requests_duration_ms_count{
    partner="example", partner_env="prod", partner_service="www",
    client="myback", client_env="prod"
}[5m])) by (code)
github.com/roidelapluie/haproxy-egress
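Added example (not from the talk or the linked repository) covering both the URL model of “What the URL tells us” and the log parsing behind the mtail metrics: it splits a proxy path into client/env, partner/env, service and SLA, parses HAProxy httplog lines, and aggregates counts and durations per status code plus the backend actually used. The log lines are constructed, and the assumption is the default httplog format with a syslog prefix.

```python
import re
from collections import Counter, defaultdict

# Path layout from the "Proxy URL composition" slide:
#   /<APP>/<ENV>/<PARTNER>/<ENV>/<SERVICE>/<SLA>/<PATH>[?query]
PATH_RE = re.compile(
    r"^/(?P<client>[a-zA-Z0-9-]+)/(?P<client_env>[a-z]+)"
    r"/(?P<partner>[a-zA-Z0-9-]+)/(?P<partner_env>[a-z]+)"
    r"/(?P<partner_service>[a-zA-Z0-9-]+)/(?P<sla>[a-z0-9]+)"
    r"(?P<path>/[^ ?]*)?(?:\?[^ ]*)?$"
)

# Fields of HAProxy's default "httplog" format after the syslog prefix: client,
# accept date, frontend, backend/server, timers, status, bytes, two captured
# cookies, termination state, connection counters, queues, request line.
LOG_RE = re.compile(
    r"(?P<src>\S+):\d+ \[(?P<date>[^\]]+)\] (?P<frontend>\S+) "
    r"(?P<backend>[^/ ]+)/(?P<server>\S+) (?P<timers>[-\d/]+) (?P<status>-?\d+) "
    r'\d+ \S+ \S+ (?P<term>\S{4}) \S+ \S+ "(?P<request>[^"]*)"$'
)

# Constructed log lines (not from the talk): three OK calls, one of which the
# canary rule sent to www2 (the logged request line is the one the app sent,
# the backend field shows where it went), one 503 from a slow partner, and one
# request that does not follow the URL model.
SAMPLE_LOG = """\
Nov 12 10:00:01 egress haproxy[2214]: 172.21.132.5:51234 [12/Nov/2019:10:00:01.017] proxy~ example:prod:www:high/www 0/0/12/34/46 200 512 - - ---- 3/3/1/1/0 0/0 "POST /myback/prod/example/prod/www/high/helloworld HTTP/1.1"
Nov 12 10:00:02 egress haproxy[2214]: 172.21.132.5:51235 [12/Nov/2019:10:00:02.201] proxy~ example:prod:www:high/www 0/0/11/30/41 200 480 - - ---- 3/3/1/1/0 0/0 "GET /myback/prod/example/prod/www/high/status?verbose=1 HTTP/1.1"
Nov 12 10:00:03 egress haproxy[2214]: 172.21.132.5:51236 [12/Nov/2019:10:00:03.444] proxy~ example:prod:www2:high/www 0/0/9/20/29 200 480 - - ---- 3/3/1/1/0 0/0 "POST /myback/prod/example/prod/www/high/helloworld HTTP/1.1"
Nov 12 10:00:04 egress haproxy[2214]: 172.21.132.5:51237 [12/Nov/2019:10:00:04.900] proxy~ example:prod:www:high/www 0/0/-1/-1/1001 503 212 - - sC-- 3/3/1/1/0 0/0 "POST /myback/prod/example/prod/www/high/helloworld HTTP/1.1"
Nov 12 10:00:05 egress haproxy[2214]: 172.21.132.9:40000 [12/Nov/2019:10:00:05.000] proxy~ proxy/<NOSRV> 0/-1/-1/-1/0 403 187 - - PR-- 3/3/0/0/0 0/0 "GET /healthz HTTP/1.1"
"""


def parse_proxy_path(path):
    """Split a proxy path into the URL-model labels; None if it does not fit."""
    m = PATH_RE.match(path)
    if m is None:
        return None
    labels = m.groupdict()
    labels["path"] = labels["path"] or "/"   # prefix only: partner sees "/"
    return labels


def parse_log_line(line):
    m = LOG_RE.search(line)
    if m is None:
        return None
    parts = m.group("request").split(" ")
    if len(parts) != 3:                      # "<BADREQ>" or a truncated request
        return None
    method, uri, _version = parts
    labels = parse_proxy_path(uri)
    if labels is None:                       # e.g. /healthz: not an egress call
        return None
    timers = m.group("timers").split("/")
    return {
        **labels,
        "method": method,
        "backend": m.group("backend"),       # backend actually used (shows canaries)
        "code": m.group("status"),
        "duration_ms": int(timers[-1]),      # last timer: total time, -1 if aborted
        "term": m.group("term"),
    }


def aggregate(lines):
    """Counts and durations per (client, client_env, partner, partner_env,
    service, code), plus requests per backend actually used."""
    counts = Counter()
    durations = defaultdict(list)
    backends = Counter()
    for line in lines:
        r = parse_log_line(line)
        if r is None:
            continue
        key = (r["client"], r["client_env"], r["partner"], r["partner_env"],
               r["partner_service"], r["code"])
        counts[key] += 1
        backends[r["backend"]] += 1
        if r["duration_ms"] >= 0:
            durations[key].append(r["duration_ms"])
    return counts, durations, backends


if __name__ == "__main__":
    for key, n in aggregate(SAMPLE_LOG.splitlines())[0].items():
        print(key, n)
```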
Conclusion
How we did it
● Abstract the configuration into simple concepts (client, partner, SLA) for config management
○ App maintainers provide simple input
○ Config management tools turn the input into an HAProxy config file
● Put correct monitoring in place (analysing log files)
● Use advanced HAProxy features
The benefits
● Full understanding of our applications’ egress traffic
● Detailed metrics about connectivity and response time of partners
● Quick alerts when partners are not responding
○ Identification of the apps
○ Quick evaluation of business impact
● Egress with a modern TLS stack (TLS 1.2)
● Unified timeouts / tcp retries rules
● Delegated 2-way SSL (client certificates)
● DNS bypass, canary releases, date-triggered URL changes…
● Flexibility over requests without restarting the client apps!
Questions & Answers
Julien Pivotto
Inuits.eu
Open Source Consultant
@roidelapluie
roidelapluie@inuits.eu
Thank you

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 

Recently uploaded (20)

SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 

HAProxy as Egress Controller

13. What the URL tells us ...
https://proxy.inuits.eu/myback/prod/example/prod/www/high/helloworld
The application myback in production is calling the URI /helloworld of the service www of the partner example in production and expects a quick answer (high SLA).
If you can read one, you can read all of them.

14. First remarks
● Use HTTPS internally:
○ Before HAProxy, direct HTTPS connections were made from the apps.
○ Everything that was encrypted stays encrypted in the new model.
● Applications need to change the URL they use to contact partners.
● This method “cuts” TLS: there are two HTTPS connections (one to HAProxy and one from HAProxy).
16. Easy access control: IP-based
We use HAProxy ACLs to define who our clients are.

frontend proxy
  acl client:myback:prod src 172.21.132.0/25
  acl client:myback:dev src 172.21.131.0/25
  acl client:myback:acc src 172.21.130.0/25
  acl client:legback:dev src 172.21.132.2 172.21.132.4
  acl client:3rdapp:prod src 172.21.132.0/25

ACL name = client:<application-name>:<application-env>

17. Who accesses what?
Remember: https://proxy.inuits.eu/myback/prod/example/prod/www/high/helloworld

frontend proxy
  acl client:myback:prod src 172.21.132.0/25
  acl partner:myback:prod:example:prod:www:high path_beg /myback/prod/example/prod/www/high
  use_backend example:prod:www:high if partner:myback:prod:example:prod:www:high client:myback:prod

Use the specific backend only if the URL matches a known backend and the request comes from the app’s IP address.

18. Where are we?
● The client identifies itself in the URL
● HAProxy checks that the app is correct against the source IP address
○ Monitoring purpose
○ IP-based ACL is not security
● The client identifies the partner, env, app it wants to reach
● A “SLA” is defined that redirects to a correctly configured backend

19. HAProxy features used so far...
● ACL with source IP address
● ACL with path_beg to match the start of the URI
● use_backend to specify the backend to use depending on conditions
Note: in our case, a “backend” is an external partner.
21. SLAs are simply: setting timeouts
Timeouts are set per backend in HAProxy. Some transactions are expected to last several minutes, others a few milliseconds.
Defining those timeouts in each application is not practical, but you want safe values to avoid blocking your app because partners respond slowly.

22. Our “SLA” levels towards partners
1. Asynchronous calls: low - posting big files
   a. 301 s (client, server)
   b. 5 s (connect)
2. Normal calls: medium
   a. 31 s (server)
   b. 5 s (client)
   c. 1 s (connect)
3. Synchronous calls: high - an end-user is waiting behind their screen
   a. 11 s (server)
   b. 5 s (client)
   c. 1 s (connect)
4. Specific SLA for specific apps (3 s up to 3000 s)

23. 1 backend / partner / SLA

backend example:prod:www:high
  timeout connect 1000
  timeout client 5000
  timeout server 11000
  timeout http-request 5000
  timeout queue 0s

Each “SLA” requires a backend. We disable queuing.
25. How to make the request we want
Instead of calling:
https://proxy.inuits.eu/myback/prod/example/prod/www/high/helloworld
We want to call:
https://www.example.com/helloworld
What needs to change?
● Hostname
● SNI
● Path

26. Altering the query

backend example:prod:www:high
  balance first
  http-request set-header Host www.example.com
  reqrep ^([^ ]* )/[a-zA-Z0-9-]+/[a-z]+/example/prod/www/high[/]?(.*) \1/\2
  fullconn 20
  server www www.example.com:443 maxconn 20 sni str(www.example.com) ssl ca-file /etc/ssl/certs/ca-bundle.crt resolvers mydns resolve-prefer ipv4

27. Step by step: changing the URI
From /myback/prod/example/prod/www/high/helloworld to /helloworld

backend example:prod:www:high
  reqrep ^([^ ]* )/[a-zA-Z0-9-]+/[a-z]+/example/prod/www/high[/]?(.*) \1/\2

reqrep replaces the HTTP request line: \1 is the METHOD (with its trailing space) and \2 the actual URI.
From … POST /myback/prod/example/prod/www/high/helloworld
To … POST /helloworld

28. Step by step: changing the hostname
2 different things: the HTTP Host header + the SNI extension of the TLS handshake.
SNI - TLS extension to specify the hostname upon TLS negotiation.

backend example:prod:www:high
  http-request set-header Host www.example.com
  server www www.example.com:443 sni str(www.example.com) ssl ca-file /etc/ssl/certs/ca-bundle.crt

We validate the partner’s certificate against the OS CA bundle.

29. HAProxy features used...
● reqrep to alter the request line and change the URI
● http-request set-header to change/add a header
● The str() function to work with strings
● The sni instruction to tell HAProxy to do SNI with the backends
Note: in our case, a “backend” is not a “backend”, it is an external partner.
30. A word about DNS ...

31. Remember our backend?

backend example:prod:www:high
  (server line) ... resolvers mydns resolve-prefer ipv4

resolvers mydns
  nameserver dns1 172.21.16.6:53
  nameserver dns2 172.21.16.34:53
  timeout resolve 1s
  timeout retry 1s
  resolve_retries 5
  hold other 10s
  hold refused 10s
  hold nx 10s
  hold timeout 10s
  hold valid 300s
  hold obsolete 10s

32. Lessons learned about DNS
● When DNS resolution fails, the error message in the logs is unclear
● HAProxy uses OS DNS resolution at startup, not resolvers
○ If a hostname is in /etc/hosts, HAProxy will accept the config, but the backend won’t work
○ The same can happen if the local resolver (/etc/resolv.conf) != HAProxy resolvers section

33. Who needs DNS anyway?
Real world scenario:
● Partner does not publish DNS entries
● Partner does not publish DNS entries … yet
● Partner uses the same hostname but with different IP addresses for different environments (don’t ask why...)

34. NO-DNS scenario

backend example:prod:www:high
  http-request set-header Host www.example.com
  server www 93.184.216.34:443 sni str(www.example.com) ssl ca-file /etc/ssl/certs/ca-bundle.crt

With this configuration, no DNS entry is required. HAProxy will still alter the query to set the hostname and do correct SNI.
36. Canary releases
Objective: redirect X % of requests to a new service at the partner (requests stay the same)

frontend proxy
  http-request set-path /myback/prod/example/prod/www2/high if { path /myback/prod/example/prod/www/high } { rand(100) lt 10 }

If that is set before the ACLs with use_backend, then this is the URI those ACLs will use, redirecting 10% of the traffic from www to www2.

37. Point in time roll out
Objective: the partner informs us that on Sunday 10AM they will change the URL/URI.
Before: putting someone on call to change all the apps at 10AM.
Now:

frontend proxy
  http-request set-path /myback/prod/example/prod/www2/high if { path /myback/prod/example/prod/www/high } { date() ge 1571558400 }

38. Advanced SSL
Interesting SSL keywords:
● 2-way SSL with client certificate: crt <path to the crt file>
● Force a TLS version: force-tlsv12 ensures that we talk to the backend only on TLS 1.2
40. Configuration management
● This setup produces a big file (4895 lines)
● But the input is minimal:
○ Who are the clients
○ Who are the partners
○ What are the SLAs
● Then, we use Ansible to mix them all
● Achievements:
○ Decouple the data from the config
○ Abstract HAProxy knowledge from developers, who just need to alter high-level YAML files
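Added example (not the talk's Ansible code or the haproxy-egress project): a small Python generator that turns the client/partner/SLA model from the slides into the frontend ACLs, use_backend rules and per-SLA backends shown on slides 16, 17, 23 and 26. The Client and Partner classes and the route list are assumptions standing in for the YAML input, and the rewrite uses http-request replace-path (HAProxy 2.2+) instead of the reqrep line on the slides.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical input model standing in for the talk's YAML files (not on the
# page): who the clients are, who the partners are, and the SLA per route.
@dataclass(frozen=True)
class Client:
    name: str
    env: str
    sources: tuple      # IPs / CIDRs accepted as this client's source address

@dataclass(frozen=True)
class Partner:
    name: str
    env: str
    service: str
    host: str           # real hostname: Host header and SNI value
    sla: str

# SLA levels from the slides, in milliseconds: (connect, client, server).
SLA_MS = {"low": (5000, 301000, 301000),
          "medium": (1000, 5000, 31000),
          "high": (1000, 5000, 11000)}

def backend_name(p):
    return f"{p.name}:{p.env}:{p.service}:{p.sla}"

def route_prefix(c, p):
    return f"/{c.name}/{c.env}/{p.name}/{p.env}/{p.service}/{p.sla}"

def render_frontend(clients, routes):
    """routes: (Client, Partner) pairs that are allowed to talk to each other."""
    for c in clients:
        for src in c.sources:       # catch typos before HAProxy refuses the file
            ipaddress.ip_network(src, strict=False)
    out = ["frontend proxy"]
    for c in clients:
        out.append(f"  acl client:{c.name}:{c.env} src {' '.join(c.sources)}")
    for c, p in routes:
        acl = f"partner:{c.name}:{c.env}:{backend_name(p)}"
        out.append(f"  acl {acl} path_beg {route_prefix(c, p)}")
        # both must hold: a known route AND the caller's own source range
        out.append(f"  use_backend {backend_name(p)} if {acl} client:{c.name}:{c.env}")
    return "\n".join(out)

def render_backend(p):
    connect, client, server = SLA_MS[p.sla]
    # Strip "/<client>/<env>/<partner>/<env>/<service>/<sla>" and keep the partner
    # URI. http-request replace-path (HAProxy 2.2+) stands in for the reqrep line
    # on the slides, which HAProxy 2.2 removed.
    strip = f"^/[a-zA-Z0-9-]+/[a-z]+/{p.name}/{p.env}/{p.service}/{p.sla}/?(.*)"
    return "\n".join([
        f"backend {backend_name(p)}",
        f"  timeout connect {connect}",
        f"  timeout server {server}",
        # 'timeout client' is a frontend/defaults keyword (HAProxy warns and ignores
        # it in a backend); the client-side budget goes into timeout http-request,
        # which the slides set to the same value.
        f"  timeout http-request {client}",
        "  timeout queue 0s",
        f"  http-request set-header Host {p.host}",
        f"  http-request replace-path {strip} /\\1",
        f"  server {p.service} {p.host}:443 maxconn 20 ssl verify required"
        f" ca-file /etc/ssl/certs/ca-bundle.crt sni str({p.host})",
    ])

if __name__ == "__main__":
    myback = Client("myback", "prod", ("172.21.132.0/25",))
    www = Partner("example", "prod", "www", "www.example.com", "high")
    print(render_frontend([myback], [(myback, www)]) + "\n\n" + render_backend(www))
```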
41. Monitoring
● Make HAProxy log to a file
● Read the file, you will see:
○ client/env
○ partner/env
○ backend actually used (useful for canaries etc...)
○ status
○ duration
● We use: Prometheus, Grafana, haproxy_exporter, mtail

42. mtail metrics
Parsing the HAProxy log file to get Prometheus metrics that match our URL model.

sum(rate(http_requests_duration_ms_count{
  partner="example", partner_env="prod", partner_service="www",
  client="myback", client_env="prod"
}[5m])) by (code)

github.com/roidelapluie/haproxy-egress
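Added example (not the talk's mtail program): a Python parser that reads HAProxy httplog lines, derives the client/partner labels from the URL model, and aggregates request count and duration per label set the way the mtail metrics queried above are built, including the case where a partner never answers. The log lines are constructed, and the parser assumes HAProxy's default httplog layout with the request line logged as the client sent it.

```python
import re
from collections import defaultdict

# Default "option httplog" layout; search() skips any syslog prefix.
LOG_RE = re.compile(
    r'(?P<src>\S+) \[(?P<ts>[^\]]+)\] (?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr>-?\d+)/(?P<tt>-?\d+) '
    r'(?P<status>-?\d+) (?P<bytes>\d+) \S+ \S+ (?P<term>\S{4}) \S+ \S+ '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?"')
# Proxy URL model from the slides:
# /<client>/<client_env>/<partner>/<partner_env>/<partner_service>/<sla>/<uri>
PATH_RE = re.compile(
    r'^/(?P<client>[a-zA-Z0-9-]+)/(?P<client_env>[a-z]+)/(?P<partner>[a-zA-Z0-9-]+)'
    r'/(?P<partner_env>[a-z]+)/(?P<partner_service>[a-zA-Z0-9-]+)/(?P<sla>[a-z]+)(?:/|$)')
# Aggregation key: the PromQL labels from the slide, plus backend used and status code.
LABELS = ("partner", "partner_env", "partner_service", "client", "client_env", "backend", "code")

def parse_line(line):
    """Return (labels, Tr in ms or None, termination state), or None when the
    line is not a partner call (health checks, unknown paths, garbage)."""
    m = LOG_RE.search(line)
    p = PATH_RE.match(m["path"]) if m else None
    if not p:
        return None
    labels = {k: p[k] for k in LABELS[:5]}
    labels["backend"] = m["backend"]   # www vs www2 reveals canary traffic
    labels["code"] = m["status"]
    tr = int(m["tr"])
    # Tr is -1 when the partner never answered (e.g. "sH" = server timeout):
    # count the request, but never add a negative duration to the sum.
    return labels, (None if tr < 0 else tr), m["term"]

def aggregate(lines):
    """mtail-style counters per label set: count, duration sum, no-response count."""
    stats = defaultdict(lambda: {"count": 0, "duration_ms_sum": 0, "no_response": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        labels, tr, _term = parsed
        s = stats[tuple(labels[k] for k in LABELS)]
        s["count"] += 1
        if tr is None:
            s["no_response"] += 1
        else:
            s["duration_ms_sum"] += tr
    return dict(stats)

def count_by_code(stats, partner, client):
    """The slide's query, offline: sum(...) by (code) for one partner and client."""
    out = defaultdict(int)
    for key, s in stats.items():
        if key[0] == partner and key[3] == client:
            out[key[6]] += s["count"]
    return dict(out)

# Constructed sample lines (not real traffic): a normal call, a canary call routed
# to www2, a partner timeout (sH, Tr=-1), and a non-model request that is skipped.
REQ = '"POST /myback/prod/example/prod/www/high/helloworld HTTP/1.1"'
SAMPLE_LOG = [
    '172.21.132.5:43210 [12/Nov/2019:10:00:00.123] proxy~ example:prod:www:high/www '
    '0/0/12/45/57 200 512 - - ---- 1/1/0/0/0 0/0 ' + REQ,
    '172.21.132.6:43211 [12/Nov/2019:10:00:01.500] proxy~ example:prod:www2:high/www2 '
    '0/0/10/60/70 200 498 - - ---- 1/1/0/0/0 0/0 ' + REQ,
    '172.21.132.7:43333 [12/Nov/2019:10:00:05.000] proxy~ example:prod:www:high/www '
    '0/0/8/-1/11008 504 194 - - sH-- 1/1/0/0/0 0/0 ' + REQ,
    '172.21.132.5:43400 [12/Nov/2019:10:00:06.000] proxy~ proxy/<NOSRV> '
    '0/-1/-1/-1/0 503 212 - - SC-- 1/1/0/0/0 0/0 "GET /healthz HTTP/1.1"',
]
```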
44. How we did it
● Abstract the configuration into simple concepts (client, partner, SLA) for config management
○ App maintainers provide simple input
○ Config management tools turn the input into a HAProxy config file
● Putting correct monitoring in place (analyzing log files)
● Using advanced HAProxy features

45. The benefits
● Full understanding of the egresses of our applications
● Detailed metrics about connectivity and response time of partners
● Quick alerts when partners are not responding
○ Identification of the apps
○ Quick evaluation of business impact
● Egress with a modern TLS stack (TLS 1.2)
● Unified timeouts / TCP retries rules
● Delegated 2-way SSL
● DNS bypass, canary releases, date-triggered URL changes…
● Flexibility over requests without restarting the client apps!

47. Julien Pivotto
Inuits.eu
Open Source Consultant
@roidelapluie
roidelapluie@inuits.eu
Thank you