New AWS UDP Load Balancing for Network Load Balancer (opens in new tab)

(aws.amazon.com)

132 pointsbryanh6y ago32 comments

32 comments

This is a Big Deal because it enables support for QUIC, which is now being standardized as HTTP/3.

To work around the TCP head of line blocking problem (among others) QUIC aises UDP.

QUIC does some incredible patching over legacy decisions in the TCP and IP stack to make things faster, more reliable especially on mobile networks, and more secure.

Here’s a great summary from Fastly on what QUIC means for the Internet: https://www.fastly.com/blog/why-fastly-loves-quic-http3

mark2426y ago

This is big for making services which rely on DNS much easier to roll out in a container environment (ECS, EKS, etc). Traditionally we've had to create custom AMI images, use CloudFormation to keep them running with EIPs, and then have those EIPs be part of runtime configuration for our services.

not_kurt_godel6y ago

One "downside" of AWS is we've rolled a lot of custom solutions like this, at significant time/expense, only to have them be made obsolete by eventual native feature support. So we get left with a mixture of legacy systems using the custom solution and newer ones using native support and it makes things more complicated. It's actually a good problem to have in many ways, and basically unavoidable in many circumstances, but an interesting dynamic nonetheless. Reminds me of interstellar wait calculation[0] - do we defer dependent features until there's native support, or forge ahead knowing there's a likelihood of being 'overtaken'?

[0] https://en.m.wikipedia.org/wiki/Interstellar_travel#Wait_cal...

joemag6y ago

Another way to look at it: customers like you, who build custom work arounds to some problem, influence our decision that a particular problem is important enough to be solved.

1 more reply

cortesoft6y ago

Nothing is forcing you to switch from your custom solution to the native support. If you don't switch, you are in the same situation as if they native solution was never invented.

1 more reply

otterley6y ago

Can you elaborate a bit on your architecture? I'd love to understand what your use case is.

In most architectures I've seen where containers are involved, the rendezvous point between external clients and containerized services is an external proxy (i.e., a load balancer), and the only DNS lookup required by such clients is of the proxy itself, so no DNS UDP traffic needs to be sent into the cluster. In K8S we call this proxy an "ingress."

Is the situation that you want to expose the cluster's internal DNS to the outside world to avoid having to configure ingress? Or is it something else?

mark2426y ago

Containers that require custom DNS queries about incoming connections from a non-HTTP service (we're using the NLB for this), using a caching DNS server that isn't publicly accessible.

geggam6y ago

I could see an SRV record style of load balancing being done on containers optimizing that layer by reducing a hop

robohoe6y ago

I wonder if the AWS Route53 VPC resolvers work in that same way for internal VPC DNS resolution.

Jedd6y ago

Related - has anyone done much with UDP load balancing on prem?

We're starting to hit performance and HA walls with ingesting Netflows from edge routers - you can only nominate one target, and using Elasticsearch / Logstash there are some hard limits.

Would AWS be appropriating nginx under the hood here?

nullwasamistake6y ago

Lots of people use IPVS but the more efficient modes don't work on AWS. Generally why most that need a LOT of traffic use a cloud provider for regular servers and their own servers in CoLo for heavy stuff.

With how Amazon likes to use OSS in their services I'm pretty sure their UDP load balancer are in fact just using IPVS

colmmacc6y ago

NLB is built on top of AWS HyperPlane, a hybrid system that has components distributed in our Nitro security system, and pseudo-central components that keep flow-tracking state. It's different from IPVS.

Jedd6y ago

Interesting, thanks. Hadn't considered this option before, and will do some more exploring, though I note on the IPVS page they say:

"For scheduling UDP datagrams, IPVS load balancer records UDP datagram scheduling with configurable timeout, and the default UDP timeout is 300 seconds. Before UDP connection timeouts, all UDP datagrams from the same socket (protocol, ip address and port) will be directed to the same server."

I'm hopeful / confident that affinity can be fully de-tuned here, as we're looking at around 5-10k UDP Netflows per second from a given router that need to be distributed to a set of receivers.

1 more reply

stock_toaster6y ago

Nice! I wonder if this is a preparatory step for future quick/http3 support?

johannnishant6y ago

That's great! Any idea what Load balancing algorithm this would use?

We have a need for some stickiness in the load balancer (for example: UDP Packets from a source must be routed to the same instance, at least for a short while)

mcpherrinm6y ago

It's documented as:

> For UDP traffic, the load balancer selects a target using a flow hash algorithm based on the protocol, source IP address, source port, destination IP address, and destination port. A UDP flow has the same source and destination, so it is consistently routed to a single target throughout its lifetime. Different UDP flows have different sources, so they can be routed to different targets.

From the NLB docs at https://docs.aws.amazon.com/elasticloadbalancing/latest/netw...

zedpm6y ago

This is great news, and something I’ve been requesting for years. I manage an IoT backend based on CoAP, which is typically UDP-based. I’ve looked at Nginx support for UDP, but a managed load balancer is much more appealing.

celim3076y ago

Same story here, getting NGINX to help even with highest support tiers was a PIA too

api6y ago

Apparently if the target is the instance ID this can preserve public source IP and port. That can be a big deal for e.g. bootstrap nodes for P2P networks.

jedisct16y ago

Can be nice for games, QUIC and DNSCrypt.

dnautics6y ago

Curious: How does one generally load balance udp? Drop packets? Slow them down?

bboreham6y ago

It means taking a set of packets sent to one address and spreading them across multiple servers to share out the load.

dnautics6y ago

oh, geez. Thank you. Somehow I was thinking about throttling, not load balancing.

matsur6y ago

A plug for our (Cloudflare's) product — we support managed load balancing for UDP as well.

- https://blog.cloudflare.com/spectrum-for-udp-ddos-protection...

- https://blog.cloudflare.com/introducing-spectrum-with-load-b...

jbarham6y ago

Looks cool but if the product is only available for "Enterprise" customers and the pricing is "Request Quote" that means it's expensive. At least the AWS pricing is published.

TrueDuality6y ago

Sweet. Now add support for multiple ports on a single service[1] and this load balancer might actually become useful.

[1]: https://github.com/aws/containers-roadmap/issues/104

encoderer6y ago

ALB !== NLB

cameroncooper6y ago

With NLB targetting EC2 you can only specify one port per target group. To achieve multiple ports going to a single instance (or autoscaling group) you need to have one listener and target group per port.

TrueDuality6y ago

It effects both (and that ticket is about both if go through the comments).

j / k navigate · click thread line to collapse

32 comments

wikibob6y ago

This is a Big Deal because it enables support for QUIC, which is now being standardized as HTTP/3.

To work around the TCP head of line blocking problem (among others) QUIC aises UDP.

QUIC does some incredible patching over legacy decisions in the TCP and IP stack to make things faster, more reliable especially on mobile networks, and more secure.

Here’s a great summary from Fastly on what QUIC means for the Internet: https://www.fastly.com/blog/why-fastly-loves-quic-http3

mark2426y ago

not_kurt_godel6y ago

[0] https://en.m.wikipedia.org/wiki/Interstellar_travel#Wait_cal...

joemag6y ago

Another way to look at it: customers like you, who build custom work arounds to some problem, influence our decision that a particular problem is important enough to be solved.

1 more reply

cortesoft6y ago

Nothing is forcing you to switch from your custom solution to the native support. If you don't switch, you are in the same situation as if they native solution was never invented.

1 more reply

otterley6y ago

Can you elaborate a bit on your architecture? I'd love to understand what your use case is.

Is the situation that you want to expose the cluster's internal DNS to the outside world to avoid having to configure ingress? Or is it something else?

mark2426y ago

Containers that require custom DNS queries about incoming connections from a non-HTTP service (we're using the NLB for this), using a caching DNS server that isn't publicly accessible.

geggam6y ago

I could see an SRV record style of load balancing being done on containers optimizing that layer by reducing a hop

robohoe6y ago

I wonder if the AWS Route53 VPC resolvers work in that same way for internal VPC DNS resolution.

Jedd6y ago

Related - has anyone done much with UDP load balancing on prem?

We're starting to hit performance and HA walls with ingesting Netflows from edge routers - you can only nominate one target, and using Elasticsearch / Logstash there are some hard limits.

Would AWS be appropriating nginx under the hood here?

nullwasamistake6y ago

With how Amazon likes to use OSS in their services I'm pretty sure their UDP load balancer are in fact just using IPVS

colmmacc6y ago

Jedd6y ago

Interesting, thanks. Hadn't considered this option before, and will do some more exploring, though I note on the IPVS page they say:

I'm hopeful / confident that affinity can be fully de-tuned here, as we're looking at around 5-10k UDP Netflows per second from a given router that need to be distributed to a set of receivers.

1 more reply

stock_toaster6y ago

Nice! I wonder if this is a preparatory step for future quick/http3 support?

johannnishant6y ago

That's great! Any idea what Load balancing algorithm this would use?

We have a need for some stickiness in the load balancer (for example: UDP Packets from a source must be routed to the same instance, at least for a short while)

mcpherrinm6y ago

It's documented as:

From the NLB docs at https://docs.aws.amazon.com/elasticloadbalancing/latest/netw...

zedpm6y ago

celim3076y ago

Same story here, getting NGINX to help even with highest support tiers was a PIA too

api6y ago

Apparently if the target is the instance ID this can preserve public source IP and port. That can be a big deal for e.g. bootstrap nodes for P2P networks.

jedisct16y ago

Can be nice for games, QUIC and DNSCrypt.

dnautics6y ago

Curious: How does one generally load balance udp? Drop packets? Slow them down?

bboreham6y ago

It means taking a set of packets sent to one address and spreading them across multiple servers to share out the load.

dnautics6y ago

oh, geez. Thank you. Somehow I was thinking about throttling, not load balancing.

matsur6y ago

A plug for our (Cloudflare's) product — we support managed load balancing for UDP as well.

- https://blog.cloudflare.com/spectrum-for-udp-ddos-protection...

- https://blog.cloudflare.com/introducing-spectrum-with-load-b...

jbarham6y ago

Looks cool but if the product is only available for "Enterprise" customers and the pricing is "Request Quote" that means it's expensive. At least the AWS pricing is published.

TrueDuality6y ago

Sweet. Now add support for multiple ports on a single service[1] and this load balancer might actually become useful.

[1]: https://github.com/aws/containers-roadmap/issues/104

encoderer6y ago

ALB !== NLB

cameroncooper6y ago

TrueDuality6y ago

It effects both (and that ticket is about both if go through the comments).

j / k navigate · click thread line to collapse