gRPC Load balancing, and Ingress Gateway

Adarsh Pandey | Sun 8th Dec, 2019

Load balancer

  1. Increase capacity of application server by distribute traffic to multiple instances
  2. Reliability of applications
  3. Generally grouped into 2 categories: Layer 4 and Layer 7
  4. Layer 4 is transport layer LB include protocols like TCP, IP, UDP, FTP
  5. Layer 7 is application layer LB include protocol like HTTP/s
  6. Server side LB like HAProxy, Nginx offer centralized load balancer where these server act like reverse proxy and LB traffic to destination application server.
  7. Client side LB like Ribbon offer load balancing from client end itself with help of service discovery tools (Zookeeper, Etcd, consul etc.)
  8. Both type of LB their own pros and con.
  9. In Nuclei we are using Layer 7 LB for gRPC with Envoy proxy. It is also act like client side load balancer. In Kubernetes, application and envoy proxy container reside into same pod and intercept all incoming and outgoing requests.
  10. Why Envoy proxy? It is providing out of the box solution e.g. security, load balancing and traffic management, observability. Hence, application code need not to worry about all these thing.

Envoy proxy load balancing. Proxy to Proxy while running in same pod as application service

Ingress Gateway

In micro service architecture there are three type of communication happening.

  1. Ingress: Traffic coming to cluster referred as Ingress. In case of Nuclei, Android/iOS call to server
  2. **Service-to-service: **one service call other service. In case of Nuclei, Recharge service calling to Checkout services (Cart, Order, Payment, Coupons etc.)
  3. **Egress: **Traffic going outside to cluster referred as Egress. (In case of Nuclei, services used to call third-party vendor/services (ClearTrip, Redbus etc.)

It is important to protect all services from outside world, and expose only those services which will be called from Android/iOS client rest service should be blocked by default. We are using Istio service mesh, having concept of VirtualService which help us to expose limited set of service to outside world.

Configuring ingress gateway for gRPC is little tricky. Lets see some example:

  1. Package in proto file is important in above service package name is com.gonuclei.grpc
  2. Create a Ingress Gateway, and assign VirtualService
  3. In virtual service, we are allowing package prefix to call from outside cluster.
  4. It will be block other requests, only allow services having package com.gonuclei.grpc
divider

Liked it? Why not share it with others