How to configure and use HAProxy in Pivotal Cloud Foundry (Part 2)

Source: Internet
Author: User
Tags pivotal cloud foundry

The previous article covered the use of HAProxy's built-in load balancer and certificates; the focus here is security and reliability.

Multi-tiered load balancing meets security and business needs

Enterprise security and firewall policy is a disaster for PCF. The current version has availability zones to cover this need, but the following requirement is still difficult to meet: PCF is deployed in the production network but must be reachable from the Internet, while the security policy only allows the DMZ network to provide services to the outside. A seemingly redundant extra hop is therefore needed so that PCF can be accessed from the Internet. Building on the example above, both App1 and App2 require Internet access (the available load balancer devices in the DMZ network, 50.60.70.100 and 50.60.70.101, are fixed):
1. Obtain an IP in the DMZ segment, such as 50.60.70.80.
2. Allow the load balancer devices 50.60.70.100 and 50.60.70.101 to access ports 80 and 443 on the PCF external IP 10.20.30.41.
3. On the DMZ load balancer devices, load-balance ports 80 and 443 of 10.20.30.41 as ports 80 and 443 of 50.60.70.80.
4. NAT ports 80 and 443 of 50.60.70.80 to ports 80 and 443 on the public network, and get back the required domain names (such as app1.bjsdns.mydomain.com, app2.bjsdns.mydomain.com, etc.).
5. In DNS, alias app1.bjsdns.mydomain.com and app2.bjsdns.mydomain.com to app1.mydomain.com and app2.mydomain.com, and it's done.

Let CF work with a common Tomcat application service

For a private PaaS within the enterprise, the most worrying part of PCF is its runtime environment architecture (including load balancing and auto-scaling). The following scheme shields against the uncertainty risk that comes with adopting new Internet technology, making it possible for a private PaaS to serve real-time business systems. It also spreads the application's load onto IaaS resources, so that failure recovery is transparent to users even when the entire PCF runtime framework has a problem. The details are as follows:
1. Deploy the same application code both in PCF (for example, allocate 10 application instances, assuming the app name is App1) and on multiple Tomcat nodes (for example, 2) deployed separately on IaaS virtual machines.
2. In the PaaS, use the following commands to create a domain (such as mydomain.com), create an app domain name (app1.mydomain.com), and bind the app domain name to the app (app1.mydomain.com bound to App1):

cf create-domain org1 mydomain.com
cf map-route app1 mydomain.com -n app1

3. Configure a virtual service (such as 50.60.70.80) on the load balancer device. Its real servers are the ingress IP of the PaaS environment (such as 10.20.30.41) and the Tomcat nodes deployed separately on IaaS virtual machines. Each individual Tomcat node has a weight of 1, and the PaaS ingress IP has a weight equal to the number of application instances allocated for this application (10).
4. In DNS, point the application domain name (app1.mydomain.com) at the virtual service IP (50.60.70.80) on the load balancer device.
5. When a user accesses app1.mydomain.com, DNS resolves it to the load balancer device, which sends the request to a standalone Tomcat node or to the PaaS ingress IP based on policy and weight. If the request lands on the PaaS ingress IP, the PaaS resolves it based on the domain name accessed by the client and, according to its policy, routes the request to one of the 10 application instances of App1.
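
The weighted virtual service from steps 3 to 5, written as an HAProxy configuration. This is an added example, not from the original article: it assumes HAProxy (2.2 or later, for the http-check send syntax) takes the place of the load balancer device, and the Tomcat addresses 10.20.40.11 and 10.20.40.12, port 8080 and the /health path are hypothetical.

```haproxy
# Added example. 50.60.70.80, 10.20.30.41 and app1.mydomain.com are the
# article's values; Tomcat addresses, port 8080 and /health are assumptions.
global
    maxconn 4096

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend app1_vip
    # Virtual service IP from step 3
    bind 50.60.70.80:80
    # Serve only the mapped application host name; anything else is refused
    acl is_app1 hdr(host) -i app1.mydomain.com
    http-request deny unless is_app1
    default_backend app1_mixed

backend app1_mixed
    balance roundrobin
    # The PCF ingress routes by Host header (step 5), so the health check
    # must send the application host name or it will not reach App1.
    option httpchk
    http-check send meth GET uri /health ver HTTP/1.1 hdr Host app1.mydomain.com
    http-check expect status 200
    # Mark a server down after 3 failed checks, up again after 2 good ones
    default-server inter 2s fall 3 rise 2
    # PaaS ingress: weight equals the number of App1 instances (10)
    server pcf_ingress 10.20.30.41:80   weight 10 check
    # Standalone Tomcat nodes on IaaS virtual machines: weight 1 each
    server tomcat1     10.20.40.11:8080 weight 1  check
    server tomcat2     10.20.40.12:8080 weight 1  check
```

With these weights about 10 of every 12 requests go to the PCF ingress; if its health check fails, the two Tomcat nodes take all traffic until it recovers.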
