Virtual Server via NAT (VS/NAT)

Source: Internet
Author: User

Because of the growing shortage of IPv4 address space, and for security reasons, many networks use reserved (private) IP addresses (10.0.0.0/255.0.0.0, 172.16.0.0/255.128.0.0 and 192.168.0.0/255.255.0.0) [64, 65, 66]. These addresses are not routed on the Internet; they are reserved for internal networks. When hosts on the internal network need to access the Internet, or need to be reachable from the Internet, Network Address Translation (NAT) is used to translate an internal address into an external address that is valid on the Internet. The principle of NAT is that, once the packet headers (destination address, source address and ports) have been rewritten correctly, the client believes it is connected to a single IP address, and the group of servers with different IP addresses also believe they are connected directly to the client. In this way, NAT can be used to make the parallel network services of servers with different IP addresses appear as one service on a single IP address.

The architecture of VS/NAT is shown in Figure 3.1. A scheduler sits in front of a group of servers, which are connected to it through a switch or hub. These servers provide the same network service with the same content: whichever server a request is sent to, the result is the same. The service content can be replicated to the local disk of each server, shared through a network file system (such as NFS), or provided by a distributed file system.



Figure 3.1: Architecture of VS/NAT

A client accesses the network service through the virtual IP address (the IP address of the virtual service), and the request packet arrives at the scheduler. The scheduler selects a server from the group of real servers according to the connection scheduling algorithm, rewrites the destination address of the packet from the virtual IP address to the address of the selected server and the destination port to the corresponding port on that server, and forwards the modified packet to the selected server. At the same time, the scheduler records the connection in its connection hash table. When the next packet of the same connection arrives, the scheduler looks up the address and port of the originally selected server in the connection hash table, performs the same rewrite, and forwards the packet to the same server. When the response packet from the real server passes back through the scheduler, the scheduler rewrites the source address and source port of the packet to the virtual IP address and the corresponding port, and then sends the packet to the client. A state machine is maintained for each connection: different packets move the connection into different states, and each state has its own timeout value. For TCP, state transitions follow the standard TCP finite state machine; for UDP, only a single UDP state is used. The timeout value of each state is configurable; by default, the SYN state times out after 1 minute, the ESTABLISHED state after 15 minutes, the FIN state after 1 minute, and the UDP state after 5 minutes. When a connection ends or times out, the scheduler removes it from the connection hash table.

In this way, the client sees only the service offered on the virtual IP address, and the structure of the server cluster is transparent to the client. For rewritten packets, the TCP checksum is adjusted with the incremental checksum update algorithm, which avoids the overhead of scanning the whole packet to recompute the checksum.

Some network services carry IP addresses or port numbers inside the packet payload. If only the IP address and port number in the packet header are translated, the payload becomes inconsistent with the header and the service breaks. For such services, a corresponding application module must be written to translate the IP addresses or port numbers in the payload as well. Known services with this problem include FTP, IRC, H.323, CUSeeMe, RealAudio, RealVideo, Vxtreme/Vosaic, VDOLive, VIVOActive, TrueSpeech, RTSP, PPTP, StreamWorks, NTT AudioLink, NTT SoftwareVision, Yamaha MIDPlug, iChat Pager, Quake, and Diablo.

Next, we give an example to illustrate VS/NAT, as shown in Figure 3.2:



Figure 3.2: VS/NAT example

As shown in the table below, all traffic destined for IP address 202.103.106.5, port 80, is load-balanced across 172.16.0.2:80 and 172.16.0.3:8000. Packets destined for 202.103.106.5:21 are forwarded to 172.16.0.3:21. Packets sent to any other port are rejected.

Protocol  Virtual IP Address  Port  Real IP Address  Port  Weight
TCP       202.103.106.5       80    172.16.0.2       80    1
                                    172.16.0.3       8000  2
TCP       202.103.106.5       21    172.16.0.3       21    1

The following example shows the packet rewriting process in more detail.

A packet with the following source and destination addresses is sent to the Web service:

Source 202.100.1.2:3456  Dest 202.103.106.5:80

The scheduler selects a server from the scheduling list, for example 172.16.0.3:8000. The packet is rewritten with the following addresses and sent to the selected server:

Source 202.100.1.2:3456  Dest 172.16.0.3:8000

The response packet returned from the server to the scheduler is:

Source 172.16.0.3:8000  Dest 202.100.1.2:3456

The source address of the response packet is rewritten to the address of the virtual service, and the packet is then sent to the client:

Source 202.103.106.5:80  Dest 202.100.1.2:3456

In this way, the client believes the reply comes from the 202.103.106.5:80 service and cannot tell whether the request was handled by server 172.16.0.2 or server 172.16.0.3.
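The rewrite exchange above and the connection hash table described earlier, as an added example that is not the LVS code: a small VS/NAT model loaded with the service table from this article. Weighted round-robin is assumed as the scheduling algorithm (the article does not fix one), the connection table is a plain dict, and packets are represented as address/port tuples only; the `VsNat` class and its method names are hypothetical.

```python
# Added example: VS/NAT packet rewriting with a connection hash table. Service table
# values are from the article; weighted round-robin scheduling is an assumption.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

class VsNat:
    def __init__(self):
        # virtual (ip, port) -> list of (real ip, real port, weight)
        self.services = {
            ("202.103.106.5", 80): [("172.16.0.2", 80, 1), ("172.16.0.3", 8000, 2)],
            ("202.103.106.5", 21): [("172.16.0.3", 21, 1)],
        }
        self.rr = {}           # per-service round-robin cursor
        self.conn_table = {}   # (client ip, client port, vip, vport) -> (rip, rport)
        self.reverse = {}      # (rip, rport, client ip, client port) -> (vip, vport)

    def _schedule(self, vkey):
        """Weighted round-robin: expand the real servers by weight, pick the next one."""
        expanded = [(rip, rport) for rip, rport, w in self.services[vkey] for _ in range(w)]
        i = self.rr.get(vkey, 0)
        self.rr[vkey] = (i + 1) % len(expanded)
        return expanded[i]

    def inbound(self, pkt):
        """Client -> virtual service: rewrite the destination and record the connection.
        Returns None for a port with no virtual service (the packet is rejected)."""
        vkey = (pkt.dst, pkt.dport)
        if vkey not in self.services:
            return None
        ckey = (pkt.src, pkt.sport) + vkey
        if ckey not in self.conn_table:             # first packet: schedule a server
            self.conn_table[ckey] = self._schedule(vkey)
            self.reverse[self.conn_table[ckey] + (pkt.src, pkt.sport)] = vkey
        rip, rport = self.conn_table[ckey]          # later packets: same server
        return Packet(pkt.src, pkt.sport, rip, rport)

    def outbound(self, pkt):
        """Real server -> client: rewrite the source back to the virtual service."""
        vkey = self.reverse.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if vkey is None:
            return None
        return Packet(vkey[0], vkey[1], pkt.dst, pkt.dport)

    def close(self, pkt):
        """Connection ended or timed out: remove it from the hash table."""
        ckey = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rip, rport = self.conn_table.pop(ckey)
        self.reverse.pop((rip, rport, pkt.src, pkt.sport))
```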
