F5® Distributed Cloud Mesh Load Balancing is a centrally managed, globally distributed load balancer and proxy with service discovery, health checking, application micro-segmentation, and application policy. It provides an edge load balancer with ingress/egress capability for any service mesh. Service discovery integrates with multiple registries, such as Kubernetes, Consul, and DNS, with health-check support for HTTP/HTTPS, TCP, and custom checks. Endpoint health is distributed to every site where a virtual service is exposed, using extensions to the BGP protocol, so the load-balancing decision at each site is made with a global view of endpoint availability. Support for TLS and mutual TLS for authentication, combined with policy-based authorization on the proxy, enforces end-to-end security of application traffic. In addition, the proxy can terminate user traffic in the F5 Distributed Cloud global network and reuse persistent connections to the serving endpoints, which accelerates delivery and lets it load balance to the most suitable endpoint. It is ready "out of the box" when an F5 Distributed Cloud Node or Cluster is deployed or when the Global Network is used.
If you are interested in further details of how the features described in this guide work, read more below in Concepts.
Introduction to Mesh Load Balancing
With Node or Cluster deployments or the Global Network, you can use Mesh and F5® Distributed Cloud App Stack services as simple add-ons. This section covers the Mesh Load Balancing features specifically.
Mesh Load Balancing Features
Global Load Balancing (GSLB, Anycast)
- The Mesh global infrastructure provides the initial network-level load balancing using anycast to all VirtualHosts hosted on F5 Distributed Cloud's network cloud or on an enterprise's private, public, and edge clouds. GSLB adds application- and business-logic-level load balancing. Supported GSLB algorithms include round-robin, weighted least request, random, and ring hash, among others. Additional functionality includes client-optimized delivery based on application and service availability (health checks, described below), performance, and custom policies such as geography and regulations (GDPR, for example). All policy and configuration is centrally managed from F5® Distributed Cloud Console, with a VIP exposed on a customer site (cloud or edge), on the global infrastructure (Network Cloud), or on both.
Service Discovery & Health Checks
- Service endpoints are discovered and can be made securely accessible on F5 Distributed Cloud's Global Infrastructure, on a customer's public, private, or edge cloud, or on both. Service discovery integrations supported today include DNS, Kubernetes, and HashiCorp Consul. All discovered or configured endpoints and VIPs are automatically probed with explicit (configured) health checks and evaluated against implicit signals (latency, error rate, response time, and so on). This global visibility of endpoints and their availability allows clients to be load balanced to services optimally.
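To make the two bullets above concrete, here is an added illustration (written for this page, not F5 Distributed Cloud code) of how a health-aware selection step can combine an explicit health-check result with an implicit error-rate signal, and then apply two of the listed GSLB algorithms: weighted least request and ring hash. The endpoint names, weights, the 50% error-rate threshold, and the number of ring points per unit of weight are assumptions chosen for the example; the property worth noticing is that when an endpoint is ejected, a ring hash only remaps the keys that were mapped to that endpoint.

```python
import bisect
import hashlib
from dataclasses import dataclass


@dataclass
class Endpoint:
    """A discovered origin endpoint as the load balancer sees it (illustrative model)."""
    name: str
    weight: int = 1
    healthy: bool = True       # result of the explicit (configured) health check
    active_requests: int = 0   # in-flight requests; drives weighted least request
    responses: int = 0         # recent responses observed by the proxy
    errors: int = 0            # of those, 5xx / timeouts; drives the implicit check

    def implicitly_unhealthy(self, max_error_rate: float = 0.5, min_samples: int = 10) -> bool:
        # Implicit health check: eject on observed error rate, but only with enough samples
        # (assumed thresholds; a real system uses a sliding window and a recovery timer).
        if self.responses < min_samples:
            return False
        return self.errors / self.responses > max_error_rate

    def load(self) -> float:
        # Weighted least request compares in-flight requests per unit of weight.
        return self.active_requests / self.weight


def available(endpoints: list[Endpoint]) -> list[Endpoint]:
    """Endpoints eligible for selection: explicit check passed and not ejected."""
    return [e for e in endpoints if e.healthy and not e.implicitly_unhealthy()]


def weighted_least_request(endpoints: list[Endpoint]) -> Endpoint:
    """Pick the available endpoint with the lowest in-flight load per unit of weight."""
    candidates = available(endpoints)
    if not candidates:
        raise RuntimeError("no available endpoints")
    return min(candidates, key=Endpoint.load)


class RingHash:
    """Consistent hashing over the available endpoints; weight scales the ring points."""

    def __init__(self, endpoints: list[Endpoint], points_per_weight: int = 128):
        ring = []
        for e in available(endpoints):
            for i in range(points_per_weight * e.weight):
                ring.append((self._hash(f"{e.name}#{i}"), e))
        ring.sort(key=lambda p: p[0])
        self._points = [h for h, _ in ring]
        self._owners = [e for _, e in ring]

    @staticmethod
    def _hash(s: str) -> int:
        # A stable hash rather than Python's randomised hash(), so every proxy agrees.
        return int.from_bytes(hashlib.sha256(s.encode()).digest()[:8], "big")

    def pick(self, key: str) -> Endpoint:
        """Route a session key (client IP, cookie, ...) to the next ring point clockwise."""
        if not self._points:
            raise RuntimeError("no available endpoints")
        idx = bisect.bisect_right(self._points, self._hash(key)) % len(self._points)
        return self._owners[idx]
```

Ejecting an endpoint rebuilds the ring from the remaining ones; keys that hashed to a surviving endpoint keep their target, which is why ring hash is the algorithm to reach for when session affinity matters more than perfectly even load.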
HTTPS (TLS/mTLS) & TCP Proxy
- Mesh VirtualHost load balancing supports multiple proxy functions, including TCP Proxy, TCP Proxy with SNI, HTTP Proxy, and HTTPS Proxy. TLS/mTLS is available downstream (clients to VirtualHost), upstream (VirtualHost to endpoints), or both; because the proxy terminates TLS, it is the upstream TLS/mTLS setting that keeps traffic encrypted between the proxy and the origin. A domain's TLS certificates and keys can be securely hosted with F5 Distributed Cloud's Blindfold solution and/or through integration with an external secrets-management system such as HashiCorp Vault.
- In addition to GSLB traffic management, rich HTTP/HTTPS routing is available. Requests can be matched on parameters such as URL, headers, query parameters, and HTTP method, and matching can be customized using F5 Distributed Cloud's programmable V8 engine. Routing options based on the matched criteria include sending a direct response, changing protocol, adding or removing headers, setting timeouts and retries, sending the request to the WAF (Web Application Firewall), and endpoint selection or grouping.
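The following added example (written for this page; it is not F5's routing engine or configuration format) shows the matching and ordering semantics described above with a constructed rule set: first matching route wins, every matcher on a route must match, and path regexes are anchored with `fullmatch`. The route names, pools, and the sample rules are assumptions for illustration. Two details a practitioner should check in any rule set are covered by the assertions: an unanchored regex would let `/evil/api/v1/x` hit an API route, and a method restriction on one route does not block a request by itself, it only lets it fall through to the next route, so an explicit 405 route follows the API route.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)   # lower-cased header names
    query: dict = field(default_factory=dict)


@dataclass
class Route:
    """One routing rule: every configured matcher must match (AND); first matching route wins."""
    name: str
    action: dict                                   # e.g. {"pool": "api"} or {"direct_response": 200}
    path_prefix: Optional[str] = None
    path_regex: Optional[str] = None
    methods: Optional[set] = None
    headers: dict = field(default_factory=dict)    # header -> regex (fullmatch)
    query: dict = field(default_factory=dict)      # query param -> regex (fullmatch)

    def matches(self, req: Request) -> bool:
        if self.path_prefix is not None and not req.path.startswith(self.path_prefix):
            return False
        # fullmatch, not search: an unanchored regex lets /evil/api/v1/x match an /api/v1 rule
        if self.path_regex is not None and not re.fullmatch(self.path_regex, req.path):
            return False
        if self.methods is not None and req.method not in self.methods:
            return False
        for name, pattern in self.headers.items():
            value = req.headers.get(name.lower())
            if value is None or not re.fullmatch(pattern, value):
                return False
        for name, pattern in self.query.items():
            value = req.query.get(name)
            if value is None or not re.fullmatch(pattern, value):
                return False
        return True


def route(routes: list[Route], req: Request) -> dict:
    """Return the action of the first matching route, or a 404 direct response."""
    for r in routes:
        if r.matches(req):
            return {"route": r.name, **r.action}
    return {"route": None, "direct_response": 404}


# Constructed rule set (sample data, not a real configuration). Order matters: the
# catch-all "/" prefix is last so it cannot shadow the more specific rules above it.
ROUTES = [
    Route("healthz", {"direct_response": 200}, path_prefix="/healthz", methods={"GET"}),
    Route("legacy-redirect", {"redirect": "https://shop.example.com/"}, path_prefix="/old/"),
    Route("canary-api", {"pool": "api-canary", "timeout_s": 5},
          path_regex=r"/api/v\d+/.*", headers={"x-canary": "1"}),
    Route("api", {"pool": "api", "timeout_s": 5, "retries": 2, "waf": "api-waf"},
          path_regex=r"/api/v\d+/.*", methods={"GET", "POST", "PUT", "DELETE"}),
    # Explicit deny for other methods on the API path; without it they fall through to "web".
    Route("api-method-not-allowed", {"direct_response": 405}, path_regex=r"/api/v\d+/.*"),
    Route("web", {"pool": "web", "waf": "web-waf", "add_headers": {"x-frame-options": "DENY"}},
          path_prefix="/"),
]
```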
Dynamic Reverse Proxy & HTTP Connect
- The Mesh proxy supports automatic, dynamic discovery of endpoints through its dynamic reverse proxy: traffic is attracted to the proxy and the endpoint destination is discovered at the proxy itself, minimizing infrastructure configuration and operations. Destinations can be configured using a VirtualHost with wildcards, and discovery is triggered by what the client or application is accessing (supported for HTTP and for TCP with SNI). Clients or applications can also be configured explicitly to send traffic via the proxy, using HTTP CONNECT to tunnel traffic to it.
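The three discovery signals mentioned in the TCP-with-SNI proxy function above and in this bullet, the TLS SNI of a ClientHello, the authority of an HTTP CONNECT request, and the Host header of a plain HTTP request, can all be read from the first bytes of a connection. The added example below (written for this page, not F5 code) parses each of them and then matches the discovered host against wildcard VirtualHost domains. The ClientHello builder only exists to construct sample input; the destination hosts are example names; and the wildcard semantics (a leading `*.` covers exactly one DNS label) are an assumption for the example. The security-relevant part is the bounds checking in the ClientHello parser: a proxy parsing untrusted first bytes must return "no SNI" on a truncated or malformed hello rather than raise.

```python
import struct
from typing import Optional


def parse_sni(data: bytes) -> Optional[str]:
    """Return server_name from a TLS ClientHello, or None if absent or malformed.
    Every length is bounds-checked so untrusted first bytes can never raise here."""
    if len(data) < 5 or data[0] != 0x16:                      # handshake record
        return None
    body = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:                     # ClientHello
        return None
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                             # client_version + random
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                       # session_id
    if len(hs) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]        # cipher_suites
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                       # compression_methods
    if len(hs) < pos + 2:
        return None                                          # no extensions
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    if ext_end > len(hs):
        return None                                          # truncated hello
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        ext, pos = hs[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype != 0 or len(ext) < 2:                       # 0 = server_name
            continue
        list_end, q = min(2 + struct.unpack("!H", ext[:2])[0], len(ext)), 2
        while q + 3 <= list_end:
            ntype, nlen = ext[q], struct.unpack("!H", ext[q + 1:q + 3])[0]
            name, q = ext[q + 3:q + 3 + nlen], q + 3 + nlen
            if ntype == 0 and len(name) == nlen:             # host_name entry
                return name.decode("ascii") if name.isascii() else None
    return None


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal ClientHello carrying an SNI extension (sample input only)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00"             # version, random, empty session_id
             + struct.pack("!H", 2) + b"\x13\x01"             # one cipher suite
             + b"\x01\x00"                                    # null compression
             + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def discover_destination(first_bytes: bytes):
    """Derive (kind, host, port) from a connection's first bytes, or None.
    Illustrative only: a real proxy also handles partial reads, HTTP/2 and pipelining."""
    if first_bytes[:1] == b"\x16":
        host = parse_sni(first_bytes)
        return ("tls-sni", host, 443) if host else None
    try:
        lines = first_bytes.partition(b"\r\n\r\n")[0].decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    if parts[0] == "CONNECT":                                # tunnel: authority must carry a port
        host, sep, port = parts[1].rpartition(":")
        return ("connect", host, int(port)) if sep and port.isdigit() else None
    headers = dict(ln.split(":", 1) for ln in lines[1:] if ":" in ln)
    host = next((v.strip() for k, v in headers.items() if k.strip().lower() == "host"), None)
    if not host:
        return None
    h, sep, port = host.rpartition(":")
    return ("http", h, int(port)) if sep and port.isdigit() else ("http", host, 80)


def match_virtual_host(host: str, patterns: list[str]) -> Optional[str]:
    """Match a host against VirtualHost domains; '*.' covers exactly one label (assumed)."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            suffix, label = pat[1:], host[:len(host) - len(pat) + 1]
            if host.endswith(suffix) and label and "." not in label:
                return pat
        elif host == pat:
            return pat
    return None
```

Because the decision is driven entirely by client-supplied bytes, the discovered host should only ever select among destinations the VirtualHost explicitly allows (the wildcard match), never be used as a free-form connect target; otherwise the proxy becomes an open forwarder into the network it sits in front of.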
Service Policy & Application Microsegmentation
- Application microsegmentation is applied per VirtualHost and per service in a namespace using an intent-based (L7) service policy. Rules match on regex-based label selectors, client IP lists, or ASN lists, with allow and deny actions; rate-limit actions and custom actions written for the V8 JavaScript engine are planned.
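As an added illustration of the policy model in this bullet (written for this page; it is not F5's service-policy engine or its object schema), the example below evaluates an ordered rule list where the first matching rule decides and nothing matching falls to a default of deny. Label selectors are regexes anchored with `fullmatch`, IP lists are CIDR prefixes evaluated with the standard `ipaddress` module (so IPv4 and IPv6 are handled), and ASN lists are plain sets. The rules, labels, and the ASN and IP values are constructed sample data from documentation-reserved ranges. One assumption is stated in the code: the client's ASN and identity labels are derived by the proxy (for example from the source IP and the calling service's identity), never taken from a client-controlled header.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ClientContext:
    """What the proxy knows when the L7 policy runs. ip/asn/labels are assumed to be
    proxy-derived (source address, GeoIP/ASN lookup, caller identity), not client headers."""
    ip: str
    asn: Optional[int] = None
    labels: dict = field(default_factory=dict)   # identity labels of the calling service
    method: str = "GET"
    path: str = "/"


@dataclass
class PolicyRule:
    name: str
    action: str                                          # "allow" or "deny"
    label_selector: dict = field(default_factory=dict)   # label -> regex (fullmatch), AND
    ip_prefixes: list = field(default_factory=list)      # CIDR strings, any-of
    asns: set = field(default_factory=set)               # any-of
    methods: set = field(default_factory=set)            # any-of
    path_regex: Optional[str] = None

    def matches(self, c: ClientContext) -> bool:
        for key, pattern in self.label_selector.items():
            if key not in c.labels or not re.fullmatch(pattern, c.labels[key]):
                return False
        if self.ip_prefixes:
            addr = ipaddress.ip_address(c.ip)
            # an IPv6 address is never "in" an IPv4 network (and vice versa), so mixed lists are safe
            if not any(addr in ipaddress.ip_network(p, strict=False) for p in self.ip_prefixes):
                return False
        if self.asns and c.asn not in self.asns:
            return False
        if self.methods and c.method not in self.methods:
            return False
        if self.path_regex is not None and not re.fullmatch(self.path_regex, c.path):
            return False
        return True


def evaluate(rules: list[PolicyRule], c: ClientContext, default: str = "deny") -> tuple:
    """First matching rule decides; nothing matched -> the default, which is deny."""
    for r in rules:
        if r.matches(c):
            return r.action, r.name
    return default, None


# Constructed policy (sample data). Deny rules first so a blocked source cannot be
# rescued by a later allow; the narrow service-to-service allow follows.
RULES = [
    PolicyRule("block-bad-asns", "deny", asns={64496, 64497}),
    PolicyRule("block-scanners", "deny", ip_prefixes=["198.51.100.0/24", "2001:db8:bad::/48"]),
    PolicyRule("frontend-to-checkout", "allow",
               label_selector={"app": r"frontend(-canary)?", "namespace": "shop"},
               methods={"GET", "POST"}, path_regex=r"/checkout(/.*)?"),
    PolicyRule("ops-readonly", "allow", ip_prefixes=["10.20.0.0/16"], methods={"GET"}),
]
```

The anchored label regex is the detail to check when reviewing a policy: with `search` instead of `fullmatch`, a workload labelled `frontend-evil` would satisfy `frontend(-canary)?` and inherit the allow.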
The following concepts are used by the Mesh Load Balancing features: