External DNS Load Balancing POC

I was doing a POC for external load balancing awhile back and decided to put some of the info here to hopefully help others on how it works. I tested several different companies but all setup pretty much the same way.

Goal:
We want to load balance “testlb.cordero.me “between the TPA Data Center and our DR Data Center.

URL to Test: testlb.cordero.me
TPA IP: 72.201.131.185 :Probing port 443
DR IP: 50.64.253.180 :Probing port 25

Probing is just a port test to see if the port is open or closed. You can obviously use whatever ports you want to monitor. I’m using a simple setup just to see if it works. For TPA I’m monitoring to see if port 443 is up. For DR I’m looking to see if port 25 is up. Like any other probe or load balancing device, you can get more detailed on the probes like to not only check for a port but also a specific response back.

Below I’ll go over the DNS setup since that could be the most confusing for people. The third-party portal side is the easy part.

Overview:
CNAME > LBFQDN-ON-THIRDPARTY-side

Example:
testlb.cordero.me that points to testlb.cordero.nsatc.net.

The CNAME is something you, the client setup. You point this to the LBFQDN.  This is the FQDN that your end users will use.
The LBFQDN is something that’s setup when you’re configuring your load balancing on the third-party portal side. The domain name origin is something you cannot change. So, it looks like this after:

One CNAME for testlb.cordero.me that points to testlb.[domain name origin given]

Testing Setup:
1. Create CNAME:
One CNAME for testlb.cordero.me that points to testlb.[domain name origin given]

testlb.cordero.me. 86400 IN CNAME testlb.cordero.nsatc.net.

2. On the third-party load balancer side I have the two locations load balanced using one CNAME.
-If the TPA is up hand out 72.201.131.185
-If the TPA goes down hand out 50.64.253.180
-If the TPA comes back up, hand out 72.201.131.185

3. Setup you PROBE device at the TPA to test. I used a laptop. The reason for using a laptop is because you can unplug it to trigger the PROBE to failover.
a. Configure a Public IP Address on the laptop: 72.201.131.185
b. Run a http server on port 443 so that the CLB can probe the device.  I used Python to do it.

python3 -m http.server 443

Third-Party Setup:
The Cloud setup is straight forward and I don’t have the screenshots for those. We ended up going with Akamai but all the Vendors we POC’ed were easy to setup.

Testing:
All I did for testing was control the port access via my laptop. This would trigger the failover.

A site I like to use to verify the failovers is:
https://www.digwebinterface.com/

What I like about the site above is that I can pick and choose which DNS servers I want to verify with. This is nice because I can check on the propagation.

NOTE:
One note I’d like to bring up. The TTL is configured on the third-party side to a very low value. This is the magic behind a fast failover. You do not edit these values and you DO NOT need to make your CNAME TTL low because it won’t make a difference.

More Stories
Microsoft Windows NIC Troubleshooting