Migrating services from an NLB load balancer with an instance group as a target to an L7 ALB load balancer using Terraform
- Service migration recommendations
- Create an infrastructure
- Test the L7 load balancer
- Migrate the user load from the network load balancer to the L7 load balancer
Service migration recommendations
-
In addition to DDoS protection at OSI L7 using Yandex Smart Web Security, we recommend enabling DDoS protection at L3-L4. To do this, reserve a public static IP address with DDoS protection in advance and use this address for the L7 load balancer's listener.
If the network load balancer's listener already uses a public IP address with DDoS protection, you can save it and use it for the L7 load balancer.
If the network load balancer's listener uses a public IP address without DDoS protection, DDoS protection at L3-L4 when migrating to an L7 load balancer can only be achieved by changing the public IP for your service.
When using L3-L4 DDoS protection, configure a trigger threshold for the L3-L4 protection mechanisms aligned with the amount of legitimate traffic to the protected resource. To set up this threshold, contact support.
Also, set the MTU value to
1450for the targets downstream of the load balancer. For more information, see Setting up MTU when enabling DDoS protection.
-
We recommend performing migration during the hours when the user load is at its lowest. The migration process for a VM group changes the integration with the target group and migrates the public IP address from the network load balancer to the L7 load balancer. Your service will be unavailable during this period. The downtime depends on the number of VMs in the group, deployment policy settings and may take from several minutes to tens of minutes under normal conditions.
-
When using an L7 load balancer, requests to backends come with the source IP address from the range of internal IP addresses of the subnets specified when creating the L7 load balancer. The original IP address of the request source (user) is specified in the
X-Forwarded-Forheader. If you want to log public IP addresses of users on the web server, reconfigure it.
-
See the autoscaling and resource units in the L7 load balancer.
Create an infrastructure
-
If you do not have Terraform yet, install it.
-
Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.
-
Configure and initialize a provider. There is no need to create a provider configuration file manually, you can download it.
-
Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.
-
Download a configuration file to the same working directory based on the protocol you are using:
HTTP: alb-vm-http.tf configuration file.
HTTPS: alb-vm-https.tf configuration file.
These files describe:
- Subnets for the L7 load balancer.
- Security group for the L7 load balancer.
- Static address for the L7 load balancer.
- Importing a TLS certificate to Certificate Manager (if
HTTPSis used).
- Smart Web Security security profile.
- Target group, backend group, and HTTP router for the L7 load balancer.
- L7-balancer.
-
-
In the configuration file, set the following custom properties:
-
Specify the values for the variables:
domain_name: Your service domain name.
network_id: ID of the network containing the VMs from the network load balancer's target group.
certificate(for
HTTPS): Path to the self-signed custom certificate.
private_key(for
HTTPS): Path to the private key file.
-
-
For the
yandex_alb_target_groupresource, add as many
targetsections as there are virtual machines in your network load balancer's target group.
resource "yandex_alb_target_group" "alb-target-group" { ... target { subnet_id = "<subnet_ID>" ip_address = "<VM_1_internal_IP_address>" } target { subnet_id = "<subnet_ID>" ip_address = "<VM_2_internal_IP_address>" } ... target { subnet_id = "<subnet_ID>" ip_address = "<VM_N_internal_IP_address>" } }
Where:
subnet_id: ID of the subnet the VM is located in.
ip_address: Internal IP address of the VM, specified in the target group of your network load balancer.
-
-
If your service needs one and the same backend resource processing requests within a single user session, enable session affinity for the backend group by uncommenting the section for the
yandex_alb_backend_groupresource.
session_affinity { connection { source_ip = true } }
-
-
Make sure the Terraform configuration files are correct using this command:
terraform validate
If there are any errors in the configuration files, Terraform will point them out.
-
Create the required infrastructure:
-
Run the command to view planned changes:
terraform plan
If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
-
If you are happy with the planned changes, apply them:
-
Run the command:
terraform apply
-
Confirm the update of resources.
-
Wait for the operation to complete.
-
All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.
-
-
Specify the autoscaling settings in the L7 load balancer:
- In the management console, select the folder where you created the L7 load balancer.
- Select Application Load Balancer.
- Click the name of the load balancer in question.
- Click and select Edit.
- Under Autoscaling settings, set a limit on the number of resource units.
Test the L7 load balancer
-
Wait until the L7 load balancer goes
Active.
-
Go to the new L7 load balancer and select Health checks on the left. Make sure you get
HEALTHYfor all the L7 load balancer's health checks.
-
Run a test request to the service through the L7 load balancer, for example, using one of these methods:
-
Add this record to the
hostsfile on your workstation:
<L7_load_balancer_public_IP_address> <service_domain_name>. Delete the record after the test.
-
Execute the request using cURL depending on the protocol type:
curl http://<service_domain_name> \ --resolve <service_domain_name>:<service_port>:<public_IP_address_of_L7_load_balancer>
curl https://<service_domain_name> \ --resolve <service_domain_name>:<service_port>:<public_IP_address_of_L7_load_balancer>
-
Migrate the user load from the network load balancer to the L7 load balancer
Warning
Backend VMs will be recreated during the migration process.
If the network load balancer's listener uses a public IP address without DDoS protection, memorize the current health check settings for the target group in the network load balancer before proceeding to the next step.
-
Change the integration with the target group for the VM group:
- In the management console, select the folder containing your VM group.
- Select Compute Cloud.
- In the left-hand panel, select Instance groups.
- Select the group to update.
- In the top-right corner of the page, click Edit.
- Under Integration with Application Load Balancer, enable Create target group.
- Specify the name of the L7 load balancer target group and, optionally, other target group settings.
- Click Save.
When changing the VM group:
- VMs in the group are automatically recreated.
- Targets are removed from the network load balancer target group, and the user load is distributed among the remaining targets. The service becomes partially unavailable to users through the network load balancer during this period.
- After all targets are deleted, the target group is deleted. The service becomes unavailable through the network load balancer.
Proceed to the next step without waiting for the VM group change to end.
-
In the L7 load balancer backend group, change the backend target group. Specify only the target group created in the previous step.
As you perform the operation specified in the previous step, VMs from the VM group will be automatically added to the L7 load balancer target group.
-
Select one of the options to further migrate the user load from the network load balancer to the L7 load balancer depending on whether the network load balancer listener has a public IP address with or without DDoS protection:
- The network load balancer listener uses a public IP address with DDoS protection. During migration, the public IP address for your service will remain the same.
- The network load balancer listener uses a public IP address without DDoS protection. During migration, the public IP address for your service will change.
The network load balancer listener uses a public IP address with DDoS protection
-
Delete the listener in the network load balancer to release the static public IP address.
-
In the L7 load balancer, assign to the listener the public IP address previously used by the network load balancer:
-
Open the configuration file you used to create the L7 load balancer (
alb-vm-http.tfor
alb-vm-https.tf).
-
In the load balancer description, change the
addressparameter value under
listener.endpoint.address.external_ipv4_address:
resource "yandex_alb_load_balancer" "<load_balancer_name>" { ... listener { ... endpoint { address { external_ipv4_address { address = <service_public_IP_address> } } ports = [ <service_port> ] } } }
Where
addressis the public IP address previously used by the network load balancer.
-
Apply the changes:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
-
Run the command:
terraform plan
The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply
-
Confirm the changes: type
yesin the terminal and press Enter.
-
-
-
After the IP addresses changes, your service will again be available through the L7 load balancer. Monitor the L7 load balancer's user load from the load balancer statistics charts.
-
Delete the now free static public IP address you selected when creating the L7 load balancer.
-
Open the configuration file you used to create the L7 load balancer (
alb-vm-http.tfor
alb-vm-https.tf).
-
Delete the
yandex_vpc_addressresource description from the file:
resource "yandex_vpc_address" "static-address" { description = "Static public IP address for the Application Load Balancer" name = "alb-static-address" external_ipv4_address { zone_id = "ru-central1-a" ddos_protection_provider = "qrator" } }
-
Apply the changes:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
-
Run the command:
terraform plan
The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply
-
Confirm the changes: type
yesin the terminal and press Enter.
-
-
-
(Optional) Delete the network load balancer after migrating the user load to the L7 load balancer.
The network load balancer listener uses a public IP address without DDoS protection
-
Monitor the condition of the network load balancer's targets. Wait until the targets are automatically deleted from the target group.
-
Create a target group for the network load balancer. Add the VMs recreated when changing the VM group.
-
In network load balancer, connect the target group created in the previous step. When connecting the target group, configure the health checks the original target group had.
-
Wait until the VM health checks in the network load balancer target group get the
Healthystatus. This will make your service once again available through the network load balancer.
-
To migrate user load from a network load balancer to an L7 load balancer, in the DNS service of your domain's public zone, change the A record value for the service domain name to the public IP address of the L7 load balancer. If the public domain zone was created in Yandex Cloud DNS, change the record using this guide.
Note
The propagation of DNS record updates depends on the time-to-live (TTL) value and the number of links in the DNS request chain. This process can take a long time.
-
As the DNS record updates propagate, follow the increase of requests to the L7 load balancer from the load balancer statistics charts.
-
Follow the decrease of the network load balancer load using the
processed_bytesand
processed_packetsload balancer metrics. You can create a dashboard to visualize these metrics. The absence of load on the network load balancer for a prolonged period of time indicates that the user load has been transferred to the L7 load balancer.
-
(Optional) Delete the network load balancer after migrating the user load to the L7 load balancer.