Compute Engine load balancer UDP / DNS responses dropped

Time: 2013-12-28 23:06:27

Tags: load-balancing google-compute-engine

Have been testing GCE and the load balancing feature - but have seen some unexpected results.

The trial configuration involves 2 instances acting as DNS resolvers in a target pool, plus a third test instance. An http server also runs on the hosts. No health check script was added.

  • DNS request to an individual instance's public IP (from ANY) - OK
  • HTTP request to an individual instance's public IP (from ANY) - OK
  • HTTP request to the load balanced IP (from ANY) - OK
  • DNS request to the load balanced IP (from an instance in the target pool) - OK
  • DNS request to the load balanced IP (from an instance in the same network - but not in the target pool) - NOK
  • DNS request to the load balanced IP (other) - NOK

I can see in the instance logs that the DNS requests arrive in all cases and are evenly distributed - although the replies don't seem to make it back to the originator.

This behaviour seems unexpected. I played with session affinity with similar results - although the default behaviour is the most desirable option.

Hit a wall. Any ideas of what to try?

Information about the setup:

$ gcutil listhttphealthchecks
+------+------+------+
| name | host | port |
+------+------+------+

$ gcutil listtargetpools
+----------+-------------+
| name     | region      |
+----------+-------------+
| dns-pool | us-central1 |
+----------+-------------+

$ gcutil listforwardingrules
+---------+-------------+-------------+
| name    | region      | ip          |
+---------+-------------+-------------+
| dns-tcp | us-central1 | 8.34.215.45 |
+---------+-------------+-------------+
| dns-udp | us-central1 | 8.34.215.45 |
+---------+-------------+-------------+
| http    | us-central1 | 8.34.215.45 |
+---------+-------------+-------------+

$ gcutil getforwardingrule dns-udp
+---------------+----------------------------------+
| name          | dns-udp                          |
| description   |                                  |
| creation-time | 2013-12-28T12:28:05.816-08:00    |
| region        | us-central1                      |
| ip            | 8.34.215.45                      |
| protocol      | UDP                              |
| port-range    | 53-53                            |
| target        | us-central1/targetPools/dns-pool |
+---------------+----------------------------------+

$ gcutil gettargetpool dns-pool
+------------------+-------------------------------+
| name             | dns-pool                      |
| description      |                               |
| creation-time    | 2013-12-28T11:48:08.896-08:00 |
| health-checks    |                               |
| session-affinity | NONE                          |
| failover-ratio   |                               |
| backup-pool      |                               |
| instances        | us-central1-a/instances/dns-1 |
|                  | us-central1-b/instances/dns-2 |
+------------------+-------------------------------+

[@dns-1 ~]$ curl "http://metadata/computeMetadata/v1/instance/network-interfaces/?recursive=true" -H "X-Google-Metadata-Request: True"
[{"accessConfigs":[{"externalIp":"162.222.178.116","type":"ONE_TO_ONE_NAT"}],"forwardedIps":["8.34.215.45"],"ip":"10.240.157.97","network":"projects/763472520840/networks/default"}]

[@dns-2 ~]$ curl "http://metadata/computeMetadata/v1/instance/network-interfaces/?recursive=true" -H "X-Google-Metadata-Request: True"
[{"accessConfigs":[{"externalIp":"8.34.215.162","type":"ONE_TO_ONE_NAT"}],"forwardedIps":["8.34.215.45"],"ip":"10.240.200.109","network":"projects/763472520840/networks/default"}]

$ gcutil getfirewall dns2
+---------------+------------------------------------+
| name          | dns2                               |
| description   | Allow the incoming service traffic |
| creation-time | 2013-12-28T10:35:18.185-08:00      |
| network       | default                            |
| source-ips    | 0.0.0.0/0                          |
| source-tags   |                                    |
| target-tags   |                                    |
| allowed       | tcp: 53                            |
| allowed       | udp: 53                            |
| allowed       | tcp: 80                            |
| allowed       | tcp: 443                           |
+---------------+------------------------------------+

The instances are CentOS with their iptables firewall disabled.

Reply from an instance in the target pool

@dns-1 ~]$ nslookup test 8.34.215.45 | grep answer
Non-authoritative answer:
@dns-1 ~]$

Reply from the other instance in the target pool

@dns-2 ~]$ nslookup test 8.34.215.45 | grep answer
Non-authoritative answer:
@dns-2 ~]$

An instance not in the target pool gets no reply on the load balanced IP. It does, however, get replies from all the other interfaces

@dns-3 ~]$ nslookup test 8.34.215.45 | grep answer
@dns-3 ~]$ 
@dns-3 ~]$ nslookup test 8.34.215.162 | grep answer
Non-authoritative answer:
@dns-3 ~]$ nslookup test 10.240.200.109 | grep answer
Non-authoritative answer:
@dns-3 ~]$ nslookup test 10.240.157.97 | grep answer
Non-authoritative answer:
@dns-3 ~]$ nslookup test 162.222.178.116 | grep answer
Non-authoritative answer:

- Update - Added a health check so that the instances are not marked UNHEALTHY. But got the same results.

$ gcutil gettargetpoolhealth dns-pool
+-------------------------------+-------------+--------------+
| instance                      | ip          | health-state |
+-------------------------------+-------------+--------------+
| us-central1-a/instances/dns-1 | 8.34.215.45 | HEALTHY      |
+-------------------------------+-------------+--------------+
| us-central1-b/instances/dns-2 | 8.34.215.45 | HEALTHY      |
+-------------------------------+-------------+--------------+

- Update - It looks like the DNS service is not responding from the same IP the request was sent to. This is surely the reason it appears not to respond.

0.000000 162.222.178.130 -> 8.34.215.45  DNS 82 Standard query 0x5323  A test.internal
2.081868 10.240.157.97 -> 162.222.178.130 DNS 98 Standard query response 0x5323  A 54.122.122.227

1 answer:

Answer 0: (score: 1)

It looks like the DNS service is not responding from the same IP the request was sent to. This is surely the reason it appears not to respond.

0.000000 162.222.178.130 -> 8.34.215.45  DNS 82 Standard query 0x5323  A test.internal
2.081868 10.240.157.97 -> 162.222.178.130 DNS 98 Standard query response 0x5323  A 54.122.122.227
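The capture above shows the reply leaving from the instance's own address (10.240.157.97) instead of the forwarded IP the client queried (8.34.215.45), so the client's UDP socket discards it. As an added example (not from the post or from Google's tooling), this script parses tshark-style summary lines like the two above and flags every reply whose source differs from the queried address; the capture text is constructed, with one healthy exchange added for contrast.

```python
import re
from typing import List, Tuple

# Constructed sample capture in the tshark one-line summary format quoted in the post.
# The first pair reproduces the post's mismatched exchange; the second pair is a
# constructed healthy exchange where the reply comes back from the queried address.
CAPTURE = """\
0.000000 162.222.178.130 -> 8.34.215.45  DNS 82 Standard query 0x5323  A test.internal
2.081868 10.240.157.97 -> 162.222.178.130 DNS 98 Standard query response 0x5323  A 54.122.122.227
3.000000 162.222.178.130 -> 8.34.215.45  DNS 82 Standard query 0x5324  A test.internal
3.010000 8.34.215.45 -> 162.222.178.130 DNS 98 Standard query response 0x5324  A 54.122.122.227
"""

# ts, src, dst, optional "response", transaction id; lines that do not match are ignored
LINE_RE = re.compile(
    r"^\s*(?P<ts>[\d.]+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+DNS\s+\d+\s+"
    r"Standard query(?P<resp> response)?\s+0x(?P<txid>[0-9a-fA-F]+)"
)


def parse_capture(text: str) -> List[Tuple[str, str, str, bool]]:
    """Return (src, dst, txid, is_response) for each DNS summary line."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append((m["src"], m["dst"], m["txid"].lower(), m["resp"] is not None))
    return packets


def find_mismatched_replies(text: str) -> List[Tuple[str, str, str]]:
    """Return (txid, queried_ip, reply_src_ip) for every response whose source
    address differs from the address the client queried. A UDP client socket only
    accepts a reply from the address it sent to, so these replies are discarded."""
    pending = {}  # (txid, client ip) -> ip the client queried
    mismatches = []
    for src, dst, txid, is_response in parse_capture(text):
        if not is_response:
            pending[(txid, src)] = dst
            continue
        queried = pending.pop((txid, dst), None)
        if queried is not None and queried != src:
            mismatches.append((txid, queried, src))
    return mismatches


if __name__ == "__main__":
    for txid, asked, answered in find_mismatched_replies(CAPTURE):
        print(f"txid 0x{txid}: client queried {asked} but reply came from {answered}")
```

Feed it the output of `tshark -i eth0 udp port 53` on the client; any line it prints identifies a backend that answers from its primary interface rather than the forwarded IP.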