
Does a Windows Server need a Load Balancer?

Several months ago I moved an enterprise web application from a dedicated GoDaddy server to GCS. I am using a single Compute Engine instance running Windows Server 2016. This is an older application, so it's coupled together with classic ASP, MySQL and IIS. The domains are pointed at a Google Load Balancer I set up that also handles the SSL certificates; the load balancer just forwards straight to the single CE instance. Over the last few months I've noticed my costs on the load balancer are substantial (approximately $50 per month) considering how I'm 'using' it.

My question is whether I can reduce my Load Balancer costs somehow or cut out the need for it entirely. I'm guessing if I point my domains directly at an external IP for my CE instance and then set up SSL certs on the Windows server, that would be possible? Anything else I'm missing or any other recommendations?

ACCEPTED SOLUTION

Great question. Ultimately it is a risk/flexibility vs cost decision in my view. Certainly from a technical standpoint there is nothing stopping you attaching a public IP to the VM instance itself and updating your DNS to point to that, at which point you could remove the load balancer. That would save you some of that cost. However, it is worth keeping in mind a few points:

  1. By using a Load Balancer you automatically inherit DDoS protection from Google Front Ends, providing a great baseline of protection, see: https://cloud.google.com/load-balancing/docs/load-balancing-overview#ddos
  2. You have the option of integrated, free and auto-renewing SSL certificates: https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs 
    There are ways, with Let's Encrypt for example, to do this at the server level, but it adds some complexities and overhead - another thing to manage.
  3. You may not be using it today (and there are some additional costs depending on features), but you also have the ability to add Cloud Armor rules for added protection; in particular I would call out OWASP top 10 risk mitigation as being a great one: https://cloud.google.com/armor/docs/common-use-cases#protect_your_deployment_against_application_lay...
    Even if you don't use them today, having a load balancer already configured means you could quickly add the protection if you became a target for an attack for example or you discovered an application vulnerability you wanted to mitigate.
  4. By removing the load balancer, all requests are directly connecting to your server. If there was a security exploit on the operating system's network stack or applications you are using, the ability to connect directly potentially opens up increased avenues for attack, compared to when you are leveraging a proxy like a load balancer.
  5. If you ever wanted to make changes or test a new version of your application, a load balancer gives you some flexibility to deploy a second VM with the changes, switch to it quickly and easily, and switch back in case of issues, a pattern often referred to as blue/green. It may or may not be relevant depending on how frequently you see changes, but can be useful. For more details see: https://cloud.google.com/architecture/application-deployment-and-testing-strategies#bluegreen_deploy... 

Hopefully there are a few thoughts for consideration. Despite not using a load balancer to balance load, you do have some benefits and flexibility through using one, but it really comes down to a cost, risk, flexibility business decision.
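Added example, not part of the original answer: a sketch of how points 3 and 4 translate into `gcloud` commands, assuming a global external Application Load Balancer that forwards to the VM on port 80. The policy, backend service, network and tag names are placeholders; by default the script only prints the commands for review.

```shell
#!/bin/sh
# Added example. POLICY, BACKEND, NETWORK and TAG are placeholder names.
set -eu

POLICY="${POLICY:-web-waf-policy}"         # hypothetical Cloud Armor policy
BACKEND="${BACKEND:-web-backend-service}"  # hypothetical backend service
NETWORK="${NETWORK:-default}"
TAG="${TAG:-web-server}"                   # hypothetical network tag on the VM
# Source ranges Google documents for load balancer proxies and health checks.
LB_RANGES="130.211.0.0/22,35.191.0.0/16"

# With DRY_RUN=1 (the default) commands are printed instead of executed.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Point 3: create a Cloud Armor policy with preconfigured WAF rules
# and attach it to the backend service behind the load balancer.
add_waf() {
  run gcloud compute security-policies create "$POLICY" \
    --description "Baseline WAF for the classic ASP site"
  prio=1000
  for rule in sqli-stable xss-stable lfi-stable; do
    run gcloud compute security-policies rules create "$prio" \
      --security-policy "$POLICY" \
      --expression "evaluatePreconfiguredExpr('$rule')" \
      --action deny-403
    prio=$((prio + 1))
  done
  run gcloud compute backend-services update "$BACKEND" \
    --security-policy "$POLICY" --global
}

# Point 4: allow only the load balancer to reach the VM's serving port,
# so clients cannot bypass the proxy and connect to IIS directly.
restrict_ingress() {
  run gcloud compute firewall-rules create allow-lb-to-web \
    --network "$NETWORK" --direction INGRESS --action ALLOW \
    --rules tcp:80 --source-ranges "$LB_RANGES" --target-tags "$TAG"
}

add_waf
restrict_ingress
```

The allow rule only narrows exposure once any broader rule that admits `0.0.0.0/0` to the same port has been removed; run with `DRY_RUN=0` to execute instead of print.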

 

 
