Hi.
We're planning the migration of our HAProxy setup to a managed Load Balancing service.
We currently have "one" application serving several purposes using different hostnames, even different TLDs. Grouped by wildcard, we're around 12 host items (app.domain.com, app.domain.ee, publicwebsite.com, ee.publicwebsite.com). I've been reading the docs for a couple of days and I'm stuck with two main blocking points: LB's frontends and SSL certificate.
We're oriented to implement Global external Application Load Balancer.
The goal of this post is to understand if we're approaching the best solution for our needs. Comments and amendments are welcome. Thanks.
SSL Certificates
According to Cert Docs:
Google-managed certificates are supported with the following load balancers:
- Global external Application Load Balancer
- Classic Application Load Balancer
- External proxy Network Load Balancer (with a target SSL proxy)
We created a DNS authorization and activated it, then we created two certificates, a wildcard (*.somedomain.com) and a third level one (someapp.somedomain.com), and they're both marked as Active.
Sadly, when I create a new Global external Application Load Balancer, I'm unable to select any of those certs. I'm instead only allowed to pick Classic certs.
Unfortunately, Classic certs can be activated when the hostname matches the external DNS, and this requires a downtime we cannot afford, having to migrate production traffic.
The only resort is to have self-managed SSL certs. We did want to remove manual actions, but this seems the only viable way so far.
Frontends & IP
Let's assume we figure out the certificates and we have them: one LB frontend is bound to a single SSL certificate, and a single IP address can be bound to only one combination of port/service.
This means that, to implement the LB for all our 12 FQDNs, I need to create 12 frontends and 12 IP addresses.
To my understanding, each LB has a limitation of 10 frontends, which means I would need to create at least two LBs.
To reduce the required FEs we could group multiple FQDNs in a single certificate. It's a longer process (with DNS Authorization, as we'd like to have 0 downtime), but could reduce the overall setup complexity.
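The post groups its FQDNs by wildcard and asks how many frontends and certificates that costs. As an added example (not part of the original post), the script below takes the hostnames named in the post, derives one Google-managed certificate (apex plus wildcard, validated by a DNS authorization) per registrable domain, and prints the `gcloud` Certificate Manager commands that put every hostname into one certificate map attached to a single global target HTTPS proxy. The project, map, proxy and URL map names are placeholders, the "registrable domain = last two labels" rule is an assumption that holds for the `.com` and `.ee` names in the post, and the command flags are taken from the `gcloud certificate-manager` and `gcloud compute target-https-proxies` reference as the author of this example knows them; verify them against the current docs before running with `DRY_RUN=0`.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Plans one Certificate Manager
# certificate map (one entry per hostname) for a single global external
# Application Load Balancer frontend. Dry-run by default: commands are printed,
# not executed. Set DRY_RUN=0 to actually invoke gcloud.
set -eu

# Constructed host list taken from the post (placeholder domains).
HOSTS="app.domain.com app.domain.ee publicwebsite.com ee.publicwebsite.com"

# Placeholder resource names; replace with your own.
CERT_MAP="${CERT_MAP:-app-cert-map}"
URL_MAP="${URL_MAP:-app-url-map}"
HTTPS_PROXY="${HTTPS_PROXY:-app-https-proxy}"

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Registrable domain = last two labels (assumption; fine for .com / .ee here,
# not for public suffixes such as .co.uk).
apex_of() {
  printf '%s\n' "$1" | awk -F. '{ print $(NF-1) "." $NF }'
}

# Turn a DNS name into a resource-name-safe identifier (dots -> dashes).
slug_of() {
  printf '%s\n' "$1" | tr . -
}

cert_name_for() { printf 'cert-%s\n' "$(slug_of "$1")"; }
auth_name_for() { printf 'auth-%s\n' "$(slug_of "$1")"; }

# Distinct registrable domains across all hosts, one per line.
apexes() {
  for h in $HOSTS; do apex_of "$h"; done | sort -u
}

# Number of certificates the plan needs (one per registrable domain).
count_certs() {
  apexes | awk 'END { print NR }'
}

# Number of frontends the plan needs: all hostnames share one proxy, so 1.
count_frontends() {
  printf '1\n'
}

emit_commands() {
  # One DNS authorization and one apex+wildcard certificate per domain, so
  # the certificate can be issued before any traffic is cut over.
  for apex in $(apexes); do
    run gcloud certificate-manager dns-authorizations create "$(auth_name_for "$apex")" \
      --domain="$apex"
    run gcloud certificate-manager certificates create "$(cert_name_for "$apex")" \
      --domains="$apex,*.$apex" \
      --dns-authorizations="$(auth_name_for "$apex")"
  done

  # One map; one entry per hostname selecting that domain's certificate by SNI.
  run gcloud certificate-manager maps create "$CERT_MAP"
  for h in $HOSTS; do
    run gcloud certificate-manager maps entries create "entry-$(slug_of "$h")" \
      --map="$CERT_MAP" \
      --hostname="$h" \
      --certificates="$(cert_name_for "$(apex_of "$h")")"
  done

  # A single global target HTTPS proxy (one frontend) carries the whole map.
  run gcloud compute target-https-proxies create "$HTTPS_PROXY" \
    --global \
    --url-map="$URL_MAP" \
    --certificate-map="$CERT_MAP"
}

emit_commands
```

Routing between the hostnames then happens in the URL map's host rules, not in separate frontends; the DNS cut-over for each name can be done one host at a time once its certificate shows as active.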