Introduction
Acronis Cyber Infrastructure has built-in capability for service failover via DNS round-robin, which can be used as basic failover and load balancing. For complex environments HAProxy might be used to build a scalable and redundant load balancing platform which can be easily moved or migrated and is independent from Acronis Cyber Infrastructure. Another advantage of this approach is that HAProxy will act as the public / private network connection point and Acronis Cyber Infrastructure nodes can operate in a fully isolated private network.
HAProxy
HAProxy is a free, fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites. Over the years it has become the de-facto standard open source load balancer, is now shipped with most mainstream Linux distributions, and is often deployed by default in cloud platforms.
Examples
1. Simple Configuration (Backup Gateway)
In the example below Acronis Cyber Infrastructure is running on 5 nodes, WebCP is running under its own HA and Acronis Backup Gateway is running on all 5 nodes. It is a basic version which will simply do a round-robin of each incoming connection. It emulates DNS-RR.
# global configuration section.
global
    maxconn 32768
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    quiet

# default configuration and timeouts.
defaults
    log global
    retries 10
    maxconn 32768
    timeout connect 30s
    timeout server 1d
    timeout client 1d
    timeout queue 1d
    timeout tarpit 1d

# service for 'Backup Gateway' redirect.
listen abgw
    bind *:44445
    mode tcp
    server srv1 192.168.1.11:44445
    server srv2 192.168.1.12:44445
    server srv3 192.168.1.13:44445
    server srv4 192.168.1.14:44445
    server srv5 192.168.1.15:44445
2. Usual Configuration with health checks (WebCP, Backup Gateway and S3)
In the example below Acronis Cyber Infrastructure is running on 5 nodes, WebCP is running under its own HA, Acronis Backup Gateway is running on all 5 nodes and S3 is running on 3 nodes. It is a more advanced round-robin configuration: it runs regular health checks against each destination and stops sending connections to a destination that fails.
# global configuration section.
global
    maxconn 32768
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    quiet

# default configuration and timeouts.
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 4096

# frontend for 'WebCP'.
frontend webcp
    bind *:8888
    mode tcp
    default_backend backend-webcp

# frontend for 'S3'.
frontend s3
    bind *:443
    mode tcp
    default_backend backend-s3

# frontend for 'Backup Gateway'.
frontend abgw
    bind *:44445
    mode tcp
    default_backend backend-abgw

# backend for 'WebCP'.
backend backend-webcp
    mode tcp
    server management1 192.168.1.10:8888

# backend for 'S3'.
# 'check' enables the health checks; a server that fails them is taken out of rotation.
backend backend-s3
    mode tcp
    balance roundrobin
    server object1 192.168.1.11:443 check
    server object2 192.168.1.12:443 check
    server object3 192.168.1.13:443 check

# backend for 'Backup Gateway'.
backend backend-abgw
    mode tcp
    timeout server 12h
    balance source
    server storage1 192.168.1.11:44445 check
    server storage2 192.168.1.12:44445 check
    server storage3 192.168.1.13:44445 check
    server storage4 192.168.1.14:44445 check
    server storage5 192.168.1.15:44445 check
3. Complex Configuration with health checks and SSL termination (WebCP, Backup Gateway and S3)
In the example below Acronis Cyber Infrastructure is running on 5 nodes, WebCP is running under its own HA, Acronis Backup Gateway is running on all 5 nodes and S3 is running on 3 nodes. It is a more advanced round-robin configuration: it runs regular health checks against each destination and stops sending connections to a destination that fails. It also performs SSL termination and serves WebCP and S3 through a single external URL. Lastly, it uses the leastconn balancing algorithm to distribute HTTPS traffic across the cluster nodes in a simple way, and the source algorithm for source-IP-based balancing across Backup Gateway nodes.
# global configuration section.
global
    maxconn 32768
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    quiet

# default configuration and timeouts.
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 4096

# frontend for 'WebCP' and 'S3' mixed on port 443.
frontend webcp-s3
    bind *:443 ssl crt /etc/letsencrypt/live/acronis.com/fullchain.pem
    mode http
    use_backend backend-webcp if { hdr(host) -i webcp.as.acronis.com }
    # hdr_end matches any host name ending in .s3.as.acronis.com;
    # hdr(host) would only match that exact string.
    use_backend backend-s3 if { hdr_end(host) -i .s3.as.acronis.com }

# frontend for 'Backup Gateway'.
frontend abgw
    bind *:44445
    mode tcp
    default_backend backend-abgw

# After SSL termination, traffic to the two HTTP backends below is sent
# unencrypted unless 'ssl' is added to their server lines.

# backend for 'WebCP'.
backend backend-webcp
    server management1 192.168.1.10:8888

# backend for 'S3'.
# Must be http mode: an http frontend cannot route to a tcp backend.
backend backend-s3
    mode http
    balance leastconn
    server object1 192.168.1.11:443 check
    server object2 192.168.1.12:443 check
    server object3 192.168.1.13:443 check

# backend for 'Backup Gateway'.
backend backend-abgw
    mode tcp
    timeout server 12h
    balance source
    server storage1 192.168.1.11:44445 check
    server storage2 192.168.1.12:44445 check
    server storage3 192.168.1.13:44445 check
    server storage4 192.168.1.14:44445 check
    server storage5 192.168.1.15:44445 check
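The following is an added example, not part of the original article or of HAProxy itself: a small Python check that flags two mistakes that are easy to make when combining frontends and backends as in the examples above, namely an http-mode frontend routed to a tcp-mode backend (which HAProxy rejects at startup) and server lines without check (which stay in rotation when a node fails). The names audit and SAMPLE, the certificate path and the host name in the sample are assumptions made for illustration.

```python
# Constructed sample in the style of the configs above (not one of the page's configs).
SAMPLE = """\
defaults
    mode http
frontend webcp-s3
    bind *:443 ssl crt /etc/haproxy/site.pem
    use_backend backend-s3 if { hdr_end(host) -i .s3.example.test }
    default_backend backend-webcp
backend backend-webcp
    server management1 192.168.1.10:8888
backend backend-s3
    mode tcp
    server object1 192.168.1.11:443
backend backend-abgw
    mode tcp
    server storage1 192.168.1.11:44445 check
"""

def audit(cfg_text):
    """Return sorted findings: http->tcp routing and servers without 'check'."""
    default_mode, section, cur, proxies = "tcp", None, None, {}  # built-in mode is tcp
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw in ("global", "defaults", "frontend", "backend", "listen"):
            section, cur = kw, None
            if kw == "defaults":
                default_mode = "tcp"  # a new defaults section starts from built-ins
            elif kw != "global" and args:
                cur = proxies[args[0]] = {"mode": default_mode, "targets": [], "unchecked": []}
        elif kw == "mode" and args:
            if section == "defaults":
                default_mode = args[0]  # inherited by proxies declared afterwards
            elif cur is not None:
                cur["mode"] = args[0]
        elif cur is not None and kw in ("use_backend", "default_backend") and args:
            cur["targets"].append(args[0])
        elif cur is not None and kw == "server" and len(args) >= 2 and "check" not in args[2:]:
            cur["unchecked"].append(args[0])  # server <name> <addr> [options...]
    findings = []
    for name, proxy in proxies.items():
        for target in proxy["targets"]:
            backend = proxies.get(target)
            if backend and proxy["mode"] == "http" and backend["mode"] == "tcp":
                findings.append(f"{name}: http frontend routes to tcp backend {target}")
        findings += [f"{name}: server {s} has no health check" for s in proxy["unchecked"]]
    return sorted(findings)
```

Call audit() with the text of a configuration file to get the list of findings; haproxy -c -f <file> remains the authoritative syntax check before a reload.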
Additional Information
With HAProxy it is possible to build complex setups and serve almost any usage scenario. In http mode you can automatically show a company-branded maintenance page while WebCP or S3 is not reachable. Besides this, it is possible to use HAProxy for SSL termination and forward traffic either unencrypted or using self-signed certificates in the backend. However, we do not recommend this type of setup.
The full documentation of all available configuration options can be found in a single document here.