Router connection load balancing

Hi There,

I have a question about Ziti Edge Tunnel connections to Edge Routers. I can't seem to find the answer in any documentation.

I have an HA Ziti system consisting of 3 Controllers and 2 public Edge Routers. I'm running v1.5.0 on the infrastructure and ZET v1.5.4.

I see that this bug has been resolved now and the maxConnections parameter seems to operate as expected. When I set maxConnections to 1, my ZET clients connect to only 1 of my 2 ERs; however, it's always the same ER.

For example, below are my two public ERs.

root@ziti-controller-3:~# ziti edge list edge-routers
╭────────────┬───────────────────┬────────┬───────────────┬──────┬────────────╮
│ ID         │ NAME              │ ONLINE │ ALLOW TRANSIT │ COST │ ATTRIBUTES │
├────────────┼───────────────────┼────────┼───────────────┼──────┼────────────┤
│ G2IiRuAojO │ edge-router-detof │ true   │ true          │    0 │            │
│ VCdd4uApjO │ edge-router-zexag │ true   │ true          │    0 │            │
╰────────────┴───────────────────┴────────┴───────────────┴──────┴────────────╯
results: 1-2 of 2

And below shows that my ZET clients are only ever connecting to edge-router-detof.

root@ziti-controller-3:~# ziti edge list terminators 'limit 500'
╭────────────────────────┬──────────────┬───────────────────┬─────────┬────────────────────────┬────────────────────────────────────┬──────┬────────────┬──────────────╮
│ ID                     │ SERVICE      │ ROUTER            │ BINDING │ ADDRESS                │ IDENTITY                           │ COST │ PRECEDENCE │ DYNAMIC COST │
├────────────────────────┼──────────────┼───────────────────┼─────────┼────────────────────────┼────────────────────────────────────┼──────┼────────────┼──────────────┤
│ 104mBfIUTpVC1TFKUUqPZh │ lifeboat.ssh │ edge-router-detof │ edge    │ 104mBfIUTpVC1TFKUUqPZh │ container-1564.lifeboat.controller │    0 │ default    │            0 │
│ 10QBjYfNvJE71t5VfxiYe1 │ lifeboat.ssh │ edge-router-detof │ edge    │ 10QBjYfNvJE71t5VfxiYe1 │ container-1536.lifeboat.controller │    0 │ default    │            0 │
│ 10dduew7PaK40X9Rld7wqd │ lifeboat.ssh │ edge-router-detof │ edge    │ 10dduew7PaK40X9Rld7wqd │ container-278.lifeboat.controller  │    0 │ default    │            0 │
│ 10odWLDF7mvm9RZBjjMfdZ │ lifeboat.ssh │ edge-router-detof │ edge    │ 10odWLDF7mvm9RZBjjMfdZ │ container-235.lifeboat.controller  │    0 │ default    │            0 │
│ 10pe8knP6R77AsNgmuTcX4 │ lifeboat.ssh │ edge-router-detof │ edge    │ 10pe8knP6R77AsNgmuTcX4 │ container-1893.lifeboat.controller │    0 │ default    │            0 │
│ 10rJZPWGE9F13ENiTiJCfh │ lifeboat.ssh │ edge-router-detof │ edge    │ 10rJZPWGE9F13ENiTiJCfh │ container-708.lifeboat.controller  │    0 │ default    │            0 │
│ 11LRWgKfFErVttgaXWmkzP │ lifeboat.ssh │ edge-router-detof │ edge    │ 11LRWgKfFErVttgaXWmkzP │ container-474.lifeboat.controller  │    0 │ default    │            0 │
│ 11TtG1SR3YhyuSPt8Yy0Kx │ lifeboat.ssh │ edge-router-detof │ edge    │ 11TtG1SR3YhyuSPt8Yy0Kx │ container-440.lifeboat.controller  │    0 │ default    │            0 │
│ 11UzBgolmvg1tFw3u4JHOc │ lifeboat.ssh │ edge-router-detof │ edge    │ 11UzBgolmvg1tFw3u4JHOc │ container-1730.lifeboat.controller │    0 │ default    │            0 │
│ 12P6oxq3StA0vBQVfOYH8Y │ lifeboat.ssh │ edge-router-detof │ edge    │ 12P6oxq3StA0vBQVfOYH8Y │ container-915.lifeboat.controller  │    0 │ default    │            0 │
│ 12UyPuTeycrdWEhieGWcok │ lifeboat.ssh │ edge-router-detof │ edge    │ 12UyPuTeycrdWEhieGWcok │ container-555.lifeboat.controller  │    0 │ default    │            0 │
│ 12V2Sox0bQWaJ4gHkSChdP │ lifeboat.ssh │ edge-router-detof │ edge    │ 12V2Sox0bQWaJ4gHkSChdP │ container-921.lifeboat.controller  │    0 │ default    │            0 │
│ 1307VNR0goEDVFgIA19daK │ lifeboat.ssh │ edge-router-detof │ edge    │ 1307VNR0goEDVFgIA19daK │ container-763.lifeboat.controller  │    0 │ default    │            0 │
│ 13onipn7gzBjlq5hVumAP4 │ lifeboat.ssh │ edge-router-detof │ edge    │ 13onipn7gzBjlq5hVumAP4 │ container-1527.lifeboat.controller │    0 │ default    │            0 │
│ 13y3qmKQJkqAdhr5UX3BCN │ lifeboat.ssh │ edge-router-detof │ edge    │ 13y3qmKQJkqAdhr5UX3BCN │ container-762.lifeboat.controller  │    0 │ default    │            0 │
│ 14xSdZbJy4hp7CPKm3gauR │ lifeboat.ssh │ edge-router-detof │ edge    │ 14xSdZbJy4hp7CPKm3gauR │ container-665.lifeboat.controller  │    0 │ default    │            0 │
...

Do I need to worry about this?

I can confirm that ER edge-router-zexag works as expected by stopping ER edge-router-detof. I observe the ZET clients creating terminators on ER edge-router-zexag.

Is there configuration I can apply that will spread the connection load evenly across the available Edge Routers?

The tunneler will generally pick the lowest latency router to connect to first. In your case it looks like all the tunnelers are picking the same ER. I would recommend setting the max connections to two. That way, each tunneler will be hosting via both ERs. Clients will then be able to pick whichever one is best, and load balancing will happen per circuit.

Let me know if that makes sense.
Paul


Thanks @plorenz.

Interestingly, I have just installed the same service configuration on a non-HA OpenZiti system and I see terminators are spread far more evenly across my two Edge Routers.

That's interesting that it's different. The controllers don't influence where terminators are created; that's at the discretion of the SDK/tunnelers, so I'm guessing the latencies were closer on that day, or there was something else going on with the router that never got terminators in the HA setup.

Cheers,
Paul
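
One way to check how hosting is spread, added here as an example and not part of the original thread: it parses the table that `ziti edge list terminators` prints (the layout shown in the question) and reports terminators per router, plus the identities hosting a service through fewer than two routers, which is the state that the suggested max connections of two should remove. The sample rows, IDs and identity names are constructed, and `parse_table` and `hosting_report` are hypothetical helper names.

```python
import sys
from collections import Counter, defaultdict

# Constructed sample in the layout `ziti edge list terminators` prints.
# IDs and identities are made up; router and service names follow the thread.
SAMPLE = """\
╭──────┬──────────────┬───────────────────┬─────────┬─────────┬─────────────┬──────┬────────────┬──────────────╮
│ ID   │ SERVICE      │ ROUTER            │ BINDING │ ADDRESS │ IDENTITY    │ COST │ PRECEDENCE │ DYNAMIC COST │
├──────┼──────────────┼───────────────────┼─────────┼─────────┼─────────────┼──────┼────────────┼──────────────┤
│ t001 │ lifeboat.ssh │ edge-router-detof │ edge    │ t001    │ container-a │    0 │ default    │            0 │
│ t002 │ lifeboat.ssh │ edge-router-zexag │ edge    │ t002    │ container-a │    0 │ default    │            0 │
│ t003 │ lifeboat.ssh │ edge-router-detof │ edge    │ t003    │ container-b │    0 │ default    │            0 │
│ t004 │ lifeboat.ssh │ edge-router-detof │ edge    │ t004    │ container-c │    0 │ default    │            0 │
╰──────┴──────────────┴───────────────────┴─────────┴─────────┴─────────────┴──────┴────────────┴──────────────╯
results: 1-4 of 4
"""


def parse_table(text):
    """Turn the CLI's box-drawn table into a list of row dicts keyed by header."""
    rows = [[cell.strip() for cell in line.strip().strip("│").split("│")]
            for line in text.splitlines() if line.lstrip().startswith("│")]
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    # Skip rows whose cell count does not match the header (e.g. truncated output).
    return [dict(zip(header, row)) for row in body if len(row) == len(header)]


def hosting_report(terminators, expected_routers=2):
    """Return (terminators per router, hosts using fewer routers than expected)."""
    per_router = Counter(t["ROUTER"] for t in terminators)
    routers_by_host = defaultdict(set)
    for t in terminators:
        routers_by_host[(t["SERVICE"], t["IDENTITY"])].add(t["ROUTER"])
    under = sorted(host for host, routers in routers_by_host.items()
                   if len(routers) < expected_routers)
    return per_router, under


if __name__ == "__main__":
    # Pipe real CLI output in on stdin, or run with no input to use the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    per_router, under = hosting_report(parse_table(text))
    for router, count in per_router.most_common():
        print(f"{router}: {count} terminators")
    for service, identity in under:
        print(f"{identity} hosts {service} via fewer than 2 routers")
```
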