Definition Mission

There are a couple of terms in the realm of server load balancing (application delivery controllers) that can be somewhat confusing, because either there are multiple names for the same concept, or the same name means multiple concepts. I’m going to go over a few, to see if it helps clear things up a bit:

SNAT (Source NAT)

Source NAT is a term that is most often used to refer to two similar yet distinct concepts:

  1. An IP address (or pool of IP addresses), typically on a publicly routed address space, used to allow servers behind a load balancer, typically on a non-routed RFC1918 address space, to make outbound connections to the Internet.
  2. An IP address (or pool of IP addresses) that resides on the load balancer used to make connections to the web server, making it appear that all requests come from the load balancer (as opposed to the actual client IP). Another term used in this scenario is full-NAT.

Scenario 1 Example: Let’s say you have a couple of web servers sitting on a non-routed IP address space (such as 192.168.1.0/24). The load balancer is handling inbound NAT, NATing from the public Internet to the private address space. However, the servers also need to be able to make outbound connections. That is, connections that originate from the servers to some IP address on the public Internet (to download Microsoft patches, for example). To do this, you would set up a public IP address on the load balancer to act as a source NAT, the very same way a Linksys wireless router would. To hosts on the Internet, it would appear as if the connections were coming from this source NAT IP.

Scenario 2 Example: Because of some network or other logistical requirement, you cannot make the load balancer the default gateway of the servers. The very basics of load balancing require that you make sure traffic hits the load balancer on the way out (with the exception of DSR). The solution is to use a source NAT IP on the load balancer to proxy requests. This makes it look like all the HTTP connections and requests are coming from the load balancer. It doesn’t matter what the default gateway of the servers is, so long as there’s IP connectivity to the servers. The servers don’t even need to be on the same subnet as the load balancer with a source NAT. This can cause problems with some web logging applications (there are solutions to this), but it often greatly simplifies how a load balancer is placed in a network.

Persistence

When persistence is mentioned in the context of load balancing, it’s a pretty familiar term. Also referred to as sticky or server affinity, it’s the process of bypassing the normal load balancing algorithm and sending a given user to the same server each time that user makes a request. This is a requirement for web applications that are stateful (and the vast majority of them are).

Persistence is also a term used in the HTTP protocol, and it means something very different than load balancer persistence. With HTTP persistence, multiple requests are made through the same TCP connection, and it’s part of the HTTP 1.1 specification. In HTTP 1.0, a separate TCP connection was made for each object fetched. This meant that an HTML page with 20 images on it would require 21 separate TCP connections (20 images + HTML page).

This was rather wasteful, since the objects could be as small as a kilobyte or two. With HTTP 1.1, persistence allowed multiple objects to be pulled over the same connection, so only 1 TCP connection would be required to pull a page and its 20 images.

Transparent

Transparent can mean a couple of different things depending on what specific concept you’re talking about. With several load balancer products, the term transparent is used to refer to whether or not the true source IP address of a client is preserved or hidden.

  • Transparent: The source IP address of the client is preserved. Web servers see connections coming from the actual clients. This is also referred to as half-NAT.
  • Non-transparent: The source IP address of the client is not preserved. Web servers see connections coming from a source NAT IP address on the load balancer. This is also referred to as full-NAT.

Transparent is called half-NAT, because either the source IP address or the destination IP address is changed by the load balancer, but not both. Non-transparent is called full-NAT because both the source and destination IP addresses are changed.
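To make the difference concrete, here is an added Python model of Scenario 2 and the half-NAT/full-NAT distinction (not code from the original post, and not a real packet path): with constructed addresses it shows which source IP the web server ends up logging in each mode, and why a full-NAT reply always returns through the load balancer even when the load balancer is not the server's default gateway, while a half-NAT reply does not.

```python
from dataclasses import dataclass

# Constructed addresses for the model (assumptions, not from the post).
CLIENT = "203.0.113.10"   # client out on the public Internet
VIP = "198.51.100.5"      # public virtual IP on the load balancer
SNAT_IP = "192.168.1.1"   # source NAT IP owned by the load balancer
SERVER = "192.168.1.20"   # web server on non-routed RFC1918 space


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def inbound(pkt: Packet, mode: str) -> Packet:
    """Rewrite the client->VIP packet as the load balancer forwards it."""
    if mode == "half-nat":   # transparent: only the destination is changed
        return Packet(pkt.src, SERVER)
    if mode == "full-nat":   # non-transparent: source and destination change
        return Packet(SNAT_IP, SERVER)
    raise ValueError(f"unknown mode: {mode}")


def simulate(mode: str, lb_is_gateway: bool) -> dict:
    """Walk one request/reply through the load balancer and the server."""
    forwarded = inbound(Packet(CLIENT, VIP), mode)
    # The server answers whatever source it saw, by swapping the addresses.
    reply = Packet(forwarded.dst, forwarded.src)
    # A full-NAT reply is addressed to the LB's own SNAT IP, so it always
    # lands on the LB. A half-NAT reply is addressed to the client, so it
    # only passes the LB if the LB sits in the return path (default gateway).
    via_lb = reply.dst == SNAT_IP or lb_is_gateway
    if via_lb:
        client_sees = Packet(VIP, CLIENT)   # LB undoes the translation
    else:
        client_sees = reply                  # asymmetric path: raw server reply
    return {
        "server_logs_src": forwarded.src,   # what ends up in the web logs
        "reply_via_lb": via_lb,
        # The client only accepts a reply that comes back from the VIP it
        # connected to; a reply from 192.168.1.20 never matches its connection.
        "client_gets_valid_reply": client_sees.src == VIP,
    }
```

Running `simulate("half-nat", False)` shows the broken asymmetric case from the post, and `simulate("full-nat", False)["server_logs_src"]` shows why the web logs see only the load balancer in full-NAT mode.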

Transparent can also mean how the load balancer is deployed in a network. In the firewall world, a “transparent firewall” is a firewall that is set up like a load balancer in bridge mode. It intercepts traffic purely by being in the Layer 2 path, instead of the Layer 3 path. This is sometimes used in load balancer terminology, but not often.

If you have any other terms that you might be confused with, drop me a line and I’ll see if I can’t make a post out of it: tony [at] lbdigest [dot] com.
