On Load Balancers
A load balancer might seem like a natural component for a highly available architecture. Directory services are highly available by design, however. When used with directory services, a load balancer can do more harm than good.
The Problem
DS servers rely on data replication for high availability with tolerance for network partitions. The directory service continues to allow both read and write operations while the network is partitioned. As a trade-off, replication provides eventual consistency, not immediate consistency.
A load balancer configured to distribute connections or requests equitably across multiple servers can therefore cause an application to get an inconsistent view of the directory data. This problem arises in particular when a client application uses a pool of connections to access a directory service:
- The load balancer directs a write request from the client application to a first server. The write request results in a change to directory data. The first server replicates the change to a second server, but replication is not instantaneous.
- The load balancer directs a subsequent read request from the client application to the second server. The read request arrives before the change has been replicated to the second server.

As a result, the second server returns the earlier view of the data. The client application sees data that is different from the data it successfully changed!
The following sequence diagram illustrates the race condition:
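The race above can be reproduced in a small model. The following Python is an added example, not DS code or ForgeRock's: two replicas with an explicit replication step stand in for eventual consistency, and a round-robin balancer is compared with a failover (active/passive) balancer. The replica names, the `uid=bjensen` entry and its mail values are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Replica:
    """One directory server replica holding its own copy of the data (toy model)."""
    name: str
    data: Dict[str, str] = field(default_factory=dict)
    up: bool = True


class ReplicatedDirectory:
    """Replicas plus an explicit replicate() step. A write lands on one replica
    immediately and reaches the others only when replicate() runs, which is the
    eventual-consistency window the race depends on."""

    def __init__(self, names: List[str]) -> None:
        self.replicas = [Replica(n) for n in names]
        self._pending: List[Tuple[Replica, str, str]] = []

    def write(self, replica: Replica, dn: str, value: str) -> None:
        replica.data[dn] = value
        self._pending.append((replica, dn, value))

    def replicate(self) -> None:
        # Push every pending change to the other replicas, then clear the queue.
        for source, dn, value in self._pending:
            for r in self.replicas:
                if r is not source:
                    r.data[dn] = value
        self._pending.clear()


class RoundRobin:
    """Distributes each request to the next live server in turn."""

    def __init__(self, replicas: List[Replica]) -> None:
        self.replicas = replicas
        self.counter = 0

    def pick(self) -> Replica:
        live = [r for r in self.replicas if r.up]
        chosen = live[self.counter % len(live)]
        self.counter += 1
        return chosen


class Failover:
    """Active/passive: every request goes to the first live server."""

    def __init__(self, replicas: List[Replica]) -> None:
        self.replicas = replicas

    def pick(self) -> Replica:
        return next(r for r in self.replicas if r.up)


def read_after_write(balancer, directory: ReplicatedDirectory,
                     dn: str, value: str, lag: bool) -> Optional[str]:
    """Send a write through the balancer, then read the same entry back
    through it. lag=True means replication has not caught up in between."""
    directory.write(balancer.pick(), dn, value)
    if not lag:
        directory.replicate()
    return balancer.pick().data.get(dn)


def run(strategy: str, lag: bool = True) -> Optional[str]:
    """Return what the client reads back after its own write under the given
    balancing strategy ('round-robin' or 'failover')."""
    directory = ReplicatedDirectory(["ds1", "ds2"])
    # Constructed seed entry, already replicated to both servers.
    for r in directory.replicas:
        r.data["uid=bjensen"] = "old-mail@example.com"
    balancer = {"round-robin": RoundRobin, "failover": Failover}[strategy](directory.replicas)
    return read_after_write(balancer, directory, "uid=bjensen", "new-mail@example.com", lag)


if __name__ == "__main__":
    print("round-robin, replication lagging:", run("round-robin", lag=True))
    print("round-robin, replication caught up:", run("round-robin", lag=False))
    print("failover, replication lagging:", run("failover", lag=True))
```

With round-robin and replication lagging, the write goes to ds1 and the read to ds2, so the client reads the old mail value it just replaced. The failover balancer sends both requests to ds1 and the client sees its own write, at the cost of leaving ds2 idle, which is the trade-off the next paragraph describes.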
When the load balancer is used in failover mode, also known as active/passive mode, this problem does not arise. However, the load balancer adds network latency while reducing the number of directory servers actively used. This is unfortunate, since the directory server replicas are designed to work together as a pool.
Unlike many load balancers, ForgeRock Identity Platform software has the capability to account for this situation, and to balance the request load appropriately across multiple directory servers.
Recommendations
Apply the following recommendations in your directory service deployments:
- Client is a ForgeRock Identity Platform 7.1 component
  Do not use a load balancer between ForgeRock Identity Platform components and the DS directory service. ForgeRock Identity Platform components use the same software as DS directory proxy to balance load appropriately across multiple directory servers. Examples of platform components include AM and IDM.
- Client opens a pool of connections to the directory service
  Do not use a load balancer between the client and the DS directory service. Configure the client application to use multiple directory servers.
- Client and server are DS replicas
  Never use a load balancer for replication traffic.
- Client can only access a single directory server
  Consider using DS directory proxy server to provide a single point of entry and balance load. Alternatively, use a load balancer in failover or active/passive mode.
- Client only ever opens a single connection to the directory service
  Consider using DS directory proxy server to provide a single point of entry and balance load. Alternatively, use a load balancer in failover or active/passive mode.