Port mappings of Layer 4 listeners
Port mappings of Layer 7 listeners
A gaming company deploys game servers ECS01 and ECS02 in the US (Silicon Valley) region by using a Network Load Balancer (NLB) backend server group. A multiplayer online game is deployed on the ECS instances. The battle logic processing module runs on port 8080, and the chat module runs on port 8090.
The company faces the following issues:
End users are located in multiple regions around the world. Due to unstable Internet connections, network issues such as high latency, jitter, and packet loss often occur.
The game needs to distinguish different processing modules by using different ports and forward traffic on different ports to the corresponding backend modules.
The ports of the game servers are exposed, which poses security risks and complicates management.
To resolve the preceding issues, the gaming company plans to deploy GA. After the company deploys GA, requests can be routed to the nearest access point of Alibaba Cloud and reach the game server through the internal network of Alibaba Cloud. This shortens the transmission path over the Internet and reduces network issues such as high latency, jitter, and packet loss. By using the port mapping feature of GA, external requests are received on TCP ports 80 and 90, and forwarded to backend service ports 8080 and 8090. This implements port isolation of business modules and prevents exposure of internal service ports.

Prerequisites
An NLB instance is created. For more information, see Create an NLB instance.
A server group and a listener are created for the NLB instance. Multi-port listening is enabled for the server group and listener.
ECS01 and ECS02 are added to the NLB server group, and different service modules are deployed on ECS01 and ECS02 by using different ports.
In this example, the Alibaba Cloud Linux 3 operating system and NGINX are used to configure a test service that supports ports 8080 and 8090.
Commands for deploying a service on ECS01
Run the following commands to install NGINX and deploy a test application:
yum install -y nginx
cd /usr/share/nginx/html/
echo "Hello World! This is ECS01, service running on port 8080." > index8080.html
echo "Hello World! This is ECS01, service running on port 8090." > index8090.html
Run the following command to open the NGINX configuration file nginx.conf, configure the service modules of ports 8080 and 8090, and then save and exit the file.
vim /etc/nginx/nginx.conf
Configuration details:
http {
    ...
    server {
        listen 8080;
        server_name localhost;
        location / {
            root /usr/share/nginx/html;
            index index8080.html;
        }
    }
    server {
        listen 8090;
        server_name localhost;
        location / {
            root /usr/share/nginx/html;
            index index8090.html;
        }
    }
}
Run the following command to restart the NGINX service:
systemctl restart nginx.service
The security groups of ECS01 and ECS02 allow requests to ports 8080 to 8090.
A CNAME record is configured that maps the service domain name to the CNAME of the NLB instance.
If you use a third-party DNS service, refer to the user guide provided by the service provider.
Procedure
Step 1: Configure basic information about an instance
In this example, a pay-as-you-go standard GA instance is used.
On the page of the GA console, click Create Standard Pay-as-you-go Instance.
In the Basic Instance Configuration step, configure the basic information and click Next.

Step 2: Configure an acceleration area
In the Configure Acceleration Area step, add an acceleration region, allocate bandwidth to the region, and then click Next.
In this example, the China (Hong Kong) region is used. The Acceleration Area parameter is set to China (Hong Kong) and the ISP Line Type parameter is set to BGP (Multi-ISP). You can use the default values for other parameters or modify the parameters based on your business requirements. For more information, see Add and manage acceleration areas.

Step 3: Configure a listener
In the Configure listeners step, configure the forwarding protocol and the port, and then click Next.
In this example, the Protocol parameter is set to TCP and the Port parameter must include ports 80 and 90. For example, you can enter 80-90. You can use the default values for other parameters or modify other parameters based on your business requirements. For more information about how to configure a listener, see Add and manage intelligent routing listeners.

Step 4: Configure an endpoint group and an endpoint
In the Configure an endpoint group step, configure the endpoint and click Next.
In this example, Region is set to US (Silicon Valley), Backend Service Type is set to NLB, and Backend Service is set to the NLB instance. In the Port Mapping section, configure the mappings between listener port 80 and endpoint port 8080 and between listener port 90 and endpoint port 8090. Then, read and select Compliance Commitments Regarding Cross-border Data Transfers. You can use the default values for other parameters or modify other parameters based on your business requirements. For more information about how to configure an endpoint group, see Add and manage intelligent routing listeners.


In the Configuration Review step, confirm the GA configurations and click Submit.
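Before you submit, the port plan of this scenario can be compared against the security group rule and the deployed services to spot ports that are open without a purpose. The following Python sketch is an added example, not Alibaba Cloud code; the function names are hypothetical, and the port values are the ones used on this page.

```python
def parse_ports(spec):
    """Expand a port spec such as "80-90", "443" or "80,90" into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports


def audit(listener_spec, mappings, sg_spec, service_ports):
    """Compare listener ports, port mappings, security group rules and deployed services."""
    listener, allowed = parse_ports(listener_spec), parse_ports(sg_spec)
    services, targets = set(service_ports), set(mappings.values())
    return {
        # Mapping entries whose listener port is not part of the listener at all.
        "mapping_outside_listener": sorted(set(mappings) - listener),
        # Listener ports that are open on GA but have no explicit mapping.
        "listener_without_mapping": sorted(listener - set(mappings)),
        # Mapped endpoint ports that the ECS security group would drop.
        "target_blocked_by_sg": sorted(targets - allowed),
        # Mapped endpoint ports with nothing listening on them.
        "target_without_service": sorted(targets - services),
        # Ports the security group admits although no service uses them.
        "sg_open_without_service": sorted(allowed - services),
    }


# Values from this page: listener 80-90, mappings 80->8080 and 90->8090,
# security group 8080 to 8090, NGINX on 8080 and 8090.
FINDINGS = audit("80-90", {80: 8080, 90: 8090}, "8080-8090", [8080, 8090])

if __name__ == "__main__":
    for name, ports in FINDINGS.items():
        if ports:
            print(f"{name}: {ports}")
```

With the values on this page, the script lists listener ports 81 to 89 as having no explicit mapping and security group ports 8081 to 8089 as admitted with no service behind them; review whether either range is needed.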
Step 5: Configure a CNAME record
Configure a CNAME record to map the service domain name to the CNAME assigned by the GA instance. This accelerates access to the service.
In this example, if you already created a CNAME record that points to the NLB instance, you can specify the China (Hong Kong) region when you add a CNAME record that points to the GA instance. If the CNAME record works as expected, apply the CNAME record to other regions or retain only the CNAME record that points to the GA instance.
On the Authoritative DNS Resolution page, find the domain name that you want to use and click DNS Settings in the Actions column.
Note
For a domain name that is not registered with Alibaba Cloud, you must add the domain name to the Alibaba Cloud DNS console before you can configure DNS records.
On the DNS Settings page, click Add DNS Record, configure a CNAME record, and then click OK.
In this example, the Record Type parameter is set to CNAME, the Hostname parameter is set to www, the DNS Request Source parameter is set to Asia_Hong Kong, and the Record Value parameter is set to the CNAME of the GA instance. For more information, see Add DNS records.

Step 6: Test the network connectivity
Verify the port mappings
On a computer in the China (Hong Kong) region, perform the following operations:
Verify the GA acceleration performance
In this example, the instant detection tool is used. Before and after GA is configured, the service domain name and the service port are detected to check the acceleration performance. For more information, see Use network detection tools to verify acceleration performance.
Enter http://<service domain name>:8080 to check the network latency before GA is used.
Before you perform the test, make sure that the DNS record points to the CNAME of the NLB instance.
You can view information such as the response time. The IP address in the resolution result is the public IP address assigned to the Internet-facing NLB instance. This indicates that the traffic is routed to NLB.
Enter http://<service domain name>:80 to check the network latency after GA is used.
Before you perform the test, make sure that the DNS record points to the CNAME of the GA instance.
The accelerated IP address of the GA instance is displayed in the resolution result. This indicates that traffic is routed to GA for acceleration.
The test results show that the network latency of data transmission from the China (Hong Kong) region to the US (Silicon Valley) region is reduced after GA is used.
Note
The acceleration performance of GA varies based on your service.
Port mappings of Layer 7 listeners
An enterprise deploys a highly available web service by using Application Load Balancer (ALB) in the US (Silicon Valley) region. The web service runs on HTTP port 8081 and provides services for end users in multiple regions around the world.
The enterprise faces the following issues:
Due to poor Internet quality, some users experience high network latency.
Data is transmitted in plaintext over HTTP and the requests that are destined for the website are not authenticated. Therefore, security risks may arise.
The web service runs on the custom 8081 port. End users cannot access the service through the standard HTTPS port 443.
To resolve the preceding issues and improve user experience, the enterprise uses GA. The enterprise uses the port mapping feature of GA to receive requests on HTTPS port 443 and forward the requests to the backend HTTP port 8081. This way, the requests that end users send to GA are encrypted, and the service is provided through the standard port 443.

Prerequisites
An ALB instance is created. For more information, see Create an ALB instance.
A server group and a listener are created for the ALB instance. For more information, see Create a server group and Add an HTTP listener.
ECS01 and ECS02 are added to the server group of the ALB instance, and a service that uses port 8081 is deployed on ECS01 and ECS02.
In this example, the Alibaba Cloud Linux 3 operating system and NGINX are used to configure a test service that supports port 8081.
Commands for deploying a service on ECS01
Run the following commands to install NGINX and deploy a test application:
yum install -y nginx
cd /usr/share/nginx/html/
echo "Hello World! This is ECS01, service running on port 8081." > index8081.html
Run the following command to open the NGINX configuration file nginx.conf, configure the service module of port 8081, and then save and exit the file.
vim /etc/nginx/nginx.conf
Configuration details:
http {
    ...
    server {
        listen 8081;
        server_name localhost;
        location / {
            root /usr/share/nginx/html;
            index index8081.html;
        }
    }
}
Run the following command to restart the NGINX service:
systemctl restart nginx.service
The security groups of ECS01 and ECS02 allow requests to port 8081.
A CNAME record is configured that maps the service domain name to the CNAME of the ALB instance.
If you use a third-party DNS service, refer to the user guide provided by the service provider.
The required certificates are deployed. If the certificates are purchased from a third-party service provider, you must upload them to Certificate Management Service. In addition, make sure that the certificates are associated with your domain name. For more information about how to create a certificate, see Get started with official certificates.
Procedure
Step 1: Configure basic information about an instance
In this example, a pay-as-you-go standard GA instance is used.
On the page of the GA console, click Create Standard Pay-as-you-go Instance.
In the Basic Instance Configuration step, configure the basic information and click Next.

Step 2: Configure an acceleration area
In the Configure Acceleration Area step, add an acceleration region, allocate bandwidth to the region, and then click Next.
In this example, the China (Hong Kong) region is used. The Acceleration Area parameter is set to China (Hong Kong) and the ISP Line Type parameter is set to BGP (Multi-ISP). You can use the default values for other parameters or modify the parameters based on your business requirements. For more information, see Add and manage acceleration areas.

Step 3: Configure a listener
In the Configure listeners step, configure the forwarding protocol and the port, and then click Next.
In this example, Protocol is set to HTTPS, Port is set to 443, and the SSL certificate of the domain name is selected from the Server Certificate drop-down list. You can use the default values for other parameters or modify other parameters based on your business requirements. For more information about how to configure a listener, see Add and manage intelligent routing listeners.

Step 4: Configure an endpoint group and an endpoint
In the Configure an endpoint group step, configure the endpoint and click Next.
In this example, Region is set to US (Silicon Valley), Backend Service Type is set to ALB, and Backend Service is set to the ALB instance. In the Port Mapping section, configure the mapping between the listener port 443 and the endpoint port 8081. Then, read and select Compliance Commitments Regarding Cross-border Data Transfers. You can use the default values for other parameters or modify other parameters based on your business requirements. For more information about how to configure an endpoint group, see Add and manage intelligent routing listeners.


In the Configuration Review step, confirm the GA configurations and click Submit.
Step 5: Configure a CNAME record
Configure a CNAME record to map the service domain name to the CNAME assigned by the GA instance. This accelerates access to the service.
In this example, if you already created a CNAME record that points to the ALB instance, you can specify the China (Hong Kong) region when you add a CNAME record that points to the GA instance. If the CNAME record works as expected, apply the CNAME record to other regions or retain only the CNAME record that points to the GA instance.
On the Authoritative DNS Resolution page, find the domain name that you want to use and click DNS Settings in the Actions column.
Note
For a domain name that is not registered with Alibaba Cloud, you must add the domain name to the Alibaba Cloud DNS console before you can configure DNS records.
On the DNS Settings page, click Add DNS Record, configure a CNAME record, and then click OK.
In this example, the Record Type parameter is set to CNAME, the Hostname parameter is set to www, the DNS Request Source parameter is set to Asia_Hong Kong, and the Record Value parameter is set to the CNAME of the GA instance. For more information, see Add DNS records.

Step 6: Test the network connectivity
Verify the port mappings
On a computer in the China (Hong Kong) region, use a browser to access https://<service domain name>:443. Refresh the browser multiple times. The responses switch between ECS01 and ECS02, and the service on port 8081 is reached through port 443.
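The "Verify the port mappings" checks of both scenarios (Layer 4 listener ports 80 and 90, Layer 7 listener port 443) can be scripted instead of refreshing a browser. This Python sketch is an added example, not part of the original procedure or of Alibaba Cloud tooling; the function names and the l4/l7 argument are hypothetical, and it assumes the NGINX test pages deployed in the prerequisites.

```python
import re
import sys
import urllib.request

# (scheme, GA listener port, backend port the test page should report), from this page.
LAYER4 = [("http", 80, 8080), ("http", 90, 8090)]
LAYER7 = [("https", 443, 8081)]

# The tutorial's test pages read "This is ECS01, service running on port 8080."
GREETING = re.compile(r"This is (ECS\d+), service running on port (\d+)\.")


def parse_greeting(body):
    """Return (server, backend_port) from a test page, or None if it does not match."""
    m = GREETING.search(body)
    return (m.group(1), int(m.group(2))) if m else None


def http_fetch(url, timeout=5):
    """Fetch a URL; for HTTPS, urllib verifies the certificate chain and host name."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def verify(domain, expected, fetch=http_fetch, attempts=6):
    """Request each listener port several times and compare the backend port reported."""
    report = []
    for scheme, listener_port, backend_port in expected:
        servers, wrong = set(), []
        for _ in range(attempts):
            try:
                seen = parse_greeting(fetch(f"{scheme}://{domain}:{listener_port}/"))
            except OSError as exc:  # URLError, timeouts and TLS errors derive from OSError
                wrong.append(type(exc).__name__)
                continue
            if seen and seen[1] == backend_port:
                servers.add(seen[0])
            else:
                wrong.append(seen)
        report.append({"listener": listener_port, "backend": backend_port,
                       "ok": not wrong, "servers": sorted(servers), "wrong": wrong})
    return report


if __name__ == "__main__":
    # Hypothetical usage: python verify_mapping.py <service domain name> l4|l7
    for row in verify(sys.argv[1], LAYER4 if sys.argv[2:] == ["l4"] else LAYER7):
        print(row)
```

A row with "ok" set to False means that a listener port returned a page from a different backend port, an unexpected page, or an error. A "servers" list that contains both ECS01 and ECS02 confirms that both backend servers answered.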


Verify the GA acceleration performance
In this example, the instant detection tool is used. Before and after GA is configured, the service domain name and the service port are detected to check the acceleration performance. For more information, see Use network detection tools to verify acceleration performance.
Enter http://<service domain name>:8081 to check the network latency before GA is used.
Before you perform the test, make sure that the DNS record points to the CNAME of the ALB instance.
You can view information such as the response time. The IP address in the resolution result is the public IP address assigned to the Internet-facing ALB instance. This indicates that the traffic is routed to ALB.

Enter https://<service domain name>:443 to check the network latency after GA is used.
Before you perform the test, make sure that the DNS record points to the CNAME of the GA instance.
The accelerated IP address of the GA instance is displayed in the resolution result. This indicates that traffic is routed to GA for acceleration.

The test results show that the network latency of data transmission from the China (Hong Kong) region to the US (Silicon Valley) region is reduced after GA is used.
Note
The acceleration performance of GA varies based on your service.