Compared with Classic Load Balancer (CLB), Network Load Balancer (NLB) supports higher-performance Layer 4 load balancing capabilities. NLB also supports a large number of concurrent connections, SSL offloading for TCP traffic, and connection throttling. If your growing business requires features with higher performance, higher stability, and higher scalability, you can migrate Layer 4 listeners from your CLB instance to an NLB instance to support high-concurrency services.
Key features
After you migrate workloads from CLB to NLB, NLB provides the following features:
High concurrency: Each NLB instance supports up to 100 million concurrent connections and 100 Gbit/s of bandwidth. NLB can withstand a large number of concurrent connections from Internet of Things (IoT) devices.
Automatic scaling: NLB automatically scales in or scales out resources based on business requirements, without the need to manually change the instance specification.
Multi-port listening: NLB supports the multi-port listening feature, which can process all network traffic within a specified port range. This feature is ideal for scenarios that require a large number of ports or dynamic ports.
Various IPv6 features: NLB supports various IPv6 features, including dual-stack networking, IPv6-to-IPv4 forwarding, and IPv6-to-IPv6 forwarding.
Common scenarios
You can migrate workloads from CLB to NLB in the following scenarios:
A large number of concurrent connections, such as instant messaging and IoT device management.
Automatic resource scaling based on traffic spikes, such as e-commerce sales promotion activities that expect large traffic fluctuations.
A large number of ports for processing data in different scenarios, such as online games, video conference systems, and online education platforms.
Network resource scale-out, such as IPv4-to-IPv6 migration.
Examples
The following figure shows an example. A company created an Internet-facing CLB instance in the China (Hangzhou) region. A TCP listener is configured for the CLB instance. The CLB instance uses a domain name to provide services. When clients access www.example.cn, the requests are forwarded to the CLB instance based on the A record. The CLB instance forwards the requests to ECS01 and ECS02 based on the scheduling algorithm.
As business develops, the company needs to migrate workloads from the CLB instance to an NLB instance to support IoT services. To ensure service stability, the company does not want to change the IP addresses of the backend servers or the domain name that is used to provide services. In this case, the company can create an NLB instance in the China (Hangzhou) region and apply the same configurations as the CLB instance to the NLB instance. Then, the company can specify weights for DNS records to migrate workloads from the CLB instance to the NLB instance.
Precautions
CLB and NLB use the pay-as-you-go billing method. The billable items and billing rules of CLB and NLB are different. After you migrate workloads from CLB to NLB, the billing may change. For more information, see the following topics:
The NLB instance and backend servers of the CLB instance must be in the same virtual private cloud (VPC). The NLB instance and CLB instance must use the same backend servers.
IPv4 CLB instances can be migrated to IPv4 or dual-stack NLB instances. IPv6 CLB instances can be migrated only to dual-stack NLB instances.
Prerequisites
A TCP listener and a backend server are configured for the CLB instance. An A record is configured for the CLB instance to provide services through the domain name. For more information, see Overview.
Two Elastic Compute Service (ECS) instances ECS01 and ECS02 are created as backend servers. Applications are deployed on ECS01 and ECS02. For more information about how to create ECS instances, see Create an instance on the Custom Launch tab.
Note: If the CLB instance uses a UDP listener, configure a UDP listener for the NLB instance when you migrate workloads from the CLB instance to the NLB instance.
Prepare two test servers, one for traffic testing before the migration and the other for traffic testing during the migration. You can also use existing servers for testing. In this example, the servers run the 64-bit Alibaba Cloud Linux 3.2104 operating system.
The following commands show how to deploy applications on ECS01 and ECS02:
Step 1: Create an NLB instance
Log on to the NLB console.
In the top navigation bar, select the region in which the NLB instance is deployed.
On the Instances page, click Create NLB.
On the NLB (Pay-As-You-Go) International Site page, configure the parameters and click Buy Now. The following table describes only some of the parameters. Other parameters use the default values.
Parameter | Description |
Region | Select the region where you want to create an NLB instance. In this example, China (Hangzhou) is selected. |
Network Type | In this example, Internet is selected. Note: If you select Intranet, an NLB instance that uses two virtual IP addresses (VIPs) supports 10 Gbit/s of bandwidth for private connections, 100,000 new connections, and 1.5 million concurrent connections. In addition, NLB instances support automatic scaling, which can increase the bandwidth up to 50 Gbit/s. |
IP Version | Select an IP version for the NLB instance. In this example, IPv4 is selected. |
VPC | Select the VPC where you want to deploy the NLB instance. |
Zone | Select zones and vSwitches. In this example, Hangzhou Zone H, Hangzhou Zone I, and a vSwitch in each zone are selected. |
Associate with EIP Bandwidth Plan | In this example, Associate with EIP Bandwidth Plan is selected and an Internet Shared Bandwidth instance is selected. If you do not have an Internet Shared Bandwidth instance, click Purchase EIP Bandwidth Plan and complete the payment. |
Note: If your workloads expect a large volume of Internet traffic:
You can associate the NLB instance with an Internet Shared Bandwidth instance. The maximum bandwidth of the NLB instance is determined by the maximum bandwidth of the Internet Shared Bandwidth instance.
If you do not associate the NLB instance with an Internet Shared Bandwidth instance, the NLB instance uses a pay-as-you-go elastic IP address (EIP) by default. In this case, the maximum bandwidth of the NLB instance is 400 Mbit/s, which is not a guaranteed service term. It only indicates the maximum bandwidth that the NLB instance can reach.
After you purchase an NLB instance, you can associate it with an Internet Shared Bandwidth instance. For more information, see Modify the maximum bandwidth of an Internet-facing NLB instance.
Step 2: Create a server group for the NLB instance
Log on to the NLB console.
In the top navigation bar, select the region in which the NLB instance is deployed.
In the left-side navigation pane, choose .
On the Server Group page, click Create Server Group.
In the Create Server Group dialog box, configure the parameters and click Create. The following table describes only some of the parameters. Other parameters use the default values.
Parameter | Description |
Server Group Type | Select the type of the server group that you want to create. In this example, Server is selected. |
Server Group Name | Enter a name for the server group. |
VPC | Select the VPC of the NLB instance from the drop-down list. Only servers in the VPC of the NLB instance can be added to the server group. |
Backend Server Protocol | Select a backend protocol. In this example, TCP is selected. |
Configure Health Check | Health checks are enabled by default. In this example, the default setting is used. |
Click the ID of the server group to go to the Backend Servers tab.
Click Add Backend Server. In the Add Backend Server panel, select ECS01 and ECS02 and click Next.
In the Ports/Weights step, enter port 80, retain the default weight, and then click OK.
Step 3: Create a TCP listener
Log on to the NLB console.
In the top navigation bar, select the region in which the NLB instance is deployed.
On the Instances page, click the ID of the NLB instance that you want to manage.
Click the Listener tab and then click Quick Create Listener.
In the Quick Create Listener dialog box, configure the parameters and click OK. The following table describes the parameters.
Parameter | Description |
Listener Protocol | In this example, TCP is selected. |
Listener Port | In this example, port 80 is specified. |
Server Group | In this example, Server Type is selected and the server group created in Step 2 is selected. |
Step 4: Test network traffic
Log on to the Internet-facing Linux server that is used for traffic testing before the migration.
Run the following command to modify the hosts file:
sudo vi /etc/hosts
Press the I key to enter the edit mode. Add a record that maps the IP address of the NLB instance to the domain name.
47.XX.XX.101 www.example.cn
After you complete the modifications, press the Esc key, enter :wq, and then press the Enter key to save and close the file.
Note: This step maps the domain name www.example.cn to a specified EIP, such as 47.XX.XX.101, of the NLB instance and overrides the existing DNS record on this test server. Before the migration, you must test whether requests from the domain name can access the NLB instance.
Run the following command to test whether requests from the domain name can access the NLB instance. If Telnet is not installed, run the yum install -y telnet command to install Telnet.
telnet www.example.cn 80 # The TCP listener port 80
If you receive a response packet that contains Connected to nlb-..., requests from the domain name can be forwarded to the backend servers.
View the operation log of the NLB instance.
Log on to the NLB console.
In the left-side navigation pane, choose .
On the Operation Log page, set the Event Name parameter to GetLoadBalancerAttribute and click Query.
Click the icon to the left of the event and then click Event Details. You can find the requestParameterJson and LoadBalancerId fields to view the operation log data of the NLB instance.
Step 5: Migrate workloads to the NLB instance
The following figure shows how CLB processes requests. A TCP listener is configured for the CLB instance, which is accessible from multiple domain names. In this example, the domain name example.cn is used.
Before you perform the migration, compare the configurations of the CLB and NLB instances. To prevent unexpected events during the migration, make sure that the CLB and NLB instances use the same configurations and that the configurations are fully tested.
We recommend that you perform the migration during off-peak hours.
An A record is configured for the CLB instance to map the service domain name to the IP address of the CLB instance.
The configurations of the NLB instance are tested. In this example, Alibaba Cloud DNS is used to describe how to migrate workloads from the CLB instance to the NLB instance. The following procedure shows how to migrate workloads from CLB to NLB. For more information about Alibaba Cloud DNS, see Public Authoritative DNS Resolution.
Step 1: Configure a temporary domain name for the CLB instance
We recommend that you configure a CNAME record for the NLB instance. To configure DNS records with different weights, add a CNAME record that points the service domain name to a temporary domain name, and map the temporary domain name to the service IP address of the CLB instance.
To configure weights for different DNS records of the same domain name, the DNS records must be of the same type and have the same hostname and ISP line. The following record types are supported: A, CNAME, and AAAA.
Log on to the Alibaba Cloud DNS console.
On the Authoritative DNS Resolution page, click the domain name www.example.cn.
On the DNS Settings tab, click Add DNS Record. In the Add DNS Record panel, configure the parameters and click OK. The following table describes the parameters.
Parameter | Description |
Record Type | The type of the DNS record. In this example, CNAME is selected from the drop-down list. |
Hostname | Enter the prefix of your domain name. In this example, www is entered. |
DNS Request Source | The region in which the domain name visitor is located and the carrier network that the domain name visitor uses. In this example, Default is selected. |
Record Value | Enter the temporary domain name. In this example, web0.example.cn is used. |
TTL | Select a TTL value for the CNAME record to be cached on the DNS server. In this example, the default value is used. |
On the DNS Settings tab, find the A record that points to the IP address of the CLB instance and click Modify in the Actions column.
In the Modify DNS Record panel, modify the value of the Hostname parameter and click OK. In this example, the Hostname parameter is set to web0. The other parameters are not modified.
Step 2: Configure a CNAME for the NLB instance
You can also configure an A record to map the domain name to the VIP of a zone.
Log on to the NLB console.
In the top navigation bar, select the region of the NLB instance. In this example, the NLB instance is created in the China (Hangzhou) region.
Find the NLB instance and copy the domain name of the NLB instance.
To create a CNAME record, perform the following operations:
Log on to the Alibaba Cloud DNS console.
Find the domain name that you want to manage and click Configure in the Actions column. In this example, the domain name is the domain name of the CLB instance.
On the DNS Settings page, click Add Record.
In the Add DNS Record panel, configure the parameters and click OK. The following table describes the parameters.
Parameter | Description |
Record Type | The type of the DNS record. In this example, CNAME is selected from the drop-down list. |
Hostname | Enter the prefix of the domain name. In this example, www is entered. |
DNS Request Source | The region in which the domain name visitor is located and the carrier network that the domain name visitor uses. In this example, Default is selected. |
Record Value | Enter the CNAME, which is the domain name of the NLB instance. |
TTL | Select a TTL value for the CNAME record to be cached on the DNS server. In this example, the default value is used. |
Note: New CNAME records immediately take effect. Modifications to a CNAME record take effect when the TTL of the CNAME record ends, which is 10 minutes by default.
If the CNAME record that you want to create conflicts with an existing record, specify another domain name.
Step 3: Specify weights for the DNS records and perform a canary release
On the Authoritative DNS Resolution page, click the ID of the domain name that you want to manage.
Click the Weight Settings tab, find the domain name, and then click Set Weight in the Actions column.
To configure weights for different DNS records of the same domain name, the DNS records must be of the same type and have the same hostname and ISP line. The following record types are supported: A, CNAME, and AAAA.
In the Set Weight panel, specify weights for the DNS records of the CLB and NLB instances. Set the weight of the DNS record for the CLB instance to 100. Set the weight of the DNS record for the NLB instance to 0.
Gradually reduce the weight of the DNS record for the CLB instance and gradually increase the weight of the DNS record for the NLB instance. Make sure that your services are not affected.
Log on to the Linux client that is used to perform the migration and run the dig command multiple times to test network traffic after the migration.
dig www.example.cn
The following figures show the results. The results show that requests are forwarded to the CLB or NLB instance based on the weights of the DNS records.
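The repeated dig check above can be turned into a measurable gate for each weight change. The following script is an added example, not part of the original documentation: it tallies the CNAME targets returned for www.example.cn and fails if the observed NLB share drifts from the configured weight or if any unexpected target appears. The NLB name is a placeholder, the authoritative server is supplied by the operator, and weights are assumed to be expressed as a percentage share.

```shell
#!/bin/sh
# Added example: verify the weighted CNAME split during the canary release.
CLB_TARGET="web0.example.cn."                   # temporary CLB name used on this page
NLB_TARGET="nlb-placeholder.example.invalid."   # placeholder for the NLB domain name

# Query the authoritative server COUNT times. Asking it directly with
# +norecurse keeps a caching resolver from repeating one answer for a whole TTL.
sample_answers() {  # usage: sample_answers NAME AUTH_SERVER COUNT
    i=0
    while [ "$i" -lt "$3" ]; do
        dig +short +norecurse "@$2" "$1" CNAME
        i=$((i + 1))
    done
}

# Read one CNAME target per line on stdin; print counts and the NLB share.
tally_answers() {
    clb=0; nlb=0; other=0
    while IFS= read -r answer; do
        [ -n "$answer" ] || continue
        answer=$(printf '%s' "$answer" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
        case "$answer" in
            "$CLB_TARGET") clb=$((clb + 1)) ;;
            "$NLB_TARGET") nlb=$((nlb + 1)) ;;
            *)             other=$((other + 1)) ;;   # stale or unexpected record
        esac
    done
    total=$((clb + nlb)); pct=0
    if [ "$total" -gt 0 ]; then pct=$((nlb * 100 / total)); fi
    echo "clb=$clb nlb=$nlb other=$other nlb_pct=$pct"
}

# Succeed only if no unexpected target appeared and the observed NLB share is
# within TOLERANCE percentage points of the configured NLB weight.
check_canary() {  # usage: check_canary "TALLY_LINE" NLB_WEIGHT TOLERANCE
    other=${1#*other=}; other=${other%% *}
    pct=${1#*nlb_pct=}
    [ "$other" -eq 0 ] || return 1
    diff=$((pct - $2))
    [ "$diff" -ge 0 ] || diff=$((0 - diff))
    [ "$diff" -le "$3" ]
}

# Constructed sample: 10 answers as dig +short would print them (8 CLB, 2 NLB).
constructed_sample() {
    i=0
    while [ "$i" -lt 8 ]; do echo "web0.example.cn."; i=$((i + 1)); done
    echo "nlb-placeholder.example.invalid."
    echo "NLB-Placeholder.Example.Invalid."
}

result=$(constructed_sample | tally_answers)
echo "$result"
if check_canary "$result" 20 10; then echo "canary split OK"; else echo "canary split off"; fi
# Live use (needs network; AUTH_NS is the zone's authoritative server):
#   sample_answers www.example.cn "$AUTH_NS" 50 | tally_answers
```

Weighted resolution is probabilistic, so use enough samples and a tolerance wide enough for the sample size before treating a mismatch as a failure.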
Step 4: Migrate all workloads from the CLB instance to the NLB instance
Gradually reduce the weight of the DNS record for the CLB instance to 0, and gradually increase the weight of the DNS record for the NLB instance to 100. Then, all workloads are migrated from the CLB instance to the NLB instance. After all persistent connections on the CLB instance are closed and requests are no longer sent to the CLB instance, you can release the CLB instance after a proper period of time. For more information about how to release a CLB instance, see Release a CLB instance.
The following figure shows how the NLB instance processes requests after the migration is complete.
Advanced features
NLB supports stronger load balancing capabilities at Layer 4 than CLB. Some features of NLB may work in a different way than CLB. For more information about NLB, NLB quotas, NLB limits, and DDoS mitigation, and how to get started with NLB, see the following topics:
Use NLB to balance loads for IPv4 services and Use NLB to implement load balancing for IPv6 services
By default, NLB supports basic DDoS mitigation capabilities. For more information, see What is Anti-DDoS Origin?
The following table describes the differences in the advanced features between CLB and NLB.
Feature | CLB | NLB |
Server group management | Default server groups, vServer groups, and primary/secondary server groups are supported. | Server groups are supported. |
One-way authentication | Certificates issued by Alibaba Cloud and third-party certificates are supported. For more information, see Configure one-way authentication for HTTPS requests. | You can deploy an NLB instance as an ingress to distribute network traffic and configure an SSL certificate. This way, the TCP/SSL listener of the NLB instance decrypts encrypted traffic into plaintext traffic and distributes the plaintext traffic to backend servers. For more information, see Use NLB to enable SSL offloading over TCP (one-way authentication). |
Mutual authentication | Certificates issued by Alibaba Cloud and third-party certificates are supported. For more information, see Configure mutual authentication on an HTTPS listener. | You can deploy an NLB instance as an ingress to distribute network traffic and configure an SSL certificate and a CA certificate. This way, the TCP/SSL listener of the NLB instance authenticates both the server and the client before communication can be established. For more information, see Use NLB to enable SSL offloading over TCP (mutual authentication). |
Multi-port listening | Not supported | Multi-port listening allows NLB to monitor and respond to all network traffic within a specified port range because a single listener can forward network traffic on multiple ports. This simplifies configurations and O&M and minimizes security risks. For more information, see Enable multi-port listening and forwarding for NLB. |
Security | Access control based on whitelists and blacklists is supported. For more information, see Access control. | Access control on listeners and ports based on security groups, and access control based on whitelists and blacklists are supported. For more information, see the following topics: |
FAQ
Which configurations of the CLB and NLB instances must remain unchanged before and after the migration?
The region, network type, listener protocol, and backend servers must remain unchanged. The NLB instance must be in the same VPC as the CLB instance. The NLB instance and the CLB instance can be in different zones.
What are the differences between the certificates used by CLB and those used by NLB?
CLB supports encrypted transmission over HTTPS. NLB supports TCP connections encrypted by SSL. CLB supports certificates issued by Alibaba Cloud and third-party certificates. The certificates used by NLB are managed by Alibaba Cloud Certificate Management Service.
For more information about how to upload certificates for CLB instances, see Upload certificates.
For more information about how to upload certificates for NLB instances, see Purchase SSL certificates and Upload an SSL certificate.
What are the differences in access control between CLB and NLB?
CLB supports access control for listeners. You can configure different access control lists (ACLs) for different listeners. For more information, see Access control.
NLB uses security groups to control access based on protocols, ports, and IP addresses. For more information, see Add an NLB instance to a security group.
What are the differences in domain name resolution between CLB and NLB?
CLB uses A records to resolve custom domain names to the IP addresses of CLB instances.
For NLB instances:
To allow access to your services in a more convenient manner, we recommend that you use CNAME records to map custom domain names to the domain name of your NLB instance.
To resolve a custom domain name to a specific IP address, we recommend that you use an A record to resolve the custom domain name to the IP address of the NLB instance.
References
For more information about the differences in features, billing, and benefits between CLB and NLB, see What is SLB?
For more information about the introduction, basic configurations, features, and billing of CLB and NLB, see the following topics:
CLB instance
NLB instance