Configuring gRPC Support for Layer-7 Protocols

Last updated: 2024-10-10 16:49:41
    gRPC is a high-performance, open-source RPC framework developed by Google and built on the HTTP 2.0 protocol, with client and server support in multiple programming languages. This document describes how to configure gRPC health check for the HTTPS listener of a CLB instance so that client gRPC requests are forwarded to real servers that use the gRPC protocol.

    Use Cases

    When a client sends HTTPS requests to real servers that use the gRPC protocol, configure gRPC health check for the HTTPS listener of the CLB instance to enable this access path.

    Prerequisites

    You have created a VPC. For more information, see Creating VPC.
    You have created a CVM instance (used as a real server) in the VPC, and deployed a gRPC service on the instance. For more information, see Creating Instances via Images.
    You have purchased a CLB instance. For more information, see Creating CLB Instances.

    Use Limits

    This feature is supported only by CLB, not by classic CLB.
    This feature is not supported by CLB for IPv6 or by CLB for IPv6 with layer-7 mixed binding enabled.
    This feature is supported only in VPCs, not in classic networks.
    SCF cannot be used as a real server (gRPC support within the SCF target would be required).

    Directions

    Step 1. Configure a listener

    1. Log in to the CLB console and click Instance management in the left sidebar.
    2. Select your region in the top-left corner of the Instance management page and click Configure listener in the Operation column of your CLB instance.
    3. Under HTTP/HTTPS listener, click Create and configure the HTTPS listener in the pop-up window. Each parameter below is listed with its description and the example value used in this document.

    3.1 Create a listener

    Name
        Description: Listener name.
        Example: test-https-443
    Listening protocol and port
        Description: Listening protocol: HTTPS is used in this example. Listening port: the port used to receive requests and forward them to a real server. Port range: 1-65535. The listening port must be unique within the same CLB instance.
        Example: HTTPS:443
    Enable persistent connection
        Description: Once this feature is enabled, persistent connections are used between the CLB instance and real servers, and the CLB instance no longer passes through the source IP address that can be obtained from XFF. To ensure normal forwarding, enable the "Allow Traffic by Default" feature in the CLB security group or allow 100.127.0.0/16 in the CVM security group.
        Note: Once this feature is enabled, the number of connections between the CLB instance and real servers fluctuates in the range [QPS, QPS*60], depending on the connection reuse rate. If there is a limit on the maximum number of connections, enable this feature with caution. This feature is currently in beta test; to try it out, submit a ticket. The IP range 100.64.0.0/10 is already allowed as the health check source IP, so you do not need to allow IPs within this range again.
        Example: Disabled
    Enable SNI
        Description: If SNI is enabled, multiple domain names of a listener can be configured with different certificates; if it is disabled, multiple domain names of a listener can be configured with one certificate only.
        Example: Disabled
    SSL parsing
        Description: One-way authentication and mutual authentication are supported. CLB takes over the overhead of SSL encryption and decryption to guarantee access security.
        Example: One-way authentication
    Server certificate
        Description: Select an existing certificate from the SSL Certificate Service console or upload a certificate.
        Example: Select an existing certificate.

    3.2 Create a forwarding rule

    Domain name
        Description: Forwarding domain name. Length: 1 to 80 characters. A domain name cannot start with an underscore (_). Exact and wildcard domain names are supported. Regular expressions are supported. For detailed configuration rules, see Layer-7 Domain Name Forwarding and URL Rules.
        Example: www.example.com
    Default Domain
        Description: If a request matches none of the listener's domain names, the system distributes it to the default domain name, making default access controllable. Each listener can be configured with one default domain name only.
        Example: Enabled
    HTTP 2.0
        Description: After HTTP 2.0 is enabled, CLB instances can receive HTTP 2.0 requests. CLB instances access real servers over HTTP 1.1 regardless of the HTTP version the client uses to access the CLB instance.
        Example: Enabled
    QUIC
        Description: After QUIC is enabled, a client can establish a QUIC connection with the CLB instance. If QUIC negotiation between the client and the CLB instance fails, HTTPS or HTTP/2 is used instead. The CLB instance and the real server still use HTTP 1.x. For more information, see Using QUIC Protocol on CLB.
        Example: Enabled
    URL
        Description: Forwarding URL. Length: 1 to 200 characters. Regular expressions are supported. For detailed configuration rules, see Layer-7 Domain Name Forwarding and URL Rules.
        Example: /index
    Balancing method
        Description: For HTTPS listeners, CLB supports three scheduling algorithms: weighted round robin (WRR), weighted least connections (WLC), and IP Hash.
        WRR: Requests are distributed to real servers in sequence based on their weights. This algorithm schedules based on the number of new connections. Servers with higher weights are more likely to be scheduled, and servers with the same weight process the same number of connections.
        WLC: Server load is estimated from the number of active connections to each server. This algorithm schedules based on server load and weight. For servers with the same weight, those with lower load are more likely to be scheduled.
        IP Hash: This algorithm uses the request source IP address as the hash key to locate the corresponding server in a static hash table. If that server is available and not overloaded, requests are distributed to it; otherwise, a null value is returned.
        Example: WRR
    Backend Protocol
        Description: The backend protocol is used between the CLB instance and the real server. If HTTP is selected, an HTTP service must be deployed on the real server. If HTTPS is selected, an HTTPS service must be deployed on the real server; in this case, HTTPS encryption and decryption consume more resources on the real server. If gRPC is selected, a gRPC service must be deployed on the real server. gRPC can be selected as the backend forwarding protocol only when HTTP 2.0 is enabled and QUIC is disabled.
        Example: gRPC
    Get client IP
        Description: Enabled by default.
        Example: Enabled
    Gzip compression
        Description: Enabled by default.
        Example: Enabled

    3.3 Configure the HTTPS health check. For more information, see HTTPS Health Check Overview.

    3.4 Configure session persistence

    Session persistence
        Description: After session persistence is enabled, the CLB listener distributes access requests from the same client to the same real server. TCP session persistence is implemented based on the client IP address: access requests from the same IP address are forwarded to the same real server. Session persistence can be enabled with WRR scheduling but not with WLC scheduling.
        Example: Enabled
    Hold Time
        Description: Session persistence is terminated if no new requests arrive on the connection within the specified duration. Value range: 30-3600 seconds.
        Example: 30 seconds
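A consistency check for the listener and forwarding-rule settings collected in Step 1, added here as an example and not Tencent Cloud's own code or API: the Rule and Listener models and the cvm_allowed_cidrs field are assumptions, while the constraints it enforces (port range, gRPC requiring HTTP 2.0 on and QUIC off, session persistence not available with WLC, hold time 30-3600 seconds, 100.127.0.0/16 allowed for persistent connections) are the ones stated above.

```python
from dataclasses import dataclass, field
import ipaddress
# Range named above for persistent connections (assumption: the CVM
# security group is modelled as a plain list of allowed CIDR strings).
PERSISTENT_CONN_SRC = ipaddress.ip_network("100.127.0.0/16")

@dataclass
class Rule:                      # one forwarding rule (hypothetical model)
    domain: str
    url: str
    backend_protocol: str        # "HTTP", "HTTPS" or "gRPC"
    http2: bool = True
    quic: bool = False
    scheduler: str = "WRR"       # "WRR", "WLC" or "IP Hash"
    session_persistence: bool = False
    hold_time: int = 30          # seconds

@dataclass
class Listener:                  # one HTTPS listener (hypothetical model)
    port: int
    persistent_connection: bool = False
    cvm_allowed_cidrs: list = field(default_factory=list)
    rules: list = field(default_factory=list)

def covered(net, cidrs):
    """True if one allowed CIDR of the same IP version contains all of `net`."""
    nets = (ipaddress.ip_network(c) for c in cidrs)
    return any(n.version == net.version and net.subnet_of(n) for n in nets)

def validate(listener):
    """Return the list of violated constraints; an empty list means consistent."""
    problems = []
    if not 1 <= listener.port <= 65535:
        problems.append(f"listening port {listener.port} is outside 1-65535")
    if listener.persistent_connection and not covered(
            PERSISTENT_CONN_SRC, listener.cvm_allowed_cidrs):
        problems.append("persistent connections need 100.127.0.0/16 allowed "
                        "in the CVM security group")
    for r in listener.rules:
        tag = f"{r.domain}{r.url}"
        if not 1 <= len(r.domain) <= 80 or r.domain.startswith("_"):
            problems.append(f"{tag}: domain must be 1-80 chars, not starting with '_'")
        if not 1 <= len(r.url) <= 200:
            problems.append(f"{tag}: URL must be 1-200 chars")
        if r.backend_protocol == "gRPC" and (not r.http2 or r.quic):
            problems.append(f"{tag}: gRPC backend needs HTTP 2.0 on and QUIC off")
        if r.session_persistence and r.scheduler == "WLC":
            problems.append(f"{tag}: session persistence is not available with WLC")
        if r.session_persistence and not 30 <= r.hold_time <= 3600:
            problems.append(f"{tag}: hold time must be 30-3600 seconds")
    return problems
```

Running validate() on the example values of this document (port 443, www.example.com/index, gRPC backend, HTTP 2.0 on) returns an empty list only when QUIC is left disabled, which is the condition the Backend Protocol row requires.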

    Step 2. Bind a real server

    1. On the Listener management page, select the created listener HTTPS:443. Click + on the left to expand the domain names and URL paths, select the desired URL path, and view the real servers bound to the path on the right of the listener.
    2. Click Bind, select the target real server, and configure the server port and weight in the pop-up window.
    Note:
    If you set Default port first and then select real servers, the port of every real server is the default port.

    Step 3. Configure a security group (optional)

    You can configure a CLB security group to isolate public network traffic. For more information, see Configuring a CLB Security Group.

    Step 4. Modify or delete a listener (optional)

    If you need to modify or delete a created listener, click the listener on the Listener management page, then click the edit icon to modify it or the delete icon to delete it.