Tula Networks

How to Configure L4 and L7 Load Balancing

Complete guide to setting up TCP and HTTP load balancing


Tula provides two load balancing engines: nftlb for Layer 4 (TCP/UDP) and HAProxy for Layer 7 (HTTP/HTTPS). Each operates at a different layer of the network stack and serves different use cases. This guide explains when to use each and walks through the configuration of both.

Choosing Between L4 and L7

Use this decision tree to determine the right mode:

In many architectures, L4 and L7 work together -- an L4 VIP can front multiple HAProxy instances for horizontal scaling.

Configuring Layer 4 Load Balancing (nftlb)

Step 1: Create an L4 VIP

  1. Navigate to Load Balancing > Virtual IPs and click Add VIP.
  2. Configure the following:
    • Name: A descriptive name (e.g., database-pool).
    • IP Address: The virtual IP address clients will connect to.
    • Port: The listening port. Use a specific port (e.g., 3306) or * to forward all ports.
    • Protocol: Select TCP or UDP.
    • Mode: Select NAT (default, full proxy) or DSR (direct server return).
    • Algorithm: Choose a scheduling algorithm:
      • Round Robin -- Equal distribution, suitable for uniform backends.
      • Least Connections -- Routes to the backend with the fewest active connections. Best when request processing times vary.
      • Weighted Round Robin -- Like round robin but respects backend weight values. Use when backends have different capacities.
      • Source Hash -- Pins clients to a specific backend based on source IP. Provides basic session affinity.
  3. Click Save.

Step 2: Add Backends

  1. Navigate to Backends and click Add Backend.
  2. For each backend, configure: Name, IP Address, Port, Weight (relative traffic share, default 1), and State (Active to include in the pool).
  3. Repeat for all backend servers and click Save.

Step 3: Configure Health Checks

  1. In the VIP configuration, navigate to Health Checks.
  2. Enable health checking and set:
    • Check Type: TCP verifies that the port is open and accepting connections.
    • Interval: How often to check (e.g., every 5 seconds).
    • Timeout: How long to wait for a response (e.g., 3 seconds).
    • Threshold: Consecutive failures before removing a backend (e.g., 3).
  3. Click Save.

Configuring Layer 7 Load Balancing (HAProxy)

Step 1: Create an L7 VIP

  1. Navigate to Load Balancing > Virtual IPs and click Add VIP.
  2. Configure: Name (e.g., web-frontend), IP Address, Port (typically 80 or 443), Protocol (HTTP or HTTPS -- for HTTPS, assign an SSL certificate), and Algorithm (Round Robin, Least Connections, Source IP affinity, or URI hash for cache-friendly distribution).
  3. Click Save.

Step 2: Add Backends

  1. Navigate to the Backends section and add servers as described for L4 above.
  2. L7 backends have additional options:
    • SSL Backend: Enable if the backend expects HTTPS connections (re-encryption).
    • Cookie Value: Set a unique value for cookie-based persistence.

Step 3: Configure Path-Based Routing (Optional)

L7 VIPs can route traffic to different backend groups based on the request path:

  1. Navigate to Routing Rules within the VIP configuration.
  2. Click Add Rule.
  3. Configure the rule:
    • Match Type: Select Path (URL prefix or regex).
    • Pattern: The URL pattern to match (e.g., /api/ or /static/).
    • Backend Group: Select the target backend group for matching requests.
  4. Rules are evaluated in order. Place more specific rules first.
  5. Click Save.
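
The ordering rule in step 4, shown as an added example (not part of the original guide and not Tula's code): a Python check that models first-match evaluation for prefix patterns only (regex patterns are out of scope) and flags rules that an earlier, broader prefix makes unreachable. The /api/admin/ pattern and all backend group names are constructed for illustration.

```python
# Added example: models first-match, prefix-only path routing as described above.
# Rule patterns and backend group names are constructed for illustration.

def route(rules, path):
    """Return the backend group of the first rule whose prefix matches, else None."""
    for prefix, group in rules:
        if path.startswith(prefix):
            return group
    return None

def shadowed_rules(rules):
    """Return (later_rule, earlier_rule) pairs where an earlier prefix already
    captures every path the later rule could match, so the later rule never fires."""
    findings = []
    for i, (prefix, group) in enumerate(rules):
        for earlier_prefix, earlier_group in rules[:i]:
            if prefix.startswith(earlier_prefix):
                findings.append(((prefix, group), (earlier_prefix, earlier_group)))
                break
    return findings

def reorder_most_specific_first(rules):
    """Longest prefix first; the stable sort keeps original order among equal lengths."""
    return sorted(rules, key=lambda r: len(r[0]), reverse=True)

# Constructed rule set with the broad /api/ rule placed first by mistake.
RULES = [
    ("/api/", "api-pool"),
    ("/api/admin/", "admin-pool"),
    ("/static/", "static-pool"),
]

if __name__ == "__main__":
    for later, earlier in shadowed_rules(RULES):
        print(f"rule {later} is never reached: shadowed by {earlier}")
    fixed = reorder_most_specific_first(RULES)
    # Same request, before and after reordering.
    print(route(RULES, "/api/admin/users"), "->", route(fixed, "/api/admin/users"))
```

A shadowed rule fails silently: requests for the narrower path are still served, but by the broader rule's backend group, so any access restrictions or isolation applied only to the intended group are skipped.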

Step 4: Configure HTTP Health Checks

L7 health checks can validate application responses, not just TCP connectivity:

  1. Navigate to Health Checks in the VIP configuration.
  2. Configure the check:
    • Check Type: Select HTTP.
    • Path: The URL path to check (e.g., /health).
    • Expected Status: The HTTP status code that indicates a healthy backend (e.g., 200).
    • Interval, Timeout, and Threshold: As with L4.
  3. Click Save.

Applying and Verifying

  1. Click Apply Configuration in the top navigation bar to activate your changes.
  2. Navigate to Monitoring > Statistics to observe real-time traffic distribution, connection counts, and backend health status.
  3. Send test requests and verify correct behaviour:

    # Test L4
    nc -zv <vip-address> <port>

    # Test L7
    curl -v http://<vip-address>/

  4. Check that backends show as healthy and that traffic is distributed according to the configured algorithm and weights.