This mode is sometimes called reverse-proxy.
The load-balancer is in the middle of all transactions between the user and the server.
It maintains two separate TCP connections:
- One with the user: the load-balancer acts as a server. It takes requests and forwards responses.
- One with the server: the load-balancer acts as a user: it forwards requests and receives responses.
This mode is the least intrusive in an architecture: nothing needs to change on any server or router.
TCP connection overview
The diagram clearly shows the two TCP connections maintained by the load-balancer.
As a consequence of the proxy mode, the server sees a connection coming from the load-balancer's IP address, and it can only learn the client IP address at the application level, e.g. from the HTTP X-Forwarded-For header.
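Because the backend only sees the load-balancer's address, the X-Forwarded-For value must be read carefully: the client can send its own copy of the header, and the load-balancer appends to it. The following added example (not from the original article) recovers the client address by trusting only the rightmost hops that belong to known proxies; the proxy addresses in TRUSTED_PROXIES are constructed values.

```python
"""Recover the client IP on a backend sitting behind a reverse-proxy load-balancer.

Added example, not from the original article. Assumption: the load-balancer
appends the connecting client's address to X-Forwarded-For, and the only
proxy addresses the backend should trust are the constructed ones below.
"""
import ipaddress
from typing import Optional

# Constructed sample: the load-balancer addresses the backend trusts as proxy hops.
TRUSTED_PROXIES = {
    ipaddress.ip_address("10.0.0.10"),
    ipaddress.ip_address("10.0.0.11"),
}


def client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Return the real client address for one request.

    peer_addr  -- source address of the TCP connection as seen by the backend
    xff_header -- raw X-Forwarded-For value, or None if the header is absent

    Walk X-Forwarded-For from the right, skipping hops that are trusted
    proxies; the first untrusted hop is the client. Anything further left
    was written by the client or by an upstream we do not control, so a
    forged value there cannot impersonate another address.
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_PROXIES:
        # Connection did not arrive through the LB: the peer itself is the client,
        # and any X-Forwarded-For it sent is untrusted and ignored.
        return str(peer)
    if not xff_header:
        # The LB connected but added no header: the LB address is all we have.
        return str(peer)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: fall back to the connection peer rather than guess.
            return str(peer)
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    # Every hop was a trusted proxy: fall back to the connection peer.
    return str(peer)
```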
Pros and cons
- not intrusive
- more secure: servers aren't reached directly
- allows protocol inspection and validation
- can load-balance services even if both client and server are in the same subnet
- backend servers only see one IP address: the one from the LB
- “slower” than layer 4 load-balancing (we are talking about microseconds)
When to use this mode?
- when you need application layer intelligence (content switching, etc.)
- in order to protect an application
- when the application does not care about the user IP (or can use the X-Forwarded-For header)