阿里云SLB負(fù)載均衡配置

一、概述

1.1 背景介紹

當(dāng)業(yè)務(wù)流量超過(guò)單臺(tái)服務(wù)器的承載能力，或者需要實(shí)現(xiàn)服務(wù)的高可用時(shí)，負(fù)載均衡成為必不可少的基礎(chǔ)設(shè)施。阿里云SLB（Server Load Balancer）作為國(guó)內(nèi)使用最廣泛的云負(fù)載均衡服務(wù)，承載著海量的互聯(lián)網(wǎng)流量。

某電商平臺(tái)在2024年雙十一期間，通過(guò)SLB集群承載了峰值每秒50萬(wàn)的請(qǐng)求量，后端服務(wù)器從日常的20臺(tái)彈性擴(kuò)展到200臺(tái)，整個(gè)過(guò)程對(duì)用戶(hù)透明，服務(wù)可用性達(dá)到99.99%。這得益于SLB的彈性擴(kuò)展能力、智能健康檢查和多可用區(qū)容災(zāi)設(shè)計(jì)。

SLB提供四層（TCP/UDP）和七層（HTTP/HTTPS）負(fù)載均衡能力。四層SLB適合需要極致性能的場(chǎng)景，七層SLB則提供更豐富的流量管理能力，如基于URL的路由、Cookie會(huì)話(huà)保持、HTTPS卸載等。

1.2 技術(shù)特點(diǎn)

多產(chǎn)品形態(tài)

阿里云負(fù)載均衡產(chǎn)品線(xiàn)包含三個(gè)產(chǎn)品：

CLB（Classic Load Balancer）：經(jīng)典負(fù)載均衡，支持四層和七層，技術(shù)成熟穩(wěn)定

ALB（Application Load Balancer）：應(yīng)用負(fù)載均衡，專(zhuān)注七層，支持更豐富的路由規(guī)則

NLB（Network Load Balancer）：網(wǎng)絡(luò)負(fù)載均衡，專(zhuān)注四層，超高性能

2025年的選型建議：新業(yè)務(wù)優(yōu)先考慮ALB/NLB，CLB作為存量業(yè)務(wù)的穩(wěn)定選擇。

彈性伸縮

SLB實(shí)例本身具備自動(dòng)彈性能力，無(wú)需手動(dòng)擴(kuò)容：

CLB性能保障型實(shí)例按規(guī)格計(jì)費(fèi)

ALB/NLB按實(shí)際使用量計(jì)費(fèi)，無(wú)需選擇規(guī)格

多可用區(qū)容災(zāi)

SLB支持跨可用區(qū)部署，當(dāng)主可用區(qū)故障時(shí)自動(dòng)切換到備可用區(qū)：

主備模式：一個(gè)主可用區(qū)，一個(gè)備可用區(qū)

多活模式（ALB）：多個(gè)可用區(qū)同時(shí)服務(wù)

健康檢查

SLB持續(xù)檢測(cè)后端服務(wù)器健康狀態(tài)：

四層健康檢查：TCP連接或UDP探測(cè)

七層健康檢查：HTTP/HTTPS請(qǐng)求

自動(dòng)隔離異常服務(wù)器，故障恢復(fù)后自動(dòng)加回

1.3 適用場(chǎng)景

1.4 環(huán)境要求

二、詳細(xì)步驟

2.1 準(zhǔn)備工作

VPC網(wǎng)絡(luò)規(guī)劃

在創(chuàng)建SLB之前，需要規(guī)劃好網(wǎng)絡(luò)架構(gòu)：

VPC: 10.0.0.0/8
├── 可用區(qū)A
│  ├── 公網(wǎng)子網(wǎng): 10.0.1.0/24 (SLB、NAT網(wǎng)關(guān))
│  └── 私網(wǎng)子網(wǎng): 10.0.10.0/24 (ECS實(shí)例)
├── 可用區(qū)B
│  ├── 公網(wǎng)子網(wǎng): 10.0.2.0/24 (SLB備份)
│  └── 私網(wǎng)子網(wǎng): 10.0.20.0/24 (ECS實(shí)例)
└── 可用區(qū)C
  └── 私網(wǎng)子網(wǎng): 10.0.30.0/24 (ECS實(shí)例擴(kuò)展)

后端服務(wù)器準(zhǔn)備

確保后端ECS實(shí)例運(yùn)行正常：

# 檢查Web服務(wù)狀態(tài)
systemctl status nginx

# 確認(rèn)端口監(jiān)聽(tīng)
ss -tlnp | grep':80|:443'

# 測(cè)試本地服務(wù)
curl -I http://localhost/health

# 檢查安全組規(guī)則（允許SLB健康檢查）
# 源地址：100.64.0.0/10（SLB健康檢查網(wǎng)段）
# 端口：業(yè)務(wù)端口

使用Terraform準(zhǔn)備基礎(chǔ)設(shè)施

# main.tf
provider "alicloud" {
 region = "cn-hangzhou"
}

# VPC
resource "alicloud_vpc" "main" {
 vpc_name  = "prod-vpc"
 cidr_block = "10.0.0.0/8"
}

# 交換機(jī) - 可用區(qū)A
resource "alicloud_vswitch" "zone_a" {
 vpc_id   = alicloud_vpc.main.id
 cidr_block = "10.0.10.0/24"
 zone_id  = "cn-hangzhou-h"
 vswitch_name = "prod-vsw-a"
}

# 交換機(jī) - 可用區(qū)B
resource "alicloud_vswitch" "zone_b" {
 vpc_id   = alicloud_vpc.main.id
 cidr_block = "10.0.20.0/24"
 zone_id  = "cn-hangzhou-i"
 vswitch_name = "prod-vsw-b"
}

# 安全組
resource "alicloud_security_group" "web" {
 name    = "web-sg"
 vpc_id   = alicloud_vpc.main.id
 description = "Security group for web servers"
}

# 安全組規(guī)則 - 允許SLB健康檢查
resource "alicloud_security_group_rule" "slb_health_check" {
 type       = "ingress"
 ip_protocol    = "tcp"
 port_range    = "80/80"
 security_group_id = alicloud_security_group.web.id
 cidr_ip      = "100.64.0.0/10"
 description    = "Allow SLB health check"
}

# ECS實(shí)例
resource "alicloud_instance" "web" {
 count      = 4
 instance_name  = "web-${count.index + 1}"
 image_id    = "aliyun_3_x64_20G_alibase_20231220.vhd"
 instance_type  = "ecs.g7.large"
 security_groups = [alicloud_security_group.web.id]
 vswitch_id   = count.index % 2 == 0 ? alicloud_vswitch.zone_a.id : alicloud_vswitch.zone_b.id

 system_disk_category = "cloud_essd"
 system_disk_size   = 40

 tags = {
  Environment = "prod"
  Role    = "web"
 }
}

2.2 核心配置

創(chuàng)建CLB實(shí)例

通過(guò)控制臺(tái)創(chuàng)建：

登錄SLB控制臺(tái) -> 實(shí)例管理 -> 創(chuàng)建負(fù)載均衡

選擇配置：

實(shí)例類(lèi)型：傳統(tǒng)型負(fù)載均衡CLB

實(shí)例規(guī)格：性能保障型（根據(jù)業(yè)務(wù)選擇）

網(wǎng)絡(luò)類(lèi)型：公網(wǎng)/私網(wǎng)

主可用區(qū)：cn-hangzhou-h

備可用區(qū)：cn-hangzhou-i

通過(guò)Terraform創(chuàng)建：

# CLB實(shí)例
resource "alicloud_slb_load_balancer" "main" {
 load_balancer_name = "prod-clb"
 address_type    = "internet"
 load_balancer_spec = "slb.s3.medium"
 vswitch_id     = alicloud_vswitch.zone_a.id
 master_zone_id   = "cn-hangzhou-h"
 slave_zone_id   = "cn-hangzhou-i"

 tags = {
  Environment = "prod"
 }
}

# HTTP監(jiān)聽(tīng)
resource "alicloud_slb_listener" "http" {
 load_balancer_id     = alicloud_slb_load_balancer.main.id
 backend_port       = 80
 frontend_port       = 80
 protocol         = "http"
 bandwidth         = -1
 sticky_session      = "on"
 sticky_session_type    = "insert"
 cookie_timeout      = 86400
 health_check       = "on"
 health_check_type     = "http"
 health_check_uri     = "/health"
 health_check_connect_port = 80
 healthy_threshold     = 3
 unhealthy_threshold    = 3
 health_check_timeout   = 5
 health_check_interval   = 2
 health_check_http_code  = "http_2xx,http_3xx"
 x_forwarded_for {
  retrive_slb_ip = true
  retrive_slb_id = true
 }
 gzip        = true
 request_timeout   = 60
 idle_timeout    = 15
}

創(chuàng)建ALB實(shí)例

ALB更適合現(xiàn)代Web應(yīng)用：

# ALB實(shí)例
resource "alicloud_alb_load_balancer" "main" {
 vpc_id         = alicloud_vpc.main.id
 address_type      = "Internet"
 address_allocated_mode = "Dynamic"
 load_balancer_name   = "prod-alb"
 load_balancer_edition = "Standard"
 load_balancer_billing_config {
  pay_type = "PayAsYouGo"
 }
 zone_mappings {
  vswitch_id = alicloud_vswitch.zone_a.id
  zone_id  = "cn-hangzhou-h"
 }
 zone_mappings {
  vswitch_id = alicloud_vswitch.zone_b.id
  zone_id  = "cn-hangzhou-i"
 }
}

# 服務(wù)器組
resource "alicloud_alb_server_group" "main" {
 protocol     = "HTTP"
 vpc_id      = alicloud_vpc.main.id
 server_group_name = "prod-server-group"
 server_group_type = "Instance"

 health_check_config {
  health_check_connect_port = 80
  health_check_enabled   = true
  health_check_host     = "$SERVER_IP"
  health_check_http_version = "HTTP1.1"
  health_check_interval   = 2
  health_check_method    = "GET"
  health_check_path     = "/health"
  health_check_protocol   = "HTTP"
  health_check_timeout   = 5
  healthy_threshold     = 3
  unhealthy_threshold    = 3
  health_check_codes    = ["http_2xx", "http_3xx"]
 }

 sticky_session_config {
  sticky_session_enabled = true
  sticky_session_type  = "Insert"
  cookie_timeout     = 86400
 }
}

# 添加后端服務(wù)器
resource "alicloud_alb_server_group_server_attachment" "main" {
 count      = 4
 server_group_id = alicloud_alb_server_group.main.id
 server_id    = alicloud_instance.web[count.index].id
 server_ip    = alicloud_instance.web[count.index].private_ip
 server_type   = "Ecs"
 port      = 80
 weight     = 100
}

# 監(jiān)聽(tīng)器
resource "alicloud_alb_listener" "http" {
 load_balancer_id   = alicloud_alb_load_balancer.main.id
 listener_protocol  = "HTTP"
 listener_port    = 80
 listener_description = "HTTP Listener"
 default_actions {
  type = "ForwardGroup"
  forward_group_config {
   server_group_tuples {
    server_group_id = alicloud_alb_server_group.main.id
   }
  }
 }
}

配置HTTPS監(jiān)聽(tīng)

# 上傳SSL證書(shū)
resource "alicloud_slb_server_certificate" "main" {
 name        = "prod-cert"
 server_certificate = file("${path.module}/certs/server.crt")
 private_key    = file("${path.module}/certs/server.key")
}

# HTTPS監(jiān)聽(tīng)（CLB）
resource "alicloud_slb_listener" "https" {
 load_balancer_id     = alicloud_slb_load_balancer.main.id
 backend_port       = 80
 frontend_port       = 443
 protocol         = "https"
 bandwidth         = -1
 server_certificate_id   = alicloud_slb_server_certificate.main.id
 tls_cipher_policy     = "tls_cipher_policy_1_2"
 sticky_session      = "on"
 sticky_session_type    = "insert"
 cookie_timeout      = 86400
 health_check       = "on"
 health_check_uri     = "/health"
 healthy_threshold     = 3
 unhealthy_threshold    = 3
 health_check_timeout   = 5
 health_check_interval   = 2
 health_check_http_code  = "http_2xx,http_3xx"
 x_forwarded_for {
  retrive_slb_ip = true
  retrive_slb_id = true
 }
 gzip      = true
 request_timeout = 60
 idle_timeout  = 15
}

# HTTP重定向到HTTPS
resource "alicloud_slb_listener" "http_redirect" {
 load_balancer_id = alicloud_slb_load_balancer.main.id
 frontend_port  = 80
 protocol     = "http"
 bandwidth    = -1
 listener_forward = "on"
 forward_port   = 443
}

ALB HTTPS配置（推薦）

# 創(chuàng)建HTTPS監(jiān)聽(tīng)（ALB）
resource "alicloud_alb_listener" "https" {
 load_balancer_id   = alicloud_alb_load_balancer.main.id
 listener_protocol  = "HTTPS"
 listener_port    = 443
 listener_description = "HTTPS Listener"

 certificates {
  certificate_id = alicloud_slb_server_certificate.main.id
 }

 default_actions {
  type = "ForwardGroup"
  forward_group_config {
   server_group_tuples {
    server_group_id = alicloud_alb_server_group.main.id
   }
  }
 }
}

# HTTP到HTTPS重定向規(guī)則
resource "alicloud_alb_rule" "http_to_https" {
 rule_name  = "http-to-https"
 listener_id = alicloud_alb_listener.http.id
 priority  = 1

 rule_conditions {
  type = "Header"
  header_config {
   key  = "X-Forwarded-Proto"
   values = ["http"]
  }
 }

 rule_actions {
  order = 1
  type = "Redirect"
  redirect_config {
   protocol  = "HTTPS"
   port    = "443"
   http_code = "301"
  }
 }
}

2.3 啟動(dòng)和驗(yàn)證

驗(yàn)證SLB狀態(tài)

# 使用阿里云CLI查看SLB狀態(tài)
aliyun slb DescribeLoadBalancers 
  --RegionId cn-hangzhou 
  --LoadBalancerId lb-xxx

# 查看監(jiān)聽(tīng)狀態(tài)
aliyun slb DescribeLoadBalancerListeners 
  --RegionId cn-hangzhou 
  --LoadBalancerId lb-xxx

# 查看后端服務(wù)器健康狀態(tài)
aliyun slb DescribeHealthStatus 
  --RegionId cn-hangzhou 
  --LoadBalancerId lb-xxx 
  --ListenerPort 80

測(cè)試負(fù)載均衡效果

# 獲取SLB公網(wǎng)IP
SLB_IP=$(aliyun slb DescribeLoadBalancers 
  --LoadBalancerId lb-xxx 
  --output cols=Address | tail -1)

# 測(cè)試HTTP請(qǐng)求
curl -I http://${SLB_IP}/

# 多次請(qǐng)求觀察負(fù)載均衡效果
foriin{1..10};do
  curl -s http://${SLB_IP}/server-info | jq'.hostname'
done

# 測(cè)試會(huì)話(huà)保持
# 使用相同cookie多次請(qǐng)求，應(yīng)該路由到同一后端
curl -c cookie.txt http://${SLB_IP}/
foriin{1..5};do
  curl -b cookie.txt -s http://${SLB_IP}/server-info | jq'.hostname'
done

# 測(cè)試HTTPS
curl -I https://www.example.com/

# 測(cè)試健康檢查
# 停止一臺(tái)后端服務(wù)器的服務(wù)
ssh web-1"systemctl stop nginx"
# 等待健康檢查失?。s10秒）
sleep 15
# 檢查后端服務(wù)器狀態(tài)
aliyun slb DescribeHealthStatus 
  --LoadBalancerId lb-xxx 
  --ListenerPort 80

壓力測(cè)試

# 使用wrk進(jìn)行壓力測(cè)試
wrk -t12 -c400 -d30s http://${SLB_IP}/

# 使用ab測(cè)試
ab -n 10000 -c 100 http://${SLB_IP}/

# 觀察SLB監(jiān)控指標(biāo)
# 控制臺(tái) -> SLB -> 監(jiān)控 -> 查看QPS、連接數(shù)、流量等

三、示例代碼和配置

3.1 完整配置示例

生產(chǎn)級(jí)ALB完整配置

# variables.tf
variable "region" {
 default = "cn-hangzhou"
}

variable "environment" {
 default = "prod"
}

variable "domain" {
 default = "example.com"
}

# main.tf
terraform {
 required_providers {
  alicloud = {
   source = "aliyun/alicloud"
   version = "~> 1.210"
  }
 }
}

provider "alicloud" {
 region = var.region
}

# 獲取可用區(qū)
data "alicloud_zones" "available" {
 available_resource_creation = "VSwitch"
}

# VPC
resource "alicloud_vpc" "main" {
 vpc_name  = "${var.environment}-vpc"
 cidr_block = "10.0.0.0/8"
}

# 交換機(jī)
resource "alicloud_vswitch" "main" {
 count    = 2
 vpc_id    = alicloud_vpc.main.id
 cidr_block  = "10.0.${count.index + 1}0.0/24"
 zone_id   = data.alicloud_zones.available.zones[count.index].id
 vswitch_name = "${var.environment}-vsw-${count.index + 1}"
}

# ALB實(shí)例
resource "alicloud_alb_load_balancer" "main" {
 vpc_id         = alicloud_vpc.main.id
 address_type      = "Internet"
 address_allocated_mode = "Dynamic"
 load_balancer_name   = "${var.environment}-alb"
 load_balancer_edition = "Standard"

 load_balancer_billing_config {
  pay_type = "PayAsYouGo"
 }

 modification_protection_config {
  status = "ConsoleProtection"
  reason = "Production ALB"
 }

 dynamic "zone_mappings" {
  for_each = alicloud_vswitch.main
  content {
   vswitch_id = zone_mappings.value.id
   zone_id  = zone_mappings.value.zone_id
  }
 }

 tags = {
  Environment = var.environment
  ManagedBy  = "terraform"
 }
}

# 默認(rèn)服務(wù)器組
resource "alicloud_alb_server_group" "default" {
 protocol     = "HTTP"
 vpc_id      = alicloud_vpc.main.id
 server_group_name = "${var.environment}-default-sg"
 server_group_type = "Instance"

 health_check_config {
  health_check_enabled   = true
  health_check_connect_port = 80
  health_check_host     = "$SERVER_IP"
  health_check_http_version = "HTTP1.1"
  health_check_interval   = 2
  health_check_method    = "GET"
  health_check_path     = "/health"
  health_check_protocol   = "HTTP"
  health_check_timeout   = 5
  healthy_threshold     = 3
  unhealthy_threshold    = 3
  health_check_codes    = ["http_2xx", "http_3xx"]
 }

 sticky_session_config {
  sticky_session_enabled = true
  sticky_session_type  = "Insert"
  cookie_timeout     = 86400
 }

 tags = {
  Environment = var.environment
 }
}

# API服務(wù)器組
resource "alicloud_alb_server_group" "api" {
 protocol     = "HTTP"
 vpc_id      = alicloud_vpc.main.id
 server_group_name = "${var.environment}-api-sg"
 server_group_type = "Instance"

 health_check_config {
  health_check_enabled   = true
  health_check_connect_port = 8080
  health_check_path     = "/api/health"
  health_check_protocol   = "HTTP"
  health_check_interval   = 2
  health_check_timeout   = 5
  healthy_threshold     = 3
  unhealthy_threshold    = 3
  health_check_codes    = ["http_2xx"]
 }

 sticky_session_config {
  sticky_session_enabled = false
 }
}

# 靜態(tài)資源服務(wù)器組
resource "alicloud_alb_server_group" "static" {
 protocol     = "HTTP"
 vpc_id      = alicloud_vpc.main.id
 server_group_name = "${var.environment}-static-sg"
 server_group_type = "Instance"

 health_check_config {
  health_check_enabled   = true
  health_check_connect_port = 80
  health_check_path     = "/static/health.txt"
  health_check_protocol   = "HTTP"
  health_check_interval   = 5
  health_check_timeout   = 5
  healthy_threshold     = 2
  unhealthy_threshold    = 2
  health_check_codes    = ["http_2xx"]
 }

 sticky_session_config {
  sticky_session_enabled = false
 }
}

# HTTPS監(jiān)聽(tīng)
resource "alicloud_alb_listener" "https" {
 load_balancer_id   = alicloud_alb_load_balancer.main.id
 listener_protocol  = "HTTPS"
 listener_port    = 443
 listener_description = "Production HTTPS"

 certificates {
  certificate_id = alicloud_ssl_certificates_service_certificate.main.id
 }

 default_actions {
  type = "ForwardGroup"
  forward_group_config {
   server_group_tuples {
    server_group_id = alicloud_alb_server_group.default.id
   }
  }
 }
}

# HTTP監(jiān)聽(tīng)（重定向到HTTPS）
resource "alicloud_alb_listener" "http" {
 load_balancer_id   = alicloud_alb_load_balancer.main.id
 listener_protocol  = "HTTP"
 listener_port    = 80
 listener_description = "HTTP to HTTPS redirect"

 default_actions {
  type = "Redirect"
  redirect_config {
   protocol = "HTTPS"
   port   = "443"
   http_code = "301"
  }
 }
}

# 轉(zhuǎn)發(fā)規(guī)則 - API路由
resource "alicloud_alb_rule" "api" {
 rule_name  = "api-route"
 listener_id = alicloud_alb_listener.https.id
 priority  = 10

 rule_conditions {
  type = "Path"
  path_config {
   values = ["/api/*"]
  }
 }

 rule_actions {
  order = 1
  type = "ForwardGroup"
  forward_group_config {
   server_group_tuples {
    server_group_id = alicloud_alb_server_group.api.id
   }
  }
 }
}

# 轉(zhuǎn)發(fā)規(guī)則 - 靜態(tài)資源路由
resource "alicloud_alb_rule" "static" {
 rule_name  = "static-route"
 listener_id = alicloud_alb_listener.https.id
 priority  = 20

 rule_conditions {
  type = "Path"
  path_config {
   values = ["/static/*", "/assets/*", "*.css", "*.js", "*.png", "*.jpg"]
  }
 }

 rule_actions {
  order = 1
  type = "ForwardGroup"
  forward_group_config {
   server_group_tuples {
    server_group_id = alicloud_alb_server_group.static.id
   }
  }
 }
}

# 轉(zhuǎn)發(fā)規(guī)則 - 添加響應(yīng)頭
resource "alicloud_alb_rule" "security_headers" {
 rule_name  = "security-headers"
 listener_id = alicloud_alb_listener.https.id
 priority  = 1

 rule_conditions {
  type = "Path"
  path_config {
   values = ["/*"]
  }
 }

 rule_actions {
  order = 1
  type = "InsertHeader"
  insert_header_config {
   key     = "X-Content-Type-Options"
   value    = "nosniff"
   value_type = "UserDefined"
  }
 }

 rule_actions {
  order = 2
  type = "InsertHeader"
  insert_header_config {
   key     = "X-Frame-Options"
   value    = "SAMEORIGIN"
   value_type = "UserDefined"
  }
 }

 rule_actions {
  order = 3
  type = "ForwardGroup"
  forward_group_config {
   server_group_tuples {
    server_group_id = alicloud_alb_server_group.default.id
   }
  }
 }
}

# 輸出
output "alb_dns_name" {
 value = alicloud_alb_load_balancer.main.dns_name
}

output "alb_id" {
 value = alicloud_alb_load_balancer.main.id
}

NLB四層負(fù)載均衡配置

# NLB實(shí)例
resource "alicloud_nlb_load_balancer" "main" {
 load_balancer_name = "${var.environment}-nlb"
 load_balancer_type = "Network"
 address_type    = "Internet"
 address_ip_version = "Ipv4"
 vpc_id       = alicloud_vpc.main.id

 zone_mappings {
  vswitch_id = alicloud_vswitch.main[0].id
  zone_id  = alicloud_vswitch.main[0].zone_id
 }
 zone_mappings {
  vswitch_id = alicloud_vswitch.main[1].id
  zone_id  = alicloud_vswitch.main[1].zone_id
 }
}

# 服務(wù)器組
resource "alicloud_nlb_server_group" "main" {
 server_group_name = "${var.environment}-nlb-sg"
 server_group_type = "Instance"
 vpc_id      = alicloud_vpc.main.id
 scheduler     = "Wrr"
 protocol     = "TCP"

 health_check {
  health_check_enabled     = true
  health_check_type      = "TCP"
  health_check_connect_port  = 0
  healthy_threshold      = 2
  unhealthy_threshold     = 2
  health_check_connect_timeout = 5
  health_check_interval    = 10
 }

 connection_drain      = true
 connection_drain_timeout  = 60
 preserve_client_ip_enabled = true
}

# TCP監(jiān)聽(tīng)
resource "alicloud_nlb_listener" "tcp" {
 listener_protocol   = "TCP"
 listener_port     = 3306
 listener_description  = "MySQL Proxy"
 load_balancer_id    = alicloud_nlb_load_balancer.main.id
 server_group_id    = alicloud_nlb_server_group.main.id
 idle_timeout      = 900
 proxy_protocol_enabled = false
}

# UDP監(jiān)聽(tīng)（游戲服務(wù)）
resource "alicloud_nlb_listener" "udp" {
 listener_protocol  = "UDP"
 listener_port    = 27015
 listener_description = "Game Server"
 load_balancer_id   = alicloud_nlb_load_balancer.main.id
 server_group_id   = alicloud_nlb_server_group.game.id
}

3.2 實(shí)際應(yīng)用案例

案例一：電商大促高可用架構(gòu)

某電商平臺(tái)日常流量約5000 QPS，雙十一峰值預(yù)估50000 QPS。

架構(gòu)設(shè)計(jì)：

          ┌─────────────────────────────────────┐
          │      DNS (GTM)         │
          │  主站: www.example.com      │
          └─────────────┬───────────────────────┘
                 │
      ┌─────────────────────┼─────────────────────┐
      ▼           ▼           ▼
  ┌───────────────┐   ┌───────────────┐   ┌───────────────┐
  │ ALB (杭州)  │   │ ALB (上海)  │   │ ALB (北京)  │
  │ 主可用區(qū)A/B │   │ 主可用區(qū)A/B │   │ 主可用區(qū)A/B │
  └───────┬───────┘   └───────┬───────┘   └───────┬───────┘
      │           │           │
  ┌───────┼───────┐   ┌───────┼───────┐   ┌───────┼───────┐
  ▼    ▼    ▼   ▼    ▼    ▼   ▼    ▼    ▼
┌──────┐┌──────┐┌──────┐┌──────┐┌──────┐┌──────┐┌──────┐┌──────┐┌──────┐
│ECS×10││ECS×10││ECS×10││ECS×10││ECS×10││ECS×10││ECS×10││ECS×10││ECS×10│
│ AZ-A ││ AZ-B ││ AZ-C ││ AZ-A ││ AZ-B ││ AZ-C ││ AZ-A ││ AZ-B ││ AZ-C │
└──────┘└──────┘└──────┘└──────┘└──────┘└──────┘└──────┘└──────┘└──────┘

關(guān)鍵配置：

多地域部署：GTM實(shí)現(xiàn)地域調(diào)度，用戶(hù)就近訪(fǎng)問(wèn)

多可用區(qū)：每個(gè)地域ALB跨3個(gè)可用區(qū)

彈性伸縮：ECS配合ESS自動(dòng)擴(kuò)縮容

# ESS彈性伸縮組
resource "alicloud_ess_scaling_group" "web" {
 min_size      = 10
 max_size      = 200
 scaling_group_name = "prod-web-asg"
 vswitch_ids    = alicloud_vswitch.main[*].id

 # 關(guān)聯(lián)ALB服務(wù)器組
 alb_server_group {
  alb_server_group_id = alicloud_alb_server_group.default.id
  weight       = 100
  port        = 80
 }
}

# 擴(kuò)容規(guī)則 - QPS觸發(fā)
resource "alicloud_ess_scaling_rule" "scale_out" {
 scaling_group_id = alicloud_ess_scaling_group.web.id
 scaling_rule_name = "scale-out-qps"
 scaling_rule_type = "TargetTrackingScalingRule"
 target_value   = 1000 # 每實(shí)例目標(biāo)QPS
 metric_name    = "ALBQPSPerInstance"
}

# 縮容規(guī)則
resource "alicloud_ess_scaling_rule" "scale_in" {
 scaling_group_id = alicloud_ess_scaling_group.web.id
 scaling_rule_name = "scale-in"
 scaling_rule_type = "SimpleScalingRule"
 adjustment_type  = "QuantityChangeInCapacity"
 adjustment_value = -2
 cooldown     = 300
}

案例二：微服務(wù)API網(wǎng)關(guān)

使用ALB作為微服務(wù)的統(tǒng)一入口，實(shí)現(xiàn)基于路徑的路由。

# 服務(wù)器組定義
locals {
 services = {
  user = {
   path   = "/api/user/*"
   port   = 8001
   priority = 10
  }
  order = {
   path   = "/api/order/*"
   port   = 8002
   priority = 20
  }
  product = {
   path   = "/api/product/*"
   port   = 8003
   priority = 30
  }
  payment = {
   path   = "/api/payment/*"
   port   = 8004
   priority = 40
  }
 }
}

# 為每個(gè)服務(wù)創(chuàng)建服務(wù)器組
resource "alicloud_alb_server_group" "services" {
 for_each = local.services

 protocol     = "HTTP"
 vpc_id      = alicloud_vpc.main.id
 server_group_name = "${var.environment}-${each.key}-sg"
 server_group_type = "Instance"

 health_check_config {
  health_check_enabled   = true
  health_check_connect_port = each.value.port
  health_check_path     = "/health"
  health_check_protocol   = "HTTP"
  health_check_interval   = 2
  healthy_threshold     = 3
  unhealthy_threshold    = 3
  health_check_codes    = ["http_2xx"]
 }
}

# 為每個(gè)服務(wù)創(chuàng)建路由規(guī)則
resource "alicloud_alb_rule" "services" {
 for_each = local.services

 rule_name  = "${each.key}-route"
 listener_id = alicloud_alb_listener.https.id
 priority  = each.value.priority

 rule_conditions {
  type = "Path"
  path_config {
   values = [each.value.path]
  }
 }

 rule_actions {
  order = 1
  type = "ForwardGroup"
  forward_group_config {
   server_group_tuples {
    server_group_id = alicloud_alb_server_group.services[each.key].id
   }
  }
 }
}

案例三：灰度發(fā)布配置

# 生產(chǎn)服務(wù)器組
resource "alicloud_alb_server_group" "prod" {
 server_group_name = "prod-sg"
 # ... 配置省略
}

# 灰度服務(wù)器組
resource "alicloud_alb_server_group" "canary" {
 server_group_name = "canary-sg"
 # ... 配置省略
}

# 灰度規(guī)則 - 按Header路由
resource "alicloud_alb_rule" "canary_header" {
 rule_name  = "canary-by-header"
 listener_id = alicloud_alb_listener.https.id
 priority  = 5

 rule_conditions {
  type = "Header"
  header_config {
   key  = "X-Canary"
   values = ["true"]
  }
 }

 rule_actions {
  order = 1
  type = "ForwardGroup"
  forward_group_config {
   server_group_tuples {
    server_group_id = alicloud_alb_server_group.canary.id
   }
  }
 }
}

# 灰度規(guī)則 - 按百分比路由
resource "alicloud_alb_rule" "canary_weight" {
 rule_name  = "canary-by-weight"
 listener_id = alicloud_alb_listener.https.id
 priority  = 100

 rule_conditions {
  type = "Path"
  path_config {
   values = ["/*"]
  }
 }

 rule_actions {
  order = 1
  type = "ForwardGroup"
  forward_group_config {
   server_group_tuples {
    server_group_id = alicloud_alb_server_group.prod.id
    weight     = 90
   }
   server_group_tuples {
    server_group_id = alicloud_alb_server_group.canary.id
    weight     = 10
   }
  }
 }
}

四、最佳實(shí)踐和注意事項(xiàng)

4.1 最佳實(shí)踐

性能優(yōu)化

選擇合適的實(shí)例規(guī)格

CLB規(guī)格選擇參考：
- slb.s1.small: 最大連接數(shù)5000, QPS 1000
- slb.s2.small: 最大連接數(shù)50000, QPS 5000
- slb.s2.medium: 最大連接數(shù)100000, QPS 10000
- slb.s3.small: 最大連接數(shù)200000, QPS 20000
- slb.s3.medium: 最大連接數(shù)500000, QPS 50000
- slb.s3.large: 最大連接數(shù)1000000, QPS 100000

ALB/NLB按量付費(fèi)，無(wú)需選擇規(guī)格。

優(yōu)化健康檢查配置

# 推薦配置
health_check_config {
 health_check_interval   = 2  # 檢查間隔2秒
 health_check_timeout   = 5  # 超時(shí)5秒
 healthy_threshold     = 3  # 連續(xù)3次成功視為健康
 unhealthy_threshold    = 3  # 連續(xù)3次失敗視為不健康
}

# 故障檢測(cè)時(shí)間 = interval × unhealthy_threshold = 6秒
# 恢復(fù)檢測(cè)時(shí)間 = interval × healthy_threshold = 6秒

啟用連接復(fù)用

# 后端Nginx配置，支持HTTP Keep-Alive
upstream backend {
  keepalive 100; # 保持100個(gè)長(zhǎng)連接
}

server {
  location / {
    proxy_http_version 1.1;
    proxy_set_header Connection "";
  }
}

安全加固

TLS配置

# 使用安全的TLS策略
tls_cipher_policy = "tls_cipher_policy_1_2"

# TLS 1.2+，禁用弱加密套件
# 支持的策略：
# - tls_cipher_policy_1_0: 兼容性最好，安全性最低
# - tls_cipher_policy_1_1: 禁用SSLv3
# - tls_cipher_policy_1_2: 僅TLS 1.2，推薦
# - tls_cipher_policy_1_2_strict: TLS 1.2，更嚴(yán)格的加密套件
# - tls_cipher_policy_1_2_strict_with_1_3: TLS 1.2/1.3，最安全

訪(fǎng)問(wèn)控制

# ALB訪(fǎng)問(wèn)控制
resource "alicloud_alb_acl" "whitelist" {
 acl_name = "office-whitelist"

 acl_entries {
  entry    = "1.2.3.0/24"
  description = "Office Network"
 }
 acl_entries {
  entry    = "4.5.6.0/24"
  description = "VPN Gateway"
 }
}

# 關(guān)聯(lián)到監(jiān)聽(tīng)
resource "alicloud_alb_listener" "admin" {
 # ...
 acl_config {
  acl_type = "White"
  acl_relations {
   acl_id = alicloud_alb_acl.whitelist.id
  }
 }
}

DDoS防護(hù)

# 關(guān)聯(lián)DDoS高防
resource "alicloud_ddoscoo_instance" "main" {
 name       = "prod-ddos"
 bandwidth     = 30
 base_bandwidth  = 30
 service_bandwidth = 100
 port_count    = 50
 domain_count   = 50
}

高可用配置

跨可用區(qū)部署

# 至少2個(gè)可用區(qū)
zone_mappings {
 vswitch_id = alicloud_vswitch.zone_a.id
 zone_id  = "cn-hangzhou-h"
}
zone_mappings {
 vswitch_id = alicloud_vswitch.zone_b.id
 zone_id  = "cn-hangzhou-i"
}

后端服務(wù)器分布

# 后端服務(wù)器均勻分布在多個(gè)可用區(qū)
resource "alicloud_instance" "web" {
 count   = 6
 vswitch_id = element(alicloud_vswitch.main[*].id, count.index % 2)
 # 實(shí)例0,2,4在AZ-A，實(shí)例1,3,5在AZ-B
}

故障轉(zhuǎn)移測(cè)試

# 模擬可用區(qū)故障
# 1. 停止一個(gè)可用區(qū)的所有實(shí)例
# 2. 觀察SLB自動(dòng)切換到其他可用區(qū)
# 3. 驗(yàn)證服務(wù)可用性

4.2 注意事項(xiàng)

健康檢查配置注意事項(xiàng)

# 確保后端健康檢查端點(diǎn)正常
# 1. 返回2xx或3xx狀態(tài)碼
# 2. 響應(yīng)時(shí)間<健康檢查超時(shí)時(shí)間
# 3. 檢查路徑存在且可訪(fǎng)問(wèn)

# 檢查示例
curl -I http://backend-server/health
# 期望輸出: HTTP/1.1 200 OK

會(huì)話(huà)保持注意事項(xiàng)

會(huì)話(huà)保持類(lèi)型選擇：
- Insert Cookie: SLB植入Cookie，后端無(wú)感知
- Rewrite Cookie: SLB重寫(xiě)后端返回的Cookie
- Server Cookie: 使用后端指定的Cookie

注意：
1. Insert Cookie需要客戶(hù)端支持Cookie
2. 移動(dòng)端APP需要正確處理Cookie
3. 會(huì)話(huà)保持可能導(dǎo)致負(fù)載不均衡

五、故障排查和監(jiān)控

5.1 故障排查

健康檢查故障排查

# 步驟1: 確認(rèn)安全組規(guī)則
aliyun ecs DescribeSecurityGroupAttribute 
  --SecurityGroupId sg-xxx 
  --Direction ingress | grep 100.64

# 步驟2: 從SLB健康檢查網(wǎng)段模擬檢查
# 在同VPC的ECS上執(zhí)行
curl -I http://backend-ip:80/health

# 步驟3: 檢查后端服務(wù)狀態(tài)
ssh backend-server"systemctl status nginx"
ssh backend-server"curl -I localhost/health"

# 步驟4: 檢查SLB監(jiān)聽(tīng)配置
aliyun slb DescribeLoadBalancerHTTPListenerAttribute 
  --LoadBalancerId lb-xxx 
  --ListenerPort 80

連接問(wèn)題排查

# 檢查SLB連接數(shù)
aliyun cms DescribeMetricLast 
  --Namespace acs_slb_dashboard 
  --MetricName ActiveConnection 
  --Dimensions'[{"instanceId":"lb-xxx"}]'

# 檢查后端連接數(shù)
ss -s
netstat -an | grep ESTABLISHED | wc -l

# 檢查T(mén)IME_WAIT
netstat -an | grep TIME_WAIT | wc -l

# 優(yōu)化內(nèi)核參數(shù)（后端服務(wù)器）
cat >> /etc/sysctl.conf <

	

	性能問(wèn)題排查

	
# 檢查SLB QPS和延遲
aliyun cms DescribeMetricList 
  --Namespace acs_slb_dashboard 
  --MetricName Qps 
  --Dimensions'[{"instanceId":"lb-xxx"}]'
  --StartTime"2025-01-09T0000Z"
  --EndTime"2025-01-09T2359Z"

# 檢查后端響應(yīng)時(shí)間
aliyun cms DescribeMetricList 
  --Namespace acs_slb_dashboard 
  --MetricName Rt 
  --Dimensions'[{"instanceId":"lb-xxx"}]'

# 使用curl測(cè)試響應(yīng)時(shí)間
curl -w"@curl-format.txt"-o /dev/null -s http://slb-ip/
# curl-format.txt內(nèi)容:
# time_namelookup: %{time_namelookup}

# time_connect: %{time_connect}

# time_appconnect: %{time_appconnect}

# time_pretransfer: %{time_pretransfer}

# time_redirect: %{time_redirect}

# time_starttransfer: %{time_starttransfer}

# time_total: %{time_total}



	

	5.2 性能監(jiān)控

	云監(jiān)控配置

	
# 創(chuàng)建報(bào)警規(guī)則
resource "alicloud_cms_alarm" "slb_qps" {
 name  = "slb-qps-high"
 project = "acs_slb_dashboard"
 metric = "Qps"

 dimensions = {
  instanceId = alicloud_slb_load_balancer.main.id
 }

 escalations_critical {
  statistics     = "Average"
  comparison_operator = ">="
  threshold      = "50000"
  times        = 3
 }

 contact_groups = ["ops-team"]
 period     = 60
}

resource "alicloud_cms_alarm" "slb_5xx" {
 name  = "slb-5xx-high"
 project = "acs_slb_dashboard"
 metric = "StatusCode5xx"

 dimensions = {
  instanceId = alicloud_slb_load_balancer.main.id
  port    = "443"
 }

 escalations_critical {
  statistics     = "Sum"
  comparison_operator = ">="
  threshold      = "100"
  times        = 3
 }

 contact_groups = ["ops-team"]
 period     = 60
}

resource "alicloud_cms_alarm" "unhealthy_servers" {
 name  = "slb-unhealthy-servers"
 project = "acs_slb_dashboard"
 metric = "UnhealthyServerCount"

 dimensions = {
  instanceId = alicloud_slb_load_balancer.main.id
  port    = "443"
 }

 escalations_critical {
  statistics     = "Average"
  comparison_operator = ">="
  threshold      = "1"
  times        = 2
 }

 contact_groups = ["ops-team"]
 period     = 60
}


	

	關(guān)鍵監(jiān)控指標(biāo)

				指標(biāo)名稱(chēng)
			

				說(shuō)明
			

				告警閾值建議
		

				Qps
			

				每秒請(qǐng)求數(shù)
			

				>80%規(guī)格上限
		

				ActiveConnection
			

				活躍連接數(shù)
			

				>80%規(guī)格上限
		

				NewConnection
			

				新建連接數(shù)
			

				>80%規(guī)格上限
		

				TrafficRX/TX
			

				流入/流出流量
			

				>80%帶寬
		

				StatusCode5xx
			

				5xx錯(cuò)誤數(shù)
			

				>1%總請(qǐng)求
		

				StatusCode4xx
			

				4xx錯(cuò)誤數(shù)
			

				>5%總請(qǐng)求
		

				Rt
			

				平均響應(yīng)時(shí)間
			

				>500ms
		

				UnhealthyServerCount
			

				不健康服務(wù)器數(shù)
			

				>=1
		

	Grafana儀表板

	
{
"panels": [
  {
  "title":"QPS趨勢(shì)",
  "type":"graph",
  "datasource":"aliyun-cms",
  "targets": [
    {
    "namespace":"acs_slb_dashboard",
    "metric":"Qps",
    "dimensions": {"instanceId":"$slb_id"}
    }
   ]
  },
  {
  "title":"響應(yīng)時(shí)間",
  "type":"graph",
  "targets": [
    {
    "namespace":"acs_slb_dashboard",
    "metric":"Rt"
    }
   ]
  },
  {
  "title":"HTTP狀態(tài)碼分布",
  "type":"piechart",
  "targets": [
    {"metric":"StatusCode2xx"},
    {"metric":"StatusCode3xx"},
    {"metric":"StatusCode4xx"},
    {"metric":"StatusCode5xx"}
   ]
  },
  {
  "title":"后端服務(wù)器健康狀態(tài)",
  "type":"stat",
  "targets": [
    {"metric":"HealthyServerCount"},
    {"metric":"UnhealthyServerCount"}
   ]
  }
 ]
}


	

	5.3 備份與恢復(fù)

	配置導(dǎo)出

	
#!/bin/bash
# export-slb-config.sh

REGION="cn-hangzhou"
OUTPUT_DIR="./slb-backup/$(date +%Y%m%d)"
mkdir -p${OUTPUT_DIR}

# 導(dǎo)出SLB實(shí)例配置
aliyun slb DescribeLoadBalancers 
  --RegionId${REGION}
  --output json >${OUTPUT_DIR}/slb-instances.json

# 導(dǎo)出監(jiān)聽(tīng)配置
forlb_idin$(jq -r'.LoadBalancers.LoadBalancer[].LoadBalancerId'${OUTPUT_DIR}/slb-instances.json);do
  aliyun slb DescribeLoadBalancerListeners 
    --LoadBalancerId${lb_id}
    --output json >${OUTPUT_DIR}/listener-${lb_id}.json

 # 導(dǎo)出后端服務(wù)器配置
  aliyun slb DescribeVServerGroups 
    --LoadBalancerId${lb_id}
    --output json >${OUTPUT_DIR}/vserver-groups-${lb_id}.json
done

# 導(dǎo)出證書(shū)
aliyun slb DescribeServerCertificates 
  --RegionId${REGION}
  --output json >${OUTPUT_DIR}/certificates.json

echo"Backup completed:${OUTPUT_DIR}"


	

	使用Terraform管理配置

	
# 導(dǎo)入現(xiàn)有資源到Terraform
terraform import alicloud_slb_load_balancer.main lb-xxx
terraform import alicloud_slb_listener.http lb-xxx80

# 生成配置
terraform show -no-color > imported-config.tf

# 驗(yàn)證配置
terraform plan


	

	災(zāi)難恢復(fù)流程

	
# 1. 創(chuàng)建新的SLB實(shí)例（使用Terraform或控制臺(tái)）
terraform apply

# 2. 配置DNS切換
aliyun alidns UpdateDomainRecord 
  --RecordId xxx 
  --RR www 
  --Type A 
  --Value 

# 3. 驗(yàn)證新SLB正常工作
curl -I http://new-slb-ip/

# 4. 更新CDN回源配置（如有）
aliyun cdn ModifyCdnDomainConfig 
  --DomainName www.example.com 
  --Sources'[{"content":"new-slb-ip","type":"ipaddr","priority":"20","port":80}]'


	

	六、總結(jié)

	6.1 技術(shù)要點(diǎn)回顧

	本文詳細(xì)介紹了阿里云SLB負(fù)載均衡的配置和最佳實(shí)踐：

	產(chǎn)品選型：CLB適合存量業(yè)務(wù)，ALB適合七層應(yīng)用，NLB適合高性能四層場(chǎng)景

	高可用設(shè)計(jì)：跨可用區(qū)部署、健康檢查、后端服務(wù)器分布

	HTTPS配置：證書(shū)管理、TLS策略、HTTP重定向

	流量管理：基于路徑/Header的路由、會(huì)話(huà)保持、灰度發(fā)布

	安全加固：訪(fǎng)問(wèn)控制、DDoS防護(hù)、安全組配置

	監(jiān)控告警：關(guān)鍵指標(biāo)監(jiān)控、異常告警、性能分析

	6.2 進(jìn)階學(xué)習(xí)方向

	GTM全局流量管理：多地域多活架構(gòu)

	DCDN全站加速：SLB與CDN聯(lián)動(dòng)

	WAF Web應(yīng)用防火墻：七層安全防護(hù)

	服務(wù)網(wǎng)格：ALB與ASM集成

	Kubernetes Ingress：ALB作為K8s入口

	6.3 參考資料

	阿里云SLB官方文檔: https://help.aliyun.com/product/27537.html

	ALB文檔: https://help.aliyun.com/product/211127.html

	NLB文檔: https://help.aliyun.com/product/439469.html

	Terraform阿里云Provider: https://registry.terraform.io/providers/aliyun/alicloud/latest

	附錄

	A. 命令速查表

				操作
			

				命令
		

				查看SLB實(shí)例
			

				aliyun slb DescribeLoadBalancers
		

				查看監(jiān)聽(tīng)
			

				aliyun slb DescribeLoadBalancerListeners --LoadBalancerId lb-xxx
		

				查看健康狀態(tài)
			

				aliyun slb DescribeHealthStatus --LoadBalancerId lb-xxx
		

				添加后端服務(wù)器
			

				aliyun slb AddBackendServers --LoadBalancerId lb-xxx --BackendServers '[...]'
		

				設(shè)置權(quán)重
			

				aliyun slb SetBackendServers --LoadBalancerId lb-xxx --BackendServers '[...]'
		

				上傳證書(shū)
			

				aliyun slb UploadServerCertificate --ServerCertificate ... --PrivateKey ...
		

	B. 配置參數(shù)詳解

	監(jiān)聽(tīng)參數(shù)

				參數(shù)
			

				默認(rèn)值
			

				說(shuō)明
		

				bandwidth
			

				-1
			

				帶寬峰值，-1表示不限制
		

				request_timeout
			

				60
			

				請(qǐng)求超時(shí)時(shí)間（秒）
		

				idle_timeout
			

				15
			

				空閑連接超時(shí)（秒）
		

				gzip
			

				on
			

				是否開(kāi)啟Gzip壓縮
		

	健康檢查參數(shù)

				參數(shù)
			

				默認(rèn)值
			

				說(shuō)明
		

				health_check_interval
			

				2
			

				檢查間隔（秒）
		

				health_check_timeout
			

				5
			

				超時(shí)時(shí)間（秒）
		

				healthy_threshold
			

				3
			

				健康閾值
		

				unhealthy_threshold
			

				3
			

				不健康閾值
		

	C. 術(shù)語(yǔ)表

				術(shù)語(yǔ)
			

				說(shuō)明
		

				CLB
			

				Classic Load Balancer，經(jīng)典負(fù)載均衡
		

				ALB
			

				Application Load Balancer，應(yīng)用負(fù)載均衡
		

				NLB
			

				Network Load Balancer，網(wǎng)絡(luò)負(fù)載均衡
		

				VServer Group
			

				虛擬服務(wù)器組，后端服務(wù)器分組
		

				Listener
			

				監(jiān)聽(tīng)，定義端口和協(xié)議
		

				Health Check
			

				健康檢查，檢測(cè)后端服務(wù)器狀態(tài)
		

				Session Persistence
			

				會(huì)話(huà)保持，同一客戶(hù)端路由到同一后端
		

				Forwarding Rule
			

				轉(zhuǎn)發(fā)規(guī)則，基于條件的路由