Using Azure Load Balancer to Load-Balance Multiple Stream Managers

Prerequisites

Prerequisites For A Non-SSL Setup

  • Access to a domain management interface to be able to create a DNS CNAME record for the load balancer. A CNAME (Canonical Name) is used to create a friendly alias for the load balancer DNS.
  • Deploy one or more Stream Manager instances
  • Create the first Stream Manager per the instructions given in the Stream Manager Azure deployment guide.
  • Create an image from that instance. Once you create an image the instance is generalized and cannot be used as a stream manager anymore. Thus after you are done creating the image, make sure to delete the instance.
  • Create one or more stream manager instances using the image for better redundancy & service availability.
  • The config files should be identical between the two stream managers with one exception - the ## LOADBALANCING CONFIGURATION section.
  • Edit red5pro/webapps/streammanager/WEB-INF/red5-web.properties and, in the ## LOADBALANCING CONFIGURATION section, set streammanager.ip= to the assigned IP address of the individual Stream Manager instance you are modifying. The value is used to uniquely identify a Stream Manager, so you can use a public IP, a private IP, or even a unique non-existent IP-like string (ex: 10.0.0.1).
  • Add each Stream Manager's public static IP address to the Database firewall rules found under the Connection Security option to allow each Stream Manager to access the database.
  • The network security group(s) of Stream Manager instances should be configured to allow HTTP traffic on port 5080.

Prerequisites For A SSL Enabled Setup

  • A wildcard SSL cert for the domain name that will be used to access services.
  • Access to a domain management interface to be able to create a DNS A record for the load balancer IP address to map it to a friendly hostname.
  • Deploy one or more Stream Manager instances
  • Create the first Stream Manager per the instructions that are given in the Stream Manager Azure deployment guide. Each Stream Manager instance should be configured for SSL using the wildcard certificate. Please refer to this document to configure SSL on your Red5 Pro Stream Manager.
  • Your Stream Manager network security group(s) should allow HTTP, HTTPS & WSS (if using WebRTC).
  • Create an image from that instance. Once you create an image the instance is generalized and cannot be used as a stream manager anymore. Thus after you are done creating the image, make sure to delete the instance.
  • Create one or more stream manager instances using the image for better redundancy & service availability.
  • The config files should be identical between the two stream managers with one exception - the ## LOADBALANCING CONFIGURATION section.
  • Edit red5pro/webapps/streammanager/WEB-INF/red5-web.properties and, in the ## LOADBALANCING CONFIGURATION section, set streammanager.ip= to the assigned IP address of the individual Stream Manager instance you are modifying. The value is used to uniquely identify a Stream Manager, so you can use a public IP, a private IP, or even a unique non-existent IP-like string (ex: 10.0.0.1).
  • Add each Stream Manager's private IP addresses (CIDR) to the Database security group to allow data access.
  • The security group(s) of Stream Manager instances should be configured to allow traffic on port 443, 8083 and 5080 (optional).
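
Both prerequisite lists require the red5-web.properties files to match except for streammanager.ip, which must be unique per instance. The following check for that is an added example, not code from Red5 Pro or from the original page; apart from streammanager.ip, the keys, values and instance names are constructed samples.

```python
# Added example. Only streammanager.ip comes from the page; the other keys
# and every value in the samples below are constructed for illustration.
LB_KEY = "streammanager.ip"

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_cluster(configs):
    """configs maps instance name -> file text; returns a list of findings."""
    parsed = {name: parse_properties(text) for name, text in configs.items()}
    findings, seen = [], {}
    for name, props in parsed.items():
        ident = props.get(LB_KEY, "")
        if not ident:
            findings.append(f"{name}: {LB_KEY} is empty or missing")
        elif seen.setdefault(ident, name) != name:
            findings.append(f"{name}: {LB_KEY} duplicates {seen[ident]}")
    base_name, *others = parsed  # first instance is the comparison baseline
    for name in others:
        keys = (set(parsed[base_name]) | set(parsed[name])) - {LB_KEY}
        for key in sorted(keys):
            # Report the key only: values may be credentials.
            if parsed[base_name].get(key) != parsed[name].get(key):
                findings.append(f"{name}: {key} differs from {base_name}")
    return findings

TEMPLATE = """## DATABASE (constructed sample keys)
example.db.host={db}
example.db.pass=not-a-real-secret
## LOADBALANCING CONFIGURATION
streammanager.ip={ip}
"""
SAMPLES = {
    "sm-01": TEMPLATE.format(db="db.example.internal", ip="10.0.0.1"),
    "sm-02": TEMPLATE.format(db="db.example.internal", ip="10.0.0.2"),
    "sm-03": TEMPLATE.format(db="db-old.example.internal", ip="10.0.0.1"),
}

if __name__ == "__main__":
    for finding in check_cluster(SAMPLES):
        print(finding)
```

The constructed sm-03 sample is flagged twice: it reuses the identifier of sm-01 and its database host has drifted from the baseline.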

Additional Notes On SSL Enabled Setup

If you want to publish via WebRTC or iOS, you must set up the Stream Manager with a valid SSL certificate and use the Stream Manager SSL Proxy feature. Since the Azure load balancer does not have a provision to install a certificate at the load balancer itself, a few special steps need to be taken for creating a multi-stream manager, SSL enabled load-balanced setup.

  • Each Stream Manager that will be placed behind the load balancer should be configured with the wildcard SSL certificate.
  • The SSL configured Stream Manager instances need not have a domain name associated with them. However, they should be configured for receiving traffic on secure Red5 Pro ports (HTTPS and WSS).
  • Your Stream Manager security group should allow HTTP, HTTPS & WSS to receive traffic from the Load Balancer.

Configuring multiple Stream Manager instances using a wildcard cert and creating a DNS A record in the same domain for the load balancer ensures that different Stream Manager instances behind the load balancer will not cause identity issues during traffic forwarding.

Prepare a Public Static IP For Load Balancer

Azure load balancer allows us to associate an IP with it. Having a stable IP address helps us create a DNS A record to map the IP address with a friendly domain name to consume services.

  • Navigate to the Azure portal
  • Navigate to Public IP Addresses.
  • Click on +Add
  • Fill in the relevant information for creating a new public IP address

    • Name: Provide a name to associate with your load balancer, such as loadbalancer-pip.
    • IP Version: Select IPv4
    • IP address assignment: Static
    • Idle Timeout: (Leave at default)
    • DNS name label: None (Leave at default)
    • Create an IPv6 address: Unchecked (Leave at default)
    • Subscription: Select your subscription (Use the same subscription that is used for AD access authentication)
    • Resource group: Select “Use existing” and select your autoscaling resource group.
    • Location: Select the region where the IP address will be reserved.
    • Click Create to create the IP address. It will take a few seconds to create the IP address resource.

    Remember to note this address in a safe place, since we will be creating a DNS A record against it.

    Reserve Static IP

Create Load Balancer

  • Navigate to Load Balancers.
  • Click on +Add
  • Fill in the relevant information for creating a new load balancer

    • Name: Provide a name to associate with your load balancer, such as streammanager-lb.
    • Type: Public
    • SKU: Basic (Leave at default)
    • Public IP address: Select Use Existing and select the public IP we created earlier for the load balancer, i.e. loadbalancer-pip.
    • Subscription: Select your subscription (Use the same subscription that is used for AD access authentication)
    • Resource group: Select “Use existing” and select your autoscaling resource group.
    • Location: Select the region where the IP address will be reserved.

    Create Load Balancer

    • Click Create to create the load balancer. It will take a few seconds to create the load balancer resource.

    Load balancer created

Create DNS A Record For Load Balancer

Once you have created your load balancer with a static IP, you should also create a DNS A record with your domain management interface to associate the load balancer IP address with a user-friendly DNS name.

If you plan to configure your setup for SSL or need to support WebRTC over the load balancer, you need to make sure that the domain name used in the DNS record belongs to the same domain as the wildcard cert used to configure Stream Manager instances.
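
The sketch below shows what "belongs to the same domain as the wildcard cert" means for certificate name matching: the wildcard covers exactly one label, and never an IP address. It is an added example, not part of the original guide or of Red5 Pro; the example.com names and the address 203.0.113.10 are constructed samples.

```python
# Added example. example.com names and 203.0.113.10 are constructed samples.
import ipaddress

def wildcard_covers(cert_name, hostname):
    """True if a certificate DNS name such as '*.example.com' covers hostname.

    '*' stands for exactly one left-most label, so it covers neither the
    bare domain nor names more than one level below it.
    """
    pattern = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(host) or "" in host:
        return False
    if pattern[0] == "*":
        # Require at least '*.<domain>.<tld>'; a heuristic, not a full
        # public-suffix check.
        return len(pattern) >= 3 and pattern[1:] == host[1:]
    return pattern == host

def check_endpoint(cert_names, endpoint):
    """Return (ok, reason) for the name clients will use to reach the LB."""
    try:
        ipaddress.ip_address(endpoint)
        return (False, "IP literal: a wildcard DNS name never matches an IP")
    except ValueError:
        pass  # not an IP address, treat as a hostname
    for name in cert_names:
        if wildcard_covers(name, endpoint):
            return (True, f"covered by {name}")
    return (False, "no certificate name covers this host")

CERT_NAMES = ["*.example.com"]          # names on the wildcard cert
ENDPOINTS = [
    "streammanager.example.com",        # A record in the cert's domain
    "sm.lb.example.com",                # two labels under the domain
    "example.com",                      # bare domain
    "streammanager.example.org",        # different domain
    "203.0.113.10",                     # load balancer IP used directly
]

if __name__ == "__main__":
    for endpoint in ENDPOINTS:
        ok, reason = check_endpoint(CERT_NAMES, endpoint)
        print(f"{'OK  ' if ok else 'FAIL'} {endpoint}: {reason}")
```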

NOTE: Your autoscaling node's autoscale.xml file should use the DNS name to communicate with stream manager instance(s). See the Azure deployment guide for more details.

Load balancer DNS A Record

Creating Backend Pools

Each load balancer can have one or more backend pool(s). A backend pool is used to define targets that the load balancer can route traffic to. Amongst the different types of targets that can be specified, there are Availability set, Single virtual machine and Virtual machine scale set. Out of these three, we will be using the Single virtual machine to create stream manager targets.

To create a backend pool:

  • Click to select your Load Balancer
  • Select Backend Pools
  • Click on +Add
  • Fill in the relevant information for creating a new backend pool

    • Name: Provide a name for the backend pool. ex: streammanager-01-pool. You can use a numbering pattern when targeting multiple stream managers.
    • IP Version: Select IPv4
    • Associated To: Select Single virtual machine.
    • Target virtual machine: Select a running stream manager instance.
    • Target network IP configuration: Click Add a target network IP configuration. This will show a new field called Network IP configuration.
    • Network IP configuration: Select the first default configuration in the dropdown by the name ipconfig.
    • Click OK to create the backend pool. It will take a few seconds to create the resource.

    For multiple stream manager instances, repeat the steps mentioned above to create additional backend pools.

    Add Backend Pool

Creating Health Probes

Health probes are essential for the load balancer to determine which targets to route traffic to and which targets to avoid. A health probe is created to check the availability of a target defined using the backend pool. If a health check fails on a backend pool, the load balancer will not route traffic to it.

To create a health probe:

  • Click to select your Load Balancer
  • Select Health Probes
  • Click on +Add
  • Fill in the relevant information for creating a new health probe

    • Name: Provide a name for the health probe. ex: streammanager-01-probe. You can use a numbering pattern when targeting multiple stream managers.
    • IP Version: IPv4
    • Protocol: Select HTTP
    • Port: Enter 5080. This will be the HTTP port of stream manager instance.
    • Path: Enter / (default). This is the root of the stream manager instance.
    • Interval: This is the amount of time between probe attempts. Leave it to default.
    • Unhealthy threshold: This specifies the number of failures to judge an instance to be unhealthy. Leave it to default.
    • Click OK to create the health probe. It will take a few seconds to create the resource.

    A health probe targets a port-protocol combination to test. Therefore a single probe is sufficient for our use case since we will be testing server availability on the HTTP port (5080).

    Add Health Probe

Creating Load Balancing Rules

The final piece of the load balancer setup is a Load Balancing Rule. A rule specifies which port on the load balancer should route traffic to which port on a backend pool once the health probe has determined it to be healthy. For a load balanced multi-stream manager setup, we will need to create multiple rules, one for each port-protocol combination that we need to handle traffic on.

To create a load balancing rule for HTTP:

  • Click to select your Load Balancer
  • Select Load Balancing Rules
  • Click on +Add
  • Fill in the relevant information for creating a new rule

    • Name: Provide the name for the rule as unsecure-http-01.
    • IP Version: IPv4
    • Frontend IP address: Select the load balancer static IP (identified by name loadbalancer-pip).
    • Protocol: Select TCP.
    • Port: Enter HTTP port 80 or 5080 as desired. This is the load balancer listener port, i.e. the load balancer listens for traffic on this port.
    • Backend Port: Enter HTTP port 5080. This is the stream manager HTTP port, i.e. the stream manager instance(s) listen for HTTP traffic on this port.
    • Backend Pool: Select a backend pool created earlier (ex: streammanager-01-pool).
    • Session persistence: Set to NONE (Leave to default).
    • Idle Timeout: 4, (Leave to default).
    • Floating IP: Disabled, (Leave to default).
    • Click OK to save load balancing rule. It will take a few seconds to create the resource.

    The above steps help create a load balancer rule to accept traffic on HTTP port (80 or 5080) and forward it to the backend port (5080) of a Stream Manager instance defined by the selected backend pool.

    Create Loadbalancer Rule

    You can target additional ports by repeating the above steps to create load balancing rules for them. If you have more than one Stream Manager instance, you have to repeat each load balancing rule for each backend pool that you intend to target.

    If you require WebRTC or just SSL in general, you should create load balancing rules for them on ports 8083 and 443 respectively. See below for the load balancing rules required to support the different protocols and their ports.

Load Balancing Rules: add the following port maps as necessary

Load Balancer Rule     Load Balancer Protocol   Load Balancer Port   Backend Port
secure-http-01         TCP                      443                  443
secure-websocket-01    TCP                      8083                 8083
unsecure-http-01       TCP                      80                   5080

Possible Loadbalancer Rules

Summary

  • Azure load balancers can have a static IP address associated with them. You can, therefore, create a friendly DNS A record to associate a hostname to the load balancer.
  • If you intend to support WebRTC or just need SSL on your load balanced setup, each Stream Manager should be configured for SSL using the wildcard certificate and the DNS A record should also be in the same domain as the wildcard cert.
  • If you have more than one Stream Manager instance, you need to create the load balancer rules for each of the backend pools explicitly.
  • Always access your services using the DNS associated with the load balancer. Never use the IP of the load balancer or any of the Stream Manager instances directly.

A load balancer rule will route traffic to an associated backend pool only if the health probe for the rule reports that the backend pool is healthy. Therefore you should wait a little before you start using the load balancer service.

Load Balancer Port Forwarding
