Internet Endpoint Configuration (Valid starting 3-4 October 2020)
ATTENTION: Please note the following changes described in this document will take effect starting 3-4 October 2020.

Intro

This document explains how requests are processed in the new setup, where an internet-facing AWS Network Load Balancer (NLB) forwards requests directly to the Nginx Ingress. For more details on NLB, please refer to the following: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html.

Switching to NLB is being done for the following reasons:

  • It improves connection speed and decreases connection delay.
  • It is more robust: with one component less (haproxy), the probability of a component failure decreases.
  • It allows us to enable newer protocol versions: HTTP/2, HTTP/3 and SPDY for HTTP, and TLS 1.3 for TLS.
  • It allows traffic mirroring, so security tools such as an IDS can be added easily.
  • It removes the current SPOF (single point of failure), haproxy: each domain has its own haproxy, and if it fails the domain is unavailable.

The new architecture with NLB changes some aspects of request processing at the internet endpoint, because a different reverse proxy is used for processing. The following limitations are introduced:

  • All requests must be SNI-enabled.
  • The maximum HTTP keep-alive time will decrease from 10 minutes to 5 minutes.

SNI Requirement

The most significant change is in non-SNI request processing. TLS Server Name Indication (SNI) was introduced in 2004 to add flexibility to the TLS layer. More information, including a list of supporting browsers and SDKs, can be found here: https://en.wikipedia.org/wiki/Server_Name_Indication. All currently supported browsers and SDKs are SNI-enabled in their recent versions.

If for any reason a customer sends non-SNI requests, they will be redirected to the API domain (example: CLUSTER_ID.coresuite.com), even when they are sent to a different domain: requests sent to eu.coresystems.com, for example, will be routed to eu.coresuite.com.

Example diagram:

As of 26 August 2020, there have not been any non-SNI connections over the last 30 days.
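As an added check for the SNI requirement above (example code, not part of this document), the following Python snippet shows how to confirm whether a client actually sends SNI: it builds the ClientHello a Python TLS client would send, offline via memory BIOs, and parses the server_name extension out of it. The extract_sni parser works equally on a ClientHello captured from any other client; eu.coresystems.com is the domain from this document, and the function names are the example's own.

```python
import ssl
import struct

# Constructed offline: build the TLS ClientHello a Python client would send,
# using memory BIOs so that no network connection is needed.
def client_hello_bytes(server_hostname):
    """Return the raw ClientHello record sent with (or, for None, without) SNI."""
    ctx = ssl.create_default_context()
    if server_hostname is None:
        # Python refuses hostname checking without a hostname, so disable it;
        # this mirrors a legacy client that never sets the server name.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello is now in `outgoing`; no server reply is needed
    return outgoing.read()

def extract_sni(record):
    """Return the host name from a ClientHello's server_name extension, or None."""
    # Record header: type(1) version(2) length(2); handshake: type(1) length(3).
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9 + 2 + 32                                        # skip version + random
    pos += 1 + record[pos]                                  # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher suites
    pos += 1 + record[pos]                                  # compression methods
    if pos + 2 > len(record):
        return None                                         # no extensions at all
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0:                                   # server_name (RFC 6066)
            # list length(2), name type(1) = host_name, name length(2), name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

if __name__ == "__main__":
    for host in ("eu.coresystems.com", None):
        print(host, "->", extract_sni(client_hello_bytes(host)))
```

A client whose ClientHello yields None here will hit the redirect to the API domain described above once the NLB setup is live.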