This topic describes application delivery network solutions that are based on Alibaba Cloud. These solutions use load balancing technologies such as NLB and ALB, and Global Accelerator (GA) to provide efficient access to and optimize Internet services. The solutions are suitable for various server-side scenarios and industry customers.-Cloud Network Well-architected Design Guidelines-阿里云帮助中心

If your backend business system is deployed on Alibaba Cloud, you must ensure that visitors can easily and reliably access your services. This topic describes the network solution that connects visitors to your backend services, which is known as an application delivery network solution.

1. Background and concepts

1.1 What is an application delivery network?

The rise of the mobile Internet and microservices has accelerated the development of application delivery network technology. Every Internet application that we use relies on application delivery network technology.

First, let's examine the concept of an application delivery network from the perspective of the client-server access model.

1) Clients: Twenty years ago, wireless smart devices did not exist. Client devices were primarily personal computers that typically ran only a browser. Ten years ago, with the introduction of 4G mobile networks, increased bandwidth and speed enabled the proliferation of mobile applications and video apps, leading to a greater variety of clients. Today, users can install dozens of applications on their mobile devices for various purposes, such as social networking, payments, shopping, and video streaming.
2) Servers: A single application now offers an increasing number of features. For example, short video applications often include live streaming, e-commerce, and comment sections, while e-commerce applications have multiple sales channels. This complexity has driven the evolution of server architecture from single-threaded to multi-threaded and, finally, to microservices.
With numerous client applications and geographically distributed backend microservices, a mechanism is needed to ensure that every user action, such as a click or swipe, quickly reaches the correct backend service and receives a response. This is the role of an application delivery network. It connects clients and servers and provides key features such as network acceleration, load balancing, security protection, and observability.

Let's examine this process in more detail.

Consider the journey of a request packet from a client to a server. The data packet from the client application must pass through the client's TCP/IP protocol stack, which consists of the application, transport, and network layers, and then traverse the Internet and various network devices. After the packet reaches the server, it ascends the TCP/IP stack to reach the server-side process or microservice. During this transmission, application delivery network technology is used to help the packet find the correct service IP address (server), service port (service process), and URL (service component) and ensure that the packet is delivered quickly and accurately.

1.2 What does an application delivery network do?

1) Service discovery

The technologies and products used for service discovery vary based on the server type, such as ECS instances, containers, or on-premises servers, and the network layer, such as Layer 4 for TCP or UDP, or Layer 7 for HTTP or HTTPS.

2) Service connectivity

While routing and addressing provide connectivity at the IP layer, connectivity above the IP layer relies primarily on "proxies" because they offer not only network connectivity but also the following capabilities required for application delivery:

• TLS termination

• Load balancing

• Authentication and Authorization

• Tracing and logging

• Security

• Application traffic capture

• Acceleration

On Alibaba Cloud, different proxy products are available to provide service connectivity:

Therefore, you can use different proxy products to build different application delivery network solutions based on the server type, such as ECS instances, containers, or on-premises servers, and the network layer of the application service, such as Layer 4 for TCP or UDP, or Layer 7 for HTTP or HTTPS.

Note: The application delivery network solutions in this topic are specific to Internet-facing services. Internal application delivery networks for enterprises are beyond the scope of this topic.

2. Target customers

Internet industry customers

This includes industries that use the Internet for information exchange, service delivery, and product sales. Examples include e-commerce, social media, search engines, online entertainment, Internet of Things (IoT), and fintech.

These customers must first ensure that clients can discover and reliably access their services over the Internet.

Non-Internet industry (traditional enterprise) customers who use the Internet to access internal IT systems

With the development of Internet technology, internal enterprise information systems, such as Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), Supply Chain Management (SCM), and Office Automation (OA), increasingly rely on Internet access to improve client accessibility.

These customers also access services over the Internet and need to address service discovery and connectivity challenges.

3. Solutions

This section describes different application delivery network solutions based on the server type, such as ECS instances, on-premises servers, or containers, and the network layer of the application service, such as Layer 4 for TCP or UDP, or Layer 7 for HTTP or HTTPS.

3.1 Application delivery network solution for ECS instances

1. Scenario and solution selection

Use ECS instances on Alibaba Cloud to host your web servers and applications. You can attach the ECS instances to an NLB instance and expose services to the Internet through the EIP and Layer 4 port of the NLB instance. For more information, see Figure 1.
Use ECS instances on Alibaba Cloud to host your web servers and applications. You can attach the ECS instances to an ALB instance and provide Internet access to URLs through the Layer 7 listener and forwarding rules of the ALB instance. For more information, see Figure 2.
If you require extensive Layer 7 self-development and customization, you can use a Layer 4 NLB instance with a self-managed Layer 7 proxy. You can attach the self-managed Layer 7 proxy to the NLB instance and provide Internet access through the EIP and Layer 4 port of the NLB instance. The self-managed Layer 7 proxy handles URL forwarding. For more information, see Figure 3.

2. NLB/ALB physical location selection

Region: We recommend that you deploy the NLB or ALB instance in the same region as the ECS instances. You can deploy the instance in a different region to accelerate access for clients in that region or if you require cross-region disaster recovery for your public-facing endpoint.
Zone: Use multiple zones. We recommend that you deploy the NLB or ALB instance in the same zones as the ECS instances to minimize same-zone forwarding latency.
Access to NLB/ALB: We recommend that you use the domain name provided by the NLB or ALB instance. If a zone fails, the virtual IP address (VIP) of the failed zone is automatically removed from DNS resolution.

3. Network between NLB/ALB and backend servers

We recommend that you deploy the resources in the same VPC. You can also use Transit Router (TR) to enable private network connectivity across VPCs or regions. For more information, see the topics on VPC network design and global network design.

4. Security protection design (Optional)

Security groups: You can add NLB and ALB instances to security groups to enforce access control using blacklists and whitelists.
VPC NACL: You can filter traffic to the VIPs of private NLB and ALB instances.
Anti-DDoS and WAF: You can attach Anti-DDoS and WAF to the EIPs of public NLB and ALB instances.

3.2 Application delivery network solution for on-premises servers (using Alibaba Cloud for public endpoint)

Scenario and solution selection

Use on-premises servers to host your web applications and expose services through a Layer 4 port. Use Alibaba Cloud as the Internet service endpoint. The NLB instance receives Internet traffic through an EIP or domain name and forwards requests to the on-premises servers. For more information, see Figure 1.
Use on-premises servers to host your web applications and expose services through a URL. Use Alibaba Cloud as the Internet service endpoint. Directly attach the on-premises servers to an ALB instance. The ALB instance provides Internet access to URLs through its Layer 7 listener and forwarding rules. The ALB instance receives Internet traffic through an EIP or domain name. For more information, see Figure 2.
Use on-premises servers to host your web applications and expose services through a URL. Use Alibaba Cloud as the Internet service endpoint. Attach a self-managed Layer 7 proxy that is deployed on Alibaba Cloud to an NLB instance. The NLB instance provides Internet access through its EIP and Layer 4 port. The self-managed Layer 7 proxy handles URL forwarding. The NLB instance receives Internet traffic through an EIP or domain name. For more information, see Figure 3.
Use on-premises servers to host your web applications and expose services through a URL. Use Alibaba Cloud as the Internet service endpoint. Attach a self-managed Layer 7 proxy that is deployed on-premises to an NLB instance. The NLB instance provides Internet access through its EIP and Layer 4 port. The self-managed Layer 7 proxy handles URL forwarding. The NLB instance receives Internet traffic through an EIP or domain name. For more information, see Figure 4.

1. NLB/ALB physical location selection

Region: We recommend that you deploy the NLB or ALB instance in the same region as the ECS instances. You can deploy the instance in a different region to accelerate access for clients in that region or if you require cross-region disaster recovery for your public-facing endpoint.
Zone: Use multiple zones. We recommend that you deploy the NLB or ALB instance in the same zones as the ECS instances to minimize same-zone forwarding latency.
Access to NLB/ALB: We recommend that you use the domain name provided by the NLB or ALB instance. If a zone fails, the VIP of the failed zone is automatically removed from DNS resolution.

2. Network between NLB/ALB and backend servers

We recommend that you deploy the resources in the same VPC. You can also use TR to enable private network connectivity across VPCs or regions. For more information, see the topics on VPC network design and global network design.
When you directly attach on-premises servers to an NLB instance, the source IP address of the packet is not preserved by default. You must use the PROXY protocol or TOA to transmit the source IP address.
When you directly attach on-premises servers to an ALB instance, the source IP address of the packet is not preserved by default. It must be transmitted in the X-Forwarded-For (XFF) HTTP header field.

3. Security protection design (Optional)

Security groups: You can add NLB and ALB instances to security groups to enforce access control using blacklists and whitelists.
VPC NACL: You can filter traffic to the VIPs of private NLB and ALB instances.
Anti-DDoS and WAF: You can attach Anti-DDoS and WAF to the EIPs of public NLB and ALB instances.

3.3 Application delivery network solution for container pods

Scenario and solution selection

Use pods in an Alibaba Cloud ACK cluster to host your web servers and applications. You can expose Layer 4 services through a LoadBalancer service. The NLB instance acts as the LoadBalancer and is managed by the Cloud Controller Manager (CCM) of the ACK cluster. For more information, see Figure 1.
Use pods in an Alibaba Cloud ACK cluster to host your web servers and applications. You can expose Layer 7 services through an ALB Ingress. The ALB instance receives Internet traffic through an EIP or domain name. For more information, see Figure 2.
Use pods in an Alibaba Cloud ACK cluster to host your web servers and applications. You can expose Layer 7 services through an Nginx Ingress. The NLB instance acts as a north-south gateway that exposes an EIP or domain name to direct Internet traffic to the Nginx Ingress. Use a self-managed Nginx Ingress for extensive customization. This option is suitable for customers who require complex features and have deep technical expertise. For more information, see Figure 3.
Use pods in an Alibaba Cloud ACK cluster to host your web servers and applications. You can expose Layer 7 services through an MSE Ingress. The NLB instance acts as a north-south gateway that exposes an EIP or domain name to direct Internet traffic to MSE. This option is suitable for customers who require complex Ingress features but do not want to perform operations and maintenance (O&M). For more information, see Figure 4.

1. Use an NLB instance as a LoadBalancer service to provide Layer 4 services

The Cloud Controller Manager (CCM) of the ACK cluster manages the NLB instance.
You can configure the NLB instance in the ACK console or using kubectl and a YAML script.
You can configure a wide range of load balancing features using annotations in the service YAML file. For more information, see Configure an NLB instance using annotations.
Note the quota limits for NLB instances. For more information, see Performance and limits.

2. Use an ALB instance as an Ingress service to provide Layer 7 services

The Alb-Ingress-Controller of the ACK cluster manages the ALB instance through AlbConfig (CRD). For more information, see ALB Ingress configuration reference.
Because an ALB instance provides a north-south traffic endpoint, load balancing, and high-availability capabilities, you do not need to create an additional LoadBalancer service.
Note the quota limits for ALB instances. For more information, see How ALB quotas are calculated.

3. Use an NLB instance as a north-south gateway to direct traffic to an Nginx Ingress Controller for Layer 7 services

The Nginx-Ingress-Controller of the ACK cluster manages the NLB instance. It creates a LoadBalancer service with the NLB instance to act as a north-south gateway that provides a north-south traffic endpoint, Layer 4 traffic load balancing, and cross-zone high availability.

4. Use an NLB instance as a north-south gateway to direct traffic to MSE for Layer 7 services

The MSE-Ingress-Controller of the ACK cluster manages the NLB instance. It creates a LoadBalancer service with the NLB instance to act as a north-south gateway that provides a north-south traffic endpoint, Layer 4 traffic load balancing, and cross-zone high availability.

3.4 WAN acceleration from client to SLB

Load balancing addresses service discovery and connectivity after access requests enter the Alibaba Cloud network. In some cases, a wide area network (WAN) acceleration solution is also needed to improve the network quality between the client and the load balancer.

Solution overview: Global Accelerator (GA) deploys reverse proxies in acceleration regions to route client traffic to the nearest point of presence (POP). It then uses Alibaba Cloud's global network, which features leased line connections with low packet loss, jitter, and latency, to transmit the traffic to the origin server. GA also automatically optimizes protocols such as TCP and HTTP.

1. GA instance billing method selection

Choose the subscription billing method for predictable workloads. Choose the pay-as-you-go billing method if usage is unpredictable or fluctuates significantly.

2. Connection type selection

CNAME record (Recommended): Create a CNAME record in your authoritative DNS server to point your business domain name to the accelerated domain name of the GA instance. The accelerated domain name supports intelligent DNS resolution by region. If an accelerated IP address becomes unreachable, GA automatically removes its DNS record to perform a switchover.
Accelerated IP address: The client directly accesses the accelerated IP address. This is suitable for businesses without a domain name. You can also create an A record in the authoritative DNS server to resolve to the accelerated IP address. This method requires a DNS service that supports intelligent resolution by region. If an accelerated IP address becomes unreachable, you must manually delete the A record or use a DNS service with health checks for an automatic switchover.

3. Acceleration region design

Acceleration region: Select one or more regions that are geographically close to your clients. If you are unsure, you can use the Internet access performance tool in the NIS console (Performance > Internet Access Performance) to measure public network quality.
Public network quality type: The default is BGP (Multi-ISP). To optimize traffic from outside the Chinese mainland to the Chinese mainland, select BGP (Premium).
Public network billing method: Choose pay-by-bandwidth for predictable workloads. Choose pay-by-data-transfer if usage is unpredictable or fluctuates significantly.

4. Listener design

Listener protocol: TCP, UDP, HTTP, and HTTPS are supported. Choose HTTP or HTTPS if different domain names or paths route to different origin servers. Choose TCP if they route to the same origin server.
Listener routing type: By default, the smart routing type is selected. The custom route type lets you create precise mappings from a listening port to a backend origin IP address and port. This is useful for scenarios such as assigning game or conference rooms based on ports.
Advanced features: If a service has multiple origin servers, you can use client affinity settings to route requests from the same client to the same origin server. You can also add HTTP header fields to include more client information, such as the client's source IP address.

5. Back-to-origin design

If your service has origin servers deployed in multiple regions for scenarios such as multi-region primary/secondary disaster recovery, multi-region load balancing, multi-region proximity-based client coverage, or smooth cross-region origin migration, you can use multi-region endpoint groups, priority settings, traffic scheduling percentages, and origin health checks.

6. Advanced forwarding policy design

After you create a listener, the system automatically creates a default forwarding rule and associates it with the default endpoint group.
If you need more specific forwarding conditions, such as domain name, path, HTTP header, HTTP request method, cookie, source IP, or query string, or more forwarding actions, such as forward to, redirect to, return fixed response, rewrite, write header, delete header, or drop/block traffic, you can customize forwarding policies and their matching priorities.

7. Cross-border network selection

Cross-border: The acceleration region and the origin server are in different locations, with one in the Chinese mainland and the other outside the Chinese mainland. GA provides two types of cross-border networks:
- Premium bandwidth: Uses BGP premium lines for cross-border networking with low load and less congestion.
- China Unicom leased line: Provides better performance than BGP premium lines. You need to apply for cross-border business compliance certification from China Unicom, and the origin domain name must have an ICP filing in the Chinese mainland.
If you use the pay-by-data-transfer billing method, premium bandwidth is used for cross-border connections by default. If your business is eligible, you can manually switch to a China Unicom leased line to improve acceleration performance.
If you use the pay-by-bandwidth billing method, eligible businesses need to manually purchase a cross-domain bandwidth plan (China Unicom leased line) to improve acceleration performance. Ineligible businesses can purchase a basic bandwidth plan with premium acceleration bandwidth.

8. Operations and maintenance (O&M) design (Optional and recommended)

GA access logs: You can enable access logs for a listener and endpoint group. Information such as the client source IP, client source port, destination IP, destination port, and acceleration region is recorded in SLS. SLS fees apply.
Monitoring and alerting: You can enable monitoring for metrics such as traffic and bandwidth for a GA instance and configure alerts.
Probing and diagnosis: After you configure and deploy a GA instance, you can use instance diagnosis to confirm that the deployment is correct. During business operations, you can enable origin probing to monitor service availability. If service availability drops, you can use network diagnosis to determine whether it is a network issue.

9. Security protection design (Optional)

GA access control lists: You can attach an access control policy group to each listener to implement a blacklist and whitelist mechanism.
Associate with Anti-DDoS: The accelerated IP addresses of a GA instance have Anti-DDoS Origin Basic enabled for free by default. On the instance details page, click the Acceleration Region tab, find the target accelerated IP address, and view the mitigation threshold in the Accelerated IP or Security Protection column.
Associate with WAF: You can deploy WAF between GA and the origin server for protection.

4. Product selection

4.1 SLB product comparison

SLB selection comparison	Classic Load Balancer (CLB)	Application Load Balancer (ALB)	Network Load Balancer (NLB)
Product positioning	First-generation load balancer. Feature development has stopped. Provides both Layer 4 and Layer 7 processing capabilities. Supports protocols such as TCP, UDP, HTTP, and HTTPS. Can be attached to ECS, Elastic Network Interface (ENI), and ECI instances.	Second-generation load balancer for Layer 7 application delivery. Powerful Layer 7 processing capabilities and a rich set of advanced routing features. Focuses on application-layer protocols such as HTTP, HTTPS, and QUIC. Can be attached to ECS, ENI, and ECI instances, private IP addresses, and Function Compute.	Second-generation load balancer for Layer 4 application delivery. Powerful Layer 4 processing capabilities and extensive attachment options. Supports protocols such as TCP, UDP, and TCP SSL. Can be attached to ECS, ENI, and ECI instances, and private IP addresses.
Performance	Based on a physical server architecture. A single instance supports up to 1 million concurrent connections. A single instance supports up to 50,000 queries per second (QPS). A single instance supports up to 5 Gbit/s of bandwidth. A single instance can be attached to up to 200 servers.	Based on a Network Functions Virtualization (NFV) stack and supports elastic scaling. A single instance supports up to 1 million QPS. A single instance supports up to 100 Gbit/s of bandwidth. A single instance can be attached to up to 1,000 servers.	Based on an NFV stack and supports elastic scaling. A single instance supports up to 100 million concurrent connections. A single instance supports up to 100 Gbit/s of bandwidth. A single instance can be attached to up to 1,000 backend servers.
Features	4. Basic Layer 7 capabilities Limited advanced features	Rich Layer 7 features, including content-based routing. HTTP header modification, redirection, rewrite, rate limiting, and more.	Rich Layer 4 features, including large-scale TCP SSL offloading. Supports full-port forwarding, IP target attachment, connection rate limiting, and more.
Reliability	Primary and secondary zones SLA of 99.95%	Active-Active Zone SLA of 99.995%	Dual-Primary Zone SLA of 99.995%
Cloud-native support	Can be integrated with Alibaba Cloud ACK or ACK Serverless (ASK) to act as a LoadBalancer.	Cloud-native Ingress gateway Supports traffic splitting, mirroring, canary releases, and blue-green deployments. Can be integrated with Alibaba Cloud ACK or ASK.	Can be integrated with Alibaba Cloud ACK or ASK to act as a LoadBalancer.
Typical scenarios	Scenario 1: Ensuring high availability for websites and systems within the same region. Scenario 2: Businesses that use both Layer 4 and Layer 7. Scenario 3: Implementing intra-city active-active or primary/secondary disaster recovery.	Scenario 1: High-performance automatic scaling for Layer 7 Internet applications. Scenario 2: High-traffic, low-latency for audio and video applications. Scenario 3: Canary and blue-green releases for cloud-native applications.	Scenario 1: High-traffic or high-concurrency Internet business endpoints. Scenario 2: IoT business endpoints for Internet of vehicles, smart homes, and more. Scenario 3: Active-active disaster recovery and on-premises to cloud endpoints.

4.2 Container Ingress service comparison

Dimension	Nginx Ingress	ALB Ingress
Positioning	A user-managed component. Offers high customizability to meet specific needs.	A fully managed Alibaba Cloud service that provides massive capacity, automatic scaling, and high availability, which eliminates O&M overhead. Rich features and deep integration with various cloud products. It also functions as a LoadBalancer, which reduces load balancing costs. It does not consume pod resources, which saves cluster costs.
Performance	Performance depends on manual tuning of system and Nginx parameters. You need to configure a reasonable number of replicas and resource limits.	A single instance supports up to 1 million QPS. A single instance supports tens of millions of maximum connections. Uses SSL hardware acceleration by default.
Configuration	Reloading the process is required for certificate changes, which can disrupt persistent connections. Non-certificate changes are applied using Lua for rolling updates. However, changes to Lua plugins require a process reload.	Uses the OpenAPI mechanism for highly efficient dynamic configuration. ALB supports hot configuration updates. Upgrades and downgrades do not require a reload, which ensures lossless forwarding for persistent connections.
Features	Supports HTTP and HTTPS protocols. Supports routing by domain name, URL, and HTTP header. Supports canary and blue-green releases.	Supports HTTP, HTTPS, QUIC, WebSocket, WSS, and gRPC protocols. Supports combinations of multiple forwarding conditions and actions, such as header, cookie, and weight. Supports route priority, bi-directional forwarding rules, and canary and blue-green releases.
Security	Supports HTTPS protocol. Supports blacklists and whitelists.	Supports end-to-end HTTPS, SNI for multiple certificates, RSA/ECC dual certificates, TLS 1.3, and TLS cipher suite selection. Integrates with Anti-DDoS by default. WAF protection can be enabled with a single click. Supports ACL blacklists and whitelists. Separates the control plane from the forwarding plane to prevent security vulnerabilities that can arise from shared containers.
O&M	You are responsible for all O&M tasks. Requires proactive configuration of specifications and performance tuning. Scaling is managed using the Horizontal Pod Autoscaler (HPA).	A fully managed service with no O&M overhead and a high SLA. No need to configure specifications. Supports massive capacity by default. Automatic scaling. Processing capacity scales automatically with business peaks.

5. Scenarios

This applies to any scenario that meets the following two conditions:

The backend service is deployed on Alibaba Cloud or on-premises and uses Alibaba Cloud to connect to the Internet.
Users need to access the backend service reliably, securely, and with high performance over the Internet.