VLB stands for vivo load balance. As the IDC traffic entrance of vivo's Internet services, VLB carries the public-network traffic of many important services. This article explores how the HTTPS performance of VLB's Layer 7 load balancer, VUA, was optimized to obtain the best forwarding performance.

1. Overall architecture of vivo VLB

▲ Figure 1 vivo VLB overall architecture

The core of the overall VLB architecture consists of a Layer 4 load balancer, VGW, built on DPDK; a Layer 7 load balancer, VUA, built on Apache APISIX with extended NGINX functionality; and a unified management and operations platform. Its main features are:
This article covers two approaches to optimizing the SSL/TLS performance of the Layer 7 load balancer VUA in VLB: offloading to an Intel QAT accelerator card (QAT_HW) and software acceleration with AVX-512 instructions (QAT_SW).
2. VUA Layer 7 Load Balancing

2.1 Introduction to VUA

At present, the biggest pain points of the company's access layer are dynamic upstreams, dynamic routing, dynamic certificates, gray-release (canary) traffic, blacklists and whitelists, dynamic scheduling, and log query and tracing. To support the sustainable development of the company's business, and in particular the full containerization of business workloads, it is urgent to build a unified access platform that merges the existing online NGINX clusters and Ingress NGINX, carries the company's web, mobile, partner, internal-system and IoT device traffic, matches the access-layer capabilities of the industry, and keeps the business developing smoothly.

VUA definition: vivo Unified Access. The vivo unified access layer is a secondary development based on APISIX 2.4.

2.2 VUA Architecture

▲ Figure 2 APISIX architecture (Image source: Github-apache/apisix)
▲ Figure 3 VUA architecture

3. QAT Acceleration Technology

The Intel QuickAssist Technology OpenSSL Engine (QAT_Engine) supports both hardware acceleration and optimized software based on vectorized instructions. The software path became available with the 3rd Generation Intel® Xeon® Scalable Processors, giving users more options for accelerating their workloads.

3.1 Asynchronous Architecture

VUA extends NGINX's native asynchronous processing framework with an asynchronous event-handling mechanism for asynchronous hardware engines: a TLS operation handed to the engine returns immediately as an OpenSSL asynchronous job, and the worker resumes it when the engine signals completion, so the worker is never blocked while the card (or the AVX-512 batch) does the work. The overall interaction flow is shown in the following figure:
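The following shell script is an added example, not VUA's or Intel's own code, showing what enabling the asynchronous engine path looks like in practice: a check for which of the two acceleration paths a host can use (QAT_SW needs the AVX-512 IFMA instructions of Ice Lake and later; QAT_HW needs a card the driver reports as up, as section 3.3 describes) and an NGINX configuration fragment that switches the worker to asynchronous offload. The `ssl_engine`, `qat_engine` and `ssl_async` directives are those of Intel's asynch_mode_nginx fork and its `ngx_ssl_engine_qat_module`; the `adf_ctl status` check, the `QAT_LIVE` switch and the certificate paths are assumptions for this example, and VUA's own build may name things differently.

```shell
#!/bin/sh
# Added example (not VUA's configuration): decide which QAT path a host can
# use and render the NGINX directives that put OpenSSL into async mode.
# Directive names follow Intel's asynch_mode_nginx / QAT_Engine docs
# (assumption: VUA's build may differ).

# QAT_SW needs AVX-512 IFMA (3rd Gen Xeon Scalable / Ice Lake and later).
# $1 is the "flags" line from /proc/cpuinfo.
qat_sw_capable() {
  case " $1 " in
    *" avx512ifma "*) return 0 ;;
    *) return 1 ;;
  esac
}

# QAT_HW: the kernel driver's adf_ctl tool lists devices (assumption: driver
# package installed); "state: up" means the accelerator is usable.
qat_hw_present() {
  command -v adf_ctl >/dev/null 2>&1 && adf_ctl status 2>/dev/null | grep -q 'state: up'
}

# Pick the path: hw when a card is up, sw when the CPU has IFMA, else none.
# Takes the flags line and a 0/1 hw indicator so it can be tested offline.
choose_qat_path() {
  if [ "$2" = "1" ]; then echo hw
  elif qat_sw_capable "$1"; then echo sw
  else echo none; fi
}

# nginx.conf fragment for async offload: the ssl_engine block configures
# qatengine through ngx_ssl_engine_qat_module; ssl_async on enables
# OpenSSL async jobs for that server so handshakes no longer block a worker.
render_nginx_async_conf() {
  cat <<EOF
load_module modules/ngx_ssl_engine_qat_module.so;

ssl_engine {
    use_engine qatengine;
    default_algorithms ALL;
    qat_engine {
        qat_offload_mode async;
        qat_notify_mode poll;
        qat_poll_mode heuristic;
    }
}

http {
    server {
        listen 443 ssl;
        ssl_certificate     /etc/nginx/tls/server.crt;   # assumed paths
        ssl_certificate_key /etc/nginx/tls/server.key;
        ssl_async on;
    }
}
EOF
}

# Live section, only on a real host: report the path and prove the engine
# loads (openssl engine -t -c prints its algorithms and "[ available ]").
if [ "${QAT_LIVE:-0}" = "1" ]; then
  flags=$(grep -m1 '^flags' /proc/cpuinfo)
  hw=0; qat_hw_present && hw=1
  echo "qat path: $(choose_qat_path "$flags" "$hw")"
  openssl engine -t -c qatengine
  render_nginx_async_conf
fi
```

Run it with `QAT_LIVE=1` on the target host; if `openssl engine -t -c qatengine` does not print `[ available ]`, the engine is not loadable and `ssl_async on` will fall back to software without any acceleration, which is the first thing to rule out when a benchmark shows no gain.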
3.2 Overview of QAT Component Architecture
3.3 QAT_HW and QAT_SW

QAT_HW is based on the QAT hardware accelerator card: qatengine.so links against the QAT user-space driver and is loaded into OpenSSL as an engine. QAT_SW is QAT software acceleration: qatengine.so links against the crypto_mb and ipsec_mb libraries instead. crypto_mb is the Intel Crypto Multi-buffer library, built on the AVX-512 integer fused multiply-add (IFMA) instructions. When the engine is built with qat_sw support, operations are held in batch queues maintained by the engine, and up to 8 requests at a time are submitted through OpenSSL's asynchronous infrastructure to the Crypto Multi-buffer API, which processes them in parallel with AVX-512 vector instructions. Intel® QAT software acceleration mainly targets asymmetric public-key operations and AES-GCM: RSA with key sizes 2048, 3072 and 4096, and AES128-GCM, AES192-GCM and AES256-GCM.

If a platform supports both QAT_HW and QAT_SW, the default is QAT hardware acceleration for asymmetric algorithms and symmetric chained ciphers, and QAT software acceleration for symmetric GCM ciphers. If the platform has no QAT hardware, the asymmetric algorithms supported by qatengine are accelerated with QAT_SW.

The following diagram illustrates the high-level software architecture of QAT_Engine. NGINX and HAProxy are typical applications that interface with OpenSSL. OpenSSL is a toolkit for the TLS/SSL protocols; it exposes a modular engine interface for plugging in device-specific implementations, and the asynchronous job infrastructure that QAT_Engine relies on arrived in version 1.1.0. As described above, QAT_Engine contains two independent internal entities through which acceleration can be performed.

▲ (Image source: Github-intel/QAT_Engine)

4. Comparison of performance improvements of the optimization solutions

4.1 QAT_HW

This solution was tested with an Intel 8970 accelerator card (Intel QuickAssist Adapter 8970), using RSA certificates for HTTPS encryption and decryption.
(1) Test method

The execution machine runs the VUA build adapted to the QAT engine, and the traffic-generator machine performs the stress test. Once CPU load reaches 100%, the QPS of the QAT-optimized VUA is compared with the baseline.

(2) Test scenario

▲ Test scenario (figure)

(3) Comparison of local test data

▲ Performance comparison using the QAT accelerator card (figure)

In the QAT card optimization solution, HTTPS traffic is served through VUA and compared with the scenario using OpenSSL software encryption and decryption:
The performance improvement brought by this optimization solution mainly depends on:
4.2 QAT_SW

This solution was tested on an Intel Xeon Gold 6330 (Ice Lake, which supports the AVX-512 instruction set), using RSA certificates for HTTPS encryption and decryption.

(1) Test method

The execution machine runs the VUA build adapted to the instruction-set optimization, and the traffic-generator machine performs the stress test. Once CPU load reaches 100%, the QPS of the instruction-set-optimized VUA is compared with the baseline.

(2) Test network

▲ Test network (figure)

(3) Comparison of local test data

▲ Performance comparison using instruction-set optimization (figure)

In the instruction-set optimization solution, HTTPS traffic is served through VUA and compared with the scenario using OpenSSL software encryption and decryption:
The performance improvement brought by this optimization solution mainly depends on:
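Before running the full HTTPS QPS comparison described in 4.1 and 4.2, it is worth confirming on the box itself that the engine actually accelerates the RSA operation the handshake depends on. The script below is an added example, not the vivo team's test harness: it runs `openssl speed` on the same key size with and without qatengine, extracts the sign/s column and prints the speedup. The parser locates the column from the header row, so it copes with both the 4-column output of OpenSSL 1.1.1/3.0 and the 8-column output of newer builds. The `-async_jobs 8` flag matters: without it the engine is driven synchronously and the batching described in 3.3 never happens. The `QAT_LIVE` switch and the output file names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the vivo article): software vs qatengine RSA
# throughput via `openssl speed`, a quick check before the HTTPS QPS test.
# Assumes OpenSSL 1.1.1+ with qatengine installed on the live host.

# Print the sign/s value for one RSA key size from `openssl speed` output
# read on stdin. The column index comes from the header row (3 leading
# fields "rsa <bits> bits" on the data line), so 4- and 8-column builds work.
rsa_sign_rate() {
  awk -v bits="$1" '
    /sign\/s/ { for (i = 1; i <= NF; i++) if ($i == "sign/s") col = i + 3 }
    col && $1 == "rsa" && $2 == bits && $3 == "bits" { print $col; exit }
  '
}

# Ratio of engine rate to baseline rate, two decimals.
speedup_ratio() {
  awk -v base="$1" -v eng="$2" 'BEGIN { printf "%.2f\n", eng / base }'
}

# Live run: same key size and duration, with and without the engine.
# -async_jobs 8 keeps up to 8 requests in flight, matching the batch depth
# of the QAT_SW multi-buffer path and letting QAT_HW overlap I/O to the card.
run_speed_pair() {
  bits=${1:-2048}; secs=${2:-5}
  openssl speed -seconds "$secs" "rsa$bits" > sw.txt 2>&1
  openssl speed -seconds "$secs" -engine qatengine -async_jobs 8 "rsa$bits" > qat.txt 2>&1
  sw=$(rsa_sign_rate "$bits" < sw.txt)
  qat=$(rsa_sign_rate "$bits" < qat.txt)
  echo "rsa$bits sign/s: software=$sw qatengine=$qat speedup=$(speedup_ratio "$sw" "$qat")x"
}

if [ "${QAT_LIVE:-0}" = "1" ]; then
  run_speed_pair "$@"
fi
```

A large `openssl speed` ratio does not translate one-to-one into HTTPS QPS: the article's method drives the VUA workers to 100% CPU first, because the offload only shows up as extra QPS once the handshake CPU it frees would otherwise have been the bottleneck.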
5. Summary and Thoughts

To date, vivo VLB supports both Exar acceleration cards and the Intel QAT hardware and software (instruction-set) acceleration solutions in the area of hardware and software acceleration, achieving autonomous control over core network components and laying a solid foundation for a high-performance gateway architecture that empowers the business. Going forward, vivo VLB will continue to build out its access-layer gateway capability system.