阿里云SLB負(fù)載均衡配置

一、概述

1.1 背景介紹

當(dāng)業(yè)務(wù)流量超過單臺服務(wù)器的承載能力，或者需要實(shí)現(xiàn)服務(wù)的高可用時，負(fù)載均衡成為必不可少的基礎(chǔ)設(shè)施。阿里云SLB（Server Load Balancer）作為國內(nèi)使用最廣泛的云負(fù)載均衡服務(wù)，承載著海量的互聯(lián)網(wǎng)流量。

某電商平臺在2024年雙十一期間，通過SLB集群承載了峰值每秒50萬的請求量，后端服務(wù)器從日常的20臺彈性擴(kuò)展到200臺，整個過程對用戶透明，服務(wù)可用性達(dá)到99.99%。這得益于SLB的彈性擴(kuò)展能力、智能健康檢查和多可用區(qū)容災(zāi)設(shè)計。

SLB提供四層（TCP/UDP）和七層（HTTP/HTTPS）負(fù)載均衡能力。四層SLB適合需要極致性能的場景，七層SLB則提供更豐富的流量管理能力，如基于URL的路由、Cookie會話保持、HTTPS卸載等。

1.2 技術(shù)特點(diǎn)

多產(chǎn)品形態(tài)

阿里云負(fù)載均衡產(chǎn)品線包含三個產(chǎn)品：

CLB（Classic Load Balancer）：經(jīng)典負(fù)載均衡，支持四層和七層，技術(shù)成熟穩(wěn)定

ALB（Application Load Balancer）：應(yīng)用負(fù)載均衡，專注七層，支持更豐富的路由規(guī)則

NLB（Network Load Balancer）：網(wǎng)絡(luò)負(fù)載均衡，專注四層，超高性能

2025年的選型建議：新業(yè)務(wù)優(yōu)先考慮ALB/NLB，CLB作為存量業(yè)務(wù)的穩(wěn)定選擇。

彈性伸縮

SLB實(shí)例本身具備自動彈性能力，無需手動擴(kuò)容：

CLB性能保障型實(shí)例按規(guī)格計費(fèi)

ALB/NLB按實(shí)際使用量計費(fèi)，無需選擇規(guī)格

多可用區(qū)容災(zāi)

SLB支持跨可用區(qū)部署，當(dāng)主可用區(qū)故障時自動切換到備可用區(qū)：

主備模式：一個主可用區(qū)，一個備可用區(qū)

多活模式（ALB）：多個可用區(qū)同時服務(wù)

健康檢查

SLB持續(xù)檢測后端服務(wù)器健康狀態(tài)：

四層健康檢查：TCP連接或UDP探測

七層健康檢查：HTTP/HTTPS請求

自動隔離異常服務(wù)器，故障恢復(fù)后自動加回

1.3 適用場景

1.4 環(huán)境要求

二、詳細(xì)步驟

2.1 準(zhǔn)備工作

VPC網(wǎng)絡(luò)規(guī)劃

在創(chuàng)建SLB之前，需要規(guī)劃好網(wǎng)絡(luò)架構(gòu)：

VPC: 10.0.0.0/8
├── 可用區(qū)A
│  ├── 公網(wǎng)子網(wǎng): 10.0.1.0/24 (SLB、NAT網(wǎng)關(guān))
│  └── 私網(wǎng)子網(wǎng): 10.0.10.0/24 (ECS實(shí)例)
├── 可用區(qū)B
│  ├── 公網(wǎng)子網(wǎng): 10.0.2.0/24 (SLB備份)
│  └── 私網(wǎng)子網(wǎng): 10.0.20.0/24 (ECS實(shí)例)
└── 可用區(qū)C
  └── 私網(wǎng)子網(wǎng): 10.0.30.0/24 (ECS實(shí)例擴(kuò)展)

后端服務(wù)器準(zhǔn)備

確保后端ECS實(shí)例運(yùn)行正常：

# 檢查Web服務(wù)狀態(tài)
systemctl status nginx

# 確認(rèn)端口監(jiān)聽
ss -tlnp | grep':80|:443'

# 測試本地服務(wù)
curl -I http://localhost/health

# 檢查安全組規(guī)則（允許SLB健康檢查）
# 源地址：100.64.0.0/10（SLB健康檢查網(wǎng)段）
# 端口：業(yè)務(wù)端口

使用Terraform準(zhǔn)備基礎(chǔ)設(shè)施

# main.tf
provider "alicloud" {
 region = "cn-hangzhou"
}

# VPC
resource "alicloud_vpc" "main" {
 vpc_name  = "prod-vpc"
 cidr_block = "10.0.0.0/8"
}

# 交換機(jī) - 可用區(qū)A
resource "alicloud_vswitch" "zone_a" {
 vpc_id   = alicloud_vpc.main.id
 cidr_block = "10.0.10.0/24"
 zone_id  = "cn-hangzhou-h"
 vswitch_name = "prod-vsw-a"
}

# 交換機(jī) - 可用區(qū)B
resource "alicloud_vswitch" "zone_b" {
 vpc_id   = alicloud_vpc.main.id
 cidr_block = "10.0.20.0/24"
 zone_id  = "cn-hangzhou-i"
 vswitch_name = "prod-vsw-b"
}

# 安全組
resource "alicloud_security_group" "web" {
 name    = "web-sg"
 vpc_id   = alicloud_vpc.main.id
 description = "Security group for web servers"
}

# 安全組規(guī)則 - 允許SLB健康檢查
resource "alicloud_security_group_rule" "slb_health_check" {
 type       = "ingress"
 ip_protocol    = "tcp"
 port_range    = "80/80"
 security_group_id = alicloud_security_group.web.id
 cidr_ip      = "100.64.0.0/10"
 description    = "Allow SLB health check"
}

# ECS實(shí)例
resource "alicloud_instance" "web" {
 count      = 4
 instance_name  = "web-${count.index + 1}"
 image_id    = "aliyun_3_x64_20G_alibase_20231220.vhd"
 instance_type  = "ecs.g7.large"
 security_groups = [alicloud_security_group.web.id]
 vswitch_id   = count.index % 2 == 0 ? alicloud_vswitch.zone_a.id : alicloud_vswitch.zone_b.id

 system_disk_category = "cloud_essd"
 system_disk_size   = 40

 tags = {
  Environment = "prod"
  Role    = "web"
 }
}

2.2 核心配置

創(chuàng)建CLB實(shí)例

通過控制臺創(chuàng)建：

登錄SLB控制臺 -> 實(shí)例管理 -> 創(chuàng)建負(fù)載均衡

選擇配置：

實(shí)例類型：傳統(tǒng)型負(fù)載均衡CLB

實(shí)例規(guī)格：性能保障型（根據(jù)業(yè)務(wù)選擇）

網(wǎng)絡(luò)類型：公網(wǎng)/私網(wǎng)

主可用區(qū)：cn-hangzhou-h

備可用區(qū)：cn-hangzhou-i

通過Terraform創(chuàng)建：

# CLB實(shí)例
resource "alicloud_slb_load_balancer" "main" {
 load_balancer_name = "prod-clb"
 address_type    = "internet"
 load_balancer_spec = "slb.s3.medium"
 vswitch_id     = alicloud_vswitch.zone_a.id
 master_zone_id   = "cn-hangzhou-h"
 slave_zone_id   = "cn-hangzhou-i"

 tags = {
  Environment = "prod"
 }
}

# HTTP監(jiān)聽
resource "alicloud_slb_listener" "http" {
 load_balancer_id     = alicloud_slb_load_balancer.main.id
 backend_port       = 80
 frontend_port       = 80
 protocol         = "http"
 bandwidth         = -1
 sticky_session      = "on"
 sticky_session_type    = "insert"
 cookie_timeout      = 86400
 health_check       = "on"
 health_check_type     = "http"
 health_check_uri     = "/health"
 health_check_connect_port = 80
 healthy_threshold     = 3
 unhealthy_threshold    = 3
 health_check_timeout   = 5
 health_check_interval   = 2
 health_check_http_code  = "http_2xx,http_3xx"
 x_forwarded_for {
  retrive_slb_ip = true
  retrive_slb_id = true
 }
 gzip        = true
 request_timeout   = 60
 idle_timeout    = 15
}

創(chuàng)建ALB實(shí)例

ALB更適合現(xiàn)代Web應(yīng)用：

# ALB實(shí)例
resource "alicloud_alb_load_balancer" "main" {
 vpc_id         = alicloud_vpc.main.id
 address_type      = "Internet"
 address_allocated_mode = "Dynamic"
 load_balancer_name   = "prod-alb"
 load_balancer_edition = "Standard"
 load_balancer_billing_config {
  pay_type = "PayAsYouGo"
 }
 zone_mappings {
  vswitch_id = alicloud_vswitch.zone_a.id
  zone_id  = "cn-hangzhou-h"
 }
 zone_mappings {
  vswitch_id = alicloud_vswitch.zone_b.id
  zone_id  = "cn-hangzhou-i"
 }
}

# 服務(wù)器組
resource "alicloud_alb_server_group" "main" {
 protocol     = "HTTP"
 vpc_id      = alicloud_vpc.main.id
 server_group_name = "prod-server-group"
 server_group_type = "Instance"

 health_check_config {
  health_check_connect_port = 80
  health_check_enabled   = true
  health_check_host     = "$SERVER_IP"
  health_check_http_version = "HTTP1.1"
  health_check_interval   = 2
  health_check_method    = "GET"
  health_check_path     = "/health"
  health_check_protocol   = "HTTP"
  health_check_timeout   = 5
  healthy_threshold     = 3
  unhealthy_threshold    = 3
  health_check_codes    = ["http_2xx", "http_3xx"]
 }

 sticky_session_config {
  sticky_session_enabled = true
  sticky_session_type  = "Insert"
  cookie_timeout     = 86400
 }
}

# 添加后端服務(wù)器
resource "alicloud_alb_server_group_server_attachment" "main" {
 count      = 4
 server_group_id = alicloud_alb_server_group.main.id
 server_id    = alicloud_instance.web[count.index].id
 server_ip    = alicloud_instance.web[count.index].private_ip
 server_type   = "Ecs"
 port      = 80
 weight     = 100
}

# 監(jiān)聽器
resource "alicloud_alb_listener" "http" {
 load_balancer_id   = alicloud_alb_load_balancer.main.id
 listener_protocol  = "HTTP"
 listener_port    = 80
 listener_description = "HTTP Listener"
 default_actions {
  type = "ForwardGroup"
  forward_group_config {
   server_group_tuples {
    server_group_id = alicloud_alb_server_group.main.id
   }
  }
 }
}

配置HTTPS監(jiān)聽

# 上傳SSL證書
resource "alicloud_slb_server_certificate" "main" {
 name        = "prod-cert"
 server_certificate = file("${path.module}/certs/server.crt")
 private_key    = file("${path.module}/certs/server.key")
}

# HTTPS監(jiān)聽（CLB）
resource "alicloud_slb_listener" "https" {
 load_balancer_id     = alicloud_slb_load_balancer.main.id
 backend_port       = 80
 frontend_port       = 443
 protocol         = "https"
 bandwidth         = -1
 server_certificate_id   = alicloud_slb_server_certificate.main.id
 tls_cipher_policy     = "tls_cipher_policy_1_2"
 sticky_session      = "on"
 sticky_session_type    = "insert"
 cookie_timeout      = 86400
 health_check       = "on"
 health_check_uri     = "/health"
 healthy_threshold     = 3
 unhealthy_threshold    = 3
 health_check_timeout   = 5
 health_check_interval   = 2
 health_check_http_code  = "http_2xx,http_3xx"
 x_forwarded_for {
  retrive_slb_ip = true
  retrive_slb_id = true
 }
 gzip      = true
 request_timeout = 60
 idle_timeout  = 15
}

# HTTP重定向到HTTPS
resource "alicloud_slb_listener" "http_redirect" {
 load_balancer_id = alicloud_slb_load_balancer.main.id
 frontend_port  = 80
 protocol     = "http"
 bandwidth    = -1
 listener_forward = "on"
 forward_port   = 443
}

ALB HTTPS配置（推薦）

# 創(chuàng)建HTTPS監(jiān)聽（ALB）
resource "alicloud_alb_listener" "https" {
 load_balancer_id   = alicloud_alb_load_balancer.main.id
 listener_protocol  = "HTTPS"
 listener_port    = 443
 listener_description = "HTTPS Listener"

 certificates {
  certificate_id = alicloud_slb_server_certificate.main.id
 }

 default_actions {
  type = "ForwardGroup"
  forward_group_config {
   server_group_tuples {
    server_group_id = alicloud_alb_server_group.main.id
   }
  }
 }
}

# HTTP到HTTPS重定向規(guī)則
resource "alicloud_alb_rule" "http_to_https" {
 rule_name  = "http-to-https"
 listener_id = alicloud_alb_listener.http.id
 priority  = 1

 rule_conditions {
  type = "Header"
  header_config {
   key  = "X-Forwarded-Proto"
   values = ["http"]
  }
 }

 rule_actions {
  order = 1
  type = "Redirect"
  redirect_config {
   protocol  = "HTTPS"
   port    = "443"
   http_code = "301"
  }
 }
}

2.3 啟動和驗證

驗證SLB狀態(tài)

# 使用阿里云CLI查看SLB狀態(tài)
aliyun slb DescribeLoadBalancers 
  --RegionId cn-hangzhou 
  --LoadBalancerId lb-xxx

# 查看監(jiān)聽狀態(tài)
aliyun slb DescribeLoadBalancerListeners 
  --RegionId cn-hangzhou 
  --LoadBalancerId lb-xxx

# 查看后端服務(wù)器健康狀態(tài)
aliyun slb DescribeHealthStatus 
  --RegionId cn-hangzhou 
  --LoadBalancerId lb-xxx 
  --ListenerPort 80

測試負(fù)載均衡效果

# 獲取SLB公網(wǎng)IP
SLB_IP=$(aliyun slb DescribeLoadBalancers 
  --LoadBalancerId lb-xxx 
  --output cols=Address | tail -1)

# 測試HTTP請求
curl -I http://${SLB_IP}/

# 多次請求觀察負(fù)載均衡效果
foriin{1..10};do
  curl -s http://${SLB_IP}/server-info | jq'.hostname'
done

# 測試會話保持
# 使用相同cookie多次請求，應(yīng)該路由到同一后端
curl -c cookie.txt http://${SLB_IP}/
foriin{1..5};do
  curl -b cookie.txt -s http://${SLB_IP}/server-info | jq'.hostname'
done

# 測試HTTPS
curl -I https://www.example.com/

# 測試健康檢查
# 停止一臺后端服務(wù)器的服務(wù)
ssh web-1"systemctl stop nginx"
# 等待健康檢查失敗（約10秒）
sleep 15
# 檢查后端服務(wù)器狀態(tài)
aliyun slb DescribeHealthStatus 
  --LoadBalancerId lb-xxx 
  --ListenerPort 80

壓力測試

# 使用wrk進(jìn)行壓力測試
wrk -t12 -c400 -d30s http://${SLB_IP}/

# 使用ab測試
ab -n 10000 -c 100 http://${SLB_IP}/

# 觀察SLB監(jiān)控指標(biāo)
# 控制臺 -> SLB -> 監(jiān)控 -> 查看QPS、連接數(shù)、流量等

三、示例代碼和配置

3.1 完整配置示例

生產(chǎn)級ALB完整配置

# variables.tf
variable "region" {
 default = "cn-hangzhou"
}

variable "environment" {
 default = "prod"
}

variable "domain" {
 default = "example.com"
}

# main.tf
terraform {
 required_providers {
  alicloud = {
   source = "aliyun/alicloud"
   version = "~> 1.210"
  }
 }
}

provider "alicloud" {
 region = var.region
}

# 獲取可用區(qū)
data "alicloud_zones" "available" {
 available_resource_creation = "VSwitch"
}

# VPC
resource "alicloud_vpc" "main" {
 vpc_name  = "${var.environment}-vpc"
 cidr_block = "10.0.0.0/8"
}

# 交換機(jī)
resource "alicloud_vswitch" "main" {
 count    = 2
 vpc_id    = alicloud_vpc.main.id
 cidr_block  = "10.0.${count.index + 1}0.0/24"
 zone_id   = data.alicloud_zones.available.zones[count.index].id
 vswitch_name = "${var.environment}-vsw-${count.index + 1}"
}

# ALB實(shí)例
resource "alicloud_alb_load_balancer" "main" {
 vpc_id         = alicloud_vpc.main.id
 address_type      = "Internet"
 address_allocated_mode = "Dynamic"
 load_balancer_name   = "${var.environment}-alb"
 load_balancer_edition = "Standard"

 load_balancer_billing_config {
  pay_type = "PayAsYouGo"
 }

 modification_protection_config {
  status = "ConsoleProtection"
  reason = "Production ALB"
 }

 dynamic "zone_mappings" {
  for_each = alicloud_vswitch.main
  content {
   vswitch_id = zone_mappings.value.id
   zone_id  = zone_mappings.value.zone_id
  }
 }

 tags = {
  Environment = var.environment
  ManagedBy  = "terraform"
 }
}

# 默認(rèn)服務(wù)器組
resource "alicloud_alb_server_group" "default" {
 protocol     = "HTTP"
 vpc_id      = alicloud_vpc.main.id
 server_group_name = "${var.environment}-default-sg"
 server_group_type = "Instance"

 health_check_config {
  health_check_enabled   = true
  health_check_connect_port = 80
  health_check_host     = "$SERVER_IP"
  health_check_http_version = "HTTP1.1"
  health_check_interval   = 2
  health_check_method    = "GET"
  health_check_path     = "/health"
  health_check_protocol   = "HTTP"
  health_check_timeout   = 5
  healthy_threshold     = 3
  unhealthy_threshold    = 3
  health_check_codes    = ["http_2xx", "http_3xx"]
 }

 sticky_session_config {
  sticky_session_enabled = true
  sticky_session_type  = "Insert"
  cookie_timeout     = 86400
 }

 tags = {
  Environment = var.environment
 }
}

# API服務(wù)器組
resource "alicloud_alb_server_group" "api" {
 protocol     = "HTTP"
 vpc_id      = alicloud_vpc.main.id
 server_group_name = "${var.environment}-api-sg"
 server_group_type = "Instance"

 health_check_config {
  health_check_enabled   = true
  health_check_connect_port = 8080
  health_check_path     = "/api/health"
  health_check_protocol   = "HTTP"
  health_check_interval   = 2
  health_check_timeout   = 5
  healthy_threshold     = 3
  unhealthy_threshold    = 3
  health_check_codes    = ["http_2xx"]
 }

 sticky_session_config {
  sticky_session_enabled = false
 }
}

# 靜態(tài)資源服務(wù)器組
resource "alicloud_alb_server_group" "static" {
 protocol     = "HTTP"
 vpc_id      = alicloud_vpc.main.id
 server_group_name = "${var.environment}-static-sg"
 server_group_type = "Instance"

 health_check_config {
  health_check_enabled   = true
  health_check_connect_port = 80
  health_check_path     = "/static/health.txt"
  health_check_protocol   = "HTTP"
  health_check_interval   = 5
  health_check_timeout   = 5
  healthy_threshold     = 2
  unhealthy_threshold    = 2
  health_check_codes    = ["http_2xx"]
 }

 sticky_session_config {
  sticky_session_enabled = false
 }
}

# HTTPS監(jiān)聽
resource "alicloud_alb_listener" "https" {
 load_balancer_id   = alicloud_alb_load_balancer.main.id
 listener_protocol  = "HTTPS"
 listener_port    = 443
 listener_description = "Production HTTPS"

 certificates {
  certificate_id = alicloud_ssl_certificates_service_certificate.main.id
 }

 default_actions {
  type = "ForwardGroup"
  forward_group_config {
   server_group_tuples {
    server_group_id = alicloud_alb_server_group.default.id
   }
  }
 }
}

# HTTP監(jiān)聽（重定向到HTTPS）
resource "alicloud_alb_listener" "http" {
 load_balancer_id   = alicloud_alb_load_balancer.main.id
 listener_protocol  = "HTTP"
 listener_port    = 80
 listener_description = "HTTP to HTTPS redirect"

 default_actions {
  type = "Redirect"
  redirect_config {
   protocol = "HTTPS"
   port   = "443"
   http_code = "301"
  }
 }
}

# 轉(zhuǎn)發(fā)規(guī)則 - API路由
resource "alicloud_alb_rule" "api" {
 rule_name  = "api-route"
 listener_id = alicloud_alb_listener.https.id
 priority  = 10

 rule_conditions {
  type = "Path"
  path_config {
   values = ["/api/*"]
  }
 }

 rule_actions {
  order = 1
  type = "ForwardGroup"
  forward_group_config {
   server_group_tuples {
    server_group_id = alicloud_alb_server_group.api.id
   }
  }
 }
}

# 轉(zhuǎn)發(fā)規(guī)則 - 靜態(tài)資源路由
resource "alicloud_alb_rule" "static" {
 rule_name  = "static-route"
 listener_id = alicloud_alb_listener.https.id
 priority  = 20

 rule_conditions {
  type = "Path"
  path_config {
   values = ["/static/*", "/assets/*", "*.css", "*.js", "*.png", "*.jpg"]
  }
 }

 rule_actions {
  order = 1
  type = "ForwardGroup"
  forward_group_config {
   server_group_tuples {
    server_group_id = alicloud_alb_server_group.static.id
   }
  }
 }
}

# 轉(zhuǎn)發(fā)規(guī)則 - 添加響應(yīng)頭
resource "alicloud_alb_rule" "security_headers" {
 rule_name  = "security-headers"
 listener_id = alicloud_alb_listener.https.id
 priority  = 1

 rule_conditions {
  type = "Path"
  path_config {
   values = ["/*"]
  }
 }

 rule_actions {
  order = 1
  type = "InsertHeader"
  insert_header_config {
   key     = "X-Content-Type-Options"
   value    = "nosniff"
   value_type = "UserDefined"
  }
 }

 rule_actions {
  order = 2
  type = "InsertHeader"
  insert_header_config {
   key     = "X-Frame-Options"
   value    = "SAMEORIGIN"
   value_type = "UserDefined"
  }
 }

 rule_actions {
  order = 3
  type = "ForwardGroup"
  forward_group_config {
   server_group_tuples {
    server_group_id = alicloud_alb_server_group.default.id
   }
  }
 }
}

# 輸出
output "alb_dns_name" {
 value = alicloud_alb_load_balancer.main.dns_name
}

output "alb_id" {
 value = alicloud_alb_load_balancer.main.id
}

NLB四層負(fù)載均衡配置

# NLB實(shí)例
resource "alicloud_nlb_load_balancer" "main" {
 load_balancer_name = "${var.environment}-nlb"
 load_balancer_type = "Network"
 address_type    = "Internet"
 address_ip_version = "Ipv4"
 vpc_id       = alicloud_vpc.main.id

 zone_mappings {
  vswitch_id = alicloud_vswitch.main[0].id
  zone_id  = alicloud_vswitch.main[0].zone_id
 }
 zone_mappings {
  vswitch_id = alicloud_vswitch.main[1].id
  zone_id  = alicloud_vswitch.main[1].zone_id
 }
}

# 服務(wù)器組
resource "alicloud_nlb_server_group" "main" {
 server_group_name = "${var.environment}-nlb-sg"
 server_group_type = "Instance"
 vpc_id      = alicloud_vpc.main.id
 scheduler     = "Wrr"
 protocol     = "TCP"

 health_check {
  health_check_enabled     = true
  health_check_type      = "TCP"
  health_check_connect_port  = 0
  healthy_threshold      = 2
  unhealthy_threshold     = 2
  health_check_connect_timeout = 5
  health_check_interval    = 10
 }

 connection_drain      = true
 connection_drain_timeout  = 60
 preserve_client_ip_enabled = true
}

# TCP監(jiān)聽
resource "alicloud_nlb_listener" "tcp" {
 listener_protocol   = "TCP"
 listener_port     = 3306
 listener_description  = "MySQL Proxy"
 load_balancer_id    = alicloud_nlb_load_balancer.main.id
 server_group_id    = alicloud_nlb_server_group.main.id
 idle_timeout      = 900
 proxy_protocol_enabled = false
}

# UDP監(jiān)聽（游戲服務(wù)）
resource "alicloud_nlb_listener" "udp" {
 listener_protocol  = "UDP"
 listener_port    = 27015
 listener_description = "Game Server"
 load_balancer_id   = alicloud_nlb_load_balancer.main.id
 server_group_id   = alicloud_nlb_server_group.game.id
}

3.2 實(shí)際應(yīng)用案例

案例一：電商大促高可用架構(gòu)

某電商平臺日常流量約5000 QPS，雙十一峰值預(yù)估50000 QPS。

架構(gòu)設(shè)計：

          ┌─────────────────────────────────────┐
          │      DNS (GTM)         │
          │  主站: www.example.com      │
          └─────────────┬───────────────────────┘
                 │
      ┌─────────────────────┼─────────────────────┐
      ▼           ▼           ▼
  ┌───────────────┐   ┌───────────────┐   ┌───────────────┐
  │ ALB (杭州)  │   │ ALB (上海)  │   │ ALB (北京)  │
  │ 主可用區(qū)A/B │   │ 主可用區(qū)A/B │   │ 主可用區(qū)A/B │
  └───────┬───────┘   └───────┬───────┘   └───────┬───────┘
      │           │           │
  ┌───────┼───────┐   ┌───────┼───────┐   ┌───────┼───────┐
  ▼    ▼    ▼   ▼    ▼    ▼   ▼    ▼    ▼
┌──────┐┌──────┐┌──────┐┌──────┐┌──────┐┌──────┐┌──────┐┌──────┐┌──────┐
│ECS×10││ECS×10││ECS×10││ECS×10││ECS×10││ECS×10││ECS×10││ECS×10││ECS×10│
│ AZ-A ││ AZ-B ││ AZ-C ││ AZ-A ││ AZ-B ││ AZ-C ││ AZ-A ││ AZ-B ││ AZ-C │
└──────┘└──────┘└──────┘└──────┘└──────┘└──────┘└──────┘└──────┘└──────┘

關(guān)鍵配置：

多地域部署：GTM實(shí)現(xiàn)地域調(diào)度，用戶就近訪問

多可用區(qū)：每個地域ALB跨3個可用區(qū)

彈性伸縮：ECS配合ESS自動擴(kuò)縮容

# ESS彈性伸縮組
resource "alicloud_ess_scaling_group" "web" {
 min_size      = 10
 max_size      = 200
 scaling_group_name = "prod-web-asg"
 vswitch_ids    = alicloud_vswitch.main[*].id

 # 關(guān)聯(lián)ALB服務(wù)器組
 alb_server_group {
  alb_server_group_id = alicloud_alb_server_group.default.id
  weight       = 100
  port        = 80
 }
}

# 擴(kuò)容規(guī)則 - QPS觸發(fā)
resource "alicloud_ess_scaling_rule" "scale_out" {
 scaling_group_id = alicloud_ess_scaling_group.web.id
 scaling_rule_name = "scale-out-qps"
 scaling_rule_type = "TargetTrackingScalingRule"
 target_value   = 1000 # 每實(shí)例目標(biāo)QPS
 metric_name    = "ALBQPSPerInstance"
}

# 縮容規(guī)則
resource "alicloud_ess_scaling_rule" "scale_in" {
 scaling_group_id = alicloud_ess_scaling_group.web.id
 scaling_rule_name = "scale-in"
 scaling_rule_type = "SimpleScalingRule"
 adjustment_type  = "QuantityChangeInCapacity"
 adjustment_value = -2
 cooldown     = 300
}

案例二：微服務(wù)API網(wǎng)關(guān)

使用ALB作為微服務(wù)的統(tǒng)一入口，實(shí)現(xiàn)基于路徑的路由。

# 服務(wù)器組定義
locals {
 services = {
  user = {
   path   = "/api/user/*"
   port   = 8001
   priority = 10
  }
  order = {
   path   = "/api/order/*"
   port   = 8002
   priority = 20
  }
  product = {
   path   = "/api/product/*"
   port   = 8003
   priority = 30
  }
  payment = {
   path   = "/api/payment/*"
   port   = 8004
   priority = 40
  }
 }
}

# 為每個服務(wù)創(chuàng)建服務(wù)器組
resource "alicloud_alb_server_group" "services" {
 for_each = local.services

 protocol     = "HTTP"
 vpc_id      = alicloud_vpc.main.id
 server_group_name = "${var.environment}-${each.key}-sg"
 server_group_type = "Instance"

 health_check_config {
  health_check_enabled   = true
  health_check_connect_port = each.value.port
  health_check_path     = "/health"
  health_check_protocol   = "HTTP"
  health_check_interval   = 2
  healthy_threshold     = 3
  unhealthy_threshold    = 3
  health_check_codes    = ["http_2xx"]
 }
}

# 為每個服務(wù)創(chuàng)建路由規(guī)則
resource "alicloud_alb_rule" "services" {
 for_each = local.services

 rule_name  = "${each.key}-route"
 listener_id = alicloud_alb_listener.https.id
 priority  = each.value.priority

 rule_conditions {
  type = "Path"
  path_config {
   values = [each.value.path]
  }
 }

 rule_actions {
  order = 1
  type = "ForwardGroup"
  forward_group_config {
   server_group_tuples {
    server_group_id = alicloud_alb_server_group.services[each.key].id
   }
  }
 }
}

案例三：灰度發(fā)布配置

# 生產(chǎn)服務(wù)器組
resource "alicloud_alb_server_group" "prod" {
 server_group_name = "prod-sg"
 # ... 配置省略
}

# 灰度服務(wù)器組
resource "alicloud_alb_server_group" "canary" {
 server_group_name = "canary-sg"
 # ... 配置省略
}

# 灰度規(guī)則 - 按Header路由
resource "alicloud_alb_rule" "canary_header" {
 rule_name  = "canary-by-header"
 listener_id = alicloud_alb_listener.https.id
 priority  = 5

 rule_conditions {
  type = "Header"
  header_config {
   key  = "X-Canary"
   values = ["true"]
  }
 }

 rule_actions {
  order = 1
  type = "ForwardGroup"
  forward_group_config {
   server_group_tuples {
    server_group_id = alicloud_alb_server_group.canary.id
   }
  }
 }
}

# 灰度規(guī)則 - 按百分比路由
resource "alicloud_alb_rule" "canary_weight" {
 rule_name  = "canary-by-weight"
 listener_id = alicloud_alb_listener.https.id
 priority  = 100

 rule_conditions {
  type = "Path"
  path_config {
   values = ["/*"]
  }
 }

 rule_actions {
  order = 1
  type = "ForwardGroup"
  forward_group_config {
   server_group_tuples {
    server_group_id = alicloud_alb_server_group.prod.id
    weight     = 90
   }
   server_group_tuples {
    server_group_id = alicloud_alb_server_group.canary.id
    weight     = 10
   }
  }
 }
}

四、最佳實(shí)踐和注意事項

4.1 最佳實(shí)踐

性能優(yōu)化

選擇合適的實(shí)例規(guī)格

CLB規(guī)格選擇參考：
- slb.s1.small: 最大連接數(shù)5000, QPS 1000
- slb.s2.small: 最大連接數(shù)50000, QPS 5000
- slb.s2.medium: 最大連接數(shù)100000, QPS 10000
- slb.s3.small: 最大連接數(shù)200000, QPS 20000
- slb.s3.medium: 最大連接數(shù)500000, QPS 50000
- slb.s3.large: 最大連接數(shù)1000000, QPS 100000

ALB/NLB按量付費(fèi)，無需選擇規(guī)格。

優(yōu)化健康檢查配置

# 推薦配置
health_check_config {
 health_check_interval   = 2  # 檢查間隔2秒
 health_check_timeout   = 5  # 超時5秒
 healthy_threshold     = 3  # 連續(xù)3次成功視為健康
 unhealthy_threshold    = 3  # 連續(xù)3次失敗視為不健康
}

# 故障檢測時間 = interval × unhealthy_threshold = 6秒
# 恢復(fù)檢測時間 = interval × healthy_threshold = 6秒

啟用連接復(fù)用

# 后端Nginx配置，支持HTTP Keep-Alive
upstream backend {
  keepalive 100; # 保持100個長連接
}

server {
  location / {
    proxy_http_version 1.1;
    proxy_set_header Connection "";
  }
}

安全加固

TLS配置

# 使用安全的TLS策略
tls_cipher_policy = "tls_cipher_policy_1_2"

# TLS 1.2+，禁用弱加密套件
# 支持的策略：
# - tls_cipher_policy_1_0: 兼容性最好，安全性最低
# - tls_cipher_policy_1_1: 禁用SSLv3
# - tls_cipher_policy_1_2: 僅TLS 1.2，推薦
# - tls_cipher_policy_1_2_strict: TLS 1.2，更嚴(yán)格的加密套件
# - tls_cipher_policy_1_2_strict_with_1_3: TLS 1.2/1.3，最安全

訪問控制

# ALB訪問控制
resource "alicloud_alb_acl" "whitelist" {
 acl_name = "office-whitelist"

 acl_entries {
  entry    = "1.2.3.0/24"
  description = "Office Network"
 }
 acl_entries {
  entry    = "4.5.6.0/24"
  description = "VPN Gateway"
 }
}

# 關(guān)聯(lián)到監(jiān)聽
resource "alicloud_alb_listener" "admin" {
 # ...
 acl_config {
  acl_type = "White"
  acl_relations {
   acl_id = alicloud_alb_acl.whitelist.id
  }
 }
}

DDoS防護(hù)

# 關(guān)聯(lián)DDoS高防
resource "alicloud_ddoscoo_instance" "main" {
 name       = "prod-ddos"
 bandwidth     = 30
 base_bandwidth  = 30
 service_bandwidth = 100
 port_count    = 50
 domain_count   = 50
}

高可用配置

跨可用區(qū)部署

# 至少2個可用區(qū)
zone_mappings {
 vswitch_id = alicloud_vswitch.zone_a.id
 zone_id  = "cn-hangzhou-h"
}
zone_mappings {
 vswitch_id = alicloud_vswitch.zone_b.id
 zone_id  = "cn-hangzhou-i"
}

后端服務(wù)器分布

# 后端服務(wù)器均勻分布在多個可用區(qū)
resource "alicloud_instance" "web" {
 count   = 6
 vswitch_id = element(alicloud_vswitch.main[*].id, count.index % 2)
 # 實(shí)例0,2,4在AZ-A，實(shí)例1,3,5在AZ-B
}

故障轉(zhuǎn)移測試

# 模擬可用區(qū)故障
# 1. 停止一個可用區(qū)的所有實(shí)例
# 2. 觀察SLB自動切換到其他可用區(qū)
# 3. 驗證服務(wù)可用性

4.2 注意事項

健康檢查配置注意事項

# 確保后端健康檢查端點(diǎn)正常
# 1. 返回2xx或3xx狀態(tài)碼
# 2. 響應(yīng)時間<健康檢查超時時間
# 3. 檢查路徑存在且可訪問

# 檢查示例
curl -I http://backend-server/health
# 期望輸出: HTTP/1.1 200 OK

會話保持注意事項

會話保持類型選擇：
- Insert Cookie: SLB植入Cookie，后端無感知
- Rewrite Cookie: SLB重寫后端返回的Cookie
- Server Cookie: 使用后端指定的Cookie

注意：
1. Insert Cookie需要客戶端支持Cookie
2. 移動端APP需要正確處理Cookie
3. 會話保持可能導(dǎo)致負(fù)載不均衡

五、故障排查和監(jiān)控

5.1 故障排查

健康檢查故障排查

# 步驟1: 確認(rèn)安全組規(guī)則
aliyun ecs DescribeSecurityGroupAttribute 
  --SecurityGroupId sg-xxx 
  --Direction ingress | grep 100.64

# 步驟2: 從SLB健康檢查網(wǎng)段模擬檢查
# 在同VPC的ECS上執(zhí)行
curl -I http://backend-ip:80/health

# 步驟3: 檢查后端服務(wù)狀態(tài)
ssh backend-server"systemctl status nginx"
ssh backend-server"curl -I localhost/health"

# 步驟4: 檢查SLB監(jiān)聽配置
aliyun slb DescribeLoadBalancerHTTPListenerAttribute 
  --LoadBalancerId lb-xxx 
  --ListenerPort 80

連接問題排查

# 檢查SLB連接數(shù)
aliyun cms DescribeMetricLast 
  --Namespace acs_slb_dashboard 
  --MetricName ActiveConnection 
  --Dimensions'[{"instanceId":"lb-xxx"}]'

# 檢查后端連接數(shù)
ss -s
netstat -an | grep ESTABLISHED | wc -l

# 檢查TIME_WAIT
netstat -an | grep TIME_WAIT | wc -l

# 優(yōu)化內(nèi)核參數(shù)（后端服務(wù)器）
cat >> /etc/sysctl.conf <

	

	性能問題排查

	
# 檢查SLB QPS和延遲
aliyun cms DescribeMetricList 
  --Namespace acs_slb_dashboard 
  --MetricName Qps 
  --Dimensions'[{"instanceId":"lb-xxx"}]'
  --StartTime"2025-01-09T0000Z"
  --EndTime"2025-01-09T2359Z"

# 檢查后端響應(yīng)時間
aliyun cms DescribeMetricList 
  --Namespace acs_slb_dashboard 
  --MetricName Rt 
  --Dimensions'[{"instanceId":"lb-xxx"}]'

# 使用curl測試響應(yīng)時間
curl -w"@curl-format.txt"-o /dev/null -s http://slb-ip/
# curl-format.txt內(nèi)容:
# time_namelookup: %{time_namelookup}

# time_connect: %{time_connect}

# time_appconnect: %{time_appconnect}

# time_pretransfer: %{time_pretransfer}

# time_redirect: %{time_redirect}

# time_starttransfer: %{time_starttransfer}

# time_total: %{time_total}



	

	5.2 性能監(jiān)控

	云監(jiān)控配置

	
# 創(chuàng)建報警規(guī)則
resource "alicloud_cms_alarm" "slb_qps" {
 name  = "slb-qps-high"
 project = "acs_slb_dashboard"
 metric = "Qps"

 dimensions = {
  instanceId = alicloud_slb_load_balancer.main.id
 }

 escalations_critical {
  statistics     = "Average"
  comparison_operator = ">="
  threshold      = "50000"
  times        = 3
 }

 contact_groups = ["ops-team"]
 period     = 60
}

resource "alicloud_cms_alarm" "slb_5xx" {
 name  = "slb-5xx-high"
 project = "acs_slb_dashboard"
 metric = "StatusCode5xx"

 dimensions = {
  instanceId = alicloud_slb_load_balancer.main.id
  port    = "443"
 }

 escalations_critical {
  statistics     = "Sum"
  comparison_operator = ">="
  threshold      = "100"
  times        = 3
 }

 contact_groups = ["ops-team"]
 period     = 60
}

resource "alicloud_cms_alarm" "unhealthy_servers" {
 name  = "slb-unhealthy-servers"
 project = "acs_slb_dashboard"
 metric = "UnhealthyServerCount"

 dimensions = {
  instanceId = alicloud_slb_load_balancer.main.id
  port    = "443"
 }

 escalations_critical {
  statistics     = "Average"
  comparison_operator = ">="
  threshold      = "1"
  times        = 2
 }

 contact_groups = ["ops-team"]
 period     = 60
}


	

	關(guān)鍵監(jiān)控指標(biāo)

				指標(biāo)名稱
			

				說明
			

				告警閾值建議
		

				Qps
			

				每秒請求數(shù)
			

				>80%規(guī)格上限
		

				ActiveConnection
			

				活躍連接數(shù)
			

				>80%規(guī)格上限
		

				NewConnection
			

				新建連接數(shù)
			

				>80%規(guī)格上限
		

				TrafficRX/TX
			

				流入/流出流量
			

				>80%帶寬
		

				StatusCode5xx
			

				5xx錯誤數(shù)
			

				>1%總請求
		

				StatusCode4xx
			

				4xx錯誤數(shù)
			

				>5%總請求
		

				Rt
			

				平均響應(yīng)時間
			

				>500ms
		

				UnhealthyServerCount
			

				不健康服務(wù)器數(shù)
			

				>=1
		

	Grafana儀表板

	
{
"panels": [
  {
  "title":"QPS趨勢",
  "type":"graph",
  "datasource":"aliyun-cms",
  "targets": [
    {
    "namespace":"acs_slb_dashboard",
    "metric":"Qps",
    "dimensions": {"instanceId":"$slb_id"}
    }
   ]
  },
  {
  "title":"響應(yīng)時間",
  "type":"graph",
  "targets": [
    {
    "namespace":"acs_slb_dashboard",
    "metric":"Rt"
    }
   ]
  },
  {
  "title":"HTTP狀態(tài)碼分布",
  "type":"piechart",
  "targets": [
    {"metric":"StatusCode2xx"},
    {"metric":"StatusCode3xx"},
    {"metric":"StatusCode4xx"},
    {"metric":"StatusCode5xx"}
   ]
  },
  {
  "title":"后端服務(wù)器健康狀態(tài)",
  "type":"stat",
  "targets": [
    {"metric":"HealthyServerCount"},
    {"metric":"UnhealthyServerCount"}
   ]
  }
 ]
}


	

	5.3 備份與恢復(fù)

	配置導(dǎo)出

	
#!/bin/bash
# export-slb-config.sh

REGION="cn-hangzhou"
OUTPUT_DIR="./slb-backup/$(date +%Y%m%d)"
mkdir -p${OUTPUT_DIR}

# 導(dǎo)出SLB實(shí)例配置
aliyun slb DescribeLoadBalancers 
  --RegionId${REGION}
  --output json >${OUTPUT_DIR}/slb-instances.json

# 導(dǎo)出監(jiān)聽配置
forlb_idin$(jq -r'.LoadBalancers.LoadBalancer[].LoadBalancerId'${OUTPUT_DIR}/slb-instances.json);do
  aliyun slb DescribeLoadBalancerListeners 
    --LoadBalancerId${lb_id}
    --output json >${OUTPUT_DIR}/listener-${lb_id}.json

 # 導(dǎo)出后端服務(wù)器配置
  aliyun slb DescribeVServerGroups 
    --LoadBalancerId${lb_id}
    --output json >${OUTPUT_DIR}/vserver-groups-${lb_id}.json
done

# 導(dǎo)出證書
aliyun slb DescribeServerCertificates 
  --RegionId${REGION}
  --output json >${OUTPUT_DIR}/certificates.json

echo"Backup completed:${OUTPUT_DIR}"


	

	使用Terraform管理配置

	
# 導(dǎo)入現(xiàn)有資源到Terraform
terraform import alicloud_slb_load_balancer.main lb-xxx
terraform import alicloud_slb_listener.http lb-xxx80

# 生成配置
terraform show -no-color > imported-config.tf

# 驗證配置
terraform plan


	

	災(zāi)難恢復(fù)流程

	
# 1. 創(chuàng)建新的SLB實(shí)例（使用Terraform或控制臺）
terraform apply

# 2. 配置DNS切換
aliyun alidns UpdateDomainRecord 
  --RecordId xxx 
  --RR www 
  --Type A 
  --Value 

# 3. 驗證新SLB正常工作
curl -I http://new-slb-ip/

# 4. 更新CDN回源配置（如有）
aliyun cdn ModifyCdnDomainConfig 
  --DomainName www.example.com 
  --Sources'[{"content":"new-slb-ip","type":"ipaddr","priority":"20","port":80}]'


	

	六、總結(jié)

	6.1 技術(shù)要點(diǎn)回顧

	本文詳細(xì)介紹了阿里云SLB負(fù)載均衡的配置和最佳實(shí)踐：

	產(chǎn)品選型：CLB適合存量業(yè)務(wù)，ALB適合七層應(yīng)用，NLB適合高性能四層場景

	高可用設(shè)計：跨可用區(qū)部署、健康檢查、后端服務(wù)器分布

	HTTPS配置：證書管理、TLS策略、HTTP重定向

	流量管理：基于路徑/Header的路由、會話保持、灰度發(fā)布

	安全加固：訪問控制、DDoS防護(hù)、安全組配置

	監(jiān)控告警：關(guān)鍵指標(biāo)監(jiān)控、異常告警、性能分析

	6.2 進(jìn)階學(xué)習(xí)方向

	GTM全局流量管理：多地域多活架構(gòu)

	DCDN全站加速：SLB與CDN聯(lián)動

	WAF Web應(yīng)用防火墻：七層安全防護(hù)

	服務(wù)網(wǎng)格：ALB與ASM集成

	Kubernetes Ingress：ALB作為K8s入口

	6.3 參考資料

	阿里云SLB官方文檔: https://help.aliyun.com/product/27537.html

	ALB文檔: https://help.aliyun.com/product/211127.html

	NLB文檔: https://help.aliyun.com/product/439469.html

	Terraform阿里云Provider: https://registry.terraform.io/providers/aliyun/alicloud/latest

	附錄

	A. 命令速查表

				操作
			

				命令
		

				查看SLB實(shí)例
			

				aliyun slb DescribeLoadBalancers
		

				查看監(jiān)聽
			

				aliyun slb DescribeLoadBalancerListeners --LoadBalancerId lb-xxx
		

				查看健康狀態(tài)
			

				aliyun slb DescribeHealthStatus --LoadBalancerId lb-xxx
		

				添加后端服務(wù)器
			

				aliyun slb AddBackendServers --LoadBalancerId lb-xxx --BackendServers '[...]'
		

				設(shè)置權(quán)重
			

				aliyun slb SetBackendServers --LoadBalancerId lb-xxx --BackendServers '[...]'
		

				上傳證書
			

				aliyun slb UploadServerCertificate --ServerCertificate ... --PrivateKey ...
		

	B. 配置參數(shù)詳解

	監(jiān)聽參數(shù)

				參數(shù)
			

				默認(rèn)值
			

				說明
		

				bandwidth
			

				-1
			

				帶寬峰值，-1表示不限制
		

				request_timeout
			

				60
			

				請求超時時間（秒）
		

				idle_timeout
			

				15
			

				空閑連接超時（秒）
		

				gzip
			

				on
			

				是否開啟Gzip壓縮
		

	健康檢查參數(shù)

				參數(shù)
			

				默認(rèn)值
			

				說明
		

				health_check_interval
			

				2
			

				檢查間隔（秒）
		

				health_check_timeout
			

				5
			

				超時時間（秒）
		

				healthy_threshold
			

				3
			

				健康閾值
		

				unhealthy_threshold
			

				3
			

				不健康閾值
		

	C. 術(shù)語表

				術(shù)語
			

				說明
		

				CLB
			

				Classic Load Balancer，經(jīng)典負(fù)載均衡
		

				ALB
			

				Application Load Balancer，應(yīng)用負(fù)載均衡
		

				NLB
			

				Network Load Balancer，網(wǎng)絡(luò)負(fù)載均衡
		

				VServer Group
			

				虛擬服務(wù)器組，后端服務(wù)器分組
		

				Listener
			

				監(jiān)聽，定義端口和協(xié)議
		

				Health Check
			

				健康檢查，檢測后端服務(wù)器狀態(tài)
		

				Session Persistence
			

				會話保持，同一客戶端路由到同一后端
		

				Forwarding Rule
			

				轉(zhuǎn)發(fā)規(guī)則，基于條件的路由