Introduction
This document describes the architecture of our web infrastructure, which is designed for security, efficient service routing, and scalability, particularly for our Rails applications. It explains how the components interact to provide a high-availability environment. The components below that include HAProxy, Consul, Nomad, and Vault are collectively referred to as the "KE-Stack." Vault is part of the stack but is not described further in this document.
Cloudflare Configuration
Cloudflare is the first point of contact for external user requests, providing DDoS protection and other edge security controls. For external requests to www.hunter-ed.com, Cloudflare terminates the client's TLS session at its edge, then opens a separate TLS connection to our AWS ALB and forwards the request over it. The origin is only protected while every request actually passes through Cloudflare, so the external ALB must accept connections solely from Cloudflare's published IP ranges; an ALB that is reachable directly from the internet can be hit with Cloudflare's protections bypassed.
AWS Application Load Balancers (ALBs)
Our infrastructure utilizes two AWS ALBs: one for external traffic and one dedicated to internal traffic.
- The external ALB works in tandem with Cloudflare: it terminates TLS for domains such as ke-eng.io and routes external requests to the external HAProxy cluster.
- The internal ALB handles server-to-server requests within our network. It bypasses Cloudflare, so internal traffic stays on the private network instead of leaving and re-entering through the public edge; this only holds if the ALB is deployed with the internal (non-internet-facing) scheme so that it has no public address.
HAProxy Configuration
HAProxy clusters handle load balancing for both external and internal traffic:
- External HAProxy cluster: Handles client-facing traffic routed through Cloudflare and the external ALB.
- Internal HAProxy cluster: Manages server-to-server traffic routed from the internal ALB.
HAProxy integrates with Consul for dynamic service discovery, so its backends follow the host ports that Nomad assigns to each task rather than fixed, hand-maintained addresses.
Service Discovery with Consul
Consul acts as the cornerstone of our service discovery system, maintaining a registry of services and their health status. HAProxy uses this registry to route traffic only to instances whose health checks pass; an instance whose check fails is dropped from the backend without manual intervention. This enables:
- Efficient traffic routing.
- Dynamic updates when services or ports change due to Nomad orchestration.
Nomad Orchestration
Nomad orchestrates the deployment, maintenance, and scaling of services. It dynamically assigns host ports to tasks, avoiding conflicts when several tasks share a host. Each task's service registration in Consul carries the assigned port together with its health check, so HAProxy can discover and route to the instance without any static port configuration.
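To make the HAProxy/Consul integration, the Consul health registry, and Nomad's port registration concrete, here is an added example of what a consul-template-style renderer does on an HAProxy node: it reads Consul's health endpoint for a service, keeps only instances whose checks pass (and, optionally, that carry a tag for the intended cluster), renders them into an HAProxy backend using the ports Nomad assigned, and reports whether HAProxy needs a reload. This is example code written for this document, not KE-Stack tooling; the service name rails-web, the external/internal tags, the /healthz check path, and the embedded Consul response are constructed assumptions.

```python
import hashlib
import json

# Constructed sample of Consul's GET /v1/health/service/rails-web response.
# Port values stand in for the host ports Nomad assigned dynamically. The third
# instance is failing its service check and the fourth carries only the
# (assumed) "internal" tag, so neither belongs in the external cluster's backend.
SAMPLE_CONSUL_HEALTH = json.dumps([
    {
        "Node": {"Node": "nomad-client-1", "Address": "10.0.1.11"},
        "Service": {"ID": "rails-web-a", "Service": "rails-web",
                    "Tags": ["http", "external"], "Address": "", "Port": 24931},
        "Checks": [{"CheckID": "serfHealth", "Status": "passing"},
                   {"CheckID": "service:rails-web-a", "Status": "passing"}],
    },
    {
        "Node": {"Node": "nomad-client-2", "Address": "10.0.1.12"},
        "Service": {"ID": "rails-web-b", "Service": "rails-web",
                    "Tags": ["http", "external"], "Address": "10.0.1.12", "Port": 27702},
        "Checks": [{"CheckID": "serfHealth", "Status": "passing"},
                   {"CheckID": "service:rails-web-b", "Status": "passing"}],
    },
    {
        "Node": {"Node": "nomad-client-2", "Address": "10.0.1.12"},
        "Service": {"ID": "rails-web-c", "Service": "rails-web",
                    "Tags": ["http", "external"], "Address": "10.0.1.12", "Port": 21140},
        "Checks": [{"CheckID": "serfHealth", "Status": "passing"},
                   {"CheckID": "service:rails-web-c", "Status": "critical"}],
    },
    {
        "Node": {"Node": "nomad-client-3", "Address": "10.0.1.13"},
        "Service": {"ID": "rails-web-d", "Service": "rails-web",
                    "Tags": ["http", "internal"], "Address": "10.0.1.13", "Port": 29855},
        "Checks": [{"CheckID": "serfHealth", "Status": "passing"},
                   {"CheckID": "service:rails-web-d", "Status": "passing"}],
    },
])


def healthy_endpoints(health_json, required_tag=None):
    """Return sorted (service_id, address, port) for instances whose checks all pass.

    Consul semantics: Service.Address may be empty, in which case the node's
    address applies. An instance is routable only when every check (the node's
    serfHealth and the service check) reports "passing"; "warning" is treated as
    not routable, the conservative choice for a public edge.
    """
    out = []
    for entry in json.loads(health_json):
        svc = entry["Service"]
        if required_tag and required_tag not in svc.get("Tags", []):
            continue
        if any(check["Status"] != "passing" for check in entry["Checks"]):
            continue
        addr = svc.get("Address") or entry["Node"]["Address"]
        out.append((svc["ID"], addr, int(svc["Port"])))
    return sorted(out)


def render_backend(name, endpoints):
    """Render an HAProxy backend with one server line per healthy endpoint.

    Output is deterministic (sorted input, fixed formatting) so a reloader can
    compare digests and reload HAProxy only when membership actually changed.
    The /healthz path is an assumption; HAProxy's own check is a second line
    of defence behind Consul's.
    """
    lines = [f"backend {name}",
             "    balance roundrobin",
             "    option httpchk GET /healthz"]
    for service_id, addr, port in endpoints:
        lines.append(f"    server {service_id} {addr}:{port} check")
    return "\n".join(lines) + "\n"


def config_digest(text):
    return hashlib.sha256(text.encode()).hexdigest()


def needs_reload(previous_digest, health_json, required_tag, backend_name):
    """Return (changed, rendered_config, digest) for one reconcile pass."""
    cfg = render_backend(backend_name, healthy_endpoints(health_json, required_tag))
    digest = config_digest(cfg)
    return digest != previous_digest, cfg, digest


if __name__ == "__main__":
    changed, cfg, _ = needs_reload(None, SAMPLE_CONSUL_HEALTH, "external", "rails_web_external")
    print(cfg, end="")
```

Run against the sample, the external backend contains only rails-web-a and rails-web-b; the critical instance and the internal-only instance are excluded, and a second pass with the same Consul data reports no change, so HAProxy is not reloaded needlessly. In production the JSON comes from the local Consul agent (blocking queries or consul-template do the watching) and the rendered stanza is written to HAProxy's config before a graceful reload.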
Traffic Flow
The journey of a request through our infrastructure:
- External Traffic: Begins at Cloudflare for TLS termination, then flows to the external ALB, HAProxy cluster, and eventually the appropriate backend service.
- Internal Traffic: Starts at the internal ALB, bypasses Cloudflare, and is routed through the internal HAProxy cluster to the service instance.
Conclusion
Our infrastructure combines Cloudflare for external requests, AWS ALBs for routing, HAProxy clusters for load balancing, and Consul integrated with Nomad for dynamic service discovery and orchestration. This robust architecture ensures our Rails applications can scale efficiently while maintaining high availability and security.