
Application Networking

Updated May 25, 2020

Overview

Most deployed applications depend on network services. Firewalls, load balancers, DNS, and reverse proxies control how users reach the application and how application components reach each other.

Firewalls

A firewall accepts or rejects traffic based on rules. Rules commonly evaluate source address, destination address, protocol, and port.

For a web application, a restrictive firewall policy might allow HTTPS and deny direct access to SSH or a database port.

Example policy:

  • Deny all inbound access by default.
  • Allow TCP port 443 from users.
  • Allow TCP port 22 only from a jump box.
  • Allow database traffic only from the application tier.

A jump box is an intermediate system that administrators connect through before reaching sensitive hosts.
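As an added example (not part of this page), a small first-match rule evaluator in Python that encodes the example policy above, including the trailing default-deny rule; the jump-box address, the application-tier subnet and the database port are assumed values, since the page does not give them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses: the page names the tiers but gives no ranges.
ANY_SOURCE = ipaddress.ip_network("0.0.0.0/0")
JUMP_BOX = ipaddress.ip_network("10.0.0.5/32")    # assumed jump-box address
APP_TIER = ipaddress.ip_network("10.0.1.0/24")    # assumed application subnet
DB_PORT = 5432                                     # assumed database port


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: str                     # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network     # permitted source range
    dport: Optional[int]           # None matches any destination port

    def matches(self, proto: str, src_ip: str, dport: int) -> bool:
        return ((self.proto == "any" or self.proto == proto)
                and ipaddress.ip_address(src_ip) in self.src
                and (self.dport is None or self.dport == dport))


# Ordered rule list for the page's policy; the last rule is the
# "deny all inbound access by default" catch-all.
POLICY = [
    Rule("allow", "tcp", ANY_SOURCE, 443),   # HTTPS from users
    Rule("allow", "tcp", JUMP_BOX, 22),      # SSH only from the jump box
    Rule("allow", "tcp", APP_TIER, DB_PORT), # database only from app tier
    Rule("deny", "any", ANY_SOURCE, None),   # default deny
]


def evaluate(proto: str, src_ip: str, dport: int, policy=POLICY) -> str:
    """Return the action of the first rule matching an inbound connection."""
    for rule in policy:
        if rule.matches(proto, src_ip, dport):
            return rule.action
    return "deny"  # reached only if a policy lacks a catch-all rule


if __name__ == "__main__":
    checks = [("tcp", "203.0.113.7", 443), ("tcp", "203.0.113.7", 22),
              ("tcp", "10.0.0.5", 22), ("tcp", "10.0.0.9", 5432),
              ("tcp", "10.0.1.20", 5432), ("udp", "10.0.1.20", 53)]
    for proto, src, port in checks:
        print(f"{proto} {src} -> port {port}: {evaluate(proto, src, port)}")
```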

Load Balancers

A load balancer receives client requests and distributes them across multiple servers.

For more information, please see the LoadBalancers page.

Common load-balancing behaviors include:

  Method               Description
  Persistent session   Keeps a user tied to the server that owns their session state.
  Round robin          Sends each request to the next server in the list.
  Least connections    Sends new traffic to the server with the fewest active sessions.
  IP hash              Uses a hash of the client IP to choose a consistent backend.

Load balancers also support release strategies such as blue-green and canary deployment by shifting traffic between old and new application versions.

DNS

DNS maps human-readable names to routable IP addresses. In deployments, DNS can point applications to different resources without changing application code.

For more information, please see the Domain Name System (DNS) page.

Example:

  • Production: database.example.com resolves to the production database.
  • Development: database.example.com can resolve to a development database when the development environment uses its own DNS server.
  • The application code still uses the same hostname.

Note: DNS can help shift traffic, but DNS caching and propagation delay make it less precise than a load balancer for fast rollbacks.

Reverse Proxies

A forward proxy makes many clients appear as one client. A reverse proxy makes many internal servers appear behind one public endpoint.

For more information, please see the Proxy Servers page.

Reverse proxies can route requests, terminate TLS, apply filtering, and hide internal server details from users.