We are using Windows NLB in our production environment to load balance https requests to ten IIS servers.
The settings are:
Setting |
Value |
Port |
443 |
Protocol |
TCP |
Filtering Mode |
Multiple Hosts |
Affinity |
Single |
Timeout (in minutes) |
Disabled |
So as long as there is no change in the NLB cluster membership, i.e. no hosts are leaving/joining the cluster, the same source ip will always be mapped to the same target IIS server (according to the docs for Server 2003 R2 - I can't find newer official docs that detail affinity):
Now what if I take down some or all machines, and bring all of them up again, so the cluster membership is the same as it was before taking down machines. Will the same source ip addresses again map to the same target servers as before, or does the mapping depend on things like cluster join order or something non-deterministic?
N.B. I just found that during convergence, the mapping may change:
In normal operations, if single affinity is used, NLB will guarantee that all connections coming from the same source IP will hit the same server. This would include multiple TCP connections of the same SSL session. However, configuration changes might cause NLB to accept different connections of the same SSL session by different servers during the convergence. As a result, the SSL session is broken.
Which is fair enough (and can be mitigated by enabling "extended affinity" using the "timeout" value, as the linked article explains). However I'm interested in the state after convergence.