Access EJB's if the EAP6 server is behind a LoadBalancer or NAT
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
- 6.x
Issue
- Is it possible to invoke an EJB if there is a NAT (Network Address Translation) in front of the server?
- How can I invoke an EJB if there is a load balancer in front of the EAP 6 servers?
- Is it possible to use clustered EJBs in a private network behind a load balancer or with NAT?
Resolution
If the EJBs and the JBoss servers in the private network do not use clustering features, the client needs to know the public address of the server.
The NAT or the load-balancer will forward the request to the server.
The following configuration is only needed if the server sends IP addresses or host names back to the client. At present, that only happens with the cluster topology.
The configuration needs to be adapted so that the server provides a different IP address and port.
The address returned can depend on the source network of the client.
<socket-binding name="remoting" port="4447">
    <!-- handle all internal clients - return the real IP address this server is started with 192.168.1.37 -->
    <client-mapping source-network="192.168.1.1/24" destination-address="192.168.1.37"/>
    <!-- handle all other (suppose all public) - here the public address is used i.e. NAT or LoadBalancer -->
    <client-mapping destination-address="209.132.182.26"/>
</socket-binding>
If you use the CLI, the command for standalone mode looks like this:
/socket-binding-group=standard-sockets/socket-binding=remoting:write-attribute(name=client-mappings, value=[{"source-network"="192.168.1.1/24", "destination-address"="192.168.1.37"},{destination-address="209.132.182.26"}])
The client-mapping element can be added multiple times as needed. It works with the first match from the list.
Using the above example, clients will be routed as follows:
- IP 192.168.1.* (/24 means the 24 most significant bits form the network mask, i.e. 255.255.255.0) => 192.168.1.37
- All other clients will use 209.132.182.26
- If there is no match, i.e. if the second mapping without a source-network is removed, the original server address will be used.
It is also possible to adjust the destination port with the client-mappings configuration.
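The first-match rule described above, as an added example (not Red Hat's code): a Python check that parses the socket-binding XML from this article, resolves the address a given client IP would be handed, and flags mappings that can never match because an earlier entry already covers them. The function names, the `server_address` parameter, the sample client IPs and the fallback to the binding's own port when no `destination-port` is set are assumptions of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Socket binding copied from the article, embedded inline as sample input.
SOCKET_BINDING = """
<socket-binding name="remoting" port="4447">
    <client-mapping source-network="192.168.1.1/24" destination-address="192.168.1.37"/>
    <client-mapping destination-address="209.132.182.26"/>
</socket-binding>
"""

def load_mappings(xml_text):
    """Return (binding_port, [(network_or_None, address, port_or_None), ...]) in document order."""
    root = ET.fromstring(xml_text)
    mappings = []
    for cm in root.findall("client-mapping"):
        src = cm.get("source-network")
        # strict=False because "192.168.1.1/24" has host bits set, as written in the article
        net = ipaddress.ip_network(src, strict=False) if src else None
        port = cm.get("destination-port")
        mappings.append((net, cm.get("destination-address"), int(port) if port else None))
    return int(root.get("port")), mappings

def resolve(client_ip, binding_port, mappings, server_address):
    """First matching mapping wins; with no match the server's own address is used."""
    ip = ipaddress.ip_address(client_ip)
    for net, address, port in mappings:
        # A mapping without source-network matches every client.
        if net is None or ip in net:
            return address, port or binding_port  # assumption: binding port is the default
    return server_address, binding_port

def shadowed(mappings):
    """Indexes of mappings that can never match because an earlier entry covers them."""
    dead = []
    for i, (net, _, _) in enumerate(mappings):
        for earlier, _, _ in mappings[:i]:
            if earlier is None or (net is not None and net.version == earlier.version
                                   and net.subnet_of(earlier)):
                dead.append(i)
                break
    return dead

if __name__ == "__main__":
    port, maps = load_mappings(SOCKET_BINDING)
    for ip in ("192.168.1.50", "203.0.113.9"):  # constructed client addresses
        print(ip, "->", resolve(ip, port, maps, "192.168.1.37"))
    print("shadowed mappings:", shadowed(maps))
```

If the catch-all mapping were listed first, `shadowed` would report the internal mapping as dead: internal clients would then be sent to the public address instead of 192.168.1.37.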
If there is a problem with the connection, enable INFO logging for 'org.jboss.ejb.client' on the client side.
If the client detects a problem, the following message will be logged:
org.jboss.ejb.client.remoting.RemotingConnectionClusterNodeManager getEJBReceiver INFO: Could not create a connection for cluster node ClusterNode{clusterName='ejb', nodeName='master:app-oneB', clientMappings=[ClientMapping{sourceNetworkAddress=/0:0:0:0:0:0:0:0, sourceNetworkMaskBits=0, destinationAddress='192.168.27.37', destinationPort=5147}], resolvedDestination=[Destination address=192.168.27.37, destination port=5147]} in cluster ejb
NOTE
- In a scenario where many nodes are represented by one IP, it is mandatory that all nodes are configured in the same way and have the same set of applications deployed, otherwise the invocations might fail sometimes.
- If StatefulSessionBeans are used, the requests should be sticky to the node where the bean was created. If that is not possible, it leads to a decrease in performance, as the SFSB must be replicated when the invocations move between the nodes.
- It might fail if all nodes are not members of the same cluster.
Root Cause
If the server is located in a (private) network which is accessed from the public network via NAT, or uses a load balancer, the EJB cannot be accessed by using the server's IP address. This address might not be reachable from the network outside.
The client can only connect to the public IP address or host name.
Related Articles
Invoke clustered EJB's from a remote client