| Load Balancing in gRPC |
| ====================== |
| |
| # Scope |
| |
| This document explains the design for load balancing within gRPC. |
| |
| # Background |
| |
| ## Per-Call Load Balancing |
| |
| It is worth noting that load-balancing within gRPC happens on a per-call |
| basis, not a per-connection basis. In other words, even if all requests |
| come from a single client, we still want them to be load-balanced across |
| all servers. |
| |
| ## Approaches to Load Balancing |
| |
| Prior to any gRPC specifics, we explore some usual ways to approach load |
| balancing. |
| |
| ### Proxy Model |
| |
| Using a proxy provides a solid trustable client that can report load to the load |
| balancing system. Proxies typically require more resources to operate since they |
| have temporary copies of the RPC request and response. This model also increases |
| latency to the RPCs. |
| |
| The proxy model was deemed inefficient when considering request heavy services |
| like storage. |
| |
| ### Balancing-aware Client |
| |
| This thicker client places more of the load balancing logic in the client. For |
| example, the client could contain many load balancing policies (Round Robin, |
| Random, etc) used to select servers from a list. In this model, a list of |
| servers would be either statically configured in the client, provided by the |
| name resolution system, an external load balancer, etc. In any case, the client |
| is responsible for choosing the preferred server from the list. |
| |
| One of the drawbacks of this approach is writing and maintaining the load |
| balancing policies in multiple languages and/or versions of the clients. These |
| policies can be fairly complicated. Some of the algorithms also require client |
| to server communication so the client would need to get thicker to support |
| additional RPCs to get health or load information in addition to sending RPCs |
| for user requests. |
| |
| It would also significantly complicate the client's code: the new design hides |
| the load balancing complexity of multiple layers and presents it as a simple |
| list of servers to the client. |
| |
| ### External Load Balancing Service |
| |
| The client load balancing code is kept simple and portable, implementing |
| well-known algorithms (e.g., Round Robin) for server selection. |
| Complex load balancing algorithms are instead provided by the load |
| balancer. The client relies on the load balancer to provide _load |
| balancing configuration_ and _the list of servers_ to which the client |
| should send requests. The balancer updates the server list as needed |
| to balance the load as well as handle server unavailability or health |
| issues. The load balancer will make any necessary complex decisions and |
| inform the client. The load balancer may communicate with the backend |
| servers to collect load and health information. |
| |
| # Requirements |
| |
| ## Simple API and client |
| |
| The gRPC client load balancing code must be simple and portable. The |
| client should only contain simple algorithms (e.g., Round Robin) for |
| server selection. For complex algorithms, the client should rely on |
| a load balancer to provide load balancing configuration and the list of |
| servers to which the client should send requests. The balancer will update |
| the server list as needed to balance the load as well as handle server |
| unavailability or health issues. The load balancer will make any necessary |
| complex decisions and inform the client. The load balancer may communicate |
| with the backend servers to collect load and health information. |
| |
| ## Security |
| |
| The load balancer may be separate from the actual server backends and a |
| compromise of the load balancer should only lead to a compromise of the |
| loadbalancing functionality. In other words, a compromised load balancer should |
| not be able to cause a client to trust a (potentially malicious) backend server |
| any more than in a comparable situation without loadbalancing. |
| |
| # Architecture |
| |
| ## Overview |
| |
| The primary mechanism for load-balancing in gRPC is external |
| load-balancing, where an external load balancer provides simple clients |
| with an up-to-date list of servers. |
| |
| The gRPC client does support an API for built-in load balancing policies. |
| However, there are only a small number of these (one of which is the |
| `grpclb` policy, which implements external load balancing), and users |
| are discouraged from trying to extend gRPC by adding more. Instead, new |
| load balancing policies should be implemented in external load balancers. |
| |
| ## Workflow |
| |
| Load-balancing policies fit into the gRPC client workflow in between |
| name resolution and the connection to the server. Here's how it all |
| works: |
| |
|  |
| |
| 1. On startup, the gRPC client issues a [name resolution](naming.md) request |
| for the server name. The name will resolve to one or more IP addresses, |
| each of which will indicate whether it is a server address or |
| a load balancer address, and a [service config](service_config.md) |
| that indicates which client-side load-balancing policy to use (e.g., |
| `round_robin` or `grpclb`). |
| 2. The client instantiates the load balancing policy. |
| - Note: If any one of the addresses returned by the resolver is a balancer |
| address, then the client will use the `grpclb` policy, regardless |
| of what load-balancing policy was requested by the service config. |
| Otherwise, the client will use the load-balancing policy requested |
| by the service config. If no load-balancing policy is requested |
| by the service config, then the client will default to a policy |
| that picks the first available server address. |
| 3. The load balancing policy creates a subchannel to each server address. |
| - For all policies *except* `grpclb`, this means one subchannel for each |
| address returned by the resolver. Note that these policies |
| ignore any balancer addresses returned by the resolver. |
| - In the case of the `grpclb` policy, the workflow is as follows: |
| 1. The policy opens a stream to one of the balancer addresses returned |
| by the resolver. It asks the balancer for the server addresses to |
| use for the server name originally requested by the client (i.e., |
| the same one originally passed to the name resolver). |
| - Note: In the `grpclb` policy, the non-balancer addresses returned |
| by the resolver are used as a fallback in case no balancers can be |
| contacted when the LB policy is started. |
| 2. The gRPC servers to which the load balancer is directing the client |
| may report load to the load balancers, if that information is needed |
| by the load balancer's configuration. |
| 3. The load balancer returns a server list to the gRPC client's `grpclb` |
| policy. The `grpclb` policy will then create a subchannel to each of |
| server in the list. |
| 4. For each RPC sent, the load balancing policy decides which |
| subchannel (i.e., which server) the RPC should be sent to. |
| - In the case of the `grpclb` policy, the client will send requests |
| to the servers in the order in which they were returned by the load |
| balancer. If the server list is empty, the call will block until a |
| non-empty one is received. |
