IP addresses are what two hosts use to talk to each other. IP addresses are difficult to remember and cumbersome to change following topology updates. This is where the Domain Name System (DNS) steps in. A server or collection of servers takes requests for names and returns the IP address. Known as resolvers, these servers can be authoritative or non-authoritative. Non-authoritative resolvers respond to DNS requests by finding and asking authoritative resolvers, and they usually cache the result. Authoritative resolvers respond to DNS requests independently. They don’t need to consult with any other resolvers.
The indirect mapping between a DNS name and an IP address makes it possible to build a geographic load balancer. The geographic load balancer, also known as a global server load balancer, is an authoritative DNS resolver that returns different IP addresses based on information received from the DNS request. This information can be the client's IP address, TCP connection parameters, the time of day, the physical port that the request was received on, or information in extended fields of the DNS request payload.
It’s often advantageous for corporate IT admins to install proxy servers on their networks. These servers provide a single point of audit and policy enforcement. Clients who want to obtain a resource on the internet send the request to the proxy server. The proxy server fetches the resource on behalf of the client. For HTTPS, the client uses the HTTP CONNECT method to ask the proxy to open a tunnel to the server, and the secure connection between the client and server is established through that tunnel.
The customer’s network relies on a few DNS resolvers, which can be their own or provided by their internet service provider. Consult with your internet service provider or network operator to determine the IP addresses of your DNS resolvers and their physical location. Use any available GeoIP database to verify that the physical location and the GeoIP location match. Clients from most offices around the world connect to these DNS resolvers to make DNS requests. The following sections assume that you know where your resolver is physically located.
Salesforce Edge uses geographic load balancing and multiple globally distributed points of presence to cache objects and terminate TLS closer to the end user. Clients are routed to the closest data center by using DNS. Salesforce's DNS servers rely on the location of the customer’s DNS resolvers.
EDNS with client subnets is an extension of DNS that allows the non-authoritative resolver to pass the original client’s IP to the authoritative resolver. In the geographic load balancing scenario, the authoritative resolver can then return an IP address chosen for the client's location rather than for the location of the non-authoritative resolver.
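The following Python code is an added example, not part of the original article and not Salesforce's code. It encodes and decodes the EDNS Client Subnet option (option code 8, RFC 7871) to show what the authoritative resolver receives and which address a geographic load balancer can base its answer on. The function names, the /24 prefix length, and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS Client Subnet option code (RFC 7871)
FAMILIES = {1: ipaddress.IPv4Network, 2: ipaddress.IPv6Network}

def build_ecs_option(client_ip, prefix_len):
    """Encode the ECS option a non-authoritative resolver adds to its query."""
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    family = 1 if net.version == 4 else 2
    # Only the bytes covering the prefix are sent; host bits are zeroed.
    addr = net.network_address.packed[:(prefix_len + 7) // 8]
    body = struct.pack("!HBB", family, prefix_len, 0) + addr  # scope is 0 in queries
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body

def parse_ecs_option(wire):
    """Decode an ECS option the way an authoritative resolver would read it."""
    if len(wire) < 8:
        raise ValueError("ECS option too short")
    code, length, family, source_len, scope_len = struct.unpack("!HHHBB", wire[:8])
    if code != ECS_OPTION_CODE or length != len(wire) - 4:
        raise ValueError("not a well-formed ECS option")
    net_cls = FAMILIES.get(family)
    if net_cls is None:
        raise ValueError("unknown address family")
    total = 4 if family == 1 else 16
    addr = wire[8:]
    if source_len > total * 8 or len(addr) != (source_len + 7) // 8:
        raise ValueError("address length does not match prefix length")
    # strict=True rejects options whose bits beyond the prefix are not zero.
    return net_cls((addr + bytes(total - len(addr)), source_len), strict=True)

def geo_lookup_key(resolver_ip, ecs_wire=None):
    """Address an authoritative geographic load balancer bases its answer on."""
    if ecs_wire is not None:
        return str(parse_ecs_option(ecs_wire))
    return resolver_ip  # without ECS only the resolver's own address is visible

if __name__ == "__main__":
    # Constructed sample: client and resolver addresses from documentation ranges.
    option = build_ecs_option("203.0.113.77", 24)
    print(option.hex())
    print(geo_lookup_key("198.51.100.53"))
    print(geo_lookup_key("198.51.100.53", option))
```

With the /24 prefix assumed here, the option carries the client's subnet rather than its full address, which is also what appears in the authoritative resolver's query logs.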
Pros
Cons
Placing a resolver in each office allows the authoritative geographic load balancing to use the resolver's IP address when returning IP addresses.
Pros
Cons
Both solutions change the way DNS is handled to give end-users an IP address for a local Salesforce Edge. If users rely on a VPN, we recommend optimizing the configuration as follows.
We recommend using VPN split tunneling to prevent traffic destined for the local Salesforce Edge from traversing the VPN.
Recommended Configuration: Consider an office in Morocco using correctly configured split tunnels. Packets travel first to Paris and then to the United States.
Not Recommended Configuration: Assuming the VPN termination happens in Texas, an improperly configured split tunnel results in poor performance from an inefficient traffic path. Consider an office in Morocco. Traffic first travels to Texas, then to Paris, and then back to a data center in the United States.
000396108
