There are several ways to deploy ProxySQL between your applications and the database servers. A common approach is to have a floating virtual IP (VIP) managed by keepalived as the application endpoint. The proxies have to be strategically provisioned to improve the resiliency of the solution (different hardware, network segments, etc,).
When we consider cloud environments, spreading instances across many availability zones (AZ) is considered a best practice, but that presents a problem regarding VIP handling.
Per definition, VPC subnets have to be created in a specific AZ, and subnet IP ranges can’t overlap with one another. An IP address cannot simply be moved to an instance on a different AZ, as it would end up in a subnet that doesn’t include it.
So in order to use the VIP method, we would need to keep all our proxies in a single AZ. This clearly is not the best idea. In addition to this, the regular VIP method doesn’t work, due to the fact that broadcast is not allowed in AWS.
Let’s instead see how to overcome this by putting ProxySQL instances behind a Network Load Balancer (NLB) instead.
Creating a Load Balancer
1. Create an NLB, specifying the subnets where you launched the ProxySQL instances:
1 2 3 4 5 | aws elbv2 create-load-balancer --name proxysql-lb --type network --scheme internal --subnets subnet-03fd9799aedda2a1d subnet-0c9c99a5902d8760f |
With the above command, the LB internal endpoints will automatically pick an available IP address on each subnet. Alternatively, if you want to specify the IP addresses yourself, you can run the following:
1 2 3 4 5 | aws elbv2 create-load-balancer --name proxysql-lb --type network --scheme internal --subnet-mappings Subnet-Id=subnet-03fd9799aedda2a1d,PrivateIPv4Address=10.1.1.2 Subnet-Id=subnet-0c9c99a5902d8760f,PrivateIPv4Address=10.1.2.2 |
The output of the above includes the Amazon Resource Name (ARN) of the load balancer, with the following format:
1 | arn:aws:elasticloadbalancing:us-east-1:686800432451:loadbalancer/net/ivan-proxysql-lb/980f7598e7c43506 |
Let’s save the value on a variable for later use:
1 | export LB_ARN=<paste the value from above> |
Adding the ProxySQL Targets
2. Create a target group, specifying the same VPC that you used for your ProxySQL instances:
1 2 3 4 5 6 7 8 | aws elbv2 create-target-group --name proxysql-targets --protocol TCP --port 6033 --target-type instance --health-check-port 6032 --health-check-interval-seconds 10 --vpc-id vpc-018cc1c34d4d709d5 |
The output should include the ARN of the target group with this format:
1 | arn:aws:elasticloadbalancing:us-east-1:686800432451:targetgroup/proxysql-targets/d997e5efc62db322 |
We can store the value for later use:
1 | export TG_ARN=<paste the value from above> |
3. Register your ProxySQL instances with the target group:
1 2 3 4 5 6 7 | aws elbv2 register-targets --target-group-arn $TG_ARN --targets Id=i-02d9e450af1b00524 aws elbv2 register-targets --target-group-arn $TG_ARN --targets Id=i-05d9f450af1b00521 |
Creating the LB Listener
4. Create a listener for your load balancer with a default rule to forward requests to your target group:
1 2 3 4 5 | aws elbv2 create-listener --load-balancer-arn $LB_ARN --protocol TCP --port 3306 --default-actions Type=forward,TargetGroupArn=$TG_ARN |
The output contains the ARN of the listener, with the following format:
1 | arn:aws:elasticloadbalancing:us-east-1:686800432451:listener/net/ivan-proxysql-lb/980f7598e7c43506/0d0c68ddde71b83f |
5. You can verify the health of the registered targets using the following command:
1 | aws elbv2 describe-target-health --target-group-arn $TG_ARN |
Be aware it takes a few minutes for the health to go green.
Testing Access
6. Now let’s get the DNS name of the load balancer:
1 | LB_DNS=$(aws elbv2 describe-load-balancers --load-balancer-arns $LB_ARN --query 'LoadBalancers[0].DNSName' --output text) |
7. Test access to the load balancer itself:
1 | curl -v $LB_DNS:3306 |
8. Finally, test the connection to the database through the load balancer:
1 | mysql -u percona -p -hinternal-proxysql-1232905176.us-east-1.elb.amazonaws.com |
Final Considerations
For this example, I am using a simple TCP connection to ProxySQL’s admin port as the health check. Another option would be to expose a separate HTTP service that queries ProxySQL to handle more complex health check logic.
It is also important to mention the difference between target-type:instance and target-type:ip for the target group. In the latter, if you check the client connections on the Proxy side (stats_mysql_processlist table) you will see they all come from the load balancer address instead of the actual client. Hence it is more desirable to use instance, to see the real client IP.
As usual.. amazing!!
Sorry Javier I had missed your comment. Thanks for stopping by! glad it was useful
Thanks Ivan for the amazing article. Few things I wanted to clarify, NLB has connection timeout of 350 seconds, so how does it impacts ProxySql connections, can something be done to avoind that? Also, do you need to use sticky sessions to make sure that queries do not route to other connections?
This is great! I’ve gotten this far. Now I need to setup SSL end-to-end. I’m getting weird errors when I have different certs across the different servers. Do I need to somehow synchronize all of the SSL certs on the NLB, ProxySQL and DB nodes?