Scalable and Secure MQTT Load Balancing With Elastic Beam and HiveMQ
Written by The HiveMQ Team
Published: July 5, 2016
A key challenge for a scalable and resilient MQTT broker infrastructure is load balancing the MQTT broker cluster nodes to ensure optimal performance and maximum reliability. Historically, load balancing strategies for MQTT have typically involved L4 load balancing, meaning the load balancing takes place on the OSI transport layer, which has only limited value for MQTT broker clusters.
Elastic Beam™ Secure Proxy is one of the first products that supports first-class MQTT routing features out-of-the-box to overcome MQTT load balancing limits. This blog post shows how HiveMQ and Elastic Beam can be used together to create truly resilient and secure MQTT cloud infrastructures.
Why are load balancers beneficial for MQTT?
Load balancers play a significant role in traffic routing and traffic shaping for the Internet and the IoT. Most load balancer products focus on L4 load balancing that routes traffic based on information like IP address, port and protocol (e.g. TCP or UDP).
L4 load balancing is typically pretty simple and only a few traffic delivery strategies are supported (e.g. round robin or sticky IP). It’s important to note that such an L4 load balancer is not aware of the Layer 7 protocol that is used (e.g. MQTT) and is not able to make delivery decisions based on high-level protocol information.
Key advantages of using a load balancer in MQTT deployments are:
- TLS offloading: Expensive cryptographic operations take place on the load balancer and not on the brokers
- Perfect for broker clusters: An MQTT client does not need to be aware of the MQTT broker topology; it connects to the load balancer and the load balancer is responsible for establishing a connection with the “right” broker
- First line of defense: The MQTT brokers are not exposed directly to the Internet and - depending on the load balancing product - sophisticated attack prevention mechanisms on different levels of the OSI stack are used. Malicious clients won’t be able to hit the brokers directly
- Failover: When an MQTT broker node is unavailable, the load balancer will route traffic to healthy nodes to compensate for the unavailable node
Elastic Beam and HiveMQ
For sophisticated MQTT broker cluster implementations like HiveMQ, next-generation load balancers are needed to bring additional value to the table. This is where Elastic Beam, a commercial load balancer and IoT proxy router, comes into play. Besides the typical MQTT load balancing advantages we discussed above, the following additional advantages are available when combining Elastic Beam and HiveMQ:
- L7 MQTT load balancing: Elastic Beam understands MQTT natively and can make sophisticated routing decisions based on MQTT characteristics (e.g. client identifier)
- No single point of failure: Elastic Beam can be clustered and high availability can be achieved with additional mechanisms like DNS round robin for the load balancers. This means the broker cluster is highly available and the load balancer is also highly available
- Hybrid cloud support: Elastic Beam supports all major cloud providers and data center deployments - at the same time. Your MQTT clients from on-premise installations can communicate with the brokers easily as well as clients with Internet connectivity
- Additional security: Elastic Beam implements state-of-the-art security mechanisms as well as innovative features like machine learning for intrusion detection
- MQTT over websockets: Elastic Beam has first-class websocket support, which enables MQTT clients to use MQTT over (secure) websockets
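To make the L4 versus L7 distinction concrete, the following added example (not code from Elastic Beam or HiveMQ) shows what an MQTT-aware proxy has to do to route on the client identifier: parse the CONNECT packet with strict bounds checks, then map the identifier to a healthy broker. The broker names, the sample packet and the use of rendezvous hashing are assumptions made for illustration; the page does not describe Elastic Beam's actual routing algorithm.

```python
import hashlib
import struct

# Constructed sample: MQTT 3.1.1 CONNECT, clean session, keep-alive 60 s, client ID "sensor-42"
SAMPLE_CONNECT = b"\x10\x15\x00\x04MQTT\x04\x02\x00\x3c\x00\x09sensor-42"

def read_remaining_length(buf, pos):
    """Decode the fixed header's variable-length 'Remaining Length' (at most 4 bytes)."""
    value = 0
    for i in range(4):
        if pos + i >= len(buf):
            raise ValueError("truncated remaining length")
        byte = buf[pos + i]
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, pos + i + 1
    raise ValueError("remaining length longer than 4 bytes")

def read_string(buf, pos):
    """Read a UTF-8 string with a 2-byte big-endian length prefix, bounds-checked."""
    if pos + 2 > len(buf):
        raise ValueError("truncated string length")
    (length,) = struct.unpack_from(">H", buf, pos)
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("string runs past end of packet")
    return buf[pos + 2:end].decode("utf-8"), end

def connect_client_id(packet):
    """Return the client identifier from an MQTT 3.1.1 CONNECT packet."""
    if not packet or packet[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    remaining, pos = read_remaining_length(packet, 1)
    body = packet[pos:pos + remaining]
    if len(body) != remaining:
        raise ValueError("packet shorter than declared length")
    protocol, pos = read_string(body, 0)
    if protocol != "MQTT" or pos + 4 > len(body) or body[pos] != 4:
        raise ValueError("unsupported protocol name or level")
    # Skip protocol level (1), connect flags (1) and keep-alive (2)
    client_id, _ = read_string(body, pos + 4)
    return client_id

def pick_broker(client_id, healthy_brokers):
    """Rendezvous hashing: a client ID always maps to the same healthy broker."""
    if not healthy_brokers:
        raise ValueError("no healthy brokers")
    return max(healthy_brokers,
               key=lambda b: hashlib.sha256(f"{b}|{client_id}".encode()).digest())
```

When a broker is removed from the healthy list, only the clients that were mapped to it move; every other client ID keeps its broker, which an L4 round-robin balancer cannot guarantee.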
Reference Architecture with Elastic Beam and HiveMQ
The reference architecture of Elastic Beam and HiveMQ as a joint solution includes these components:
- A variety of MQTT clients connected to the backend with either plain MQTT (with TLS) or websockets (with TLS). Communication via both channels is possible simultaneously
- One or more Elastic Beam Secure Proxy nodes terminate TLS traffic, block compromised clients and route the traffic to the MQTT brokers
- Multiple HiveMQ MQTT broker cluster nodes for high availability and scalability
- (optional) Enterprise applications that are connected to the MQTT brokers either via Enterprise Integrations, plain MQTT or Shared Subscriptions. They can connect directly to the MQTT brokers or via the Elastic Beam load balancer, depending on the requirements
Both software products, Elastic Beam and HiveMQ, are very easy to install. To get started, you just need to download the software and run the start script for each product.
For a kickstart with Elastic Beam and HiveMQ, there is an official HiveMQ Elastic Beam Integration Plugin available. With that HiveMQ plugin installed, Elastic Beam is able to integrate with the MQTT broker and can detect topology changes if nodes are unavailable.
To learn more about the Elastic Beam and HiveMQ integration, we recommend downloading the application note, which includes details about the solution, the reference architecture and benchmarks.