Current proposal for load balancing:
The client would connect to the load balancer and then be assigned to one of the web servers.
Pro:
Simplicity
Tolerates a single failure anywhere except in the load balancer itself
Con:
If one machine fails in each chain, the service is unavailable (a chain is only as available as its weakest member, so one failure per chain takes every chain down)
The load balancer is a single point of failure (for the improvement, see below)
A more complicated but more robust scheme would use two load balancers and DNS load balancing between the load balancers. This is an optional extension for now.
Open questions:
How does the load balancer learn that one chain is down?
A simple solution would be that the web server stops accepting traffic when the cert server fails (either the cert server itself or because the DB behind it is unavailable), so the balancer sees the whole chain as unreachable and switches to the other one.
How are users with an active session migrated to the other chain?
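As an added illustration of the health-check answer to the first open question (this is example code, not part of the proposal and not from the project), the sketch below models one chain as web server plus cert server plus DB. The web server's health endpoint answers 503 when any dependency it needs is down, and the balancer drops a chain after a few consecutive failed checks and restores it on the first success. The names (Chain, healthz, LoadBalancer), the probe callables and the failure threshold are assumptions for illustration; the real probes would be a timed-out connection to the cert server and a trivial query against the DB. It does not address the second open question (session migration).

```python
"""Added example, not the project's code: dependency-aware health check for
one chain (web server -> cert server -> DB) and a balancer that removes a
chain once its health check fails. Names and probe structure are assumed."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

HEALTHY, UNHEALTHY = 200, 503   # HTTP codes the web server's health endpoint returns
FAIL_THRESHOLD = 2              # consecutive failed checks before a chain is dropped


@dataclass
class Chain:
    """One chain. The probes stand in for real checks (a TLS connect to the
    cert server, a SELECT 1 on the DB); each real probe must carry a short
    timeout so a hanging dependency cannot stall the health endpoint."""
    name: str
    cert_probe: Callable[[], bool]
    db_probe: Callable[[], bool]


def healthz(chain: Chain) -> Tuple[int, str]:
    """Web-server side: report 503 when any required dependency is down, so
    the balancer sees the whole chain as unavailable rather than only the
    web server process. A probe that raises counts as down."""
    try:
        if not chain.cert_probe():
            return UNHEALTHY, "cert server unreachable"
        if not chain.db_probe():
            return UNHEALTHY, "database unavailable"
    except Exception as exc:
        return UNHEALTHY, f"probe error: {exc}"
    return HEALTHY, "ok"


class LoadBalancer:
    """Balancer side: poll each chain's health endpoint every round, drop a
    chain after FAIL_THRESHOLD consecutive failures (one flaky probe should
    not flip traffic), and restore it on the first successful check."""

    def __init__(self, chains: List[Chain]):
        self.chains = chains
        self.failures = {c.name: 0 for c in chains}
        self.routable = {c.name for c in chains}
        self._rr = 0  # round-robin cursor

    def health_round(self) -> List[str]:
        for c in self.chains:
            status, _reason = healthz(c)
            if status == HEALTHY:
                self.failures[c.name] = 0
                self.routable.add(c.name)
            else:
                self.failures[c.name] += 1
                if self.failures[c.name] >= FAIL_THRESHOLD:
                    self.routable.discard(c.name)
        return sorted(self.routable)

    def pick_backend(self) -> Optional[str]:
        """Round-robin over routable chains. Returns None when no chain is
        healthy; the balancer must then fail the request rather than route
        it blindly to a chain known to be down."""
        pool = sorted(self.routable)
        if not pool:
            return None
        choice = pool[self._rr % len(pool)]
        self._rr += 1
        return choice


if __name__ == "__main__":
    # Constructed sample: chain b's cert server is down.
    a = Chain("a", lambda: True, lambda: True)
    b = Chain("b", lambda: False, lambda: True)
    lb = LoadBalancer([a, b])
    for _ in range(FAIL_THRESHOLD):
        print("routable after round:", lb.health_round())
    print("next backend:", lb.pick_backend())
```

The threshold makes the failover slower by FAIL_THRESHOLD check intervals but avoids flapping; the interval and threshold should be chosen so that the time to drop a chain stays below what clients will tolerate. Because routing changes only at health-round boundaries, a client mid-session on a chain that just failed still lands on the other chain with no session state, which is exactly the second open question above.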