Edge Router Pattern

2024-08-12

The "Edge Router Pattern" is a common way (probably the most common way) to set up web services. It looks something like this:

[Diagram: internet traffic to and from all services passes through the Edge Router (Nginx/Traefik/etc), which sits in front of the Services inside the VPN]

The "Edge Router" is the only service that is exposed directly to the internet; everything else is within your VPN/VPC/LAN.

You may want to insert one more layer, a CDN (content delivery network), between the proxy and the end user. However, this doesn't change your security barriers or fundamentally change the diagram above. Personally I prefer other optimizations.

The edge router handles SSL termination. Using SNI it knows which host is being requested and can offer the correct SSL cert. The edge router is also responsible for SSL cert renewal, automated via ACME/Let's Encrypt or done manually, and for redirecting non-SSL requests to SSL. Behind the edge router you should be within your own trusted environment, and so you send non-SSL traffic to the services. This doesn't mean that the traffic is no longer encrypted (even on a LAN it is best to keep all traffic encrypted), just that the services themselves no longer handle TLS/SSL.

The edge router should be able to handle HTTP/3 (or later, whenever that becomes a thing) and generally do all it can to optimize the latency between itself and end users. On the internal side the network path is much shorter and has much higher bandwidth, so the services can use whatever is easy for them, generally HTTP/1.1.

This way we have offloaded a lot of concerns and work from the services to the edge router. The edge router can also handle things like:

  1. Buffering of requests. Each request may consume a service thread or worker, and a large number of slow clients can make the backing services slow (as they wait on IO) even while they have plenty of resources available. Setting the edge router to buffer incoming requests can increase throughput under these conditions. It is a trade-off though: if your services are lightly or moderately loaded, choosing not to buffer may decrease end-to-end latency.
  2. Caching and/or compression of responses, offloading work from the backing services. The edge router is also probably implemented in a higher-performing language and has seen much more optimization at these tasks.
  3. Load balancing across your services (the edge router generally does this).

A note on load balancing: once you go that route (generally early on), any of your application servers needs to be able to handle a request from any of your users, or you need to implement sticky sessions (where the edge router / load balancer pins each user's session to the same application server).

You will also want to pay attention to the load balancing algorithm you use. I've seen many setups that defaulted to round robin and did not take into account whether any of the backing services were slow, overloaded, or down.
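As an added example (not from the original post), here is a minimal Nginx edge-router config that implements the points above: TLS termination with an HTTP-to-HTTPS redirect, plain HTTP to the backends inside the VPN, request buffering, compression, and a load balancer that uses least-connections with failure detection instead of blind round robin. The hostname, certificate paths (certbot's default layout) and backend IPs are placeholders.

```nginx
# Backend pool inside the VPN (placeholder addresses). least_conn replaces
# the default round robin, and max_fails/fail_timeout take a slow or down
# backend out of rotation instead of still sending it its share of requests.
upstream app_backend {
    least_conn;
    server 10.0.0.11:8080 max_fails=3 fail_timeout=30s;
    server 10.0.0.12:8080 max_fails=3 fail_timeout=30s;
    server 10.0.0.13:8080 max_fails=3 fail_timeout=30s;
    keepalive 32;    # reuse plain HTTP/1.1 connections to the backends
}

# Redirect every non-TLS request to TLS.
server {
    listen 80;
    server_name app.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name app.example.com;

    # SNI selects this block; cert/key come from your ACME client.
    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Buffer slow clients at the edge so they don't hold a service worker.
    proxy_request_buffering on;
    client_max_body_size 10m;

    # Compress responses here instead of in each service.
    gzip on;
    gzip_types text/plain text/css application/json application/javascript;

    location / {
        proxy_pass http://app_backend;      # plain HTTP inside the VPN
        proxy_http_version 1.1;
        proxy_set_header Connection "";     # required for upstream keepalive
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Retry the next backend on connection errors or 502/503 replies.
        proxy_next_upstream error timeout http_502 http_503;
    }
}
```

Validate with `nginx -t` before reloading; the `max_fails` counter only trips on the conditions listed in `proxy_next_upstream`, so a backend that answers slowly but successfully stays in rotation unless you also add `timeout` there, as above.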

Another misconfiguration I've seen is services going outside the secure network, to the internet, and then back in via the edge router to talk to another, should-be-local service. That is potentially insecure, exposes additional data to the internet, increases bandwidth costs and adds a dramatic amount of latency.

There are many ways to handle this: a local (in-VPN) DNS server, editing each service's hosts file, or using something like Consul. For small to medium setups I prefer using IP addresses directly — they can be a little awkward to use but they are the lowest latency option.

While we are on DNS, another handy trick is to add a wildcard DNS entry pointing at your edge router. This way, whenever you need to add a new, externally visible service, you can do so without editing DNS. So for example set up *.example.com, and then when you need static.example.com or img.example.com they are already set up.

Also, if you use the DNS-01 challenge type you can set up matching wildcard SSL certs via Let's Encrypt.

There is a variety of software available that can act as an edge router; my favorites are Nginx and Traefik.

And finally, WireGuard makes a great VPN.