28th August

in AWS and Azure

Load balancing UDP on EC2

Posted by Ben Cabot

I had been tasked with finding a way to load balance UDP on AWS. Normally we would use ipvsadm in at layer 4 DR but because of the limitations in EC2 this is not possible so another method was needed.
So this is a short guide on how to get a simple UDP load balancer running. We will be using pen, it is described as a simple tcp load balancer and has been around for a while.

UPDATE: Our current version of Enterprise AWS for EC2 now fully supports UDP load balancing in high performance layer 4 NAT mode.

Even though it is described as a TCP loadbalancer the Zen loadbalancer project has written a patch which will allow pen to load balance UDP which you can download from  http://sourceforge.net/projects/zenloadbalancer/files/zenlb_pen_c.patch/

Once you have downloaded the source code, patch and uncompressed them in the same folder you will need to apply the patch by simply running.

root@penudp:~/pen-0.18.0# patch pen.c zenlb_pen_c.patch

From here it is just the normal build.

make install

And that’s it, so now if we run pen we see it now has UDP support.

root@penudp:~/pen-0.18.0# pen
pen [-C addr:port] [-X] [-b sec] [-S N] [-c N] [-e host[:port]]
[-t sec] [-x N] [-w dir] [-HPWadfhrs]
[-o option]
[-E certfile] [-K keyfile]
[-G cacertfile] [-A cacertdir]
[-Z] [-R] [-L protocol]
[host:]port h1[:p1[:maxc1[:hard1[:weight1[:prio1]]]]] [h2[:p2[:maxc2[:hard2[:weight2[:prio2]]]]]] ...

-B host:port abuse server for naughty clients
-C port control port
-T sec tracking time in seconds (0 = forever) [0]
-H add X-Forwarded-For header in http requests
-U use udp protocol support

Now to test this I have just brought up a couple of DNS servers running bind.
These have the address and So we start pen by running:

root@penudp:/# pen -r -U 53

This will start pen listening on port 53 and balance the servers and in round robin mode.

We can then check its running with:

root@penudp:/# netstat -tnulp | grep pen
udp 0 0* 29661/pen

To test it is working I have enabled logging on the DNS servers and will use dig and specify the pen server as the name server.

root@penudp:/# dig @ bbc.com
root@penudp:/# dig @ microsoft.com

Then looking at the bind logs we can see that the connections are being correctly made to each server.

ben@bindd1:~$ tail -n 1 /var/log/syslog
Aug 22 12:42:57 bindd1 named[1372]: client query: bbc.com IN A +E (
root@bind2:/home/ben# tail -n 1 /var/log/syslog
Aug 22 12:43:07 bind2 named[6827]: client query: microsoft.com IN A +E (

About the author

Ben Cabot

Ben is our Amazon AWS expert continually working to find new ideas that we can add to our ENTERPRISE AWS product.
When out of the office he is normally found floating around on a kayak or at the lake fishing.

Live chat