Understanding SLB: How Server Load Balancing Modes Work and Their Packet Flows

1. Background of SLB

SLB (Server Load Balancer) distributes client requests among multiple servers using a virtual IP (VIP). It balances traffic according to algorithms, preventing overload and improving service efficiency.

Clients see only the VIP; real server IPs are hidden.

2. Three Transmission Modes of SLB

Difference between Layer 4 and Layer 7 SLB:

Layer 4 SLB works at TCP/UDP level, establishing connection with the real server after the three‑way handshake.

Layer 7 SLB works at HTTP/FTP/HTTPS level, forwarding only after receiving application‑layer packets.

SLB operates in three modes:

Reverse proxy mode

Transparent (pass‑through) mode

Triangle mode

3. Reverse Proxy Mode

In this mode the load balancer acts as a reverse proxy: client requests reach the balancer, which records packet details, rewrites the destination IP to the selected real server, and changes the source IP to the balancer’s downstream interface before forwarding.

The real server replies to the balancer, which then rewrites the source back to the VIP and forwards the response to the client.

Packet capture shows the TCP three‑way handshake between client and balancer, followed by HTTP request forwarding to the chosen real server (e.g., 172.16.75.82) and response translation back to the client.

Because the client IP is hidden from the real server, adding an X‑Forwarded‑For header is recommended.

4. Transparent (Pass‑Through) Mode

Here the real server does not see the balancer; the client’s IP is preserved. The balancer forwards the packet unchanged to the selected real server, which replies directly to the client. The balancer only rewrites the source IP to the VIP when forwarding the response.

Packet captures illustrate unchanged client IP in the request and response paths.

5. Triangle Mode

In triangle mode the balancer selects a real server and forwards the packet based on MAC address while keeping the VIP as the source IP on the server’s loopback interface. The server replies directly to the client; the balancer does not modify the returning packet.

Packet captures show TCP handshake and HTTP exchange following this pattern. This mode is suitable for scenarios with heavy downstream traffic from server to client.

Requirements: the real server must have a route to the client and the VIP must be configured on its loopback interface.

6. Summary

Reverse proxy mode offers higher security by allowing firewall rules based on the balancer’s IP and by using X‑Forwarded‑For. Transparent and triangle modes have different trade‑offs regarding client IP visibility and performance.