0

I stumbled upon a YT video (5 mins) which explains that there's technically no limit to the number of connections that can be opened between the clients and servers even if there's a reverse proxy between them. I see that at max 64k connections can be opened b/w the reverse proxy and one of the backend servers (assuming that the backend server listens on a single port for now).

The video mentions that 64k is the limit for an L4 proxy and that's why an L4 proxy is not scalable. What does "not-scalable" mean here? It also mentions that we cannot reuse the same TCP connection for anything else, why so? After the inception of HTTP/2.0 we can use the same TCP connection to send all kinds of HTTP requests, so why can't the L4 proxy just do the same? Why can't it forward all the traffic that it has to send to a given backend server through one single TCP connection? It just has to replace the older TCP and IP header with the new header (with the new source IP as itself and the new destination IP as one of the backends, and similarly replace the ports as well). It doesn't have to seek into the HTTP frames for anything at all. Let me know if I'm incorrect in my understanding. Also, why is the L4 connection to the backend called "stateful"?

AFAIK, a L7 proxy just gets to the HTTP frames and extracts the request body and finds which exact backend to forward request to. What extra intelligence does it have to use the same TCP connection to forward all kinds of requests that an L4 proxy doesn't have?

The only difference that I see b/w L4 and L7 is that L4 doesn't get into the detail of what is inside the HTTP request while L7 is aware of that.

asn
  • 131

2 Answers

2

What does "not-scalable" mean here?

Has a limited number of TCP connections to the backend which can not be exceeded.

... we cannot reuse the same TCP connection for anything else, why so?

There is a 1:1 relation between active connections from clients to the L4 proxy and connections from the proxy to the backend. Data are forwarded on these connections w/o further interpretation. A connection from proxy to backend gets closed at the same time the connection between client and proxy gets closed. One can use the same source port after that (but only with some delay), but this is not a connection reuse - it is a new connection with the same port/IP tuple (but probably different sequence numbers).

After the inception of HTTP/2.0 we can use the same TCP connection to send all kinds of HTTP requests so why can't the L4 proxy just do the same?

Because L4 means transport layer only (TCP, UDP) and there is no concept of HTTP, requests etc. at this level. The only way is to forward the data as they are. Note that L4 proxies can not only be used for HTTP but also for SSH etc., i.e. protocols which do not even have the concept of a request like HTTP does.

it just has to replace the older TCP and IP header with the new header

An L4 proxy does not tunnel the original IP and port but replaces it with a new IP and port from the system where the proxy is running on. It cannot just replace source IP and port in a running TCP connection - that's not how TCP works.

why is L4 connection to the backend called as "stateful"?

Because it keeps an association between the external connection (client to proxy) and the internal connection (proxy to backend) - that's the state.

The only difference that I see b/w L4 and L7 is that L4 doesn't get into the detail of what is inside the HTTP request while L7 is aware of that.

An L7 proxy works at the request level and can use the same TCP connection for requests coming in from different TCP connections on the client side. An L4 proxy cannot do this.
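The 1:1 mapping and the "state" this answer describes, as an added example that is not part of the original answer: a minimal L4 TCP forwarder written with Python's asyncio. Every accepted client connection gets its own backend connection, the proxy records that pairing in a table (that table is the state), bytes are copied without being interpreted, and closing one side closes the other. The echo backend, the loopback addresses and the two demo clients are constructed for the demonstration; the backend-side source ports you see the proxy consume are the ephemeral ports that the second answer's 64k figure refers to.

```python
"""Minimal L4 (TCP) forwarding proxy showing the 1:1 client/backend pairing.

Added illustration, not code from the page. The echo backend, the loopback
addresses and the two clients are constructed for the demo.
"""
import asyncio


class L4Proxy:
    """Forwards bytes between one client connection and one backend connection."""

    def __init__(self, backend_host, backend_port):
        self.backend = (backend_host, backend_port)
        # The proxy's state: client (ip, port) -> local (ip, port) of the
        # backend-side socket that serves exactly that client.
        self.state = {}

    async def _pump(self, reader, writer):
        # Copy bytes one way without interpreting them; close the far side
        # when the near side hits EOF, so both connections end together.
        try:
            while chunk := await reader.read(4096):
                writer.write(chunk)
                await writer.drain()
        except ConnectionError:
            pass
        finally:
            writer.close()

    async def handle(self, c_reader, c_writer):
        client = c_writer.get_extra_info("peername")
        # One new backend connection per accepted client connection (1:1).
        b_reader, b_writer = await asyncio.open_connection(*self.backend)
        self.state[client] = b_writer.get_extra_info("sockname")
        try:
            await asyncio.gather(
                self._pump(c_reader, b_writer),
                self._pump(b_reader, c_writer),
            )
        finally:
            # Pairing is gone as soon as the connections are torn down.
            self.state.pop(client, None)


async def _echo(reader, writer):
    # Constructed backend for the demo: echoes whatever it receives.
    while chunk := await reader.read(4096):
        writer.write(chunk)
        await writer.drain()
    writer.close()


async def _demo():
    backend = await asyncio.start_server(_echo, "127.0.0.1", 0)
    backend_port = backend.sockets[0].getsockname()[1]
    proxy = L4Proxy("127.0.0.1", backend_port)
    front = await asyncio.start_server(proxy.handle, "127.0.0.1", 0)
    front_port = front.sockets[0].getsockname()[1]

    # Two clients connected at the same time through the proxy.
    clients = [await asyncio.open_connection("127.0.0.1", front_port) for _ in range(2)]
    replies = []
    for i, (reader, writer) in enumerate(clients):
        writer.write(f"hello-{i}\n".encode())
        await writer.drain()
        replies.append((await reader.readline()).decode().strip())

    # Snapshot of the proxy's state while both clients are still open:
    # two pairings, each with its own ephemeral source port towards the backend.
    concurrent = len(proxy.state)
    backend_ports = {addr[1] for addr in proxy.state.values()}

    for _, writer in clients:
        writer.close()
        await writer.wait_closed()
    # Give the proxy a moment to tear down the paired backend connections.
    for _ in range(100):
        if not proxy.state:
            break
        await asyncio.sleep(0.02)
    remaining = len(proxy.state)

    front.close()
    backend.close()
    await front.wait_closed()
    await backend.wait_closed()
    return {
        "replies": replies,
        "concurrent_backend_connections": concurrent,
        "distinct_backend_source_ports": len(backend_ports),
        "remaining_after_clients_close": remaining,
    }


def run_demo():
    """Runs the demo and returns the observed numbers."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    print(run_demo())
```

Nothing in `_pump` looks at the payload, which is why the same forwarder would work for SSH or any other TCP protocol, and also why it has no way to put a second client's bytes onto an already-open backend connection: it does not know where one request ends and the next begins.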

2

The root of your misunderstanding is perhaps understanding the nature of a connection, which is done using an ephemeral port.

The upstream server can handle only 64k connections from the same client because 64K is the limitation of the ephemeral port range at the client side.

Here is an example of how you may assign more than 64K connections:

But you can assign several IP addresses to the same private interface of your load balancer and force the server to use them in a round-robin fashion.

You can define several networks on the same interface of load balancer, for example:

  • 192.168.1.1,
  • 192.168.2.1,
  • 192.168.3.1

And define corresponding extra IP addresses at upstream server:

  • 192.168.1.2,
  • 192.168.2.2,
  • 192.168.3.2.

With the following upstream configuration, the load balancer will pass requests to the same upstream server while using different IP addresses:

upstream ipproxy {
  server 192.168.1.2:some-port;
  server 192.168.2.2:some-port;
  server 192.168.3.2:some-port;
}

The load balancer will be forced to use different IP addresses, thus allowing you to bypass the 64k connection limitation and achieve 192k connections.

harrymc
  • 498,455
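The port accounting behind the 64k figure and the multi-IP trick in this answer, as an added model that is not code from the answer or from nginx. Each outbound connect() needs a 4-tuple (source IP, source port, destination IP, destination port) that is not already in use, so the pool of free ephemeral ports is effectively per (source IP, backend IP, backend port); adding proxy-side IPs adds pools. The addresses are the ones from the answer; the port range defaults to Linux's usual ip_local_port_range of 32768-60999 (so one pool holds 28232 ports rather than the round 64k quoted above, and the answer's 64k/192k figures are reproduced by passing a full 16-bit range); the routing rule (use the proxy IP in the same /24 as the backend) and the round-robin backend selection are assumptions of the model.

```python
"""Model of ephemeral-port exhaustion towards one backend and of the extra
capacity gained by giving the proxy several source IP addresses.

Added illustration, not code from the page or from nginx. Addresses are the
ones in the answer; the port range defaults to Linux's usual
ip_local_port_range (32768-60999); the routing rule (pick the proxy IP in the
same /24 as the backend) and round-robin selection are assumptions.
"""
import ipaddress
from collections import deque
from itertools import cycle

DEFAULT_PORT_RANGE = (32768, 60999)  # Linux default ip_local_port_range


class ConnectionTable:
    """Hands out ephemeral ports the way a connect() must: the 4-tuple
    (src_ip, src_port, dst_ip, dst_port) has to be unique, so the pool of
    free ports is kept per (src_ip, dst_ip, dst_port)."""

    def __init__(self, local_ips, port_range=DEFAULT_PORT_RANGE):
        self.local_ips = [ipaddress.ip_address(ip) for ip in local_ips]
        self.lo, self.hi = port_range
        self.free = {}       # (src_ip, dst_ip, dst_port) -> deque of free ports
        self.active = set()  # established 4-tuples

    def source_ip_for(self, dst_ip):
        # Routing assumption: the local IP that shares a /24 with the backend.
        for ip in self.local_ips:
            if ipaddress.ip_network(f"{ip}/24", strict=False) == \
               ipaddress.ip_network(f"{dst_ip}/24", strict=False):
                return ip
        raise ValueError(f"no local IP routes to {dst_ip}")

    def connect(self, dst_ip, dst_port):
        dst_ip = ipaddress.ip_address(dst_ip)
        key = (self.source_ip_for(dst_ip), dst_ip, dst_port)
        pool = self.free.setdefault(key, deque(range(self.lo, self.hi + 1)))
        if not pool:
            raise OSError(f"EADDRNOTAVAIL: all {self.hi - self.lo + 1} ephemeral "
                          f"ports from {key[0]} to {dst_ip}:{dst_port} are in use")
        conn = (key[0], pool.popleft(), dst_ip, dst_port)
        self.active.add(conn)
        return conn

    def close(self, conn):
        # A closed connection returns its port to the pool (TIME_WAIT ignored).
        self.active.discard(conn)
        self.free[(conn[0], conn[2], conn[3])].append(conn[1])


def fill_until_exhausted(proxy_ips, upstream, port_range=DEFAULT_PORT_RANGE):
    """Open connections round-robin over `upstream` (list of (ip, port)), as
    a load balancer with that upstream block would, until a connect() fails.
    Returns (connections_opened, {backend: count})."""
    table = ConnectionTable(proxy_ips, port_range)
    counts = {backend: 0 for backend in upstream}
    for backend in cycle(upstream):
        try:
            table.connect(*backend)
        except OSError:
            return sum(counts.values()), counts
        counts[backend] += 1


if __name__ == "__main__":
    one_ip = fill_until_exhausted(["192.168.1.1"], [("192.168.1.2", 8080)])
    three_ips = fill_until_exhausted(
        ["192.168.1.1", "192.168.2.1", "192.168.3.1"],
        [("192.168.1.2", 8080), ("192.168.2.2", 8080), ("192.168.3.2", 8080)],
    )
    print("one proxy IP, one backend IP:", one_ip[0])
    print("three proxy IPs, three backend IPs:", three_ips[0])
```

Because the pool is keyed on the whole destination as well, the model also shows that the cap applies per backend IP and port: the same source port can be in use towards 192.168.1.2:80 and 192.168.1.2:443 at once, and a port freed by `close()` is immediately reusable here, whereas a real kernel keeps it in TIME_WAIT for a while (the "only with some delay" in the first answer).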