The ABCs Of ADCs - Fortinet


White Paper: ABCs of Application Delivery Controllers

The ABCs of ADCs
The Basics of Server Load Balancing and the Evolution to Application Delivery Controllers

Introduction

Whether you need to expand an application from one server to two or need to deliver an application to millions of users across the globe, you’re going to need an application delivery controller (ADC). ADCs provide the basic application scalability, availability and reliability of earlier server load balancers and include advanced features for today’s dynamic, content-rich applications like hardware-based secure traffic acceleration, HTTP compression and virtual environment integration.

Every ADC is a server load balancer first, with advanced features layered on top of that core. So what is a server load balancer?

Figure: Application Delivery Controller. At its core, every ADC is first and foremost a server load balancer. ADCs build on this with advanced features that support today’s complex application environments.

Server Load Balancer:
- Layer 4 network routing (TCP/UDP)
- Basic server health checks
- Session persistence
- HTTPS traffic management

Advanced Features:
- Layer 7 intelligent routing
- Global Server Load Balancing
- Scripting/automation
- Link Load Balancing
- SSL offloading
- HTTP compression

Business Challenges: application availability, application scalability, application performance, business continuity, data center cost reduction.

Segments: small business, medium business, enterprise, data center, MSP.

www.fortinet.com

The Basics of Server Load Balancing

As websites began to see increased traffic in the mid-1990s, single servers were reaching their limits to handle the capacity. Additional servers were required to expand applications, along with technologies to make it appear to end users that they were accessing a single server.

The first method to address this scalability was DNS resolution, also referred to as “round-robin DNS”. This method assigns a group of unique internal IP addresses of servers behind a firewall to a single DNS name. When a user requested a resolution of a website name, the DNS server would respond with multiple addresses in order, for example 10.1.0.10, 10.1.0.11 and 10.1.0.12. The next request made to the DNS server would be supplied the same addresses, but rotated so that the second server would be first (10.1.0.11, 10.1.0.12 and 10.1.0.10). The DNS server would continue to rotate through the servers for each sequential response.

Round-robin DNS was a simple solution that solved the issue of scalability by allowing an almost limitless number of servers to be added to a DNS name. However, without any capability to know the status of the server on the receiving end of the request, users could be sent to a server that was down or overloaded.

Soon many software-based approaches to load balancing became available to address the issue of server availability, usually as part of an operating system or application software. These systems created clusters of servers that were constantly in contact with one another to share information on server status, connections and other data, providing a form of server health-checking. Connection requests would be handed to the first available server, which would then route them to the best available one (either itself or another server in the cluster). This worked well for smaller applications with fewer than 10 servers. Larger applications saw dramatic performance decreases with each new server because of the continuous need for servers to stay in contact with each other. This limited capacity, combined with proprietary software, led to the need for a new solution that could reliably scale and support multiple applications.

The Hardware-based Load Balancer

Beginning in the late 1990s, manufacturers introduced the first hardware-based load balancing appliances. By separating load balancing from the applications themselves, the appliances could rely on network-layer techniques like network address translation (NAT) to route inbound and outbound traffic to servers. Another key component that was introduced was server health-checking. At predefined intervals, the load balancer would check the status of each server to determine whether it was available and what its traffic load was. If a server was down, traffic would be directed to operational servers. If a server was overloaded, traffic would be redirected away from it until it was back below the set thresholds for receiving new requests.

Figure: DNS-based Round Robin. Simple load balancing using rotating sequential IP addresses supplied by DNS resolution responses to client requests. Four users resolve www.example.com against three servers, 192.0.0.1, 192.0.0.2 and 192.0.0.3: User 1 receives 192.0.0.1, 192.0.0.2, 192.0.0.3; User 2 receives 192.0.0.2, 192.0.0.3, 192.0.0.1; User 3 receives 192.0.0.3, 192.0.0.1, 192.0.0.2; User 4 receives 192.0.0.1, 192.0.0.2, 192.0.0.3.
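To make the difference between the two schemes concrete, here is a small Python model written for this edition (it is not code from the white paper or from any Fortinet product). It contrasts round-robin DNS, which rotates the paper’s 10.1.0.10, 10.1.0.11 and 10.1.0.12 addresses with no knowledge of server state, against an appliance-style balancer that only hands clients to servers that passed the last health check and sit below a connection threshold. The probe function, the threshold and the hostname www.example.com from the figure are assumptions for the simulation.

```python
"""Added example (not from the Fortinet paper): round-robin DNS versus a
health-checked load balancer, using the paper's 10.1.0.10-12 addresses."""
from collections import deque

SERVERS = ["10.1.0.10", "10.1.0.11", "10.1.0.12"]


class RoundRobinDNS:
    """Answers every query with all addresses, rotated by one each time,
    with no idea whether any of them is actually up."""

    def __init__(self, addresses):
        self._order = deque(addresses)

    def resolve(self, name):
        answer = list(self._order)
        self._order.rotate(-1)  # next answer starts with the next server
        return answer


class HealthCheckedBalancer:
    """Appliance-style balancer: periodic health checks, and a client is
    only handed to a server that passed its last check and is below the
    configured connection threshold."""

    def __init__(self, servers, max_connections=100):
        self.servers = list(servers)
        self.max_connections = max_connections
        self.healthy = set(servers)
        self.connections = {s: 0 for s in servers}
        self._next = 0

    def health_check(self, probe):
        """probe(server) -> bool; run at predefined intervals (assumed)."""
        self.healthy = {s for s in self.servers if probe(s)}

    def pick(self):
        """Round-robin over servers that are up and under the threshold."""
        for _ in range(len(self.servers)):
            s = self.servers[self._next % len(self.servers)]
            self._next += 1
            if s in self.healthy and self.connections[s] < self.max_connections:
                self.connections[s] += 1
                return s
        return None  # nothing available: refuse rather than pick a dead server


def simulate(down_server, clients=6):
    """Constructed scenario: one server is down. Returns how many of the
    clients each scheme sends to it (clients use the first DNS answer)."""
    dns = RoundRobinDNS(SERVERS)
    dns_hits = sum(dns.resolve("www.example.com")[0] == down_server
                   for _ in range(clients))
    lb = HealthCheckedBalancer(SERVERS)
    lb.health_check(lambda s: s != down_server)
    lb_hits = sum(lb.pick() == down_server for _ in range(clients))
    return dns_hits, lb_hits
```

With one of three servers down, round-robin DNS still sends a third of new clients to it, while the health-checked balancer sends none and returns None instead of a dead server when nothing is available.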

Figure: Hardware-based Load Balancing. A dedicated server load balancing appliance that uses network-layer routing to manage multiple servers (192.0.0.11, 192.0.0.12 and 192.0.0.13) behind a single external IP address, 192.0.0.1, for clients. Users 1 to 4 simply type in the URL of the site managed by the ADC; the DNS resolves only to one IP, in this example 192.0.0.1.

Applications could now scale and users would have reliable connections. The only limiting factor was the capacity of the hardware itself. In most cases, organizations that migrated from DNS-based or software load balancing saw an average 25% increase in server performance, reducing the need to add new servers to add more capacity.

The Application Delivery Controller

Simple load balancing is no longer sufficient to meet the basic needs of most organizations. Today web servers aren’t just delivering static content, they’re delivering dynamic, content-rich applications. Businesses are using web-based applications to deliver mission-critical functionality to employees and customers.

Over the past 10 years load balancers have evolved into Application Delivery Controllers (ADCs). These new devices understand application-specific traffic and can optimize application server performance by offloading many of the compute-intensive tasks that would otherwise bog down CPUs that could be better occupied elsewhere. A common comparative analogy used to describe the role of SLBs is to compare them to a “network traffic cop”. We’ll use this analogy to describe the incremental advantages of an ADC over a server load balancer.

Hardware-based load balancers with network-level traffic management were the forerunners of modern application delivery controllers.

Intelligent Load Balancing

When a car is disabled on an interstate highway, a traffic cop will direct cars around the disabled lane. Similarly, an SLB can direct network traffic away from a slow or disabled server. But the highway, much like the data center, is only a means to an end. What’s really important to you is the destination (or the “application”, in data center terms). And every destination is unique, each with its own priority and value to the data center operators and the users accessing applications.

For example, you may take a different route to get to your office than you do to your grocery store. And getting to the office in a timely manner probably has a higher priority. When you get into your car, you want to get to your destination as expediently as possible. What we need today is a traffic cop who can not only clean up the congestion after it happens, but can actually prevent the traffic jam from occurring in the first place. That’s the role of the application delivery controller. In addition to load balancing traffic, what distinguishes ADCs from server load balancers is their ability to route users to their application and content destinations efficiently and intelligently, based on business priorities and goals.

Referring to the analogy above, imagine the ADC is the ultimate traffic cop; one who would not only redirect you around the disabled lane, but would know where you were going, take into consideration the time of day, and know where the location is within the surrounding city. With that information, he would give you directions that would take you directly to your destination, bypassing stoplights, construction and any delays along the way.

Figure: Intelligent Load Balancing. ADCs use layer-7 content inspection to determine the type of packet and then can route it to the server that is configured to handle that type of traffic. Health-checking: although part of basic load balancing, ADCs use additional methods like custom PHP scripting to determine the status of a server and redirect traffic to other servers. In this example Users 1-3 (website traffic) are directed to Web Server 2 (available) because the primary Web Server 1 is offline. L7 Routing: User 4 is using an email client and needs to get to the mail server. The ADC can automatically determine the application type of the packet and send it to the mail server.

Applying this analogy to users requesting applications and content from a data center, an advanced ADC will route users to destination servers based on a variety of criteria that the data center manager implements using policies and advanced application-layer knowledge to support business requirements. And, much like our example traffic officer, an advanced ADC will ensure that users get to the applications based on their specific needs while protecting the network and applications from security threats.

Intelligent load balancing provides administrators the capability to create rules that route traffic based on business rules and network traffic conditions.

Advanced Features of an ADC

Among the advanced acceleration functions present in modern ADCs are SSL offloading technology, data compression, TCP and HTTP protocol optimization and virtualization awareness.

Much in the same way that a highway commuter lane has fewer cars with higher occupancy to reduce congestion, advanced ADCs offload servers by reducing the bandwidth utilization required to deliver application data from the data center to the desktop. ADCs offer compression to remove non-essential data from traversing network links. This helps to deliver maximum bandwidth utilization to support more traffic and avoids the need for network upgrades.

By offloading and accelerating SSL encryption, decryption and certificate management from servers, ADCs enable web and application servers to use their CPU and memory resources exclusively to deliver application content and thus respond more quickly to user requests. Our smarter traffic cop comes to the rescue again, this time eliminating distractions that prevent you from concentrating on the driving tasks at hand.

Web-based applications consist of a variety of different data objects which can be delivered by different types of servers. ADCs provide application-based routing using file types to direct users to the server (or group of servers) that is set up to handle their specific information

requests, such as ASP or PHP applications. User requests can be routed to different servers by sending requests for static file types (jpg, html, etc.) to one server group, and sending user requests for dynamic data to other servers optimized for that purpose. Like the ultimate traffic cop, the ADC knows the optimal path for each destination.

Transaction-based applications require connections to the same server in order to operate correctly. The best-known example of this is the “shopping cart” problem: you establish a session with one server to add an item to your cart and are then load balanced to a different server to check out. If you don’t have a persistent connection to the original server, you’ll find your cart is empty.

ADCs use session state with HTTP headers and cookies to ensure that users and servers remain “persistent”. The ADC uses the cookie within the HTTP header to ensure that users continue to be directed to the specific server where the session state information resides. Without this capability, if the user went to a different server, the previous transaction history would be lost, and the user would need to start the transaction over. Once again, the ultimate traffic cop saves the day by understanding the application, network conditions and your priorities.

Advanced features like SSL offloading, HTTP compression and content-aware routing separate ADCs from basic load balancers.

Global Server Load Balancing for ADCs solves the complex problem of scaling applications across multiple data centers for disaster recovery or to improve application response times for geographically dispersed users. Using a DNS-based approach combined with configurable business rules, user requests are resolved to the closest, best performing or lowest-cost data centers. If a data center is down due to a natural disaster or planned maintenance, users are automatically routed to a different data center until the primary data center is back online.

Link Load Balancing intelligently manages multiple wide area network (WAN) links to the internet from the ADC to improve application response times, reduce bandwidth needs and provide redundancy should a link fail. If an internet connection becomes congested or is offline, traffic is automatically routed to the remaining links.

Figure: SSL Offloading and Compression. ADCs offer the ability to offload SSL encryption/decryption and reduce bandwidth needs by compressing HTTP content. SSL/HTTPS Offloading: ADCs can offload the processor-intensive SSL encryption and decryption from servers, freeing them up to serve the applications they were designed to. Here Users 1 (e-commerce) and 2 (secure mail) are both using SSL connections to the ADC (gold), and the ADC in turn converts the traffic to HTTP between it and the E-commerce Web Server and Mail Server (green). HTTP Compression: Users 3 and 4 are both accessing content-rich websites from the Web Server. The content is sent to the ADC (red), compressed for delivery to these users (blue) and decompressed using Gzip in their web browsers.
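The file-type routing and cookie-based persistence described above, as an added Python model written for this edition (not code from the white paper or from any Fortinet product): static file types go round-robin to one pool, requests for dynamic content go to another pool and are pinned to a server by a cookie, and a pinned session is moved only when its server fails a health check. The server names, the cookie name ADC_SRV, the probe function and the /cart/ paths are constructed for the illustration.

```python
"""Added example (not from the Fortinet paper): an ADC-style dispatcher that
routes requests by file type, keeps a shopping-cart session persistent with a
cookie, and re-routes that session only when its server fails a health check.
Server names and the cookie name are constructed for this illustration."""
from http.cookies import SimpleCookie

STATIC_EXT = (".jpg", ".png", ".gif", ".css", ".js", ".html")
COOKIE = "ADC_SRV"  # hypothetical persistence cookie inserted by the ADC


class Adc:
    def __init__(self, static_pool, dynamic_pool):
        self.pools = {"static": list(static_pool), "dynamic": list(dynamic_pool)}
        self.healthy = set(static_pool) | set(dynamic_pool)
        self._rr = {"static": 0, "dynamic": 0}

    def health_check(self, probe):
        """probe(server) -> bool; run at predefined intervals (assumed)."""
        self.healthy = {s for pool in self.pools.values()
                        for s in pool if probe(s)}

    def _round_robin(self, pool):
        servers = self.pools[pool]
        for _ in range(len(servers)):
            s = servers[self._rr[pool] % len(servers)]
            self._rr[pool] += 1
            if s in self.healthy:
                return s
        return None  # whole pool down

    def route(self, path, cookie_header=""):
        """Layer-7 decision for one request: returns (server, set_cookie)
        where set_cookie is the Set-Cookie value to add, or None."""
        if path.lower().endswith(STATIC_EXT):
            return self._round_robin("static"), None  # static: no persistence
        jar = SimpleCookie(cookie_header)
        pinned = jar[COOKIE].value if COOKIE in jar else None
        # Honour the cookie only for a server this ADC owns and that is up:
        # a stale or tampered cookie must not steer the user anywhere else.
        if pinned in self.pools["dynamic"] and pinned in self.healthy:
            return pinned, None
        server = self._round_robin("dynamic")
        return server, (f"{COOKIE}={server}" if server else None)
```

The check that the cookie names a server the ADC actually owns is what keeps a forged or stale cookie from selecting an arbitrary host; when the pinned server drops out of the healthy set the session is re-balanced and a fresh cookie is issued.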

Figure: Global Server Load Balancing. Multiple datacenter traffic management for disaster recovery and reduced application response times. Intelligent Global Routing: each ADC actively communicates with the others to provide up-to-the-minute status on the datacenter and the servers behind each ADC (dotted red). Disaster Recovery: in this example, Datacenter 1 is offline while Datacenters 2 and 3 are available. Users of Datacenter 1 would automatically be routed to other data centers, here to Datacenter 2 (orange). Improved Response Times: users are routed to the closest datacenter. Here the user in Australia is routed to Datacenter 3 in Asia (green) and users in Europe and the Middle East are routed to Datacenter 2 (blue).

Finally, today’s ADCs need to operate in and manage virtual environments. Advanced ADCs offer deep resource management of virtual environments and not just basic health-checking for server availability. With this tight virtual integration, the ADC can make load balancing decisions based on the status of the virtual machines and the servers they run on.

Global Server Load Balancing and Link Load Balancing are important features for routing traffic between multiple datacenters.

The Future of ADCs

Just as ADCs have replaced server load balancers, new technologies and new application delivery needs will shape the future of the ADC. Trends in network security, SDN, device consolidation, cloud/virtualization and other future developments will impact the evolution of these devices.

Fortinet sees network security as the major factor shaping the ADC market in the coming years. As network threats continue to get more sophisticated, most of these new attacks are targeted at the applications themselves, like SQL Injection and Cross-Site Scripting. Inclusion and/or close coupling with additional security platforms like firewalls and Web Application Firewalls (WAFs) will help to minimize these risks. Most advanced ADCs have some form of security and some include basic WAF services. We expect that this trend will continue, with the ADC playing a key role in helping prevent application-layer threats.

We also see SDN as a game-changing technology that has the potential to reshape the IT industry, as well as ADCs. The adaptive, flexible environment that SDN enables will require an ADC that supports features like customized scripting and comprehensive APIs. We predict that ADCs will be a point of service and feature aggregation as opposed to a device that is subsumed by another. The ADC is a critical routing hub that is difficult to replace with another device and will continue to stand as a primary network component in the modern data center.

FortiADC Application Delivery Controllers

The FortiADC line of hardware and virtual Application Delivery Controllers provides unmatched Server Load Balancing performance, whether you need to scale an application across a few servers in a single data center or serve multiple applications to millions of users around the globe.

With included SSL Offloading, HTTP Compression, Global Server Load Balancing, Firewall and Link Load Balancing, they offer the performance, features and security you need at a single, all-inclusive price. Advanced models include 10-GE SFP ports, hardware-based SSL ASICs, dedicated management channels and dual power supplies to meet the demands of datacenter environments, with L4 throughput up to 50 Gbps.

FortiADCs include:
- Advanced server load balancing for scalability and resilience of your infrastructure by distributing application load over multiple servers.
- Caching of static content to reduce the load on the server and network infrastructure, increasing application responsiveness and reducing delivery delays.
- Dynamic HTTP Compression to accelerate network performance without using vital server resources.
- Hardware and software-based SSL Offloading to reduce the performance impact on your server infrastructure.
- Link Load Balancing to distribute traffic over multiple ISPs to increase resilience and reduce the need for costly bandwidth upgrades.
- Global Server Load Balancing to manage traffic across multiple geographical locations for disaster recovery and improved application response times.

FortiADC Benefits

When you choose a FortiADC for your application delivery needs you’ll be guaranteed the security, performance and interoperability you need today and in the future.

Security: Fortinet is a leader in network security and unified threat management. Our FortiADC products build on that expertise to ensure your applications and users are protected from the latest network and application threats.

Performance: All of Fortinet’s appliances and virtual products are built to perform. Our latest FortiADC appliances offer up to 50 Gbps of L4 throughput for data center and MSP environments.

Interoperability: When you buy a FortiADC, you get an integrated application delivery solution. All our products are designed to leverage and seamlessly interoperate with other Fortinet products and services like FortiGate, FortiManager and FortiAnalyzer. We optimize and test our products to minimize bottlenecks and increase overall performance between platforms when used together in a secure application delivery network.

Figure: FortiADC Application Delivery Appliances. With Layer-4 throughput starting at 2.7 Gbps through to 50 Gbps, Fortinet has an ADC to meet the needs of almost any application.

Summary

Server load balancing grew out of the need to scale websites in the 1990s and is the foundation of today’s modern application delivery controller. Building on this core of server load balancing, the adva
