Application availability and scalability are no longer enough. Today’s enterprises require an integrated solution that also delivers the highest levels of security, performance and adaptability for their business critical Web applications.
Early-generation server load balancing technology has proven to be an invaluable asset, especially for organizations hosting widely utilized Web applications. By operating as a virtual entry point to such applications, load balancing provides an opportunity to execute a variety of algorithms for splitting the processing load among back-end servers. In addition, periodic polling to establish the status of participating nodes can be used not only to fine tune the load distribution but also to avoid directing traffic to servers that are actually offline. In other words, server load balancers (SLBs) are a simple yet highly effective means to scale an application environment while simultaneously ensuring its availability.
Time marches on, however. Business requirements evolve, as do the processes and technologies used to fulfill them. In fact, the following are just a handful of the key changes and trends that have taken hold since SLBs were first introduced:
What these changes and trends expose is the need for enterprises to step up from a simple load balancing solution to a more comprehensive application delivery solution—a solution that addresses not just scalability and availability of the application environment, but application performance, security and adaptability as well. Accordingly, this paper is intended to serve as a guide for organizations looking to replace their early generation SLBs. Details on the top eight criteria to use during an evaluation process are provided, along with numerous examples of how Citrix® Citrix ADC® meets and often exceeds the associated requirements.
Citrix ADC in a nutshell
Citrix ADC is an enterprise-class solution for server and global server load balancing. However, it is much more than that. Because Citrix ADC also incorporates comprehensive application performance and security functionality, it is appropriately classified as a full-featured Application Delivery Controller. A market-proven solution, Citrix ADC is used by eight out of the 10 largest Web sites, with an estimated 75 percent of Internet users hitting a Citrix ADC daily.
8 must have features for today’s network demands
These days, placing greater emphasis on enhancing application performance, security and adaptability is indeed appropriate. By no means, however, does this obviate the need to address fundamental requirements pertaining to application availability and scalability. To ensure these baseline objectives are met, it is recommended that organizations begin their evaluation of an SLB replacement by considering the presence and strength of the feature sets for layer 4 (L4) load balancing, layer 7 (L7) content switching and other L7 traffic management functionality, and global server load balancing.
The ability to direct traffic based on L2-L4 information (e.g., MAC/IP address and TCP port) should be considered a prerequisite for all load balancing solutions. Related functionality that should also be present is concerned with health monitoring, session persistence and network integration.
A leading solution such as Citrix ADC can be identified by its superior breadth of coverage, measured in terms of the protocols that are supported (e.g., TCP, UDP, FTP, HTTP, HTTPS and SIP), the load balancing options and algorithms that are available to choose from (e.g., round robin, least packets, least bandwidth, least connections, response time, SNMP monitoring of back-end resources) and the scope of health attributes that can be monitored. Having the option to deploy the solution using purpose-built appliances, virtual appliances or a combination of both is also an important characteristic when it comes to fitting in.
Also referred to as content switching, L7 load balancing is essentially an extension of the traffic distribution, health monitoring and session persistence capabilities discussed above. The difference is that routing decisions can also be based on application layer data and attributes, such as HTTP header, uniform resource identifier, SSL session ID and HTML form data. This difference enables more-efficient utilization of resources because all of the services and components of an application no longer need to be implemented on all of the server nodes. As a result, each physical system can now be tailored to the functions it will be supporting.
When evaluating solutions against this criterion, emphasis should be placed on the breadth and depth of L7 load balancing and content-switching policies that can be established, as well as the ease with which they can be constructed or configured. Organizations should also consider the value of a variety of advanced L7 content features not strictly associated with distributing traffic. For example, Citrix ADC enables content to be rewritten (e.g., to mask sensitive data) and includes a responder module for configuring custom responses (e.g., redirects, error messages) to specified types of inbound requests.
The general concept of global server load balancing is to extend the core L4 and L7 capabilities so that they are applicable across geographically distributed server farms. The primary objective is to provide an additional degree of availability by accounting for site level disruptions and outages. Secondary benefits include: (a) being able to further enhance performance for remote users by routing their sessions to the closest or best-performing datacenter; and (b) being able to balance and optimize resource utilization on an enterprise wide basis.
Unlike many other solutions on the market, Citrix ADC incorporates global server load balancing as an optional feature. A separate, standalone device is not required. Citrix ADC’s other distinct advantage, once again, is that it offers an extensive array of options when it comes to the site level health attributes that can be monitored, as well as the mechanisms and algorithms that can be used to distribute sessions among an organization’s different datacenters.
The point has already been made that simple, early generation load balancers are not sufficient. Overall, they leave organizations in the undesirable position of having to acquire and implement an additional set of products to achieve adequate levels of application performance and security. The deficiencies in these early load balancers also explain why leading industry analysts strongly encourage organizations to embrace advanced Application Delivery Controllers (ADCs) when replacing their server load balancers. The intent with ADCs in general, and Citrix ADC in particular, is to have a single device that incorporates not just a core set of load balancing capabilities but a comprehensive set of application performance and security services as well. The next two sections elaborate on what this means in terms of specific functionality.
Compensating for obvious deficiencies and otherwise enhancing application performance can be a tricky proposition. Sub-optimal application performance can be the result of resource constraints at virtually any point in the path that a user’s session traverses. A few of the more likely bottlenecks are inadequate client hardware, insufficient bandwidth at either the client or server end of the connection and overloaded server infrastructure. Alternately, there can be problems with the application itself. This is frequently the case when the underlying protocols or application logic have not been optimized for operation over a wide area network. The resulting condition, referred to as chattiness, is a highly inefficient behavior whereby it takes numerous back-and-forth exchanges between client and server to complete a single, user level action.
The diversity of potential issues is why an ideal solution should incorporate an overlapping set of features that enhance application performance. These include caching, compression, TCP communications management and SSL offload.
Of course, having a comprehensive set of application acceleration features is really just table stakes. With Citrix ADC, organizations also benefit from having highly granular control over the configuration of these capabilities. This control is particularly important for caching and compression mechanisms since there are often scenarios where: (a) it is preferable to not cache certain content or (b) the use of compression incurs a greater penalty than the benefit it provides (e.g., for low-latency, high-bandwidth connections).
Pulling double duty
All of the application acceleration capabilities discussed above contribute to a significant, secondary benefit. Specifically, by offloading network and server infrastructure, these capabilities often enable organizations to make do with fewer resources, delaying the need for further investments in net - work bandwidth, routing and switching platforms, and server hardware.
As an intermediary between users and back-end resources, the SLB/ADC is also an ideal place to implement much needed security measures. Recalling the trends highlighted earlier—especially those pertaining to the evolution of threats, user mobility and inter-connectivity—it should be clear that SSL VPNs and application firewalls are two countermeasures, in particular, that deserve attention.
Aside from facilitating remote access, the benefit of having SSL VPN technology as an integral component of an ADC is that it provides fine-grained control over which users have access to which functions in which applications, and under which conditions (e.g., based on type and configuration status of the client device). When properly utilized, this capability can substantially reduce the risk of providing application access to a vast population of remote, mobile and third party users.
The shortcomings of network firewalls, which concern themselves primarily with network addresses and port-level information, are well documented. In general, they do not understand the inner workings of protocols and languages such as HTML and XML; they do not understand HTTP sessions; they cannot validate user inputs to an HTML application; they cannot filter or obfuscate sensitive data included in server responses; they cannot detect maliciously modified parameters in a URL request; and they are incapable of inspecting SSL-encrypted traffic. In contrast, it is specifically this depth of visibility and control that enables an application firewall to protect Web applications against a wide range of both known and unknown attacks.
Of course, having robust, application layer controls does not obviate the need to provide protection at other layers of the stack. This is another area where Citrix ADC outshines the competition. For example, Citrix ADC features a customized TCP/IP stack that: (a) enforces a positive security model, dropping all traffic that deviates from common guidelines for packet formation and content; and (b) prevents leakage of low level information by zeroing the unused portions of reused packets. In addition, Citrix ADC provides robust connection handling routines to automatically thwart many types of DDoS/flood attacks.
The final three criteria are what set superior application delivery solutions such as Citrix ADC apart. Although many solutions may, in fact, incorporate all of the aforementioned functional capabilities, those that fail to thoroughly address the need for a choice of platform, an integrated, modular design and unified management will not be nearly as effective and efficient as those that do.
Application delivery is substantially more compute intensive than ordinary load balancing. Not only is the scope of functionality greater, but so is the depth of processing that needs to be conducted to provide the requisite level of application visibility and control. Less clear, though, is how to account for this difference, especially in ensuring the solution is able to scale appropriately.
One key is having a platform where the hardware—and more importantly, the system level software—has been constructed and optimized explicitly for the higher-level services that define an ADC. Some of the more significant features of such a platform are:
Equally important to being able to scale, however, is being able to do so in a manner that is both affordable and agile. This is where the flexibility of the Citrix ADC system architecture has a distinct advantage, since it makes feature-complete Citrix ADC virtual appliances possible. With the addition of Citrix® Citrix ADC® VPX to the Citrix ADC product family, IT organizations have a choice. They can implement purpose-built Citrix ADC appliances to achieve maximum scalability; implement Citrix Networking VPX virtual appliances to reduce their total cost of ownership, and increase the flexibility and responsiveness of their application delivery infrastructure; or implement a combination of both platforms to achieve an optimum balance between both sets of objectives.
With Citrix Networking VPX—a full-featured virtual appliance version of Citrix ADC that can be deployed on any hardware platform running the Citrix ® Citrix Hypervisor ™ server virtualization system—there is no physical appliance to deal with. As a result, IT departments can deploy application availability, security and accelerations services on-demand, anywhere within private, hosted or cloud-based networks and datacenters. Not only is a more thorough implementation of critical application delivery services possible, but it can be done in a way that takes full advantage of virtualized servers and off-the-shelf hardware that already in place—all while facilitating the longer-term objective of having a fully dynamic datacenter.
For most organizations, having options is a firm requirement. So is having a solution that is adaptable and, therefore, future proof. Consequently, a top consideration for an SLB replacement is that it feature a modular design. This way individual capabilities (e.g., application firewall, SSL VPN) can be added as needed when the organization is ready to take the next step in the evolution of its application delivery infrastructure. Furthermore, new modules that account for ever changing conditions can be developed and implemented over time without having to resort to deploying a fleet of additional, standalone devices.
Equally important is that the modules be truly integrated components of the overall system. For instance:
Ultimately, the ability to unleash the full power of an ADC depends heavily on the strength and usability of the associated management capabilities. Three elements of the Citrix ADC solution are particularly helpful in identifying the specific features to look for when considering management capabilities.
Early generation server load balancers are tried and true solutions for improving the availability and scalability of an organization’s application infrastructure. Nonetheless, enterprises that persist in using such products run the risk of exposing themselves and their customers to increasingly poor application performance and a seemingly endless stream of application layer security threats.
One option to overcome these shortcomings would be to implement multiple standalone devices that address each of the underlying issues. However, a much more efficient and effective approach is to replace old server load balancers with new Application Delivery Controllers. These tightly integrated physical and virtual appliances not only provide core load-balancing capabilities, but also deliver the highest levels of security and performance for today’s business critical Web applications. Furthermore, the eight criteria detailed in this paper can be used to help ensure that enterprises select a solution that is truly best of breed.