NETWORK TRAFFIC LOAD BALANCING
Vendors: KEMP & A10

Table of Contents

Abstract
A10 Networks Load Balancer
    Scheduling Methods
    Options
    Routed Non-Redundant
        Network Layout Non-Redundant Routed
    Routed Redundant
        Network Layout Redundant Routed
    NAT Non-Redundant
        Network Layout Non-Redundant NAT
    NAT Redundant
        Network Layout Redundant NAT
    Non Default Setups
        Transparent setup
        One-Arm Mode
        Direct Server Return
KEMP Load Balancer
    Scheduling Methods
    Options
    NAT Non-Redundant
        Network Layout NAT Non-Redundant
    NAT Redundant
        Network Layout NAT Redundant

Abstract

This document informs the reader about the Network Load Balancing methods Leaseweb offers and supports. The setups contain load balancers from the vendors KEMP and A10 Networks, positioned as low-end and high-end respectively. For the low-end (KEMP) only one setup is available with support from Leaseweb; with the A10 Networks load balancer we offer and support multiple setups with more options. For each vendor there is a description and a drawing of each setup, scheduling method and option we support.
(We will also list the capabilities of each load balancer in a Supported / Not Supported table.)

A10 Networks Load Balancer

Scheduling Methods

The scheduling methods we support are Round Robin, Least Connection, Least Requests, Fastest Response Time, Stateless Source IP HASH, Stateless Destination IP HASH, and Stateless Source and Destination IP HASH.

Round Robin
With this method the incoming requests are distributed sequentially over the IPs/servers configured for that VIP.

Least Connection
Requests are distributed on the basis of the number of connections that every server is currently maintaining: the next request goes to the server with the fewest open connections.

Least Requests
Requests are distributed on the basis of the number of requests that every server is currently receiving.

Fastest Response Time
Requests are forwarded to the server with the fastest response time, measured with ICMP or with a Layer 4 TCP port health check.

Stateless Source IP HASH
All requests are hashed based on the source IP and placed in a so-called "bucket"; every source IP in a specific bucket is forwarded to the same server.

Stateless Destination IP HASH
All requests are hashed based on the destination IP and placed in a so-called "bucket"; every destination IP in a specific bucket is forwarded to the same server.

Stateless Source and Destination IP HASH
All requests are hashed based on the source and destination IP pair and placed in a so-called "bucket"; every source/destination pair in a specific bucket is forwarded to the same server.

Options

Transparency
This option lets you decide whether your servers see the real source IP of the requestor initiating the connection to your VIP, or the IP of the A10 Networks Load-Balancer, as the source of the request.
Advanced NAT possibilities
1-to-1 NAT, 1-to-many NAT, policy NAT.

Health Monitor
Monitor the IPs/servers in a VIP group so that a member is removed from the group when it is unavailable and added back when it is available again; monitor specific ports on the IPs/servers to check the availability of the specified service on that IP/server.

HTTP Layer 7 Modification
HTTP header insert/remove/replace, redirect, and compression per content type.

Layer 4 options and modification
Idle time-out and initial window size modification.

Persistency Options
Cookie persistency, destination IP persistency, source IP persistency, SSL session persistency.

SSL Offloading
The load balancer takes care of the SSL handshake with the client and forwards the request to the actual servers as a plain HTTP request, so that the actual servers do not carry the SSL encryption overhead.

SSL Ciphers
TLS1 RSA AES 128 bit SHA 256 bit
TLS1 RSA AES 256 bit SHA 256 bit
TLS1 RSA AES 128 bit SHA 128 bit
TLS1 RSA AES 256 bit SHA 128 bit
SSL3 RSA RC4 128 bit MD5
SSL3 RSA RC4 128 bit SHA
SSL3 RSA DES 192 bit SHA
(Of these, the SSL3 suites with RC4, DES and MD5 have since been deprecated by the IETF; the TLS1 AES suites are the ones to prefer on a VIP.)

aFlex scripting
The aFlex scripting language is based on the Tool Command Language (Tcl). It provides in-depth, granular control of inspection and redirection policies (filter, drop, and redirect).

Access-Lists
Configure non-stateful access-lists on interfaces and VIPs.

Virtual Chassis
One central control plane for both load balancers in a redundant setup.

Routed Non-Redundant

The non-redundant setup we offer contains only 1 switch and 1 A10 Networks Load-Balancer, which means there is a single point of failure: if one of the devices becomes unavailable, your platform will be down and not reachable.

The routed setup we offer and support requires an IP range of a /30 between the router and the A10 Networks Load-Balancer. On the router we route your range statically to the A10 Networks Load-Balancer. This means that the A10 Networks Load-Balancer, next to fulfilling the function of a load balancer, also has the function and capabilities of a router.
The benefit of this setup is that no NAT is needed and your servers have IPs from the internet-routable IP range, making them reachable directly on their own IPs. This does bring risk, as the servers are directly exposed to the internet. We do support access-lists on interfaces; however, this is a non-stateful filter and does not provide the same protection as a firewall. It also means that if you would like to deploy a service that needs few resources, you can do so on 1 single server without having to create a VIP on the A10 Networks Load-Balancer. Requests arriving at the VIP IP are processed by the A10 Networks Load-Balancer and forwarded, with a modified IP header, to the IPs/servers configured for that specific VIP IP. When connecting to a server IP directly, this does not happen.

Network Layout Non-Redundant Routed

Routed Redundant

The redundant setup we offer contains 2 switches and 2 A10 Networks Load-Balancers, which means there is no single point of failure: if one of the devices becomes unavailable, your platform stays online thanks to the High Availability configuration.

The routed setup we offer and support requires an IP range of a /29 between the routers and the A10 Networks Load-Balancers. The routers require 3 IPs: 1 for each router individually and 1 for the virtual IP, which acts as the gateway IP and is active on the primary/active router. If the active router fails for whatever reason, the second router takes control of the virtual IP and routes traffic. The A10 Networks Load-Balancers support the VRRP redundancy protocol; this likewise requires 3 IPs from the /29: 1 for each load balancer individually and 1 for the virtual IP, which is active on the primary/active load balancer. If the active load balancer fails for whatever reason, the second load balancer takes control of the virtual IP and forwards traffic.
Since the A10 Networks Load-Balancers each have interfaces in both the outside and the inside VLAN, a further 3 IPs are needed on the inside, assigned from the range designated for the servers/VIPs. Just like the routers, if one load balancer fails, the other A10 Networks Load-Balancer takes control of the virtual IP and acts as the active router and load balancer. On the router we route your range statically to the virtual IP of the A10 Networks Load-Balancers. This means that the A10 Networks Load-Balancer, next to fulfilling the function of a load balancer, also has the function and capabilities of a router.

The benefit of this setup is that no NAT is needed and your servers have IPs from the internet-routable IP range, making them reachable directly on their own IPs. This does bring risk, as the servers are directly exposed to the internet. We do support access-lists on interfaces; however, this is a non-stateful filter and does not provide the same protection as a firewall. It also means that if you would like to deploy a service that needs few resources, you can do so on 1 single server without having to create a VIP on the A10 Networks Load-Balancer. Requests arriving at the VIP IP are processed by the A10 Networks Load-Balancer and forwarded, with a modified IP header, to the IPs/servers configured for that specific VIP IP. When connecting to a server IP directly, this does not happen.

Network Layout Redundant Routed

NAT Non-Redundant

The non-redundant setup we offer contains only 1 switch and 1 A10 Networks Load-Balancer, which means there is a single point of failure: if one of the devices becomes unavailable, your platform will be down and not reachable.

With the NAT setup the servers have addresses allocated from the private address space (RFC 1918, Address Allocation for Private Internets).
The internet-routable range, on which your website/service is available, is configured on the uplink and is available only in the segment/VLAN between the A10 Networks Load-Balancer and the uplink router. Requests arriving at the VIP IP are processed by the A10 Networks Load-Balancer and forwarded, with a modified IP header, to the IPs/servers configured for that specific VIP IP.

Network Layout Non-Redundant NAT

NAT Redundant

The redundant setup we offer contains 2 switches and 2 A10 Networks Load-Balancers, which means there is no single point of failure: if one of the devices becomes unavailable, your platform stays online thanks to the High Availability configuration.

The NAT Redundant setup we offer and support requires an IP range of a /29 between the routers and the A10 Networks Load-Balancers. The routers require 3 IPs: 1 for each router individually and 1 for the virtual IP, which acts as the gateway IP and is active on the primary/active router. If the active router fails for whatever reason, the second router takes control of the virtual IP and routes traffic. The A10 Networks Load-Balancers support the VRRP redundancy protocol; this likewise requires 3 IPs from the /29: 1 for each load balancer individually and 1 for the virtual IP, which is active on the primary/active load balancer. If the active load balancer fails for whatever reason, the second load balancer takes control of the virtual IP and forwards traffic. Since the A10 Networks Load-Balancers each have interfaces in both the outside and the inside VLAN, a further 3 IPs are needed on the inside, assigned from the range designated for the servers/VIPs. Just like the routers, if one load balancer fails, the other A10 Networks Load-Balancer takes control of the virtual IP and acts as the active router and load balancer.
The inside VLAN IPs, however, are allocated from the private address space (RFC 1918, Address Allocation for Private Internets), which reduces the number of internet-routable addresses needed.

Network Layout Redundant NAT

Non Default Setups

The following setups we do not offer by default; a request for one of these setups needs to be reviewed before we offer support. During this review we would like to receive feedback on why the chosen setup is required.

Transparent setup
The A10 Networks Load-Balancer acts as a switch. Destination NAT is used for requests coming to the VIP, so the servers see the source IP of the client. Source NAT is used for the reply from the A10 Networks Load-Balancer to the client. The benefits of this setup are that the servers retain their current IP, stay reachable, and offer the services from their own dedicated IP. However, the implementation is hard for existing infrastructures, because the reply also has to pass through the A10 Networks Load-Balancer: since this is a Layer 2 setup, the A10 Networks Load-Balancer has to be placed between the server and router segments/VLANs.

One-Arm Mode
The A10 Networks Load-Balancer is added to the same VLAN as the servers. Source NAT is used for requests coming to the VIP, so the servers see the source IP of the A10 Networks Load-Balancer interface. Destination NAT is used for the reply from the A10 Networks Load-Balancer to the client. The benefits of this setup are that it is easy to add to the current infrastructure, the servers retain their current IP, stay reachable and offer the services from their own dedicated IP, and with this setup the A10 Networks Load-Balancer can be easily tested without

Direct Server Return
The A10 Networks Load-Balancer is added to the same VLAN as the servers. Incoming traffic passes through the A10 Networks Load-Balancer and there is no IP header modification. The reply from the server is sent directly to the router, bypassing the A10 Networks Load-Balancer.
With this setup there is no support for Layer 7 features and no SSL offloading support, and changes need to be applied to the IP stack of the servers. The benefit of this setup is higher throughput for large volumes of data going out from your servers to the client, as that traffic does not have to pass through the A10 Networks Load-Balancer on the way back to the client.

KEMP Load Balancer

Scheduling Methods

The scheduling methods we support are Round Robin, Source IP HASH and Least Connection.

Round Robin
With this method the incoming requests are distributed sequentially over the IPs/servers configured for that VIP.

Source IP HASH
All requests are hashed based on the source IP and placed in a so-called "bucket"; every source IP in a specific bucket is forwarded to the same server.

Least Connection
Neither of the two methods above takes into account how many connections each IP/server is currently maintaining. It could therefore happen that Server B is overloaded although it receives/processes fewer connections than Server A. This potential problem is avoided with the "least connections" method: requests are distributed on the basis of the connections that every server is currently maintaining.

Options

Transparency
This option lets you decide whether your servers see the real source IP of the requestor initiating the connection to your VIP, or the IP of the KEMP, as the source of the request.

Source NAT
The servers behind the KEMP are able to use the KEMP outside interface IP, or the configured VIP IP for the same port as the VIP, to reach IPs on the internet.

IP/Servers Monitoring
The KEMP monitors the IPs/servers configured for a VIP and removes an IP/server with issues from the available servers table for that VIP group, so that no requests are sent to the faulty server.
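The forwarding modes on this page (the default NAT setup with its Transparency option, the transparent setup, one-arm mode, and direct server return) differ only in which IP header fields the load balancer rewrites and which way the reply flows. The model below, added here as an example and not code from Leaseweb, A10 or KEMP, traces one request and reply through each mode using constructed RFC 5737 and RFC 1918 addresses. For every mode it reports which source address the server sees, whether the load balancer has to sit in the return path, and whether the server's IP stack must hold the VIP locally (the IP-stack change that direct server return requires).

```python
"""Packet-flow model of the deployment modes described on this page.

Added example, not Leaseweb's, A10's or KEMP's code. The addresses are
constructed values from the RFC 5737 documentation ranges and RFC 1918
private space; the mode names follow the page.
"""
from dataclasses import dataclass, replace

CLIENT = "198.51.100.7"         # constructed: client somewhere on the internet
VIP = "203.0.113.10"            # constructed: VIP on the load balancer's uplink range
LB_INSIDE = "10.0.0.2"          # constructed: load balancer interface in the server VLAN
SERVER_PRIVATE = "10.0.0.20"    # constructed: server address in the default NAT setup
SERVER_PUBLIC = "203.0.113.20"  # constructed: server that retains its own public IP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def forward_request(mode: str, pkt: Packet, transparency: bool = True) -> Packet:
    """IP header rewrite the load balancer applies to a client->VIP request."""
    if mode == "nat":
        # default setup: destination becomes the private server; the Transparency
        # option decides whether the client's source IP is kept or replaced
        out = replace(pkt, dst=SERVER_PRIVATE)
        return out if transparency else replace(out, src=LB_INSIDE)
    if mode == "transparent":
        return replace(pkt, dst=SERVER_PUBLIC)                 # DNAT only
    if mode == "one-arm":
        return replace(pkt, src=LB_INSIDE, dst=SERVER_PUBLIC)  # SNAT + DNAT
    if mode == "dsr":
        return pkt                                             # no header modification
    raise ValueError(f"unknown mode: {mode}")


def server_addresses(mode: str) -> frozenset:
    """Addresses the server's IP stack must answer for in a given mode."""
    own = SERVER_PRIVATE if mode == "nat" else SERVER_PUBLIC
    # DSR: the request still carries the VIP as destination, so the server's IP
    # stack must hold the VIP locally or it would drop the packet
    return frozenset({own, VIP}) if mode == "dsr" else frozenset({own})


def simulate(mode: str, transparency: bool = True) -> dict:
    """Follow one request/reply through the chosen mode and report what each party sees."""
    request = Packet(src=CLIENT, dst=VIP)
    at_server = forward_request(mode, request, transparency)
    if at_server.dst not in server_addresses(mode):
        raise RuntimeError(f"{mode}: server would drop a packet for {at_server.dst}")
    reply = Packet(src=at_server.dst, dst=at_server.src)  # server answers what it received
    if mode == "dsr":
        via, to_client = "router", reply                   # straight out, already from the VIP
    else:
        via, to_client = "loadbalancer", Packet(src=VIP, dst=CLIENT)  # LB reverses its NAT
    return {
        "server_sees_source": at_server.src,
        "reply_via": via,
        "client_receives_from": to_client.src,
        "reply_reaches_client": to_client.dst == CLIENT,
        # a reply addressed to the client only comes back through the LB if the LB is
        # physically in the path (default gateway, or Layer 2 between server and router)
        "lb_must_be_in_path": mode != "dsr" and reply.dst == CLIENT,
        "server_needs_vip_locally": VIP in server_addresses(mode),
    }


if __name__ == "__main__":
    for m in ("nat", "transparent", "one-arm", "dsr"):
        print(m, simulate(m))
    print("nat, transparency off", simulate("nat", transparency=False))
```

Running the script prints one line per mode. The two "one-arm" facts explain why it is the easiest setup to add to an existing VLAN: the server replies to the load balancer's own address, so nothing has to be re-cabled for the return path, at the cost of the server no longer seeing the client IP.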
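The scheduling methods listed for the A10 Networks Load-Balancer and for the KEMP above are easiest to compare by running them against the same pool. The simulation below is an added example, not code from Leaseweb, A10 or KEMP; server and client addresses are constructed, and the bucket function (SHA-256 of the address key, reduced modulo the pool size) is an assumption standing in for the vendors' own hash. The constructed pool reproduces the situation the KEMP section describes: server B already holds more open connections, which round robin ignores and least connection does not.

```python
"""Scheduling-method simulation for the methods listed on this page.

Added example, not Leaseweb's, A10's or KEMP's code. Addresses are
constructed; the hash-to-bucket function is an assumption.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Server:
    ip: str
    active: int = 0      # connections currently maintained
    requests: int = 0    # requests received so far in this run
    rtt_ms: float = 0.0  # last measured health-check response time


class Scheduler:
    def __init__(self, servers):
        self.servers = list(servers)
        self._rr = 0

    def round_robin(self) -> Server:
        s = self.servers[self._rr % len(self.servers)]
        self._rr += 1
        return s

    def least_connection(self) -> Server:
        return min(self.servers, key=lambda s: s.active)

    def least_requests(self) -> Server:
        return min(self.servers, key=lambda s: s.requests)

    def fastest_response(self) -> Server:
        return min(self.servers, key=lambda s: s.rtt_ms)

    def ip_hash(self, src=None, dst=None) -> Server:
        """Stateless hash: the same key always lands in the same bucket/server."""
        key = ":".join(p for p in (src, dst) if p is not None).encode()
        bucket = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
        return self.servers[bucket % len(self.servers)]


# which header fields each stateless hash method keys on
HASH_KEYS = {
    "source_hash": lambda r: (r["src"], None),
    "destination_hash": lambda r: (None, r["dst"]),
    "source_destination_hash": lambda r: (r["src"], r["dst"]),
}


def run(method: str, requests: list, servers: list) -> list:
    """Dispatch each request with the named method; returns the chosen server IPs in order."""
    sched = Scheduler(servers)
    chosen = []
    for req in requests:
        if method in HASH_KEYS:
            s = sched.ip_hash(*HASH_KEYS[method](req))
        else:
            s = getattr(sched, method)()
        s.active += 1      # the new connection stays open for the rest of the run
        s.requests += 1
        chosen.append(s.ip)
    return chosen


def sample_pool() -> list:
    """Constructed pool: server B already has 5 open connections but answers faster."""
    return [Server("10.0.0.11", active=1, rtt_ms=20.0),
            Server("10.0.0.12", active=5, rtt_ms=5.0)]


if __name__ == "__main__":
    reqs = [{"src": f"198.51.100.{i}", "dst": "203.0.113.10"} for i in (7, 8, 7, 9)]
    for m in ("round_robin", "least_connection", "least_requests",
              "fastest_response", "source_hash", "source_destination_hash"):
        print(f"{m:25} {run(m, reqs, sample_pool())}")
```

With four identical requests, round robin alternates A, B, A, B regardless of load, least connection sends all four to A (its count only catches up with B's after the fourth), and fastest response keeps choosing B. The hash methods are the ones to use when session stickiness matters more than balance: every request with the same key returns the same server with no state kept on the load balancer.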
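Both the A10 Health Monitor option and the KEMP IP/Servers Monitoring option above do the same two things: probe each IP/server on its service port, and remove it from the VIP group while it fails (adding it back once it answers again). The monitor below is an added example, not code from Leaseweb, A10 or KEMP. Its Layer 4 check is a plain TCP connect; the fall/rise thresholds (consecutive failed checks before removal, consecutive passed checks before re-adding) are an assumption of this model rather than settings quoted from either vendor, and the server addresses are constructed.

```python
"""Health monitor that removes and re-adds VIP group members.

Added example, not Leaseweb's, A10's or KEMP's code. The fall/rise
thresholds are an assumption; addresses are constructed.
"""
import socket
from dataclasses import dataclass


def tcp_check(ip: str, port: int, timeout: float = 1.0) -> bool:
    """Layer 4 health check: does a TCP handshake complete on the service port?"""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class RealServer:
    ip: str
    port: int
    healthy: bool = True
    fails: int = 0   # consecutive failed checks
    passes: int = 0  # consecutive passed checks


class HealthMonitor:
    def __init__(self, servers, check=tcp_check, fall: int = 3, rise: int = 2):
        self.servers = list(servers)
        self.check = check          # injectable so the logic can be run offline
        self.fall, self.rise = fall, rise

    def poll(self) -> list:
        """Run one check round against every member and return the active pool."""
        for s in self.servers:
            if self.check(s.ip, s.port):
                s.fails, s.passes = 0, s.passes + 1
                if not s.healthy and s.passes >= self.rise:
                    s.healthy = True    # added back to the VIP group
            else:
                s.passes, s.fails = 0, s.fails + 1
                if s.healthy and s.fails >= self.fall:
                    s.healthy = False   # removed: no more requests go here
        return self.active()

    def active(self) -> list:
        return [s.ip for s in self.servers if s.healthy]


def demo_scenario() -> list:
    """Constructed scenario: server B fails three checks, then recovers.

    Returns the active pool reported after each poll.
    """
    states = {"10.0.0.11": True, "10.0.0.12": True}
    mon = HealthMonitor([RealServer("10.0.0.11", 80), RealServer("10.0.0.12", 80)],
                        check=lambda ip, port: states[ip], fall=3, rise=2)
    history = [mon.poll()]
    states["10.0.0.12"] = False
    history += [mon.poll() for _ in range(3)]   # removed on the third failure
    states["10.0.0.12"] = True
    history += [mon.poll() for _ in range(2)]   # re-added on the second pass
    return history


def live_check_roundtrip() -> tuple:
    """Real TCP check against a local listener, before and after it is closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port chosen by the OS
    srv.listen(5)
    port = srv.getsockname()[1]
    try:
        up = tcp_check("127.0.0.1", port)
    finally:
        srv.close()
    return up, tcp_check("127.0.0.1", port)


if __name__ == "__main__":
    for i, pool in enumerate(demo_scenario()):
        print(f"poll {i}: active = {pool}")
    print("live check (listening, closed):", live_check_roundtrip())
```

The thresholds matter for the failure mode a flapping server causes: with fall=1 a single dropped handshake would empty the pool of a healthy member, and with rise=1 a server that answers once during a restart would receive traffic before it is ready.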
NAT Non-Redundant

The non-redundant setup we offer contains only 1 switch and 1 KEMP, which means there is a single point of failure: if one of the devices becomes unavailable, your platform will be down and not reachable.

The only setup we offer and support is a NAT setup; with this setup the servers have addresses allocated from the private address space (RFC 1918, Address Allocation for Private Internets). The internet-routable range, on which your website/service is available, is configured on the uplink and is available only in the segment/VLAN between the KEMP and the uplink router. Requests arriving at the VIP IP are processed by the KEMP and forwarded, with a modified IP header, to the IPs/servers configured for that specific VIP IP.

Network Layout NAT Non-Redundant

NAT Redundant

The redundant setup we offer contains 2 switches and 2 KEMP load balancers, which means there is no single point of failure: if one of the devices becomes unavailable, your platform stays online thanks to the High Availability configuration.

The only setup we offer and support is a NAT setup; with this setup the servers have addresses allocated from the private address space (RFC 1918, Address Allocation for Private Internets). The internet-routable range, on which your website/service is available, is configured on the uplink and is available only in the segment/VLAN between the KEMP and the uplink router. Requests arriving at the VIP IP are processed by the KEMP and forwarded, with a modified IP header, to the IPs/servers configured for that specific VIP IP.

Network Layout NAT Redundant
© Copyright 2024