
Load Balancing


Load Balancing / SSL Offload and Decryption

Optimize Performance and Reliability with Advanced Load Balancing Solutions

Load balancing is used in cloud and on-premises data centers to provide redundancy, disaster recovery, scale, and resilience to the applications users need. Several different load balancer systems can be used for different use cases.

Global Load Balancing

Global load balancers are typically used to deliver traffic to the nearest geographical workload presence. They are also used to fail traffic over when a data center is down. Some of these systems are DNS based, others are L4-L7 capable, depending on which features are needed. Features range from simple geographic load balancing, latency-based load balancing, and priority-based load balancing to hot/cold failover between data centers. Some global load balancing systems have more extensive L4-L7 features such as TLS/SSL decryption, Web Application Firewall (WAF), or Content Delivery Network (CDN) features.

Some examples of Global Load Balancers are Microsoft Azure Traffic Manager (DNS Based), Azure Front Door (L4-L7 based), and Azure CDN (L4-L7 based CDN service).

An example of using Global Load Balancing is using Microsoft Azure Traffic Manager to fail over between a primary cloud region and a DR region when Azure Site Recovery is used to move workloads to the DR region. If internet-facing applications are hosted on those servers, a global load balancer is required to move inbound user requests to the DR region. A common way is to use Azure Traffic Manager, which changes the public DNS answers for the servers to the public IPs of the DR region so that user requests fail over to the DR region.

Data Center Load Balancing (Internal)

Application Delivery Controller (ADC) is the modern name for what was commonly thought of as a data center “Load Balancer” in the past. These are L4-L7 load balancers. Their job is to load balance user requests (internally or externally sourced) coming into the data center across the server farm. ADCs are responsible for probing servers, making sure servers are up and capable of accepting requests, and re-routing client traffic to other servers when a server goes down. They are also responsible for performing SSL/TLS decryption, both to support security and operational tasks and for SSL offloading where required.

In the modern network, one of the most important functions of ADCs is to provide application firewalling or web application firewalling (WAF) services. A WAF provides more specialized traffic inspection than a general-purpose firewall: web application servers require security that is focused purely on the web application itself, and a WAF is a specialized firewall that concentrates solely, and in great depth, on protecting the web applications in the data center.

ADCs, though specialized for L4-L7 load balancing, can also do simple TCP load balancing (L4 only) for traffic going between the layers of the application stack (application to middleware, or middleware to database/backend). This is useful because the more complex load balancing features are less often needed in these layers.

Some examples of ADC load balancers are F5 BIG-IP, NetScaler ADC, NGINX Load Balancer, and Azure Application Gateway. An example of a simple L4 load balancer is the Azure Standard Load Balancer.

An example of using an ADC is using Microsoft Azure Application Gateway to take in user requests and send them to a farm of application servers in Azure. A scale set could be used to scale these servers up or down as needed. The Application Gateway can decrypt the traffic and apply a WAF to protect the application using the Microsoft built-in WAF rule sets and the organization’s customized rules. The traffic can then be sent encrypted or unencrypted to the application servers. If a server goes down, the Application Gateway’s probes detect this and remove it from the pool of eligible servers.

TLS/SSL Decryption and SSL Offload

ADCs and some Global Load Balancers perform TLS/SSL decryption. The original intent was offloading SSL: terminating the encrypted session at the load balancer and sending plain HTTP on to the web frontend servers, to take the processing burden off the server. Decryption purely for offloading is less common today.

Modern ADCs still typically perform decryption whether or not offloading is required. For the ADC to perform advanced security control functions like WAF, it must see the unencrypted HTTP traffic to act on it. ADCs are also often used to modify HTTP requests and responses to temporarily fix issues while developers work on fixing the application code. This could be removing a cookie, modifying an HTTP header, or modifying the HTTP body. Once the ADC has decrypted the session, it can modify parts of the HTTP request or response to implement a quick fix when needed.

After the ADC has performed the steps above, it can either re-encrypt the traffic before sending it to the server farm or send it unencrypted (SSL offloading). Re-encrypting the traffic is considered the higher-security option and is used more often in greenfield data center builds today.
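As an added example that is not part of the original page, the following NGINX configuration (NGINX is named above as an ADC product) shows one proxy performing the steps described in the Application Gateway example and in this section: TLS termination, tracking of failed servers so they leave the pool, a header quick fix applied to the decrypted HTTP, and the two backend choices, plaintext offload beside re-encryption with certificate verification. The hostnames, IP addresses and certificate paths are placeholders.

```nginx
# Added example (not from the original page): a minimal ADC built on NGINX.
# Hostnames, addresses and file paths are assumed placeholders.

upstream app_farm {
    # A server that fails 3 times within 30s is taken out of rotation
    # for 30s and then retried, so a down server stops receiving clients.
    server 10.0.1.11:8443 max_fails=3 fail_timeout=30s;
    server 10.0.1.12:8443 max_fails=3 fail_timeout=30s;
}

server {
    listen 443 ssl;
    server_name app.example.com;

    # TLS termination: the proxy holds the public certificate and key,
    # so everything below operates on decrypted HTTP.
    ssl_certificate     /etc/nginx/tls/app.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/app.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Quick fixes on the decrypted request/response, the kind of edit
        # the text describes while the application code is being fixed:
        # drop a response header that leaks the server stack, and add a
        # protective header the application does not yet set itself.
        proxy_hide_header X-Powered-By;
        add_header X-Content-Type-Options nosniff always;

        # Tell the backend who the client was and that the edge used HTTPS.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Option A, SSL offload: plain HTTP to the farm (the original intent).
        # proxy_pass http://app_farm;

        # Option B, re-encrypt (the higher-security option): a new TLS session
        # to the farm, with the farm's certificate checked against the
        # internal CA so a rogue host cannot impersonate a backend.
        proxy_pass https://app_farm;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;
        proxy_ssl_name                app-backend.internal;
        proxy_ssl_server_name         on;
    }
}
```

Open-source NGINX only marks servers down after real client requests fail; the active probing described above for Application Gateway corresponds to the `health_check` directive in NGINX Plus or an external checker.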

When Global Load Balancing services decrypt traffic, the traffic is typically re-encrypted before being sent to the target data center, as this traffic usually crosses the internet.