Avi Networks Transforms Application Delivery Control - Page 2
Avi Networks aims to offer what an ADC should be all about: delivering applications to end users in the most secure, efficient, cost-effective fashion.
Hands-on with Avi Networks version 15.1
Installation of Avi Networks’ ADC involves installing virtual instances of the management/control planes and data planes on either a physical appliance or on the appropriate cloud-based hosts.
Avi Networks uses a Virtual Machine (VM) ideology, which in turn is fused to an SDN-based deployment. The respective ADC code for the individual planes is then deployed into the virtual machines, distributing the ADC functionality to the locations that are closest (as measured by response time) to the applications and services being delivered to users. While that may be an oversimplification of the sophisticated capabilities offered by the Avi ADC, it is still important to note that separating the control and data planes brings with it significant advantages.
Nonetheless, the primary goal of the Avi Networks ADC is to bring load balancing and resiliency to line-of-business applications. Avi Networks makes that happen by incorporating machine learning techniques with the flexibility of SDN to create a highly interactive offering that merges management, diagnostics, reporting, load balancing and security.
Here, Avi Networks makes the whole concept of load balancing easily understood. The product uses a paradigm that creates “pools” of virtual services. In essence, each virtual service that is displayed on the application dashboard contains all of the elements that make up the delivery of an application.
To add a new virtual service, one just has to launch the “New Virtual Service” wizard and offer the ADC some very basic information, such as the IP address of the application, the port it uses, and a name. The wizard then steps the administrator through choosing policies, implementing analytics and finalizing the basic setup.
The New Virtual Service wizard does an excellent job of directing the administrator to the most critical settings and offers suggestions throughout the setup process on how to best configure the service. What’s more, the wizard-based setup employs lookups to help locate existing services via URLs or IP addresses.
For most use cases, the defaults work well for deploying Avi’s product with excellent results. Nonetheless, the product also offers manual configuration of several (if not all) of the settings via the Avi UI or REST APIs.
Virtual service pools are the foundation of Avi’s ideology, which is referred to as “Distributed Microservices.” These distributed microservices power the data plane of the application delivery platform and work hand-in-hand with Avi’s service engines to enhance application traffic. They can be combined to consolidate load balancing, application acceleration and application security into a unified delivery mechanism.
The basic framework is provided by the Hyperscale Distributed Resources Architecture (HYDRA), which allows administrators to manage application deployment services, such as load balancing and SSL termination, as well as extensive analytics information from those microservices and service engines.
The product offers advanced analytics, which Avi calls “Inline Analytics.” These allow administrators to delve into traffic statistics and access logs to determine how applications are performing and identify problems.
The application dashboard lets an administrator drill down into each defined virtual service, where submenus are presented that offer additional information. Here, graphic elements, such as charts, show the last six hours of activity for the virtual service. Administrators can also change the activity views to real time or to other lengths of time if they are researching issues that span long periods. Those graphical elements support additional drilldown, which allows administrators to delve deeper into events and the statistics surrounding those events. That proves to be a very powerful feature for those looking to troubleshoot application delivery problems. It's something not found in the typical ADC.
Avi Networks offers dozens, if not hundreds, of ways to drill down into the gathered data to determine where any problems may lie with delivering applications, or even to conduct forensic research into application access.
Application load balancing (and SSL termination) is based upon defined policies (or templates) that offer standardized methods for assigning a “cost” to an application, its route and other factors. Those “costs” are used by the service engines and application controllers to determine the most efficient method to deliver an application. High “costs” can be used to initiate new virtual machines to autoscale applications experiencing increased loads. While “costs” are used behind the scenes, they correlate to a readily apparent, administrator-facing element called a “health score,” which is tied directly into performance analytics.
Several templates are included with the product and available via a dropdown list during the configuration of an application pool. Several load balancing choices are available, including Round Robin, Least Connections and Source IP. Administrators can also assign “weight” factors to elements in the application pool, which are used to shift loads based upon administrator preferences.
One of the most important aspects of an ADC is application security. For most products on the market, that means providing full end-to-end SSL session support in addition to a method to accelerate that traffic. Simply put, a physical appliance must have sufficient horsepower to accelerate and terminate SSL connections without impacting performance.
For proprietary, hardware-based ADCs, SSL termination comes at a price – namely, when it comes to scaling SSL terminations. Most of those devices have to rely on internal ASICs or CPUs to encrypt and decrypt traffic, meaning that scaling up may require a hardware replacement.
Avi Networks takes an alternative approach that enables SSL acceleration to be scalable without requiring a rip and replace. Avi is able to accomplish that thanks to SDN technologies. The virtual appliance can simply be assigned more processing power without updating the management/control planes.
What’s more, Avi also offers support for ECC-based certificates as an alternative to RSA-based certificates. ECC-based encryption/decryption is less processor-intensive, making it a faster and more secure methodology for SSL encryption. It also improves battery life in mobile devices by lowering burdens on the CPU.
Avi Networks ADC feature set
As ADCs go, Avi offers an extensive feature set, centered on its ability to secure and load balance applications. Load balancing, security, acceleration and QoS features include:
- Protocols: TCP, UDP, HTTP, HTTPS, DNS, SPDY
- Algorithms: Avi ServerSaver, Least Connections, Least Load, Fastest Response, Consistent Hash, Round Robin, and Random Selection – with weighted priority built into each algorithm
- Persistence: Source IP Address, HTTP Cookie, Secure Cookie
- Server Health Monitoring: Ping, TCP, UDP, HTTP, HTTPS, DNS, External Script, Passive Inline
- Content Switching based on matches against HTTP and/or TCP/IP Headers
- SSL Offload: RSA (1K/2K/3K) + Elliptic Curve Cryptography (ECC) SECP256R1 / SECP384R1 / SECP521R1, Perfect Forward Secrecy (PFS), Strict Transport Security
- SSL server re-encryption
- IP, HTTP access control
- Policy-based client redirection, tracking
- Protocol validation
- DDoS mitigation: SYN flood, Slow Loris, SlowPOST, ICMP, etc.
- TCP Optimizations: TCP proxy, buffering, TCP Multiplexing, Connection Keep-alive, Window Scaling, Selective Acknowledgement, Fast Ramp
- HTTP request and connection multiplexing
- GZIP compression
- Content caching
- Rate control of throughput and number of connections
- Ability to limit maximum number of connections on a single IP
- DSCP tagging for higher network QoS
- QoS controls across virtual services on a single Service Engine
Avi Networks successfully transforms ADC ideology by adopting SDN techniques. The platform effectively separates the data and control planes, making Avi’s ADC an excellent choice for distributed, cloud-enabled networks. The integrated advanced analytics allows administrators to stay one step ahead of application delivery problems, and the integrated machine learning reduces the amount of time an administrator has to spend fine tuning application delivery.
All things considered, Avi Networks is worth a long hard look for those looking to transition their applications to the cloud and build hybrid solutions without the need for proprietary hardware.
Frank is an award-winning technology journalist, professional speaker and IT business consultant with over 25 years of experience in the technology arena. He has written for several leading technology publications, including ComputerWorld, TechTarget, PCWorld, ExtremeTech, Tom's Hardware and business publications, including Entrepreneur, Forbes and BNET. Ohlhorst was also the Executive Technology Editor for Ziff Davis Enterprise's eWeek and formerly the director of the CRN Test Center.