Application Delivery Controller Buyer's Guide
Application delivery controllers (ADCs) have one primary function: making applications perform faster. These may be outward-facing applications such as ecommerce sites, or they may be internal applications such as CRM, ERP, or BI, or Microsoft Exchange or SharePoint deployments.
The market for ADCs is booming, with sales increasing by over 10% last year to around $1.4 billion, according to research house Dell'Oro Group http://www.delloro.com/. And that growth looks set to continue: TechNavio http://www.technavio.com/, a market research company, expects the market to grow by 11% a year over the next two years.
What's driving this growth is falling prices, which make the devices attractive to small and medium sized businesses as well as large enterprises and service providers. There are other factors at work too: "We believe that data center build outs, consolidation, and the continued preference of users bringing their own devices as well as increased applications on each device will drive robust growth in 2012," says Alan Weckel, a Dell'Oro Group director.
Different vendors' ADCs use many different techniques to increase application performance, but the most important one, that all ADCs employ, is load balancing - a technology that's been around for nearly twenty years. A load balancer acts as a proxy, taking incoming requests and distributing them among a pool of available servers to ensure optimum performance. If one or more of these servers fails or needs to be taken down for maintenance, the load balancer simply distributes incoming traffic to the remaining servers, eliminating any disruption. Global load balancing enables ADCs to distribute requests to servers at other locations, either because they are geographically closer to the client, or to provide redundancy and failover capabilities.
There are a number of ways to distribute the traffic, including a simple Round Robin approach and a "weighted" approach that sends more traffic to the most powerful servers. ADCs can also talk to the servers to establish their memory and CPU utilization rates, and can use custom scripted load balancing rules as well.
ADCs' capabilities go well beyond load balancing, however. As well as using other techniques (discussed below) to improve application performance, many also offer security, authentication, bandwidth management and other services. But despite this, research carried out by Gartner shows that up to three quarters of organizations that deploy ADCs only use their load balancing functionality. This finding is echoed by James Colby, a marketing vice president at Radware, one of the leading vendors in the ADC space. "Probably 60% of the ADCs we sell are sold to companies that just want to do load balancing."
Beyond the core load balancing function, most ADC vendors offer appliances with a range of services that can be mixed and matched according to customer needs. These include:
- Compression: Compressing the data sent from the application to the end user can make a significant improvement to application performance, especially when accessed over a WAN link
- Data caching: Commonly served data is cached on the ADC device, relieving the burden on the back end servers. When cached data is pre-compressed, this can add to the performance benefits
- Layer 7 content switching: Content switching involves load balancing based on page content. For example, requests for specific types of content such as video media or graphics can be sent to one server, while transactional traffic can be sent to another.
- Layer 7 persistence: Layer 7 persistence, also known as cookie persistence, allows the ADC to write and read session cookies into traffic, and to use that cookie information to ensure that a particular application session is always load balanced back to the same server. This ensures that a site visitor will not have to log in more than once, or that their shopping trolley doesn't "forget" the items that have been placed in it.
- Application security: ADCs may include web application firewall functionality which defends against attacks on application specific vulnerabilities (such as cross site scripting vulnerabilities) which may not be stopped by a conventional firewall. Some ADCs also have IPS/IDS functionality
- SSL offloading: SSL security can place a significant burden on servers that have to handle SSL connections, adversely affecting performance. SSL offloading shifts this burden to the ADC (some ADCs even have dedicated SSL hardware), enabling it to establish SSL connections with clients and handle the encryption and decryption work, while communicating with the back end servers using standard (unencrypted) HTTP connections.
- WAN Optimization: As well as compression and caching, many ADCs carry out other forms of asymmetric WAN optimization (that is, optimizations that only involve the ADC, requiring no special software or hardware at the client end). These include TCP customizations and protocol enhancements that keep connections alive longer, reduce the chattiness of the underlying protocols, and modify the size of the receive window.
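The weighted distribution, failover and cookie persistence described above can be sketched in a few lines. This is an added example, not code from any vendor in this guide; the server names and key are constructed, and the HMAC tag on the cookie is an assumption added here so that a client cannot pick its own back end by editing the cookie.

```python
import hashlib
import hmac
import itertools


class Pool:
    """Weighted round-robin pool with health state and cookie persistence."""

    def __init__(self, weights, key):
        self.weights = dict(weights)      # server name -> integer weight
        self.healthy = set(self.weights)  # servers currently in rotation
        self.key = key                    # HMAC key held only by the balancer
        self._rebuild()

    def _rebuild(self):
        # A server with weight w gets w slots per cycle; failed servers get none.
        slots = [s for s, w in sorted(self.weights.items())
                 if s in self.healthy for _ in range(w)]
        self._cycle = itertools.cycle(slots) if slots else None

    def set_health(self, server, up):
        # Called when a health check fails or maintenance starts/ends.
        (self.healthy.add if up else self.healthy.discard)(server)
        self._rebuild()

    def _sign(self, server):
        return hmac.new(self.key, server.encode(), hashlib.sha256).hexdigest()[:16]

    def _pinned(self, cookie):
        # Honour a cookie only if its tag verifies and the server is still up.
        server, _, tag = (cookie or "").rpartition(".")
        if server in self.healthy and hmac.compare_digest(
                tag.encode(), self._sign(server).encode()):
            return server
        return None

    def route(self, cookie=None):
        """Return (server, cookie_to_set) for one incoming request."""
        server = self._pinned(cookie)
        if server is None:
            if self._cycle is None:
                raise RuntimeError("no healthy servers")
            server = next(self._cycle)
        return server, f"{server}.{self._sign(server)}"
```

A request with no cookie, a forged cookie, or a cookie naming a failed server falls back to the weighted rotation and is issued a fresh cookie.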
Buying an ADC
The first decision to be made is whether to buy a physical appliance, or to use a virtual, software only appliance. Although a software only appliance may be cheaper, and instances can be provisioned on demand, it will be unable to make use of services such as SSL offloading that make use of specific hardware in the appliance version of the product. Vendors such as F5, A10 and Citrix offer virtual appliances, but these only account for a tiny 3% of overall ADC spending at the moment, according to Dell'Oro's research.
The next step is to calculate the capacity of the ADC that you are likely to need. This calculation should be based on:
- How many incoming connections per minute the ADC will have to handle
- The bandwidth it has to manage
- Likely scale-up requirements in the future
The third step is to establish what additional services (as described above) beyond load balancing, if any, are required.
The final step is to look at the price of any products that satisfy the requirements above. TechNavio suggests that this should often be a deciding factor. "Cost is one of the main reasons for end-users to choose among the existing products since the ADCs offered in the market are almost of the same capabilities except for certain advanced add-on features," it says in a research note.
The ADC market is dominated by F5 Networks, which accounts for around half of the entire market by sales. Citrix Systems and Cisco Systems round out the top three. Other leading vendors include Radware, Riverbed (which acquired software-based ADC maker Zeus Technologies in 2011), A10 Networks, Array Networks and ActivNetworks.
Cindi Borovick, an analyst at IDC, says that while most ADCs have many features in common, certain vendors excel in certain areas: F5 and Citrix focus on application acceleration techniques, Radware and A10 focus on security and capacity, while Riverbed concentrates on virtual offerings. She says that scalability is also an important differentiator at the high end. "10 Gig connections are becoming the default for new data centers, so products need to be able to scale to deal with this."
F5 Networks
F5's Big-IP http://www.f5.com/products/big-ip/ ADC range is made up of hardware devices offering traffic throughput from 1Gbps (for a single application) up to 72Gbps. These run its Traffic Manager Operating System (TMOS), responsible for setting up and destroying connections, socket management and other basic tasks, and its core Local Traffic Manager load balancing service. The entry level F5 1600 Series finishes there, while the more powerful appliances can run one or more other service modules and offer hardware-based SSL acceleration and dedicated compression and caching chips.
Other features include:
- iControl: an API for offbox management of the appliance using any popular management platform (i.e. without using the TMOS user interface)
- iRules: F5's traffic management control language. This can be configured to manipulate the traffic passing through the appliance, such as manipulating cookies to enable cookie based (Layer 7) persistence
- iApps: configuration templates for 27 different applications such as Microsoft Exchange 2007 and 2010
Citrix Systems
Citrix's NetScaler http://www.citrix.com/English/ps2/products/product.asp?contentID=21679&ntref=prod_cat devices offer load balancing and content switching, data compression, content caching, SSL acceleration, application flow visibility and application firewall capabilities.
NetScaler MPX appliances are hardened network appliances that offer up to 50 Gbps performance. NetScaler SDX is a high-density consolidation platform combining Xen-based virtualization and NetScaler's MPX architecture to run up to 40 NetScaler policies simultaneously. NetScaler VPX virtual appliances run as virtual machines on popular hypervisors allowing NetScaler to be provisioned on demand on industry-standard servers.
Citrix's AppExpert Policy Management includes pre-defined AppExpert templates for rapid deployment with many enterprise business applications.
Cisco Systems
Application Control Engine (ACE) http://www.cisco.com/en/US/products/ps5719/Products_Sub_Category_Home.html. The Cisco ACE family of application switches includes the Cisco ACE Service Module for the Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, as well as the Cisco ACE 4710 Appliance.
It includes a range of Cisco application switching technologies to improve application performance, including hardware-based compression, delta encoding and server offload with SSL, caching, and TCP processing. It also provides protection against application threats and denial-of-service (DoS) attacks with features such as deep packet inspection, network and protocol security, and scalable access control capabilities.
Radware
Radware's http://www.radware.com/Products/ApplicationDelivery/default.aspx range of ADC appliances and software offers load balancing and other services including SSL offloading, Web compression, static and dynamic content caching, TCP optimization and bandwidth utilization control. Appliances are hardware overprovisioned so that customers can unlock new hardware capabilities when required, and customization and configuration are carried out through a user interface rather than by writing scripts.
Radware's ADCs can run the company's own ADC-VX hypervisor, and then run a separate virtual ADC (vADC) on top of this hypervisor for each application they wish to deliver, or assign separate vADCs to different business units, to provide resource reservation and fault isolation.
The company's AppShape templates allow for fast implementation with applications including SAP, Exchange, Oracle EBS, Siebel, PeopleSoft and VMware View.
Riverbed
Riverbed's Stingray http://www.riverbed.com/us/products/stingray/ software-based ADC can accelerate applications running on physical or virtual hosts or in the cloud. It is made up of Stingray Traffic Manager, for load balancing, SSL offload, and traffic optimization; Stingray Application Firewall, for security; and Stingray Aptimizer, which includes compression, caching and other ADC services.
The entire system can be configured using Riverbed's TrafficScript language to deploy policies that inspect, transform, prioritize and route traffic.
Other ADCs to consider include:
- A10 Networks AX series http://www.a10networks.com/products/axseries.php and SoftAX virtual appliance
- Array Networks APV Series http://www.arraynetworks.com/products-apv-application-delivery-controllers.html
- ActivNetworks BoostEdge http://www.activnetworks.com/en/boostedge/overview/