The ABCs of ADCs: White Paper
Every ADC is a server load balancer first with advanced features layered on top of that core. So what is a server load balancer?

Segments
• Small Business
• Medium Business
• Enterprise
• Data center
• MSP

Application Delivery Controller
At its core, every ADC is first and foremost a server load balancer. ADCs build on this with advanced features that support today’s complex application environments.

Server Load Balancer
• Layer 4 network routing (TCP/UDP)
• Basic server healthchecks
• Session persistence
• HTTPS traffic management

Advanced Features
• Layer 7 intelligent routing
• Global Server Load Balancing
• Scripting/automation
• Link Load Balancing
• SSL offloading
• HTTP compression

www.fortinet.com
White Paper : ABCs of Application Delivery Controllers
The Basics of Server Load Balancing
As websites began to see increased traffic in the mid-1990s, single servers were reaching their limits to handle the capacity. Additional servers were required to expand applications along with technologies to make it appear to end users that they were accessing a single server.

The first method to address this scalability was DNS resolution, also referred to as “Round-robin DNS”. This method assigns a group of unique internal IP addresses to servers behind a firewall to a single DNS name. When a user requested a resolution to a website name the DNS would respond back with multiple addresses in order, for example 10.1.0.10, 10.1.0.11 and 10.1.0.12. The next request made to the DNS would be supplied the same addresses, however they would be rotated so the second server would be first (10.1.0.11, 10.1.0.12 and 10.1.0.10). The DNS would continue to rotate through the servers for each sequential response.

[Figure: round-robin DNS. Users, the DNS and servers at 192.0.0.1, 192.0.0.2 and 192.0.0.3.]

Round Robin DNS was a simple solution that solved the issue of scalability by offering an almost limitless number of servers to be added to a DNS name. However without the capability to know the status of the server on the receiving end of the request, users could be sent to a server that was down or overloaded.

Soon many software-based approaches for load balancing became available to address the issue of server availability, usually as part of an operating system or application software. These systems created clusters of servers that were constantly in contact with one another to share information on server status, connections and other means to provide forms of server health-checking. Connection requests would be handed to the first available server to then be routed to the best available one (either itself or another server in the cluster). This worked well for smaller applications with less than 10 servers. Larger applications saw dramatic performance decreases with each new server due to the continuous need for servers to stay in contact with each other. This limited capacity combined with proprietary software led to the need for a new solution that could reliably scale and support multiple applications.

The Hardware-based Load Balancer
Beginning in the late 1990s, manufacturers introduced the first hardware-based load balancing appliances. By separating load balancing from the applications themselves, the appliances could rely on using network layer techniques like network address translation (NAT) to route inbound and outbound traffic to servers. Another key component that was introduced was server health-checking. At predefined intervals, the load balancer would check on the status of the server to determine if it was available and what its traffic load was. If a server was down, traffic would be directed to operational servers. If a server was overloaded, traffic would be redirected until it was back below set thresholds to receive new requests.
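The difference between blind round-robin DNS and a health-checking load balancer, as an added example that is not part of the original white paper. It uses the paper's sample addresses 10.1.0.10 to 10.1.0.12; the server states, the 0.8 overload threshold and all function and class names are assumptions made for the illustration.

```python
from collections import deque
from dataclasses import dataclass

MAX_LOAD = 0.8  # assumed overload threshold (fraction of capacity)

@dataclass
class Server:
    ip: str
    up: bool = True      # outcome of the most recent health check
    load: float = 0.0    # fraction of capacity in use, 0.0 to 1.0

def unfit(server):
    """A server that is down or at/over the threshold gets no new traffic."""
    return not server.up or server.load >= MAX_LOAD

def round_robin_dns(ips, queries):
    """First address of each DNS answer; the answer list rotates per query."""
    ring = deque(ips)
    first = []
    for _ in range(queries):
        first.append(ring[0])  # clients normally connect to the first address
        ring.rotate(-1)        # the second server is listed first next time
    return first

class HealthCheckedBalancer:
    """Round robin restricted to servers that passed the last health check."""
    def __init__(self, servers):
        self.servers = servers
        self._count = 0

    def pick(self):
        pool = [s for s in self.servers if not unfit(s)]
        if not pool:
            raise RuntimeError("no healthy server available")
        server = pool[self._count % len(pool)]
        self._count += 1
        return server.ip

def misdirected(choices, servers):
    """Number of requests sent to a down or overloaded server."""
    bad = {s.ip for s in servers if unfit(s)}
    return sum(ip in bad for ip in choices)

def compare(servers, queries=9):
    """Return (misdirected via DNS rotation, misdirected via the balancer)."""
    dns = round_robin_dns([s.ip for s in servers], queries)
    lb = HealthCheckedBalancer(servers)
    balanced = [lb.pick() for _ in range(queries)]
    return misdirected(dns, servers), misdirected(balanced, servers)

# Constructed state: one server down, one overloaded.
SAMPLE = [Server("10.1.0.10", load=0.30),
          Server("10.1.0.11", up=False),
          Server("10.1.0.12", load=0.95)]

if __name__ == "__main__":
    print(compare(SAMPLE))
```

With the constructed state, DNS rotation sends six of nine requests to a server that cannot serve them, while the health-checked pool sends none.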
[Figure: an ADC at 192.0.0.1 in front of servers (192.0.0.12, 192.0.0.13). Caption fragment: “… IP address for clients.” Users 1 to 4 simply type in the URL of the site managed by the ADC. The DNS resolves only to one IP, in this example to 192.0.0.1.]

Applications could now scale and users would have reliable connections. The only limiting factor was the capacity of the hardware itself. In most cases, organizations that migrated from DNS-based or software load balancing saw an average 25% increase in server performance, reducing the need to add new servers to add more capacity.

The Application Delivery Controller
Simple load balancing is no longer sufficient to meet the basic needs of most organizations. Today web servers aren’t just delivering static content, they’re delivering dynamic, content-rich applications. Businesses are using web-based applications to deliver mission-critical functionality to employees and customers.

Over the past 10 years load balancers have evolved into Application Delivery Controllers (ADCs). These new devices understand application-specific traffic and can optimize application server performance by offloading many of the compute-intensive tasks that would otherwise bog down CPUs that could be better occupied elsewhere. A common comparative analogy used to describe the role of SLBs is to compare them to a “network traffic cop”. We’ll use this analogy to describe the incremental advantages of an ADC over a server load balancer.

[Sidebar: Hardware-based load balancers with network-level traffic management were the forerunners of modern application delivery controllers]

Intelligent Load Balancing
When a car is disabled on an interstate highway, a traffic cop will direct cars around the disabled lane. Similarly, an SLB can direct network traffic away from a slow or disabled server. But, the highway, much like the data center, is only a means to the end. What’s really important to you is the destination (or, the “application”, in data center terms). And every destination is unique, each with its own priority and value to the data center operators and the users accessing applications.

For example, you may take a different route to get to your office than you do to your grocery store. And getting to the office in a timely manner probably has a higher priority. When you get into your car, you want to get to your destination as expediently as possible. What we need today is a traffic cop who can not only clean up the congestion after it happens, but can actually prevent the traffic jam from occurring in the first place. That’s the role of the application delivery controller. In addition to load balancing traffic, what distinguishes ADCs from server load balancers is their ability to intelligently route users to their application and content destinations efficiently and intelligently, based on business priorities and goals.

Referring to the analogy above, imagine the ADC is the ultimate traffic cop; one who would not only redirect you
around the disabled lane, but would know where you were going, take into consideration the time of day, and know where the location is within the surrounding city. With that information, he would give you directions that would take you directly to your destination, bypassing stoplights, construction and any delays along the way.

Applying this analogy to users requesting applications and content from a data center, an advanced ADC will route users to destination servers based on a variety of criteria that the data center manager implements using policies and advanced application-layer knowledge to support business requirements. And, much like our example traffic officer, an advanced ADC will ensure that the users get to the applications based on their specific needs while protecting the network and applications from security threats.

[Sidebar: Intelligent load balancing provides administrators the capability to create rules that route traffic based on business rules and network traffic conditions]

[Figure: an ADC for www.example.com in front of a web server (OFFLINE), Web Server 2 (AVAILABLE) and a Mail Server (AVAILABLE). Users 1 to 3 request the website; User 4 requests mail. Caption fragment: “… and then can route it to the server that is configured to handle that type of traffic.”
Health-checking: Although part of basic load balancing, ADCs use additional methods like custom PHP scripting to determine the status of a server and redirect traffic to other servers. In this example Users 1-3 are directed to Web Server 2 as the primary server is offline.
L7 Routing: In this example, User 4 is using an email client and needs to get to the mail server. The ADC can automatically determine the application type of the packet and send it to the mail server.]

Advanced Features of an ADC
Among the advanced acceleration functions present in modern ADCs are SSL offloading technology, data compression, TCP and HTTP protocol optimization and virtualization awareness.

Much in the same way that a highway commuter lane has fewer cars with higher occupancy to reduce congestion, advanced ADCs offload servers by reducing the bandwidth utilization required to deliver application data from the data center to the desktop. ADCs offer compression to remove non-essential data from traversing network links. This helps to deliver maximum bandwidth utilization to support more traffic and avoids the need for network upgrades.

By offloading and accelerating SSL encryption, decryption and certificate management from servers, ADCs enable web and application servers to use their CPU and memory resources exclusively to deliver application content and thus respond more quickly to user requests. Our smarter traffic cop comes to the rescue again, this time eliminating distractions that prevent you from concentrating on the driving tasks at hand. Web-based applications consist of a variety of different data objects which can be delivered by different types of servers. ADCs provide application-based routing using file types to direct users to the server (or group of servers) that is set up to handle their specific information
requests, such as ASP or PHP applications. User requests can be routed to different servers by sending requests for static file types (jpg, html, etc.) to one server group, and sending user requests for dynamic data to other servers optimized for that purpose. Like the ultimate traffic cop, the ADC knows the optimal path for each destination.

Transaction-based applications require connections to the same server in order to operate correctly. The best-known example of this is the “shopping cart” problem when you establish a session with one server to add an item to your cart and then are load balanced to a different server to checkout. If you don’t have a persistent connection to the original server, you’ll find your cart is empty.

ADCs use session state with HTTP headers and cookies to ensure that users and servers remain “persistent”. The ADC uses the cookie within the HTTP header to ensure that users continue to be directed to the specific server where the session state information resides. Without this capability, if the user went to a different server, the previous transaction history would be lost, and the user would need to start the transaction over. Once again, the ultimate traffic cop saves the day by understanding the application, network conditions and your priorities.

[Sidebar: Advanced features like SSL offloading, HTTP compression and content-aware routing separate ADCs from basic load balancers]

Global Server Load Balancing for ADCs solves the complex problem of scaling applications across multiple data centers for disaster recovery or to improve application response times for geographically dispersed users. Using a DNS-based approach combined with configurable business rules, user requests are resolved to the closest, best performing or lowest-cost data centers. If a data center is down due to a natural disaster or planned maintenance, users are automatically routed to a different data center until the primary data center is back online.

Link Load Balancing intelligently manages multiple wide-area links (WAN) to the internet from the ADC to improve application response times, reduce bandwidth needs and to provide redundancy should a link fail. If an internet connection becomes congested or is offline, traffic is automatically routed to the remaining links.

[Figure: an ADC for www.example.com in front of a Web Server. User 1: E-commerce; User 2: Secure Mail; Users 3 and 4: Website. Caption fragment: “… reduce bandwidth needs by compressing HTTP content.”
HTTP Compression: Users 3 and 4 are both accessing content-rich websites from the Web Server. The content is sent to the ADC (red) and it is compressed for delivery to these users (blue) and decompressed using Gzip in their web browsers.]
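The “shopping cart” problem and the cookie-based persistence described in this section, as an added example that is not from the white paper or from any ADC product. The backend names, the cookie name ADCPERSIST and the in-memory carts are assumptions; the cookie carries an opaque backend id rather than an internal address, and any value that is not a known, healthy backend is ignored and re-balanced.

```python
import itertools

class Backend:
    """Constructed backend that keeps cart state only in its own memory."""
    def __init__(self, name):
        self.name, self.carts, self.up = name, {}, True

    def handle(self, user, action, item=None):
        cart = self.carts.setdefault(user, [])
        if action == "add":
            cart.append(item)
        return list(cart)   # "checkout" returns only what this server knows

class ADC:
    COOKIE = "ADCPERSIST"   # hypothetical persistence cookie name

    def __init__(self, backends, persistent):
        self.backends = {b.name: b for b in backends}
        self.persistent = persistent
        self._rr = itertools.cycle(sorted(self.backends))

    def _next_healthy(self):
        for _ in range(len(self.backends)):
            name = next(self._rr)
            if self.backends[name].up:
                return name
        raise RuntimeError("no healthy backend")

    def request(self, cookies, user, action, item=None):
        """Route one request; `cookies` stands in for the client's cookie jar."""
        name = cookies.get(self.COOKIE) if self.persistent else None
        # Honour the cookie only for a known, healthy backend id.
        if name not in self.backends or not self.backends[name].up:
            name = self._next_healthy()
            if self.persistent:
                cookies[self.COOKIE] = name   # Set-Cookie on the response
        return name, self.backends[name].handle(user, action, item)

def shop(persistent, fail_after_add=False):
    """Add an item, then check out; return (first server, second server, cart)."""
    adc = ADC([Backend(n) for n in ("s1", "s2", "s3")], persistent)
    jar = {}
    first, _ = adc.request(jar, "alice", "add", "book")
    if fail_after_add:
        adc.backends[first].up = False   # pinned server goes offline
    second, cart = adc.request(jar, "alice", "checkout")
    return first, second, cart

if __name__ == "__main__":
    print(shop(False), shop(True), shop(True, fail_after_add=True))
```

The third case shows the limit of persistence: when the pinned server fails, the user is re-balanced but the cart is still lost, because the state lived only on the failed server.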
[Figure: three data centers, each fronted by an ADC; Datacenter 1 is OFFLINE and the others are AVAILABLE.
Disaster Recovery: In this example, Datacenter 1 is down. Users of this datacenter would automatically be routed to other data centers. Here to Datacenter 2 in orange.
Improved Response Times: Users are routed to the closest. Here the user in Australia is routed to Datacenter 3 in Asia (green) and users in Europe and the Middle East are routed to Datacenter 2 (blue).]

Finally, today’s ADCs need to operate in and manage virtual environments. Advanced ADCs offer deep resource management of virtual environments and not just basic health-checking for server availability. With this tight virtual integration, the ADC can make load balancing decisions based on the status of the virtual machines and the servers they run on.

[Sidebar: Global Server Load Balancing and Link Load Balancing are important features for routing traffic between multiple data centers]

The Future of ADCs
Just as ADCs have replaced server load balancers, new technologies and new application delivery needs will shape the future of the ADC. Trends in network security, SDN, device consolidation, cloud/virtualization and other future developments will impact the evolution of these devices.

Fortinet sees network security as the major factor shaping the ADC market in the coming years. As network threats continue to get more sophisticated, most of these new attacks are targeted at the applications themselves like SQL Injection and Cross-Site Scripting. Inclusion and/or close coupling with additional security platforms like firewalls and Web Application Firewalls (WAFs) will help to minimize these risks. Most advanced ADCs have some form of security and some include basic WAF services. We expect that this trend will continue with the ADC playing a key role in helping prevent application-layer threats.

We also see SDN as a game-changing technology that has the potential to reshape the IT industry, as well as ADCs. The adaptive, flexible environment that SDN enables will require an ADC that supports features like customized scripting and comprehensive APIs.

We predict that ADCs will be a point of service and feature aggregation as opposed to a device that is subsumed by another. The ADC is a critical routing hub that is difficult to replace with another device and will continue to stand as a primary network component in the modern data center.
[Product images: FortiADC-300E, FortiADC-200D, FortiADC-1000E]
Summary
Server load balancing grew out of the need to scale
websites in the 1990s and is the foundation of today’s
modern application delivery controller. Building on this core
of server load balancing, the advanced features of ADCs not
only scale applications, they intelligently provide application
availability.
About Fortinet
Fortinet (NASDAQ: FTNT) helps protect networks, users and
data from continually evolving threats. As a global leader in
high-performance network security, we enable businesses
and governments to consolidate and integrate stand-alone
technologies without suffering performance penalties. Unlike
costly, inflexible and low-performance alternatives, Fortinet
solutions empower customers to embrace new technologies
and business opportunities while protecting essential
systems and content. Learn more at www.fortinet.com.
GLOBAL HEADQUARTERS
Fortinet Inc.
899 Kifer Road
Sunnyvale, CA 94086
United States
Tel: +1.408.235.7700
Fax: +1.408.235.7737
www.fortinet.com/sales

EMEA SALES OFFICE
120 rue Albert Caquot
06560, Sophia Antipolis,
France
Tel: +33.4.8987.0510
Fax: +33.4.8987.0501

APAC SALES OFFICE
300 Beach Road 20-01
The Concourse
Singapore 199555
Tel: +65.6513.3730
Fax: +65.6223.6784

LATIN AMERICA SALES OFFICE
Prol. Paseo de la Reforma 115 Int. 702
Col. Lomas de Santa Fe,
C.P. 01219
Del. Alvaro Obregón
México D.F.
Tel: 011-52-(55) 5524-8480
Copyright© 2014 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may
also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained
in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing
herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance
metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal
lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this
publication without notice, and the most current version of the publication shall be applicable.