A load balancer is a network appliance responsible for the effective distribution of incoming network traffic across multiple backend servers in order to guarantee always-available application services. Load balancers can be deployed as software appliances, hardware appliances or even as a service. A load balancer allows you to optimise server utilisation and remove single points of failure in application delivery to guarantee the following: Resilience – A load balancer allows you to run multiple application servers to fulfil the same role. In the event of a server failure, the load balancer will detect this and redirect traffic to the remaining online, healthy servers. This ensures high availability and reliability for applications. Scalability – Load balancers allow you to seamlessly scale services without impacting performance. By simply adding more servers behind the load balancer for distribution, you introduce the ability to adapt to an increase in load. Capacity – To increase capacity simply add more servers behind the load balancer. (Ok it’s not normally as easy as that because you’ll probably have databases and other app servers to consider, but you get the idea)

Load balancers distribute application traffic based on many different load balancing strategies or load balancing policies as they are sometimes called. In order to understand if a backend server is online and healthy, a load balancer will use back-end server monitoring and Server health checking. The principles of load balancing have been around for many years but these devices have evolved significantly from the basic layer4 device to much more sophisticated layer7 Application Delivery controllers, or ADCs as Gartner refer to them. ADCs offer many additional key features including security and traffic management.

A load balancing strategy or policy instructs the load balancer on where to send the next incoming request. There are many load balancing strategies available depending on the specific solution, however a few common ones are listed below: Round Robin: The most simple load balancing method where each server takes a turn to receive a request. Least Number of Connections: The load balancer will keep track of the number of connections a server has and send the next request to the server with the least connections. Note: Older, layer4 only load balancers tend not to support this as they typically run DSR (Direct Server Return) and don’t know how many connections are currently on the backend servers. Weighted: Typically servers are allocated a percentage capability as one server could be twice as powerful as another. Weighted methods are useful if the load balancer does not know the real and actual performance of the server. Fastest Response Time: This load balancing method is normally only available on more advanced products. The request will be sent to the fastest responding server.

Load Balancers run server health checks against web servers to determine if they are alive, healthy and providing service. Server health monitoring is the key to delivering resilient applications, and depending on the solution chosen, some load balancers are able to use layer7 health checks which offer greater sophistication in their problem detection. Below is a summary of the different methods of server health checks. Ping: This is the most simple method of server health check, however it is not very reliable because the load balancer can report that the server is up, whilst the web service can still be down. TCP Connect: This is a more sophisticated health check method which can check if a service is up and running. An example of this is services on port 80 for web. Simple HTTP GET: This method of server health check will make a HTTP GET request to the web server and typically check for a header response such as a 200 OK. Full HTTP GET: This server health check will make a HTTP GET and check the actual content body for a correct response. This feature is only available on some of the more advanced load balancing solutions but is the superior method for web applications because it will check that the actual application is available. Customisable Server Health Checks: Some load balancing solutions are able to accommodate custom monitors for TCP / IP applications for better control over their specific application services.

Persistence is a feature that is required by many web applications and websites. Once a user has interacted with a particular server, all subsequent requests are sent to the same server thus ‘persisting’ to that particular server. Session persistence ensures a continuity of service and seamless end user experience and is often a requirement of ecommerce applications whose session state is stored on the local web server as opposed to a shared database. Persistence can come in many forms… Load Balancer Cookie: The load balancer will set a cookie at the client and use this to identify the backend server to be used for this user. Application Session Cookies: Many application servers already set their own session ID such as jsp session cookie or Asp.net. You can configure the load balancer to use these. IP Based: Uses the Client IP address to persist. This method works for layer4 and layer7 SSL Session: Uses the SSL session ID. This is not very common as the session ID can change ,as such persistence is lost. RDP Session Cookie: Used for RDP connections.

This is a term used to describe an advanced load balancer. Now most load balancers are layer7 appliances, situated in a privileged position between the application and clients. With visibility of all the traffic the load balancer can perform a number of functions above and beyond simple load balancing and server redundancy. Load balancing is one of a number of features of an ADC including:

• Layer7 traffic management
• Application acceleration
• Content caching
• Application firewall
• Connection pooling and limiting
• Pre-authentication and single sign-on
• Proxying

The terms layer4 and layer7 refer to the protocol layers at which a load balancer operates within the OSI networking model. Layer4 load balancers operate at the transport layer, whilst layer7 load balancers operate at the application protocol level, affording them greater visibility and understanding of the application it is processing itself. This enables advanced functionality and optimisation features including intelligent traffic management, content caching, security and compression. Acceleration Features Layer4 load balancers are still available although their market share has been reducing significantly as layer7 advanced load balancers and ADC’s become more powerful and cost effective.

SSL (Secure Sockets Layer) is used to describe the process of encrypting the connection ,typically using a private certificate. HTTPS is HTTP run over an encrypted SSL connection. SSL can be a very CPU intensive operation thus reducing the speed and capacity of the web server. Offloading SSL termination to a load balancer allows you to centrally manage your certificates and frees up your servers to focus on delivering the application rather than decrypting SSL.

A WAF or Web Application Firewall is a security device designed specifically to mitigate threats at the Application layer i.e. layer7. More specifically, a Web Application Firewall is designed to work with HTTP and HTTPS protocols. They work in conjunction with a standard network firewall that typically blocks ports. In order for an application to offer a public service certain ports (such as 80 and 443 for a typical HTTP/HTTPS web app) have to be open. Hackers exploit these open ports, exposing the need for an additional, new layer of protection. That is where an Application Firewall or WAF comes into play. A Web Application Firewall will look at the HTTP Requests and Responses to work out if they are valid or not. Some requests may be valid for one site / page but not another, so in many cases, Application Firewalls may need more configuration. PCI DSS requires an Application Firewall to block some standard threats, in accordance with the OWASP published top 10 threats.