Route Domains – Half-baked Virtualization Delivers Half-baked Results


Imagine browsing your favorite websites on your computer or playing a browser-based game when things start slowing down.  You click the window in frustration hoping that the site responds, to no avail.  Finally, the browser alerts you that something is making it run too slow and you need to reset it.


The problem is not the browser design or the websites that you are surfing. It is the fact that you are browsing too many resource-intensive sites through multiple web browsing applications. You may be using Firefox, Chrome, Internet Explorer, Edge, Opera, Safari, and/or a combination of the many other browsers on the market.

Content isolation, not resource reservation

You may have different web browsing applications open because each one is independent of the other. All login information, cookies, history and other content is only relevant to the browser that is accessing that site. When you log onto a site in Firefox, those credentials do not cross over to Internet Explorer. Each browser is an isolated container for all of the content that it receives.

As a gamer, it is not uncommon for me to have different browsers accessing the same online game using different accounts. There are multiple reasons why this is beneficial, but there is a performance cost associated with this application access model.

All of these open web browsers fight for the same resources on your computer. When the resources are exhausted, the browsers start to fail. There are no restrictions that one can place on each browser version to ensure the performance of it or the other browsers. If one website starts to consume a large amount of computer resources, it can impact the performance of all of the other browsers and applications open on the computer.

If the user wants to properly isolate the different browsers so that there is no potential for one browser to impact another, then it is necessary to create virtual containers that can restrict CPU, memory, and network usage within that container. This is what virtual machines are designed to do within the application hosting environment.


Not all applications are equal

Application delivery controllers (ADC) are built to manage and manipulate the access to applications by acting as a reverse proxy. Businesses often host multiple applications on the ADC due to cost, design, and functionality. Minimal thought is given to the resource needs, SLA requirements, and criticality of the application to the business. But this creates an environment that is susceptible to negative interactions.

In this architecture, if one of the hosted applications receives an increase in connections or requires custom policies that consume excessive resources, then all of the other applications hosted on the ADC are negatively impacted. There is a finite amount of network, compute, and memory resources available within the ADC.

In the business world, this becomes a problem. Application availability is critical and it is unacceptable to have one application affect the availability of others within the network infrastructure. Application performance is not always predictable. Flash mobs, internet virality, natural disasters, and other events can impact an application’s usage. It is not acceptable to have a non-critical application surge and impact the resources available to critical services.

Route Domains are not virtualization

Some ADC vendors offer route domains as a solution to partition applications and tenants within the application delivery infrastructure. Route domains are based on virtual routing and forwarding (VRF) functions introduced when multi-protocol label switching (MPLS) was created. Route domains are a version of VRF-lite where the ADC is able to contain multiple forwarding information bases (FIB) that are separate and distinct.

In other words, the ADC is able to have separate layer 3 domains configured, with their own IP networks and routing tables. This is like having multiple browsers on a computer, where each route domain is equivalent to a unique browser instance.

The similarities within this analogy extend to the resource consumption problem. Virtual separation of content and application delivery does not mean that there is separation of resource usage.

It is possible and probable that one application within one route domain will consume enough resources to affect the performance and availability of another application in another route domain. An unexpected, but probable, event is all that is required for the application to perform outside its normal parameters and impact all of the other applications configured on the ADC.

Enterprises and managed service providers that require multi-tenant services for their application delivery infrastructure need to look beyond route domains as a viable solution. True virtualization of the ADC through virtual machines is the only way to properly isolate and contain the applications.

The virtualization of the ADC through virtual instances that can allocate and reserve the compute, memory, and bandwidth available to the application must be a requirement when designing a proper application delivery infrastructure. Anything less is shortchanging your application users – your customers.
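The following added example, which is not from the original article or any vendor's code, models the argument above: two route domains keep separate forwarding tables for the same prefix, yet a surge in one tenant starves the other unless capacity is reserved per tenant. The tenant names, the gateway labels, the capacities, and the use of connection slots as a stand-in for CPU, memory, and bandwidth are all constructed assumptions.

```python
# Added illustration (toy model, not vendor code); names and numbers are constructed.
import ipaddress

class RouteDomain:
    """One VRF-lite style FIB with longest-prefix-match lookup."""
    def __init__(self):
        self.fib = {}

    def add_route(self, prefix, next_hop):
        self.fib[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        hits = [net for net in self.fib if ip in net]
        return self.fib[max(hits, key=lambda n: n.prefixlen)] if hits else None

class ADC:
    """Connection slots stand in for CPU, memory and bandwidth on the device."""
    def __init__(self, capacity, reservations=None):
        # reservations=None models route domains only: one pool shared by all.
        if reservations and sum(reservations.values()) > capacity:
            raise ValueError("reservations exceed device capacity")
        self.capacity, self.reservations, self.active = capacity, reservations, {}

    def connect(self, tenant):
        used = self.active.get(tenant, 0)
        if self.reservations is None:
            full = sum(self.active.values()) >= self.capacity
        else:
            full = used >= self.reservations.get(tenant, 0)
        if not full:
            self.active[tenant] = used + 1
        return not full

def overlapping_lookup(addr="10.0.0.5"):
    """Same prefix in two route domains resolves independently (content isolation)."""
    rd_a, rd_b = RouteDomain(), RouteDomain()
    rd_a.add_route("10.0.0.0/24", "tenant-a-gw")
    rd_b.add_route("10.0.0.0/24", "tenant-b-gw")
    return rd_a.lookup(addr), rd_b.lookup(addr)

def critical_accepted(adc, surge=5000, normal=200):
    """Non-critical tenant surges first, then the critical tenant's normal load arrives."""
    for _ in range(surge):
        adc.connect("noncritical")
    return sum(adc.connect("critical") for _ in range(normal))

if __name__ == "__main__":
    print(overlapping_lookup())
    print("shared pool:", critical_accepted(ADC(1000)))
    print("reserved:", critical_accepted(ADC(1000, {"critical": 300, "noncritical": 700})))
```

With the shared pool, the critical tenant gets none of its 200 connections once the surge has filled the device; with reservations it gets all of them while the surge is capped at its own allocation.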


Frank Yue

Frank Yue is Director of Solution Marketing, Application Delivery for Radware. In this role, he is responsible for evangelizing Radware technologies and products before they come to market. He also writes blogs, produces white papers, and speaks at conferences and events related to application networking technologies. Mr. Yue has over 20 years of experience building large-scale networks and working with high performance application technologies including deep packet inspection, network security, and application delivery. Prior to joining Radware, Mr. Yue was at F5 Networks, covering their global service provider messaging. He has a degree in Biology from the University of Pennsylvania.
