This article provides an overview of the key features of the Barracuda Link Balancer. Before deploying the Barracuda Link Balancer, you need to understand the following concepts:
The Barracuda Link Balancer can manage links that have static or dynamic (DHCP) IP addresses and can authenticate using PPPoE.
Aggregating Link Bandwidth
The Barracuda Link Balancer automatically aggregates Internet bandwidth from multiple links. Administrators can choose multiple links from one or more ISPs to consolidate access to affordable Internet bandwidth. Any single session (e.g. a TCP stream) has only the bandwidth from a single WAN link. A computer connected to more than one remote site may have more than one session.
The Barracuda Link Balancer continually monitors the health of each Internet link and uses only healthy links. If it detects a link failure, the failed link is removed from link balancing. When a failed link becomes available again, the Barracuda Link Balancer detects this and resumes using it. This does not require any administrator intervention. If a link fails, existing sessions on that link will be disconnected. Clients connected to the failed link can reconnect quickly to their destination using another available link, rather than waiting for the original link to be restored.
Outbound Link Load Balancing
When the Barracuda Link Balancer detects traffic from a client IP address going to a new destination IP address, a link is selected by calculating the available capacity for each link based on uplink speed and current usage, and using the link with the largest available capacity. If needed, you can create outbound routing rules to override this selection process.
Inbound Link Balancing and Failover
The Barracuda Link Balancer uses authoritative DNS to direct incoming connections to a WAN link. When an external user accesses a website hosted behind the Barracuda Link Balancer, for example, the Barracuda Link Balancer receives a DNS request for the IP address of that website. The Barracuda Link Balancer responds with the IP address, which directs the traffic to a WAN link. When determining which IP address to return, the available capacity is calculated for each link based on configured speed and current usage. The link with the largest available capacity is returned so that adaptive inbound load balancing is achieved. Also, failed link addresses are not returned. To accomplish this, the Barracuda Link Balancer acts as an authoritative DNS server for the domains or sub-domains that you host. You can create DNS records on the Barracuda Link Balancer to identify your domain and to map that domain to multiple externally accessible IP addresses.
The Barracuda Link Balancer supports Layer 2 VLANs.
The Barracuda Link Balancer supports High Availability configurations where two Barracuda Link Balancers are deployed as an active-passive pair.
The Barracuda Link Balancer automatically tracks the IP addresses of each client/source and the corresponding server/destination. As long as the source and destination IP address pair are the same, traffic between them uses the same link. In addition, any one source and destination IP address pair is tied to a specific link for up to 15 minutes of inactivity. Traffic from a source IP address that is already tracked may be sent on a different link if the destination IP address is unique.
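The outbound selection, failover and pair-tracking behaviour described above, modelled as an added Python example that is not Barracuda code. It assumes available capacity is the configured uplink speed minus current usage; the `Link` and `Balancer` names and the sample addresses are constructed for illustration.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60  # seconds: "up to 15 minutes of inactivity"

@dataclass
class Link:
    name: str
    uplink_kbps: int      # configured uplink speed
    usage_kbps: int = 0   # current measured usage
    healthy: bool = True

    def available(self) -> int:
        # Assumption: available capacity = configured speed - current usage.
        return self.uplink_kbps - self.usage_kbps

class Balancer:
    def __init__(self, links):
        self.links = {l.name: l for l in links}
        self.pairs = {}  # (src_ip, dst_ip) -> (link name, last-seen time)

    def select(self, src, dst, now):
        """Return the link name for traffic from src to dst at time now (s)."""
        entry = self.pairs.get((src, dst))
        if entry:
            name, last_seen = entry
            # Reuse the tracked link only while it is healthy and the pair
            # has not been idle for longer than the timeout.
            if self.links[name].healthy and now - last_seen <= IDLE_TIMEOUT:
                self.pairs[(src, dst)] = (name, now)
                return name
        healthy = [l for l in self.links.values() if l.healthy]
        if not healthy:
            raise RuntimeError("no healthy WAN link")
        best = max(healthy, key=lambda l: l.available())
        self.pairs[(src, dst)] = (best.name, now)
        return best.name

def demo():
    wan1 = Link("WAN1", uplink_kbps=10_000, usage_kbps=2_000)  # 8000 free
    wan2 = Link("WAN2", uplink_kbps=5_000, usage_kbps=500)     # 4500 free
    lb = Balancer([wan1, wan2])
    out = [lb.select("10.0.0.5", "203.0.113.10", now=0)]        # new pair
    wan1.usage_kbps = 9_000                                     # 1000 free
    out.append(lb.select("10.0.0.5", "203.0.113.10", now=60))   # tracked pair
    out.append(lb.select("10.0.0.5", "198.51.100.7", now=60))   # new destination
    wan1.healthy = False                                        # link failure
    out.append(lb.select("10.0.0.5", "203.0.113.10", now=120))  # reselected
    return out
```

Because one client can leave through different WAN addresses for different destinations, remote allow lists and services that bind a session to the client's source IP need to account for every WAN link's address.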
Bandwidth Management and Quality of Service (QoS)
The Barracuda Link Balancer includes software that can automatically prioritize critical Internet applications. For example, you can assign priority to web browsing and email while giving peer-to-peer applications and media streaming a lower priority. In this way, you can ensure that bandwidth-intensive applications do not interfere with business-critical operations.
The Barracuda Link Balancer incorporates standard firewall functions, including:
- Network Address Translation (NAT).
- IP masquerading - Clients in the internal network are protected from the Internet. All Internet services appear to be provided by the Barracuda Link Balancer firewall, while the internal clients remain invisible.
- 1:1 NAT - You can directly assign external addresses to internal servers. Ideal for hosting internal applications or services requiring regular outbound requests such as SMTP, 1:1 NAT provides a secure method to match additional external addresses with a single internal server for inbound and outbound traffic.
- Port forwarding (or Port Address Translation) - Traffic to the same port across one or more links is directed to an internal client.
- Many to 1 NAT - One internal server may receive traffic from more than one WAN link. You can achieve this by creating 1:1 NAT rules or port forwarding rules.
- IP access lists - Use IP access lists to allow or deny access, either inbound or outbound, to remote networks, clients, applications, services and ports.
- Port blocking.
- Assistance in preventing and mitigating distributed denial of service attacks (DDoS).
Site-to-Site VPN and Link Failover
You can create a site-to-site VPN tunnel between two Barracuda Link Balancers or between a Barracuda Link Balancer and another device that supports IPsec. Networks connected via a tunnel communicate as if they are on the same network, even though they are separated by the Internet. This functionality allows your site-to-site VPN tunnel to automatically fail over to a secondary link if the primary link fails.
Ability to Deploy with Your Network Firewall
If you already have a firewall that meets your requirements, you can use the link balancing, failover and bandwidth management capabilities of the Barracuda Link Balancer and disable its firewall functionality. You can add the Barracuda Link Balancer to your network without removing your firewall, with minimal disruption to your existing network.
Local Network Services
The Barracuda Link Balancer includes the following local network services:
- DHCP server - The Barracuda Link Balancer can automatically provision client IP addresses using the DHCP protocol. Along with defining traditional DHCP options, administrators may view active leases in real time.
- DNS caching server - The Barracuda Link Balancer caches responses to DNS queries so that repetitive DNS requests are served quickly and locally.
A variety of trend and activity reports for the WAN links, VPNs and other system components can be generated on-demand or scheduled. Reporting is only available on models 330 and above.
The Barracuda Link Balancer configuration can be administered through an SSL-secured web interface. Access can be through the LAN or, if configured, any WAN interface. The web interface also allows you to view traffic statistics, monitor network component health, and troubleshoot.
Integration with External Systems and Services - Security Considerations
Barracuda Link Balancer integrates with other systems and services in your environment, like your authorization server and email system. Barracuda recommends creating separate service accounts for these integration points, rather than using personal accounts, and then applying the principle of least privilege. This integration strategy is part of an overall security policy. For more information, see Security for Integrating with Other Systems - Best Practices.