You can deploy the Barracuda Load Balancer ADC in either one- or two-armed mode. Additionally, you select whether the Barracuda Load Balancer ADC acts as a reverse proxy for each type of traffic that is load balanced.
A service is a combination of a virtual IP (VIP) address and one or more TCP/UDP ports. Traffic arriving at the designated ports for the specified VIP address is directed to one of the real servers that are associated with that particular service.
When you create a service, specify whether the incoming traffic type is load balanced at Layer 4 or at Layer 7. You can also configure settings such as a scheduling policy and security for each service.
One-Armed and Two-Armed Mode
You can deploy the Barracuda Load Balancer ADC in either one-armed mode or two-armed mode:
- One-Armed – In a one-armed topology, all of the real servers and VIP addresses are configured on a single network, usually the WAN network, or (less commonly) the LAN network.
- Two-Armed – The VIP addresses (incoming traffic) and the real servers are configured on different networks. Internet traffic is routed through one port on the Barracuda Load Balancer ADC. Traffic from the real servers is routed through a separate port on the Barracuda Load Balancer ADC. A two-armed deployment requires you to configure separate networks for the incoming traffic and the real servers.
If a Layer 4 - UDP or Layer 4 - TCP service is used in a two-armed deployment, the Barracuda Load Balancer ADC must be the default gateway for all downstream real servers. For all other types of services, the real servers and VIP addresses can be positioned in a variety of ways.
Figure 1 shows a WAN deployment using a one-armed topology and TCP Proxy, UDP Proxy, or Layer 7 services. The gateway IP address of the real servers need not change when adding the Barracuda Load Balancer ADC to the network. All of the virtual IP addresses and the IP addresses for the real servers are connected to the WAN.
Figure 1. One-armed using TCP Proxy, UDP Proxy, or a Layer 7 service.
Figure 2 shows a network where there are virtual IP addresses available on both the WAN and LAN side. Clients coming from the Internet or intranet can access the database or web service. On the LAN side, the web servers can access the database service.
Figure 2. Two-armed TCP Proxy, UDP Proxy, or Layer 7 Service.
Direct Server Return
If a real server generates a much greater volume of outbound traffic than inbound traffic, you can configure Direct Server Return (DSR) for it. DSR increases outbound traffic throughput by directing traffic from the real server directly to the client, bypassing the Barracuda Load Balancer ADC. For more information about this deployment option, see.
Figure 3 below illustrates how requests and responses are processed in a one-armed network where DSR is enabled for the real servers.
- The request arrives at the switch and is passed to the virtual IP (VIP) address on the Barracuda Load Balancer ADC.
- A real server is selected, and the data frame of the packet is modified to be the MAC address of that real server.
- The packet is then placed back on the network.
- Because the VIP address is bound to the real server’s loopback interface, the real server accepts the packet.
- The real server responds directly to the client using the VIP address as the source IP address.
Figure 3. Example DSR, one-armed architecture.
You can create Layer 4 or Layer 7 services to pass incoming traffic to the real servers. Both types of services provide different options for handling traffic.
Layer 4 Services
Layer 4 services pass traffic in half-NAT mode, changing the destination IP address to that of the real server, but keeping the original source IP address.
|Layer 4 Service Type
|TCP or UDP
Provides the best performance when most of the traffic is outgoing.
|Layer 4-TCP, Layer 4-UDP
Real servers in Direct Server Return mode.
Layer 7 Services
Layer 7 services pass traffic in full-NAT mode, changing both the source and destination IP addresses. The Barracuda Load Balancer ADC acts as a proxy. Connections from the client are terminated at the Barracuda Load Balancer ADC and new connections are established between the Barracuda Load Balancer ADC and the real servers.
For Layer 7 services, the topology can be either one-armed or two-armed. When you install the Barracuda Load Balancer ADC, you do not need to change the gateway of the servers in the server farm.
For secure Layer 7 services (Secure TCP Proxy, HTTPS, and FTP SSL), the Barracuda Load Balancer ADC inspects the encrypted traffic using a certificate that is specified when the service type is selected. The traffic can be re-encrypted, or you can configure SSL offloading to send the de-crypted traffic to the real servers.
|Layer 7 Service Type
|TCP with SSL processing offloaded to the Barracuda Load Balancer ADC
|Secure TCP Proxy
|HTTP (web servers)
|HTTP or HTTPS
|FTP (FTP servers)
|FTP or FTP SSL
|Remote Desktop Services
|Layer 7 - RDP
For more information on the available service types and how to configure them, see Services.
The following table lists some common cases with suggested deployments:
|The Barracuda Load Balancer ADC provides Layer 4 load balancing of TCP/IP traffic.
Create one or more Layer 4 - TCP services.
|The Barracuda Load Balancer ADC provides Layer 4 load balancing of UDP traffic.
Create one or more Layer 4 - UDP services.
|The Barracuda Load Balancer ADC provides SSL offloading and Layer 4 load balancing of TCP/IP traffic.
Create one or more Secure TCP Proxy services.
If you use a one-armed topology, you do not need to reconfigure the IP addresses of the real servers.
A two-armed topology provides better performance.
|The real servers are on the same subnet as the Barracuda Load Balancer ADC, and the configuration cannot be changed.
You have the following options:
|There is an existing IT infrastructure using Windows where the web servers must communicate with systems such as Active Directory Domain Services, ISA Servers or domain controllers.
To avoid changing network settings, you have the following options:
For the best performance, it is recommended that you use a two-armed topology and create a Layer 4 service.
|The outbound traffic is far greater than the inbound traffic. For example, if the real servers are providing streamed audio or visual media.
|Configure Direct Server Return with a Layer 4 service to increase throughput.
|The real servers must individually be remotely administered.
You have the following options:
Additional Deployment Notes
More information about different deployment options can be found in these articles: