Barracuda Load Balancer ADC

Choosing Your Deployment Mode and Service Types


You can deploy the Barracuda Load Balancer ADC in either one- or two-armed mode. Additionally, you select whether the Barracuda Load Balancer ADC acts as a reverse proxy for each type of traffic that is load balanced.

A service is a combination of a virtual IP (VIP) address and one or more TCP/UDP ports. Traffic arriving at the designated ports for the specified VIP address is directed to one of the real servers that are associated with that particular service.

When you create a service, specify whether the incoming traffic type is load balanced at Layer 4 or at Layer 7. You can also configure settings such as a scheduling policy and security for each service.

One-Armed and Two-Armed Mode

You can deploy the Barracuda Load Balancer ADC in either one-armed mode or two-armed mode:

  • One-Armed – In a one-armed topology, all of the real servers and VIP addresses are configured on a single network, usually the WAN network, or (less commonly) the LAN network.
  • Two-Armed – The VIP addresses (incoming traffic) and the real servers are configured on different networks. Internet traffic is routed through one port on the Barracuda Load Balancer ADC. Traffic from the real servers is routed through a separate port on the Barracuda Load Balancer ADC. A two-armed deployment requires you to configure separate networks for the incoming traffic and the real servers.
    If a Layer 4 - UDP or Layer 4 - TCP service is used in a two-armed deployment, the Barracuda Load Balancer ADC must be the default gateway for all downstream real servers. For all other types of services, the real servers and VIP addresses can be positioned in a variety of ways.

Figure 1 shows a WAN deployment using a one-armed topology and TCP Proxy, UDP Proxy, or Layer 7 services. The gateway IP address of the real servers need not change when adding the Barracuda Load Balancer ADC to the network. All of the virtual IP addresses and the IP addresses for the real servers are connected to the WAN.

Figure 1. One-armed using TCP Proxy, UDP Proxy, or a Layer 7 service.



Figure 2 shows a network where there are virtual IP addresses available on both the WAN and LAN side. Clients coming from the Internet or intranet can access the database or web service. On the LAN side, the web servers can access the database service.

Figure 2. Two-armed TCP Proxy, UDP Proxy, or Layer 7 Service.


Direct Server Return

If a real server generates a much greater volume of outbound traffic than inbound traffic, you can configure Direct Server Return (DSR) for it. DSR increases outbound traffic throughput by directing traffic from the real server directly to the client, bypassing the Barracuda Load Balancer ADC. For more information about this deployment option, see Direct Server Return Deployment.

Figure 3 below illustrates how requests and responses are processed in a one-armed network where DSR is enabled for the real servers.

  1. The request arrives at the switch and is passed to the virtual IP (VIP) address on the Barracuda Load Balancer ADC.
  2. A real server is selected, and the destination MAC address in the frame carrying the packet is changed to the MAC address of that real server.
  3. The packet is then placed back on the network.
  4. Because the VIP address is bound to the real server’s loopback interface, the real server accepts the packet.
  5. The real server responds directly to the client using the VIP address as the source IP address.

Figure 3. Example DSR, one-armed architecture.


Service Types

You can create Layer 4 or Layer 7 services to pass incoming traffic to the real servers. The two types of service provide different options for handling traffic.

Layer 4 Services

Layer 4 services pass traffic in half-NAT mode, changing the destination IP address to that of the real server, but keeping the original source IP address.

Traffic Type: TCP or UDP
Deployment Mode: One-armed. Provides the best performance when most of the traffic is outgoing.
Layer 4 Service Type: Layer 4-TCP, Layer 4-UDP
Notes: Real servers in Direct Server Return mode.

  • Requires a loopback adapter on each real server. This enables the real server to reply to the client using the IP address of the service configured on the Barracuda Load Balancer ADC instead of using its own IP address, which would likely cause the client to drop the incoming packets (since the original destination IP address would not match the IP address from the replying server).
  • Can keep the IP addresses of the real servers.
  • SSL offloading and other Layer 7 capabilities are not supported.
  • Persistence is achieved using the client IP address.

Layer 7 Services

Layer 7 services pass traffic in full-NAT mode, changing both the source and destination IP addresses. The Barracuda Load Balancer ADC acts as a proxy. Connections from the client are terminated at the Barracuda Load Balancer ADC and new connections are established between the Barracuda Load Balancer ADC and the real servers.
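
The following Python model is an added example, not Barracuda code: it traces one request through the DSR steps, the Layer 4 half-NAT rewrite, and the Layer 7 full-NAT rewrite described above, and reports which source IP the real server logs and whether the reply passes back through the ADC. All addresses are constructed, and the use of the ADC's own IP as the full-NAT source and the half-NAT return path through the ADC are assumptions of the model.

```python
from dataclasses import dataclass, replace

# Constructed sample addresses (documentation ranges); none come from the page.
CLIENT, VIP, ADC_IP, SERVER = "198.51.100.7", "203.0.113.10", "203.0.113.2", "203.0.113.21"
ADC_MAC, SERVER_MAC = "02:00:00:00:00:02", "02:00:00:00:00:21"

@dataclass(frozen=True)
class Frame:
    dst_mac: str
    src_ip: str
    dst_ip: str

def forward(mode, frame):
    """Frame the ADC sends toward the selected real server."""
    if mode == "dsr":        # only the destination MAC changes, IP header untouched
        return replace(frame, dst_mac=SERVER_MAC)
    if mode == "half-nat":   # Layer 4: destination IP rewritten, client source kept
        return replace(frame, dst_mac=SERVER_MAC, dst_ip=SERVER)
    if mode == "full-nat":   # Layer 7: the ADC opens its own connection (assumed source: ADC_IP)
        return replace(frame, dst_mac=SERVER_MAC, src_ip=ADC_IP, dst_ip=SERVER)
    raise ValueError(f"unknown mode: {mode}")

def server_accepts(frame, vip_on_loopback):
    """A host only processes packets addressed to an IP address it owns."""
    owned = {SERVER, VIP} if vip_on_loopback else {SERVER}
    return frame.dst_mac == SERVER_MAC and frame.dst_ip in owned

def trace(mode, vip_on_loopback=False):
    """Follow one request and its reply; report what each party observes."""
    seen = forward(mode, Frame(ADC_MAC, CLIENT, VIP))
    if not server_accepts(seen, vip_on_loopback):
        return {"delivered": False, "server_logs_src": None,
                "reply_src": None, "adc_sees_reply": False}
    # The server answers from the address it was contacted on.
    reply_src, reply_dst = seen.dst_ip, seen.src_ip
    via_adc = mode != "dsr"  # DSR replies bypass the ADC entirely
    if via_adc:              # assumed return path: the ADC restores the VIP as source
        reply_src, reply_dst = VIP, CLIENT
    # The client only accepts a reply that comes from the VIP it contacted.
    return {"delivered": reply_src == VIP and reply_dst == CLIENT,
            "server_logs_src": seen.src_ip,
            "reply_src": reply_src, "adc_sees_reply": via_adc}

if __name__ == "__main__":
    for mode, lo in [("dsr", False), ("dsr", True), ("half-nat", False), ("full-nat", False)]:
        print(f"{mode:9} vip_on_loopback={lo!s:5} {trace(mode, lo)}")
```

In the model, a full-NAT real server records the ADC's address rather than the client's, so source-IP logging and access rules on the real server behave differently from the Layer 4 and DSR cases. In DSR the reply never crosses the ADC.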

For Layer 7 services, the topology can be either one-armed or two-armed. When you install the Barracuda Load Balancer ADC, you do not need to change the gateway of the servers in the server farm.

For secure Layer 7 services (Secure TCP Proxy, HTTPS, and FTP SSL), the Barracuda Load Balancer ADC inspects the encrypted traffic using a certificate that is specified when the service type is selected. The traffic can be re-encrypted, or you can configure SSL offloading to send the decrypted traffic to the real servers.

Traffic Type: Layer 7 Service Type

  • UDP: UDP Proxy. UDP Proxy supports persistence using both the client IP address and port. Many UDP applications involve all client requests coming from one client IP address. A UDP Proxy service that is configured with persistence on client IP address and port number distributes traffic across all of the real servers.
  • TCP: TCP Proxy
  • TCP with SSL processing offloaded to the Barracuda Load Balancer ADC: Secure TCP Proxy
  • HTTP (web servers): HTTP or HTTPS
  • FTP (FTP servers): FTP or FTP SSL
  • Remote Desktop Services: Layer 7 - RDP

Configuring Services

For more information on the available service types and how to configure them, see Services.

Deployment Examples

The following table lists some common cases with suggested deployments:

Use Case: The Barracuda Load Balancer ADC provides Layer 4 load balancing of TCP/IP traffic.
Suggested Deployment: Create one or more Layer 4 - TCP services.

Use Case: The Barracuda Load Balancer ADC provides Layer 4 load balancing of UDP traffic.
Suggested Deployment: Create one or more Layer 4 - UDP services.

Use Case: The Barracuda Load Balancer ADC provides SSL offloading and Layer 4 load balancing of TCP/IP traffic.
Suggested Deployment: Create one or more Secure TCP Proxy services. If you use a one-armed topology, you do not need to reconfigure the IP addresses of the real servers. A two-armed topology provides better performance.

Use Case: The real servers are on the same subnet as the Barracuda Load Balancer ADC, and the configuration cannot be changed.
Suggested Deployment: You have the following options:

  • Use a one-armed topology, and create a TCP Proxy service (or a Secure TCP Proxy service if SSL offloading is required).
  • If almost all of the traffic is outbound, configure Direct Server Return with a Layer 4 service.

Use Case: There is an existing IT infrastructure using Windows where the web servers must communicate with systems such as Active Directory Domain Services, ISA Servers or domain controllers.
Suggested Deployment: To avoid changing network settings, you have the following options:

  • Use a one-armed topology, and create a TCP Proxy service.
  • Configure Direct Server Return with a Layer 4 service.

For the best performance, it is recommended that you use a two-armed topology and create a Layer 4 service.

Use Case: The outbound traffic is far greater than the inbound traffic, for example, when the real servers are providing streamed audio or visual media.
Suggested Deployment: Configure Direct Server Return with a Layer 4 service to increase throughput.

Use Case: The real servers must individually be remotely administered.
Suggested Deployment: You have the following options:

  • Create new services that each load balance a single real server.
  • Deploy the real servers in a one-armed topology and add them to a TCP Proxy service.
  • Deploy the real servers in Direct Server Return mode, and add them to a Layer 4 service.

Additional Deployment Notes

More information about different deployment options can be found in these articles:
