Faisal Memot demonstrates Stingray Traffic Manager, which is Riverbed's advanced virtual application delivery controller.
May 09, 2012
May 01, 2012
The backup plan, for the backup plan to the backup plan...
Unless you have been living under a rock for the last ten years, most people in IT have grasped the concept that perfectly working applications will eventually break: sometimes badly, other times CATASTROPHICALLY. Let's chalk this up to a mix of Murphy's and Moore's laws:
"With the speed of technology advancing and refreshing constantly, whatever can to wrong eventually will..."
Or as I like to define my 1st law:
"The amount of entropy in any IT system is directly proportionate to the frequency that things will go horribly wrong."
Now the worst part of this is that business is asking for IT systems to be more dynamic and agile moving forward. The capacity for catastrophic disaster when projects go "agile" or start a "continuous delivery" cycle are much greater if changes are not effectively tested and managed. Discreet infrastructure changes that are needed to support these agile and continuous deliveries can also cause havoc.
Now virtualisation has helped solve entropy in server hardware architecture by providing an abstraction layer between hardware and the operating system.
Moving further up the stack, similarly, Application Delivery Controllers (ADC) have carved out a place in the modern data centre to provide a critical abstraction between the entry point for a service and the resources that actually processes a given request. The abstraction comes when you create a virtual server and define a pool of resources to handle requests to that virtual server: The ADC ensures that the request is serviced by an available resource and that any resources that are not funcitoning correctly are bypassed.
Now we get to my 2nd law:
"Good health checks lead to good traffic management decisions."
The more granular and effective the health checks on any given system, the more effective your traffic management will be.
Now health checks are only half of the solution. Health checks are great at letting you know when a resource fails, but deciding what to do *when* that resource fails is where the "rubber meets the road."
Let's get to the topic in the title of this post: "Just what is the backup plan for the backup plan to the backup plan?"
Over the next four posts, I'll be running through the areas where your humble Stingray Traffic Manager can be configured to provide healthy available applications when things go HORRIBLY wrong. We are going to cover a variety of topics from things you can do inside your data centre to ways you can leverage public and private clouds to ensure you are able to keep on keeping on when DISASTER strikes.
This week we are going to cover:
Load Balancing - your first line of defence.
So you have your shiny new virtual ADC installed and you have set up your first virtual server and pool of resources. You are pretty proud of yourself but you wonder:
"Is there anything I could do to make it... Better?"
Chances are that there might be. There are several things that I do instinctively when setting up ADC virtual servers. Now good decisions come from experience, and experience, as we all know comes from *bad* decisions. So what have I learned in the last few years from all the *bad* decisions I have made looking after ADC's?
1) Make your health checks as granualr as you can:
- ICMP Ping is better than nothing;
- TCP Port checks are better than ICMP Pings;
- "Basic HTTP" checks are better than TCP port checks (for Webservers anyway); and
- "Full HTTP" checks that actually submit a valid HTTP request and validates the server's response are better still (again for web servers).
If we look at the Basic HTTP checks in the screenshot below, you can see that there is limited scope for customisation.
The basic HTTP check will send a "GET /" and will accept *any* response as a succesful health check. If the web server responds, it is considered healthy.
Now for a more granular health check, we could use the "Full HTTP" check. Out of the box the "Full HTTP" check will perform a similar "GET /" check, but will require the server to respond with a 2XX, 3XX or 4XX server response code to be considered healthy. A "500 Internal Server Error" status code would cause the node to fail the health check:
As you can see, we could also specify:
- A Host Header (in case we have virtual hosts being used to present multiple sites on a single back end node )
- A Path to retrieve: /myapplication/login.aspx for example
- A Status Regex to match ('^[234][0-9][0-9]$' is the default that will ensure a 2XX, 3XX or 4XX message is returned)
- An HTTP response body value to match so you can ensure your application is responding correctly.
Now that we have granular health checks in place, it is time to look at what we do when health checks fail.
2) Failure Pools
Failure Pools are designed to let you have a pool that has one or more servers to use if there are no healthy members of the default pool to service the request.
A common use for failure pools is to host a "Sorry" page - a pretty static content page advising users connecting to a service that there is a technical fault or a scheduled outage. To define a Failure Pool, just create a pool in the normal fashion. Lets say we called our failure pool "my_failure_pool". You can then configure our main pool to use it as a backup. Inside the configuration of the main pool, drop down the "Failure Pool" list and select it. It really is that simple, as you can see from the screenshot below:
3) Priority Lists
Priority lists are designed to allow you to control which hosts get used in a particular pool. A common use case for Priority Lists is when there is connectivity between two data centres, a pool definition might include resources from two different sites. Ideally, you want to always use the nodes that are local to the ADC. If enough of the local nodes are not available, then you want to expand the pool definition to include the nodes on the remote site. In the screen shot below, you can see I have configured the 172.16.10.x nodes as the highest priority group, but if the number of nodes in this group drops below 1, it will engage the next Priority Group level and use the nodes in the 172.16.135.x range.
4) Autoscaling Pools
Stingray Traffic Manager support the ability for the STM to automatically scale the number of nodes in a pool based on demand for the service. Out of the box VMWare ESX (tm), Amazon EC2 (tm) and Rackspace (tm) are supported targets.
Many integrations have been performed by Stingray customers into other API's for Autoscaling such as environments built on OpenStack and CloudStack. The Autoscale feature is provided with appropriate credentials to the Hypervisor or cloud environment and monitors server response times. If the defined percentage of server responses exceed the required maximum threshold for response times, the STM will trigger an autoscale to increase the number of nodes in the pool. The size of the Autoscaled pool can have a low and high watermark set to allow you to constrain the minimum and maximum nodes that will be dynamically provisioned. As you can see from the screen shot below, Autoscaling has been set up onto a VMWare hypervisor for a mimumum of 2 nodes and a maximum of 10 nodes.
In the screenshots above, if 40 percent of the connections exceed 1000ms response times for a period of 20 seconds, the STM will initiate a scale up of the pool. If 95 percent of the connections return under the 1000ms response time for more than 20 sec, the STM will initiate a scale down of the pool.
So as you can see, even with basic load balancing features such as Advanced Health Checks, Failure Pools, Priority Group Lists and some advances features such as Pool Autoscaling, there really are many things that you can do to add more resiliency to your deployment.
April 28, 2012
April 25, 2012
Cybersecurity Act of 2012
Currently in front of the US Congress is the Cybersecurity Act of 2012. With so much of today's infrastructure and economy dependent on the Internet the US Govt is considering what additional measures it can take to protect critical infrastructure, government assets, companies and individuals. A portion of this act is focused on education and awareness, which we all can use in the fast moving world of security.
While we can't control what the US Govt, or any other govt does to protect us, we certainly can take action to protect our own infrastructures. Designing a strong security architecture requires building layers of security. By this I mean, having multiple security and monitoring systems that provide many methods of monitoring, detection, defense, etc. However, to do this you need to consider the various attack vectors, your gaps, and how to economically implement the architecture. In many cases, making security economical within a large organization requires leveraging solutions you already have, but possibly haven't utilized to their maximum capability.
Riverbed's IT Performance solutions not only contribute to improving efficiencies, they also have extensive capabilities related to monitoring and security. However, often our clients aren't leveraging these existing capabilities as part of their security architecture. Using tools already deployed in your infrastructure can help your organization improve security, while saving money.
In today's blog we'll briefly cover some of the security and monitoring capabilities in Riverbed's solution portfolio.
Stingray supports:
- Application delivery controller service protection capabilities against attacks such as malformed requests, Denial of Service (DOS), Distributed DOS, etc.
- Access rules to deny unauthorized addresses, as well as user authentication integration to deny to unauthorized users.
-
The Web Application Firewall (WAF) can block application layer attacks, such as code injection, cross site scripting, phishing attacks, spiders and much more. This can be done in software on the servers or in the Traffic Manager itself. This architecture enables massive scaling that is cloud ready, can be distributed globally, all while being centrally managed.
- Develop sophisticated OSI layer 3 - 7 security policies, to include shadow rule sets to model how a policy will affect traffic prior to applying it.
- Bandwidth management capabilities to limit requests, bandwidth, etc.
- Global Load Balancing for COOP scenarios.
- Extensive and customizable web logging for deep application analysis both onboard Stingray or using third-party web log analysis tools.
- Request tracing and packet capture for deeply analyzing attacks or suspicious users.
- Traffic Script and Java integration provides extensibility to build custom security capabilities. Your imagination is truly the limit with these unique options.
Cascade supports:
- Drill-able network visualization tools to easily see who did what to whom and what happened.
- Extensive flow reporting to cost effectively monitor every conversation within an enterprise.
- Network Behavior Analysis and Detection (NBAD) and Rule Based Events (RBE) for performance and security event alerting. Enabling you to be told about security events or anomalies very efficiently - such as new hosts, suspicious hosts, worms, unauthorized scanners, servers transmitting on unauthorized ports, backdoored hosts, unauthorized firewall policies, and much more.
- Integration with vulnerability scanners, SIMs, Active Directory, DHCP and DNS architectures to enable streamlined analysis and security automation.
- Automated and/or manual right-click integration with switching and routing infrastructure to disable interfaces with compromised hosts so they can be quickly and easily quarantined.
- Shark provides continuous high-speed long-term packet capture with analysis via PIlot.
- Shark can export packets in PCAP format to support analysis with third-party tools, like your favorite reconstruction tool. This enables deep forensic analysis and the packets to prove exactly what happened.
Steelhead supports:
- Flow export to Cascade and/or Security Information Management (SIM) frameworks so you can monitor host level conversation details globally.
- Continuous packet capture for forensic analysis (tcpdump format).
- QoS and Inpath rules to deny or block suspect traffic types - such as P2P, malware, etc. This enables distributed blocking of unwanted traffic. When using Central Management Console (CMC) your organization can enforce actions globally within seconds.
- RSP/VSP virtualization frameworks to deploy your favorite security tools within a remote site without the need for more hardware (VPN, Firewalls, IDS/IPS, open source tools, etc). For example, a SNORT package is available for RSP from the Riverbed Community site.
While Rivered is know as the IT Performance company, you can see we also have useful security capabilities.
Scary Fact: The Verizon 2012 Data Breach Investigations Report analyzed over 855 data breaches (i.e. compromised records). Of these data breaches the attacked organization only discovered eight percent of the breaches. Ninety-two percent of the breaches were discovered by other parties (law enforcement, fraud detection services, customers, etc). Records were exfiltrated in seconds to hours in sixty percent of the cases, while in eighty-three percent of the cases it took weeks to months for the breach to be discovered.
Are your web applications protected from code injection, cross-site scripting, insecure direct object references or cross-site request forgery? These are just a few of the most common web application vulnerabilities. If you are interested in learning more about web application security there are outstanding free resources at the Open Web Application Security Project (OWASP). One my my favorites is the WAF Best Practices article. OWASP hosted AppSec 2012 recently and was kind enough to invite Riverbed's Alex Meseil, Director of WAF, to discuss his experience and lessons learned about Cloud-based Distributed WAF - an architecture being used by some of the largest Internet content providers today.
We all need to be aware of the challenges with security, especially at the application layer. Contact Riverbed today to discuss how we can further assist.
April 20, 2012
Four Steps to a Faster, Happier Microsoft SharePoint Deployment
One customer was faxing documents back and forth rather than waiting for slow Microsoft SharePoint® downloads. It's not SharePoint's fault; it's often other factors outside SharePoint involving the network. Fact is, people will drop any technology like a hot brick when the WAN slows the end-user experience.
But it does not have to be that way because Riverbed® products give users the SharePoint experience they need to be productive.
Think Centralized SharePoint - We are not talking about a distributed environment in which each branch needs additional hardware and in-branch IT talent—not to mention the unavoidable complexity involved. Instead, you can get a centralized SharePoint deployment with the performance of a local setup. For that you will need a performance platform from Riverbed.
So without further ado, here are the steps for giving your users a faster, happier SharePoint deployment.
Step 1: Know what is on your SharePoint network and who is using what
Riverbed® Cascade®
- Four reasons to centralize SharePoint
- Powerful search indexesLess hardware
- Less in-branch IT administration
- Simplified backup processes
Start by building an accurate picture of your SharePoint landscapes. That is, understand what and who is on your networks. Cascade accomplishes this with an unrivaled speed and top-to-bottom accuracy.
- Discover all hosts in 2- and 3-tier SharePoint farms
- Map dependencies between web, app, and data tiers
- Identify which users are connecting to which hosts
In addition to providing visibility into network performance to resolve users' SharePoint performance complaints, Cascade can help accelerate SharePoint deployment and re-architecture projects, while reducing outage risks and failed cutovers. Within a few hours, Cascade can discover all systems, identify server and client dependencies and locations, and show the information in a graphical, interactive format.
Step 2: Centralize and consolidate SharePoint server farms
Riverbed® Steelhead® appliances
Why distance causes problems
Start with the physics of traveling great distances, toss in application chattiness that causes hundreds or thousands of round trips, and you've got a recipe for slow applications.
Armed with your SharePoint map courtesy of Cascade, next it's time to make improvements by centralizing and consolidating SharePoint server farms. For this, you need to banish the performance blocks with:
- Data deduplication
- TCP protocol optimization
- Streamlining chatty protocols
- Prioritization and quality-of-service (QoS) management
The results speak for themselves:
- SharePoint operations are up to 30x faster
- Bandwidth utilization is reduced by up to 99%
Step 3: Managing sudden popularity
Riverbed® Stingray™ Traffic Manager
With Steelhead appliances juicing SharePoint performance, everyone now loves collaborating, so the load increases. And traffic now spikes when, for example, the CEO asks everyone to read the quarterly results and everyone tries to download the document all at once.
To increase the throughput of that SharePoint server farm, use Stingray Traffic Manager. With it SharePoint servers can support a greater number of users. How? Stingray Traffic Manager manages those requests more efficiently, including offloading some heavy lifting and repetitive tasks from the servers themselves. That means you can support more users. Bonus: You may even be able to reduce the number of servers in the farm.
Steelhead appliances optimize the limitations of SharePoint over the WAN: limited bandwidth, the impact of latency, protocol chattiness, and QoS management
Stingray Traffic Manager addresses server availability and supports greater throughput and performance from the SharePoint server farmStingray Aptimizer dynamically tunes the content on the SharePoint webpages themselves for faster load times.
Step 4: Happiness is a faster-loading page
Riverbed Stingray Aptimizer
As SharePoint users navigate around the site they must wait for each page to load—just like for Internet-based webpages. SharePoint components such as style sheets and images slow load times, as the browser has to fetch each piece from the server.
Stingray Aptimizer—a simple software installation on the SharePoint web server—can dynamically tune SharePoint pages, reducing the number and weight of those page components, leading to improved load times for SharePoint users. It's done by:
- Merging files for fewer round trips
- Shrinking and compressing files for less data
- Increasing caching to reduce reloads
- Tuning the page layout
Results:
- Up to 76% reduction in load times
- Up to 43% less traffic
April 12, 2012
Analysing Page Load Time with Stingray
Here in the Stingray unit of Riverbed we are all too familiar with the online tools which help profile the performance of your web services. Sites like webpagetest.org which allows you to run simulated tests from various locations over the globe, using a multitude of different User-Agents or browsers. Yet as good as these tools are, at the end of the day they are just simulations. What if you want to see what your actual users are experiencing when they attempt to visit your pages from the shores of Peru, snow dusted Moscow, or even good old London town? Well if you have a Stingray Traffic Manager, then I may just have the answer.
The map pictured above is using the OpenLayers API to plot client locations and colour code them according to the page load times they achieved.
Introducing Stingray PageSpeed...
Stingray PageSpeed is a little tool I built on top of the Traffic Manager to help our customers record and visualise exactly that data. Stingray (for the un-initiated) is an intelligent Layer 7 Application Delivery Controller (ADC), and as such it has all of the tools necessary to help you build your LIVE performance picture. All we need is a little bit of TrafficScript magic.
Stingray PageSpeed is actually just two TrafficScript rules coupled with a little bit of HTML for graphical representation of the data it collects. The system works by recording the time at which clients hit a predefined set of pages on your site, and then recording how long it takes to download and render the entire page. That data can be recorded to a log file via the Alerting system, dumped out to the Stingray Event Log, or simply made available through the PageSpeed UI.
Once you have a performance picture of how well your site is performing for real world, living and breathing customers you may find some performance optimizations are in order. Why not give your local Stingray team a call to discuss your options? You may want to give Stingray Aptimizer a trial; to optimize the web pages themselves. Or perhaps deploy a web-caching Stingray instance in a Data Centre or Public Cloud; to bring the content physically closer to the end users.
If you want to check out Stingray PageSpeed for yourself then go ahead and download the extension from the Riverbed Community Portal.
April 11, 2012
April 04, 2012
Custom Silicon - Compression and SSL Offload - Why (v)CPU is better than Silicon
Since I started with Riverbed in the Stingray Business Unit, many customers have been asking me about SSL offload, and why they would want to move away from their existing hardware ADC's with SSL offloaded into dedicated silicon. It would seem that many vendors of legacy hardware ADC appliances have zeroed in on this in their defence of their install bases with customers who are looking seriously at the benefits of a software of virtualised ADC solution.
With the advent of virtualisation and the push into elastic computation environments whether "on-premise" or into private or public clouds, much focus has shifted to the conversations of infrastructure automation to provide varying levels of elasticity. All of this is essentially aimed at a couple of key objectives:
- Reducing the time to deploy new initiatives
- Allowing applications to scale up and down as needed to meet demand
- Drive better economies by meeting demand when it is needed without having to over provision from the start
So how does this map to SSL acceleration being performed in CPU or on dedicated hardware? It all comes down to the basics of where this elasticity is coming from: Network and Compute capacities, when virtualised, become commodities that can be consumed dynamically and on demand. Now this level of commoditisation is not just about virtual machines or networks being provisioned, scaled or de-provisioned - it is more fundamental than that:
By moving SSL offload onto commodity (v)CPU on a soft/virtual ADC, it means the whole pool of compute is available to service your total ADC workload - regardless of whether it is SSL offload, Web Application Firewall, compression, complex L7 content rewrites or any other of a host of things that ADC's can do for your application.
Now this statement on the surface might seem vague and non specific, so let me nail this down with a specific customer example.
Last week one of our Cloud Service Providers had an opportunity laid in their lap to take on the hosting for an iPhone application that had started to grow in popularity and had hit severe scalability issues in their previous cloud hosting provider. The team did a great job of spinning up the capacity and helping the end user migrate their application in a very short time. All assisted of course with the Stingray Traffic Manager that was front ending the application and allowing it to scale onto a large pool of resources.
Now this might not seem incredible - ADC's have been "saving the day" in these kinds of use cases for a long time now. What sets this story apart is what happened next.
The application grew in popularity again, and the Stingray ADC was able to scale for the end users workload without costing any more money. The customers Stingray Traffic Manager had a sufficient license to meet their throughput requirements. What they needed was more "grunt" in the ADC they had for a combination of elements: more SSL, more caching, more buffering and more L7 Application handling smarts.
So what did they do? They Quadrupled the vCPU and memory allocations to their Stingray Traffic Managers almost instantaneously - this gave them an immediate boost to their whole ADC workload - SSL, Caching, Buffering and L7 functions all at once.
If they had been using a hardware ADC, while the SSL might have been offloaded into silicon, the scalability of the rest of the solution would have meant upgrading the *whole hardware ADC* to get at more compute power and memory. There was no ability to "re-route" the unused SSL hardware offload capacity to make more Compression or Application Firewall throughput. No using it to help with L7 content rewrites, no tapping into the dedicated hardware compression chips to help with content switching...
Any un-used SSL or compression hardware processing power is essentially "lost".
As you can see, by moving to a (v)CPU centric ADC model, the deployment is much more flexible and offers better value for the customer's dollar - the ADC will service the whole workload efficiently - not just elements of it. You have elastic capacity *inside* your ADC too now.
So do you still think you want to do SSL offload or compression in hardware?
March 22, 2012
Matching Optimization with Demand: Private Cloud Computing
There has been a lot of recent interest in industry efforts towards virtualizing the network to match the transformational results realized by virtualized computing. The argument goes, “we now have all this great virtualized compute capacity that give us the ability to better match services with demand, but the network remains stuck in the past as the LAN/WAN services are still deployed and provisioned in more static ways.” There is some truth to this argument along with some promising new directions (like OpenFlow), but as far as making existing the networks of applications of today and the foreseeable future run better, private clouds and technologies like VDI can be flexibly deployed and optimized using technology available now.
A key consideration, and an essential component of any enterprise cloud that hosts critical services, is how to intercept traffic in the data center so that the right protocol traffic can be optimized for each group of applications while still maintaining enough “on-demand” capability so that your cloud can handle traffic growth, new architectures (Citrix ICA optimization, for example) and avoid any brittleness that might go along with static provisioning. One approach is VRF-aware WCCP: a way to hand-off traffic to optimizers as it travels to these independently provisioned services at lower layers in enterprise network. For example, IT for different business units might be provisioned as separate collections of VMs on separate VLANs and subnets, each with its own IPv4/IPv6 routing table. This approach allows out-of-path interception at core/aggregation layer where traffic can be better abstracted.
If you are involved in planning or thinking about your next private cloud deployment, a straightforward discussion of how to actually make these decisions is discussed in Chapter 6 of a new book by our own Dr. Steve Smoot and Nam Kee Tan. The book, Private Cloud Computing: Consolidation, Virtualization, and Service-Oriented Infrastructure, recently reached the top 50 in its category on Amazon and covers a whole lot more on this topic, including other key considerations like storage architecture, Infrastructure-as-a-Service, and example case studies. There is just the right amount of depth (such as configuration examples) for designing new networking services for clouds -- services like subtenant provisioning that are central to the concept.
In short, optimization can be easily deployed ways that are fully compatible with deploying applications virtually in the enterprise using existing capabilities on your networking gear. Future technologies changing how we think of networking VMs, such as with a FlowVisor, may also enable new ways of optimizing traffic wherever it needs to be. Multi-tenant optimization is real today in a practical sense (it's technically very doable) and it supports the strategic gains of deploying a private cloud: more effectively matching services with demand.
March 19, 2012
March 07, 2012
Using Stingray Traffic Manager to load Balance Microsoft RDP with a Session Broker
With the rise of pocket computing, users can access their applications and data from anywhere any time. The only issue with this is that now, there is an expectation that the applications will be available… you guessed it… any where any time… (sheesh!)
But how do we do it? How do we make sure that your critical application or resource is up all of the time: Enter the ADC. These are problems that ADC's are born to solve. ADC's are the best way to keep your application ticking along regardless of outage, change window, administration errors and all the other things that plague your application stack.
Now, a misconception that I come across regularly is that ADC's can only provide value if the application is web based. This, simply put, is not true. In this example, I am going to show you how to make a farm of Microsoft Windows 2008R2 Remote Desktop Services servers highly available with a little more intelligence than using knuckle-headed "Round Robin" DNS, in an environment where direct connections to the servers just aren't possible.
In my example, I built a farm of three Remote Desktop Servers in under an hour in Amazon's Virtual Private Cloud, and front ended it with a Stingray Traffic Manager. Now, the AWS VPC setups and instructions for enabling MS RDS are pretty well documented, so I am not going to go into it here. The magic here lies in Traffic Script being able to parse just about any application protocol and interpret it at the application layer to make smart traffic management decisions.
In this instance, we are parsing the RDS x.224 headers that RDS Session brokers use to instruct an RDS client to connect to a particular RDS server. Traffic script can grab the header and read the important RDC Routing Token like this:
Cookie: msts=2232680714.15629.0000
Now this is a numeric value that, when decoded, will tell the Traffic Manager which back end node to send the traffic to. The Traffic Script in questions is available here:
http://community.riverbed.com/t5/Code-Samples/Load-Balancing-MS-RDP-with-a-Session-Broker/td-p/20449
See? ADC's are *perfectly* placed to keep those applications up 24/7.
Happy Traffic Managing!
March 02, 2012
One day, I might need to drive to the moon...
Traditionally, sizing hardware for an ADC deployment has been one of those things that required a mix of many skills. It was part science, part instinct, part experience, part crystal ball and part gamble. If there was a chance, or sometimes a hope, that you your application, product or offering would "take off", you would have to be ready to scale on the ADC you had picked months or years ahead. Add to that the variables where at some arbitrary point in the future, you might like to turn on advanced layer 7 functionality like an application firewall, heavy content re-writes or even just adding an additional ADC feature module, and you are left trying to size based on what you might be doing one day far off in the future. The only problem is, you are paying for it now.
It is literally like sitting in a car yard, trying to decide on which car to buy, trying to factor in that one day, you might want to drive to the moon...
I have just been reminded of this while sitting with one of our system integration partners that commented that one of their customers bought a pair of chassis based hardware ADC's from a different vendor for… wait for it… a total of 5 back end web servers because, one day, their application might "take off".
Now, I don't know about you, but if I was the customer staring down the barrel of a quote for $150k US RRP for a pair of ADC's that were taking a very modest load from day one on the chance that my application might need to scale I would be looking for a better way to do it.
I can see why Stingray's ability to scale on your commodity compute from 10Mb/s all the way to 40Gb/s and beyond with a license key upgrade seems so much more palatable to the customers I am talking to. I know if I was managing IT infrastructure budgets, the opportunity to buy only what I need right now and scale as I need to would make it much easier to get my application to market without shelling out megabucks up front.
February 23, 2012
The niceties of TrafficScript
So having worked with several ADC vendors over the last few years, I have had my fare share of interaction with manipulating traffic with a rules based framework like TrafficScript. One of the niceties of Stingray TrafficScript is that is truly has come from an applications
background rather than a "packet mangling" network appliance. For example, the first time I had to use TrafficScript to help a customer parse a response body, I was pleasantly surprised when I read the TrafficScript Reference for the http.getResponseBody() command (nb: the interesting bit is underlined below):
http.getResponseBody( [count] )
Returns the body of the HTTP response.
If the response has chunked transfer encoding this function will return the de-chunked body. Similarly if the response is gzip or deflate compressed the body will be returned uncompressed.
If the optional 'count' parameter is provided, http.getResponseBody() will read and return the first 'count' bytes of the response. If count is 0, http.getResponseBody() will return the entire response.
# Read the entire response body
$body = http.getResponseBody();
Now, having done similar things with both iRules on F5 BigIP and with actions on Citrix NetScaler, the fact that the Traffic manipulation language takes care of de-chunking and decompressing the body content means one simple thing:
With Stingray Traffic Manager, I can spend more time doing what I sat down to do and less time fiddling with the ADC platform...
Simple really..
February 21, 2012
February 20, 2012
February 15, 2012
February 13, 2012
Extending Stingray Traffic Manager with TrafficScript
One of my duties as a Channel System Engineer is to update our partners on our new technologies and products. In the recent months after people heard that we acquired two new outstanding technologies, I was often asked why believe that the Zeus ADC now Stingray Traffic Manager is superior to other ADCs on the market.
Of course there are many different correct answers to this question. But for me one of the main reasons is its flexibility, scalability and of course the fact that it is highly customizable, making it a solution that is easy to adapt to all the customer scenarios out there.
For those who might have missed it: Stingray Traffic Manager is a high-availability, application-centric traffic management and load balancing virtual ADC. It provides control, intelligence, security and resilience for all application traffic. Stingray Traffic Manager is intended for organizations hosting valuable business-critical services, such as TCP and UDP-based services like HTTP (web) and media delivery, and XML-based services such as Web Services.
Stingray Traffic Manager’s architecture ensures it can handle large volumes of network traffic efficiently. Its scalability allows you to add more front-end traffic managers or back-end servers as the need arises. The cluster size is unlimited, and the performance of the traffic manager grows in line with the performance of the underlying hardware.
These are all amazing features Stingray TM provides for scalabilty and felxibilty, but today I would like to talk specifically about one of the capabilities of the Stingray Traffic Manager that extends the possibilities mentioned above and makes it highly adaptable beyond what would be achievable with a monolithic approach: TrafficScript.
Using the TrafficScript language you can write tailored traffic management rules to inspect, manage and route requests and responses in every imaginable way.
TrafficScript rules can be executed whenever a new connection or network request is received, and whenever it receives a response from a node. The rules you create inspect the incoming and outgoing data in the connection, and other aspects such as e.g. the remote client address, destination address and port. You can write rules that can then modify the request or response (for example, rewriting the URL or headers in an HTTP request), set session persistence parameters, or decide how to route the request or even rewrite the content of the output page.
There are many occasions when you might want to use a TrafficScript rule.:
- You can use a rule to dictate session persistence information
- Rules can be used to check the response from the server and modify it, or even retry the request (if possible) if a transient error was detected.
- If you use various back-end systems with different presentation styles or even different protocols, rules can be used to integrate them into a single, coherent and consistent service. Incoming requests can be rewritten into the format suitable for the required service, and responses can be rewritten into a single, consistent form. For example, HTTP requests that involve a database lookup can be rewritten into SOAP request for a Web Service; the XML response can then be transformed into a suitable HTML document to return via HTTP.
- Rules can specify custom behavior for each connection; e.g. connections to a slow resource can be given a longer response time tolerance for example.
- Security: You can use a rule to check packets for a match with known web worms or viruses.
- Data Protection: you can write rules that ensure that sensitive data like credit card numbers or social security numbers are automatically hidden even if they were to be displayed in the output of a web page by accident.
One of the great properties of TrafficScript is that it is easy to learn and understand! Even for people with little coding experience. You don’t have to worry about having to learn an entirely new, complicated scripting language, TrafficScript will look familiar even to the untrained eye.
Here are two examples of TrafficScript rules:
1) Restricting Access Based on the Time of Day
This example only allows access to a particular service during office hours (between 9am and 6pm, Monday to Friday). It discards all connections that occur outside these times.
$dayofweek = sys.time.weekDay();
$hourofday = sys.time.hour();
# $dayofweek: Sunday is 1, Saturday is 7
# $hourofday: office hours are between 9am and 5:59pm if( $dayofweek == 1 ||
$dayofweek == 7 ||
$hourofday < 9 ||
$hourofday >= 18 ) {
log.warn( "Warning: access out of hours!" );
connection.discard();
}
2) Customer Prioritization
This example inspects the cookie in an HTTP request. It uses the value of the cookie to determine which pool to direct the request to. One pool is faster than the other because it contains machines that are reserved for premium users.
A company has a customer base divided into “gold” and “silver” membership. It wishes to give priority to the “gold” customers and has five servers, yellow, green, blue, black and purple.
Two server pools are created: standard, for the “silver” customers, containing machines yellow, green and blue; and premium, for the “gold” customers, which includes all five of the servers. Thus black and purple are only available to the “gold” customers.
The site uses a cookie login system, with the customer type encoded in the cookie. Different membership levels can be detected, and sent to the correct pool. This is the script needed to achieve this:
$cookie = http.getHeader( "cookie" );
if( string.contains( $cookie, "gold" )) {
pool.use( "premium" );
} else {
pool.use( "standard" );
}
5 short lines of code to ensure that your premium customers get the best possible service!
These two short examples show that TrafficScript is indeed a very approachable, easy to learn scripting language. The best part is: our outstanding Support Team will assist you if you have problems writing or adaptig your own TrafficScripts.
This is part of your support contract and ensures that there is someone around to help you at all times at no extra cost.
For a detailed overview and syntax to get you started, take a look at our Stingray Traffic Manager TrafficScript Guide.
Of course there is also a community of TrafficScript Users that can help you with your first (and further) steps. Visit them at http://community.riverbed.com/t5/Stingray-Family/ct-p/zeusproducts for code samples, answers to your questions and further documentation.
February 07, 2012
February 01, 2012
 |
|---|
Categories
- Application Acceleration
- Application Delivery
- Bandwidth Optimization
- Contests
- Corporate
- Customers
- Data Protection
- Disaster Recovery
- Events
- Fun
- Hybrid Cloud
- Load Balancing
- Mobile
- Packet Capture
- People
- Private Cloud
- Public Cloud
- Security
- Site Consolidation
- Storage Cloud
- Technical
- Virtualization
- Visibility
- Web Content Optimization
Recent Posts
- Download Math (or, Predicting the Future)
- 5 reasons why you should implement a cloud storage gateway
- Steelhead Cloud Accelerator - Live from Interop
- Eating our own Dogfood
- Interop 2012 - Riverbed customer DJO Global discusses Steelheads
- Riverbed @ Interop
- Viva Las Vegas: Riverbed at the General Dynamics C4 Systems (GDC4S) Conference Secure Communications and Computing User Conference and Training Event
- Interop 2012 - Gigamon partnership
- Interop 2012 - Riverbed customer Geoengineers discusses Whitewater
Blogroll
- Brad Reese on Cisco
- CIO - Advice and Opinion
- Cisco Subnet Blog
- CloudTweaks.com - Cloud Computing Research Community
- Colin McNamara - CCIE 18233 , VCP, RHCE, GCIH, Geek
- Communications Innovations
- Data storage technology and management resources - SearchStorage.com
- GigaOM
- InformationWeek | Global CIO
- InformationWeek's Analytics Weblog
- InformationWeek's Backup and Business Continuity Weblog
- InformationWeek's Storage Weblog
- InformationWeek's Virtualization Weblog
- Infrastructure | Arthur Cole | Blogs | ITBusinessEdge.com
- Network Computing: The Daily Blog
- Online Storage Optimization
- Original Blogs on BrianMadden.com - Brian Madden - BrianMadden.com
- Putting Realism Into Your Network
- Sean Michael Kerner
- Steve's IT Rants
- Storage Soup - A SearchStorage.com blog.
- StorageMojo
- StorageRap
- Tech Trader Daily - Barron’s Online
- The Forrester Blog For Infrastructure & Operations Professionals
- The musings of an IT Consultant
- The Network Hub - A SearchNetworking.com blog
- Virtualization - CIO.com - Business Technology Leadership
- VMblog.com - Virtualization Technology News and Information for Everyone
