SSL hardware offloading in physical and virtual RELIANOID load balancers

View Categories

SSL hardware offloading in physical and virtual RELIANOID load balancers

3 min read

Description #

Hardware Offloading is used to delegate highly load computing tasks to a dedicated hardware resource directly, rather than a software process in order to increase performance and to free generic computing resources. Enabling hardware offload optimizations in RELIANOID solutions brings improved performance, throughput, lower CPU load and freeing more resources for other tasks.

It is well known that secure communications are a must. However, it is well known as well that managing encrypted transmissions is a heavy burden for a common computing systems. Because of this, many vendors have been offering for years SSL offloading solutions and some organizations have developed dedicated hardware solutions to perform SSL offloading tasks.

More recently, some hardware manufacturers have decided to extend their micro-processor platforms to embed hardware capable of managing SSL traffic efficiently. An example of this is AES technology, later improved with The Advanced Encryption Standard Instruction Set (AES-NI). AES-NI is an extension to the x86 architecture for microprocessors from Intel and AMD. The purpose of AES-NI is to improve the speed of applications performing encryption and decryption using the Advanced Encryption Standard (AES) like the AES-128 and AES-256 ciphers. AES-NI was designed to provide 4x to 8x speed improvements when using AES ciphers for bulk data encryption and decryption. Today AES-NI instruction is embedded in the majority of Intel and AMD microprocessors in the market.

RELIANOID 5.1 is able to check whether the main host CPU supports the AES-NI instruction set and offer to the user the possibility of leveraging SSL hardware acceleration for HTTPS communications. The most interesting aspect of this feature is that AES-NI can be used in RELIANOID physical as well as Virtual Load Balancers running on top of common hypervisors in the market (Vmware, KVM, Xen or HyperV).

How does HTTPS Offloading work in RELIANOID physical or virtual appliance? #

Client requests to open a HTTPS connection to the RELIANOID Load Balancer Appliance. HTTPS profile inside the LSLB (Local Service Load Balancing) core generates the HTTPS tunnel between RELIANOID Server and Client. The SSL operations are sent to the CPU AES-NI hardware to manage all encryption / decryption operations directly in hardware for the HTTPS traffic between client and RELIANOID. Finally, the RELIANOID Server will forward the traffic to the Backend servers.

SSL Hardware offloading flow

Hardware offloading flow for RELIANOID Load Balancer

How to use it #

Firstly, please ensure to update to RELIANOID EE 5.1 or a greater release. In addition, check if your hardware supports AES-NI and enable it applying the following steps:

Go to the RELIANOID Web Panel and create a new LSLB Farm with HTTP profile as follows:

HTTP Farm Creation for SSL Offloading

Once the new LSLB farm with HTTP profile is created, edit the created farm and select the HTTPS option of the Listener field. New configurable parameters will be shown. At this point the RELIANOID Load Balancer system will check AES support in CPU hardware. If supported, the SSL offloading feature will be available in the list of Ciphers as shown below.

SSL Offloading enabled

Select here the option SSL offloading and save changes.

This will send all HTTPS traffic managed by this farm to be processed by the AES-NI instruction set of the CPU hardware.

Benchmark numbers #

RELIANOID Load Balancer is able to manage about 72k SSL connections per second with SSL offloading enabled in an Intel® CoreTM i5-6500, Base Frequency 3.20 GHz with 4 cores.
RELIANOID Load Balancer is able to manage about 93k SSL connections per second with SSL offloading enabled in an Intel® Xeon E3-1245 v5, Base Frequency 3.5 GHz with 2 x 4 cores.

SHARE ON:

Powered by BetterDocs