White Paper

BIG-IP Virtual Edition Products, The Virtual ADCs Your Application Delivery Network Has Been Missing

Updated June 05, 2011

Introduction

Over the past few years, virtualization technologies have had a monumental impact on the way IT functions. Server virtualization was introduced to the data center through virtual platforms: virtualized hardware and software that enabled IT staff to virtualize individual physical servers and consolidate them onto commodity hardware. As server virtualization becomes more and more common, it is extending into other areas of the data center, such as networking and overall IT infrastructure. The adoption of virtualization by enterprise IT has been growing at such an unbounded rate that we're now seeing concepts based on virtualized infrastructure, such as the enterprise cloud, make their way into the data center.

Traditionally, ADCs are physical appliances that sit at the edge of the data center, providing advanced application delivery features and removing load from applications. In today's virtual data center, the physical Application Delivery Controller (pADC) provides these services to applications either running on physical servers or running on virtual platforms from vendors such as VMware and Microsoft. The role of the pADC doesn't change, however, when delivering services for applications running on virtual machines; the applications still have the same optimization, availability, and security needs regardless of what platform, physical or virtual, they're running on.

As IT staff virtualize and consolidate infrastructure components throughout the data center, it is only a matter of time before the Application Delivery Network (ADN) is folded into the virtual infrastructure as well. Collapsing services into the infrastructure typically is driven by a replacement strategy where any physical device or appliance is ported to a virtual machine and consolidated onto shared hardware servers. To respond to this "rush to virtualize," many ADC vendors are reacting with virtual ADC clones that don't take into account their impact to the overall ADN. Most of these pADC virtual clones have either been treated as replacements for the pADC or have provided inferior application delivery features as little more than virtual load balancers. Although collapsing such a critical portion of the data center into shared virtual environments poses challenges, managing the entire application delivery lifecycle through a virtualized environment nonetheless can have major advantages when combined with existing physical ADC deployments.

To achieve the architectural advantages that virtualized applications can bring to the enterprise cloud, the pADC and virtual Application Delivery Controller (vADC) must work together as part of a new, agile Application Delivery Network. The limitations of deploying just one type of ADC will be echoed throughout the enterprise, within the enterprise cloud, and throughout the ADN. Therefore, the greatest benefits can be gained when the vADC becomes an extension of the existing ADN.

How Virtual Editions of BIG-IP Products Extend vADC Functionality

Beginning with F5 BIG-IP Local Traffic Manager (LTM) Virtual Edition (VE), F5 created a full-featured vADC that runs on commodity hardware, yet still provides the same level of application services offered by BIG-IP LTM physical appliances. This parity architecture extends to all virtual editions of BIG-IP products: as F5 continues to release advanced ADC feature modules as BIG-IP virtual products, virtualized application delivery functions can be extended beyond the physical data center into the cloud or other virtualized data centers.

The following advanced ADC feature modules are available as virtual editions of BIG-IP products:

  • BIG-IP Local Traffic Manager (LTM) Virtual Edition (VE): Extend availability and optimization services to any application with this fully virtualized ADC.
  • BIG-IP Global Traffic Manager (GTM) Virtual Edition (VE): Manage global application availability and provide seamless disaster recovery and routing based on quality of service, geographic location, or business criteria.
  • BIG-IP Application Security Manager (ASM) Virtual Edition (VE): Ensure comprehensive protection and security for web applications.
  • BIG-IP Access Policy Manager (APM) for LTM VE: Establish a simplified, single point of control that draws on access policies to provide granular control of users' application access.
  • BIG-IP WAN Optimization Manager (WOM) Virtual Edition (VE): Optimize and secure WAN connectivity between data centers and accelerate application data over long-distance network connections.

Unlike other virtual ADCs, BIG-IP virtual edition instances are neither a replacement for BIG-IP physical appliances nor a partial port to a virtual platform. Rather, virtual editions of BIG-IP products are full-featured virtual versions of BIG-IP systems that run on VMware's advanced virtual server platforms using commodity hardware. BIG-IP virtual edition products take advantage of VMware's sophisticated networking platform and provide the same application delivery features and performance as lower- to mid-level BIG-IP appliances.

While BIG-IP virtual instances can be deployed in a stand-alone architecture, continuing to provide advanced ADC services to the virtualized applications, BIG-IP virtual edition products were not designed to be the sole ADC solution for the virtual data center. Instead, the virtual editions of BIG-IP products were designed to be integrated into every step of the application development and deployment lifecycle. From evaluation through development, from QA testing and staging through production, the virtual editions of BIG-IP products were designed to be available to everyone who touches the application deployment workflow.

The vADC Workflow

Discussions around vADCs often center on how to use them in production and, more specifically, how to replace the physical with the virtual throughout the data center. Typically, however, pADC replacement is not the best option. In fact, in most situations, it's not a good option at all; physical appliances still offer huge benefits for high-end performance and dedicated services. Yet until now, replacement has been the only option available. The virtual editions of BIG-IP products change this model by extending the ADN to include both pADCs and vADCs.

There's no question that a virtualized, production-ready ADC has a place in the data center, but a vADC expands the role of the Application Delivery Controller beyond merely sitting on a physical server in front of virtualized production applications in the data center. BIG-IP virtual edition products introduce an entirely new workflow to customers of the BIG-IP product family, integrating the vADC with the pADC to expand their available features throughout the application deployment lifecycle. This new workflow also helps break down traditional barriers that exist between application, server, and network teams in an organization. By using devices already in the organization's data center, albeit in a virtualized form, with the same configurations and settings, virtual BIG-IP instances provide an opportunity for any group in the enterprise to use, become familiar with, and build application delivery policies for the BIG-IP device during the entire application deployment lifecycle.

Evaluation and Design

Long before applications are accessible to users, they typically go through a long cycle of design, integration, feature validation, and performance testing inside the organization. During this time, application architects figure out:

  • How to use the application throughout the organization.
  • How to integrate it with existing IT applications and systems.
  • How the application will ultimately provide business value.

Unfortunately, application testing and design is often done on an isolated network in a very specific, non-user environment. All too often applications behave completely differently in production simply because they weren't tested or built in the same environment where they're ultimately deployed.

Peripheral technologies (technologies that support the applications through their entire lifecycle), such as an ADC, are also evaluated and designed as part of the application rollout. Testing and evaluating core application networking features, such as managing SSL traffic, during the design phase can be daunting, if not impossible, with traditional physical ADC hardware. Often, the application architects and designers don't have the opportunity to test and design their applications with an ADC in mind. They may, for example, build an application to manage SSL traffic only to later learn that SSL is offloaded by a BIG-IP device.

As portable virtual machines running on any VMware server-based platform, virtual BIG-IP instances can be integrated into application architecture planning and design stages. This gives application architects access to the application tools available in all BIG-IP appliances, such as application acceleration and optimization policies, security policies, and the F5 iRules control language. For example, if a new application needs to be deployed using cookie persistence or SSL offloading, those BIG-IP LTM features can be integrated into the design and development phases long before an application is rolled into production. In this model, BIG-IP virtual edition products can be used as a "pre-development" tool for new applications. Many parts of the organization may not have access to physical BIG-IP hardware during application design and testing, but anyone can download trial versions of virtual BIG-IP instances and deploy them with their application as part of design and testing. This means that designers and integrators can evaluate the interaction between the BIG-IP devices and the new application to assess and maximize the benefits long before application staging and production.

Testing, QA, and Staging

The next stage of an application roll-out is typically testing and QA, running the application through a battery of tests to validate both its features and its load capabilities. Much like the design stage, testing is usually performed in a quarantined part of the network called the staging environment. In a staging environment, however, applications often perform differently than they will in production because they are tested under artificial, simulated circumstances.

One of the limitations of using physical ADCs in the data center is access to those devices during each stage of the application lifecycle. For many organizations, performing development and testing on production pADCs would violate corporate best practices; production gear is too critical for those organizations to risk impacting live applications with test scenarios. The constraints of budget (resulting in an inability to buy pADCs for development and testing) and resource-sharing (reducing access to production hardware for non-production testing) create limitations in the testing environment that in turn impact the quality of testing.

By building BIG-IP virtual edition products into the staging environment during QA testing, IT staff can more accurately measure and size the application for real-world deployment, in essence mirroring the production pADC deployment without impacting production traffic and applications. In addition, SSL offloading can be accurately measured along with application load and features, creating a much more accurate representation of how the application is going to perform once moved into production.

Testing and QA is also the best time to customize BIG-IP application policies. BIG-IP application and policy templates start with customized network delivery configurations for well-known applications such as Microsoft Exchange Server 2010, SAP Dynamics, LDAP, and RADIUS. Using BIG-IP LTM VE, for example, the templates can be further refined to provide a specific delivery environment for the application before it is moved into production. During this time, iRules can be written and tested with the application to measure the effect on both the application and on BIG-IP virtual edition products.

With easy access to a full-featured yet portable BIG-IP virtual platform, everyone involved in the application design and deployment has the opportunity to build ADN features into the application lifecycle from the beginning.

Production

As the application is moved into production, BIG-IP virtual edition products enable the application delivery lifecycle to be completed under two different models. In both, successful production deployments for BIG-IP virtual instances depend on deploying the BIG-IP vADC along with the pADC, either in a stand-alone architecture or as part of a larger enterprise cloud deployment.

  1. Test and development configurations, settings, iRules, and templates for virtual BIG-IP instances can be moved onto physical BIG-IP appliances as new applications are rolled into production. These application-specific configuration changes can be quickly tested and validated to work in a production environment, drastically reducing the time needed to build new production configurations.
  2. In a truly fluid and agile environment, especially one where the new applications are also running on virtual platforms, BIG-IP virtual instances can be bundled with the application and pushed live to production at the same time. This model treats BIG-IP virtual instances as an integral and required part of the application roll-out, pushing the vADC as well as the pre-configured application policy templates (fine-tuned during development, test, and staging) into production together.

The choice of how to mix the vADC and pADC devices in production depends on the type of application, the expected performance levels (both CPU- and network-based) of the application, how the application will be used and accessed, and where the application lives in the data center. With both models, though, BIG-IP virtual edition products allow advanced features of the vADC to be coupled with the application throughout its lifecycle, from design all the way through production.

By incorporating BIG-IP virtual edition products into today's planning for deployments of tomorrow's production applications (whether stand-alone, internal enterprise cloud, or external cloud applications), application architects, designers, and developers can see real-world production scenarios at every step of the application lifecycle.

pADC + vADC: An ADN Architecture Shift

Even though they are relatively new to the market, vADCs have, to date, been single-purpose virtual appliances meant to bring mobility to application delivery by replacing pADCs. In essence, existing vADC options are simply a re-packaging of their pADC "big brothers"; they don't offer new ADN solutions beyond requiring less hardware. The pADC replacement model is not an attractive option in most cases, however, because vADCs aren't able to perform or scale application traffic to the level of pADCs. Often, replacing a tuned physical appliance with a virtualized version of the same appliance on commodity hardware has left application virtualization projects feeling the pinch.

In contrast to the existing model, virtual BIG-IP instances are not intended as straight one-for-one replacements for higher-end, physical BIG-IP appliances. In certain situations, especially with architectures where a virtual BIG-IP instance is intended to be the primary ADC for virtualized mobile applications, a BIG-IP virtual edition product might be the only ADC necessary. For most deployments, however, virtual BIG-IP instances are designed to operate in conjunction with existing physical BIG-IP appliances. A virtual edition of a BIG-IP product is an augmentation of the physical appliance rather than a replacement for it.

Consequently, the choice to deploy a vADC should not be based on how to replace a pADC but rather how to extend the reach of the Application Delivery Network, especially when the vADC is deployed as part of an enterprise cloud. The final decision whether, when, and where to deploy a vADC should be based on the right tool for the job and how it will impact the entire Application Delivery Network.

Physical or Virtual: Which to Choose?

There is currently a perception in the market that choosing between a physical and a virtual ADC comes down to a hard choice: Should IT invest in capital and deploy physical ADC appliances? Or should IT use a software-based vADC? Each solution has merit on its own, but the best choice is a solution that employs both physical appliances and software vADCs. Before making the leap into either solution exclusively, first consider how, where, and why the ADC will be deployed.

What is the final goal of deploying the ADC? Is the business need to provide application access and security to production applications spread between multiple data centers? Or is the business need to provide dedicated and isolated application delivery services to an application service?

Physical ADC: The Gatekeeping Workhorse

When trying to choose between a pADC and vADC, physical locations should always be evaluated first. Where will the ADC be located? A very typical enterprise model is to position the BIG-IP device at the edge of each data center to provide security, optimization, and availability for applications residing in that single data center; BIG-IP Global Traffic Manager (GTM) is then positioned one level above those data centers, providing global application delivery between each data center. In this model, the ADC is a mission-critical component for applications in the data center and is expected to manage large amounts of application connections, data, and bandwidth.

While not a hard and fast rule, it's typically better to deploy physical ADC appliances rather than virtual ADCs in a mission-critical role. Physical BIG-IP products run on purpose-built hardware that's fine-tuned for application delivery, and they are designed to provide the necessary resources for advanced application delivery, such as hardware for SSL acceleration and compression. BIG-IP system hardware also offers dedicated serial failover for high availability, something not typically available to virtual machines running on commodity virtual hardware.

Bandwidth, along with other networking issues such as user connections, session management, transactions per second, and so on, is also a critical consideration when choosing between a pADC and vADC. At the high end, purpose-built F5 BIG-IP hardware is able to scale up to 72GB of sustained L4 and L7 application throughput and manage 200,000 user transactions per second.[1] vADCs are virtual machines running on commodity hardware with commodity network cards and shared network drivers. Any network-based system that moves to a commodity virtualized environment will have to deal with, and compensate for, the additional processing components found in the hypervisor layer. As more sophisticated virtual switching is deployed throughout the virtual infrastructure, managing application traffic that passes through a virtual ADC becomes much more complicated and risky. In situations where "speeds and feeds" are the primary concern, a physical BIG-IP appliance is better suited to manage those large bandwidth and networking requirements.

The Agility of the Virtual ADC

Even though the role of the "application gatekeeper" for the entire data center topology may not be the best use of a vADC, virtual application delivery has a place within the enterprise and beyond. A production-class virtualized ADC is primarily used together with application-specific services and other virtualized workloads.

For example, a pool of virtual web servers running SharePoint might already be clustered together on a virtual server. Adding a vADC to this pool of web services makes bundling that application service together more portable and agile. In this case IT might deploy BIG-IP LTM VE, which includes the SharePoint application template and a series of pre-configured application settings that are customized for SharePoint. This particular instance of BIG-IP LTM VE does not need to manage traffic for other applications, such as Microsoft Exchange or Oracle applications; those virtualized application services would be bundled with their own BIG-IP LTM VE instances running the application templates appropriate for each specific application. Each vADC can host a specific application template as part of the entire application service bundle.

As these application bundles move around or between data centers or even out to an external cloud provider, BIG-IP LTM VE moves with the applications, providing a constant level of optimization, security, and availability for those applications. This model will become a requirement as application SLAs are built in one location with the virtualized applications in another. With BIG-IP LTM VE, the application SLA policy can be created in a controlled environment. As the application moves, that application SLA policy accompanies the application wherever it goes.

The Best of All Worlds

Although each type of ADC is oriented toward different, specific functions in the data center, true flexibility and agility comes from using virtual BIG-IP instances together with a physical BIG-IP appliance. Most production enterprise data centers are broken into two or more segments, with each segment housing a particular application function. For example, many sites have a DMZ to segment public connections from the back-end infrastructure. A pADC can be placed at the edge of the data center in front of the DMZ to handle all application traffic, while multiple vADC instances can reside inside the DMZ perimeter. The vADCs are an extension of the entire ADN, providing isolated services, security, and policy management for specific application traffic. As services move in and out of the DMZ (for example, from staging to production), a new application's vADC application settings, iRules, and configuration changes can be pushed live onto the pADC for that new public application.

Maximum Agility for Cloud-Based ADNs

There is a very specific implementation where fully virtualized ADCs become a viable solution: when building a complete ADN off-premise in a cloud network or as part of a cloud/hosting hybrid provider network. In this scenario, it becomes advantageous to build a complete software Application Delivery Network. Not only does a cloud architecture typically necessitate the use of virtual appliances (by design, the cloud infrastructure should be as agile and dynamic as the applications it's supporting), but this virtual model also allows the cloud provider to give the enterprise customer complete control over the entire application delivery chain.

An enterprise can use all BIG-IP virtual edition products as part of a cloud-based application delivery infrastructure. BIG-IP GTM VE provides availability and global DNS services between cloud locations, between multiple cloud providers, or most beneficial, as the delivery engine controlling a hybrid cloud architecture between the on-premise data center and off-premise cloud provider. Inside the customer's cloud network, BIG-IP LTM VE provides local availability and optimization for applications that are running within the cloud infrastructure. As new applications are rolled out and retired to meet business demands, BIG-IP LTM VE will provide load balancing services for these new applications. BIG-IP APM for LTM VE and BIG-IP ASM VE provide localized application security services by managing authorized user access to each application and providing application-layer security throughout the cloud infrastructure. Finally, BIG-IP WOM VE provides symmetric optimization between cloud locations and providers or between the on-premise and off-premise data center.

Conclusion

To be a successful part of the enterprise IT data center, a vADC must be designed to work with existing virtual platforms, applications, and tools, and it must also be able to integrate into the larger Application Delivery Network. It's not enough for a vADC to be a software clone of the pADC, and vADCs are not designed to be swap-out replacements for physical ADCs. Instead, vADCs are meant to be an extension of the entire Application Delivery Network, and they should provide new models for building a more dynamic ADC infrastructure.

As customers begin to integrate the ADN with their enterprise cloud deployments, vADCs appear to be the obvious first choice for providing mobility to application networking traffic by replacing every physical ADC with a virtualized clone. Physical appliances will never meet the mobility requirements of applications moving off of physical devices onto virtual platforms, in and out and around the enterprise cloud. Likewise, virtual ADCs are not designed to be the single managers of mission-critical application traffic. Together, the vADC and pADC bring the best of all worlds to the ADN. Rather than replacing the ADN infrastructure with virtual clones, BIG-IP virtual edition products should be added as part of a holistic application delivery solution, working for and in concert with existing BIG-IP pADC appliances.

When working together as part of a complete virtual ADN and enterprise cloud solution, vADCs and pADCs can co-exist and extend the Application Delivery Network to offer services for dynamic applications and environments, while also taking responsibility for high availability, disaster recovery, and geographically dispersed data centers. BIG-IP virtual edition products create new models for application delivery, extending the reach of the ADN to every part of the data center, even when that reach encompasses external data centers such as public clouds. As IT continues to evolve and move toward a more agile enterprise cloud model, virtual BIG-IP instances will play a more critical role in application delivery. Individually, the pADC and vADC each have merit, but it's only when they're working as one unified solution that enterprise IT can have a truly agile application delivery network, covering any type of application deployment needed. Implementation of BIG-IP virtual edition products is a necessary step in changing the ADN architecture, unifying the physical and virtual environments, from user access over the virtualized network through the virtualized application servers. BIG-IP virtual edition products change the way IT delivers applications.

[1] Performance data based on an F5 VIPRION configured with four PB200 performance blades.