SSL hardware offloading in physical and virtual Zevenet load balancers

POSTED ON 22 November, 2017


Hardware offloading delegates computationally heavy tasks directly to a dedicated hardware resource rather than to a software process, in order to increase performance and free up generic computing resources. Enabling hardware offload optimizations in Zevenet solutions brings improved performance and throughput, lower CPU load and more resources available for other tasks.

It is well known that secure communications are a must. It is equally well known that handling encrypted transmissions is a heavy burden for common computing systems. Because of this, many vendors have offered SSL offloading solutions for years, and some organizations have developed dedicated hardware to perform SSL offloading tasks.

More recently, some hardware manufacturers have extended their microprocessor platforms to embed hardware capable of handling SSL traffic efficiently. An example of this is hardware support for AES, later improved with the Advanced Encryption Standard New Instructions (AES-NI). AES-NI is an extension to the x86 architecture for microprocessors from Intel and AMD. Its purpose is to improve the speed of applications performing encryption and decryption with the Advanced Encryption Standard (AES), such as the AES-128 and AES-256 ciphers. AES-NI was designed to provide 4x to 8x speed improvements when using AES ciphers for bulk data encryption and decryption. Today the AES-NI instructions are embedded in the majority of Intel and AMD microprocessors on the market.

Zevenet 5.1 is able to check whether the host CPU supports the AES-NI instruction set and, if so, lets the user enable SSL hardware acceleration for HTTPS communications. The most interesting aspect of this feature is that AES-NI can be used in Zevenet physical appliances as well as in Zevenet Virtual Load Balancers running on top of the common hypervisors on the market (VMware, KVM, Xen or Hyper-V).

How does HTTPS Offloading work in Zevenet physical or virtual appliance?

The client requests an HTTPS connection to the Zevenet Load Balancer Appliance. The HTTPS profile inside the LSLB (Local Service Load Balancing) core establishes the HTTPS tunnel between the Zevenet server and the client. The encryption and decryption of the HTTPS traffic between the client and Zevenet is then carried out directly by the CPU's AES-NI instructions. Finally, the Zevenet server forwards the traffic to the backend servers.

[Figure: Hardware offloading flow for Zevenet Load Balancer]

How to use it

First, make sure you are running Zevenet EE 5.1 or a later release. Then check whether your hardware supports AES-NI and enable the feature by following these steps:

Go to the Zevenet Web Panel and create a new LSLB Farm with HTTP profile as follows:

[Figure: HTTP farm creation for SSL offloading]

Once the new LSLB farm with HTTP profile is created, edit the farm and select the HTTPS option in the Listener field. New configurable parameters will be shown. At this point the Zevenet Load Balancer checks for AES support in the CPU hardware. If it is supported, the SSL offloading option will be available in the list of Ciphers, as shown below.

[Figure: SSL offloading option enabled in the Ciphers list]

Select the SSL offloading option and save the changes.

From then on, all HTTPS traffic handled by this farm is encrypted and decrypted using the AES-NI instruction set of the CPU hardware.
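Before enabling the option, it is worth confirming from the appliance shell that the CPU (or, for a virtual appliance, the vCPU the hypervisor presents) really exposes AES-NI, and measuring what it buys. The following script is an added example and not Zevenet's own tooling; it assumes a Linux host with /proc/cpuinfo and, for the benchmark, an openssl binary. The cpuinfo snippet it ships with is constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of Zevenet): check AES-NI exposure before enabling
# SSL offloading, and compare OpenSSL throughput with and without it.
# Assumptions: Linux /proc/cpuinfo layout, openssl present for the benchmark.

# cpu_has_aesni FILE
# Returns 0 when the cpuinfo text in FILE lists the "aes" CPU flag, 1 otherwise.
# The flag must appear as a separate word so that e.g. "vaes" does not match.
# On a VM the flag only shows up if the hypervisor passes it through to the guest.
cpu_has_aesni() {
    grep -qE '^flags[[:space:]]*:.*[[:space:]]aes([[:space:]]|$)' "$1"
}

# aesni_status FILE
# Prints "aesni" when the CPU described in FILE can offload AES, "software" otherwise.
aesni_status() {
    if cpu_has_aesni "$1"; then echo aesni; else echo software; fi
}

# openssl_aes_gcm_speed
# Prints the throughput column(s) of an AES-128-GCM benchmark. Run it twice:
# once as-is, once with OPENSSL_ia32cap='~0x200000000000000' in the environment,
# which masks CPUID.1:ECX bit 25 (AES-NI) and forces OpenSSL's software AES path.
openssl_aes_gcm_speed() {
    openssl speed -evp aes-128-gcm 2>/dev/null | awk '/^aes-128-gcm/ {print}'
}

# Constructed sample (not captured from a real host): one cpuinfo record with
# the aes flag, to show the check on known input.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
processor	: 0
model name	: Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz
flags		: fpu vme de pse tsc msr pae mce cx8 sse sse2 ssse3 sse4_1 sse4_2 aes avx avx2
EOF
echo "constructed sample: $(aesni_status "$SAMPLE")"
rm -f "$SAMPLE"

# Check the machine the script actually runs on, then benchmark if openssl exists.
if [ -r /proc/cpuinfo ]; then
    echo "this host: $(aesni_status /proc/cpuinfo)"
fi
if command -v openssl >/dev/null 2>&1; then
    echo "AES-128-GCM with CPU features as detected:"
    openssl_aes_gcm_speed
    echo "AES-128-GCM with AES-NI masked out (software AES):"
    OPENSSL_ia32cap='~0x200000000000000' openssl_aes_gcm_speed
fi
```

If the host line reports "software" on a virtual appliance, the fix is on the hypervisor side (expose the host CPU model or the aes feature to the guest), not in Zevenet; until the flag is visible, the SSL offloading cipher option described above will not be offered.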

Benchmark numbers

Zevenet Load Balancer is able to manage about 72k SSL connections per second with SSL offloading enabled on an Intel® Core™ i5-6500, base frequency 3.20 GHz, 4 cores.
Zevenet Load Balancer is able to manage about 93k SSL connections per second with SSL offloading enabled on an Intel® Xeon E3-1245 v5, base frequency 3.5 GHz, 2 x 4 cores.

Documentation under the terms of the GNU Free Documentation License.
