Hardware offloading delegates heavily loaded computing tasks directly to a dedicated hardware resource rather than to a software process, which increases performance and frees generic computing resources. Enabling hardware offload optimizations in SKUDONET solutions improves performance and throughput, lowers CPU load and frees more resources for other tasks.
Secure communications are a must. However, managing encrypted transmissions is a heavy burden for common computing systems. Because of this, many vendors have offered SSL offloading solutions for years, and some organizations have developed dedicated hardware to perform SSL offloading tasks.
More recently, some hardware manufacturers have extended their microprocessor platforms with embedded hardware capable of managing SSL traffic efficiently. An example of this is AES technology, later improved with the Advanced Encryption Standard Instruction Set (AES-NI). AES-NI is an extension to the x86 architecture for microprocessors from Intel and AMD. Its purpose is to improve the speed of applications that encrypt and decrypt using the Advanced Encryption Standard (AES), such as the AES-128 and AES-256 ciphers. AES-NI was designed to provide 4x to 8x speed improvements when using AES ciphers for bulk data encryption and decryption. Today the AES-NI instruction set is embedded in the majority of Intel and AMD microprocessors on the market.
SKUDONET 5.1 can check whether the main host CPU supports the AES-NI instruction set and offers the user the option of using SSL hardware acceleration for HTTPS communications. The most interesting aspect of this feature is that AES-NI can be used in SKUDONET physical appliances as well as in Virtual Load Balancers running on top of the common hypervisors on the market (VMware, KVM, Xen or Hyper-V).
How does HTTPS Offloading work in SKUDONET physical or virtual appliances?
The client requests an HTTPS connection to the SKUDONET Load Balancer Appliance. The HTTPS profile inside the LSLB (Local Service Load Balancing) core establishes the HTTPS tunnel between the SKUDONET server and the client. The SSL operations are sent to the CPU's AES-NI hardware, which handles all encryption and decryption for the HTTPS traffic between the client and SKUDONET directly in hardware. Finally, the SKUDONET server forwards the traffic to the backend servers.
How to use it
First, make sure to update to SKUDONET EE 5.1 or a later release. Then check whether your hardware supports AES-NI and enable it with the following steps:
Go to the SKUDONET Web Panel and create a new LSLB Farm with an HTTP profile as follows:
Once the new LSLB farm with an HTTP profile is created, edit the created farm and select the HTTPS option of the Listener field. New configurable parameters will be shown. At this point, the SKUDONET Load Balancer system will check AES support in CPU hardware. If supported, the SSL offloading feature will be available in the list of Ciphers as shown below.
Select the SSL offloading option here and save the changes.
This will send all HTTPS traffic managed by this farm to be processed by the AES-NI instruction set of the CPU hardware.
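When the SSL offloading option does not appear in the cipher list, especially on a virtual appliance, it helps to confirm what the guest operating system actually sees. The script below is an added example, not SKUDONET's own check: it assumes a Linux x86 system where `/proc/cpuinfo` names the flag `aes`, and the function name `aesni_status` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify AES-NI visibility from /proc/cpuinfo-style text.
# Assumes Linux on x86, where the CPU flag is named "aes".
# aesni_status FILE prints one of:
#   available - every logical CPU lists the "aes" flag
#   partial   - only some logical CPUs list it
#   masked    - no "aes" flag but the "hypervisor" flag is set, so the guest
#               CPU model may be hiding it (a hint to check the VM settings)
#   absent    - no "aes" flag and no hypervisor flag
#   unknown   - no "flags" lines found (not x86 Linux cpuinfo)
aesni_status() {
    awk -F: '
        /^flags[ \t]*:/ {
            cpus++
            n = split($2, f, " ")
            has_aes = 0
            for (i = 1; i <= n; i++) {
                if (f[i] == "aes") has_aes = 1      # exact match, not "vaes"
                if (f[i] == "hypervisor") hv = 1
            }
            aes += has_aes
        }
        END {
            if (cpus == 0)        print "unknown"
            else if (aes == cpus) print "available"
            else if (aes > 0)     print "partial"
            else if (hv)          print "masked"
            else                  print "absent"
        }' "$1"
}

# Constructed samples (not captured from a real appliance).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
printf 'processor\t: 0\nflags\t\t: fpu sse2 aes avx\n' > "$sample_dir/baremetal"
printf 'processor\t: 0\nflags\t\t: fpu sse2 hypervisor\nprocessor\t: 1\nflags\t\t: fpu sse2 hypervisor\n' > "$sample_dir/guest_masked"

for f in "$sample_dir"/*; do
    echo "$(basename "$f"): $(aesni_status "$f")"
done

# On the appliance itself:
if [ -r /proc/cpuinfo ]; then
    echo "this host: $(aesni_status /proc/cpuinfo)"
fi
```

A `masked` result on a guest usually means the virtual CPU model configured in the hypervisor does not pass the host's AES-NI capability through to the guest.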
SKUDONET Load Balancer can manage about 72k SSL connections per second with SSL offloading enabled in an Intel® Core™ i5-6500, Base Frequency 3.20 GHz with 4 cores.
SKUDONET Load Balancer can manage about 93k SSL connections per second with SSL offloading enabled in an Intel® Xeon E3-1245 v5, Base Frequency 3.5 GHz with 2 x 4 cores.