1. Home
  2. Knowledge Base
  3. Howto's
  4. SSL hardware offloading in physical and virtual SKUDONET load balancers

SSL hardware offloading in physical and virtual SKUDONET load balancers


Hardware Offloading is used to delegate highly loaded computing tasks to a dedicated hardware resource directly, rather than a software process to increase performance and to free generic computing resources. Enabling hardware offload optimizations in SKUDONET solutions brings improved performance, throughput, lower CPU load and freeing more resources for other tasks.

It is well known that secure communications are a must. However, it is well known as well that managing encrypted transmissions is a heavy burden for common computing systems. Because of this, many vendors have been offering for years SSL offloading solutions and some organizations have developed dedicated hardware solutions to perform SSL offloading tasks.

More recently, some hardware manufacturers have decided to extend their micro-processor platforms to embed hardware capable of managing SSL traffic efficiently. An example of this is AES technology, later improved with The Advanced Encryption Standard Instruction Set (AES-NI). AES-NI is an extension to the x86 architecture for microprocessors from Intel and AMD. The purpose of AES-NI is to improve the speed of applications performing encryption and decryption using the Advanced Encryption Standard (AES) like the AES-128 and AES-256 ciphers. AES-NI was designed to provide 4x to 8x speed improvements when using AES ciphers for bulk data encryption and decryption. Today AES-NI instruction is embedded in the majority of Intel and AMD microprocessors in the market.

SKUDONET 5.1 can check whether the main host CPU supports the AES-NI instruction set and offers the user the possibility of leveraging SSL hardware acceleration for HTTPS communications. The most interesting aspect of this feature is that AES-NI can be used in SKUDONET physical as well as Virtual Load Balancers running on top of common hypervisors in the market (Vmware, KVM, Xen or HyperV).

How does HTTPS Offloading work in SKUDONET physical or virtual appliances?

The client requests to open an HTTPS connection to the SKUDONET Load Balancer Appliance. HTTPS profile inside the LSLB (Local Service Load Balancing) core generates the HTTPS tunnel between the SKUDONET Server and the Client. The SSL operations are sent to the CPU AES-NI hardware to manage all encryption/decryption operations directly in hardware for the HTTPS traffic between the client and SKUDONET. Finally, the SKUDONET Server will forward the traffic to the Backend servers.

SSL Hardware offloading flow

Hardware offloading flow for SKUDONET Load Balancer

How to use it

Firstly, please ensure to update to SKUDONET EE 5.1 or a greater release. In addition, check if your hardware supports AES-NI and enable it by applying the following steps:

Go to the SKUDONET Web Panel and create a new LSLB Farm with an HTTP profile as follows:

HTTP Farm Creation for SSL Offloading

Once the new LSLB farm with an HTTP profile is created, edit the created farm and select the HTTPS option of the Listener field. New configurable parameters will be shown. At this point, the SKUDONET Load Balancer system will check AES support in CPU hardware. If supported, the SSL offloading feature will be available in the list of Ciphers as shown below.

SSL Offloading enabled

Select here the option SSL offloading and save changes.

This will send all HTTPS traffic managed by this farm to be processed by the AES-NI instruction set of the CPU hardware.

Benchmark numbers

SKUDONET Load Balancer can manage about 72k SSL connections per second with SSL offloading enabled in an Intel® CoreTM i5-6500, Base Frequency 3.20 GHz with 4 cores.
SKUDONET Load Balancer can manage about 93k SSL connections per second with SSL offloading enabled in an Intel® Xeon E3-1245 v5, Base Frequency 3.5 GHz with 2 x 4 cores.

Was this article helpful?

Related Articles

Download Skudonet ADC Load Balancer
Community Edition

Source Code

A versatile and installable ADC system designed for diverse vendor hardware.


Installable ISO 

Load Balancing as a Service alongside an ADC orchestration toolkit.

Download Community Edition

Download Community Edition

“We manage the information you provide with the sole aim of assisting with your requests or queries in regards to our products or services; applying the computer and security procedures to ensure its protection. Your data can be rectified or removed upon request but won’t be offered to any third parties, unless we are legally required to do so.” Responsible: SKUDONET SL - info@skudonet.com