Glossary

Celestix EdgeNexus

Glossary and FAQ of Load Balancing Terminology

  • What is a Load Balancer?

    A load balancer is a network appliance responsible for the effective distribution of incoming network traffic across multiple backend servers in order to guarantee always-available application services. Load balancers can be deployed as software appliances, hardware appliances or even as a service. A load balancer allows you to optimise server utilisation and remove single points of failure in application delivery to guarantee the following: 

    Resilience – A load balancer allows you to run multiple application servers to fulfil the same role. In the event of a server failure, the load balancer will detect this and redirect traffic to the remaining online, healthy servers. This ensures high availability and reliability for applications. 

    Scalability – Load balancers allow you to seamlessly scale services without impacting performance. By simply adding more servers behind the load balancer for distribution, you introduce the ability to adapt to an increase in load. 

    Capacity – To increase capacity, simply add more servers behind the load balancer. (OK, it’s not normally as easy as that, because you’ll probably have databases and other app servers to consider, but you get the idea.)

  • How Does a Load Balancer Work?

    Load balancers distribute application traffic according to one of many load balancing strategies, sometimes called load balancing policies. To determine whether a backend server is online and healthy, a load balancer uses backend server monitoring and server health checking. The principles of load balancing have been around for many years, but these devices have evolved significantly from the basic layer4 device to much more sophisticated layer7 Application Delivery Controllers, or ADCs as Gartner refers to them. ADCs offer many additional key features, including security and traffic management.

  • What is Persistence and Why do you Need it with Server Load Balancing?

    Persistence is a feature that is required by many web applications and websites. Once a user has interacted with a particular server, all subsequent requests are sent to the same server thus ‘persisting’ to that particular server. Session persistence ensures a continuity of service and seamless end user experience and is often a requirement of ecommerce applications whose session state is stored on the local web server as opposed to a shared database. Persistence can come in many forms… 

    Load Balancer Cookie: The load balancer will set a cookie at the client and use this to identify the backend server to be used for this user. 

    Application Session Cookies: Many application servers already set their own session ID, such as the JSP session cookie or the ASP.NET one. You can configure the load balancer to use these.

    IP Based: Uses the Client IP address to persist. This method works for layer4 and layer7.

    SSL Session: Uses the SSL session ID. This is not very common, as the session ID can change, in which case persistence is lost.

    RDP Session Cookie: Used for RDP connections.
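    The load balancer cookie and IP-based methods above, combined with health-aware failover, as an added example (not EdgeNexus code). The backend names, the key and the HMAC signing of the cookie are assumptions made here; signing is a hardening choice so that a client cannot pick its own backend by editing the cookie.

```python
import hashlib
import hmac

# Constructed values: backend names and the signing key are assumptions.
BACKENDS = ["app1", "app2", "app3"]
COOKIE_KEY = b"example-key-not-for-production"


def sign(backend):
    """Cookie value: backend id plus a truncated HMAC so it cannot be forged."""
    tag = hmac.new(COOKIE_KEY, backend.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{backend}.{tag}"


def verify(cookie):
    """Return the backend named in a validly signed cookie, else None."""
    if not cookie or "." not in cookie:
        return None
    backend, _, tag = cookie.rpartition(".")
    expected = sign(backend).rpartition(".")[2]
    if backend in BACKENDS and hmac.compare_digest(tag.encode(), expected.encode()):
        return backend
    return None


def ip_hash(client_ip, healthy):
    """IP-based persistence: the same client address maps to the same server."""
    digest = hashlib.sha256(client_ip.encode()).digest()
    return healthy[int.from_bytes(digest[:4], "big") % len(healthy)]


def route(client_ip, cookie, health):
    """Pick a backend; return (backend, cookie_to_set or None)."""
    healthy = [b for b in BACKENDS if health.get(b)]
    if not healthy:
        raise RuntimeError("no healthy backend available")
    pinned = verify(cookie)
    if pinned in healthy:
        return pinned, None          # persistence holds, nothing to set
    chosen = ip_hash(client_ip, healthy)
    return chosen, sign(chosen)      # first visit, bad cookie, or failed server
```

    When the pinned server fails its health check, the client is moved to a healthy server and issued a fresh cookie, so any session state held only on the failed server is lost.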

  • What’s an Application Delivery Controller (ADC)?

    This is a term used to describe an advanced load balancer. Most load balancers are now layer7 appliances, situated in a privileged position between the application and its clients. With visibility of all the traffic, the load balancer can perform a number of functions above and beyond simple load balancing and server redundancy. Load balancing is one of a number of features of an ADC, which include:

    • Layer7 traffic management
    • Application acceleration
    • Content caching
    • Application firewall
    • Connection pooling and limiting
    • Pre-authentication and single sign-on
    • Proxying

  • What’s the Difference Between Layer4 and Layer7 Load Balancing?

    The terms layer4 and layer7 refer to the protocol layers at which a load balancer operates within the OSI networking model. Layer4 load balancers operate at the transport layer, whilst layer7 load balancers operate at the application protocol level, affording them greater visibility and understanding of the application traffic they are processing. This enables advanced functionality and optimisation features including intelligent traffic management, content caching, security and compression. Layer4 load balancers are still available, although their market share has been reducing significantly as layer7 advanced load balancers and ADCs become more powerful and cost effective.

  • What is SSL and HTTPS?

    SSL (Secure Sockets Layer) is used to describe the process of encrypting the connection, typically using a private certificate. HTTPS is HTTP run over an encrypted SSL connection. SSL can be a very CPU-intensive operation, reducing the speed and capacity of the web server. Offloading SSL termination to a load balancer allows you to centrally manage your certificates and frees up your servers to focus on delivering the application rather than decrypting SSL.

  • What is a WAF (Web Application Firewall)?

    A WAF, or Web Application Firewall, is a security device designed specifically to mitigate threats at the application layer, i.e. layer7. More specifically, a Web Application Firewall is designed to work with the HTTP and HTTPS protocols. It works in conjunction with a standard network firewall, which typically blocks ports. For an application to offer a public service, certain ports (such as 80 and 443 for a typical HTTP/HTTPS web app) have to be open. Hackers exploit these open ports, exposing the need for an additional, new layer of protection. That is where an Application Firewall or WAF comes into play. A Web Application Firewall will look at the HTTP requests and responses to work out whether they are valid or not. Some requests may be valid for one site or page but not another, so in many cases Application Firewalls may need more configuration. PCI DSS requires an Application Firewall to block some standard threats, in accordance with the OWASP published top 10 threats.
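    The point that a request can be valid for one page but not another, as an added example (not EdgeNexus code or any product's rule syntax). It is a minimal per-page allowlist check; the paths, methods and parameter patterns are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed per-page policy: paths, methods and patterns are assumptions.
POLICY = {
    "/search": {
        "methods": {"GET"},
        "params": {"q": re.compile(r"[\w \-]{1,64}")},
    },
    "/account/update": {
        "methods": {"POST"},
        "params": {
            "email": re.compile(r"[^@\s]{1,64}@[\w.\-]{1,255}"),
            "display_name": re.compile(r"[\w \-']{1,40}"),
        },
    },
}


def inspect(method, url, body=""):
    """Return (allowed, reason) for one request against the per-page policy."""
    parts = urlsplit(url)
    rule = POLICY.get(parts.path)
    if rule is None:
        return False, "path not in policy"
    if method not in rule["methods"]:
        return False, "method not allowed for this page"
    # Query-string parameters always count; form body only for POST.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if method == "POST":
        pairs += parse_qsl(body, keep_blank_values=True)
    for name, value in pairs:
        pattern = rule["params"].get(name)
        if pattern is None:
            return False, f"unexpected parameter {name!r}"
        if not pattern.fullmatch(value):
            return False, f"parameter {name!r} failed validation"
    return True, "ok"
```

    Here `display_name` is accepted on `/account/update` but rejected on `/search`, which is why each protected application needs its own policy rather than one global rule set.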