By Mohammed AbuKhater, Vice President Sales META, F5
The impact of coronavirus (COVID-19) on organizations around the world has been significant, altering day-to-day life for millions of people. Each one of us is grappling with challenging personal issues, all the while trying to do the right thing for our businesses, our co-workers, and our customers. If you’re an IT professional, you are also likely on the front lines of a host of new business continuity challenges. You need to respond quickly to unprecedented changes in work schedules, remote access to applications, and spikes in networking and data demands. Any of these can result in sluggish application health and performance due to over-taxed resources—affecting your ability to serve customers as they adapt to COVID-19.
Apart from scaling your remote access, F5 has several recommendations that can help with diminished application availability and performance.
1. Relieve App Servers from Encryption Congestion
Most Internet traffic is now encrypted. While this may not have been an issue before COVID-19, the anticipated higher traffic load may put a strain on your back-end servers due to the additional processing. With BIG-IP Local Traffic Manager (LTM) in front of your web applications, you can use available SSL offload capabilities. So, if your security posture allows it, we recommend that you transfer the SSL load to your BIG-IP LTM and relieve your back-end servers. This should help improve app availability and user experience.
2. Improve App Performance with Traffic Optimizations
Several optimizations that are standard BIG-IP LTM capabilities can be made to more efficiently use resources. These include the following:
- OneConnect is a feature that relieves the overhead of TCP connection setup to the servers by taking TCP connections from many clients while establishing only one connection to the back-end servers. Some servers may use the incoming IP address to perform functions like targeted advertising. In the OneConnect model, this information can be preserved in the HTTP headers by using a header called X-Forwarded-For.
- Compression can be enabled to speed up the client experience from BIG-IP LTM to the client. Because the compression reduces the data downloaded by clients, adding compression profiles on your BIG-IP devices can help improve performance.
- Caching is another way of relieving server load, by only requesting content that is known to change, while caching the rest and delivering it to the client upon request from a BIG-IP appliance. This feature is highly configurable.
- HTTP/2 can be used to improve performance by using fewer TCP connections similar to OneConnect. This may be an opportune time to look to implement HTTP/2. HTTP/2 is supported both client-side and server-side.
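Once connections are pooled as described in the OneConnect item, the back end sees the proxy's address on every connection and must take the client address from X-Forwarded-For. The following is an added example, not F5 or original-article code, of a back-end helper that accepts the header only from the proxy and reads it from the right; the `TRUSTED_PROXIES` range and all sample addresses are constructed, and it assumes the proxy appends the connecting client's address as the last entry.

```python
import ipaddress

# Assumption (constructed value): the proxy's self IPs as seen by the back end.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _is_trusted(addr):
    """True if addr belongs to one of our own proxies."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, xff_header):
    """Return the client address a back-end server should log or act on.

    peer_ip:    source address of the TCP connection (the proxy, when the
                request arrived through it).
    xff_header: raw X-Forwarded-For value, or None if the header is absent.
    """
    peer = ipaddress.ip_address(peer_ip)
    # A header sent by anything other than our proxy is client-controlled
    # input, so it is ignored and the connection's own address is used.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    # Read right to left: the rightmost entries were written by our own
    # proxies, so the first non-proxy address is the client the proxy saw.
    # Entries further left were supplied by the client and prove nothing.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry in the trusted part of the chain: fall back.
            return str(peer)
        if not _is_trusted(addr):
            return str(addr)
    # Every hop was one of our proxies; nothing better than the peer.
    return str(peer)
```

Use the returned value, not the leftmost header entry, for rate limiting, geolocation and audit logs.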
3. Right-Size Your Performance Bandwidth for Existing BIG-IP VE Instances
To manage the increased bandwidth to your apps, we recommend validating that you have the right BIG-IP Virtual Edition (VE) performance option in place (as BIG-IP VE instances can range from 25M to over 100G in throughput). Confirm that the VE license you have, whether running in a public or private cloud environment, allows for the traffic you are now observing.
The steps to upgrade your license—say from a BIG-IP LTM 25M to 200M, or 200M to 1G—are simple.
- First: Obtain a throughput upgrade add-on registration key or a new base registration key from your F5 account manager.
- Second: Input that information into the BIG-IP GUI.
Be aware that traffic processing is briefly interrupted while the BIG-IP system reloads the configuration. Make sure that the compute instance size and adapter you’re using meet your needs. BIG-IP LTM can be scaled to 100G and more, but it will need appropriate compute resources to do so.
4. Optimize Traffic Load Across Global Sites
The COVID-19 pandemic is impacting locations around the world in different ways and at different times, so it’s understandable that localized traffic patterns are uneven. There may be breaking news in certain “hot spots” that causes ripple effects with websites getting overloaded. But if you have multiple hosting locations, you can consider changing the GSLB rules to favor a site in a more distant location that has less stressed servers. This may yield better results more quickly and easily than expanding capacity in one location.
Since VPN traffic is typically routed through centralized IT resources, customers can have fine-grained control over where to send their clients with BIG-IP DNS as well as the most integrated monitoring solution. In addition, BIG-IP DNS can be set up to reroute traffic dynamically to a public cloud environment such as AWS with elastic resources based on capacity or pool member health thresholds. You can redirect traffic loads and set up autoscaling for additional capacity before customers or users start to see performance problems.
5. Add Visibility and Analytics to your Existing Environment to Understand Performance Bottlenecks
If you start to get calls about “slow applications,” you will need to be able to respond and pinpoint application vs. network latency issues. Having deep visibility and analytics will help you get answers faster. So you may want to familiarize yourself with BIG-IQ Centralized Management, which allows you to assess and manage the performance and health of your BIG-IP estate and supported applications wherever deployed. From a single unified GUI—accessible from anywhere—users can troubleshoot issues, investigate security incidents, and control remote access policies and permissions. With the exponential increase in new remote workers, having greater visibility into application security will save you time in assessing how your defenses are holding up.
6. Make Sure Your ISP Speeds Meet Your Needs
This may seem obvious, but make sure your ISP speeds meet your needs. Remember that if you host remote access or your web servers on-premises and you are using your main Internet connection for both Internet access and hosting, ISP speeds can be asymmetric. You may now require higher inbound speeds.
In addition, you should validate whether you have enough upstream and downstream bandwidth to cope with a higher number of concurrent VPN users. Often an organization’s security policies mandate that when remote users are on the corporate VPN, all traffic, including Internet traffic, goes through the organization’s IT resources for policy enforcement. So again, contact your ISP or consider adapting your VPN security policy in the short-term.
Needless to say, these are challenging times. We hope that these recommendations help you to address the needs of your users and customers.