Getting started with inbound traffic management

Inbound traffic on a Firewall can be managed with a Server Pool.

What inbound traffic management does

Server Pools primarily provide load balancing and High Availability for two or more servers that offer the same service to users. Server Pools also control which NetLink incoming traffic uses. Inbound traffic management can:
  • load-balance incoming traffic between several servers to even out their workload
  • monitor the server’s status so that the traffic is not directed at unavailable or overloaded servers (optional Monitoring Agents can be installed on each server)
  • send dynamic DNS (DDNS) updates to a DNS server to prevent incoming traffic from attempting to use a non-functioning NetLink in a Multi-Link configuration (with or without using the other features of Server Pools).

Limitations

  • DDNS updates have no access control, so the communications must be secured in other ways.
  • Standby servers cannot be defined for a Server Pool. Only load balancing between the servers in the Server Pool is supported.
  • Only TCP and UDP protocols are supported for Server Pools.
  • Source address translation is not supported for Server Pools.
  • Server Pools are only supported for IPv4 traffic.

What do I need to know before I begin?

It is recommended that each Server Pool offers one type of service. If the servers provide several services (for example, HTTP and HTTPS), create a separate Server Pool for each service.

Server Pools

Figure: How Server Pools and related elements are used together



Host elements represent your servers in the SMC. One or more Host elements are added as Server Pool members to a Server Pool element. The Server Pool element must be used in an IPv4 Access rule in the Firewall Policy for incoming traffic to be routed to the pool members. There can be several Server Pools for different services. The Access rules define which traffic is directed to which pool.

The Server Pool is a built-in load balancer in the Firewall that can be used for distributing incoming traffic between a group of servers to balance the load efficiently and to ensure that services remain available even when a server in the pool fails. The Server Pool has a single external IP address that the clients can connect to. The Firewall uses NAT to distribute the incoming traffic to the different servers.

The server load is distributed to the Server Pool members based on each server’s availability. Monitoring Agents installed on each server can be used to monitor server availability and load balancing. Alternatively, the server availability can be checked by periodically sending simple ICMP Echo Requests (ping) or by periodically sending TCP strings to check that the expected response is returned. The ping test only checks the server’s connectivity, the TCP test checks that specific services are available, and the Monitoring Agents provide additional information about the server’s load and functioning.

If the tests or the Monitoring Agent report a server failure, the server is removed from the Server Pool and the connections are distributed to the remaining servers. When a server is removed from the Server Pool, traffic from existing connections can still be sent to the server (since in typical use scenarios the other servers would not be able to handle them in any case) without sending new connections to the failed member. With Monitoring Agents, the server can be completely excluded from handling traffic.

When a previously unavailable server comes back online, existing connections are not redistributed, but some of the new connections that are opened are again directed to the server that rejoins the pool.

Additionally, Multi-Link can be used with Server Pools to provide the connecting clients access to the Server Pool through multiple Internet connections, increasing Server Pool availability.