infoTECH Feature

August 14, 2013

Effective WAN Clustering Relies on High-Quality VPNs

WAN clustering, also called geoclustering or remote clustering, is a network architecture through which multiple servers and other computing resources housed in different geographical locations form what appears to the user to be a single, highly-available network.

The goals of WAN clustering include maximizing employee productivity by ensuring information assets are available anytime, anywhere. It is a principal architecture IT teams employ as part of disaster recovery/business continuity programs and load balancing. WAN clustering can be used for just about any computing resource, including mainframes, file servers, PCs and software application stacks.

Two core technologies that have enabled the rapid growth of WAN clustering are very rapid wide area network connectivity, and the ability to create and manage a clustered network through a single, virtualized master identity.

Another core capability that is critical to the rapid and secure operation of WAN-clustered network architecture is VPN technology. VPNs ensure information is secure traveling between servers as well as to and from servers and end users’ devices, be they PCs, laptops, tablets or smart devices.



More about WAN Clustering

Advocates of clustering suggest that the approach can help an enterprise achieve 99.999 percent (so-called five nines) availability in some cases. A common use of WAN clustering is to load balance traffic on high-traffic networks, especially networks where users upload and download large files, such as complex drawings and video. Formerly, “cold-standby” solutions were the rule: a replacement server was used only if the running system failed. This is less efficient and unnecessarily ties up resources. Today, several connected servers are often operated in parallel, with load balancing distributing the load equally among them. One distinguishes between active/active and active/passive concepts, depending on how tasks and roles are allocated within the server cluster.

When using a modern active/active clustering concept, any number of servers can be merged into a “cluster.” The servers are interconnected and every active session is known to every server, which is why a session can be taken over by any other server in case of an interruption. Some solutions even give all cluster nodes equal authority instead of applying the standard master-slave concept, in which one server commands all the others.

With load balancing, all sessions can be optimally distributed among all servers, too – for perfect performance and an efficient use of resources. This is particularly interesting since – in the era of tablets, smart devices and BYOD – the number of server requests is expected to increase rapidly.

WAN clustering can also provide a relatively low-cost form of parallel processing (rapid processing of program instructions by dividing them among multiple processors) for scientific and other applications.

Role of WAN Clustering in Disaster Recovery/Business Continuity

In a disaster recovery/business continuity situation, the functions of a particular server or entire network location are taken over by any server(s) at a different location when one server or network location becomes unavailable for any reason such as scheduled down time, hardware or software failure, or a cyber attack.  The process involves automatically offloading tasks to another server location so that the procedure is as seamless as possible to the end user. The recovery process can apply to any aspect of a system; it might protect against a failed processor, network connection, storage device, or Web server. It might protect against natural disasters such as flooding or blackouts.

Originally, stored data was connected to servers in very basic configurations: either point-to-point or cross-coupled. In such an environment, the failure (or even maintenance) of a single server frequently made data access impossible for a large number of users until the server was back online. More recent developments, such as the storage area networks and cloud computing, make any-to-any connectivity possible among servers, data storage and other systems. Typically, these networks utilize many paths between the server and the system. Each consists of complete sets of all the components involved. A failed path can result from the failure of any individual component of a path. IT teams employ multiple connection paths, each with redundant components to avoid single points of failure, to help ensure that the connection is still viable even if one (or more) paths fail.

Role in Load Balancing

Load balancing is the division of a computer, server or network’s workload between two or more computers/servers so that more work gets done in the same amount of time and, in general, all users get served faster. Load balancing can be implemented with hardware, software, or a combination of both. Load balancing is often the main reason IT teams opt for a clustering architecture.

Companies whose websites receive large volumes of traffic also frequently select clustering architecture. For load balancing Web traffic, there are several approaches. For Web serving, one approach is to route each request to a different server host address in a domain name system (DNS) table, round-robin fashion. Usually, if two servers are used to balance a work load, a third server is needed to determine which server to assign the work to. In some approaches, the servers are distributed over different geographic locations.

Maximizing WAN Clustering Potential through Well-Managed VPNs

No matter the objective, a well-managed VPN is essential to successful WAN clustering. When designing VPNs into a clustered architecture, IT teams must strike a balance between accessibility, speed and cost. There are several strategies IT teams should employ to achieve the optimal performance from VPN technology.

While IT managers can typically estimate how many users the VPN will handle on a day-to-day basis, they often have trouble accounting for the rapid bursts of VPN usage that occur for reasons ranging from bad weather forcing employees to work at home, to a new product launch that drives mountains of traffic to a Web server.

IT teams must size VPN capacity to handle worst-case scenarios, but this can become very expensive, especially if most of the time there is limited VPN usage. Prioritizing the information needs of particular key people or types of data is a proven approach to achieving the balance between cost-effective VPN infrastructures and meeting the needs of peak periods.

IT teams should also watch VPN performance continuously to gauge usage and to analyze for trends. If employees “discover” the benefits of a well-managed VPN, they may begin to use it more, resulting in additional data flows that can impede performance. Concurrently, if the company is growing and expanding the number of employees and servers, IT teams have to make sure that existing hardware can cope with the traffic and that there are enough VPN licenses available for every user.

Employees should also receive training in the types of data best suited to travel through VPNs. Uploading or downloading rich media applications or streaming video can tie up significant VPN resources. Being even somewhat selective about what data travels over the network can provide important performance benefits. Some IT teams divert non-sensitive data off the VPN, ensuring sensitive data can reach its destination, a process called split tunneling. For security reasons, however, one should stick to anti-split tunneling, because otherwise malware has a potential way into the company's network.
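One way to audit a client for split tunneling is to read its routing table and list every destination whose longest-prefix match leaves through a non-tunnel interface. The following is an added example, not part of the original article; it covers IPv4 only, and the two routing tables, the interface names (tun0, wlan0) and all addresses are constructed for illustration.

```python
import ipaddress

# Constructed `ip -4 route show` output for two hypothetical clients.
SPLIT = """default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
10.20.0.0/16 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50"""
FULL = """default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev wlan0"""

def parse_routes(text):
    """Turn routing-table text into (network, device) pairs."""
    routes = []
    for tok in (line.split() for line in text.splitlines()):
        if "dev" not in tok:
            continue  # blackhole/unreachable entries carry no device
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        routes.append((ipaddress.ip_network(dest), tok[tok.index("dev") + 1]))
    return routes

def off_tunnel_prefixes(text, tunnel_dev, allowed=()):
    """Prefixes whose longest-prefix match leaves via a non-tunnel device."""
    routes = parse_routes(text)
    allowed = [ipaddress.ip_network(a) for a in allowed]
    leaks = []
    for net, dev in routes:
        if dev == tunnel_dev:
            continue
        remaining = [net]
        for other, _ in routes:  # more specific routes override this one
            if other.prefixlen <= net.prefixlen or not other.subnet_of(net):
                continue
            kept = []
            for piece in remaining:
                if other.subnet_of(piece):
                    kept.extend(piece.address_exclude(other))
                elif not piece.subnet_of(other):
                    kept.append(piece)
            remaining = kept
        leaks += [p for p in remaining if not any(p.subnet_of(a) for a in allowed)]
    return sorted(leaks)

def reaches(prefixes, addr):
    """True if addr falls inside any of the given prefixes."""
    return any(ipaddress.ip_address(addr) in p for p in prefixes)
```

With the local LAN and the VPN endpoint's host route passed as `allowed`, an empty result means all remaining traffic is forced through the tunnel; any other prefix in the result is a path that bypasses it.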

Selecting the Best VPN Technology for Your Network

As with any technology, IT teams must determine what objectives they are trying to reach before selecting which VPN technology to implement. One ongoing area of discussion is on the merits of SSL VPNs or IPsec VPNs. 

There are reams of articles on the benefits and weaknesses of each protocol. Briefly, an IPsec VPN creates a secure connection through a client application on the remote device and a VPN terminator on the company’s network. IPsec VPN solutions are very widely used and for many years were the standard remote access solution. They are especially well suited for fixed connections, for example, from the enterprise network to branch offices or suppliers and customers. They allow complete network access and are considered to be secure and reliable.

In a large-scale environment, IPsec VPN technology exhibits a major drawback: an IPsec VPN client has to be installed on every end device. Doing so requires installation and administrator rights.

Secure Sockets Layer (SSL) VPNs have gained in popularity because they are “clientless,” meaning the remote device doesn’t need to have a client pre-installed to connect to the corporate network. In many situations, an SSL VPN tunnel is created when a remote user opens a Web browser and connects to a pre-defined URL. The VPN then prompts the user for a user name and password. Once authenticated, the user is often taken to a company-specific web page offering several options for network access or company applications.

An SSL VPN allows full network connectivity, as does an IPsec VPN, but can be deployed more easily to remote users since neither installation nor administrator rights on the client are needed. This makes SSL-VPN solutions attractive for enterprises.

Another variable in VPN performance is completely out of the hands of IT teams – quality of the local Internet connection. If an employee is working at home, at an Internet café or some other remote location and teens nearby are downloading the latest movie or playing interactive video games, performance may suffer. This is often true in hotels as well, even expensive ones where guests pay for broadband. And, it can be true in corporate offices where carriers have failed to upgrade pipes adequately.

IT teams can partly address this issue by researching the quality of bandwidth at corporate offices and demanding SLAs with minimum throughput guarantees within an acceptable range.

Teams should also study the types of traffic that will travel over the VPN when selecting the best technology for their organization. If the VPN will carry voice traffic, teams must be aware that voice is highly sensitive to any latency, while video downloads are less latency sensitive but typically require more bandwidth. A well-conceived VPN strategy can help IT teams address these issues. Some organizations prioritize traffic based on port. Voice and business critical traffic might be prioritized over routine file transfers, for example.  

Conclusion

Calculating the ROI of an effective VPN deployment is extremely difficult because the benefits are numerous. Employees gain anytime, anywhere access to critical information. With an included option for geographic clustering, IT teams attain an effective approach to maximize the performance of the organization’s network, while concurrently protecting critical assets from all forms of threats – weather, earthquakes, cyberattacks, et al.  It is safe to say that as the credit card ad goes, a well-managed VPN is – priceless.




Edited by Rich Steeves