Choosing the best application delivery controller for your environment shouldn't be complicated, but how can you distinguish among vendors to determine which ADC product will work best for your needs?
This application delivery controller comparison will help take the guesswork out of the ADC buying process. We compare application delivery controllers from 11 leading vendors: A10 Networks, Amazon Web Services, Array Networks, Avi Networks, Barracuda Networks, Citrix, F5 Networks, Kemp Technologies, Microsoft, NGINX and Radware. By examining what features and functionality each ADC offers and matching those to your requirements, you can select the ADC product that will best meet the needs of your network.
ADC platform options: Which are best?
There are many factors that will determine which application delivery controller is best for your organization, including where it will run. Keep in mind there are several platform options available, but not all vendors support all platforms.
The typical platform options include the following:
- A physical appliance that bundles hardware and software together. This might include proprietary acceleration boards or cryptohardware.
- Bare metal, which is typically a software-only option, without acceleration boards, that installs on a standard x86-based server the customer provides.
- A virtual appliance that delivers software as a bootable appliance on VMware or a similar host.
- A cloud instance, which is a virtual appliance that's hosted in a cloud, such as AWS or Microsoft Azure.
Traditional ADC vendors are likely to offer a broader set of options. Kemp Technologies, for example, offers its product in all four platform options. A10 Networks offers a product line that's focused on traditional deployments, as well as one for cloud deployments. Avi Networks offers its load balancer as software only, while AWS and Microsoft load balancers can be deployed only as virtual appliances on the respective cloud vendor's network.
Using extensive research into the application delivery controller market, TechTarget editors focused on those companies that offer the broadest selection of ADC features -- both through appliances and through software only. Our research included data from TechTarget surveys, interviews and reports from other respected research firms, including Gartner.
How application delivery controllers address server load balancing
Because the core functions are well-established, you can expect basic Layer 4 distribution to work similarly across all vendor options. Longtime vendors, such as Citrix, F5 Networks and Radware, will likely have more granular choices for features such as distribution algorithms.
Application server load balancing, also known as Layer 7 balancing, will likely vary across vendors. Most vendors use the load-balancer label to cover Layer 4 and Layer 7, but not all do. For example, the Microsoft Azure Load Balancer only deals with Layer 4 traffic. If you want to distribute traffic at Layer 7, you must use a different product. AWS only provides Layer 7 functions in a higher-end virtual appliance, and Barracuda Networks doesn't provide Layer 7 functionality in its lowest-cost model. Citrix NetScaler, by contrast, includes Layer 7 functionality even in its most basic, standard edition.
ADC devices that offer global server load balancing
This feature will likely only be of interest to companies that have multiple, geographically dispersed server farms. Several of the vendors examined here, including Citrix NetScaler, Kemp Technologies and Barracuda Networks, offer this functionality. But most of these ADC vendors make it available only in their higher-end, enterprise-focused products.
Application acceleration functionality: Hardware vs. cloud-only
As you examine application delivery controllers, keep in mind that application acceleration references a group of related functions that are implemented individually. These include caching, compression, TCP optimization and traffic-shaping functionality. Hardware-oriented vendors, including A10 Networks, Array Networks, Citrix and F5 Networks, and software-only vendor Avi Networks, all offer application acceleration features, whereas cloud-only ADCs, such as AWS and Microsoft Azure Load Balancer, do not.
The SSL offload function
The vast majority of traffic crossing the internet is encrypted using some variation of the Secure Sockets Layer (SSL) protocol.
For e-commerce sites with high transaction rates in particular, the SSL load will be significant. Many ADC vendors provide an SSL offload function that enables the SSL cryptographic functions to be performed in the ADC, thereby saving CPU resources on the target server.
Typically, the SSL workload is offloaded to specialized cryptohardware in the ADC. Vendors that offer this feature include Array Networks, Avi Networks, Citrix and F5 Networks. These vendors also offer advanced elliptic curve cryptography and perfect forward secrecy.
Security capabilities in ADC products: WAFs vs. doing it yourself
For application delivery controllers, security covers a number of areas, including basic access-control-list capability, protection from distributed denial-of-service (DDoS) attacks, a full-function web application firewall (WAF) or even outbound data loss prevention (DLP). Vendor offerings range from minimal to integrated full-function WAFs. For some vendors, the WAF function is available as an add-on feature set or separate product.
Some vendors and customers think security defenses shouldn't reside in the ADC. Therefore, don't necessarily take the absence of certain security functions as a product flaw; it may instead reflect an alternative deployment architecture.
Of the legacy vendors, A10 Networks provides an integrated WAF with its Thunder ADC, and Citrix provides WAF functionality, as well as DLP capabilities, via its optional AppFirewall add-on.
Similarly, F5 offers the BIG-IP Application Security Manager to implement WAF functionality. Kemp Technologies has a built-in WAF, but only makes it available to users that subscribe to the company's Enterprise Plus license.
Cloud-vendor load balancers, such as AWS Elastic Load Balancer and Microsoft Azure, don't provide WAF functionality. Thus, it's in the area of security services that you will find the biggest differences, not only in features, but also in packaging and, most likely, pricing. So, if your architectural requirements call for your ADC to handle security, plan on spending time to determine what feature and packaging options your shortlist vendors offer.
ADCs that focus on analytics
Analytics is a broad and somewhat vague term. Virtually every vendor can likely put a check mark in this column. In our research, we've seen significant differences in the types of information the leading ADC devices present. We've seen some with basic info, such as transaction rates, and others where there's a separate category for DDoS attacks. There is no standard set of management features that you can expect from every vendor. As a result, you'll want to closely examine what each vendor offers.
Avi Networks is a good example of a vendor that focuses on analytics. The company provides granular, per-transaction performance data in an easy-to-use interface. Its product offers DVR-like functionality that enables you to go back in time and replay and analyze network conditions from prior periods.
But it isn't just the newer players that are focused on analytics. For example, A10 Networks delivered a major upgrade to its analytics capabilities last fall that helps developers determine source errors, latency or other problems.
The price of throughput
With ADCs, it's common practice to price according to throughput. For hardware appliances, this isn't surprising, as it will require more powerful -- and, thus, more expensive -- hardware, higher density and faster network interfaces to provide that higher throughput.
Many vendors will also charge you based on desired throughput when using hardware-independent, virtual load balancers. This approach also makes sense, as users that demand more throughput from a product can expect to pay more.
Kemp Technologies, for example, has throughput-based tiers that go from 200 Mbps to 10 Gbps. For each tier, the number of SSL transactions per second also increases.
Most appliance-based vendors offer a range of models with increasing performance and price. Array Networks offers six different appliances that range in rated maximum Layer 4 throughput from 3.5 Gbps to 140 Gbps. Radware has more than 40 model and throughput combinations.
Increasingly common is the metered pricing approach pioneered by cloud vendors such as AWS and Microsoft. Paying as you go makes perfect sense for virtualized and software-based bare-metal application delivery controllers, because the ADC vendor doesn't have to be concerned about hardware costs.
What are your licensing options?
Ultimately, ADC client companies might use a variety of deployment options to suit various needs. Even more common will be scenarios where currently deployed ADCs are appliance-based, and future ADC deployments will be virtualized or cloud-based.
However, if you plan to move from a hardware-based appliance to a virtualized ADC, be careful you don't end up paying for licenses more than once. This could happen if your ADC vendor has a strict, inflexible licensing policy. You've already paid for a license for your appliance, but unless your vendor allows you to transfer your hardware license to your new software instance, you could be stuck paying twice for the same functionality.
Fortunately, most ADC vendors have recognized that license flexibility is important and have created new licensing models that reflect this new reality. A good example of this is Radware's Global Elastic License, which allows all licensed throughput and capacity to be shared among all physical and virtual application delivery controllers, whether the ADCs are in the cloud or on premises. This is the type of license you should insist upon with whichever vendor you choose. Look for this type of maneuverability with your ADC licensing as you evaluate vendors.