
Application Delivery Controllers: A Key to App Modernization

Enterprise application delivery controllers support app modernization with API protection, multicluster ingress, IaC automation and more.
Apr 25th, 2024 8:26am by
Featured image by Denys Nevozhai on Unsplash.

If you get them right, modern approaches to building applications such as microservices and Function as a Service (FaaS) offer highly effective methods to deliver value to your organization and your customers. They enable you to move fast by making changes to small parts of your system hundreds of times a day. Their competitive advantages are so significant that it is tempting to imagine that most enterprises would already have updated and overhauled their applications for the modern era. The reality, however, is quite different.

As the 2023 Gartner CIO and Technology Executive Survey suggests, the transition to modern technology platforms is indeed well underway, but it is also far from complete. According to Gartner’s survey, in 2023:

  • 46% of organizations expected to increase their spend on application modernization.
  • 50% planned to increase their spend on cloud platforms.
  • 47% said they would decrease investments in legacy infrastructure and data center technologies.

The main reason application modernization takes time in large enterprises is the complexity of the modern deployment environment. Enterprise IT teams typically deal with their own data centers alongside multiple public clouds — often as a result of mergers and acquisitions — while trying to deliver new ideas to customers quickly and reliably.

The Evolution of Application Delivery Controllers

As the infrastructure running our applications has grown more complex, the supporting systems have evolved to be more sophisticated. Load balancers, for example, have been largely superseded by application delivery controllers (ADCs). These devices are usually placed in a data center between the firewall and one or more application servers, an area known as the demilitarized zone (DMZ).

While first-generation ADCs primarily handled application acceleration and load balancing between servers, modern enterprise ADCs have considerably expanded capabilities and have evolved into feature-rich platforms. Modern ADCs include such capabilities as traffic shaping, SSL/TLS offloading, web application firewalls (WAFs), DNS, reverse proxies, security analytics, observability and more. They have also evolved from pure hardware form factors to a mixture of hardware and software options.

One leader of this evolution is NetScaler, which started more than 20 years ago as a load balancer. In the late 1990s and early 2000s, it handled the majority of internet traffic. When the company was acquired by Citrix in 2005, NetScaler added technology specific to Citrix workloads, and the product was later rebranded Citrix ADC. Following Citrix’s acquisition in 2022, it was redubbed NetScaler.

Over time NetScaler has evolved into a full-featured application delivery and security platform. It offers both hardware and software form factors that include virtualized, containerized and bare-metal ADCs. NetScaler is part of the underlying application architecture that enables secure business-critical processes for some of the largest financial, retail, healthcare and public cloud providers in the world.

Despite the wide range of supported form factors, NetScaler emphasizes maintaining a single, common codebase, with releases planned and rolled out to ensure feature parity across the different form factors. “The interfaces and APIs our customers are using to manage their applications stay the same — whether in their data center, edge or cloud,” explained Sunit Chauhan, head of product management at NetScaler. “This creates a significant benefit for developers as there is only one set of APIs and user interfaces to learn.”

NetScaler architecture

Source: NetScaler

Most ADCs, including NetScaler, do have core network and switching capabilities to operate within the network, but they are not traditional switches or routers. They operate at OSI layers 3 to 7. “The purpose of the NetScaler node is to load balance across multiple servers — tens, thousands or sometimes tens of thousands of servers that users are trying to access,” Chauhan said. “Most of our larger customers also deploy across multiple locations. So we have a capability called global server load balancing (GSLB) that allows us to balance load across on-premises and cloud data centers in numerous locations.”

To operate at this scale, you need to run a great deal of automation, including infrastructure as code. “Many of our customers use both Terraform and Ansible to manage their infrastructure,” Chauhan said. “NetScaler always included REST APIs, but over the last year, we have introduced next-generation, declarative APIs. These make the management of NetScaler [ADCs] using Infrastructure as Code constructs much easier since the next-gen APIs are built around application services, rather than networking constructs.”

API Security and Observability in Distributed Environments

At a high level, NetScaler’s three major pillars are performance, security and observability.

NetScaler’s one-pass architecture (on the right side of the diagram above) starts by taking HTTPS traffic and decrypting it. Then the other security services — the WAF, bot protection and API security — take over.

“API security has become very important, as most traffic now is API driven,” Chauhan said. This is because a microservices-style architecture requires interservice communication, which in turn increases the security exposure for East-West traffic — both within the data center and sometimes outside to a partner application. NetScaler’s API protection covers rate limiting, authentication and authorization, as well as content routing. It also uses machine learning to stop a variety of cyberattacks, such as excessive client connections via API and attempted account takeovers.

In addition, NetScaler CPX, a container-based ADC, provides security inside the cluster. “We were the first in the industry to introduce multicluster ingress controllers,” Chauhan told The New Stack. “A NetScaler ingress controller, which sits inside the Kubernetes cluster, programs a load balancer (or a NetScaler ADC outside the cluster) and signals back to balance the load across multiple clusters. So within the data center, we provide multicluster load balancing, and outside the data center, we have GSLB for load balancing and traffic shaping.”

Chauhan also emphasized the importance of observability for maintaining a strong security posture. The NetScaler node tracks some 25,000 parameters for every session going between the inside and outside of the network, with the data exposed to ops teams via the NetScaler Console. “We realized about five years ago that these insights are really useful for security admins,” Chauhan said. “But typically the security admins were not logging into the NetScaler Console because it wasn’t their primary responsibility.”

However, as the observability industry evolved to include products like Elasticsearch, Honeycomb, New Relic, Prometheus and Splunk, NetScaler added the ability to export data into a variety of observability endpoints: “This means if a security team is interested in the insights NetScaler provides, they can embed this data into their own dashboards,” Chauhan said.

How NetScaler’s Architecture Achieves High-Performance Application Delivery

In addition to observability and security capabilities, NetScaler provides high-performance application delivery — which can be measured by throughput, latency or total transactions per second. To assess this, in 2021 Citrix commissioned Tolly to benchmark the performance of NetScaler (then called Citrix ADC) against competitor F5 BIG-IP Virtual Edition (VE). The tests, which ran in an AWS environment, assessed ADC and firewall capabilities using various encryption protocols. Tolly measured latency as an indicator of responsiveness, transaction throughput and end-user experience. The tests focused on P99 latency, the 99th-percentile value that only the slowest 1% of flows exceed.

While it’s wise to view any benchmark with skepticism, particularly a corporate-sponsored one, Tolly’s tests showed the Citrix ADC VPX outperformed the F5 BIG-IP VE in all test scenarios, with lower latency and CPU utilization against comparable throughput levels.

Chauhan said NetScaler’s one-pass architecture is behind this high performance: “Once we decrypt the packet, all the remaining functions are carried out in a single pass. We don’t send something to another function and get it back.” This means that you can be running multiple compute tasks, such as network and security inspections, simultaneously. This gives NetScaler significant latency and throughput advantages.

Evaluate Your Options

Alongside commercial competitors such as F5’s BIG-IP, there are open source alternatives including HAProxy. “Open source load balancers are great for initial innovation and application development,” Chauhan said. “But in an enterprise setting, you’ll probably need to move to something that is fully supported. Platform teams usually like to stay with a single solution to reduce the attack surface, rather than whatever is easily downloadable for a developer.”

To help developers who are interested in giving it a try, NetScaler recently announced NetScaler CPX Express, a free version of its Kubernetes ingress proxy, which creates a straightforward path to production.

Citrix is now including all of NetScaler’s capabilities in its new subscription plans. These plans make it less expensive for Citrix customers to extend NetScaler application delivery and security to hybrid- and multicloud deployments across the enterprise. The goal is to make “almost unlimited functionality, capability and capacity” available to Citrix customers, Chauhan said, to help them manage the complexity of today’s modern applications.

TNS owner Insight Partners is an investor in: Honeycomb.