In today’s cloud-based environments, maintaining a robust security posture while ensuring high availability and scalability is a top priority. Enterprises face these challenges head-on and run into risk if they are not addressed. Although cloud infrastructure keeps being optimized, many enterprises are still unable to configure their cloud to maintain high availability and to develop applications at scale for the global marketplace.
To address this, Oracle Cloud Infrastructure (OCI) introduces symmetric hashing support on its network load balancers, empowering customers to deploy flexible security architectures that meet their unique needs.
How Does Symmetric Hashing Work on the OCI Network Load Balancer?
OCI private network load balancers can be configured in transparent mode, allowing them to operate as a bump in the wire that preserves source and destination IP addresses. This enables use cases such as scaling firewall appliances, IPS, and IDS, where the load balancer forwards incoming packets to a next-hop network virtualization appliance that applies the security policy before the packets reach the application servers.
In this mode, the load balancer does not modify packet information; instead, it acts as a route target, so traffic must be directed through it via a VCN routing table entry.
What Network Designs Can Be Enabled with Symmetric Hashing?
With private network load balancers in transparent mode, you can now enable symmetric hashing, which ensures that incoming and outgoing traffic is consistently routed to the same network virtual appliance (NVA) without requiring source NAT on the NVA. This feature enables two key network design scenarios:
- A single network load balancer front-ends the firewall appliances and handles both forward and reverse traffic.
- Symmetric egress traffic through SD-WAN appliances.
Architecture
In the following diagram, a transparent network load balancer acts as a bump in the wire in front of your firewalls, load balancing flows across all of your active firewalls.
To redirect traffic through the transparent network load balancer and firewalls, we use intra-VCN routing to send incoming traffic from the on-premises data center to the load balancer via a private IP route rule in the DRG route table. The load balancer then distributes the traffic to one of the active firewalls, which forwards it to the actual servers without modifying the packet’s IP headers.
On the return path, we use VCN route table rules to ensure that traffic from the backend servers is routed through the load balancer, which then directs it to the same firewall device that handled the original traffic (thanks to symmetric hashing). The firewall then sends the return traffic back to the on-premises data center network through the DRG.
The key requirement is that the load balancer forwards both incoming and outgoing traffic to the same firewall device, all while preserving the original source and destination IP addresses. This ensures that backend applications see the true client IP address, not the load balancer’s or firewall’s IP address.
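To make the requirement above concrete, the following added example (not code from the original post or from OCI; it models the concept, not OCI’s actual hashing implementation) simulates a transparent load balancer in front of three stateful firewall NVAs. A plain 5-tuple hash sends many replies to a firewall that never saw the forward packet, so the firewall drops them; a symmetric hash orders the two endpoints before hashing, so the forward and return directions always select the same NVA. NVA addresses, client and server ranges are constructed placeholders.

```python
import hashlib
import random

# Constructed example: three firewall NVAs behind a transparent NLB.
# Addresses are placeholders, not values from the original post.
NVAS = ["10.0.1.11", "10.0.1.12", "10.0.1.13"]

def _digest(key: str) -> int:
    """Stable 64-bit hash; Python's built-in hash() is salted per process."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")

def asymmetric_hash(flow):
    """Plain 5-tuple hash: the reply (src/dst swapped) hashes differently."""
    src, sport, dst, dport, proto = flow
    return _digest(f"{src}:{sport}>{dst}:{dport}/{proto}")

def symmetric_hash(flow):
    """Sort the two endpoints before hashing so A->B and B->A map alike."""
    src, sport, dst, dport, proto = flow
    lo, hi = sorted([(src, sport), (dst, dport)])
    return _digest(f"{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}/{proto}")

def pick_nva(hash_fn, flow):
    """Backend selection: hash modulo the number of healthy NVAs."""
    return NVAS[hash_fn(flow) % len(NVAS)]

def reverse(flow):
    """Swap endpoints to obtain the reply packet's 5-tuple."""
    src, sport, dst, dport, proto = flow
    return (dst, dport, src, sport, proto)

def simulate(hash_fn, flows):
    """Count replies that land on an NVA holding no session for the flow."""
    # Each NVA is a stateful firewall: it passes a reply only if it saw
    # the forward packet, so a reply hashed to another NVA is dropped.
    sessions = {nva: set() for nva in NVAS}
    dropped = 0
    for flow in flows:
        sessions[pick_nva(hash_fn, flow)].add(flow)  # forward packet
        if flow not in sessions[pick_nva(hash_fn, reverse(flow))]:
            dropped += 1  # reply reached a firewall without the session
    return dropped

def sample_flows(n=200, seed=7):
    """Constructed on-prem clients (192.168/16) reaching 10.0.2.0/24:443."""
    rng = random.Random(seed)
    return [(f"192.168.{rng.randint(0, 255)}.{rng.randint(1, 254)}",
             rng.randint(1024, 65535), f"10.0.2.{rng.randint(1, 254)}",
             443, "tcp") for _ in range(n)]
```

Running `simulate(symmetric_hash, sample_flows())` returns 0 dropped replies, while the asymmetric variant drops roughly two thirds of them with three backends.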
INFOLOB’s Unmatched Excellence with Oracle Cloud
Implementing symmetric hashing and integrating robust security measures creates a flexible and secure architecture on OCI Network Load Balancers. This approach ensures efficient traffic distribution, session persistence, and data security, making your application more resilient and secure.
INFOLOB’s experts, pioneers of cloud-powered transformation who leverage OCI’s built-in AI features, deliver greater optimization and configure the platform to your business requirements. More than 250 global customers rely on us to run their workloads daily and to complete the final phases of their transformation by embracing OCI’s high availability and scalability atop sophisticated layers of security.
With the cloud expertise we have built, we are your go-to solution architects. Grow and reinvent your business with us today!
For all queries, please write to: