AppGate ZTNA overcomes traditional problems associated with high availability and load balancing through the combination of several key concepts:
Appliance based
All system functions are served by performant Ubuntu-based appliances that can be run as cloud instances, virtual machines, or physical appliances. The software has been optimized to take full advantage of multi-core processors and built-in CPU features such as AES-NI. Gateway throughputs in the range of 20Gb/s-40Gb/s can be achieved even when using virtual hosts.
HA Controllers
An AppGate ZTNA Controller is an appliance that performs on-demand transactions using REST calls, preventing a bottleneck for signed-in users who are only connected to and pushing traffic through Gateways. As a result, short periods of unavailability of a Site's sole Controller may go unnoticed by users unless their tokens happen to expire during that time.
For hyper-scaling where there may be a high number of transactions, a larger Controller can be specified to improve performance; however, there is a practical limit to the number of cores/threads that can be utilized in one appliance. (See Appendix for physical and virtual appliance sizing.) When this limit is reached, AppGate ZTNA has built-in support for HA Controllers, enabling load-balanced, highly available, multi-master Controllers to be deployed.
Site-based access
AppGate ZTNA makes it easy to distribute Gateway load based on Policy when a Collective comprises several Sites. Entitlement tokens are issued on a per-Site basis according to the Policies assigned to the user. This makes it easy to provision Sites in Europe to European employees and Sites in the Americas to American employees. A Site that has not been explicitly allowed cannot be accessed by that Client.
Gateway Micro-firewall service
AppGate ZTNA uses a patented approach that allows the Gateway to provide a secure tunnel service and micro-firewall instance on an individual basis using a separate thread for each connected Client. Once a secure tunnel has been established between Client and Gateway, the Client pushes the user's Entitlement token to initiate access. The Gateway uses the Entitlement token to set up the individual firewall table for each micro-firewall engine. By distributing countless micro-firewall services across all the processing cores, new Client connections are always assigned to the processor with available resources. Additionally, each firewall service only has to manage a few rules for the individual user.
HA Gateways
AppGate ZTNA Gateways have also been designed for scalability. Adding HA Gateways to a Site, or subdividing Sites into smaller micro-sites, will scale performance of the infrastructure linearly. Sites and Gateways are independent and, unlike traditional solutions, AppGate ZTNA requires no inter-Gateway traffic. Therefore, adding another Site protected by a new Gateway, or adding another Gateway to serve an existing Site, will not impact the performance of existing appliances as the system relies on token passing, not inter-appliance traffic. As a result, there is no operational constraint to the number of Gateways that can be added to manage performance and reliability as network traffic or user-population increases.
Load balancing
Internal HA mechanisms for load balancing should be used for both Controllers and Gateways. This ensures that Client connections are distributed optimally. For example, performance and availability can be enhanced using weightings to ensure that Gateways with 8 vCPUs receive twice the number of connections compared with ones that have only 4 vCPUs.
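The two mechanisms described above, the per-Client micro-firewall table derived from an Entitlement token (scoped to one Site) and weighted Gateway selection, modelled as an added example; this is a constructed illustration, not AppGate code, and the token layout, field names and the `pick_gateway` heuristic are assumptions made for the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed model, not AppGate code. An Entitlement token (here a plain dict)
# lists, per Site, the destinations a user may reach. A Gateway serving one Site
# keeps only that Site's entries, so each per-client micro-firewall holds a
# handful of rules, and a Site absent from the token is simply unreachable.

@dataclass(frozen=True)
class Rule:
    network: object             # ipaddress network object
    proto: str                  # "tcp" or "udp"
    port: Optional[int] = None  # None means any port

def build_micro_firewall(token: dict, site: str) -> List[Rule]:
    """Rule table for one client on the Gateway of `site` (empty if not entitled)."""
    return [Rule(ip_network(e["cidr"]), e["proto"], e.get("port"))
            for e in token.get("entitlements", {}).get(site, [])]

def allowed(rules: List[Rule], dst_ip: str, proto: str, port: int) -> bool:
    """Default deny: a flow passes only if one of the client's own rules matches."""
    addr = ip_address(dst_ip)
    return any(addr in r.network and r.proto == proto and r.port in (None, port)
               for r in rules)

def pick_gateway(gateways: Dict[str, dict]) -> str:
    """Weighted least-loaded choice (assumed heuristic): a weight-8 Gateway (8 vCPUs)
    absorbs twice the connections of a weight-4 one before looking equally busy."""
    return min(gateways, key=lambda g: gateways[g]["active"] / gateways[g]["weight"])

# Constructed sample token for one user, entitled on the EU Site only.
SAMPLE_TOKEN = {
    "user": "alice",
    "entitlements": {
        "eu-site": [
            {"cidr": "10.10.0.0/24", "proto": "tcp", "port": 443},
            {"cidr": "10.10.5.0/24", "proto": "udp", "port": 53},
        ]
    },
}

if __name__ == "__main__":
    eu_rules = build_micro_firewall(SAMPLE_TOKEN, "eu-site")
    print(len(eu_rules), allowed(eu_rules, "10.10.0.7", "tcp", 443))  # 2 True
    print(allowed(eu_rules, "10.10.0.7", "tcp", 22))                  # False
    print(build_micro_firewall(SAMPLE_TOKEN, "us-site"))               # []
    gws = {"gw-a": {"weight": 8, "active": 10}, "gw-b": {"weight": 4, "active": 6}}
    print(pick_gateway(gws))  # gw-a, since 10/8 < 6/4
```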