Interface Online, Center for Information Technology (CIT)

Fall/Winter 2010 [Number 248]

Please note that this issue of Interface is an archived issue. Therefore, the information contained in each article may no longer be current.


Shared Load Balancing—A New Virtual Service Offering

As an alternative to using dedicated load balancing devices, CIT has developed a new Shared Load Balancing Service for customers with hosted servers at the NIH Data Center. At a high level, load balancing refers to managing and optimizing traffic flow or workload across multiple servers for high availability, decreased response times, maximized throughput, and optimal resource utilization.

Drawbacks of dedicated load balancing

Previously, CIT only offered dedicated F5 load balancer solutions. The dedicated devices are a good choice for customers who have high-traffic applications that make full use of the devices' resources, but are less suited for applications with lower capacity requirements, which use only a fraction of dedicated device resources. If you need FIPS 140-2 compliance but have a low-traffic application, then because FIPS modules are only available on high-end (dedicated) F5 devices, you are paying a premium for dedicated hardware without making use of its full resources.

CIT's Shared Load Balancing Service provides a cost-effective option for customers who need either standard or FIPS-compliant traffic management but don't need the full capacity of a dedicated load balancer.

What benefits does shared load balancing offer?

The new service offers shared load balancing on F5 devices on a fee-for-service basis. The shared service maximizes hardware utilization without compromising performance or security by allocating the F5 device resources, such as CPU, memory, secure socket layer (SSL) transactions, compression, and FIPS processing, among multiple customers. The shared service provides the same technical features as the dedicated service at a lower cost.

The overall benefits of the shared option include:

  • Cost Savings
    • Lower charges for CIT customers (compared to dedicated load balancing)
    • Reduced total cost of ownership for load balancing hardware
    • Reduced real estate costs by creating shared resources instead of adding physical devices

  • FIPS Compliance
    • Provides cost-effective FIPS 140-2 compliant load balancer solution for customer applications and servers

  • Greener Data Center and Operational Efficiency
    • Allows higher capacity utilization of system resources
    • Reduces the number of physical devices to support
    • Achieves higher degree of energy efficiency and saves on Data Center power and cooling

Is the shared service for everyone?

CIT believes the Shared Load Balancing Service will benefit a significant number of customers; however, a customer's technical requirements or other factors may make dedicated load balancing or another service better suited to that customer's needs.

The shared service will not be available in the following instances:

  • When customer technical requirements necessitate changes to the Shared Load Balancing Service configuration that could potentially affect other customers.

  • When a customer has specific Service Level Agreement requirements that fall outside the Shared Load Balancing Service criteria.

  • When a customer has varying maintenance window requirements.

  • When a customer consumes a high enough percentage of the load balancer hardware or network resources that would warrant a dedicated solution.

What about security?

With the Shared Load Balancing Service, device resources are shared among customers, but security controls separate customer application traffic.

These controls include:

  • Physical Controls – Physical separation of application traffic is achieved by means of separate physical ports on the F5 device.

  • Logical Controls – Logical separation of customer traffic is accomplished through the use of individual Virtual Local Area Networks (VLANs) across the F5 device and network switches.

  • Global IP forwarding is disabled on the F5 device so customers cannot forward traffic from one VLAN to another. Custom IP forwarding is created to allow traffic to securely flow only within a customer's subnet.

  • F5 device configurations map each customer's Virtual IPs (URLs) to a unique group of destination servers. This prevents one customer's traffic from being forwarded to other customers' servers.

  • Similar to a proxy server, the F5 device creates and manages a session table to track each packet flow.

  • All SSL certificate keys are protected with a FIPS 140-2 compliant hardware module, which in turn prevents keys from being exported or tampered with.

Additionally, access to the F5 devices is limited to appropriate CIT staff, and an audit function is enabled to record changes made to the devices.
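The controls above amount to three isolation invariants a tenant of a shared load balancer can verify: VLANs are not shared between customers, every Virtual IP maps only to that customer's own servers, and custom IP forwarding never leaves the customer's subnet. The following is an added audit example written for this article, not CIT's or F5's code; the tenant records, names and RFC 5737 addresses are constructed sample data, not a real device configuration.

```python
"""Audit tenant-isolation invariants for a shared load balancer.

Checks: (1) each VLAN belongs to exactly one customer, (2) every VIP's
pool members sit inside that customer's subnet, (3) every custom IP
forwarding rule keeps both source and destination inside that subnet.
"""
import ipaddress

# Constructed sample tenants (hypothetical names, RFC 5737 documentation
# addresses). appB deliberately violates all three invariants.
TENANTS = [
    {"name": "appA", "vlans": {"vlan110", "vlan111"}, "subnet": "192.0.2.0/24",
     "vips": {"192.0.2.10": ["192.0.2.21", "192.0.2.22"]},
     "forwarding": [("192.0.2.0/24", "192.0.2.0/24")]},
    {"name": "appB", "vlans": {"vlan120", "vlan111"},   # vlan111 reused
     "subnet": "198.51.100.0/24",
     "vips": {"198.51.100.10": ["198.51.100.21", "192.0.2.22"]},  # appA server
     "forwarding": [("198.51.100.0/24", "0.0.0.0/0")]},           # too broad
]


def audit(tenants):
    """Return a list of findings; an empty list means the tenants are isolated."""
    findings = []
    vlan_owner = {}
    for t in tenants:
        net = ipaddress.ip_network(t["subnet"])
        # Logical control: a VLAN may be assigned to only one customer.
        for vlan in t["vlans"]:
            if vlan in vlan_owner and vlan_owner[vlan] != t["name"]:
                findings.append(f"{t['name']}: VLAN {vlan} already owned by {vlan_owner[vlan]}")
            vlan_owner.setdefault(vlan, t["name"])
        # VIP mapping: every destination server must be in the customer's subnet.
        for vip, members in t["vips"].items():
            for member in members:
                if ipaddress.ip_address(member) not in net:
                    findings.append(f"{t['name']}: VIP {vip} maps to {member} outside {net}")
        # Custom IP forwarding: traffic may only flow within the customer's subnet.
        for src, dst in t["forwarding"]:
            if not (ipaddress.ip_network(src).subnet_of(net)
                    and ipaddress.ip_network(dst).subnet_of(net)):
                findings.append(f"{t['name']}: forwarding {src} -> {dst} leaves {net}")
    return findings


if __name__ == "__main__":
    for finding in audit(TENANTS):
        print(finding)
```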

Monthly maintenance

The Shared Load Balancing Service includes an established monthly maintenance window for software patching and code upgrades when required. Emergency updates may be necessary to address critical system failures or vulnerabilities. In such cases, CIT will notify customers by email about emergency maintenance activities.

The Shared Load Balancing Service offering

The Shared Load Balancing Service offers the following technical features:

  • One physical port per customer, configured with multiple VLANs. Speed is set at 1Gbps full-duplex.

  • A redundant F5 BIG-IP appliance infrastructure.

  • Health check monitors for site/application high availability.

  • Physical interface link up/down monitoring with automatic failover to standby F5 device.

  • FIPS 140-2 processing of SSL certificates up to 500 transactions per second (TPS) per port.

  • Web compression up to 200 Mbps.

  • Certificate Keys stored in a FIPS 140-2 certified hardware module.

  • Server load sharing and fault tolerance capabilities for customer applications, up to 50 virtual IPs (URLs) per port.

For more information

For more information about this service or CIT's other virtualization offerings, see the CIT Service Catalog online at http://cit.nih.gov/ServiceCatalog/, or call your CIT Customer Coordinator, or contact the NIH IT Service Desk at http://itservicedesk.nih.gov/support or 301-496-4357, 301-496-8294 (TTY), or toll free at 866-319-4357.

Published by Center for Information Technology, National Institutes of Health