SoftLayer Design Decision Tool

The SoftLayer Design Decision Tool contains the potential advantages and disadvantages of the available components used for designing and building your SoftLayer Infrastructure as a Service (IaaS). Use this information during your solution design to help select the best options to meet your workload requirements. Click here for more information on the SoftLayer Solutions Design training class, which takes you through hands-on workshops to assist you with making architectural choices for your IaaS.

How to use the Design Decision Tool

The SoftLayer Design Decision Tool supports the infrastructure design process (Figure 1). It steps you through each component of your infrastructure to help you determine which options to use based on your requirements. You are encouraged to use the design process and decision tool when designing your IaaS.

Figure 1: Infrastructure design process

A high-level example of an e-commerce workload has been provided to assist you with the Design Decision Tool. After reviewing the example, you can then apply its tenets to your workload. Please be aware that more information is provided in the SoftLayer Solutions Design training class.

Indie Tix, Online Ticket Retailer (e-Commerce Example)

Indie Tix is an online ticket retailer that promotes indie music to mainstream listeners by putting on concerts in intimate venues (500 to 3,500 seats). In their current environment, they are facing increases in demand as indie artists are gaining popularity due to Internet exposure and mainstream air play.

They will be designing an architecture based on three tiers – web, application, and database – based on their current and future needs. The tiers are divided into three layers – presentation (web), business (application), and data (database) – with a server residing in each. Figure 2 illustrates Indie Tix’s architecture.

Figure 2: Indie Tix's three-tier architecture design

The first component to be determined is the global load balancer, which has the following requirements:

  • Available storefront – up to 24x7 – for top-tier customers
  • Anticipate traffic spikes that “follow the sun”
  • Handle seasonal spikes in service usage
  • Support 7,500 unique shoppers daily and 100 connections per second
  • Support highly variable and unpredictable compute requirements

Click the load balancer link and review the Considerations and Caveats for each option. Your choices should be narrowed down to the following:

Dyn.com

+ Geolocation and ratio/weight balancing capable
- No provisioning on the private network

NginX

+ Geolocation and ratio/weight balancing capable
- Higher maintenance (must manage operating system as well)
- No management console (CLI and configuration files only)

Citrix NetScaler VPX

+ GSLB protects against failures of servers and sites
+ Geolocation and ratio/weight balancing capable
+ Virtual appliance = low maintenance
- Requires an appliance, or appliances, for each site

Table 1: Global load balancer options for Indie Tix

Based on the pros and cons presented in Table 1, Indie Tix selected the Citrix NetScaler VPX for their global load balancer. The next component is the firewall, then the local load balancer, and so on. You use the Design Decision Tool to match the best component option to each IaaS design requirement. More information on the tool and how to use it is available in the SoftLayer Solutions Design training class.

IaaS Components

Below are links that will take you to the Considerations and Caveats for each option within a design component category.

Load Balancer

Considerations and Caveats

Option Considerations Caveats
Fortinet FortiGate Security Appliance (FSA)
  • Hardware accelerated SSL offload (consolidate with firewall).
  • Can be deployed in an HA cluster configuration.
  • No Authentication Gateway function.
  • No SSL pass through to web servers.
  • No proxy capability.
  • Limited IPS and IDS.
  • Appliance configuration.
Citrix NetScaler VPX (Virtual NetScaler)
  • Virtual appliance for App acceleration (consolidated with load balancer); available in Standard and Platinum Editions.
  • Acts as a proxy.
  • SSL offload processing in software plus Gateway modes (separate from load balancer).
  • Can be deployed in 2-node Active/Failover High Availability (HA) configuration.
  • Deployed as a virtual appliance to reduce costs and maintenance.
  • Can be deployed simultaneously on the public and/or private networks in SoftLayer.
  • Optimizes delivery of web-based applications with throughput from 1 to 3 Gbps depending on the hypervisor resources and encryption.
  • Global traffic can be managed enterprise wide in the Platinum Edition.
  • Balances loads at Layer 4 in Standard and Layer 7 content switching in Platinum.
  • Limited DoS/DDoS in Standard Edition; full DoS/DDoS with Layer 7 filtering in Platinum Edition.
  • Layer 4 and layer 7 traffic shaping and prioritized queues in Platinum Edition.
  • Geolocation and ratio/weight balancing capable in Platinum Edition.
  • GSLB protects against failures of servers in Platinum Edition.
  • AppFirewall HTML plus XML security in Platinum Edition.
  • Customer-managed appliance configuration.
  • Requires an appliance or appliances for each site implementation.
  • Priced as an individual appliance.
  • No integration with SoftLayer Auto Scale.
Citrix NetScaler MPX (Hardware NetScaler)
  • Physical appliance for App acceleration (consolidated with load balancer); default is Enterprise Edition, which is upgradable to Platinum Edition.
  • Acts as a reverse proxy.
  • SSL offload processing in hardware for much higher SSL performance than the VPX.
  • Can be deployed in 2-node Active/Failover HA Configuration.
  • Deployment as a physical appliance eliminates shared hypervisor resources.
  • Optimized delivery speed of web-based applications with throughput depending on model and encryption.
  • Global traffic can be managed enterprise wide.
  • Balances loads at Layer 4 and Layer 7 content switching.
  • Full DoS/DDoS with Layer 7 filtering.
  • Layer 4 and Layer 7 traffic shaping and prioritized queues.
  • Geolocation and ratio/weight balancing capable.
  • GSLB protects against failures of servers and sites.
  • AppFirewall HTML plus XML security in Platinum Edition.
  • Customer-managed appliance configuration.
  • Requires an appliance or appliances for each site implementation.
  • Priced as an individual appliance.
  • No integration with SoftLayer Auto Scale.
Local Load Balancer
  • Deployed as a SoftLayer Managed Service.
  • Major Layer 4 services are balanced.
  • Fully integrated with the SoftLayer Auto Scale feature.
  • Supports web browser session persistence load balancing options.
  • Purchased based on the required number of connections per second of throughput.
  • On-demand pool for adding or removing servers.
  • For larger deployments, a dedicated hardware appliance may also be purchased.
  • Inability to re-encrypt forwarded traffic to web servers.
  • Can be deployed in a High Availability (HA) cluster configuration.
  • SSL Encryption Offload is an available upgrade option.
  • Public load balancing only (cannot load balance traffic on the private network).
  • Must be deployed on a per-datacenter basis.
  • Layer 4 traffic shaping only; does not support Layer 7.
NginX
  • Open Source, no licenses to purchase.
  • Can be completely customized to the workload.
  • Geolocation and ratio/weight balancing capable.
  • No support available through SoftLayer.
  • No Auto Scale integration.
  • Higher maintenance (must manage the operating system as well).
  • No management console (CLI and config files only).
Dyn.com
  • Geolocation and ratio/weight balancing capable.
  • No provisioning on the private network.

Firewall

Considerations and Caveats

Option Considerations Caveats
Brocade vRouter (Vyatta) Gateway Appliance
  • Dedicated firewall that is deployed on a bare metal server.
  • Can be deployed in an HA configuration with Virtual Router Redundancy Protocol (VRRP).
  • A fully configurable and customizable router and firewall.
  • 10Gbps interface speeds are available.
  • Custom routing allows networks to span across SoftLayer datacenters and pods.
  • Supports multiple VLANs whether in public or private networks.
  • Can perform Network Address Translation (NAT).
  • Can be used to create a site-to-site virtual private network (VPN) [Internet Protocol Security (IPsec)], as well as SSL VPN tunnels, including OpenVPN.
  • Can be used on both private and public networks.
  • Administrator can define security by zone or interface.
  • Discrete firewall rule definitions can be applied to individual IP addresses or across entire user-defined zones.
  • Able to mitigate synchronize (SYN) packet flood attacks, a form of distributed denial of service (DDoS), by using Transmission Control Protocol (TCP) SYN cookie functionality.
  • Able to limit connection attempts on a per-port basis with hold-down timers.
  • Able to blacklist specific IP address ranges, further reducing the network's exposure to attacks.
  • Stateful packet inspection; VLAN-level protection.
  • Ingress and egress firewall rules.
  • Firewall bandwidth options: 100Mbps, 1Gbps, and 10Gbps.
  • Not managed via the SoftLayer portal; must use the vRouter HTTPS or SSH interface.
  • Customer-managed solution, which may require training.
  • Additional skill and training may be required to build and secure.
  • Higher complexity in setup; training required.
  • Cannot be used in direct succession with the Fortinet Security Appliance (FSA).
Fortinet FortiGate Security Appliance (FSA)
  • Dedicated physical appliance firewall.
  • Can be deployed in an HA configuration.
  • Can be used to create a site-to-site VPN (IPSec) as well as SSL VPN tunnels.
  • Options to export configurations for backup, HA, and DR.
  • Provides limited Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) functionality.
  • Stateful packet inspection; VLAN-level protection.
  • Ingress and egress firewall rules.
  • Firewall bandwidth: 1Gbps.
  • Can perform Network Address Translation (NAT).
  • Not managed via the SoftLayer portal; the administrator must use the FortiGate UI.
  • Customer-managed solution.
  • Only available for Internet-facing networks (public).
  • Does not support multiple VLANs within the SoftLayer environment.
  • Cannot be used in direct succession with the Brocade vRouter (Vyatta) Gateway Appliance or VyOS.
Firewall as a Service (FWaaS) offering - VLAN-based
  • Managed by SoftLayer.
  • Configure rules through the SoftLayer customer portal or API calls.
  • Protects a public VLAN.
  • Not deployable in an HA configuration.
  • Cannot customize the firewall features or functions.
  • No egress security (inbound filtering only).
  • Must be purchased on a per VLAN basis for each public network.
  • Cannot be used to create site-to-site VPN connections.
  • Only available for Internet-facing networks (public).
Firewall as a Service (FWaaS) offering - host-based
  • Managed by SoftLayer.
  • Configure rules through the SoftLayer customer portal or API calls.
  • Protects individual servers and VMs.
  • Delegate firewall configuration to the owners of each service instance.
  • Not deployable in an HA configuration.
  • Cannot customize the firewall features or functions.
  • No egress security (inbound filtering only).
  • Must be purchased on a per VLAN basis for each public network.
  • Cannot be used to create site-to-site VPN connections.
  • Only available for Internet-facing networks (public).
VyOS
  • Deployed by customer via vyos.net.
  • No cost for the software.
  • Deployable on a virtual instance.
  • Managed by the customer for greater flexibility and control.
  • Similar considerations to the Brocade vRouter (Vyatta) Gateway Appliance, subject to the network speeds of a virtual instance.
  • Community driven technical support.
  • No API, GUI, or TACACS+; managed via SSH terminal only.
  • Customer-managed solution, which may require training.
  • Higher complexity in setup; training required.
  • Cannot be used in direct succession with FSA.

Virtual Private Network (VPN)

Considerations and Caveats

Option Considerations Caveats
Brocade vRouter (Vyatta) Gateway Appliance
  • Managed through the vRouter web GUI.
  • Support through SoftLayer.
  • Redundant 1 Gbps uplinks.
  • Available with abundant VPN encryption options.
  • Managed by the customer for greater flexibility and control.
  • Only supported on bare metal configurations.
  • VPN traffic flows over the metered public network.
  • Customer-managed solution which may require training.
Fortinet FortiGate Security Appliance (FSA)
  • Redundant 1Gbps uplinks.
  • Available with abundant VPN encryption options.
  • Managed and unmanaged.
  • Only get access to one front-end VLAN per device.
  • VPN traffic flows over the metered public network.
Out-of-band VPN
  • Comes with a separate out-of-band network.
  • Available with SSL VPN and Point-to-Point Tunneling Protocol (PPTP) VPN "out of the box".
  • Not redundant.
  • Not intended for production or bidirectional traffic.
SoftLayer Direct Link
  • Click here for considerations when using SoftLayer Direct Link.
  • Requires a high-speed WAN connection.
VyOS
  • Deployed by customer via vyos.net.
  • No cost for the software.
  • Deployable on a virtual instance.
  • Managed by the customer for greater flexibility and control.
  • Community driven technical support.
  • No API, GUI, or TACACS+; managed via SSH terminal only.
  • Customer-managed solution, which may require training.
  • VPN traffic flows over the metered public network.

Compute

Considerations and Caveats

Option: Virtual Server Considerations Caveats
Public/Public Cloud
  • Quick provisioning time; often within 15 minutes.
  • Supports 10Mbps, 100Mbps, or 1Gbps network connections.
  • Available for use with Auto Scale user interface (UI) or API.
  • Deployable from a large selection of operating systems.
  • Local or storage area network (SAN) based storage.
  • No network link redundancy for public or private networks.
  • Primary disk options are limited; only two local disks for shared input/output (I/O) and single links for each of the public, private, and management virtual LANs (VLANs).
  • Multitenant environments may provide challenges for attaining regulatory compliance.
Private/Private Cloud
  • All the advantages of public virtual servers.
  • Single tenant.
  • Can be used with different regulatory requirements.
  • No network link redundancy for public or private networks.
  • Primary disk options are limited; only two local disks for shared I/O and single links for each of the public, private, and management VLANs.
  • Subsequent "private virtual servers" will be co-located on the same physical hypervisor server.
  • Auto Scale is only available through the Auto Scale APIs.
Option: Dedicated Considerations Caveats
Monthly deployment - Physical Server/Bare Metal Server
  • Single tenant.
  • The most flexible hardware configuration option of any instance type.
  • Redundant power and network options.
  • Network speeds up to 10Gbps.
  • Can reach full Payment Card Industry (PCI) compliance and other compliance standards.
  • Longest provisioning time.
  • No Auto Scale capability.
Hourly deployment - Bare Metal/Bare Metal Server
  • Short provisioning times; often less than one hour.
  • Single tenant.
  • Can reach full PCI compliance and other compliance standards.
  • Fixed configurations; only orderable with preset hardware configurations.
  • No upgrades to RAM or disks after provisioning.
  • Cannot select specific network VLAN when deployed.
  • No Auto Scale capability.

Storage

Considerations and Caveats

Options Considerations Caveats
Network Attached Storage (NAS)
  • Support only for Common Internet File System (CIFS), which is the Microsoft Windows native file sharing protocol.
  • Legacy offering.
  • Not designed to deliver consistent I/O performance.
Performance Storage - Block
  • Granular control over input/output operations per second (IOPS).
  • Connects to the servers via iSCSI, a block-level storage protocol.
  • More flexibility in provisioning, e.g., higher IOPS on smaller volumes.
  • Ability to achieve up to 6,000 IOPS.
  • Concurrent access to multiple hosts.
  • Maximum capacity of 12 TB.
  • No replication functions.
  • Cannot automatically scale the storage volume.
Performance Storage - File
  • Granular control over IOPS.
  • Connects to the server via Network File System (NFS), which is a file sharing protocol.
  • More flexibility in provisioning, e.g., higher IOPS on smaller volumes.
  • Ability to achieve up to 6,000 IOPS.
  • Concurrent access for multiple hosts.
  • Maximum capacity of 12 TB.
  • NFS version 3 or 4.1 (no pNFS).
  • NFS only; CIFS not supported.
  • Cannot automatically scale the storage volume.
  • No replication functions.
  • Does not presently support Microsoft Windows.
Endurance Storage - Block
  • Connects to the servers via iSCSI, a block-level storage protocol.
  • Ability to schedule point-in-time snapshots.
  • Creates replicas in other datacenters with support for failover and failback in disaster recovery (DR) scenarios.
  • Available in three IOPS performance tiers (0.25, 2.0, and 4.0) to support varying application needs.
  • Ability to achieve over 6,000 IOPS.
  • Protects the integrity of the data and maintains availability during maintenance events and unplanned failures without the need to create and manage operating system-level redundant array of independent disks (RAID) arrays.
  • Concurrent access for multiple hosts.
  • Maximum capacity of 12 TB.
  • Volume size is scaled based on performance; higher performance requires larger volumes.
  • Cannot automatically scale the storage volume.
Endurance Storage - File
  • Connects to the server via NFS, which is a file sharing protocol.
  • Ability to schedule point-in-time snapshots.
  • Create replicas in other datacenters with support for failover and failback in DR scenarios.
  • Available in three IOPS performance tiers (0.25, 2.0, and 4.0) to support varying application needs.
  • Ability to achieve over 6,000 IOPS.
  • Protects the integrity of the data and maintains availability during maintenance events and unplanned failures without the need to create and manage operating system-level RAID arrays.
  • Concurrent access for multiple hosts.
  • Maximum capacity of 12 TB.
  • NFS version 3 or 4.1 (no pNFS).
  • Volume size is scaled based on performance; higher performance requires larger volumes.
  • Cannot automatically scale the storage volume.
  • Does not presently support Microsoft Windows hosts.
QuantaStor
  • Integrated SoftLayer offering; it is the automated provisioning of Storage Server software.
  • Replication for DR.
  • Integrated with Object Storage for backing up and archiving.
  • Scale out NAS with GlusterFS; not suitable for IOPS intense workloads.
  • Volume snapshot and cloning.
  • Can serve iSCSI, NFS (3, 4), and Server Message Block 2 (SMB2) storage; also Fibre Channel (FC), but not in SoftLayer.
  • May be configured with solid state drives (SSD) for caching or performance.
  • Configuration and management of the appliance is not provided by SoftLayer.
Microsoft Windows 2012 File Server Cluster
  • High availability (HA) provided through integration with Microsoft's Failover Clustering.
  • Deduplication including on Cluster Shared Volumes (CSVs).
  • Works with iSCSI, SMB3, CIFS, and NFS (version 2, 3, and 4.1) storage.
  • No volume and snapshot cloning [only virtual machine (VM) based].
  • Manual cluster and file server software configuration required.
  • Controlled and managed by Microsoft Windows.

Backup

Considerations and Caveats

Options Considerations Caveats
R1 Soft Server Backup Manager (Idera)
  • Performs incremental block-level backups; multiple recovery points; and remote datacenter backup.
  • Verification (disk safe) to detect corruption, disk safe replication, and encryption; central management console.
  • Includes SQL plugins and no additional licensing is needed for cost effectiveness.
  • Additional responsibility for server maintenance and software installation.
  • Lack of support of network-mounted volumes.
eVault
  • Performs incremental file-level backups; encryption and compression; and remote datacenter backup.
  • Deployment of additional server infrastructure is not needed.
  • Automated provisioning and license management is not required.
  • Provisioned per server.
  • No centralized console for agents; one console per agent.
Object Storage
  • Saves money as it's the least expensive storage option and is ideal for long-term storage.
  • Able to store SoftLayer Standard and Flex Images.
  • Requires backup software specifically designed to work with Object Storage.
Snapshots and Image Templates
  • Deployment of the infrastructure is not required.
  • Replication of snapshots and inexpensive image templates.
  • Lack of file-level recovery points, incremental backup of options, and plugins for databases and other environments.
Bring your own license (BYOL)
  • Flexibility in solution choice.
  • No monthly licensing option from SoftLayer.

Disaster Recovery (DR)

Considerations and Caveats

Option Consideration Caveats
Backup Software
  • Minimal, if any, server requirements for DR site; hardware deployed only during recovery operations.
  • Does not require a special disaster recovery or hot-site infrastructure, or any special license.
  • May involve long recovery times for large volumes of data.
  • The recovery physical or virtual servers must be deployed prior to the recovery.
Image Templates
  • Minimal, if any, server requirements for DR site; hardware deployed only during recovery operations.
  • Does not require a special disaster recovery or hot-site infrastructure, or any special license.
  • Least expensive solution with minimal operational expenses and effort.
  • May involve long recovery times for large volumes of data.
  • Unless created regularly, the images may be out of date.
  • Only applies to virtual servers (any OS) and physical servers running Microsoft Windows or Red Hat Linux.
Database and Filesystem Replication
  • Currency of data is configurable (typically 15 minutes).
  • Native database and filesystem support (no additional licenses for DR functionality).
  • Quick recovery time, no requirement for data restoration or server deployments during the recovery operation.
  • Only applies to the file and database servers.
  • Requires some pre-built infrastructure at the recovery site (increased cost).
  • Additional software licensing costs.
Rackware Solution
  • Currency of data is configurable for all tiers.
  • Not restricted to database and file servers.
  • Supported for Microsoft Windows and Linux servers.
  • No requirements to build web and application servers as part of recovery process.
  • Requires full pre-built infrastructure at recovery site.
  • Additional licensing cost and configuration.
  • No transactional integrity for database servers.

Reverse Proxy

Considerations and Caveats

Option Consideration Caveats
Fortinet FortiGate Security Appliance (FSA)
  • Hardware accelerated SSL offload (consolidate with firewall).
  • Can be deployed in an HA cluster configuration.
  • Limited IPS and IDS functions.
  • No Authentication Gateway function.
  • No SSL pass through to web servers.
  • No proxy capability.
  • Customer-managed configuration.
Citrix NetScaler VPX (Virtual NetScaler)
  • Virtual appliance for App acceleration (consolidated with load balancer) available in Standard Edition and Platinum Edition.
  • Acts as a proxy with load balancing.
  • SSL offload processing in software plus Gateway modes (separate from load balancer).
  • Can be deployed in 2-node Active/Failover High Availability (HA) configuration.
  • Deployment as a virtual appliance reduces cost and maintenance.
  • Limited DoS/DDoS in Standard Edition; full DoS/DDoS with Layer 7 filtering in Platinum Edition.
  • GSLB protects against failures of servers and sites in Platinum Edition.
  • AppFirewall HTML plus XML security in Platinum Edition.
  • Customer-managed configuration.
Citrix NetScaler MPX (Hardware NetScaler)
  • Physical appliance for App acceleration (consolidated with load balancer); default is Enterprise Edition, which is upgradable to Platinum Edition.
  • Acts as a proxy with load balancing.
  • SSL offload processing in hardware for much higher SSL performance over VPX.
  • Can be deployed in 2-node Active/Failover HA configuration.
  • Deployment as a physical appliance eliminates shared hypervisor resources.
  • Full DoS/DDoS with Layer 7 filtering.
  • GSLB protects against failures of servers and sites.
  • AppFirewall HTML plus XML security in Platinum Edition.
  • Customer-managed configuration.