Do Load Balancing Routers Help in Site-to-Site VPN Setups?

Multi-office enterprises are increasingly dependent on services managed and provided from their regional headquarters data centers, often including public, private and/or hybrid cloud architectures. This puts additional pressure on the SLAs of the WAN links at the branch offices in terms of performance and reliability. High availability of the WAN links is a necessity, not a luxury anymore.

IPsec-based VPN tunnels (or, increasingly, SSL-based ones; keep an eye on my upcoming blog about IPsec vs. SSL) are the primary choice of today’s enterprises. It is important to look at two methods that IT managers can use to add reliability, manage latency, and increase throughput within their budget: load balancing routers and broadband bonding routers.

Load Balancing Routers

One approach is to utilize a legacy link load-balancing firewall, which can send a given flow over only one of the WAN links in your VPN setup. In SMB (Small and Medium-sized Business) environments, load balancing might be an acceptable approach. In branch office connectivity, however, the traffic boils down to a single session, namely the site-to-site VPN between the branch and the headquarters data center. All traffic is encapsulated inside that single session, so the load-balancing router lacks the ability to add any significant value to the VPN setup. There is no performance gain, since the single VPN session only traverses one of the WAN links plugged into the link load balancer. There is some level of redundancy, but the VPN breaks when the WAN link carrying that VPN traffic goes down: a VPN outage rather than a seamless failover.

Broadband Bonding Firewalls

With broadband bonding firewalls, however, the single VPN session is intelligently split into smaller pieces and sent over the multiple WAN links. This has three primary advantages for the inter-office VPN session that link load balancers lack:

  • High availability via session continuity: when one of the WAN links carrying part of the VPN traffic goes down, the bonding tunnel between the bonding firewalls shields the higher layers (in this case, the VPN application) from the packet loss and therefore from the outage. The net effect is that the VPN session is kept alive: a complete and seamless VPN failover.
  • High performance: because of the true aggregation of the ISP connections, the speed of that connection will be the sum of the speeds of the individual lines.
  • Less expensive bandwidth: in most cases, a similarly performing WAN connection would not be available from a single service provider, or if there is one, it would be very expensive. In essence, broadband bonding provides a method for IT managers to build, monitor and manage their own WAN links. It even gives them the power of utilizing multiple ISPs simultaneously (e.g. they can aggregate several DSL or cable lines and even T1 or MPLS lines to create a high-end WAN link very cost effectively).
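The contrast drawn above (a per-flow load balancer pins the whole VPN session to one link and loses it when that link fails, while bonding stripes packets across all links and reorders them at the far end) can be seen in a small simulation. The code below is an added example written for this post, not Mushroom Networks' code or any product's algorithm: the two WAN links, their capacities and latencies, the gateway addresses (RFC 5737 documentation ranges) and the packet stream are all constructed, and the bonding scheduler is a simple "earliest finish time" striping rule chosen for illustration.

```python
"""Constructed simulation: per-flow WAN link load balancing versus packet-level
broadband bonding for one site-to-site VPN session (example, not vendor code)."""
import hashlib
from dataclasses import dataclass

# Constructed WAN links: name -> (capacity in Mbit/s, one-way latency in ms)
LINKS = {"dsl": (20.0, 30.0), "cable": (100.0, 15.0)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    seq: int    # order in which the VPN gateway emitted the packet
    size: int   # bytes on the wire


def constructed_vpn_flow(count=5000, size=1400):
    """One IPsec NAT-T (UDP/4500) session between the branch and HQ gateways.
    Addresses are RFC 5737 documentation ranges, not real hosts."""
    return [Packet("203.0.113.10", "198.51.100.1", 17, 4500, 4500, i, size)
            for i in range(count)]


def flow_hash(pkt):
    """5-tuple hash, as a per-flow load balancer computes it: every packet of
    the VPN session has the same 5-tuple, so it always lands on the same link."""
    key = f"{pkt.src}|{pkt.dst}|{pkt.proto}|{pkt.sport}|{pkt.dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def _serialize(busy_until, link, size):
    """Queue `size` bytes on `link`; return the time (ms) the packet arrives."""
    cap_mbps, latency = LINKS[link]
    busy_until[link] += size * 8 / (cap_mbps * 1000)   # serialization in ms
    return busy_until[link] + latency


def per_flow_load_balance(packets, fail_link=None, fail_at=0):
    """Per-flow LB: throughput is capped at one link's capacity, and if that
    link dies at packet `fail_at` the session has no path (packets are lost
    until the VPN re-negotiates, which this model does not attempt)."""
    names = sorted(LINKS)
    busy_until = {n: 0.0 for n in names}
    carried = {n: 0 for n in names}
    arrivals = []
    for pkt in packets:
        link = names[flow_hash(pkt) % len(names)]
        if link == fail_link and pkt.seq >= fail_at:
            continue                       # chosen link is down: VPN breaks
        carried[link] += pkt.size
        arrivals.append((_serialize(busy_until, link, pkt.size), pkt.seq))
    return summarize(carried, arrivals, len(packets))


def bonding(packets, fail_link=None, fail_at=0):
    """Bonding: each packet carries a bonding sequence number and is striped
    over whichever live link would finish sending it first; the far end puts
    packets back in sequence. A dead link is simply removed from the stripe
    set, so the VPN session above the tunnel never sees the outage."""
    names = sorted(LINKS)
    busy_until = {n: 0.0 for n in names}
    carried = {n: 0 for n in names}
    arrivals = []
    for pkt in packets:
        live = [n for n in names if not (n == fail_link and pkt.seq >= fail_at)]
        if not live:
            raise RuntimeError("all WAN links down: nothing can shield this")
        link = min(live, key=lambda n: busy_until[n] + pkt.size * 8 / (LINKS[n][0] * 1000))
        carried[link] += pkt.size
        arrivals.append((_serialize(busy_until, link, pkt.size), pkt.seq))
    return summarize(carried, arrivals, len(packets))


def summarize(carried, arrivals, expected):
    """Receiver view: count on-the-wire reordering, run the reorder buffer,
    and report whether the session arrived intact plus effective throughput."""
    arrivals.sort()                                    # wire arrival order
    reordered = sum(1 for i in range(1, len(arrivals))
                    if arrivals[i][1] < arrivals[i - 1][1])
    delivered = sorted(seq for _, seq in arrivals)     # reorder buffer output
    duration_ms = max([t for t, _ in arrivals], default=1.0)
    total_bits = sum(carried.values()) * 8
    return {
        "carried": carried,
        "delivered": len(delivered),
        "intact": delivered == list(range(expected)),
        "reordered_on_wire": reordered,
        "throughput_mbps": round(total_bits / (duration_ms * 1000), 1),
    }


if __name__ == "__main__":
    flow = constructed_vpn_flow()
    pinned = [n for n, b in per_flow_load_balance(flow)["carried"].items() if b]
    print("per-flow LB, no failure:", per_flow_load_balance(flow))
    print("per-flow LB, pinned link fails:", per_flow_load_balance(flow, pinned[0], 2500))
    print("bonding, no failure:", bonding(flow))
    print("bonding, cable fails:", bonding(flow, "cable", 2500))
```

Running it shows the three points of the list: the load balancer puts every byte of the session on a single link and delivers only the packets sent before that link fails, while the bonded tunnel uses both links, reports an aggregate throughput above either link alone, and still delivers every packet in order when one link drops mid-session. The non-zero "reordered_on_wire" count for bonding is the price of striping over links with different latencies, and is why the receiving end needs a reorder buffer.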

Cahit Akin, CEO, Mushroom Networks, Inc.

Mushroom Networks is the provider of SD-WAN (Software Defined WAN) and NFV solutions capable of Broadband Bonding that enables self-healing WAN networks that route around network problems such as latency, jitter and packet loss.


One thought on “Do load balancing routers help in site-to-site VPN setups?”

  1. This is really so good to see this topic on routers and VPN. I am also facing the same problem with a load balancer setup, but up until now I didn’t know there was a solution. The described setup and router sound like the right solution. I want to say a well-penned article.


© 2004 – 2024 Mushroom Networks Inc. All rights reserved.
