The field of the invention is load balancing, and in particular using a firewall to perform load balancing.
A known load balancer is configured as a proxy server that receives a packet of information, performs some analysis on the packet to select a destination server, and then forwards the packet to the selected server. However, in order to perform load balancing on a packet, the packet must be addressed by its sender to the balancer, not to the packet""s actual intended destination. This disadvantageously adds an additional layer of complexity in the addressing scheme for the sender to obtain service from the destination server. Further, a known balancer performs substantial analysis of each packet, which absorbs processor resources of the balancer, adds a delay to the delivery of the packet to its actual intended destination, and increases the chances that a packet will be erroneously dropped.
A firewall regulates the flow of packetized information. A packet includes a header and a payload. The header includes header information (header parameters), which can include a source and destination address for the packet, as well as source and destination port numbers, a protocol number, a physical location identifier, flags, a priority indicator (ROUTINE, URGENT, etc.), security information, etc. The payload includes the data meant to be conveyed by the packet from its source to its intended destination. A known firewall is placed between the packet""s source and intended destination, where it intercepts the packet. A known firewall filters a packet based upon the packet""s header parameters and a rule loaded into the firewall. The rule correlates a pattern in the header of a packet with a prescribed action, either PASS or DROP. The filter identifies the rule that applies to the packet based upon the packet""s header, and then implements the rule""s prescribed action. When a DROP action is performed, the packet is blocked (deleted), and does not reach its intended destination. When a PASS action is performed, the packet is passed on toward its intended destination. The set of rules loaded into a firewall reflect a security policy, which prescribes what type of information is permissible to pass through the firewall, e.g., from which source, to which destination, for which applications, etc.
The analysis performed by a firewall in deciding what action to perform with respect to a packet is much less extensive than the analysis performed by a known load balancer in deciding where to route a packet. Therefore, a firewall action on a packet can be performed more quickly and with less burden on a processor than can a known load balancer. Also, a packet need not be addressed to a firewall in order to be acted on by the firewall, unlike a known load balancer. Thus, a firewall advantageously acts on a packet transparently, i.e., without requiring any special action on the part of the packet""s sender.
In accordance with an embodiment of the present invention, a packet is received at a firewall, which implements a rule and refers the packet to a load balancing proxy. The proxy performs a load balancing analysis at the load balancing proxy. Based on the results of the load balancing analysis, the proxy determines a load balancing rule, which is implemented by the firewall. At the end of the session to which the received packet belongs, the load balancing rule is deleted at the firewall.
The present invention provides at least two advantages over the prior art. Load balancing using a firewall is transparent to the sender compared with known load balancers, which are not transparent. The sender can advantageously address its packets to their intended destination, and need not specially address the packet to an intermediary, as with a load balancer. Also, the routing performed by a firewall implementing a rule is much quicker and more efficient than the routing performed by a load balancer.