Balancing Rules

On the Network Protection > Server Load Balancing > Balancing Rules tab you can create load balancing rules for Sophos UTM on AWS Software. After having created a rule, you can additionally define weight distribution between servers and set interface persistence.

To create a load balancing rule, proceed as follows:

  1. On the Balancing Rules tab, click New Load Balancing Rule.

    The Add Load Balancing Rule dialog box opens.

  2. Specify the following settings:

    Service: The network service you want to balance.

    Virtual server: The original target host of the incoming traffic. Typically, the address will be the same as the gateway's external address.

    Real servers: The hosts that will in turn accept traffic for the service.

    Tip – For how to add a network definition, see Definitions & Users > Network Definitions > Network Definitions.

    Check type: Select one of the following check types to monitor the service.

    • TCP: TCP connection establishment
    • UDP: UDP connection establishment
    • Ping: ICMP Ping
    • HTTP host: HTTP requests
    • HTTPS hosts: HTTPS requests

    When using UDP, a ping request is sent first; if it succeeds, it is followed by a UDP packet with a payload of 0. If the ping fails or the server answers with an ICMP port unreachable message, the server is regarded as down. For HTTP and HTTPS checks you can enter a URL, either with or without hostname, e.g. index.html or http://www.example.com/index.html.

    Interval: Enter a check interval in seconds. The default is 15 seconds, i.e., every 15 seconds the health status of all real servers is checked.

    Timeout: Enter a maximum time span in seconds for the real servers to send a response. If a real server does not respond during this time, it will be regarded as dead.

    Automatic firewall rules (optional): Select this checkbox to automatically generate firewall rules. These rules allow forwarding traffic from any host to the real servers.

    Shutdown virtual server address (optional): This checkbox can be enabled only if you use an additional address (see chapter Interfaces > Additional Addresses) as the virtual server for load balancing. If all real servers become unavailable, the interface of that additional address is then shut down automatically.

    Comment (optional): Add a description or other information.

  3. Click Save.

    The new rule appears on the Balancing Rules list.

  4. Enable the load balancing rule.

    The new rule is disabled by default (toggle switch is gray). Click the toggle switch to enable the rule.

    The rule is now enabled (toggle switch is green).

To either edit or delete a rule, click the corresponding buttons.

Example: Suppose that you have two HTTP servers in your DMZ with the IP addresses 192.168.66.10 and 192.168.66.20, respectively. Assume further that you want to distribute HTTP traffic arriving on the external interface of your gateway equally to both servers. To set up a load balancing rule, select or create a host definition for each server; you may call them http_server_1 and http_server_2. Then, in the Create New Load Balancing Rule dialog box, select HTTP as Service. In addition, select the external address of the gateway as Virtual server. Finally, put the host definitions into the Real servers box.

Weight Distribution and Interface Persistence

To distribute weight between the real servers of a load balancing rule and/or to set interface persistence for them, do the following:

  1. Click the Edit button of a load balancing rule.

    The Edit Load Balancing Rule dialog box opens.

  2. Click the Scheduler button on the header of the Real servers box.

    The Edit Scheduler dialog window opens.

  3. Specify the following settings:

    Weight: Weight can be set from 0 to 100 and specifies how much traffic a server processes relative to all other servers. A weighted round robin algorithm is used for this; a higher value means more traffic is routed to the respective server. The values are evaluated relative to each other, so they need not add up to 100. For example, you can have a configuration where server 1 has the value 100, server 2 the value 50 and server 3 the value 0. Here, server 2 gets only half the traffic of server 1, whereas server 3 only comes into action when none of the other servers is available. A value of zero means that another server with a higher value is always chosen if one is available.

    Persistence: Interface persistence is a technique which ensures that subsequent connections from a client are always routed over the same uplink interface. Persistence has a default timeout of one hour. You can also disable interface persistence for this balancing rule.

  4. Click Save.

    The Edit Scheduler dialog window closes and your settings are saved.

  5. Click Save.

    The Edit Load Balancing Rule dialog box closes.
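The scheduler behaviour described under Weight (relative weights, weight 0 as fallback only, servers leaving rotation when their health check fails), as an added Python model; this is not Sophos code and not part of this documentation. The class and server names are assumptions, and the "smooth" credit-based weighted round robin used here is one common realisation of weighted round robin, not necessarily the UTM's own implementation.

```python
from dataclasses import dataclass

@dataclass
class RealServer:  # hypothetical model of one entry in the Real servers box
    name: str
    weight: int           # 0-100, relative to the other servers
    healthy: bool = True  # result of the last TCP/UDP/Ping/HTTP(S) check

class WeightedRoundRobin:
    """Weights are relative and need not sum to 100; weight-0 servers get
    traffic only when no positive-weight server is healthy."""

    def __init__(self, servers):
        self.servers = list(servers)
        self._credit = {s.name: 0 for s in self.servers}

    def _pool(self):
        up = [s for s in self.servers if s.healthy]
        primary = [s for s in up if s.weight > 0]
        return primary or [s for s in up if s.weight == 0]

    def pick(self):
        pool = self._pool()
        if not pool:
            return None  # every real server failed its health check
        eff = {s.name: (s.weight or 1) for s in pool}  # fallback tier: equal shares
        for s in self.servers:  # smooth weighted round robin over the current pool
            self._credit[s.name] = self._credit[s.name] + eff[s.name] if s in pool else 0
        chosen = max(pool, key=lambda s: self._credit[s.name])
        self._credit[chosen.name] -= sum(eff.values())
        return chosen

def distribute(lb, connections):
    """Count how many of `connections` picks each real server receives."""
    counts = {s.name: 0 for s in lb.servers}
    for _ in range(connections):
        chosen = lb.pick()
        if chosen is not None:
            counts[chosen.name] += 1
    return counts

def demo():  # constructed scenario using the page's weights 100, 50 and 0
    s1, s2, s3 = RealServer("server_1", 100), RealServer("server_2", 50), RealServer("server_3", 0)
    lb = WeightedRoundRobin([s1, s2, s3])
    normal = distribute(lb, 150)     # {'server_1': 100, 'server_2': 50, 'server_3': 0}
    s1.healthy = s2.healthy = False  # both weighted servers fail their checks
    fallback = distribute(lb, 4)     # {'server_1': 0, 'server_2': 0, 'server_3': 4}
    s1.healthy = True                # server_1 recovers; server_3 leaves rotation
    recovered = distribute(lb, 3)    # {'server_1': 3, 'server_2': 0, 'server_3': 0}
    return normal, fallback, recovered
```

A rule whose real servers are all down selects nothing, which is the situation the Shutdown virtual server address option is meant to handle.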