
Global Traffic Manager (GTM)

Fast, secure DNS and optimized global application delivery.

Joe Cassidy
F5 Networks
Field Systems Engineer | Major Accounts Central

Global Server Load Balancing Overview


No matter what happens, customers expect your website to be available 24x7. Implementing a highly available data
center is a first step, but multi-data center high availability keeps your apps accessible in the event of a disaster or when
systems go offline.

Global load balancing solutions from F5 allow you to spread workloads across multiple data centers. You can route traffic
geographically and implement secure and scalable DNS to improve your business continuity and user experience.

Global Traffic Manager (GTM)

BIG-IP Global Traffic Manager (GTM) improves the performance and availability of your applications by intelligently directing users to
the closest or best-performing physical, virtual, or cloud environment.

Using high-performance DNS services, BIG-IP GTM scales and secures your DNS infrastructure from DDoS attacks, and it delivers a
complete, real-time DNSSEC solution that protects against hijacking attacks—all in one high-availability solution.

One feature of GTM is to serve as a wide-area load balancer (GSLB) that uses DNS resolution as its traffic management
mechanism, but many more DNS services are achievable with F5 solutions.

Achieve Faster Application Performance & Availability


BIG-IP GTM directs your users to the nearest data center that will provide the best application experience. This ensures your
distributed applications are always fast and available. BIG-IP GTM employs a range of global load balancing methods and intelligent
monitoring specific to each application and each user. It also routes traffic according to your business policies and current network
and user conditions.
• Chooses the closest or best performing data center
• Continuously monitors application availability
• Routes traffic based on business logic to available applications

Get high-performance DNS & Security


BIG-IP GTM scales to over 10 million responses per second (RPS) to manage rapid increases in DNS queries. Using a set of features
that includes multicore scalability, DNS Express, and IP Anycast integration, BIG-IP GTM handles millions of queries to deliver
high-speed DNS query responses, protects your organization from DDoS attacks, and ensures top performance for users. With DNS
caching and resolving, BIG-IP GTM enables fast, same-site responses in a shorter period of time.
• Ensures users have access to apps during volume spikes
• Keeps your DNS infrastructure dynamic and available
• Speeds web browsing, thanks to an 80 percent latency reduction

Avoid latency and improve performance with geo-location


Users are increasingly intolerant of website performance issues and expect sites to be delivered in a localized manner. With global
load balancing solutions, you can direct users to the closest or best-performing data center—enabling IT staff to determine
whether performance or localization is more important when serving customer needs.
• Use geo-location to route traffic when localization is key.
• Select the best-performing site when response time is most important.
• Automatically redirect users to an alternate site when trouble occurs at the first choice.

Support both IPv6 & IPv4 environments


While IPv6 is accepted as inevitable, the need to support IPv4 will not go away soon. Many data centers run on IPv4, and the cost to
migrate can be prohibitive. But supporting newer IPv6 devices is mandatory to stay competitive. F5 offers a strategic point of control
to support both DNS environments.
• Direct IPv6 and IPv4 traffic to the appropriate servers for each.
• Translate IPv6 to IPv4 and back to support both protocols from a single set of servers.

Gain complete DNSSEC for globally distributed data centers


Typical global server load balancing can leave local DNS servers and your infrastructure open to DNS cache poisoning and other
attacks. BIG-IP GTM solves this with real-time, signed responses for every query, protecting your users and your business while
providing the benefits of high-performance global traffic management. In addition, CPU-intensive DNSSEC validation computations
are offloaded to BIG-IP GTM to ensure rapid responses. GTM also integrates with Hardware Security Modules (HSMs)
from third-party vendors for implementation, centralized management, and secure handling of DNSSEC keys, delivering lower OpEx,
consolidation, and FIPS compliance.

F5 Global Traffic Manager (GTM) vs. Cisco Global Site Selector (GSS)

It is somewhat difficult to compare Cisco’s Global Site Selector (GSS) to F5’s Global Traffic Manager (GTM) as it would be
like comparing a Yugo to a Ferrari. The GSS is a simple Global Server Load Balancer (GSLB) compared to GTM which is an
intelligent global traffic delivery solution with advanced DNS services. The following will outline a few of the
features/capabilities that F5 provides that the Cisco GSS does not.

What Makes GTM Different?


GTM is different because it provides intelligent and automatic load balancing of applications across data centers and
improves application performance. Using high-performance hardware, GTM load balances requests based on the
implementation of business logic of when and how to transition users. GTM can also determine the best resource
based on the user’s location by using the built-in geo-location database. GTM provides continuous monitoring of your
entire infrastructure, including network and application health which ensures application availability to end users and
the best experience possible. GTM also uses dynamic failover of sessions between data centers during outages and
maintains persistence for stateful applications to prevent broken sessions. GTM works with a DNSSEC environment by
using F5’s real-time DNS request signing to secure and validate its answers.

Intelligent DNS Services:

High Performance DNS (DNS Caching)


DNS Express manages authoritative DNS queries by transferring zones to its own RAM. In this architecture, F5 DNS Services only
has to open the DNS query packet once, as long as the request is for an address that is in the zone that was transferred to DNS
Express. DNS Express simplifies a single processing instance of the DNS query to significantly improve the performance of F5 DNS
Services. With DNS Express, each individual core of each BIG-IP device can answer approximately 125,000 to 200,000 requests per
second.

DNS Security (DNSSEC and DNS iRules)


DNS is a key part of initial requests for Internet transactions, so organizations are at particular risk for hijacked DNS sessions or
denial of service (DoS) to DNS. These attacks have led to the development of DNS Security Extensions (DNSSEC) standards, which
secure DNS requests and ensure that the proper DNS server is answering them. DNSSEC adds the authentication and signed
responses that identify the DNS servers, which ensures that DNS responses come from a known and authorized DNS server. Uptake
of the DNSSEC standards was initially slow, but has significantly increased since January 2010.

DNS64 (IPv6 AAAA Resolution)


DNS64 allows LTM systems to handle IPv6-only client connection requests to IPv4-only servers on your network by returning an
AAAA record response to the client. Also known as IPv6 to IPv4 NAT resolution, this is a companion technology to LTM's native
ability to NAT IPv6 addresses to IPv4.
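
The AAAA synthesis described above, as an added example that is not F5's implementation: it follows the address mapping of RFC 6052 and the "synthesize only when no real AAAA exists" rule of RFC 6147. The function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

WELL_KNOWN_PREFIX = "64:ff9b::/96"        # RFC 6052 well-known NAT64 prefix
VALID_LENGTHS = (32, 40, 48, 56, 64, 96)  # the only lengths RFC 6052 allows
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def embed_ipv4(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Build the IPv4-embedded IPv6 address (RFC 6052 section 2.2)."""
    net = ipaddress.IPv6Network(prefix)
    v4 = ipaddress.IPv4Address(ipv4)
    if net.prefixlen not in VALID_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{net.prefixlen}")
    # The well-known prefix must not carry private (RFC 1918) addresses.
    is_wkp = net == ipaddress.IPv6Network(WELL_KNOWN_PREFIX)
    if is_wkp and any(v4 in n for n in RFC1918):
        raise ValueError(f"{v4} is private; use a network-specific prefix")
    out = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8
    for octet in v4.packed:
        if pos == 8:          # bits 64-71 (the "u" octet) must stay zero
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def dns64_answer(a_records, aaaa_records, prefix=WELL_KNOWN_PREFIX):
    """Return the AAAA set a DNS64 resolver hands to an IPv6-only client."""
    if aaaa_records:          # a real AAAA exists: never synthesize over it
        return [ipaddress.IPv6Address(r) for r in aaaa_records]
    return [embed_ipv4(r, prefix) for r in a_records]


if __name__ == "__main__":
    # Constructed sample data using documentation address ranges.
    print(dns64_answer(["192.0.2.33"], []))
    print(dns64_answer(["192.0.2.33"], ["2001:db8::10"]))
    print(embed_ipv4("192.0.2.33", "2001:db8:122:300::/56"))
```

Synthesized AAAA records carry no signature from the zone owner, so a validating client behind DNS64 cannot verify them itself; RFC 6147 has the resolver validate the original A answer before synthesizing.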

IP Anycast (Route Health Injection)


Scaling Internet servers and making them redundant usually results in multiple servers for single URLs. When administrators create
DNS entries for these fully qualified domain names (FQDNs), they enter multiple IP addresses as either multiple A records for IPv4
or multiple AAAA records for IPv6. DNS responses typically include either the list of appropriate IP addresses or just the first
address listed for the FQDNs.

F5 DNS Services use IP Anycast, also called Route Health Injection (RHI), to determine the closest and most available Internet
server address to return for each DNS request. This methodology increases reliability, performance, and security.

Multicore (CMP) BIG-IP v11
The first step to protecting a DNS infrastructure is to enable it to scale out GSLB and DNS performance by using CMP
(multicore CMP available with GTM v11) technology on the BIG-IP system. Even dedicated and streamlined DNS servers
can only handle tens of thousands of DNS queries per second, and they are very expensive. With BIG-IP CMP, GTM and
DNS Services can run across multiple CPU cores, enabling high-performance query resolution and user access to
applications even during spikes. CMP enables BIG-IP to scale query performance with the number of cores. Each core
is able to resolve more than 130k queries per second.

Enhanced Monitoring
It's not enough to measure connectivity or even status codes; Application Delivery Controllers need to be able to provide
health monitoring of the full stack. GTM coupled with LTM will provide the most robust application health monitoring
for a data center environment.

Summary
One of the biggest differentiators between Cisco GSS and the F5 GTM is the obvious interoperability that you get
between GTM and other F5 solutions. The GTM provides much more awareness of your server load balancing
environment with LTM and the applications behind those LTMs. F5 offers a lot of intelligent DNS services that provide
DNS security with DNSSEC, DNS D/DoS protection, and DNS iRules as well as providing for a more resilient, better
performing DNS infrastructure with DNS Express, DNS caching, IP Anycast & CMP.
