Link Load Balance

The Link Load Balance menu contains the features and configuration options for link load balancing.

This section is organized into the following sub-menu topics:

Link load balancing basics

The link load balancing (LLB) features are designed to manage traffic over multiple internet service provider (ISP) or wide area network (WAN) links. This enables you to subscribe to or provision multiple links, resulting in reduced risk of outages, additional bandwidth for peak events, and potential cost savings if your ISP uses billing tiers based on bandwidth rate or peak/off-peak hours.

In most cases, you configure link load balancing for outgoing traffic. Outbound traffic might be user or server traffic that is routed from your local network through your ISP transit links, leased lines, or other WAN links to destinations on the Internet or WAN. You configure link policies that select the gateway for outbound traffic.

When the FortiADC system receives outbound traffic that matches a source/destination/service tuple that you configure, it forwards it to an outbound gateway link according to system logic and policy rules that you specify.

The LLB feature supports load balancing among link groups or among virtual tunnel groups.

Using link groups

The link group option is useful for ISP links. It enables you to configure multiple ISP links that are possible routes for the traffic. The LLB picks the best route based on health checks, LLB algorithms, bandwidth rate thresholds, and other factors you specify, including a schedule.

LLB link groups shows an example topology when FortiADC is deployed to support link groups.

LLB link groups

Using virtual tunnels

A virtual tunnel is a good choice when you want to load balance traffic from applications that embed the source address in the packet payload, like VPN and VoIP traffic. Such traffic can be difficult to load balance using traditional LLB methods. Virtual tunnels enable reliable, site-to-site connectivity using Generic Routing Encapsulation (GRE). The local FortiADC appliance encapsulates traffic so that it can be routed according to your link policy rules. The link policy rules use LLB techniques to identify the best available route among a group of links. If one of the links breaks down, the traffic can be rerouted through another link in the tunnel group. When traffic egresses the remote FortiADC appliance, it is decapsulated and the original source and destination IP addresses are restored.

WAN connectivity over single leased lines shows an example of a deployment that does not use LLB. It uses dedicated leased lines for its WAN links, which are reliable, but expensive.

WAN connectivity over single leased lines

LLB virtual tunnels shows the same network deployed with FortiADC appliances. The LLB link policy load balances traffic among more affordable ADSL links.

LLB virtual tunnels

Depending on your business, you might use the link group option, the virtual tunnel option, or both.

The FortiADC system evaluates traffic to determine the routing rules to apply. With regard to link load balancing, the system evaluates rules in the following order and applies the first match:

  1. LLB link policy
  2. Policy route
  3. Static/Dynamic route
  4. LLB default link group
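The first-match order above, as an added Python model for predicting which egress a flow takes when auditing a configuration. It is not FortiADC code or CLI; all rule names, addresses and rates are constructed. It assumes rules within a stage are checked in list order and that a gateway over its bandwidth threshold is skipped.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    """One match rule; fields left at their defaults match anything."""
    target: str                       # link group, tunnel group or next hop
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    service: Optional[tuple] = None   # (protocol, port); None matches any service

    def matches(self, src_ip, dst_ip, service):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.service in (None, service))

@dataclass
class Gateway:
    name: str
    healthy: bool           # result of the health check
    rate_mbps: float        # current measured rate
    threshold_mbps: float   # configured bandwidth threshold

def resolve(flow, link_policies, policy_routes, static_routes, default_group):
    """Return (stage, target) for the first stage that has a matching rule."""
    stages = [("LLB link policy", link_policies),
              ("Policy route", policy_routes),
              ("Static/Dynamic route", static_routes)]
    for stage, rules in stages:
        for rule in rules:
            if rule.matches(*flow):
                return stage, rule.target
    # Nothing matched: the default link group is the last resort.
    return "LLB default link group", default_group

def eligible_gateways(group):
    """Names of gateways that pass the health check and are under threshold."""
    return [g.name for g in group if g.healthy and g.rate_mbps < g.threshold_mbps]

# Constructed sample configuration (documentation address ranges).
LINK_POLICIES = [Rule("tunnel-group-1", src="10.1.0.0/16", service=("udp", 5060)),
                 Rule("isp-group", src="10.0.0.0/8", service=("tcp", 443))]
POLICY_ROUTES = [Rule("192.0.2.1", src="10.2.0.0/16")]
STATIC_ROUTES = [Rule("192.0.2.254", dst="198.51.100.0/24")]
DEFAULT_GROUP = "default-isp-group"
ISP_GROUP = [Gateway("isp-a", True, 95.0, 90.0),    # over threshold
             Gateway("isp-b", False, 10.0, 100.0),  # health check failed
             Gateway("isp-c", True, 40.0, 100.0)]
```

A flow from 10.2.0.5 on TCP 443 matches both a link policy and a policy route; the link policy wins because it is evaluated first.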

Link load balancing configuration overview

The system has a configuration framework that enables granular link load balancing rules.

LLB configuration summary shows the configuration objects used in the LLB configuration and the order in which you create them. A link policy specifies the source/destination/service matches to which the policy applies. You apply a link policy to a link group or a virtual tunnel.

LLB configuration summary

The granular configuration of gateways includes health checks and bandwidth thresholds. The granular configuration of link groups includes load balancing methods, persistence rules, and proximity routes.

The granular configuration of virtual tunnels includes load balancing methods. In the virtual tunnel configuration, you can enable health check tests, but you do not use health check configuration objects.

Basic steps
  1. Add address, address group, service, service group, and schedule group configuration objects that can be used to match traffic to link policy rules. This step is recommended. If your policy does not use match criteria, it will not have granularity.
  2. Configure optional features. If you want to use health check rules, configure them before you configure the gateway links. If you want to use persistence rules or proximity routes, configure them before you configure a link group.
  3. Configure gateway links.
  4. Configure link groups or virtual tunnels.
  5. Configure the link policy. When you configure a link policy, you set the source/destination/service matching tuple for your link groups or virtual tunnels.
