
I need help deciding on a redundant WAN design for an internally hosted web application

We have a web application we developed, which we sell access to. We have eliminated all single points of failure from the firewall back to the application (firewall clusters, redundant switching, VMware cluster, SQL cluster, load balanced web servers, etc.). However, we only have a single 15mb fiber WAN link to our ISP. We are generally pretty small time, but have made some creative designs that got us this far.

However, I'd like to make the WAN link redundant for incoming traffic.

Our firewalls (SonicWall 2400s) support WAN redundancy, and will load balance outbound traffic.

How do I provide inbound redundancy for the web servers?

I can get a metro wireless (4G, 6mb down / 1mb up) connection for under $100/mo. I would want it only as a FAILOVER for incoming traffic. I don't want to load balance, unless I can direct MOST of the traffic to the fiber link.

I've read some about BGP, but it looks like it will be too "big" for me (requires at least a /24 IP range, and potentially some expensive hardware, etc).  Can you do BGP cheaply/simply? Also, it seems BGP doesn't let you control which incoming route users will take, and I prefer they all go through the fiber link unless it's down.

Are there any DNS tricks, or anything else, I can set up that provide failover? Even if it's not immediate, can we at least get something that will automatically switch over within a few minutes?

Aside from the ISP cost, I want to do something that's well south of $1,000.


1 Solution
These are some possibilities. Some of those you already mentioned; I add my comments to help you understand them better:

A) BGP
You need at least a class C (/24) addressing space, fill in all the forms to apply for and register your subnet, a router (or 2 for redundancy) that has enough memory to handle the BGP routing table (512M or more), and 2 or more ISPs willing to help you advertise BGP. Aside from the router, everything else doesn't cost that much money. With today's technology, a router w/ 512M of RAM is not that expensive any more.
If you can afford it, BGP is the best solution. It also allows you to control which route to take in your case.

B) DNS
You can also use DNS to direct user traffic when the primary link is down. This is probably the cheapest way to achieve this. However, many organizations (e.g. AOL etc.) cache DNS. Even if you change your DNS, there is no guarantee that your intended user will get the most updated DNS resolution. Typically most sites will not update a DNS record in less than 4 hrs.

C) use of colo or other reliable internet connection
If you happen to have a colo or some location that already has a redundant internet connection, there are ways you can take advantage of that to relay the traffic. e.g. In your case, you can use a bank of reverse proxies in the colo that can query your internal server(s). Since you can configure your reverse proxy to take multiple routes and talk to multiple servers, this moves the failure point out to the colo. In a more general sense, I am able to set up router(s) in the colo to relay through multiple tunnels to my in-house servers.

D) application specific
For some applications it doesn't matter which server answers the query, as long as some server does. Some other applications will automatically retry if the primary server cannot be reached.

E) Use 3rd party service
Some 3rd parties provide services (e.g. Akamai) that have servers all over the world to serve clients' applications. Typically they use a combination of B & C above.

You can combine the methods above to provide multiple levels of fail-safe protection.
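The DNS approach in option B, as an added example that is not part of the answer above: a small failover controller that probes the primary (fiber) link, switches the published A record to the 4G address only after several consecutive failures (and fails back only after sustained health, so a flapping link does not bounce the record), renders the record with a low TTL, and bounds how long a TTL-honouring resolver keeps the stale answer. All IPs, the zone name and the probe results are constructed; as the answer notes, resolvers that ignore TTLs can take far longer.

```python
"""DNS-based WAN failover controller (constructed example for this thread)."""
from dataclasses import dataclass

PRIMARY_IP = "203.0.113.10"    # constructed: public IP on the fiber link
FAILOVER_IP = "198.51.100.20"  # constructed: public IP on the 4G link
RECORD_TTL = 60                # seconds; low so well-behaved resolvers re-query soon


@dataclass
class FailoverController:
    fail_threshold: int = 3    # consecutive failed probes before leaving primary
    ok_threshold: int = 5      # consecutive good probes before returning (hysteresis)
    active: str = PRIMARY_IP
    fails: int = 0
    oks: int = 0

    def observe(self, primary_up: bool) -> str:
        """Feed one probe result; return the IP the A record should carry now."""
        if primary_up:
            self.fails, self.oks = 0, self.oks + 1
            if self.active == FAILOVER_IP and self.oks >= self.ok_threshold:
                self.active = PRIMARY_IP
        else:
            self.oks, self.fails = 0, self.fails + 1
            if self.active == PRIMARY_IP and self.fails >= self.fail_threshold:
                self.active = FAILOVER_IP
        return self.active


def zone_record(host: str, ip: str, ttl: int = RECORD_TTL) -> str:
    """Render the A record as it would appear in a BIND-style zone file."""
    return f"{host}\t{ttl}\tIN\tA\t{ip}"


def worst_case_switch_seconds(probe_interval: int, fail_threshold: int, ttl: int) -> int:
    """Upper bound on stale answers for a resolver that honours the TTL:
    time to detect the outage plus one full TTL of cached data."""
    return probe_interval * fail_threshold + ttl


if __name__ == "__main__":
    ctl = FailoverController()
    # constructed probe sequence: fiber link dies, then recovers
    for up in [True, False, False, False, True, True, True, True, True]:
        print(zone_record("www.example.com.", ctl.observe(up)))
    print(worst_case_switch_seconds(30, 3, RECORD_TTL), "s worst case (TTL-honouring resolvers)")
```

The controller only decides which address to publish; pushing that record to the authoritative zone (dynamic update, provider API, zone file reload) is whatever your DNS host supports.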
sunstoned (Author) commented:
Thanks for the comments. I'd like to know more about B, and how to configure that. Seems like that might be the best way to go for now, as an easy/cheap solution.
