The purpose of this document is to help an administrator determine the number and locations of Umbrella Virtual Appliances (VAs) in their environment. Each customer network environment is different, and this guide is meant to help you, the sysadmin, make an informed decision about how many VAs to deploy and where they should be situated. The key factors are meeting the hardware prerequisites, the network latencies between hops, and the overall number of Umbrella Sites and users for each VA.
What is a Virtual Appliance
The Virtual Appliance (VA) is a non-caching conditional DNS forwarder. It is a virtualized machine that uses Ubuntu as its OS, and lives in a virtualized environment. Its purpose is to append identity information to external queries sent up to Umbrella. The prerequisites for the virtualized environment follow.
Virtualized Server Environment Prerequisites
VMware ESXi 4.1 update 2 and newer
Windows Server 2008 R2 Server with the Hyper-V Role or Hyper-V Server 2008
Windows Server 2012 (Standard or Datacenter), Windows Server 2012 SP1 (Standard or Datacenter) or Windows Server 2012 R2 (Standard or Datacenter) with Hyper-V role installed and configured
Number of dedicated CPU cores per Virtual Appliance: minimum of 1
Amount of memory per Virtual Appliance: 512MB minimum
Hard drive space per Virtual Appliance: 6.5GB
For guidance in sizing, increasing the number of CPU cores on a VA will improve its performance, but the amount of RAM allocated to the machine must scale along with the number of CPU cores present. A good rule of thumb is allocating 512MB of RAM per CPU core on the VA. For example, a VA deployed with 2 CPU cores should have 1GB of RAM available.
The full spec of hardware requirements can be found here: https://support.umbrella.com/hc/en-us/articles/231266168-Quick-Start-Virtual-Appliances-Stage-1-Getting-Ready
In order for the VAs to properly communicate with Umbrella for information and updates, please be sure to review the applicable network prerequisites here.
The number and location of VAs deployed in your environment will depend on the following:
Latency between VA and Umbrella anycast resolvers
Latency between users and the VAs
Number of Umbrella Sites
Number of users served by the VAs
In general, clients on the network have the best web browsing experience when the time to retrieve web resources is under 300ms. This total time to obtain web resources (such as documents, images, and stylesheets) includes both the time to retrieve a DNS response and the time needed to establish a connection with the server indicated in the DNS response. Umbrella aims to minimize the distance that a DNS packet must travel from a client device to our DNS resolvers. However, we do not control the responsiveness of those web servers or how traffic from various locations on the Internet is routed.
TOTAL TIME = Time to retrieve DNS response + Time to retrieve a web resource
There are two factors to consider when optimizing DNS response time: the distance between the VA and Umbrella anycast resolvers, and the distance between the client and the VA.
The VA, when deployed, will forward all externally-bound DNS requests to Umbrella anycast resolvers, 220.127.116.11 and 18.104.22.168. When measuring the latency between the VA and the closest Umbrella datacenter, we recommend an average DNS response time under 150ms for the best user experience.
When determining where to deploy VAs in your environment, you will want to take into account the distance between the clients that will utilize the VAs and the VAs themselves. For optimal performance, an average ping time between a client and the VM host on which the VA lives should not exceed 50ms.
Number of Umbrella Sites
The Sites feature in Umbrella allows administrators to segregate their Umbrella deployments. Each Umbrella Site is an isolated deployment in which the components will only communicate with other components in the same Umbrella Site.
This is primarily useful in environments containing locations with high-latency connections or in environments with locations whose internal IP space overlaps.
We require each Umbrella Site to have at least two VAs deployed. This will ensure high availability and that VAs are receiving timely updates from Umbrella.
Number of users per VA
A typical VA deployed with the minimum hardware requirements has a maximum throughput of 4500 queries per second.
Taking into account these metrics, a single VA can handle DNS requests from at least 150,000 concurrent users. We have defined a single user as a client that generates an average of 1000 DNS requests in a typical eight-hour work day. Concurrent users are the number of users or devices sending DNS requests to a VA at the same time.
In the end, the number of users on the network likely will NOT be the limiting factor when determining the number of VAs to deploy.
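The sizing factors above can be checked together for each Umbrella Site. The following is an added example, not Umbrella tooling: the site names, latency samples and the peak_factor parameter are assumptions constructed for illustration, while the thresholds and capacities are the ones quoted in this guide.

```python
import math
from statistics import mean

# Thresholds and capacities quoted in the guide above.
MAX_VA_TO_UMBRELLA_MS = 150    # avg DNS response time, VA -> Umbrella anycast
MAX_CLIENT_TO_VA_MS = 50       # avg ping, client -> VM host running the VA
MIN_VAS_PER_SITE = 2           # required for high availability and updates
VA_MAX_QPS = 4500              # throughput of a minimum-spec VA
RAM_MB_PER_CORE = 512          # rule of thumb: RAM scales with CPU cores
AVG_QPS_PER_USER = 1000 / (8 * 3600)  # 1000 requests per eight-hour day

def ram_for_cores(cores):
    """RAM (MB) to allocate to a VA with the given number of CPU cores."""
    return cores * RAM_MB_PER_CORE

def plan_site(site, peak_factor=3):
    """Return VA count and threshold violations for one Umbrella Site.

    peak_factor (peak/average query rate) is an assumption, not from the guide.
    """
    peak_qps = site["users"] * AVG_QPS_PER_USER * peak_factor
    vas = max(MIN_VAS_PER_SITE, math.ceil(peak_qps / VA_MAX_QPS))
    issues = []
    if mean(site["va_to_umbrella_ms"]) >= MAX_VA_TO_UMBRELLA_MS:
        issues.append("VA-to-Umbrella DNS response time is not under 150 ms")
    if mean(site["client_to_va_ms"]) > MAX_CLIENT_TO_VA_MS:
        issues.append("client-to-VA ping exceeds 50 ms; host VAs closer to clients")
    return {"site": site["name"], "vas": vas, "peak_qps": round(peak_qps),
            "issues": issues}

# Constructed measurements (milliseconds) for two hypothetical sites.
SITES = [
    {"name": "HQ", "users": 20000,
     "va_to_umbrella_ms": [22, 31, 27], "client_to_va_ms": [3, 5, 4]},
    {"name": "Branch", "users": 400,
     "va_to_umbrella_ms": [180, 165, 172], "client_to_va_ms": [72, 80, 65]},
]

if __name__ == "__main__":
    for s in SITES:
        print(plan_site(s))
```

For the constructed HQ site, 20,000 users need only the two-VA minimum, so the VA count is set by the per-Site requirement rather than by user load, while the Branch site is flagged on both latency thresholds.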