Recommended Topology - DDoS Protection For Networks


12/19/24, 3:48 PM Recommended Topology: DDoS Protection for Networks

Cloud Application and Network Security


Recommended Topology: DDoS Protection for Networks


Last Updated Sep 24, 2023

This topic describes Imperva’s guidelines and recommendations for customer setup that provides maximum service availability, performance, and functionality.
This topology is recommended for both always-on and on-demand DDoS Protection for Networks customers.

Service Availability
Imperva has a global network of data centers, also referred to as Imperva PoPs. (For the full list, see Imperva Data Centers (PoPs).) When you connect your network to
Imperva, we advertise your network to transit providers from our PoPs all across the world using Anycast. After traffic is scrubbed, the legitimate traffic is sent to your data
center through several dedicated connections between your data center(s) and the Imperva PoPs.
Each of your data centers should be connected to at least 2 Imperva data centers to make sure service is available during failure or planned PoP maintenance. At least one
of these connections should be to a high capacity PoP (listed in the onboarding instructions here: Add a GRE Tunnel Connection).

Note:

To ensure 100% availability, each customer data center should be connected to 3 Imperva PoPs.
If you have multiple data centers, you can connect to the same or different Imperva PoPs.

Connecting to multiple Imperva PoPs ensures service availability by Imperva. Failures which would impact service availability can also occur at your end or even at your
ISP. Therefore, it is recommended that you use redundant endpoint routers and redundant ISP connections when connecting your data centers to Imperva PoPs.

Service Performance
For best performance, consider the following when setting up connections between your data centers and the Imperva PoPs:

Choose Imperva PoPs that minimize latency, as well as other performance KPIs such as packet loss and jitter. In most cases, this is achieved by connecting to
Imperva PoPs that are geographically closest to your data centers.

https://docs.imperva.com/bundle/cloud-application-security/page/network-ddos/network-topology.htm 1/3

Note: It is also worthwhile considering the ISP, as in some cases, a connection through one ISP has lower latency than through another, due to peering
agreements between transit providers.

It is recommended to reinforce your setup with a redundant connection if the following apply:

You see significant performance differences between the different connections of your data center to the selected Imperva PoPs (e.g. a difference of
several 10s of milliseconds), and

a significant portion of the traffic to your network is scrubbed at the Imperva PoP with the best performance that you are connecting to. This would typically
happen if both your data center and many of the users sending traffic to it are in proximity to that PoP.

Each Imperva PoP contains two tunnel endpoints (external routers). When you connect to both endpoints, traffic continues to flow through the alternate
connection in the event of local router failure, and does not fail over to a less preferable connection to a different PoP.

Note: Failover to a connection from a different PoP can still occur in some scenarios, such as in the event of a complete PoP failure.

Note: To make sure you set the right priority, you can use traffic manipulation techniques such as AS prepend or local preference to prioritize the
additional tunnel to Endpoint 2 in the primary PoP. For details, see BGP Community Support Option.

Link monitoring considerations


Imperva's link performance monitoring collects performance KPIs of the connections between your data center and the Imperva PoPs you connect to. This is achieved by
continuous polling of your endpoints (using ICMP echo messages) from the Imperva PoPs. For details on Imperva's link performance monitoring capability, see Configure
Performance Monitoring: DDoS Protection for Networks.
Proper performance collection mandates that the ICMP echo replies travel the same path as the ICMP echo requests. If multiple connections between the same endpoint
in your data center and the same Imperva PoP are used, proper link performance monitoring cannot be guaranteed. This can lead to inaccurate KPIs displayed in the
performance dashboard. Such a topology should be avoided if possible by using multiple endpoints in your data center.
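
The availability and link monitoring guidelines above can be checked against a tunnel inventory before onboarding. The following is an added example, not Imperva code or tooling: the Tunnel record, the audit function, and all PoP, router and ISP names are hypothetical, and the high capacity PoP set is a placeholder for the list in the onboarding instructions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Tunnel:
    dc: str            # customer data center
    router: str        # customer endpoint router terminating the tunnel
    isp: str           # ISP carrying the tunnel
    pop: str           # Imperva PoP (placeholder names below)
    pop_endpoint: int  # 1 or 2: each PoP contains two tunnel endpoints

def audit(tunnels, high_capacity_pops):
    """Return {data_center: [findings]} for the guidelines on this page."""
    by_dc = defaultdict(list)
    for t in tunnels:
        by_dc[t.dc].append(t)
    report = {}
    for dc, ts in by_dc.items():
        findings = []
        pops = {t.pop for t in ts}
        if len(pops) < 2:
            findings.append("FAIL: connected to fewer than 2 PoPs")
        elif len(pops) < 3:
            findings.append("WARN: 3 PoPs are needed for 100% availability")
        if not pops & set(high_capacity_pops):
            findings.append("FAIL: no connection to a high capacity PoP")
        if len({t.router for t in ts}) < 2:
            findings.append("WARN: single endpoint router")
        if len({t.isp for t in ts}) < 2:
            findings.append("WARN: single ISP")
        # ICMP echo replies must return on the path the requests took; this
        # cannot be guaranteed when one router has several tunnels to one PoP.
        for (router, pop), n in Counter((t.router, t.pop) for t in ts).items():
            if n > 1:
                findings.append(f"WARN: {router} has {n} tunnels to {pop}; "
                                "link KPIs may be inaccurate")
        report[dc] = findings
    return report

# Constructed inventory: dc-east reaches both endpoints of pop-1 from one router.
SAMPLE = [
    Tunnel("dc-east", "rtr-a", "isp-1", "pop-1", 1),
    Tunnel("dc-east", "rtr-a", "isp-1", "pop-1", 2),
    Tunnel("dc-east", "rtr-b", "isp-2", "pop-2", 1),
    Tunnel("dc-west", "rtr-c", "isp-1", "pop-3", 1),
]
HIGH_CAPACITY = {"pop-1"}  # placeholder, not Imperva's actual list

if __name__ == "__main__":
    for dc, findings in audit(SAMPLE, HIGH_CAPACITY).items():
        print(dc, *(findings or ["OK"]), sep="\n  ")
```

In the constructed inventory, dc-east is flagged because rtr-a terminates the tunnels to both endpoints of pop-1; moving the Endpoint 2 tunnel to rtr-b clears that finding while keeping the in-PoP redundancy.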

See also:


Add a GRE Tunnel Connection


BGP Community Support Option

Configure Performance Monitoring: DDoS Protection for Networks

Imperva Data Centers (PoPs)
