Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Known performance issue while using Knox

avatar
Rising Star

Any one notice any performance for degradation while having all clients accessing services via rest over KNOX? It see for me Knox is not a good solution for low latency applications. thoughts?

1 ACCEPTED SOLUTION

avatar

Knox is a proxy and as such does add overhead. At a simplistic level, this overhead can be broken down into five areas:

  1. Authentication and authorization - The additional time required to perform authentication and authorization.
  2. Connection creation - The additional time required to setup the connection between Knox and the backend service.
  3. Data transport - The additional time required physically move the request and response data through the Knox server unaltered.
  4. Request and response processing - The additional time imposed by processing done to the request and response data stream.
  5. SSL termination - The additional time imposed by SSL encryption if the direct connection to the service would otherwise not occur over a secure connection.

We try to set expectations at around +0.5 to +1.0 in terms of overhead, yielding a 1.5x to 2.0x increase in overall response times. These types of numbers are of course highly generalized and may vary significantly based on the use case. For example, as you point for very small requests and responses the connection creation time may disproportionately dominate overall and produce a higher relative overhead.

View solution in original post

2 REPLIES 2

avatar

Knox is a proxy and as such does add overhead. At a simplistic level, this overhead can be broken down into five areas:

  1. Authentication and authorization - The additional time required to perform authentication and authorization.
  2. Connection creation - The additional time required to setup the connection between Knox and the backend service.
  3. Data transport - The additional time required physically move the request and response data through the Knox server unaltered.
  4. Request and response processing - The additional time imposed by processing done to the request and response data stream.
  5. SSL termination - The additional time imposed by SSL encryption if the direct connection to the service would otherwise not occur over a secure connection.

We try to set expectations at around +0.5 to +1.0 in terms of overhead, yielding a 1.5x to 2.0x increase in overall response times. These types of numbers are of course highly generalized and may vary significantly based on the use case. For example, as you point for very small requests and responses the connection creation time may disproportionately dominate overall and produce a higher relative overhead.

avatar

Knox provides solution for perimeter security and like any security component, (encryption or authorization) does add overhead to the processing time. With that said, in order to determine whether a security tool is needed or not, performance is not considered as a deciding factor. We can load balance the traffic across multiple knox instances to distributed the load to avoid too much degradation in performance.