Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Measure Oracle Cloud Infrastructure Web Application Firewall Latency Impact on Oracle Cloud Infrastructure Load Balancer
Introduction
In this tutorial, we benchmark the performance impact of Oracle Cloud Infrastructure Web Application Firewall (OCI WAF) on an OCI Load Balancer using Siege, a high-performance HTTP(s) load testing tool.
By running Siege tests against the OCI Load Balancer with and without OCI WAF enabled, we measure key performance metrics such as latency, throughput, transaction rate, and concurrency. The goal is to understand how much overhead OCI WAF introduces and determine its trade-offs between security and performance.
This benchmarking will help assess whether enabling OCI WAF significantly affects response times and whether the benefits of added security outweigh the performance cost in a high-traffic environment.
In this tutorial, we will deploy a private OCI Load Balancer with an attached regional OCI WAF to analyze its impact on latency. The architecture consists of:
- Private Load Balancer: Operates in a private subnet, distributing traffic securely across backend servers.
- Regional WAF: Inspects and filters incoming HTTP traffic before forwarding it to the OCI Load Balancer.
- Backend Servers: Two or three Apache Tomcat instances running in private subnets, serving web traffic over Transport Layer Security (TLS) end-to-end.
- Siege Load Testing Tool: Generates HTTP traffic to simulate real-world load and measure latency impact.
Why is this Tutorial Essential?
Security and performance are two critical factors in modern cloud applications. While OCI WAF helps protect against cyber threats, it can introduce additional latency that impacts user experience. Understanding how OCI WAF affects performance in an OCI Load Balancer with end-to-end TLS is crucial for architects and engineers aiming to optimize both security and responsiveness.
This tutorial provides a practical approach to measuring OCI WAF-induced latency. For more information about OCI WAF, see OCI WAF.
What is Oracle Cloud Infrastructure Flexible Network Load Balancer?
A flexible load balancer in OCI is a fully managed service that automatically distributes HTTP, HTTPS, and TCP traffic across multiple backend servers. It provides scalability, high availability, and traffic management without requiring manual intervention. OCI Flexible Network Load Balancer can be easily configured with SSL/TLS termination, OCI WAF integration, and advanced routing features to meet the needs of modern applications. For more information, see Oracle Cloud Infrastructure Flexible Network Load Balancer.
Architecture
This architecture shows one client virtual machine (VM) running the Siege HTTPS benchmark utility, connecting to a private load balancer with a local/regional OCI WAF attached, and three different Apache Tomcat backend servers that also use HTTPS. We will test the load balancer with and without OCI WAF.
Audience
This tutorial is for cloud architects, DevOps engineers, and security professionals working with OCI Load Balancer and OCI WAF. If you need to optimize security without compromising performance, you can use this tutorial.
Objectives
- Evaluate the latency and bandwidth impact that regional OCI WAF introduces to OCI Flexible Network Load Balancer. Throughout this tutorial, users will learn how to set up Siege as an HTTP(S) benchmarking tool and configure OCI WAF within OCI Flexible Network Load Balancer.
Prerequisites
- An active OCI tenancy. You must have the necessary permissions to create and manage network resources in OCI.
- A basic understanding of Linux Operating System, OCI, Oracle Linux, including how to install and configure software in Linux.
- A good understanding of how to use the OCI Console to create and manage network resources.
- A good understanding of how to use and configure OCI Flexible Network Load Balancer and OCI WAF.
Task 1: Deploy Networking Component (VCN, Subnets, OCI Load Balancer and OCI WAF)
- Deploy a Virtual Cloud Network (VCN) with at least three subnets (Siege, LB, and WebTier) in your tenancy, using an IPv4 CIDR of your choice or following the recommended architecture. For more information, see:
- Deploy an OCI Flexible Network Load Balancer with WAF in the OCI Load Balancer subnet. For more information, see:
For this test, we have loaded the OCI WAF policy with at least 300 recommended protection rules as follows:
Task 2: Deploy the VM(s) in the Subnets for Testing Purposes
We need to deploy an Oracle Linux 9 image on which to install the HTTP benchmark tool Siege and, later on, Apache Tomcat for the backend servers.
Refer to this documentation to create VM: Deploying the OCI Instance
You will need to deploy one VM for Siege in the client subnet.
Task 3: Install Siege on Oracle Linux
- Enable Extra Packages for Enterprise Linux (EPEL) repository in your Oracle Linux. For more information, see How To Enable EPEL Repository on Oracle Linux 8/9.
- Run the following command as root to install Siege.
    yum install siege
- Run the following command to verify the Siege version.
    siege -v
  You should see the current Siege version along with other help commands.
Task 4: Install Apache Tomcat on Oracle Linux
At this point, we have an OCI Flexible Network Load Balancer with no backend servers configured. Now, we will install the Linux version of Apache Tomcat on Oracle Linux 8 or 9.
- Deploy two or three Linux VMs in the Web Private subnet. For more information, see Deploying the OCI Instance.
- Install Apache web server on those VMs. For more information, see Install the Apache Web Server and Installing Tomcat on Oracle Linux in Oracle Cloud.
- Once you have the Apache web servers up and running, make sure the OCI Load Balancer subnet can reach the web private subnet, allowing HTTPS traffic to the web private subnet (port 443) from the OCI Load Balancer subnet. Now, in order to add the backend servers, refer to step 8 of Task 3: Configure OCI Load Balancer.
- Go to the OCI Console, navigate to Networking, Load balancers, Load balancer, Load balancer details, Backend sets, Backend set details and click Backends. You should see two backend servers.
Now, test OCI Load Balancer performance with and without OCI WAF.
Task 5: Siege Benchmark Analysis – OCI Load Balancer Performance With and Without OCI WAF
Now that we have the OCI Load Balancer and OCI WAF configured along with the backend servers, we need to take some initial steps to enable Siege to work over HTTPS connections.
We have used a lab certification authority (CA) certificate to sign the server certificates installed on the OCI Load Balancer and backend servers. However, we only need to focus on the OCI Load Balancer’s server certificate since the OCI Load Balancer will terminate the TLS connection and establish a second TLS connection to the backend servers. This second connection is transparent to Siege (the client).
For example, if your CA certificate file is called my-ca.crt:
- Upload my-ca.crt to your Linux machine and run the following command, which copies the CA certificate into the trusted CA store.
    sudo cp my-ca.crt /etc/pki/ca-trust/source/anchors/
- Run the following command to update the trusted CA store.
    sudo update-ca-trust extract
  or if you are using Oracle Linux 9,
    sudo update-ca-trust
- Run the following command to verify the installation.
    openssl verify /etc/pki/ca-trust/source/anchors/my-ca.crt
  and list all trusted certificates.
    trust list | grep "my-ca"
- Now, when Siege connects to the OCI Load Balancer through HTTPS, it will be able to verify the received certificate. We are using www.fwtest.com as the Common Name (CN) and Subject Alternative Name (SAN). Since we are not using a private DNS, simply add the following entry to your Linux /etc/hosts file:
    LB private IP www.fwtest.com
  For instance:
    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
    192.168.4.99 linux9-siege-intravcntest-v2.siegesubnet.vcn1inter.oraclevcn.com linux9-siege-intravcntest-v2
    192.168.6.237 www.fwtest.com # <--- Add this entry
- In order to get your load balancer private IP, navigate to Networking, Load Balancers, Load Balancer and click Load Balancer details.
- If you want to test the TLS connection, including the OCI Load Balancer server certificate you installed before, run the following command:
    openssl s_client -connect www.fwtest.com:443 -tls1_2
  You will get something like:
- Make a first test with Siege, 250 concurrent HTTPS clients using random HTTP header sizes.
    siege -c 250 -t1m --header="User-Agent: $(head -c 500 </dev/urandom | base64)" https://www.fwtest.com/request.php
    Lifting the server siege...
    Transactions: 237238 hits
    Availability: 100.00 %
    Elapsed time: 60.79 secs
    Data transferred: 192.67 MB
    **Response time: 27.81 ms**
    **Transaction rate: 3902.58 trans/sec**
    **Throughput: 3.17 MB/sec**
    Concurrency: 108.51
    **Successful transactions: 237421**
    Failed transactions: 0
    Longest transaction: 440.00 ms
    Shortest transaction: 0.00 ms
Now, run the same command without OCI WAF.
Lifting the server siege...
Transactions: 238843 hits
Availability: 100.00 %
Elapsed time: 60.54 secs
Data transferred: 193.98 MB
**Response time: 17.97 ms**
**Transaction rate: 3945.21 trans/sec**
**Throughput: 3.20 MB/sec**
Concurrency: 70.88
**Successful transactions: 239018**
Failed transactions: 0
Longest transaction: 540.00 ms
Shortest transaction: 0.00 ms
Performance Impact of OCI WAF (Siege Benchmark)
Key Metrics Comparison:
Metric | With OCI WAF | Without OCI WAF | Impact |
---|---|---|---|
Transactions | 237,238 | 238,843 | -1,605 (-0.67%) |
Availability (%) | 100.00 | 100.00 | No change |
Elapsed Time (s) | 60.79 | 60.54 | +0.25s |
Data Transferred (MB) | 192.67 | 193.98 | -1.31 MB (-0.68%) |
Response Time (ms) | 27.81 | 17.97 | +9.84 ms (+54.8%) |
Transaction Rate (trans/sec) | 3,902.58 | 3,945.21 | -42.63 trans/sec (-1.08%) |
Throughput (MB/sec) | 3.17 | 3.20 | -0.03 MB/sec (-0.94%) |
Concurrency | 108.51 | 70.88 | +37.63 (53.1% higher with OCI WAF) |
Observations and Key Takeaways:
- Increased Response Time:
  - The OCI WAF adds 9.84ms of latency per request (54.8% increase).
  - This is the most significant impact of enabling OCI WAF.
- Slightly Lower Throughput:
  - With OCI WAF: 3.17 MB/sec and without OCI WAF: 3.20 MB/sec (0.94% decrease).
  - The bandwidth loss due to OCI WAF is minor, about 1.31 MB over 60 seconds.
- Higher Concurrency with OCI WAF:
  - Concurrency jumps from 70.88 to 108.51, meaning more requests are waiting due to OCI WAF processing.
  - This aligns with the increased response time.
- Minimal Impact on Transaction Rate: The drop in transactions per second is only 1.08%, which is relatively low.
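The comparison above can be recomputed directly from the raw Siege summaries. The following is an added example, not part of the original tutorial (function names are illustrative): it parses the two runs shown on this page, recomputes the impact figures, and goes one step further by checking the reported concurrency against Little's law (transaction rate × response time), which explains why concurrency rises in step with latency.

```python
import re

# Summary lines copied from the two Siege runs on this page (bold markers dropped).
WITH_WAF = """Transactions: 237238 hits
Availability: 100.00 %
Elapsed time: 60.79 secs
Data transferred: 192.67 MB
Response time: 27.81 ms
Transaction rate: 3902.58 trans/sec
Throughput: 3.17 MB/sec
Concurrency: 108.51
"""
WITHOUT_WAF = """Transactions: 238843 hits
Availability: 100.00 %
Elapsed time: 60.54 secs
Data transferred: 193.98 MB
Response time: 17.97 ms
Transaction rate: 3945.21 trans/sec
Throughput: 3.20 MB/sec
Concurrency: 70.88
"""

# "Name: number unit" at line start; tolerates leading spaces or ** markers.
LINE = re.compile(r"^[* \t]*([A-Za-z ]+?):\s*([0-9.]+)", re.M)

def parse_siege(text):
    """Return {lower-cased metric name: float} for each summary line."""
    return {name.lower(): float(value) for name, value in LINE.findall(text)}

def impact(with_waf, without_waf):
    """(absolute, percent) change per metric; baseline is the run without WAF."""
    result = {}
    for key in with_waf.keys() & without_waf.keys():
        base = without_waf[key]
        delta = with_waf[key] - base
        pct = round(100 * delta / base, 2) if base else float("nan")
        result[key] = (round(delta, 2), pct)
    return result

def littles_law(run):
    """Predicted concurrency = transaction rate x response time.
    Assumes response time is reported in ms, as in the output on this page."""
    return run["transaction rate"] * run["response time"] / 1000.0

if __name__ == "__main__":
    waf, base = parse_siege(WITH_WAF), parse_siege(WITHOUT_WAF)
    for metric, (delta, pct) in sorted(impact(waf, base).items()):
        print(f"{metric:18} {delta:+10.2f} {pct:+8.2f}%")
    for label, run in (("with WAF", waf), ("without WAF", base)):
        print(f"{label}: reported {run['concurrency']}, predicted {littles_law(run):.2f}")
```

Pasting your own Siege summaries into the two strings gives the same table for your environment; a large gap between reported and predicted concurrency suggests the run was cut short or had failed transactions.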
Conclusion
- OCI WAF added latency of +9.84ms per request.
- Throughput and transaction rates see minor decreases of ~1%.
- Concurrency is much higher with OCI WAF, meaning more requests are waiting due to processing overhead.
- If security is a priority, the cost of OCI WAF is justified. While disabling OCI WAF may provide a slight latency improvement, the OCI WAF impact is minimal, and disabling it should only be considered in rare cases where ultra-low latency is absolutely critical.
Note: The test results obtained using Siege depend highly on various factors, including network conditions, hardware/software configurations, and software settings specific to your environment. As such, these results may differ significantly from those in other environments. Do not use these results to make any definitive conclusions about the expected performance of your network or equipment. They should be considered as indicative rather than absolute measures of performance.
Acknowledgments
- Authors - Luis Catalán Hernández (OCI Cloud Network Specialist and Multi Cloud), Par Kansala (OCI Cloud Network Specialist and Multi Cloud), Sachin Sharma (OCI Cloud Network Specialist)
Copyright ©2025, Oracle and/or its affiliates.