Traffic Shaping

<< Back to Technical Glossary

Traffic Shaping Definition

Traffic shaping is a computer network bandwidth management technique that delays some or all datagrams in line with a traffic profile to improve latency, optimize performance, or increase usable bandwidth for certain types of packets by delaying other types. Also called packet shaping, traffic shaping switches, rules, and policies all prioritize traffic and bandwidth to ensure a higher quality of service or QoS for network traffic related to business. Traffic shaping and policing are related but distinct practices which will be detailed further below.

Application-based traffic shaping is among the most common types of traffic shaping, in which specific traffic shaping policies are applied based on data packet identity. For example, it is typical to allocate maximum bandwidth to a business-critical application that is sensitive to latency such as a Voice-over-IP (VoIP), while throttling peer-to-peer file-sharing networks such as BitTorrent with application-based traffic-shaping.

This image depicts the packet shaping of traffic shaping, with the physical layer encompassing high-priority, medium-priority, and low-priority traffic.


Traffic Shaping FAQs

What is Traffic Shaping?

Traffic shaping manages bandwidth by limiting the flow of certain types of network packets deemed less important by the organization while prioritizing more important traffic streams. Traffic shaping ensures sufficient network bandwidth for time-sensitive, critical applications using policy rules, data classification, queuing, QoS, and other techniques.

Bandwidth throttling is the regulation of traffic flow into a network. Rate limiting is the control of the outward traffic flow. Typically, traffic shaping measures a committed information rate (CIR) in bits per second (bps). It then buffers any non-essential traffic that exceeds the average bit rate.

By controlling the amounts of data that flow into and out of the network, the organization can leverage traffic shaping to enhance network performance. Network policies categorize, direct, and queue traffic. This works like classifying priority packages for delivery without delay; slowing packet transmission for less critical applications allows proper bandwidth management and function of mission-critical applications such as those involving VoIP.

Another apt analogy is the security for a high-end event. The security team has a list of A-list guests that get past the red rope without waiting, every time. Everyone else has to queue up.

The traffic shaping appliance acts as the security team, and it treats only packets related to mission-critical applications as A-list guests. As long as the event has plenty of room, anyone can come in—but if things get crowded, ordinary packets are going to queue up and wait so important applications will not experience latency, and they may also be removed.

Latency can rise substantially if a resource becomes over-utilized to the point of congestion. Traffic shaping can prevent latency via bandwidth throttling, rate limiting, or more complex rules or algorithms. In fact, there are many reasons and means to achieve this control; however, delay of packets is always central to traffic shaping.

Traffic shaping may be applied by a network element as part of a router or by the traffic source, such as a network card or computer. However, the most commonly seen type of traffic shaping is control of traffic entering the network, applied at the network edges.

At times, traffic sources apply traffic shaping to ensure their sent traffic complies with a contract which a policer could potentially enforce in the network. Teletraffic engineering is another common use for traffic shaping, which is part of several Internet Traffic Management Practices (ITMPs) in domestic ISPs’ networks. Data centers also use traffic shaping to ensure that they host their tenants on the same physical network and maintain service level agreements for their various tenants and applications.

Why is Traffic Shaping Needed?

Network bandwidth is finite by definition, so bandwidth management and traffic shaping are essential to improved delivery of time-sensitive data and performance of higher priority applications.

Traffic shaping is a flexible yet powerful way to defend against bandwidth-abusing distributed denial-of- service (DDoS) attacks while ensuring quality of service. It regulates abusive users, guards applications and networks against traffic spikes, and stops network attacks from overwhelming network resources.

Transitioning from a high speed interface to a low speed interface can cause egress blocking: tail drop or packet loss in the outgoing queue. Prevent this issue by configuring egress traffic shaping to ensure all packets are eventually sent, at least until the buffer fills.

There are four basic factors that affect network quality: delay, bandwidth, packet loss, and jitter. These factors are typically not problematic in a local area network or LAN, where bandwidth is not at issue and all devices are in close proximity.

These networks merely require wireless connections or cables with sufficient capacity to handle network traffic. The price of devising this type of one-off network is generally manageable.

Wide area networks or WANs spread across distances and public networks such as the internet pose a challenge, particularly with respect to these four network quality factors. This is because the cost of infrastructure to connect to either WANs or public networks is both high and recurring.

It is important to retain bandwidth for voice, so use some traffic shaping device in any location with VoIP phones. This includes your main office, data center, and any home offices or other satellite locations.

The weakness in the standard application-based approach is that many application protocols attempt to circumvent application-based traffic shaping using encryption. Route-based traffic shaping policies can prevent applications from bypassing them by applying packet regulation policies based on the intended destination and source of the packet.

Traffic shaping is critical for cybersecurity and a key element of any network firewall. It ensures higher quality of service for data and business applications, and regardless, limited network resources make bandwidth prioritization a requirement.

Traffic Shaping and Quality of Service

Traffic shaping does not come into play when traffic arrives at a normal rate. Manageable traffic rates mean the system is running smoothly to start with. However, traffic that is arriving faster than that configured rate will be delayed in a buffer until it can safely be sent out below that configured rate.

This has to do with achieving quality of service. Quality of service or QoS thinking acknowledges that the four factors that affect network quality impact different applications in different ways, based in large part on user requirements. QoS strategies are therefore flexible in assessing a “best” level of service for various kinds of applications.

Voice or VoIP applications are a good example, because although voice traffic packets do not require much bandwidth, voice does not tolerate packet loss or delay. This is why just a second or two of a lost meeting or conversation is so annoying—especially repeatedly, in a business setting.

In contrast, bandwidth is the most salient factor when downloading a large file over a TCP connection, because TCP can retransmit packets to make up for packet loss.

For proper QoS network implementation, there are several important considerations:

Traffic Classification

Analyze the types of applications and traffic running on the network to more appropriately apply traffic shaping rules to different traffic classes. Identify mission-critical traffic such as traffic to and from an application server, and define how to match that traffic.


Classified traffic should be marked with tags to make it simple for all devices in the traffic path to apply required policies. There are common tags that device manufacturers rely on to build default profiles for different traffic classes, such as MPLS Experimental bits, Differentiated Services Code Points (DSCP) bits, and IP Precedence (IPP) bits.

QoS Policies

Traffic classification and marking have as their goal the consistent application of QoS policies to the packets. Some common QoS policies related to traffic shaping include congestion management and queuing, congestion avoidance, for example weighted random early detection, and traffic policing.

Traffic Shaping vs Policing

Traffic shaping and policing are often confused, but they are important to distinguish.

Traffic policing works in bursts, remarking or dropping excess traffic only when the traffic rate reaches the maximum rate configured in the system. In other words, it switches on like a thermostat once the traffic rate exceeds what it should. If you graph the look of traffic policing, you see a jagged looking saw edge, but with blunt spikes where the traffic policing remarks the traffic past the limit.

This is why traffic policing is less ideal for applications like VoIP. Since the excess data packets are simply dropped when the traffic reaches the maximum rate, the uneven data flow often means a poor user experience.

Traffic shaping works constantly over time toward a smoothed goal for traffic output. In contrast to traffic policing, traffic shaping retains excess packets in a buffer or queue rather than remarking them. It then transmits the excess packets over time as traffic permits, producing that smooth curve.

Traffic shaping implies and demands a sufficient buffer or queue for the delayed packets; traffic policing has no such requirement. Traffic shaping thus demands memory to enable.

Another consideration is that queueing packets up to be sent later—traffic shaping—can only ever apply to outbound traffic. True inbound traffic shaping does not exist, because inbound traffic is the realm of traffic policing. Traffic shaping also demands a scheduling function so delayed packets can be transmitted later from different queues.

Because traffic shaping and traffic policing are two entirely different techniques, the user should determine which will work best in each situation.

Traffic Shaping Techniques

The right traffic shaping technique depends on the types of traffic on the network. Categorization of those varieties of traffic is a critical first step in this process, one that defines traffic shaping techniques.

Default traffic shaping techniques often intercept all packets when they arrive at the packet shaper and store them in a buffer for processing. High priority packets transmit immediately, while less important packets remain buffered. Sometimes, if the buffer is full, traffic shaping merely drops arriving packets.

However, there are two more specific traffic shaping techniques in frequent use as well.

Application-based Traffic Shaping

The application-based traffic shaping technique prioritizes the data packets of some applications over others—for example, the voice data packets of a VoIP over the basic data packets of a browser. This kind of traffic shaping technique would hold the browser packets until all VoIP packets were sent, ensuring less latency for the critical app.

However, application-based traffic shaping techniques can also reduce bandwidth usability. They are also vulnerable to being circumvented by encryption.

Route-based Traffic Shaping

The route-based traffic shaping technique seeks to prevent applications from circumventing application-based traffic shaping policies. It does this by focusing instead on the actual source and intended destination of the packets so disguising them with encryption is less useful.

Benefits of Traffic Shaping

Using a network traffic shaping device or software has many benefits:

  • Accelerates network traffic
  • Adding bandwidth as an alternative is expensive
  • Avoids network congestion by detecting consumption of abnormal bandwidth
  • Blocks attacker IPs
  • Frequently necessary to meet the service-level agreements (SLAs) of contracts
  • Enhances application performance
  • Ensures high quality of transmission for critical applications
  • Guarantees tiered-service level offering to end users
  • Internet Traffic Management best practices recommend traffic shaping
  • Limits unwanted traffic
  • Maximizes resource/higher priority app utilization and allocation of bandwidth
  • Necessary for network firewall
  • When network interfaces are overloaded by non-essential traffic, it causes jitter, delays, and packet loss for real-time voice streams


Traffic shaping helps to ensure critical data and business applications run efficiently with the bandwidth they require. Ultimately, traffic shaping helps ensure better quality of service (QoS), deliver higher performance, maximize usable bandwidth, reduce latency, and increase return on investment (ROI).

How to Implement Traffic Shaping

All traffic shaping solutions implement traffic shaping techniques a bit differently, but there are some basic factors to be aware of:

  • Rate of transmission, how fast the network is actually capable of sending bits per second
  • ISP bandwidth, how many bits per second the system can handle
  • Committed information rate (CIR in bits per second), the goal rate of transmission for traffic shaping
  • Burst size (in bits per second), the number of bits needed to be sent at once to maintain the CIR
  • Time intervals in seconds, the frequency of transmission


Committed information rate or CIR is the same as burst size divided by time interval. To calculate the CIR in bits per second, divide the burst size in bits per second by the time interval in seconds.

A traffic shaper delays metered traffic to ensure that each packet complies with the applicable traffic contract. It may implement metering with a number of traffic shaping rules or algorithms, for example the token bucket or leaky bucket. There is one FIFO buffer for each class of metered packets or cells shaped separately, and the excess packets are retained there until the system can transmit them and remain in compliance. Transmission can happen immediately (when traffic is already under the limit), after a delay (until the scheduled release time) or never (should packet loss occur during buffer overflow conditions).

Buffer Overflow Conditions

All buffers in traffic shapers are finite, so implementations must include strategies for full buffers. Tail drop is a common and simple approach which involves simply dropping traffic upon arrival at a full buffer. This results not only in traffic shaping, but also in traffic policing. A more sophisticated approach might apply a random early detection algorithm or other dropping algorithm.

Traffic Classification

More basic traffic shaping implementations uniformly shape all traffic. More sophisticated traffic shaping techniques classify traffic first based on protocol or port number, for example. Then, a particular desired effect can be achieved by shaping various traffic classes separately.

Self-limiting Sources

Self-limiting sources generate traffic which never exceeds an upper limit. In other words, self-limiting sources shape the traffic they generate to some degree because they cannot transmit faster than their encoded rate allows.

Traffic Shaping Features

The best traffic shaping software packages, tools, and other solutions share certain features:

Logical Bandwidth Separation Capability

It is critical to be able to logically analyze and separate traffic into categories and divide the amount of bandwidth available between them. This is important to enable separate flows of traffic for distinct subnets or user groups, or for ingress traffic shaping, which separates many locations with different bandwidth demands behind a single point of ingress.

Intuitive Policy Management

Traffic shaping policies should be predictable and intuitive, so that administrators can be confident when they apply them they will see the desired outcomes.

Flexible Bandwidth Configurations

Administrators need the flexibility to create the combination and number of bandwidth rules that meet organizational needs.

Dynamically Adjustable

To better accommodate work from home, remote workforce, and bring your own device (BYOD) trends, bandwidth must adapt dynamically as new devices and hosts join the network. Some organizations may need to devise rules for fair bandwidth sharing, cap the number of devices, or cap bandwidth for each individual device.

Does Avi Offer Traffic Shaping?

Yes. Avi’s flagship product Avi Platform delivers application services including distributed load balancing, web application firewall, global server load balancing (GSLB), network and application performance management across a multi-cloud environment. As such it offers significant traffic shaping, throttling and rate-limiting options. These can be applied at different levels – from a virtual service to pool/server level or at the client level.

For example, Avi can limit the number of TCP connections to a specific virtual service. This ensures that the service cannot be compromised and used to spawn excessive connections or that a poorly coded service does not create unanticipated behaviors. Equally, Avi can limit the maximum bandwidth a specific service is allowed which ensures lower priority services with bursty bandwidth needs such as a backup, do not compromise high latency services such as VoIP calls.

Limits can also be set on the number of connections that can be made to an individual server, and even the maximum number of connections to a server pool. This can be used to prevent denial of service attacks that subject servers to an overload of requests.

Traffic shaping can be applied at the client level – meaning that the maximum number of connections from a single client can be capped – preventing it slowing performance for others on the network. Limits can be set for all clients connecting to a specific URL, which can also help prevent DDoS attacks.

The primary role of an ADC is load balancing, but it can also offer traffic shaping, application acceleration, caching, compression, content switching, multiplexing and application security.

For more on the actual implementation of load balancing, security applications and web application firewalls check out our Application Delivery How-To Videos.

TLS Proxy

<< Back to Technical Glossary

TLS Proxy Definition

A TLS proxy is a gateway for a Transport Layer Security (TLS) connection, which is a protocol that provides communications security over a computer network. A TLS proxy server protects against denial-of-service (DoS) attacks and other security threats.

Diagram depicts TLS Proxy a gateway for a Transport Layer Security (TLS) connection, which is a protocol that provides communications security over a computer network. A TLS proxy server protects against denial-of-service (DoS) attacks and other security threats.

What is TLS Proxy?

A TLS proxy is used in secure connections to allow for additional networking services while protecting against denial-of-service attacks. TLS (Transport Layer Security) provides encryption and authenticity of communication over the Internet. It started out for secure online e-commerce transactions and has quickly become the defacto security protocol. TLS proxies are becoming more prominent than older SSL (Secure Socket Layer) proxies when it comes to handling incoming TLS connections.

How Does TLS Proxy Work?

A connection is being intercepted by a TLS proxy when it inspects incoming traffic to block malicious connections. A high speed redundant network is used to run the TLS proxy to protect against distributed DoS (DDoS) attacks.

Transport Layer Security (TLS) often uses an HTTP proxy to inspect the HTTP traffic between client and server. A TLS handshake session by itself does not offer protection. It only creates the connection. Security is enforced by running a TLS session between the client and the HTTP proxy along with a separate session between the HTTP proxy and the server.

Why Uninstall TLS Proxy?

There are times when uninstalling a TLS proxy is needed. Older SSL/TLS protocols can be a security risk. Outdated versions of SSL/TLS are susceptible to bugs that can allow attackers to decrypt communications.

Sometimes HTTPS certificate errors need to be bypassed because they are too sensitive and an over abundance of warnings can result in problematic false positives or false negatives.

The best way to prevent attacks is to configure the TLS proxy to remove all incoming HTTP headers that have the same name (header rewrite). The header should also have a name that is not commonly known, or something long and random.

How To Bypass TLS Proxy?

Enterprises wishing to modify traffic as they see fit can run into problems when applications stop to verify that every certificate of authority is valid. This can cause bottlenecks when trying to validate certificates. It’s necessary to convince an app that a certificate of authority is trusted and valid before being able to act as man-in-the-middle (MITM) and modify traffic flow. This requires bypassing the TLS proxy with the following techniques:

• Add a custom certificate of authority (CA) to the trusted server certificate store
• Overwrite a packaged CA with a custom CA
• Reverse custom certificate code

Does Avi offer TLS Proxy?

Yes. Avi can serve as a TLS proxy for the back-end servers in the service’s pool. It communicates with the client over SSL/TLS.

For more on the actual implementation of load balancing, security applications and web application firewalls check out our Application Delivery How-To Videos.

For more information see the following TLS proxy resources:

TCP Load Balancing

<< Back to Technical Glossary

TCP Load Balancer Definition

A TCP Load Balancer uses transmission control protocol (TCP), which verifies information sent to internet protocol (IP) addresses. It ensures the data arrives error-free to non-HTTP applications.

Diagram depicting tcp load balancer for ensuring data arrives error free from application servers to non-http applications.

What Is a TCP Load Balancer?

A TCP load balancer is a type of load balancer that uses transmission control protocol (TCP), which operates at layer 4 — the transport layer — in the open systems interconnection (OSI) model. TCP traffic communicates at an intermediate level between an application program and the internet protocol (IP). A TCP load balancing configuration provides a reliable and error-checked stream of packets to IP addresses, which can otherwise easily be lost or corrupted. Each application is assigned a unique TCP port number to enable delivery to the correct application and to provide health checks.

How Does a TCP Load Balancer Work?

TCP load balancers are for applications that do not use HTTP. When deployed in front of a database cluster, a TCP load balancer spreads requests across all available server configurations. Any application data destined for a server is forwarded to the available server over a new TCP connection. Separating (or proxying) the client to server connections allows for enhanced security, such as TCP protocol sanitization or DoS mitigation. It also provides better server performance and client connections.

TCP Load Balancer Versus HTTP Load Balancer

HTTP load balancing is a simple HTTP request/response architecture for HTTP traffic. But a TCP load balancer is for applications that do not speak HTTP.

Can Application Load Balancers Work At TCP Level?

Yes. An application load balancer can work at TCP level as long as it is at layer 4 of the open systems interconnection (OSI) model. This is because TCP load balancers are for applications that do not use HTTP. Layer 7 in the OSI model, for example, expects all network traffic to be HTTP. But a load balancer operating in layer 4 will read the TCP packet information and direct the communication to the right place. The “level” of a load balancer refers to how far back up the network stack that a communication must travel before it is directed to its final destination. An application load balancer route based on TCP has less latency because network communication does not have to go all the way up and back down the network stack at the load balancer.

Does Avi Offer a TCP Load Balancer?

Yes. Avi Networks’ intent-based Software Load Balancer provides scalable application delivery across any infrastructure and any level in the networking stack (L4-7). The Software Load Balancer forms the backbone of Avi, providing speed, performance and reliability for modern enterprises. Learn more about Avi’s TCP load balancing configuration.

For more on the actual implementation of load balancers, check out our Application Delivery How-To Videos.

For more information on tcp load balancing see the following resources: