I have been convinced for many years that open source is the future; however, after almost 10 years as a C-level manager, my discourse has changed a bit!

Let's be clear: originally, my discourse was more political than rational. But I think it's time to write down how I explain the advantages and disadvantages of open-source software to my customers.

Introduction

In the first article of this series, we are going to review something that I see in a lot of companies: a load balancer inside your data center.

We are going to compare HAProxy and F5.

Cost

The most sensitive topic by far! Let's start from the beginning: open source is not cheap!

HAProxy

HAProxy is the reference in the open-source world if you want to deploy a load balancer (and the next one to choose NGiNX as a load balancer gets the Boulava).

HAProxy is almost 220k lines of C.

To operate it, you just buy two 1U servers, install FreeBSD on them, install HAProxy, and off you go: you have a running load balancer.

Cost of the setup: more or less 2kUSD to have around 40Gbps in high availability.

But Loïc, who is going to maintain it?

Good question, and that's the mistake most companies make! Every software, every component, every switch should be in an inventory, managed, and updated.

So let's just imagine that you hire a sysadmin, full-time, to manage your systems, including HAProxy!

In Dubai, a good sysadmin, with 10 years of experience is paid around 10,000 USD per month.

Your sysadmin is going to spend 10% of his time per week upgrading software (not only HAProxy) and 10% of the remaining time managing, contributing, improving monitoring, and making HAProxy better. Long story short, let's say he spends 20% of his time on it.

We can evaluate the cost at 2,000 USD per month.

But what about the bus factor?

That's right, we need a second person, so same cost, times 2.

But Loïc, they need some certifications!

Certifications do not prove anything, except that you or your management are ready to burn money to have one more chocolate medal on your chest. It's better to let them train for 1 month on it: using the software, reading the source code, deploying it multiple times, compiling it.

So total cost:

"Down Payment": 2 engineers * (1 month of training) + Hardware = 2 * 10000 + 3000 = 23,000 USD

Monthly cost: 2 engineers * (20% of monthly salary) = 2 * 2,000 = 4,000 USD.

So Total cost for operating a load balancer during 1 year:

23,000 + 12 * 4,000 = 71,000 USD

F5

We want to compare HAProxy with an equivalent solution. With some customization that you will be able to implement after one month of training, you can more or less get the same performance as an F5 BIG-IP i4800. This load balancer is a 1U server with the software installed on it.

This one costs around 42,000 USD apiece. If you want 2, you double it.

But Loïc, even if it's closed source, they need some training, right?

Of course, but the difference is that instead of learning some software engineering, reading some RFCs, configuring some sysctls, and understanding the network, they are going to learn some CLI commands, a WebUI, and some vendor-specific paradigm.

Let's just assume that on top of this, you have some management in the company forcing you to pass a certification; then you have the extra cost of training for the certification plus the cost of the certification itself. Let's say around 1,000 USD per engineer.

Also Loïc, the bus factor is the same as with HAProxy, no?

Again, correct. The difference is that you reduce the time you spend maintaining the software, so let's say that instead of spending 20% of your time per week, it's going to be 5%, even if some companies tell you that it is 0%.

So total cost:

"Down Payment": 2 engineers * (2 weeks of training + certification) + Hardware = 2 * (5000 + 1000) + 2 * 42000 = 96,000 USD

Monthly cost: 2 engineers * (5% of monthly salary) = 2 * 500 = 1,000 USD.

So Total cost for operating a load balancer during 1 year:

96,000 + 12 * 1,000 = 108,000 USD

Security

I'm not saying that open-source software is more secure than closed-source software. But at least:

  1. You can check what is in it
  2. You can patch upstream if needed
  3. You know exactly what you put inside your infrastructure

The SolarWinds hack was one of the best examples of what should never happen: putting a black box inside your infrastructure, leading to remote code execution.

Furthermore, as a security aficionado, and knowing how sensitive a load balancer is in companies, I would not like to rely on anybody else to release a patch for a CVE scored 8+. Just to be clear, most load balancing products use some open-source software underneath, and sometimes you wish it were not the case (like a CentOS 6 not patched for years :-) ).

Some vendors hide behind their fake certifications!

Independence

Let's imagine that you have a contract for a year with a big company, but they change the terms of the contract: say, before you were not paying for the license, but now they are going to charge you 50,00USD a year for it. What choice do you have? You are probably going to contact another big company, and again you are going to spend a lot of $$$. This means that once you choose a closed-source solution, you never get out, except at a huge price.

Furthermore, if you choose a closed-source company, you depend on this company 100%, which means that if some government thinks extraterritorial laws are normal, and your provider follows orders from that government, they could block you in 1 day (like Huawei and the Play Store)!

Conversely, if you choose HAProxy, you are free to hire more people, train them, or even outsource it.

Scalability

Now let's assume that your first infrastructure is working perfectly, with a big load balancer in front. But what happens when you fill the infrastructure? You need to open a second DC. What is the cost going to be? We are going to calculate it over 2 years, knowing that at the beginning of Q5 you are going to launch the second infrastructure.

HAProxy

The training is done; you just pay for the hardware, so 3,000 USD.

Regarding the monthly maintenance, adding more HAProxy instances is not going to cost that much; let's say 5% more, so 25% in total.

So total cost:

"Down Payment": 2 engineers * (1 month of training) + Hardware * 2 = 2 * 10000 + 6000 = 26,000 USD

Monthly cost Y1: 2 engineers * (20% of monthly salary) = 2 * 2,000 = 4,000 USD.

Monthly cost Y2: 2 engineers * (25% of monthly salary) = 2 * 2,500 = 5,000 USD.

So Total cost for operating a load balancer during 2 years:

26,000 + 12 * 4,000 + 12 * 5,000 = 134,000 USD

F5

Same story here: the training is done, you just pay for the hardware.

Regarding the monthly maintenance, we are going to increase from 5% to 7.5% of the working time.

So, total cost:

"Down Payment": 2 engineers * (2 weeks of training + certification) + 2 * Hardware = 2 * (5000 + 1000) + 2 * 2 * 42000 = 180,000 USD

Monthly cost Y1: 2 engineers * (5% of monthly salary) = 2 * 500 = 1,000 USD.

Monthly cost Y2: 2 engineers * (7.5% of monthly salary) = 2 * 750 = 1,500 USD.

So Total cost for operating a load balancer during 2 years:

180,000 + 12 * 1,000 + 12 * 1,500 = 210,000 USD
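To make the cost model above reproducible (both the 1-year comparison in the Cost section and the 2-year scenario with a second DC at Q5), here is a small TCO calculator written as an added example; it is not from the original post, and the salary, training time, hardware prices and time shares are the post's own assumptions, encoded as parameters.

```python
# Added example: parameterized TCO model reproducing the post's HAProxy vs F5 figures.
# All values are USD; the inputs are the post's assumptions, not vendor list prices.
from dataclasses import dataclass

ENGINEER_MONTHLY_SALARY = 10_000  # "a good sysadmin, 10 years of experience, in Dubai"
ENGINEERS = 2                     # bus factor: always two people


@dataclass(frozen=True)
class Option:
    name: str
    training_months: float       # paid time spent learning the product (0.5 = 2 weeks)
    certification_cost: float    # per engineer, 0 if none
    hardware_per_site: float     # one HA pair for one data center
    base_time_pct: float         # % of working time spent on the first site
    extra_time_pct: float        # extra % of working time per additional site


def tco(opt: Option, months: int, expansion_month: int = 0) -> float:
    """Total cost over `months`. If expansion_month > 0, a second site is bought
    up front and its extra maintenance share starts in that month (Q5 = month 13).
    Percentages are kept as whole/half numbers so the arithmetic stays exact."""
    sites = 2 if expansion_month else 1
    total = ENGINEERS * (opt.training_months * ENGINEER_MONTHLY_SALARY
                         + opt.certification_cost)       # "down payment": people
    total += sites * opt.hardware_per_site               # "down payment": hardware
    for month in range(1, months + 1):
        pct = opt.base_time_pct
        if expansion_month and month >= expansion_month:
            pct += opt.extra_time_pct
        total += ENGINEERS * ENGINEER_MONTHLY_SALARY * pct / 100
    return total


HAPROXY = Option("HAProxy", training_months=1, certification_cost=0,
                 hardware_per_site=3_000, base_time_pct=20, extra_time_pct=5)
F5 = Option("F5", training_months=0.5, certification_cost=1_000,
            hardware_per_site=84_000, base_time_pct=5, extra_time_pct=2.5)

if __name__ == "__main__":
    for opt in (HAPROXY, F5):
        print(f"{opt.name}: 1 year = {tco(opt, 12):,.0f} USD; "
              f"2 years with a second DC at Q5 = {tco(opt, 24, expansion_month=13):,.0f} USD")
```

Changing the salary, time shares or hardware price shows how quickly the gap moves, which is the point of doing the calculation for your own company rather than copying these figures.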

Responsibility

That's the main point that I want to raise.

I'm really tired of seeing people choose paid software because they can blame the vendor. It's time to stop this behavior.

When, as a CTO, VP, or whatever title you have, you choose a solution to deploy in the company, stop hiding behind "According to Gartner, they are the best". It's YOUR choice, not anyone else's, and other people should not pay the price for it. So stop putting the blame on someone else and start working with your team to find the best solution.

Conclusion

I hope this article convinced you to consider open-source software for your next system. Every 3 weeks for at least 6 months, we are going to discuss open-source software that you can self-deploy and operate, increasing the knowledge of your company.

If you have a problem and no one else can help, maybe you can hire the Kalvad-Team.