Version 1.0

Effective date: Mar 5, 2026

Hardware and software

Gateway Network infrastructure best practices


  1. Purpose

This document outlines the network infrastructure requirements for a High Availability Gateway with automatic failover and continuous service availability.

The architecture targets a sustained processing rate of 3 to 6 ms/MB, supporting a 2-second processing window for imaging studies up to 250 MB. These outcomes rely directly on the network performance characteristics defined in this document.


  2. Network Segments

Three physically or logically isolated VLAN segments are required.
Each gateway node connects to all three segments via two 10GbE network interfaces.

Segment   Function              RX (Down)    TX (Up)      Latency   Jitter    QoS
VLAN A    Cluster Management    10 Gbps      10 Gbps      < 1 ms    < 1 ms    CS7
VLAN B    Modality Ingest       2.5 Gbps +   2.5 Gbps +   < 15 ms   < 5 ms    AF41
VLAN C    Cloud Egress (GCP)    1 Gbps +     1 Gbps +     < 80 ms   < 20 ms   AF41

  • RX (Down) = traffic received by the gateway (e.g., DICOM from modalities, data from cloud).

  • TX (Up) = traffic transmitted by the gateway (e.g., DICOM routing to local gateway, cloud egress to GCP).

  • Bandwidth values represent sustained throughput minimums per gateway node.


  3. Segment Requirements

3.1 VLAN A - Cluster Management (Isolated)

Any latency or packet inspection on VLAN A directly impacts cluster stability. Database replication and leader election depend on sub-millisecond communication between nodes. Firewall insertion on this segment will violate processing targets and may cause split-brain conditions.

Traffic

Continuous low-latency node-to-node communication including database replication streams, cluster consensus heartbeats, orchestration health signaling, and load balancer coordination. Traffic is persistent and latency-sensitive rather than bursty. 10GbE full duplex is mandatory; 1GbE will cause database commit lag, replication delays, and cluster instability. 

QoS

CS7 is strongly recommended. Cluster management traffic benefits from the highest network priority to maintain sub-millisecond consensus timing. Without QoS marking, competing traffic on shared upstream infrastructure could introduce latency spikes that trigger unnecessary failovers.

Routing

Local only. No internet or external access. Strictly node-to-node within the 3-node cluster. No firewall, IDS/IPS, or packet inspection of any kind is permitted on this segment.

VIP Requirement

One (1) floating static IP address on the cluster management network. This Virtual IP is used for internal cluster coordination and transfers automatically between nodes during failover.

3.2 VLAN B - Modality Ingest (Clinical Network)

Traffic

Inbound DICOM C-STORE from imaging modalities (local and remote), inbound HL7v2 from RIS/EHR systems, and outbound DICOM routing to local gateway and downstream clinical destinations. This segment is bidirectional by design with bursty ingest patterns driven by exam scheduling and modality utilization.

QoS

DSCP AF41 is strongly recommended. DICOM C-STORE is latency-sensitive and benefits from prioritization during network congestion. Without QoS marking, large imaging transfers may be deprioritized behind bulk data traffic, increasing study turnaround time.

Routing

Clinical network. Accepts connections from local modalities and remote imaging centers (via site-to-site VPN where applicable). Outbound routes to local gateway and downstream clinical destinations.

VIP Requirement

One (1) floating static IP address on the clinical network.

This Virtual IP transfers automatically between nodes during failover, providing a single stable endpoint for all sources.

3.2.1 Remote Modality Ingest (VPN)

In deployments where remote imaging centers send DICOM over site-to-site VPN tunnels into VLAN B, the following additional considerations apply:

VPN MTU

Set the tunnel interface MTU to 1360–1400 on both ends. VPN encapsulation adds overhead that reduces the effective MTU; failure to adjust will cause fragmentation and throughput degradation on DICOM transfers.

Latency

The < 15 ms threshold assumes a well-provisioned WAN link or site-to-site VPN. Remote sites with higher latency will experience reduced single-stream DICOM throughput due to TCP windowing: a single TCP stream can have at most one receive window of data in flight per round trip, so each additional millisecond of round-trip time reduces the bandwidth that stream can achieve.

Bandwidth Sizing

VPN overhead (encryption, encapsulation) typically consumes 10–15% of raw link capacity. Size the WAN circuit to deliver the required throughput after VPN overhead.

For sites with lower bandwidth, concurrent study processing will be limited by the WAN link, not the gateway.
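A capacity-planning helper for the two points above (single-stream TCP throughput versus RTT, and WAN circuit sizing after VPN overhead), added here as an example and not part of the original document. The 64 KiB receive window and 15% tunnel overhead are assumed illustration values; the 2.5 Gbps target and the 250 MB study size are the figures this document states.

```python
import math

def single_stream_mbps(window_bytes: int, rtt_ms: float) -> float:
    """Upper bound on one TCP stream: at most one receive window can be in
    flight per round trip, so throughput <= window / RTT (TCP windowing)."""
    if rtt_ms <= 0:
        raise ValueError("rtt_ms must be positive")
    return window_bytes * 8 / (rtt_ms / 1000.0) / 1e6

def streams_needed(target_mbps: float, window_bytes: int, rtt_ms: float) -> int:
    """Concurrent DICOM associations needed to fill target_mbps when each
    stream is capped by the window/RTT limit above."""
    return math.ceil(target_mbps / single_stream_mbps(window_bytes, rtt_ms))

def wan_circuit_mbps(required_mbps: float, vpn_overhead: float) -> float:
    """Raw circuit rate that still delivers required_mbps of DICOM payload
    after the tunnel's encryption/encapsulation overhead fraction."""
    if not 0.0 <= vpn_overhead < 1.0:
        raise ValueError("vpn_overhead must be a fraction in [0, 1)")
    return required_mbps / (1.0 - vpn_overhead)

def study_transfer_seconds(size_mb: float, mbps: float) -> float:
    """Wire time for a study of size_mb megabytes at mbps (payload only)."""
    return size_mb * 8 / mbps

def remote_site_plan(rtt_ms: float, window_bytes: int = 65536,
                     target_mbps: float = 2500.0, vpn_overhead: float = 0.15) -> dict:
    """Summarise a remote site. Assumed values: 64 KiB window, 15% VPN overhead
    (illustration only); 2.5 Gbps and 250 MB are this document's figures."""
    per_stream = single_stream_mbps(window_bytes, rtt_ms)
    return {
        "rtt_ms": rtt_ms,
        "single_stream_mbps": round(per_stream, 2),
        "streams_to_fill_target": streams_needed(target_mbps, window_bytes, rtt_ms),
        "study_250mb_single_stream_s": round(study_transfer_seconds(250, per_stream), 1),
        "wan_circuit_mbps": round(wan_circuit_mbps(target_mbps, vpn_overhead), 1),
    }

if __name__ == "__main__":
    # Compare the document's VLAN B (< 15 ms) and VLAN C (< 80 ms) latency bounds.
    for rtt in (15.0, 80.0):
        print(remote_site_plan(rtt))
```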

QoS Preservation

DSCP AF41 markings must be preserved across the VPN tunnel and any intermediate hops. Without end-to-end QoS, DICOM traffic from remote modalities will compete with general traffic and degrade during congestion events.

Validation

Test end-to-end MTU with ping -f -l 1372 <gateway_VIP> from the remote site.

If fragmentation occurs, reduce MTU until the test succeeds.

Verify throughput with iperf3 across the tunnel under load.
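An added example (not from the original document) that automates the MTU check above: it derives the ping payload from the target MTU (the 28 bytes of IPv4 plus ICMP headers are why MTU 1400 is probed with 1372 and MTU 9000 with 8972) and binary-searches for the largest unfragmented payload instead of reducing the size by hand. It assumes Linux iputils ping (-M do -s), the equivalent of the Windows ping -f -l form shown above; the hostname is a placeholder.

```python
import subprocess
from typing import Callable, Optional

IPV4_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP echo header

def icmp_payload_for_mtu(mtu: int) -> int:
    """Largest ping payload that fits in one frame at the given MTU."""
    return mtu - IPV4_ICMP_HEADERS

def mtu_for_payload(payload: int) -> int:
    """Inverse of icmp_payload_for_mtu: the path MTU implied by a payload size."""
    return payload + IPV4_ICMP_HEADERS

def df_ping(host: str, payload: int, timeout_s: int = 1) -> bool:
    """One don't-fragment echo request of the given payload size.
    Assumes Linux iputils ping; exit status 0 means an unfragmented reply."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0

def find_max_payload(probe: Callable[[int], bool], lo: int, hi: int) -> Optional[int]:
    """Binary search for the largest payload in [lo, hi] that probe() accepts.
    Assumes monotonic behaviour: if size n passes, every smaller size passes.
    Returns None when even the floor size fails."""
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo

def discover_path_mtu(host: str, lo_mtu: int = 1280, hi_mtu: int = 1500) -> Optional[int]:
    """Path MTU towards host between the IPv6-minimum floor and standard Ethernet."""
    best = find_max_payload(lambda p: df_ping(host, p),
                            icmp_payload_for_mtu(lo_mtu), icmp_payload_for_mtu(hi_mtu))
    return None if best is None else mtu_for_payload(best)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "gateway-vip.example"  # placeholder host
    mtu = discover_path_mtu(target)
    print("no unfragmented path even at the floor MTU" if mtu is None else f"path MTU {mtu}")
```

Run it from the remote site against the VLAN B VIP; if the reported path MTU is below the tunnel MTU configured in 3.2.1, an intermediate hop is still fragmenting.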

3.3 VLAN C - Cloud Egress (GCP)

Traffic

The gateway pushes standardized data to both the Google Healthcare API and Platform. It also receives cloud-originated data including worklists, prior studies, and processing results. This segment is bidirectional with sustained upload patterns during peak volume and periodic cloud-to-gateway sync for prior study retrieval.

QoS

DSCP AF41 is strongly recommended. Cloud egress traffic benefits from consistent throughput marking to prevent degradation during network congestion. Without QoS, cloud sync lag may increase during busy periods, but local DICOM processing is not affected.

Routing

Outbound to GCP Healthcare API endpoints. If a VPN tunnel is used for cloud egress, the VPN considerations in Section 3.2.1 (MTU, QoS preservation, bandwidth sizing) apply to this segment as well.


  4. Interface and Connectivity Requirements

4.1 VLAN A - Isolated Network

VLAN A must be a dedicated, isolated network segment connecting the three gateway nodes. This can be delivered as a dedicated VLAN, a flat isolated network, or a virtual interface on a trunked interface; the delivery method is flexible. What is not flexible is the isolation: VLAN A traffic must not traverse any firewall, IDS/IPS, or packet inspection device, and must not share a broadcast domain with non-cluster traffic.

Connectivity

Dedicated VLAN, flat network, or virtual interface. Any method that provides isolated L2 connectivity between all three nodes at 10GbE speeds.

Isolation

No firewall, IDS/IPS, or packet inspection between nodes. No inter-VLAN routing into or out of this segment. No non-cluster devices on this network.

Switch

Dedicated switch or switch stacks are recommended but not required. If using a shared switch, VLAN A must be in its own broadcast domain with no inter-VLAN routing enabled.

4.2 VLAN B and VLAN C - Flexible Connectivity

VLAN B (Modality Ingest) and VLAN C (Cloud Egress) must be reachable from each gateway node, but the facility has flexibility in how that connectivity is delivered. These segments do not require dedicated physical interfaces and can be provided through any combination of the following:

VLAN Trunking

Both VLANs trunked on a single 10GbE NIC using 802.1Q tagging. This is the most common configuration and works well because the VLAN B and VLAN C peak traffic patterns are complementary: heavy ingest (VLAN B RX) coincides with heavy cloud upload (VLAN C TX), so both directions of the full-duplex link are utilized.

Separate Interfaces

Each VLAN is on its own dedicated NIC.

Provides maximum bandwidth isolation but requires additional physical interfaces per node.

Layer 3 Routing

Gateway nodes on a single access VLAN with L3 routing to the modality and cloud networks via the facility’s core infrastructure. This is typical in environments where the gateway is placed in a DMZ or separate network zone.

Latency, bandwidth, and QoS requirements from Section 2 still apply across the routed path.

Regardless of the connectivity method chosen, the bandwidth, latency, jitter, and QoS requirements defined in Section 2 must be met end-to-end between the gateway nodes and the source/destination systems on each segment.


  5. Optional Recommendations

5.1 Jumbo Frames (MTU 9000)

Jumbo frames are recommended on VLAN A and VLAN B (local segments only, not across VPN tunnels) to reduce CPU overhead during heavy DICOM C-STORE ingest. Standard Ethernet frames (MTU 1500) require more CPU interrupts per megabyte of data transferred. With MTU 9000, each frame carries 6x more payload, reducing per-frame processing overhead and freeing CPU cycles for DICOM processing.


Requirement: All devices on the segment (switches, NICs, gateway nodes) must support and be configured for MTU 9000. A single device at MTU 1500 will cause fragmentation or black-hole packets.
Validate end-to-end with ping -f -l 8972 <peer_node_ip>.

5.2 Dedicated Switch / VLAN Isolation

Where possible, VLAN A should be on a dedicated physical switch or switch stack isolated from clinical traffic. This eliminates any risk of broadcast storms, spanning-tree reconvergence, or QoS contention on the cluster management plane from impacting cluster stability.


  6. Key Risk Statement

Insufficient bandwidth or added latency on the Cluster Management network (VLAN A) will directly prevent the system from meeting performance and availability requirements. This is the single most critical network dependency for the HA Gateway. Database replication lag, consensus timeouts, and split-brain conditions are all direct consequences of an underperforming or improperly isolated VLAN A.


For deployments with remote imaging centers, VPN tunnel misconfiguration (incorrect MTU, missing QoS marking, insufficient WAN bandwidth) will result in degraded DICOM transfer performance from those sites. While this does not impact local modality ingest or cluster stability, it will affect turnaround time for studies originating from remote locations.