Traditional ADC products measure throughput at the platform wire — the aggregate of every byte flowing through the appliance, regardless of which boundary it crossed. A single HTTP request touches the platform multiple times: client to platform, platform to application server, application server back to platform, platform back to client. Many vendors count each of those segments, so the same request consumes throughput on the meter up to four times.
On top of that, the network-layer protection that fires before a request ever reaches the vService — L3/L4 DDoS protection, network-layer firewall rules, IP reputation drops — still consumes bytes that count against the same meter. The better the network-layer protection performs, the larger the silent overhead loading the throughput accounting.
Bandwidth on an ADC is licensed as a tier, not metered per byte. But the tier you pick has to be high enough to cover everything the meter sees — so platform-wire metering pushes you into a larger tier than your real serving capacity requires.
The TR7 model draws the line at the vService client-facing boundary. The traffic your virtual service actually serves to and from the client side is what gets measured. The internal pass-through to application servers is not metered. The traffic stopped at the network layer before the vService sees it is not metered. The tier you license lines up with the bandwidth you actually use.
Throughput measurement runs continuously in the TR7 ADC reporting layer. The same number that determines whether you fit in your licensed tier is shown live to operators — no separate billing platform, no opaque vendor-side calculation.
The meter sits at the vService client-facing edge. Traffic that reaches the vService and is processed by it counts. Traffic stopped before the vService — at the network firewall or by L3/L4 DDoS protection — does not.
Both the client-to-vService request side (RX) and the vService-to-client response side (TX) are summed. This is the industry-standard way to express true bi-directional throughput and matches how serving capacity translates into user experience.
When the vService relays a request to an application server and the response comes back, that internal traffic is not counted. Only the client-facing side counts toward the licensed tier.
The same throughput figure used for the license tier is shown in real time in the ADC reporting layer. Operators can watch utilization, see how much of the tier is in use, and plan tier capacity changes before the renewal cycle.
Measurement happens at the vService client-facing boundary. Three types of traffic never cross that boundary and therefore are not included in the licensed tier:
Packets dropped by network-layer firewall rules before the vService sees them are not in the measurement window. They never crossed the vService boundary.
Volumetric flood traffic blocked by network-layer protection before reaching the vService is excluded. Being a frequent attack target does not push you into a larger licensed tier.
When the vService relays a request to an application server and receives the response, that internal traffic is not metered. The same request is not counted a second time on the application-server side.
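The two metering boundaries described above can be compared on the same traffic. The following is an added example, not TR7 code or output: the counter names, the tier sizes, the sample byte counts and the choice to size the tier against the peak 60-second interval are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Interval:
    """Byte counters for one measurement interval (constructed field names)."""
    seconds: int
    client_rx: int    # client -> vService (requests)
    client_tx: int    # vService -> client (responses)
    backend_tx: int   # vService -> application server
    backend_rx: int   # application server -> vService
    dropped_pre: int  # dropped by network firewall / L3-L4 DDoS before the vService

def to_mbps(byte_count: int, seconds: int) -> float:
    return byte_count * 8 / seconds / 1_000_000

def client_facing_mbps(iv: Interval) -> float:
    # vService client-facing boundary: RX + TX only.
    return to_mbps(iv.client_rx + iv.client_tx, iv.seconds)

def platform_wire_mbps(iv: Interval) -> float:
    # Platform wire: every segment plus bytes dropped before the vService.
    total = (iv.client_rx + iv.client_tx + iv.backend_tx
             + iv.backend_rx + iv.dropped_pre)
    return to_mbps(total, iv.seconds)

TIERS_MBPS = (100, 250, 500, 1000, 2500)  # hypothetical tier sizes

def required_tier(intervals, meter):
    """Return (peak Mbps, smallest tier covering it) for the given meter."""
    peak = max(meter(iv) for iv in intervals)
    for tier in TIERS_MBPS:
        if peak <= tier:
            return peak, tier
    raise ValueError(f"peak {peak:.0f} Mbps exceeds the largest tier")

# Constructed 60-second samples: normal load, the same load during a
# volumetric flood stopped at the network layer, and a busier period.
SAMPLES = [
    Interval(60, 75_000_000, 1_050_000_000, 75_000_000, 1_050_000_000, 0),
    Interval(60, 75_000_000, 1_050_000_000, 75_000_000, 1_050_000_000, 4_500_000_000),
    Interval(60, 90_000_000, 1_410_000_000, 90_000_000, 1_410_000_000, 0),
]

if __name__ == "__main__":
    for name, meter in (("client-facing", client_facing_mbps),
                        ("platform-wire", platform_wire_mbps)):
        peak, tier = required_tier(SAMPLES, meter)
        print(f"{name}: peak {peak:.0f} Mbps -> {tier} Mbps tier")
```

In the constructed data the flood interval sets the platform-wire peak, while the client-facing peak comes from the busier serving period and is unaffected by the flood.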
Most competitor products measure throughput at the platform wire — every byte through their infrastructure counts, both client-facing and application-server-facing. TR7 only counts the client-facing side. The structural consequences:
A request handled by your virtual service crosses two boundaries: client to vService, and vService to application server. Vendors that meter both add the second crossing to the same throughput figure for traffic that is structurally identical to the first. TR7 only counts the client-facing crossing.
When network-layer protection blocks an L3/L4 DDoS or a network firewall rule drops a flood, those bytes do not propagate into the throughput accounting. Being a high-value target should not force you into a larger licensed tier than your real serving capacity requires.
Because the duplicated application-server-facing traffic is not metered, the same licensed tier on TR7 carries substantially more real serving capacity than the same nominal tier on platform-wire metering products. For typical enterprise workloads the difference can compound to multiples.
The throughput figure your tier is sized against is the same figure surfaced in the reporting layer. Operators can audit it live, reconcile it against vService-by-vService activity, and plan tier capacity well before renewal.
Independently of the global licensed tier, individual vServices can have per-vService bandwidth limits with automatic fair-share QoS enforcement. Service Provider deployments distribute licensed bandwidth across tenants automatically.
Banking, government, betting, public services — workloads that block constant L3/L4 attacks at the network layer. Network-layer protection does its job without forcing you into a larger licensed tier than your real users require.
Black Friday, flash sales, ticket launches — windows when bot waves and legitimate traffic compete for the same capacity. The throughput your tier has to cover reflects what shoppers actually received, not the bot probes the network layer already filtered.
Outbound-heavy services where response payloads dominate the bandwidth profile. RX + TX measurement at the client-facing edge matches how serving capacity is usually expressed in this category.
Licensed bandwidth shared across customer tenants with automatic fair-share QoS. Per-vService limits let providers offer differentiated service tiers; the global license measures only the client-facing total across all tenants.
The TR7 ADC reporting layer shows the same vService-boundary figure that determines your licensed tier — visible, predictable, and free of pre-vService overhead.