This blog is Part 2 of this series. If you have not gone through Part 1 yet, please check it out first.
In Part 2 we will demonstrate how to set up a local load balancing virtual service for a web-based application on the Avi load balancer deployed in Part 1. The IP address allocation and network connectivity are shown below.
Hundreds of features are available when setting up a local load balancing service on the Avi load balancer. In this blog we will focus on the features most widely used in an enterprise load balancing solution:
- TLS/SSL Termination
- Session Persistence
- Health Monitor
Section 1: TLS/SSL Termination
The following deployment architectures are supported by Avi Load balancer (LB) for SSL:
- None: SSL traffic is handled as pass-through (layer 4), flowing through Avi LB without terminating the encrypted traffic.
- Client-side: Traffic from the client to Avi LB is encrypted, with unencrypted HTTP to the back-end servers.
- Server-side: Traffic from the client to Avi LB is unencrypted HTTP, with encrypted HTTPS to the back-end servers.
- Both: Traffic from the client to Avi LB is encrypted and terminated at Avi LB, which then re-encrypts traffic to the back-end server.
- Intercept: Terminate client SSL traffic, send it unencrypted over the wire for taps to intercept, then encrypt to the destination server.
We will use Client-side deployment architecture here.
Step 1: Get or Generate a certificate
Please note that a CA-signed certificate is highly recommended for any production system; we use a self-signed certificate here for simplicity. Go to Templates—>Security—>SSL/TLS Certificate, where all installed certificates are listed. A self-signed certificate is shown; its subject name is www.sddc.vmconaws.link.
Step 2: Create a customized SSL/TLS profile
The system default SSL/TLS profile still accepts TLS 1.0, which is no longer considered a secure protocol (TLS 1.0 and TLS 1.1 are both formally deprecated by RFC 8996). So we will go to Templates—>Security—>SSL/TLS Profile and create a new SSL/TLS profile that excludes TLS 1.0, as below. Where your Avi version allows it, leaving out TLS 1.1 as well and accepting only TLS 1.2 (and TLS 1.3) is the safer choice.
Section 2: Session Persistence
Cookie persistence is the most common persistence mechanism for a web-based application. Here we will define a persistence profile for our test web application. Go to Templates—>Profiles—>Persistence, click the “Create” button, and input the parameters below:
- Name: sddc01-vs01-pp01
- Type: HTTP Cookie
- HTTP Cookie Name: vmconaws-demo
- Persistence Timeout: 30 minutes
Please note that the cookie payload contains the back-end server IP address and port, encrypted with AES-256, so the client does not learn the address of the pool member it is pinned to.
Section 3: Health Monitor
The Avi load balancer uses health monitors to check whether the back-end servers in a load balancing pool are healthy enough to provide the required service. There are two kinds of health monitors:
- Active Health Monitor: Active health monitors send proactive queries to servers, synthetically mimicking a client. Send and receive timeout intervals may be defined, which statically determine whether a server response counts as successful or failed.
- Passive Health Monitor: While active health monitors provide a binary good/bad analysis of server health, passive health monitors provide a more subtle check by observing and reacting to the real client-to-server interaction. For example, if a server is quickly responding with valid responses (such as HTTP 200), all is well; if the server is sending back errors (such as TCP resets or HTTP 5xx responses), it is assumed to have problems.
Only active health monitors may be edited. The passive monitor has no settings.
Note: Best practice is to attach both a passive and an active health monitor to each pool.
Let's create an active health monitor for our application. Go to Templates—>Profiles—>Health Monitors, click the “Create” button, and input the parameters below:
- Name: sddc01-vs01-hm01
- Server Response Data: sddc01 (the response body must contain this string; make sure the monitor's request is a GET, since the default HEAD request returns no body to match against)
- Server Response Code: 2xx
- Health Monitor Port: 80 (we keep the default setting here; overriding the port is useful for some cluster-based applications that expose their health status on a separate port)
Section 4: Create a Load Balancing Pool
Now it is time to create the load balancing pool. Go to Application—>Pools and click “Create Pool”. In the Step 1 window, input the parameters below:
- Load Balance: Least Connections
- Persistence: sddc01-vs01-pp01
Add an active health monitor: sddc01-vs01-hm01.
Add two member servers:
- centos01: 192.168.96.25
- centos02: 192.168.96.26
Section 5: Create a Virtual Service
We will use the “Advanced Setup” to create a virtual service for our web application.
In the “Step 1: Settings” window, input the parameters below:
- Name: sddc01-vs01
- Service: 443 with SSL
- Pool: sddc01-vs01-pool
- SSL Profile: SSLProfile-tls1.x
- SSL Certificate: www.sddc.vmconaws.link
For simplicity we use the system pre-defined application profile “System-HTTP”. The “System-HTTP” profile includes comprehensive configuration options for a web application, enough to warrant a separate blog of their own. Let's list a few here:
- X-Forwarded-For: Avi SE will insert an X-Forwarded-For (XFF) header into the HTTP request headers when the request is passed to the server. This feature is enabled.
- Preserve Client IP Address: Avi SE will use the client-IP rather than SNAT IP for load-balanced connections from the SE to back-end application servers. This feature is disabled.
- HTTP-to-HTTPS Redirect: Client requests received via HTTP will be redirected to HTTPS. This feature is disabled (it only takes effect when the virtual service also listens on port 80, which ours does not).
Leave all settings at their defaults for Steps 2 and 3.
In “Step 4: Advanced”, input the parameters below:
- Use VIP as SNAT: enabled
- SE Group: Default-Group
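Sections 1 to 5 above can also be driven through the controller's REST API instead of the UI. The script below is an added example and is not part of the original post; it builds the same objects (TLS profile, cookie persistence profile, HTTP health monitor, pool and virtual service) with the names and addresses used in this post and posts them in dependency order. The controller address, the credentials, the X-Avi-Version value and the JSON field names are assumptions drawn from the Avi REST object model; confirm them against the API guide for your release. It deliberately tightens one setting: the profile accepts TLS 1.2 only, rather than merely dropping TLS 1.0.

```python
"""Build the Avi objects from Sections 1 to 5 and push them to the controller's REST API.

Added example, not the blog's own code. Assumptions: the controller URL and
credentials, the X-Avi-Version header value, and the object field names, which
follow the Avi REST object model; check them against the API guide for your release.
"""
import http.cookiejar
import json
import os
import ssl
import urllib.request

CONTROLLER = "https://avi-controller.example.internal"  # assumed
API_VERSION = "18.2.3"                                   # assumed; match your controller
VIP = "192.168.96.100"                                   # from the post
MEMBERS = {"centos01": "192.168.96.25", "centos02": "192.168.96.26"}  # from the post


def build_ssl_profile(name="SSLProfile-tls1.x"):
    # Section 1: only the listed versions are negotiated. The system default also lists
    # SSL_VERSION_TLS1; TLS 1.1 is left out here too, since RFC 8996 deprecates both.
    return {"name": name, "accepted_versions": [{"type": "SSL_VERSION_TLS1_2"}]}


def build_persistence_profile(name="sddc01-vs01-pp01", cookie="vmconaws-demo", timeout_min=30):
    # Section 2: HTTP cookie persistence; the timeout field is in minutes
    return {"name": name, "persistence_type": "PERSISTENCE_TYPE_HTTP_COOKIE",
            "http_cookie_persistence_profile": {"cookie_name": cookie, "timeout": timeout_min}}


def build_health_monitor(name="sddc01-vs01-hm01", expect="sddc01", port=80):
    # Section 3: GET rather than the default HEAD, because matching response data needs a body
    return {"name": name, "type": "HEALTH_MONITOR_HTTP", "monitor_port": port,
            "http_monitor": {"http_request": "GET / HTTP/1.0",
                             "http_response_code": ["HTTP_2XX"], "http_response": expect}}


def build_pool(name="sddc01-vs01-pool", members=MEMBERS, monitor="sddc01-vs01-hm01",
               persistence="sddc01-vs01-pp01"):
    # Section 4: "?name=" references are resolved by the controller when the object is posted
    return {"name": name, "lb_algorithm": "LB_ALGORITHM_LEAST_CONNECTIONS", "default_server_port": 80,
            "servers": [{"hostname": h, "ip": {"addr": a, "type": "V4"}} for h, a in members.items()],
            "health_monitor_refs": [f"/api/healthmonitor?name={monitor}"],
            "application_persistence_profile_ref": f"/api/applicationpersistenceprofile?name={persistence}"}


def build_virtual_service(name="sddc01-vs01", vip=VIP, pool="sddc01-vs01-pool",
                          ssl_profile="SSLProfile-tls1.x", cert="www.sddc.vmconaws.link"):
    # Section 5: client-side TLS on 443, System-HTTP application profile, VIP used as SNAT
    return {"name": name,
            "vip": [{"ip_address": {"addr": vip, "type": "V4"}}],  # newer releases take a separate vsvip object
            "services": [{"port": 443, "enable_ssl": True}],
            "pool_ref": f"/api/pool?name={pool}",
            "application_profile_ref": "/api/applicationprofile?name=System-HTTP",
            "ssl_profile_ref": f"/api/sslprofile?name={ssl_profile}",
            "ssl_key_and_certificate_refs": [f"/api/sslkeyandcertificate?name={cert}"],
            "use_vip_as_snat": True,
            "se_group_ref": "/api/serviceenginegroup?name=Default-Group"}


def deployment_plan():
    """Objects in dependency order; each later object refers to earlier ones by name."""
    return [("sslprofile", build_ssl_profile()),
            ("applicationpersistenceprofile", build_persistence_profile()),
            ("healthmonitor", build_health_monitor()),
            ("pool", build_pool()),
            ("virtualservice", build_virtual_service())]


class AviSession:
    """Login plus JSON POST; the csrftoken cookie must be echoed back as X-CSRFToken."""

    def __init__(self, controller, username, password, verify_tls=True):
        self.controller = controller.rstrip("/")
        self.jar = http.cookiejar.CookieJar()
        ctx = ssl.create_default_context()
        if not verify_tls:  # controllers often present a self-signed certificate
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(self.jar),
                                                  urllib.request.HTTPSHandler(context=ctx))
        self._post("/login", {"username": username, "password": password})

    def _post(self, path, body):
        headers = {"Content-Type": "application/json", "X-Avi-Version": API_VERSION,
                   "Referer": self.controller}
        headers.update({"X-CSRFToken": c.value for c in self.jar if c.name == "csrftoken"})
        req = urllib.request.Request(self.controller + path, data=json.dumps(body).encode(),
                                     headers=headers, method="POST")
        with self.opener.open(req) as resp:
            return json.loads(resp.read() or b"{}")

    def create(self, obj_type, body):
        return self._post(f"/api/{obj_type}", body)


if __name__ == "__main__":
    s = AviSession(CONTROLLER, os.environ["AVI_USER"], os.environ["AVI_PASSWORD"], verify_tls=False)
    for obj_type, body in deployment_plan():
        print(obj_type, "->", s.create(obj_type, body).get("uuid"))
```

Run it with AVI_USER and AVI_PASSWORD in the environment; each POST returns the created object's UUID. The builders are plain functions, so the payloads can be reviewed or diffed against the UI configuration before anything is sent.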
Section 6: VMC Setup
To let users reach our test web application from the Internet, two changes are required in the VMC SDDC:
- A NAT rule that maps a public IP to the LB VIP (192.168.96.100)
- A CGW firewall rule that allows traffic from the Internet to the LB VIP (192.168.96.100) on HTTPS (TCP 443)
So far we have completed all load balancing configuration. Let's verify our work.
Application web page (https://www.sddc.vmconaws.link):
Session Persistence Cookie:
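The screenshots show the result, but the two security-relevant settings are worth checking from the outside as well. The Python script below is an added example, not from the original post: it pins a handshake to each TLS version, so a TLS 1.0 attempt against the VIP is shown to fail while TLS 1.2 succeeds, then fetches the page and inspects the vmconaws-demo cookie, reporting whether it carries the Secure and HttpOnly attributes and whether its value exposes a plaintext server address (it should not, given the AES-256 encryption noted in Section 2). The host name, port and cookie name are taken from the post; the POLICY dict and the flag expectations are assumptions. Certificate verification is switched off because the post uses a self-signed certificate.

```python
"""Post-deployment checks for the virtual service built in this post.

Added example, not part of the original blog. Assumes the VIP answers as
www.sddc.vmconaws.link on TCP 443 with the self-signed certificate from Step 1
and sets the vmconaws-demo persistence cookie from Section 2.
"""
import re
import socket
import ssl
from http.client import HTTPSConnection

HOST = "www.sddc.vmconaws.link"   # from the post
PORT = 443
COOKIE_NAME = "vmconaws-demo"     # from the post
# Assumed policy: the profile from Step 2 drops TLS 1.0, and TLS 1.2 must still work.
POLICY = {"TLSv1": False, "TLSv1_2": True}
DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PROBE_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                  ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def _client_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # self-signed certificate in the post
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_version_accepted(host, port, version, timeout=5.0):
    """Handshake pinned to exactly `version`: True if the VIP completes it,
    False if it refuses, None if this machine's OpenSSL cannot offer that version."""
    supported = {ssl.TLSVersion.TLSv1: ssl.HAS_TLSv1, ssl.TLSVersion.TLSv1_1: ssl.HAS_TLSv1_1,
                 ssl.TLSVersion.TLSv1_2: ssl.HAS_TLSv1_2, ssl.TLSVersion.TLSv1_3: ssl.HAS_TLSv1_3}
    if not supported.get(version, False):
        return None
    ctx = _client_context()
    ctx.maximum_version = version
    ctx.minimum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL's default security level blocks old versions on the client side;
        # lower it so a refusal really comes from the VIP and not from this host.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def probe_tls_versions(host=HOST, port=PORT):
    """Map version name -> accepted/refused/None for every version this host can offer."""
    return {v.name: tls_version_accepted(host, port, v) for v in PROBE_VERSIONS}


def tls_policy_violations(results, policy=POLICY):
    """Compare probe results with the expected policy; versions probed as None are skipped."""
    out = []
    for name, expected in policy.items():
        got = results.get(name)
        if got is not None and got != expected:
            out.append(f"{name} {'accepted' if got else 'refused'}, "
                       f"expected {'accepted' if expected else 'refused'}")
    return out


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value}), attributes lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def check_persistence_cookie(set_cookie_headers, cookie_name=COOKIE_NAME):
    """Find the persistence cookie and report the properties worth verifying."""
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if name == cookie_name:
            return {"found": True,
                    # should be False: Avi stores the encrypted ip:port, not the plaintext
                    "leaks_server_ip": bool(DOTTED_QUAD.search(value)),
                    "secure": "secure" in attrs,
                    "httponly": "httponly" in attrs}
    return {"found": False}


def fetch_set_cookie_headers(host=HOST, port=PORT, timeout=5.0):
    """GET / over TLS and return every Set-Cookie header the VIP sent."""
    conn = HTTPSConnection(host, port, context=_client_context(), timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        resp.read()
        return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()


if __name__ == "__main__":
    results = probe_tls_versions()
    print("TLS versions:", results)
    print("policy violations:", tls_policy_violations(results) or "none")
    print("persistence cookie:", check_persistence_cookie(fetch_set_cookie_headers()))
```

A version reported as None was not actually tested, because the local OpenSSL build refuses to offer it; run the probe from a host with an older OpenSSL, or with `openssl s_client -tls1`, if you need a definitive answer for TLS 1.0 and 1.1. If the cookie check reports the Secure or HttpOnly flag missing, look at the persistence profile and application profile settings for your Avi version before exposing the service.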
This is the end of this blog. Thank you very much for reading!