Load Balancing Traffic to Connection Servers and App Volume Managers
Overview
Both L4 and L7 virtual services are supported for load balancing traffic to connection servers; however, L7 virtual services are recommended. This guide describes using an L7 virtual service to load balance traffic to connection servers.
Using an L7 Virtual Service
Create Custom Health Monitor for Connection Servers
- From the Avi UI, navigate to Templates > Profiles > Health Monitors.
- Click on Create.
- In the New Health Monitor screen, select the Type as HTTPS.
- Set the Send Interval to 30 seconds and Receive Timeout to 10 seconds. The New Health Monitor screen is as shown below:
- Select the Response Code as 2xx.
- Click on Save.
Create an SSL Profile
Create an SSL profile with session reuse disabled. To create a new SSL profile, follow the steps below:
- In the Avi UI, navigate to Templates > Security > SSL/TLS Profile > Create > Application Profile.
- In the New SSL/TLS Profile screen, select the Ciphers and the TLS version.
- Enable TLS 1.2 for backward compatibility with older Horizon clients.
- Ensure the option Enable SSL Session Reuse is disabled.
- Under Ciphers, click Select From List to select the following ciphers:
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- Click on Save.
Creating a Pool
If the connection servers are configured in replication mode, persistence on the connection server is not required. In non-replication mode, use Consistent Hash - Source IP Address as the load balancing algorithm.
Enable SSL to backend and select the appropriate SSL profile (Connection-Server-SSL-Profile is used here).
To create a pool,
- From the Avi UI, navigate to Applications > Pools.
- Click on Create Pool.
- Click on Next.
- Click Next and enter the details as required under the Advanced tab.
- Click Next and click Save.
Creating an Application Profile
Use an HTTPS application profile, with Connection Multiplex and X-Forwarded-For disabled.
Creating an L7 Virtual Service
To create the L7 virtual service,
- Navigate to Applications > Virtual Services.
- Click on Create Virtual Service > Advanced Setup.
- Enable SSL and choose the SSL profile that was created for the virtual service.
- Select the Connection Server Pool. The virtual service is as shown below:
- Click on Next and navigate to Step 4: Advanced.
- Click on Save.
The following changes are required on the UAG server when the load balancer sits between the UAG and the connection servers:
- The connection server URL should point to the Avi load balancer.
- The connection server URL thumbprint:
  - For an L7 virtual service: the connection server URL thumbprint is taken from the certificate that is bound to the Avi load balancer.
  - For an L4 virtual service: the connection server URL thumbprint is taken from the certificate that is present on the connection server itself.
  - For an L4 virtual service with SSL (System-SSL-Application): the connection server URL thumbprint is taken from the certificate that is bound to the Avi load balancer.
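The following is an added example (not from the Avi or Horizon documentation) that fetches the certificate an endpoint actually presents, computes its thumbprint, and applies the rule above to pick the value the UAG should hold; VIP_HOST and CS_HOST are hypothetical placeholders, and the offline helpers work without any network access.

```python
import hashlib
import ssl

VIP_HOST = "horizon-vip.example.com"  # hypothetical: address of the Avi virtual service
CS_HOST = "cs01.example.com"          # hypothetical: one connection server


def thumbprint(der_cert: bytes, algo: str = "sha1") -> str:
    """Colon-separated uppercase hex digest of a DER-encoded certificate.
    sha1 is the classic thumbprint form; pass "sha256" where that is expected."""
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(tp: str) -> str:
    """Canonical form for comparing hand-entered thumbprints: drops an
    'sha1=' / 'sha256=' prefix, separators and case differences."""
    tp = tp.strip().lower()
    if "=" in tp:
        tp = tp.split("=", 1)[1]
    return "".join(c for c in tp if c in "0123456789abcdef")


def same_thumbprint(a: str, b: str) -> bool:
    return normalize(a) == normalize(b)


def expected_thumbprint(vs_type: str, vip_tp: str, backend_tp: str) -> str:
    """The rule above: an L7 virtual service, and an L4 virtual service with
    SSL, pin the certificate bound to the Avi VIP; a plain L4 virtual service
    pins the connection server's own certificate."""
    if vs_type in ("L7", "L4-SSL"):
        return vip_tp
    if vs_type == "L4":
        return backend_tp
    raise ValueError(f"unknown virtual service type: {vs_type}")


def fetch_thumbprint(host: str, port: int = 443, algo: str = "sha1") -> str:
    """Network call: hash the leaf certificate a TLS endpoint presents."""
    pem = ssl.get_server_certificate((host, port))
    return thumbprint(ssl.PEM_cert_to_DER_cert(pem), algo)


if __name__ == "__main__":
    vip_tp, cs_tp = fetch_thumbprint(VIP_HOST), fetch_thumbprint(CS_HOST)
    for vs_type in ("L7", "L4", "L4-SSL"):
        print(f"{vs_type:6s} -> UAG thumbprint {expected_thumbprint(vs_type, vip_tp, cs_tp)}")
    print("VIP and connection server certificates match:", same_thumbprint(vip_tp, cs_tp))
```

If the VIP and the connection server present different certificates, the value printed for the virtual service type in use is the one the UAG must be configured with.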
Load Balancing App Volume Manager
Load balancing for App Volumes Manager can be achieved by configuring an L7 virtual service with an HTTPS application profile.
App Volumes servers do not support connections for the same client originating from different source IP addresses. In the case where the virtual service is deployed as an Active/Active scale out, it is possible that multiple connections from the same client are processed by different Service Engines. As each Service Engine uses a distinct SNAT IP, the servers may see multiple connections for the same client with a different source IP, resulting in authentication failures.
To address this issue, use one of the following options:
- Option 1: Use an Active/Standby Service Engine group when load balancing App Volumes.
- Option 2: If native scale out is being used, configure the flow distribution algorithm to be based only on the client IP address rather than on the client IP and port, through the CLI:
  configure virtualservice <appvol-vs-name>
  flow_dist consistent_hash_source_ip_address
  save
Note: Option 2 is only applicable in the case of native scale out. Where ECMP scale out is used (for example with BGP), the distribution of flows across Service Engines depends on the ECMP hash algorithm used by the upstream router. If that hash is based on the full 5-tuple (source/destination IP/port/protocol), this issue will be encountered.
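To see why the flow distribution setting matters, the following added example (not Avi's own code) models three active/active Service Engines with distinct SNAT IPs and compares hashing each flow on the full 5-tuple against hashing on the source IP only; the hash function, the addresses and the client flows are constructed for illustration.

```python
import hashlib
import random
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed: three active/active Service Engines, each with its own SNAT IP.
SE_SNAT_IPS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
Flow = Tuple[str, int, str, int, str]  # src_ip, src_port, dst_ip, dst_port, proto
KeyFn = Callable[[Flow], str]


def pick_se(key: str, n_se: int) -> int:
    """Stand-in for the SE flow distribution hash: a stable bucket in [0, n_se)."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:4], "big") % n_se


def five_tuple_key(flow: Flow) -> str:
    """5-tuple distribution: every new connection hashes independently."""
    return "|".join(map(str, flow))


def source_ip_key(flow: Flow) -> str:
    """consistent_hash_source_ip_address: only the client IP feeds the hash."""
    return flow[0]


def snat_ips_seen(flows: Iterable[Flow], key_fn: KeyFn) -> Dict[str, Set[str]]:
    """Per client IP, the set of SNAT IPs the App Volumes server would observe."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for flow in flows:
        seen[flow[0]].add(SE_SNAT_IPS[pick_se(key_fn(flow), len(SE_SNAT_IPS))])
    return dict(seen)


def make_flows(client_ip: str, n: int, seed: int = 1) -> List[Flow]:
    """Constructed sample: one client opening n HTTPS connections to the App
    Volumes VIP (10.0.1.50, constructed) from random ephemeral source ports."""
    rng = random.Random(seed)
    return [(client_ip, rng.randint(49152, 65535), "10.0.1.50", 443, "tcp") for _ in range(n)]


def clients_with_multiple_snat(flows: Iterable[Flow], key_fn: KeyFn) -> List[str]:
    """Clients that would hit the authentication failure described above."""
    return sorted(c for c, ips in snat_ips_seen(flows, key_fn).items() if len(ips) > 1)


if __name__ == "__main__":
    flows = make_flows("192.0.2.10", 20) + make_flows("192.0.2.11", 20, seed=2)
    for name, key_fn in (("5-tuple", five_tuple_key), ("source IP", source_ip_key)):
        print(f"{name:9s}: clients seen from >1 SNAT IP -> {clients_with_multiple_snat(flows, key_fn)}")
```

With 5-tuple hashing a single client is spread over all three SNAT IPs after a handful of connections; with source-IP hashing every connection from that client lands on the same Service Engine, so the server sees one source address.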
Creating the App Volume Manager Pool
To create the pool,
- From the Avi UI, navigate to Applications > Pools.
- Select the vCenter cloud from the Select Cloud sub-screen.
- Click on Next.
- Click on Create Pool.
- In the New Pool screen, update the details as shown below:

| Field | Value |
| --- | --- |
| Default Server Port | 443 |
| Persistence | None |
| Load Balance | Round Robin |
| Analytics Profile | System-Analytics-Profile |

- To bind the monitor, click on Add Active Monitor and select the HTTPS Health Monitor that was created.
- Under SSL to Backend Servers, select Enable SSL.
- Select System-Standard as the SSL Profile.
- Click on Next.
- Click on Next and Save.
Creating Application Profile
- From the Avi UI, navigate to Templates > Profiles.
- Click on Create.
- Enter the Name of the profile.
- Select the Type as HTTP.
- Ensure Connection Multiplex is disabled. The New Application Profile screen is as shown below:
- Click on Save.
Creating L7 Virtual Service
To create the new L7 virtual service,
- From the Avi UI, navigate to Applications > Virtual Services.
- Click on Create Virtual Service > Advanced Setup.
- In the New Virtual Service screen, enter the virtual service Name.
- Under VIP Address, enter the IPv4 VIP Address.
- Select the Application Profile that was created.
- Under Service Port, click on Add Port, enter 443 as the Port and select SSL.
- Under Pool, select the pool that was created for App Volumes.
- Under SSL Settings, select System-Standard as the SSL Profile and select the SSL Certificate. The New Virtual Service is as shown below:
- Click on Next.
- Navigate to Step 4: Advanced and click on Save.