Layer 4 SSL Support

Avi Vantage supports layer 4 SSL virtual services. As of 18.1.2, client-facing ports can be configured either for SSL-termination or in-the-clear communication. For SSL termination of HTTP protocol, use HTTP/HTTPs application profile.
Server side communication can be clear or encrypted. But, it has to be encrypted if the front-end is clear.

Note: Either the UI or the CLI may be used when client-facing ports are SSL-terminated. To have client-ports communicate in the clear while server-side ports are SSL-encrypted, the CLI must be used, as documented in the latter half of this article.

Client-Facing Ports are SSL-terminated

To apply and tune this client-facing feature, use the following touch points within the UI:

  • The SSL application type is selectable in either the Virtual Service Basic or Advanced Setup wizards. As shown in figure 1, click SSL for Application Type. Port 443 is the default, but can be changed. The required certificate can be self-signed or one of the other certs visible in the pulldown menu.
Screen Shot 2016-07-08 at 5.04.20 PMFigure 1. Basic Setup wizard showing selection of SSL application type.
  • The default application profile, System-SSL-Application, appears under the Application tab of Templates. Avi Vantage will automatically associate it with SSL type applications unless a change is made to the virtual service’s settings. Refer to Figure 2.

Screen Shot 2016-07-08 at 5.30.19 PM

Figure 2. The System-SSL-Application application template is a standard component of each Avi Vantage release.
  • Edit the virtual service’s settings if the system-standard defaults for the application, TCP/UDP, and SSL profiles need to be changed. Refer to Figure 3.

Screen Shot 2016-07-08 at 6.05.41 PMFigure 3. Avi Vantage automatically associates an SSL type application with system-standard application, TCP/UDP, and SSL profiles.

  • To enable the PROXY protocol for your layer 4 SSL VS, or to tune the TCP connection rate limiter settings, use the application profile editor, depicted in Figure 4. Note that you have the option to enable either version 1 or version 2 of the PROXY protocol.

Screen Shot 2016-07-08 at 5.54.51 PM

Figure 4. The System-SSL-Application application template can be edited by the user.

Client-Facing Ports are In-the-Clear

As of the time of this writing, Avi Vantage support for this feature is accessible via the Avi CLI only.


[admin:Ctrl-01]: virtualservice> services
New object being created
[admin:Ctrl-01]: virtualservice:services> port 9000
[admin:Abhinav-Ctrl-01]: virtualservice:services> no enable_ssl
+--------------------+
| Field	     | Value |
+--------------------+
| port	     | 9000  |
| enable_ssl | False |
+--------------------+
[admin:Ctrl-01]: virtualservice:services> save
[admin:Ctrl-01]: virtualservice> save