The L7Rule CRD is used to set properties of L7 virtual services that are not covered by the HostRule CRD.

L7Rule is applicable only when AKO is running in EVH mode.

A sample L7Rule CRD is shown below:

apiVersion: ako.vmware.com/v1alpha2
kind: L7Rule
metadata:
  name: my-l7-rule
  namespace: l7rule-ns
spec:
  allowInvalidClientCert: true
  closeClientConnOnConfigUpdate: false
  ignPoolNetReach: false
  removeListeningPortOnVsDown: false
  sslSessCacheAvgSize: 1024
  botPolicyRef: bot
  hostNameXlate: host.com
  minPoolsUp: 2
  performanceLimits:
    maxConcurrentConnections: 2000
    maxThroughput: 3000
  securityPolicyRef: secPolicy
  trafficCloneProfileRef: tcp

Note:

The L7Rule CRD must be configured in the same namespace as HostRule.

Specific Usage of L7Rule CRD

The L7Rule CRD sets some of the default properties of an L7 virtual service. The parameters section below covers each field of the L7Rule CRD and the rules that apply to it.

Parameters

allowInvalidClientCert
  Description: Process the request even if an invalid client certificate is presented.
  Default: False

closeClientConnOnConfigUpdate
  Description: Close client connections when the virtual service configuration is updated.
  Default: False

ignPoolNetReach
  Description: Ignore the network reachability constraints of pool servers when placing the virtual service.
  Default: False

removeListeningPortOnVsDown
  Description: Remove the listening port if the virtual service is down.
  Default: False

sslSessCacheAvgSize
  Description: Expected number of SSL session cache entries; this number can be exceeded. Allowed values are 1024-16383.
  Default: 1024

botPolicyRef
  Description: Bot detection policy for the virtual service. It is a reference to an object of type BotDetectionPolicy. A BotDetectionPolicy referenced by a virtual service requires at least 552 MB of extra_shared_config_memory to be configured in the ServiceEngineGroup on the Controller; otherwise virtual service creation will fail.
  Default: Nil

hostNameXlate
  Description: Translates the host name sent to the servers to this value, and translates the host name sent back from the servers to the value used by the client. It is not applied to child virtual services.
  Default: Nil

minPoolsUp
  Description: Minimum number of UP pools required to mark the virtual service up.
  Default: 0

performanceLimits.maxConcurrentConnections
  Description: The maximum number of concurrent client connections allowed to the virtual service. It is not applied to child virtual services.
  Default: Nil

performanceLimits.maxThroughput
  Description: The maximum throughput per second for all clients allowed through the client side of the virtual service, per SE. It is not applied to child virtual services.
  Default: Nil

securityPolicyRef
  Description: Security policy applied to the traffic of the virtual service. This policy is used to perform security actions such as Distributed Denial of Service (DDoS) attack mitigation. It is a reference to an object of type SecurityPolicy and is not applied to child virtual services.
  Default: Nil

trafficCloneProfileRef
  Description: Server network or list of servers to which traffic is cloned. It is a reference to an object of type TrafficCloneProfile.
  Default: Nil

Attaching L7Rule to HostRule

An L7Rule is attached in the HostRule specification: the properties of that L7Rule are applied to the virtual service created through the corresponding HostRule. Attach it by adding the l7Rule key under virtualhost, with the name of the L7Rule CRD as the value.

apiVersion: ako.vmware.com/v1beta1
kind: HostRule
metadata:
  name: my-host-rule
spec:
  virtualhost:
    fqdn: test-ingclass.avi.internal
    fqdnType: Exact
    l7Rule: my-l7-rule

Status Messages

The status messages give users immediate feedback about the reference objects specified in the L7Rule CRD.

Following are a few sample status messages:

Accepted L7Rule object

$ kubectl get l7rule
NAME         STATUS     AGE
my-l7-rule   Accepted   3d5s

An L7Rule is accepted when all the reference objects specified inside it exist in the Avi Load Balancer Controller.

Rejected L7Rule object

$ kubectl get l7rule
NAME            STATUS     AGE
my-l7-rule-alt  Rejected   2d23h

The status provides the detailed reason for rejection, as shown below:

status:
  error: botPolicyRef "My-L7-Application" not found on controller
  status: Rejected

Caveats

L7Rule deletion

If an L7Rule is deleted, the corresponding fields of the L7 virtual services in the Avi Load Balancer Controller are reset to their default values.

HostRule deletion

If a HostRule referencing an L7Rule is deleted, the corresponding fields of the L7 virtual services in the Avi Load Balancer Controller are reset to their default values.

L7Rule admission

An L7Rule CRD is admitted only if all the objects it references exist in the Avi Load Balancer Controller. If those referenced objects are deleted out-of-band after admission, AKO does not re-validate the associated HostRule CRD objects; the user must manually edit or delete the object for the new state to take effect.
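The rules stated on this page (the same-namespace requirement for HostRule and L7Rule, the 1024-16383 range for sslSessCacheAvgSize, and admission only when every referenced Controller object exists) can be checked offline before a manifest is applied, which is useful precisely because AKO does not re-validate after an out-of-band deletion. The following Python script is an added example, not AKO's own admission code; the manifests are the ones shown above expressed as Python dicts, and the Controller inventory, the validate_l7rule and check_attachment functions, and the Status dataclass are all constructed for this illustration.

```python
"""Offline validator for L7Rule and HostRule manifests.

Mirrors the documented rules: referenced Controller objects must exist
(otherwise the rule is Rejected with a status.error like the one shown
above), sslSessCacheAvgSize must lie in 1024-16383, and the L7Rule must
sit in the same namespace as the HostRule that attaches it. Constructed
example, not AKO's implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# L7Rule fields that reference Controller objects, and the object type each
# must resolve to (taken from the parameters table).
REFERENCE_FIELDS = {
    "botPolicyRef": "BotDetectionPolicy",
    "securityPolicyRef": "SecurityPolicy",
    "trafficCloneProfileRef": "TrafficCloneProfile",
}
SSL_SESS_CACHE_RANGE = (1024, 16383)

# Constructed stand-in for the objects present on the Avi Controller.
CONTROLLER_OBJECTS: Dict[str, Set[str]] = {
    "BotDetectionPolicy": {"bot"},
    "SecurityPolicy": {"secPolicy"},
    "TrafficCloneProfile": {"tcp"},
}

# The sample L7Rule from this page, plus the rejected variant whose name
# appears in the `kubectl get l7rule` output above.
SAMPLE_L7RULE = {
    "apiVersion": "ako.vmware.com/v1alpha2", "kind": "L7Rule",
    "metadata": {"name": "my-l7-rule", "namespace": "l7rule-ns"},
    "spec": {
        "allowInvalidClientCert": True, "closeClientConnOnConfigUpdate": False,
        "ignPoolNetReach": False, "removeListeningPortOnVsDown": False,
        "sslSessCacheAvgSize": 1024, "botPolicyRef": "bot",
        "hostNameXlate": "host.com", "minPoolsUp": 2,
        "performanceLimits": {"maxConcurrentConnections": 2000, "maxThroughput": 3000},
        "securityPolicyRef": "secPolicy", "trafficCloneProfileRef": "tcp",
    },
}
SAMPLE_L7RULE_ALT = {
    "apiVersion": "ako.vmware.com/v1alpha2", "kind": "L7Rule",
    "metadata": {"name": "my-l7-rule-alt", "namespace": "l7rule-ns"},
    "spec": {"botPolicyRef": "My-L7-Application"},
}
# The sample HostRule, with the namespace made explicit (constructed).
SAMPLE_HOSTRULE = {
    "apiVersion": "ako.vmware.com/v1beta1", "kind": "HostRule",
    "metadata": {"name": "my-host-rule", "namespace": "l7rule-ns"},
    "spec": {"virtualhost": {"fqdn": "test-ingclass.avi.internal",
                             "fqdnType": "Exact", "l7Rule": "my-l7-rule"}},
}


@dataclass
class Status:
    status: str                 # "Accepted" or "Rejected"
    error: str = ""             # detailed reason, as in status.error
    warnings: List[str] = field(default_factory=list)  # review findings


def validate_l7rule(rule: dict, controller: Dict[str, Set[str]]) -> Status:
    """Apply the admission rules from the page to one L7Rule manifest."""
    spec = rule.get("spec", {})
    warnings: List[str] = []
    # Admission: every referenced object must exist on the Controller.
    for fld, kind in REFERENCE_FIELDS.items():
        name = spec.get(fld)
        if name is not None and name not in controller.get(kind, set()):
            return Status("Rejected", f'{fld} "{name}" not found on controller')
    # Documented allowed range for the SSL session cache size.
    size = spec.get("sslSessCacheAvgSize")
    if size is not None and not SSL_SESS_CACHE_RANGE[0] <= size <= SSL_SESS_CACHE_RANGE[1]:
        return Status("Rejected", f"sslSessCacheAvgSize {size} outside {SSL_SESS_CACHE_RANGE}")
    # Review finding rather than an admission failure: with this flag set the
    # virtual service processes requests whose client certificate is invalid.
    if spec.get("allowInvalidClientCert"):
        warnings.append("allowInvalidClientCert is true: requests with invalid "
                        "client certificates are processed")
    return Status("Accepted", "", warnings)


def check_attachment(hostrule: dict, l7rules: List[dict]) -> List[str]:
    """Return problems with the HostRule -> L7Rule link: the name must
    resolve, and the L7Rule must be in the HostRule's namespace."""
    problems: List[str] = []
    wanted = hostrule["spec"]["virtualhost"].get("l7Rule")
    if wanted is None:
        return problems
    ns = hostrule["metadata"].get("namespace", "default")
    matches = [r for r in l7rules if r["metadata"]["name"] == wanted]
    if not matches:
        problems.append(f'l7Rule "{wanted}" not found')
    for r in matches:
        rns = r["metadata"].get("namespace", "default")
        if rns != ns:
            problems.append(f'l7Rule "{wanted}" is in namespace {rns}, HostRule is in {ns}')
    return problems


if __name__ == "__main__":
    for rule in (SAMPLE_L7RULE, SAMPLE_L7RULE_ALT):
        print(rule["metadata"]["name"], validate_l7rule(rule, CONTROLLER_OBJECTS))
    print(check_attachment(SAMPLE_HOSTRULE, [SAMPLE_L7RULE, SAMPLE_L7RULE_ALT]))
```

Running validate_l7rule against the same inventory on a schedule reproduces the re-validation that AKO does not perform after admission: a rule that was Accepted at apply time turns up as Rejected once its referenced policy disappears from the Controller, and the warnings list surfaces allowInvalidClientCert before the manifest reaches the cluster.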