This topic describes how to restrict access to both the Avi Load Balancer Controller’s management interfaces and the list of ciphers and HMACs that are allowed for management sessions.

By default, the Avi Load Balancer Controller does not restrict the client IP addresses that are allowed to attempt access to the Controller through its management interfaces. The Avi Load Balancer provides a way to define the set of IP addresses allowed to attempt management access to the Controller.

Additionally, access through all the management interfaces can be further restricted by explicitly specifying the ciphers and keyed-hash message authentication codes (HMACs) that are allowed.

To establish a management connection with the Controller through any management interface, the client must support a cipher and HMAC that are allowed by the Controller.

Note:
  • When configuring the IP access lists for the API and SSH interfaces, ensure that the Controller nodes can still reach each other: either allow the subnet that all the nodes share, or explicitly add each Controller node's IP address to the list.

  • Avi Load Balancer does not currently support the SSH and System Internal Access control types if the Controller nodes are configured with FQDNs rather than IP addresses.

IP Access Lists

When the configuration is modified to specify allowed IP addresses for a management interface, the Avi Load Balancer programs iptables rules on the Avi Load Balancer Controller host so that only the specified client addresses are accepted for that interface at the network layer, before the request reaches the service itself.

Separate IP access lists can be configured for each of the following management interfaces:

  • REST API / Web interface (or any script or other means of automation that uses the REST API)

  • SSH daemon

  • CLI Shell (allows remote CLI access)

  • SNMP

The following is a logical view of the management interfaces.



Note:

Avi Load Balancer internally converts commands that are entered through the web interface or the CLI shell into REST API commands. Similarly, the system responses are converted back into web interface or CLI format when presented in return to the Avi Load Balancer user. To restrict IP access through the interfaces, separate IP lists must be entered for each interface.

IP Access List Format

For each management interface, the set of client IP addresses that are allowed to access that interface can be specified in any of the following ways:

  • Individual IP addresses; example: 1.1.1.1, 2.2.2.2

  • IP address ranges; example: 1.1.1.1-1.1.1.100

  • IP address prefixes (subnets); example: 1.1.1.0/24

  • IP address groups

Caution:
  • When changing the IP access list for a management interface, make sure the list includes the IP address of the client you are currently connected from. Otherwise the management session ends as soon as the change is saved, and you lose access through that interface.

  • If no IP addresses are added to the access list of the management service, any IP address is allowed to attempt access to that service.

Restricting IP Access to Management Interfaces through Web Interface

  1. Navigate to Administration > System Settings.

  2. Click the edit icon to open the EDIT SYSTEM SETTINGS pop-up window.



  3. In the Client Management Access section, configure the fields Allowed SSH Clients, Allowed CLI Shell Clients, Allowed External HTTP(S) Clients, and Allowed External SNMP Clients as required, and enter or select the IP addresses that are allowed access.

    • Host, range, or subnet: Choose Select From Available or Enter Custom Value to activate the field, and select or type the address(es). If you are listing multiple addresses, use commas to delimit them. For entering a range, use a hyphen between the starting (lowest) and ending (highest) addresses.

    • IP Group: Select the IP group (if already configured) or click Create to create the group (list). Enter the group name and address information and click Save to return to the EDIT SYSTEM SETTINGS pop-up window.

    Note:

    Include the management IP addresses of the Controller cluster nodes themselves in the Allowed External HTTP(S) Clients field. The internal analytics APIs fail if the management IPs of the cluster nodes are not in the list of IPs allowed for external HTTP(S) access.

  4. After specifying the allowed client IP addresses for each management service, go to the next section or click Save to save the changes and close the popup.

Restricting the Allowed Ciphers

By default, Avi Load Balancer allows management sessions to use any of the following ciphers:

  • aes128-ctr

  • aes256-ctr

  • arcfour256

  • arcfour128

  • aes128-cbc

  • 3des-cbc

  • blowfish-cbc

  • aes192-cbc

  • aes256-cbc

Although arcfour128 and arcfour256 appear in the default list, they are not supported (RC4 is a broken stream cipher and must not be relied on). Note also that current SSH hardening guidance treats the CBC-mode ciphers, 3des-cbc and blowfish-cbc as weak; restricting the Controller to aes128-ctr and aes256-ctr is the usual choice. To restrict access to a subset of these ciphers, specify the individual ciphers:

  • In the EDIT SYSTEM SETTINGS pop-up window, in the Allowed Ciphers field, enter the cipher names. The names must be spelled exactly as shown above. Use commas between the names, with no spaces.

  • Go to the next section or click Save.

Restricting the Allowed HMACs

The Avi Load Balancer allows management sessions to use any of the following HMACs:

To restrict access to a subset of these HMACs, specify the individual HMACs. HMACs based on MD5 or SHA-1, and the -96 variants that truncate the authentication tag to 96 bits, are considered weak; prefer the SHA-2 based HMACs such as hmac-sha2-512.

  1. In the EDIT SYSTEM SETTINGS pop-up window, in the Allowed HMACs field, enter the HMAC names. The names must be spelled exactly as the Controller reports them in the ssh_hmacs field of GET /api/systemconfiguration (see the REST API example later in this topic). Use commas between the names, with no spaces.

  2. After updating, click Save to save the changes and close the popup.

REST API: IP Addresses That Are Allowed Management Access

The following request to the Avi Load Balancer REST API retrieves the current system settings, including the mgmt_ip_access_control section. This section specifies the client IP addresses that are allowed to access the Controller through the management services.

In this example, access through the web interface or REST API (api_access) is restricted to addresses in the 10.10.0.0/16 subnet and to addresses in the range 3.3.3.0-3.3.3.100. IP access for the other management services is not included in this output, because IP access has not been explicitly defined for them, so any client address may attempt to connect to those services.

API: GET /api/systemconfiguration
Data:
{
    "email_configuration": {
        "from_email": "[email protected]",
        "mail_server_name": "localhost",
        "smtp_type": "SMTP_NONE",
        "mail_server_port": 25
    },
    ...

    "mgmt_ip_access_control": {
        "api_access": {
            "ranges": [
                {
                    "begin": {
                        "type": "V4",
                        "addr": "3.3.3.0"
                    },
                    "end": {
                        "type": "V4",
                        "addr": "3.3.3.100"
                    }
                }
            ],
            "prefixes": [
                {
                    "ip_addr": {
                        "type": "V4",
                        "addr": "10.10.0.0"
                    },
                    "mask": 16
                }
            ],
            "match_criteria": "IS_IN"
        }
    }
}
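The following is an added example, not code from the Avi product or its documentation. It converts the access-list forms described under IP Access List Format (single addresses, hyphenated ranges, CIDR prefixes) into the mgmt_ip_access_control JSON shape shown in the GET output above, evaluates the list for a given client the way the resulting network-layer rule would, and refuses to produce a list that would lock out the operator's own client or the other Controller nodes (the Caution and Notes above). The "addrs" field name used for single hosts is an assumption; the page only shows "ranges" and "prefixes". All addresses are constructed sample values.

```python
import ipaddress
import json
from typing import Iterable, List


def _ip(addr: str) -> dict:
    """Encode one address in the API's IpAddr form: {"type": "V4", "addr": "..."}."""
    ip = ipaddress.ip_address(addr.strip())
    return {"type": "V4" if ip.version == 4 else "V6", "addr": str(ip)}


def parse_access_list(spec: str) -> dict:
    """Convert "host, lo-hi, net/len" (comma separated) into the API object.

    Hyphenated ranges become "ranges" (begin/end) and CIDR prefixes become
    "prefixes" (ip_addr/mask), exactly as the GET output on this page shows.
    Single hosts go under "addrs" (assumed field name; not shown on the page).
    """
    addrs, ranges, prefixes = [], [], []
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (s.strip() for s in item.split("-", 1))
            if ipaddress.ip_address(lo) > ipaddress.ip_address(hi):
                raise ValueError(f"range {item!r}: start is above end")
            ranges.append({"begin": _ip(lo), "end": _ip(hi)})
        elif "/" in item:
            net = ipaddress.ip_network(item, strict=True)  # rejects host bits set
            prefixes.append({"ip_addr": _ip(str(net.network_address)),
                             "mask": net.prefixlen})
        else:
            addrs.append(_ip(item))
    acl = {"match_criteria": "IS_IN"}
    if addrs:
        acl["addrs"] = addrs
    if ranges:
        acl["ranges"] = ranges
    if prefixes:
        acl["prefixes"] = prefixes
    return acl


def is_allowed(acl: dict, client: str) -> bool:
    """Decide whether one client address matches the list (IS_IN semantics)."""
    ip = ipaddress.ip_address(client)
    for a in acl.get("addrs", []):
        if ipaddress.ip_address(a["addr"]) == ip:
            return True
    for r in acl.get("ranges", []):
        lo = ipaddress.ip_address(r["begin"]["addr"])
        hi = ipaddress.ip_address(r["end"]["addr"])
        if lo.version == ip.version and lo <= ip <= hi:
            return True
    for p in acl.get("prefixes", []):
        if ip in ipaddress.ip_network(f'{p["ip_addr"]["addr"]}/{p["mask"]}'):
            return True
    return False


def lockout_check(acl: dict, my_client_ip: str, controller_ips: Iterable[str]) -> List[str]:
    """Return every address the list would shut out that must stay reachable:
    the operator's own client (the Caution above) and each cluster node (the
    Notes above: nodes must reach each other, and the internal analytics APIs
    need the nodes' management IPs in the HTTP(S) list)."""
    return [ip for ip in [my_client_ip, *controller_ips] if not is_allowed(acl, ip)]


if __name__ == "__main__":
    # Constructed sample values, not addresses from any real deployment.
    spec = "10.10.0.0/16, 3.3.3.0-3.3.3.100, 192.0.2.10"
    acl = parse_access_list(spec)
    gaps = lockout_check(acl, "198.51.100.7", ["10.10.1.1", "10.10.1.2", "10.10.1.3"])
    if gaps:
        print("not applying: these addresses would lose access:", ", ".join(gaps))
    else:
        print(json.dumps({"mgmt_ip_access_control": {"api_access": acl}}, indent=2))
```

Run as written, the script refuses the list because the operator's client 198.51.100.7 is outside it; add that host to the spec and it prints the api_access object, which is the value to place under mgmt_ip_access_control when you write the system configuration back with a PUT to /api/systemconfiguration (the write path is assumed here; the page only shows the GET). Build the ssh_access and shell_server_access lists the same way; they are evaluated separately.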

Allowed Ciphers and HMACs

The following REST API request retrieves the list of allowed ciphers and HMACs.

API: GET /api/systemconfiguration
Data:
{
    "email_configuration": {
        "from_email": "[email protected]",
        "mail_server_name": "localhost",
        "smtp_type": "SMTP_NONE",
        "mail_server_port": 25
    },
    ...

    "ssh_ciphers": [
        "aes128-ctr",
        "aes256-ctr",
        "aes192-cbc",
        "aes256-cbc"
    ],

    "ssh_hmacs": [
        "hmac-md5",
        "hmac-md5-96",
        "hmac-sha1",
        "[email protected]",
        "hmac-sha2-512"
    ]
}
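The following is an added example, not code from the Avi product or its documentation, covering the Restricting the Allowed Ciphers and Restricting the Allowed HMACs procedures and the ssh_ciphers / ssh_hmacs fields shown above. It audits a list of SSH algorithm names against the weaknesses named in those sections (RC4, CBC mode, 64-bit block ciphers, MD5, SHA-1, 96-bit truncated tags), returns the subset worth keeping, and formats that subset as the comma-separated value the Allowed Ciphers and Allowed HMACs fields expect. The cipher list is the default list from this page; the HMAC list is constructed from the REST output above, omitting the entry whose name is not legible on the page.

```python
import re
from typing import Dict, List, Tuple

# Default cipher list as given on this page.
DEFAULT_CIPHERS = [
    "aes128-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc",
    "3des-cbc", "blowfish-cbc", "aes192-cbc", "aes256-cbc",
]
# Constructed from the ssh_hmacs output above (one obscured entry left out).
SAMPLE_HMACS = ["hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha2-512"]

# Each pattern maps to the reason the algorithm should be dropped.
WEAK_CIPHER_PATTERNS: Dict[str, str] = {
    r"^arcfour": "RC4 stream cipher; broken, and not supported by the Controller",
    r"-cbc$": "CBC mode; plaintext-recovery attacks against SSH CBC",
    r"^3des": "3DES; 64-bit block size (Sweet32)",
    r"^blowfish": "Blowfish; 64-bit block size (Sweet32)",
}
WEAK_HMAC_PATTERNS: Dict[str, str] = {
    r"md5": "MD5-based MAC",
    r"sha1": "SHA-1-based MAC",
    r"-96$": "authentication tag truncated to 96 bits",
}


def audit(algos: List[str], patterns: Dict[str, str]) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a list of algorithm names into (keep, drop).

    keep preserves the Controller's order; drop maps each rejected name to the
    reasons that matched, so an algorithm can be rejected for more than one.
    """
    keep: List[str] = []
    drop: Dict[str, List[str]] = {}
    for name in algos:
        reasons = [why for pat, why in patterns.items() if re.search(pat, name)]
        if reasons:
            drop[name] = reasons
        else:
            keep.append(name)
    return keep, drop


def allowed_field(keep: List[str]) -> str:
    """Comma-separated value for the Allowed Ciphers / Allowed HMACs field."""
    return ",".join(keep)


if __name__ == "__main__":
    for label, algos, patterns in (
        ("ciphers", DEFAULT_CIPHERS, WEAK_CIPHER_PATTERNS),
        ("hmacs", SAMPLE_HMACS, WEAK_HMAC_PATTERNS),
    ):
        keep, drop = audit(algos, patterns)
        print(f"{label}: set Allowed field to: {allowed_field(keep)}")
        for name, reasons in drop.items():
            print(f"  drop {name}: {'; '.join(reasons)}")
```

After saving the restricted lists, confirm them from a client rather than trusting the UI: `ssh -o Ciphers=aes128-cbc admin@<controller>` should now fail with "no matching cipher found", and `ssh -o MACs=hmac-md5 admin@<controller>` with "no matching MAC found", while a session that offers only aes256-ctr and hmac-sha2-512 still connects.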

For more information, see Renewing Default (Self-Signed) Certificates on NSX Advanced Load Balancer.

For more information on how to change the default portal certificates, see the Change the Default Certificate of the Controller topic in the VMware Avi Load Balancer Configuration Guide.