The Avi Load Balancer supports layer 4 SSL virtual services. Client-facing ports can be configured either for SSL termination or for in-the-clear communication. For SSL termination of the HTTP protocol, use the HTTP/HTTPS application profile. Server-side communication can be clear or encrypted, but it has to be encrypted if the front end is clear.

Note:

The UI or the CLI can be used when client-facing ports are SSL-terminated. To make client-facing ports communicate in the clear while server-side ports are SSL-encrypted, the CLI mode must be used.

Client-Facing Ports are SSL-terminated

To apply and tune the client-facing port feature in the Avi Load Balancer UI:

  • Navigate to the Virtual Service Basic or Advanced Setup wizards. Select type SSL application.

  • Click SSL for Application Type. Default value for Port is 443 and can be changed. The required certificate can be self-signed or be one of the other certs visible in the drop-down menu.



  • As shown in the following figure, the default application profile, System-SSL-Application, appears under the Application tab of Templates. The Avi Load Balancer automatically associates it with SSL type applications, unless a change is made to the settings of the virtual service.



  • Edit the settings for the virtual service if the system-standard defaults, that is, the application, TCP/UDP, and SSL profiles, need to be changed. For instance,





  • To enable the PROXY protocol for your layer 4 SSL VS, or to tune the TCP connection rate limiter settings, use the application profile editor.

Note:

You have the option to enable either version 1 or version 2 of the PROXY protocol.



Client-Facing Ports are In-the-Clear

Support for this feature is accessible through the Avi Load Balancer CLI only.

[admin:Ctrl-01]: virtualservice> services
New object being created
[admin:Ctrl-01]: virtualservice:services> port 9000
[admin:Ctrl-01]: virtualservice:services> no enable_ssl
+--------------------+
| Field      | Value |
+--------------------+
| port       | 9000  |
| enable_ssl | False |
+--------------------+
[admin:Ctrl-01]: virtualservice:services> save
[admin:Ctrl-01]: virtualservice> save