To terminate client SSL connections, both an SSL profile and an SSL certificate must be assigned to the virtual service. Avi Load Balancer can accommodate a broader set of security needs within a client community by associating multiple SSL profiles with a single virtual service, allowing the Service Engines to choose among them based on the client’s IP address.

For more information about the basics of setting up an SSL/TLS profile, see the SSL/TLS Profile section.

Configuring SSL/ TLS Virtual Service

An SSL/TLS virtual service must be configured with a base SSL profile. That profile might be the system default profile shipped with every Avi Load Balancer release image or a custom-defined profile; the key point is that it must exist. Optionally, to treat some of the client community in a customized fashion, an authorized user may define and associate one or more profile selectors with the virtual service. Their presence triggers an algorithm within Avi Load Balancer that is based on the client’s IP address and may cause the Service Engine to apply profile parameters other than those defined in the base SSL profile.



Profile Selector Anatomy

A given virtual service may have several profile selectors; the image below depicts only one profile selector.

  1. A client IP list contains:

    1. An IP group reference: points at one or more IP groups and collectively identifies all the clients to which the SSL profile selector applies.

    2. A match criterion: specifies whether a client’s presence in, or absence from, the list causes it to take on the selector’s SSL profile parameters.

  2. An SSL profile reference (exactly one per selector) is an SSL profile with parameters such as SSL/TLS version, SSL timeout, ciphers, and so on.



Algorithm

  • If one or more profile selectors are associated with the virtual service, Avi Load Balancer checks each of them in turn and attempts to match the client’s IP address. Because the selector list is ordered, the same client may receive different results depending on the sequence of the selectors.

  • If, after checking the selectors, no SSL profile has been assigned to the client, the base SSL profile is applied.
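The selector walk described above, as an added example written for this page (not Avi Load Balancer's own implementation): it assumes that the first matching selector wins, and the IP group names, the match-criterion values IS_IN/IS_NOT_IN, and the profile names are constructed placeholders rather than values from the product's configuration schema.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample IP groups: group name -> prefixes it contains.
IP_GROUPS = {
    "corp-lan": ["10.0.0.0/8"],
    "legacy-partners": ["203.0.113.0/24"],
}

@dataclass
class SslProfileSelector:
    """One selector: a client IP list (IP group refs + match criterion) and exactly one SSL profile."""
    ip_group_refs: list       # names of IP groups referenced by the client IP list
    match_criterion: str      # "IS_IN" or "IS_NOT_IN" (hypothetical names, not the product's)
    ssl_profile: str          # SSL profile the selector applies when it matches

def client_in_groups(client_ip, group_refs, ip_groups=IP_GROUPS):
    """True if the client address falls in any prefix of any referenced IP group."""
    addr = ip_address(client_ip)
    return any(addr in ip_network(p) for g in group_refs for p in ip_groups[g])

def selector_matches(client_ip, sel, ip_groups=IP_GROUPS):
    """Apply the match criterion to the client's presence in (or absence from) the list."""
    present = client_in_groups(client_ip, sel.ip_group_refs, ip_groups)
    if sel.match_criterion == "IS_IN":
        return present
    if sel.match_criterion == "IS_NOT_IN":
        return not present
    raise ValueError(f"unknown match criterion {sel.match_criterion!r}")

def choose_ssl_profile(client_ip, selectors, base_profile, ip_groups=IP_GROUPS):
    """Walk the ordered selectors; first match wins (assumption). No match -> base profile."""
    for sel in selectors:
        if selector_matches(client_ip, sel, ip_groups):
            return sel.ssl_profile
    return base_profile

# Constructed policy: relaxed profile for legacy partners, strict profile for non-corporate
# clients, and the base profile for everyone else. Reordering these changes the outcome.
SELECTORS = [
    SslProfileSelector(["legacy-partners"], "IS_IN", "tls12-compat"),
    SslProfileSelector(["corp-lan"], "IS_NOT_IN", "internet-strict"),
]

if __name__ == "__main__":
    for ip in ("203.0.113.7", "10.1.2.3", "198.51.100.9"):
        print(ip, "->", choose_ssl_profile(ip, SELECTORS, "base-profile"))
```

Reversing SELECTORS makes the IS_NOT_IN selector claim the partner address first, which is the ordering effect the algorithm section warns about.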