This topic describes the security-related details of Avi Load Balancer.

What to read next

Overview of Avi Load Balancer Security
This section is focused on the security of Avi Load Balancer Service Engines and Controllers.

SSL Certificates
Avi Load Balancer supports terminating client SSL and TLS connections at the virtual service. This requires the virtual service to send clients a certificate that authenticates the site and establishes secure communication.

Multi-level Domain Support for SSL
Avi Load Balancer SSL support includes multi-level domain name support, which allows a pool to be configured with a list of domain names for server certificate verification. During SSL session setup between a back-end server and the Service Engine (SE), Avi Load Balancer checks the server's certificate for the domain names listed in the pool. If any of the listed domain names is found in the certificate, the SSL session is allowed. If the certificate presented by the back-end server contains none of the listed domain names, the SSL session is rejected.

OCSP Stapling in Avi Load Balancer
Online Certificate Status Protocol (OCSP) stapling is a TLS extension to OCSP: the server obtains the OCSP response for its own certificate and attaches ("staples") it to the TLS handshake, so the client can check the certificate's revocation status without contacting the OCSP responder itself. This section discusses OCSP stapling in detail.

Client SSL Certificate Validation
This article explains the application profile and PKI profile configurations used to validate client certificates.

Client-IP-based SSL Profiles
To terminate client SSL connections, both an SSL profile and an SSL certificate must be assigned to the virtual service. Avi Load Balancer can accommodate a broader set of security needs within a client community by associating multiple SSL profiles with a single virtual service and letting the Service Engines choose among them based on the client's IP address.
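The pool-side check described under Multi-level Domain Support for SSL, written out as an added example. This is not Avi Load Balancer code: it takes a server certificate in the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns (so it can also be pointed at a live back-end connection) and allows the session only if at least one of the pool's configured domain names is covered by the certificate. The sample certificate and pool domain lists are constructed for the example; wildcard handling follows the usual RFC 6125 rule that a wildcard may only replace the entire left-most label.

```python
"""Added example (not Avi Load Balancer code): accept a back-end server's
certificate only if it carries one of the domain names configured on the pool."""
from typing import Iterable


def _match_name(pattern: str, hostname: str) -> bool:
    """Match one certificate name against one pool hostname.

    A wildcard is honoured only as the entire left-most label, so
    '*.backend.example' matches 'api.backend.example' but neither
    'backend.example' nor 'a.b.backend.example'.
    """
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if not pattern.startswith('*.'):
        return pattern == hostname
    p_labels = pattern.split('.')
    h_labels = hostname.split('.')
    # Require at least two labels after the wildcard so '*.com' never matches.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_dns_names(cert: dict) -> list:
    """Collect the dNSName SAN entries of a getpeercert()-style dict.

    Falls back to the subject commonName only when the certificate carries
    no SAN extension at all, as TLS clients conventionally do.
    """
    names = [value for (kind, value) in cert.get('subjectAltName', ()) if kind == 'DNS']
    if names:
        return names
    for rdn in cert.get('subject', ()):
        for key, value in rdn:
            if key == 'commonName':
                names.append(value)
    return names


def pool_accepts_server_cert(pool_domains: Iterable[str], cert: dict) -> bool:
    """Allow the SSL session if any pool domain is covered by the certificate."""
    names = cert_dns_names(cert)
    return any(_match_name(name, domain) for domain in pool_domains for name in names)


# Constructed sample certificate: one exact SAN, one wildcard SAN, one IP SAN.
SAMPLE_CERT = {
    'subject': ((('commonName', 'app.internal.example'),),),
    'subjectAltName': (
        ('DNS', 'app.internal.example'),
        ('DNS', '*.backend.example'),
        ('IP Address', '10.0.0.5'),
    ),
}

# Constructed certificate with no SAN, so only the CN counts.
LEGACY_CERT = {'subject': ((('commonName', 'legacy.example'),),)}


if __name__ == '__main__':
    for domains in (['app.internal.example'], ['api.backend.example'], ['backend.example']):
        print(domains, '->', 'allowed' if pool_accepts_server_cert(domains, SAMPLE_CERT) else 'rejected')
```

When run against a real back-end, call ssl.SSLSocket.getpeercert() after the handshake and pass the result in place of SAMPLE_CERT; note that getpeercert() only returns the populated dictionary when the socket was created with certificate verification enabled.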
SSL/TLS Profile
Avi Load Balancer supports terminating SSL connections between the client and the virtual service, and enabling encryption between Avi Load Balancer and the back-end servers.

SSL Client Cipher in Application Logs on Avi Load Balancer
Avi Load Balancer supports capturing the SSL client's cipher details in the application logs. It records the cipher suites offered by the client in the SSL ClientHello. The cipher details used to establish an SSL connection with a virtual service are available in the application log.

Server Name Indication
Server Name Indication (SNI) is a method of virtual hosting multiple domain names on a single SSL-enabled virtual IP. One VIP is advertised for multiple virtual services. When a client connects to the VIP, Avi Load Balancer begins the SSL/TLS negotiation and chooses the virtual service and SSL certificate only once the client has requested the site by name through the server_name field of the TLS ClientHello. If the requested domain name is configured on the virtual IP, the matching certificate is returned to the client and the connection is bound to the proper virtual service.

True Client IP in L7 Security Features
This section discusses the advantages of using True Client IP and its configuration.

App Transport Security
With iOS 9 and later, Apple has mandated minimum security settings to comply with its App Transport Security (ATS) standard. To enable this level of SSL security for applications proxied by Avi Load Balancer, use the settings described in that section for SSL/TLS Certificates and SSL/TLS Profiles.

Venafi Integration
Avi Load Balancer can be set up to integrate with the Venafi Trust Protection Platform (TPP) to automate SSL and TLS certificate life-cycle management. All certificates are protected and controlled through TPP, and the process is transparent to the Avi Load Balancer Controllers.
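Both the SSL Client Cipher in Application Logs passage and the Server Name Indication passage above depend on the same handshake message: the TLS ClientHello carries the client's offered cipher suites and, in its server_name extension, the host the client is asking for. The added example below (not Avi Load Balancer code) builds a minimal ClientHello record, parses the cipher suites and SNI back out of the raw bytes, renders the suites the way a log field might, and uses the SNI value to pick a virtual service and certificate behind one VIP. The cipher-suite name table, the virtual-service table and the hostnames are assumptions constructed for the example.

```python
"""Added example (not Avi Load Balancer code): extract cipher suites and SNI from
a TLS ClientHello and route the connection by SNI."""
import struct

# Subset of IANA cipher suite codes, used only to name suites in the log field.
CIPHER_NAMES = {
    0x1301: 'TLS_AES_128_GCM_SHA256',
    0x1302: 'TLS_AES_256_GCM_SHA384',
    0xC02F: 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    0xC030: 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    0x002F: 'TLS_RSA_WITH_AES_128_CBC_SHA',
}


def build_client_hello(server_name, cipher_suites):
    """Serialise a minimal TLS 1.2-style ClientHello record (constructed test input)."""
    suites = b''.join(struct.pack('!H', c) for c in cipher_suites)
    body = b'\x03\x03' + b'\x11' * 32 + b'\x00'               # version, random, empty session id
    body += struct.pack('!H', len(suites)) + suites
    body += b'\x01\x00'                                         # one compression method: null
    ext = b''
    if server_name is not None:
        host = server_name.encode('ascii')
        name = b'\x00' + struct.pack('!H', len(host)) + host    # name_type host_name(0)
        sni = struct.pack('!H', len(name)) + name               # ServerNameList
        ext = struct.pack('!HH', 0x0000, len(sni)) + sni        # extension type server_name(0)
    body += struct.pack('!H', len(ext)) + ext
    hs = b'\x01' + len(body).to_bytes(3, 'big') + body          # handshake type client_hello(1)
    return b'\x16\x03\x01' + struct.pack('!H', len(hs)) + hs    # record type handshake(22)


def parse_client_hello(data):
    """Return (cipher_suite_codes, server_name_or_None); raise ValueError if malformed."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError('not a TLS handshake record')
    rec_len = struct.unpack('!H', data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01 or int.from_bytes(hs[1:4], 'big') != len(hs) - 4:
        raise ValueError('not a complete ClientHello')
    try:
        pos = 4 + 2 + 32                                        # skip version and random
        pos += 1 + hs[pos]                                      # skip session id
        cs_len = struct.unpack('!H', hs[pos:pos + 2])[0]
        pos += 2
        if cs_len % 2 or pos + cs_len > len(hs):
            raise ValueError('bad cipher_suites length')
        suites = [struct.unpack('!H', hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + hs[pos]                                      # skip compression methods
        server_name = None
        if pos + 2 <= len(hs):                                  # extensions block is optional
            ext_len = struct.unpack('!H', hs[pos:pos + 2])[0]
            pos += 2
            end = pos + ext_len
            while pos + 4 <= end:
                etype, elen = struct.unpack('!HH', hs[pos:pos + 4])
                pos += 4
                edata = hs[pos:pos + elen]
                pos += elen
                # server_name extension: list length(2), name_type(1), name length(2), name
                if etype == 0x0000 and len(edata) >= 5 and edata[2] == 0x00:
                    nlen = struct.unpack('!H', edata[3:5])[0]
                    server_name = edata[5:5 + nlen].decode('ascii')
    except (IndexError, struct.error) as exc:
        raise ValueError('truncated ClientHello') from exc
    return suites, server_name


def cipher_log_field(suites):
    """Render the offered suites as a log field, naming the ones we know."""
    return ','.join(CIPHER_NAMES.get(c, '0x%04X' % c) for c in suites)


# Virtual services hosted behind one VIP, keyed by SNI (assumed names).
VIRTUAL_SERVICES = {
    'www.example.com': ('vs-www', 'cert-www-example-com'),
    'api.example.com': ('vs-api', 'cert-api-example-com'),
}
DEFAULT_VS = ('vs-default', 'cert-default')


def select_virtual_service(server_name):
    """Choose the virtual service and certificate for a ClientHello's SNI value.
    A missing or unknown name falls back to the VIP's default virtual service."""
    if server_name is None:
        return DEFAULT_VS
    return VIRTUAL_SERVICES.get(server_name.lower(), DEFAULT_VS)


if __name__ == '__main__':
    hello = build_client_hello('api.example.com', [0x1301, 0xC02F, 0x002F])
    suites, sni = parse_client_hello(hello)
    print('sni=%s ciphers=%s vs=%s' % (sni, cipher_log_field(suites), select_virtual_service(sni)))
```

The parser stops at the first ServerName entry because RFC 6066 permits only one host_name per ClientHello; a real capture taken off a listening socket can be passed to parse_client_hello() unchanged, provided the whole record has been read.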