Use the Policies tab to define policies or DataScripts for the virtual service. Policies and DataScripts consist of one or more rules that control the flow of connections or requests through the virtual service, enforcing security and modifying client request or server response attributes. Each rule is a match/action pair that uses if/then logic: when the match condition evaluates to true, the rule matches and the corresponding actions are performed. Policies are simple, wizard-driven logic built in the GUI, whereas DataScripts allow more powerful manipulation using Avi Load Balancer's Lua-based scripting language.

Procedure

  1. Configure Network Security to explicitly allow or block traffic based on network (TCP/UDP) information.

    1. Select the IP Reputation DB.
    2. Select the Geo DB.
    3. Click + to view the Add Network Security Rule sub-screen.
    4. Select the Logging check box for Avi Load Balancer to log when an action has been invoked.
    5. Under Matching Rules, select the network security match criteria from the Add New Match drop-down menu. For example, Service Port is 80.
    6. Under Actions, select a configurable action to be implemented when the match criteria is met. For more information, see Network Security section in Virtual Service Policies.
    7. In the Role-Based Access Control (RBAC) section click ADD and configure the Key and the corresponding Value to provide granular access to control, manage and monitor applications. For more information, see Granular Role Based Access Controls per App in the VMware NSX Advanced Load Balancer Administration Guide.
    8. Click Save Rule.
  2. Similarly, configure HTTP Security, HTTP Request, HTTP Response rules, as required.
  3. Under DataScripts, click Add DataScript.
    1. Select the Script to Execute from the drop-down menu or Create DataScript.
    2. Click Save DataScript.
  4. Author custom authentication policies and attach the policies to identity providers (IdP). Under Access, select and configure one of the following:
    Option Description

    SAML

    Security Assertion Markup Language (SAML) is an XML-based markup language for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). To learn how to configure an application for SAML-based authentication, create an SSO policy, and bind it to the virtual service, see SAML Configuration on NSX Advanced Load Balancer.

    JWT

    JWT validation is supported as one of the access policies for secure communication through NSX Advanced Load Balancer. It is based on a JSON Web Token (JWT) issued by an authorization server, which the load balancer validates before forwarding the request. To learn more, see the Configuring NSX Advanced Load Balancer for JSON Web Tokens (JWT) Validation section in the VMware Avi Load Balancer Administration Guide.

    LDAP

    LDAP is an extension of the basic authentication policy: the user name and password supplied by the client are authenticated against the target LDAP server. LDAP is a commonly used protocol for accessing a directory service, which is a hierarchical, object-oriented database that stores user and group entries for an authentication system. Avi Load Balancer supports LDAP authentication for virtual services. To learn more, see the Basic Authentication section in the VMware Avi Load Balancer Administration Guide.

    OAuth

  5. Click Next.
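The network security and HTTP security rules built in steps 1 and 2 are match/action pairs; the DataScript attached in step 3 expresses the same logic in Lua. The script below is an added example written for this page, not a DataScript shipped with the product or taken from the VMware documentation. It is meant to run on the HTTP_REQ event and assumes the DataScript API calls `avi.http.get_path()`, `avi.http.get_method()`, `avi.http.get_header()`, `avi.vs.client_ip()`, `avi.vs.log()`, `avi.http.close_conn()` and `avi.http.response()`; the path prefix, address prefixes and User-Agent strings are constructed for illustration.

```lua
-- Added example DataScript for the HTTP_REQ event.
-- Assumed API: avi.http.get_path(), avi.http.get_method(), avi.http.get_header(),
-- avi.vs.client_ip(), avi.vs.log(), avi.http.close_conn(), avi.http.response().
-- Constants below are constructed for illustration, not taken from the page.

local ADMIN_PREFIX = "/admin"                                -- constructed path prefix
local ADMIN_ALLOWED_PREFIXES = { "10.0.0.", "192.168.1." }   -- constructed address prefixes
local BLOCKED_AGENT_SUBSTRINGS = { "sqlmap", "nikto" }        -- constructed scanner names

-- Plain string-prefix match on the dotted-quad client address.
-- This is not CIDR matching; it is only meant to mirror a "Client IP is in" rule.
local function ip_allowed(client_ip)
  for _, prefix in ipairs(ADMIN_ALLOWED_PREFIXES) do
    if client_ip:sub(1, #prefix) == prefix then
      return true
    end
  end
  return false
end

-- Case-insensitive substring search for known scanner User-Agents.
-- string.find with plain=true avoids Lua pattern interpretation of the needle.
local function agent_blocked(user_agent)
  local ua = string.lower(user_agent)
  for _, needle in ipairs(BLOCKED_AGENT_SUBSTRINGS) do
    if string.find(ua, needle, 1, true) then
      return true
    end
  end
  return false
end

local path   = avi.http.get_path()
local method = avi.http.get_method()
local ua     = avi.http.get_header("User-Agent") or ""   -- header may be absent
local cip    = avi.vs.client_ip()

-- Rule 1 (match: User-Agent contains scanner name; action: log, close connection).
-- This is the DataScript equivalent of an HTTP Security rule with a Close action.
if agent_blocked(ua) then
  avi.vs.log("blocked scanner User-Agent from " .. cip)
  avi.http.close_conn()
end

-- Rule 2 (match: path starts with /admin AND client IP not in allow list;
-- action: log, respond 403). Equivalent to an HTTP Security rule with a
-- Send Response action; a request that matches neither rule passes through.
if path:sub(1, #ADMIN_PREFIX) == ADMIN_PREFIX and not ip_allowed(cip) then
  avi.vs.log("denied " .. method .. " " .. path .. " from " .. cip)
  avi.http.response(403, { content_type = "text/plain" }, "Forbidden")
end
```

Both rules log before acting, which corresponds to the Logging check box in step 1.4; without a log entry a blocked request leaves no trace for incident responders. In a production script the address check would reference an IP Group maintained on the Controller rather than a hard-coded prefix list, so that the allow list can be changed without editing the DataScript.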