mTLS (mutual Transport Layer Security) is an extension of the TLS standard. It refers to TLS in which authentication is established on both the client and the server side.
Prior to Avi Load Balancer 22.1.3, enabling mTLS on GSLB health monitors was not permitted because some of the required configuration objects, such as PKI profiles and SSL profiles, were not federated. Starting with 22.1.3, mTLS can be enabled on GSLB health monitors.
The GSLB HTTPS health monitor can now have SSL attributes associated with it. A GSLB HTTPS health monitor with SSL attributes authenticates itself as a client while health-monitoring the GSLB service pool members (virtual services), thus achieving mTLS authentication.
Enabling mTLS in GSLB Health Monitor
Follow the steps below to complete the configuration required for enabling mTLS on a GSLB health monitor.
SSL Profile:
Navigate to
and create an SSL profile. Select the Is Federated check box as shown below.
For more details about SSL profile, see SSL/TLS Profile in the VMware Avi Load Balancer Configuration Guide.
SSL Key and Certificate:
Navigate to
and create an SSL key and certificate. Select the Is Federated check box as shown below.
For more details about SSL Key and certificate, see SSL Certificates in the VMware Avi Load Balancer Configuration Guide.
PKI Profile:
Navigate to
and create a PKI profile. Select the Is Federated check box as shown below.
For more details about PKI profile, see PKI Profile in the VMware Avi Load Balancer Configuration Guide.
Health Monitors:
Navigate to
and create a health monitor of the type HTTPS and select the Is Federated check box as shown below.
Navigate to the Server Maintenance Mode tab for the health monitor created in the previous step, and select the SSL Attributes check box.
Select the SSL profile, SSL certificate, and PKI profile created in the previous steps.
Associate the health monitor created in the previous step to the GSLB Service as per the requirement.
Support for Manual Resume/Manual Failback for GSLB Service
Consider a GSLB setup using a GSLB service configured with the priority-based algorithm. Pool 1 is configured with priority 1, and Pool 2 is configured with priority 10. With the default setting, Pool 1 serves all the traffic as it has the highest priority. When Pool 1 goes down, Pool 2 handles all the requests. Once Pool 1 comes back up, requests are accepted by Pool 1 again, not by Pool 2.
Starting with Avi Load Balancer 22.1.3, a manual resume option for GSLB pool members is available for GSLB services. If the manual resume option is enabled for a GSLB pool, a pool member that goes down is kept in the down state until it is deactivated and enabled again. A user can manually resume traffic to a pool member by deactivating and then enabling the pool member.
When the manual resume option is enabled for a group or pool, the backup pool member keeps accepting requests even after the primary pool member comes back up. Once manual resume is deactivated, requests are accepted by the primary pool or load balanced as per the algorithm.
The following steps demonstrate how to enable and deactivate the manual resume option for a GSLB pool. Log in to the Controller shell, enter configure gslbservice <service name>, select the desired group with groups index <n>, and enter manual_resume to enable the option.
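As an added illustration, not Avi Load Balancer code, the following Python model captures the behaviour described above: priority-ordered pool selection in which, with manual_resume set, a member that went down stays down until it is deactivated and enabled again, and switching manual_resume off releases it. The pool names and member IPs used with it are constructed.

```python
# Added model of the manual_resume behaviour described above, not Avi Load
# Balancer code; pool names and member IPs used with it are constructed.
from dataclasses import dataclass

@dataclass
class Member:
    ip: str
    enabled: bool = True      # operator enable/deactivate state
    healthy: bool = True      # latest health-monitor verdict
    held_down: bool = False   # latched by manual_resume after a failure

    def is_up(self) -> bool:
        return self.enabled and self.healthy and not self.held_down

@dataclass
class Group:
    name: str
    members: list
    manual_resume: bool = False

    def member(self, ip: str) -> Member:
        return next(m for m in self.members if m.ip == ip)

    def health_event(self, ip: str, healthy: bool) -> None:
        """Health monitor reports a member up or down."""
        m = self.member(ip)
        m.healthy = healthy
        if not healthy and self.manual_resume:
            m.held_down = True  # stays down until deactivated and enabled again

    def set_member_enabled(self, ip: str, enabled: bool) -> None:
        """Operator deactivates or enables a member; enabling clears the latch."""
        m = self.member(ip)
        m.enabled = enabled
        if enabled:
            m.held_down = False

    def set_manual_resume(self, on: bool) -> None:
        """Switching manual_resume off releases every latched member."""
        self.manual_resume = on
        if not on:
            for m in self.members:
                m.held_down = False

def serving_group(groups: list):
    """Priority algorithm: first listed group with an up member serves, else None."""
    for g in groups:
        if any(m.is_up() for m in g.members):
            return g.name
    return None
```

Groups are passed most-preferred first (Pool 1 before Pool 2 in the scenario above), so the caller decides the priority order rather than the model.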
[admin:controller-1-site-a]: > configure gslbservice GS-test
Updating an existing object. Currently, the object is:
+----------------------------------+--------------------------------------------------+
| Field                            | Value                                            |
+----------------------------------+--------------------------------------------------+
| uuid                             | gslbservice-1a412ece-6f24-458e-af7d-a3e53b0f75ea |
| name                             | GS-test                                          |
| domain_names[1]                  | resume.avi.com                                   |
| groups[1]                        |                                                  |
|   name                           | GS-test                                          |
|   priority                       | 9                                                |
|   algorithm                      | GSLB_ALGORITHM_ROUND_ROBIN                       |
|   members[1]                     |                                                  |
|     cluster_uuid                 | tp_cluster-ef618334-10ba-42bc-8252-37cf51107a5d  |
|     ip                           | 100.66.122.85                                    |
|     ratio                        | 1                                                |
|     enabled                      | True                                             |
|     resolve_fqdn_to_v6           | False                                            |
|     preference_order             | 1                                                |
|   enabled                        | True                                             |
|   manual_resume                  | False                                            |
| down_response                    |                                                  |
|   type                           | GSLB_SERVICE_DOWN_RESPONSE_NONE                  |
| health_monitor_refs[1]           | System-GSLB-HTTP                                 |
| controller_health_status_enabled | True                                             |
| health_monitor_scope             | GSLB_SERVICE_HEALTH_MONITOR_ALL_MEMBERS          |
| enabled                          | True                                             |
| use_edns_client_subnet           | True                                             |
| wildcard_match                   | False                                            |
| site_persistence_enabled         | False                                            |
| pool_algorithm                   | GSLB_SERVICE_ALGORITHM_PRIORITY                  |
| min_members                      | 0                                                |
| resolve_cname                    | False                                            |
| is_federated                     | True                                             |
| tenant_ref                       | admin                                            |
+----------------------------------+--------------------------------------------------+
[admin:controller-1-site-a]: gslbservice> groups index 1
[admin:controller-1-site-a]: gslbservice:groups> manual_resume
Overwriting the previously entered value for manual_resume
[admin:controller-1-site-a]: gslbservice:groups> save
[admin:controller-1-site-a]: gslbservice> save
+----------------------------------+--------------------------------------------------+
| Field                            | Value                                            |
+----------------------------------+--------------------------------------------------+
| uuid                             | gslbservice-1a412ece-6f24-458e-af7d-a3e53b0f75ea |
| name                             | GS-test                                          |
| domain_names[1]                  | resume.avi.com                                   |
| groups[1]                        |                                                  |
|   name                           | GS-test                                          |
|   priority                       | 9                                                |
|   algorithm                      | GSLB_ALGORITHM_ROUND_ROBIN                       |
|   members[1]                     |                                                  |
|     cluster_uuid                 | tp_cluster-ef618334-10ba-42bc-8252-37cf51107a5d  |
|     ip                           | 100.66.122.85                                    |
|     ratio                        | 1                                                |
|     enabled                      | True                                             |
|     resolve_fqdn_to_v6           | False                                            |
|     preference_order             | 1                                                |
|   enabled                        | True                                             |
|   manual_resume                  | True                                             |
| down_response                    |                                                  |
|   type                           | GSLB_SERVICE_DOWN_RESPONSE_NONE                  |
| health_monitor_refs[1]           | System-GSLB-HTTP                                 |
| controller_health_status_enabled | True                                             |
| health_monitor_scope             | GSLB_SERVICE_HEALTH_MONITOR_ALL_MEMBERS          |
| enabled                          | True                                             |
| use_edns_client_subnet           | True                                             |
| wildcard_match                   | False                                            |
| site_persistence_enabled         | False                                            |
| pool_algorithm                   | GSLB_SERVICE_ALGORITHM_PRIORITY                  |
| min_members                      | 0                                                |
| resolve_cname                    | False                                            |
| is_federated                     | True                                             |
| tenant_ref                       | admin                                            |
+----------------------------------+--------------------------------------------------+
[admin:controller-1-site-a]: >
Use the no manual_resume command to deactivate the manual resume option for the desired group of a GSLB service.
[admin:controller-1-site-a]: > configure gslbservice GS-test
Updating an existing object. Currently, the object is:
+----------------------------------+--------------------------------------------------+
| Field                            | Value                                            |
+----------------------------------+--------------------------------------------------+
| uuid                             | gslbservice-1a412ece-6f24-458e-af7d-a3e53b0f75ea |
| name                             | GS-test                                          |
| domain_names[1]                  | resume.avi.com                                   |
| groups[1]                        |                                                  |
|   name                           | GS-test                                          |
|   priority                       | 9                                                |
|   algorithm                      | GSLB_ALGORITHM_ROUND_ROBIN                       |
|   members[1]                     |                                                  |
|     cluster_uuid                 | tp_cluster-ef618334-10ba-42bc-8252-37cf51107a5d  |
|     ip                           | 100.66.122.85                                    |
|     ratio                        | 1                                                |
|     enabled                      | True                                             |
|     resolve_fqdn_to_v6           | False                                            |
|     preference_order             | 1                                                |
|   enabled                        | True                                             |
|   manual_resume                  | True                                             |
| down_response                    |                                                  |
|   type                           | GSLB_SERVICE_DOWN_RESPONSE_NONE                  |
| health_monitor_refs[1]           | System-GSLB-HTTP                                 |
| controller_health_status_enabled | True                                             |
| health_monitor_scope             | GSLB_SERVICE_HEALTH_MONITOR_ALL_MEMBERS          |
| enabled                          | True                                             |
| use_edns_client_subnet           | True                                             |
| wildcard_match                   | False                                            |
| site_persistence_enabled         | False                                            |
| pool_algorithm                   | GSLB_SERVICE_ALGORITHM_PRIORITY                  |
| min_members                      | 0                                                |
| resolve_cname                    | False                                            |
| is_federated                     | True                                             |
| tenant_ref                       | admin                                            |
+----------------------------------+--------------------------------------------------+
[admin:controller-1-site-a]: gslbservice> groups index 1
[admin:controller-1-site-a]: gslbservice:groups> no manual_resume
+----------------------+-------------------------------------------------+
| Field                | Value                                           |
+----------------------+-------------------------------------------------+
| name                 | GS-test                                         |
| priority             | 9                                               |
| algorithm            | GSLB_ALGORITHM_ROUND_ROBIN                      |
| members[1]           |                                                 |
|   cluster_uuid       | tp_cluster-ef618334-10ba-42bc-8252-37cf51107a5d |
|   ip                 | 100.66.122.85                                   |
|   ratio              | 1                                               |
|   enabled            | True                                            |
|   resolve_fqdn_to_v6 | False                                           |
|   preference_order   | 1                                               |
| enabled              | True                                            |
| manual_resume        | False                                           |
+----------------------+-------------------------------------------------+
[admin:controller-1-site-a]: gslbservice:groups> save
[admin:controller-1-site-a]: gslbservice> save
+----------------------------------+--------------------------------------------------+
| Field                            | Value                                            |
+----------------------------------+--------------------------------------------------+
| uuid                             | gslbservice-1a412ece-6f24-458e-af7d-a3e53b0f75ea |
| name                             | GS-test                                          |
| domain_names[1]                  | resume.avi.com                                   |
| groups[1]                        |                                                  |
|   name                           | GS-test                                          |
|   priority                       | 9                                                |
|   algorithm                      | GSLB_ALGORITHM_ROUND_ROBIN                       |
|   members[1]                     |                                                  |
|     cluster_uuid                 | tp_cluster-ef618334-10ba-42bc-8252-37cf51107a5d  |
|     ip                           | 100.66.122.85                                    |
|     ratio                        | 1                                                |
|     enabled                      | True                                             |
|     resolve_fqdn_to_v6           | False                                            |
|     preference_order             | 1                                                |
|   enabled                        | True                                             |
|   manual_resume                  | False                                            |
| down_response                    |                                                  |
|   type                           | GSLB_SERVICE_DOWN_RESPONSE_NONE                  |
| health_monitor_refs[1]           | System-GSLB-HTTP                                 |
| controller_health_status_enabled | True                                             |
| health_monitor_scope             | GSLB_SERVICE_HEALTH_MONITOR_ALL_MEMBERS          |
| enabled                          | True                                             |
| use_edns_client_subnet           | True                                             |
| wildcard_match                   | False                                            |
| site_persistence_enabled         | False                                            |
| pool_algorithm                   | GSLB_SERVICE_ALGORITHM_PRIORITY                  |
| min_members                      | 0                                                |
| resolve_cname                    | False                                            |
| is_federated                     | True                                             |
| tenant_ref                       | admin                                            |
+----------------------------------+--------------------------------------------------+
[admin:controller-1-site-a]: >
The manual resume option is a group-level knob, and it applies to all the pool members of the specified group.
Each pool member must be associated with an Avi Load Balancer site or a third-party site.
If a pool member goes down on one site, it goes down on all the SEs hosting the GSLB service on all the sites.
Deactivating and enabling a site translates to deactivating and enabling each member belonging to that site.
Propagation of status depends on the control plane syncing interval (gslb_send interval).
Manual Resume Option for Multiple Group Setup
The same steps apply to a GSLB service configured with multiple groups.
[admin:controller-1-site-a]: > configure gslbservice GS-test
Updating an existing object. Currently, the object is:
+----------------------------------+--------------------------------------------------+
| Field                            | Value                                            |
+----------------------------------+--------------------------------------------------+
| uuid                             | gslbservice-1a412ece-6f24-458e-af7d-a3e53b0f75ea |
| name                             | GS-test                                          |
| domain_names[1]                  | resume.avi.com                                   |
| groups[1]                        |                                                  |
|   name                           | GS-test                                          |
|   priority                       | 9                                                |
|   algorithm                      | GSLB_ALGORITHM_ROUND_ROBIN                       |
|   members[1]                     |                                                  |
|     cluster_uuid                 | tp_cluster-ef618334-10ba-42bc-8252-37cf51107a5d  |
|     ip                           | 100.66.122.85                                    |
|     ratio                        | 1                                                |
|     enabled                      | True                                             |
|     resolve_fqdn_to_v6           | False                                            |
|     preference_order             | 1                                                |
|   members[2]                     |                                                  |
|     cluster_uuid                 | tp_cluster-ef618334-10ba-42bc-8252-37cf51107a5d  |
|     ip                           | 100.66.122.86                                    |
|     ratio                        | 1                                                |
|     enabled                      | True                                             |
|     resolve_fqdn_to_v6           | False                                            |
|     preference_order             | 1                                                |
|   enabled                        | True                                             |
|   manual_resume                  | True                                             |
| groups[2]                        |                                                  |
|   name                           | GS-test-pool-2                                   |
|   priority                       | 10                                               |
|   algorithm                      | GSLB_ALGORITHM_ROUND_ROBIN                       |
|   members[1]                     |                                                  |
|     cluster_uuid                 | tp_cluster-5e47e567-5542-4c03-bad8-84dbc882be69  |
|     ip                           | 100.66.122.87                                    |
|     ratio                        | 1                                                |
|     enabled                      | True                                             |
|     resolve_fqdn_to_v6           | False                                            |
|     preference_order             | 1                                                |
|   members[2]                     |                                                  |
|     cluster_uuid                 | tp_cluster-2a7b5f95-8a25-4130-ae23-549a9e258f5d  |
|     ip                           | 100.66.122.88                                    |
|     ratio                        | 1                                                |
|     enabled                      | True                                             |
|     resolve_fqdn_to_v6           | False                                            |
|     preference_order             | 1                                                |
|   enabled                        | True                                             |
|   manual_resume                  | False                                            |
| down_response                    |                                                  |
|   type                           | GSLB_SERVICE_DOWN_RESPONSE_NONE                  |
| health_monitor_refs[1]           | System-GSLB-HTTP                                 |
| controller_health_status_enabled | True                                             |
| health_monitor_scope             | GSLB_SERVICE_HEALTH_MONITOR_ALL_MEMBERS          |
| enabled                          | True                                             |
| use_edns_client_subnet           | True                                             |
| wildcard_match                   | False                                            |
| site_persistence_enabled         | False                                            |
| pool_algorithm                   | GSLB_SERVICE_ALGORITHM_PRIORITY                  |
| min_members                      | 0                                                |
| resolve_cname                    | False                                            |
| is_federated                     | True                                             |
| tenant_ref                       | admin                                            |
+----------------------------------+--------------------------------------------------+
[admin:controller-1-site-a]: gslbservice> groups index 2
[admin:controller-1-site-a]: gslbservice:groups> manual_resume
Overwriting the previously entered value for manual_resume
[admin:controller-1-site-a]: gslbservice:groups> save
[admin:controller-1-site-a]: gslbservice> save
+----------------------------------+--------------------------------------------------+
| Field                            | Value                                            |
+----------------------------------+--------------------------------------------------+
| uuid                             | gslbservice-1a412ece-6f24-458e-af7d-a3e53b0f75ea |
| name                             | GS-test                                          |
| domain_names[1]                  | resume.avi.com                                   |
| groups[1]                        |                                                  |
|   name                           | GS-test                                          |
|   priority                       | 9                                                |
|   algorithm                      | GSLB_ALGORITHM_ROUND_ROBIN                       |
|   members[1]                     |                                                  |
|     cluster_uuid                 | tp_cluster-ef618334-10ba-42bc-8252-37cf51107a5d  |
|     ip                           | 100.66.122.85                                    |
|     ratio                        | 1                                                |
|     enabled                      | True                                             |
|     resolve_fqdn_to_v6           | False                                            |
|     preference_order             | 1                                                |
|   members[2]                     |                                                  |
|     cluster_uuid                 | tp_cluster-ef618334-10ba-42bc-8252-37cf51107a5d  |
|     ip                           | 100.66.122.86                                    |
|     ratio                        | 1                                                |
|     enabled                      | True                                             |
|     resolve_fqdn_to_v6           | False                                            |
|     preference_order             | 1                                                |
|   enabled                        | True                                             |
|   manual_resume                  | True                                             |
| groups[2]                        |                                                  |
|   name                           | GS-test-pool-2                                   |
|   priority                       | 10                                               |
|   algorithm                      | GSLB_ALGORITHM_ROUND_ROBIN                       |
|   members[1]                     |                                                  |
|     cluster_uuid                 | tp_cluster-5e47e567-5542-4c03-bad8-84dbc882be69  |
|     ip                           | 100.66.122.87                                    |
|     ratio                        | 1                                                |
|     enabled                      | True                                             |
|     resolve_fqdn_to_v6           | False                                            |
|     preference_order             | 1                                                |
|   members[2]                     |                                                  |
|     cluster_uuid                 | tp_cluster-2a7b5f95-8a25-4130-ae23-549a9e258f5d  |
|     ip                           | 100.66.122.88                                    |
|     ratio                        | 1                                                |
|     enabled                      | True                                             |
|     resolve_fqdn_to_v6           | False                                            |
|     preference_order             | 1                                                |
|   enabled                        | True                                             |
|   manual_resume                  | True                                             |
| down_response                    |                                                  |
|   type                           | GSLB_SERVICE_DOWN_RESPONSE_NONE                  |
| health_monitor_refs[1]           | System-GSLB-HTTP                                 |
| controller_health_status_enabled | True                                             |
| health_monitor_scope             | GSLB_SERVICE_HEALTH_MONITOR_ALL_MEMBERS          |
| enabled                          | True                                             |
| use_edns_client_subnet           | True                                             |
| wildcard_match                   | False                                            |
| site_persistence_enabled         | False                                            |
| pool_algorithm                   | GSLB_SERVICE_ALGORITHM_PRIORITY                  |
| min_members                      | 0                                                |
| resolve_cname                    | False                                            |
| is_federated                     | True                                             |
| tenant_ref                       | admin                                            |
+----------------------------------+--------------------------------------------------+
[admin:controller-1-site-a]: >