AVI Use Case Testing

# AVI Use Case Testing ###### tags: `AVI use case`, `how-to` ## Table of Content [ToC] ## Lab Diagram - Physical ![](https://i.imgur.com/v8Qsm4e.png) ## Lab Diagram Logical ![](https://i.imgur.com/Ku8P1o2.png) ## Scenarios 1. SSL bridging Use case with two-way ssl with Http context path modification with custom persistence . 2. Use case scenario with Custom http Request rewriting for client and http header modification for server side. http-x-forward function to be enabled 4. Explicit Proxy use case for Avi 5. Use case with SNI based URI routing with Custom snat IP address for different Pool 6. GSLB + AVI Load balancer use case with Geo Proximity with Fall back Pool 7. AVI Load balancer use case with support for WebSocket protocol with FQDN pool member 8. Layer 4 Load balancing without SNAT ## 1. SSL Bridging This scenario involves a two-way SSL (client side and server side) with HTTP context path modification and custom persistence ### Enable two-way SSL (client side and server side) Enable SSL on Virtual Service (Client side) ![](https://i.imgur.com/16E0wSa.png) Enable SSL on Pool (server side) ![](https://i.imgur.com/nch2VIn.png) ### Create HTTP context path modification Edit the HTTP Request policy in the Virtual Service, choose the match (in this case: Path) ![](https://i.imgur.com/jo3avIN.png) Choose the action (in this case: Content Switch) ![](https://i.imgur.com/FhXlPpA.png) Choose the other pool to switch into, you can create new pool as well. ![](https://i.imgur.com/Vnlpwrv.png) ### Create Custom Persistence Persistence profile can be attached to the pool ![](https://i.imgur.com/bMDjvLC.png) You can create custom profile based on specific app cookie or custom HTTP header ![](https://i.imgur.com/zSAPNRw.png) ## 2. Custom HTTP Request Rewriting This scenario is a custom HTTP request rewriting for client and HTTP header modification for server side. ### Create Custom HTTP Request Rewrite The options for match: - Client IP - Service Port - Protocol type - HTTP Method - Path - Query - Headers - Cookie - Host Header ![](https://i.imgur.com/jvbTL3z.png) For action, you have options to modify the header or to rewrite the path ![](https://i.imgur.com/KI0noRG.png) ### Adding x-forwarded-for Adding the x-forwarded-for is available in the application profile attached to the Virtual Service. In this case it's HTTPS application profile. In this HTTP profile, you have option to enable: - Connection multiplex - X-forwarded-for - Read true Client IP in HTTP header - Enforce HTTPS by redirecting or inserting HSTS response - Do client SSL certificate validation (in HTTPS app profile) - Enable compression and caching - Configure DDoS profile such as rate limit or timeout settings ![](https://i.imgur.com/3DJBW3b.png) ![](https://i.imgur.com/iC81dKk.png) ## 3. Explicit Proxy AVI does not do forward proxy ## 4. SNI based URI routing This scenario is a Virtual service which has routing based on Server Name Indication (SNI) and custom SNAT IP for different pool ### Create Parent VS The configuration for SNI based routing is using parent-child concept. The parent VS will receive all new client connection and will do internal handoff to the child VS with specified SNI. The parent VS will logs the TCP and SSL handshake. The parent VS can also be configured with wildcard SSL certificate. SSL certificate configured in parent VS will be used if the client does not send an SNI hostname TLS extension or if the client's TLS SNI hostname does not match any of the child's VS domain name. More details: [here](https://avinetworks.com/docs/latest/server-name-indication/) Here is example of creating parent VS ![](https://i.imgur.com/yK4rmj9.png) ### Create Child Virtual Service with SNI Certificate (if available) ![](https://i.imgur.com/speTOj5.png) ### Using custom SNAT IP address for server connection By default, AVI will use the SE IP (self ip) as SNAT to the server. This can be changed into: - VIP address as SNAT or - Custom SNAT address The configuration is per VS basis, so it is available in the VS configuration like below ![](https://i.imgur.com/iRYF2u1.png) ## 5. GSLB With Geo-proximity This scenario is creating GSLB service with geolocation based algorithm and fall back pool. ### Enabling Geo Profile AVI has built-in Geo DB files in the controller. However, custom geo-db file can be uploaded into the controller. ![](https://i.imgur.com/XOS8mhZ.png) Create geo profile to attached the geo-db file. ![](https://i.imgur.com/D3XinaK.png) ### Configuring GSLB Service with Geo-location Algorithm In the GSLB service (wide ip) configuration, you can use Geo location-based algorithm for specific GSLB service (wide ip). ![](https://i.imgur.com/GzcwstG.png) You can configure pools for the GSLB service. Notice that within the pool, you can specify load balancing algorithm. This is the algorithm within the pool member. If you have multiple local DC within the same region (like different AZs), this is the algorithm used for this GSLB pool group. ![](https://i.imgur.com/3ZXln0Y.png) ### Configuring fall back You can configure fallback IP in the case of failure for all VS configured in the pool member. GSLB will response with this IP address for the DNS queries. ![](https://i.imgur.com/ureU5UQ.png) ## 6. Websocket Protocol Enabling VS with websocket protocol support can be done from the HTTP/HTTPS profile ![](https://i.imgur.com/pjVjz7i.png) ### FQDN Pool Member In pool configuration, you can insert FQDN of the servers by inserting it in the "Server IP Address" column. It will resolve using local DNS server. Local DNS server is configured during the first initialization of Controller. DNS configuration can be found in the Administration - Settings - DNS/NTP ![](https://i.imgur.com/ohzO0Oh.png) ![](https://i.imgur.com/9vYt5HH.png) ## 7. Layer 4 Load Balancing Without SNAT You can disable SNAT by using Auto Gateway feature ![](https://i.imgur.com/yJNKSK7.png) This Auto Gateway works similarly like Auto Last Hop feature from LTM.