Working with Networks 1.11

 

Managing Advanced Networking Data Center Edge Gateways

An Advanced Networking Data Center edge gateway provides a routed organization VDC network or a data center group network with connectivity to external networks and IP management properties. It can also provide services such as firewall, network address translation (NAT), IPSec VPN, DNS forwarding, and DHCP, which is enabled by default.

Dedicated External Networks

To provide a fully routed network topology in a virtual data center, your system administrator can dedicate an external network to a specific Advanced Networking Data Center edge gateway.

In this configuration, there is a one-to-one relationship between the external network and the Advanced Networking Data Center edge gateway, and other edge gateways cannot connect to the external network.

An Advanced Networking Data Center tier-0 logical router or VRF gateway that is associated with a dedicated external network is part of the tenant networking stack. The external network is considered a part of the Cyfuture Cloud Console network routing domain.

A dedicated external network provides additional edge gateway routing services, such as route advertisement management and border gateway protocol (BGP) configuration.

You can decide which of the networks that are attached to the edge gateway to advertise to the external network. This makes possible a mixture of NAT-routed and fully routed organization virtual data center networks.

Add an IP Set to an Advanced Networking Data Center Edge Gateway

To create firewall rules and add them to an Advanced Networking Data Center edge gateway, you must first create IP sets. IP sets are groups of objects to which the firewall rules apply. Combining multiple objects into IP sets helps reduce the total number of firewall rules to be created.

 

Procedure

1      In the top navigation bar, click Networking and click the Edge Gateways tab.

2      Click the Advanced Networking edge gateway.

3      Under Security, click the IP Sets tab and click New.

4      Enter a name and, optionally, a description for the IP set.

5      Enter an IP address or an IP address range for the virtual machines that the IP set includes, and click Add.

6      To save the firewall group, click Save.

Results

You created an IP set and added it to the Advanced Networking edge gateway.

What to do next

Add an Advanced Networking Data Center Edge Gateway Firewall Rule

 

Add an Advanced Networking Data Center Edge Gateway Firewall Rule

To control the incoming and outgoing network traffic to and from an Advanced Networking Data Center edge gateway, you create firewall rules.

Procedure

1      In the top navigation bar, click Networking and click the Edge Gateways tab.

2      Click the edge gateway.

3      If the Firewall screen is not already visible under the Services section, click the Firewall tab.

4      Click Edit Rules.

5      Click the New On Top button.

A row for the new rule is added above the selected rule.

6      Configure the firewall rule.

Name: Enter a name for the rule.

State: To enable the rule upon creation, turn on the State toggle.

Applications: (Optional) To select a specific port profile to which the rule applies, turn on the Applications toggle and click Save.

Source: Select an option and click Keep.

■ To allow or deny traffic from any source address, toggle on Any Source.

■ To allow or deny traffic from specific firewall groups, select the firewall groups from the list.

Destination: Select an option and click Keep.

■ To allow or deny traffic to any destination address, toggle on Any Destination.

■ To allow or deny traffic to specific firewall groups, select the firewall groups from the list.

Action: From the Action drop-down menu, select an option.

■ To allow traffic from or to the specified sources, destinations, and services, select Accept.

■ To block traffic from or to the specified sources, destinations, and services without notifying the blocked client, select Drop.

■ To block traffic from or to the specified sources, destinations, and services, and to notify the blocked client that the traffic was rejected, select Reject.

IP Protocol: Select whether to apply the rule to IPv4 or IPv6 traffic.

Direction: Select the traffic direction to which to apply the rule.

Note- In Cyfuture Cloud Console 10.2.1 and later versions, this option is no longer available.

Enable logging: To have the address translation performed by this rule logged, turn on the Enable logging toggle.

 

7      Click Save.

 

8      To configure additional rules, repeat these steps.

Results

After the firewall rules are created, they appear in the Edge Gateway Firewall Rules list. You can move up, move down, edit, or delete the rules as needed.
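The following Python model is added here for illustration and is not code from this guide or the product. It evaluates sample packets against an ordered rule list the way the options above combine: the first matching rule decides, Any Source and Any Destination versus named IP sets, an optional application port profile, the IP Protocol option, and the Accept, Drop and Reject actions; it also shows why rule order (New On Top, Move Up) matters. The IP sets, rules and packets are constructed sample values, and dropping traffic that matches no rule is an assumption, not something this guide states.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# IP sets as created under Security > IP Sets (constructed sample values).
IP_SETS = {
    "web-servers": ["10.10.1.0/24"],
    "db-servers": ["10.10.2.10", "10.10.2.11"],
    "admin-jumphost": ["203.0.113.5"],
}

# Assumption for this example: traffic that matches no rule is dropped.
DEFAULT_ACTION = "Drop"


@dataclass(frozen=True)
class AppProfile:
    """Application port profile: a protocol and one or more ports."""
    protocol: str
    ports: frozenset


@dataclass
class Rule:
    name: str
    action: str                               # "Accept", "Drop" or "Reject"
    source: Optional[list] = None             # None = Any Source, else IP set names
    destination: Optional[list] = None        # None = Any Destination, else IP set names
    application: Optional[AppProfile] = None  # None = Applications toggle off
    ip_version: int = 4                       # IP Protocol option: 4 or 6
    enabled: bool = True                      # State toggle
    logging: bool = False                     # Enable logging toggle


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dport: int


def in_ip_sets(addr: str, set_names) -> bool:
    """True if addr falls within any entry of any of the named IP sets."""
    ip = ip_address(addr)
    return any(ip in ip_network(entry, strict=False)
               for name in set_names for entry in IP_SETS[name])


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not rule.enabled or ip_address(pkt.src).version != rule.ip_version:
        return False
    if rule.source is not None and not in_ip_sets(pkt.src, rule.source):
        return False
    if rule.destination is not None and not in_ip_sets(pkt.dst, rule.destination):
        return False
    if rule.application is not None and (
            pkt.protocol != rule.application.protocol
            or pkt.dport not in rule.application.ports):
        return False
    return True


def evaluate(rules, pkt: Packet):
    """Walk the list top to bottom; the first matching rule decides.
    Returns (action, rule name); the name is None when only the default applied."""
    for rule in rules:
        if rule_matches(rule, pkt):
            if rule.logging:
                print(f"[fw] {rule.name}: {rule.action} {pkt.protocol} "
                      f"{pkt.src} -> {pkt.dst}:{pkt.dport}")
            return rule.action, rule.name
    return DEFAULT_ACTION, None


def move_up(rules, name: str):
    """Copy of the list with the named rule swapped one position up
    (the Move Up control in the Edge Gateway Firewall Rules list)."""
    rules = list(rules)
    i = next(i for i, r in enumerate(rules) if r.name == name)
    if i > 0:
        rules[i - 1], rules[i] = rules[i], rules[i - 1]
    return rules


# Constructed rule set, entered in the wrong order: the broad Drop sits above
# the narrow Accept and shadows it until the Accept is moved up.
RULES = [
    Rule("block-db", "Drop", destination=["db-servers"]),
    Rule("admin-to-db", "Accept", source=["admin-jumphost"], destination=["db-servers"],
         application=AppProfile("TCP", frozenset({5432})), logging=True),
    Rule("web-https", "Accept", destination=["web-servers"],
         application=AppProfile("TCP", frozenset({80, 443}))),
    Rule("web-reject-rest", "Reject", destination=["web-servers"]),
]
FIXED = move_up(RULES, "admin-to-db")

if __name__ == "__main__":
    pkt = Packet("203.0.113.5", "10.10.2.10", "TCP", 5432)
    print(evaluate(RULES, pkt), evaluate(FIXED, pkt))
```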

Add an SNAT or a DNAT Rule to an Advanced Networking Edge Gateway

To change the source IP address from a private to a public IP address, you create a source NAT (SNAT) rule. To change the destination IP address from a public to a private IP address, you create a destination NAT (DNAT) rule.

When you configure a SNAT or a DNAT rule on an edge gateway in the Cyfuture Cloud Console environment, you always configure the rule from the perspective of your organization VDC.

An SNAT rule translates the source IP address of packets sent from an organization VDC network out to an external network or to another organization VDC network.

A NO SNAT rule prevents the translation of the internal IP address of packets sent from an organization VDC out to an external network or to another organization VDC network.

A DNAT rule translates the IP address and, optionally, the port of packets received by an organization VDC network that are coming from an external network or from another organization VDC network.

A NO DNAT rule prevents the translation of the external IP address of packets received by an organization VDC from an external network or from another organization VDC network.

Cyfuture Cloud Console supports automatic route redistribution when you use NAT services on an Advanced Networking Data Center edge gateway.

Important- If you are using Tanzu Kubernetes clusters, make note of the system SNAT rule created on the edge gateway to avoid creating a conflicting rule.

Prerequisites

The public IP addresses must have been added to the edge gateway interface on which you want to add the rule.

Procedure

1      In the top navigation bar, click Networking and click the Edge Gateways tab.

2      Click the edge gateway and, under Services, click NAT.

3      To add a rule, click New.

4      Configure an SNAT or NO SNAT rule (inside going outside).

Name: Enter a meaningful name for the rule.

Description: (Optional) Enter a description for the rule.

Interface type: From the drop-down menu, select SNAT or NO SNAT.

External IP: Depending on the type of rule that you are creating, choose one of the options.

■ If you are creating a SNAT rule, enter the public IP address of the edge gateway for which you are configuring the SNAT rule.

■ If you are creating a NO SNAT rule, leave the text box empty.

Internal IP: Enter the IP address or a range of IP addresses of the virtual machines for which you are configuring SNAT, so that they can send traffic to the external network.

Destination IP: (Optional) If you want the rule to apply only to traffic to a specific domain, enter an IP address for this domain or an IP address range in CIDR format. If you leave this text box blank, the SNAT rule applies to all destinations outside of the local subnet.

Advanced Settings (Optional): Click the Advanced Settings tab for some additional settings.

State: To enable the rule upon creation, toggle on the State option.

5      Configure a DNAT or NO DNAT rule (outside going inside).

 

Name: Enter a meaningful name for the rule.

Description: (Optional) Enter a description for the rule.

Interface type: From the drop-down menu, select DNAT or NO DNAT.

External IP: Enter the public IP address of the edge gateway for which you are configuring the DNAT rule. The IP addresses that you enter must belong to the suballocated IP range of the edge gateway.

External Port: (Optional) Enter a port into which the DNAT rule is translating for the packets inbound to the virtual machines.

Internal IP: Depending on the type of rule that you are creating, choose one of the options.

■ If you are creating a DNAT rule, enter the IP address or a range of IP addresses of the virtual machines for which you are configuring DNAT, so that they can receive traffic from the external network.

■ If you are creating a NO DNAT rule, leave the text box empty.

Application: (Optional) Select a specific application port profile to which to apply the rule. The application port profile includes a port and a protocol that the incoming traffic uses on the edge gateway to connect to the internal network.

Advanced Settings (Optional): Click the Advanced Settings tab for some additional settings.

State: To enable the rule upon creation, toggle on the State option.

Logging: To have the address translation performed by this rule logged, toggle on the Logging option.

Priority: If an address has multiple NAT rules, you can assign these rules different priorities to determine the order in which they are applied. A lower value means a higher priority for this rule.

Firewall Match: You can set a firewall match rule to determine how the firewall is applied during NAT. From the drop-down menu, select one of the following options.

■ To apply firewall rules to the internal address of a NAT rule, select Match Internal Address.

■ To apply firewall rules to the external address of a NAT rule, select Match External Address.

■ To skip applying firewall rules, select Bypass.

6      Click Save.

 

7      To configure additional rules, repeat these steps.
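The following Python model is added here for illustration and is not code from this guide or the product. It applies SNAT, NO SNAT, DNAT and NO DNAT rules to sample addresses from the organization VDC perspective described above, honours the Priority setting (lower value wins) and flags SNAT rules that overlap at the same priority, the kind of conflict the Important note about the system SNAT rule refers to. The addresses and rules are constructed sample values; reading Application as the inbound protocol and port on the edge gateway, External Port as the port the packet is translated to, and list order as the tie-break for equal priorities are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class NatRule:
    name: str
    rule_type: str                         # "SNAT", "NO SNAT", "DNAT" or "NO DNAT"
    external_ip: Optional[str] = None      # public IP; left empty for NO SNAT
    internal_ip: Optional[str] = None      # VM address or CIDR; left empty for NO DNAT
    destination_ip: Optional[str] = None   # SNAT/NO SNAT: only traffic to this CIDR
    application: Optional[tuple] = None    # DNAT/NO DNAT: (protocol, port) on the edge
    external_port: Optional[int] = None    # DNAT: port the packet is translated to
    priority: int = 0                      # lower value = higher priority
    enabled: bool = True                   # State toggle


def _in_range(addr: str, cidr: Optional[str]) -> bool:
    """True if addr lies inside cidr; an empty field matches nothing."""
    if cidr is None:
        return False
    return ip_address(addr) in ip_network(cidr, strict=False)


def _by_priority(rules, kinds):
    """Enabled rules of the given kinds, lowest priority value first;
    equal priorities keep their list order (assumption)."""
    return sorted((r for r in rules if r.enabled and r.rule_type in kinds),
                  key=lambda r: r.priority)


def apply_snat(rules, src: str, dst: str):
    """Egress (inside going outside): (source address after NAT, rule name)."""
    for r in _by_priority(rules, ("SNAT", "NO SNAT")):
        if not _in_range(src, r.internal_ip):
            continue
        if r.destination_ip is not None and not _in_range(dst, r.destination_ip):
            continue
        if r.rule_type == "NO SNAT":
            return src, r.name             # explicitly left untranslated
        return r.external_ip, r.name
    return src, None                       # no rule: no translation


def apply_dnat(rules, dst: str, protocol: str, dport: int):
    """Ingress (outside going inside): (destination address, port, rule name)."""
    for r in _by_priority(rules, ("DNAT", "NO DNAT")):
        if dst != r.external_ip:
            continue
        if r.application is not None and r.application != (protocol, dport):
            continue
        if r.rule_type == "NO DNAT":
            return dst, dport, r.name
        new_port = r.external_port if r.external_port is not None else dport
        return r.internal_ip, new_port, r.name
    return dst, dport, None


def conflicting_snat_rules(rules):
    """Pairs of SNAT/NO SNAT rules at the same priority whose internal ranges
    (and destination ranges, where both are set) overlap. For such a pair the
    outcome depends on list order alone, which is the conflict to avoid with
    the system SNAT rule of Tanzu Kubernetes clusters."""
    snat = [r for r in rules if r.enabled and r.rule_type in ("SNAT", "NO SNAT")]
    found = []
    for i, a in enumerate(snat):
        for b in snat[i + 1:]:
            if a.priority != b.priority:
                continue
            if not ip_network(a.internal_ip, strict=False).overlaps(
                    ip_network(b.internal_ip, strict=False)):
                continue
            if a.destination_ip and b.destination_ip and not ip_network(
                    a.destination_ip, strict=False).overlaps(
                    ip_network(b.destination_ip, strict=False)):
                continue
            found.append((a.name, b.name))
    return found


# Constructed rule set: org VDC network 10.10.1.0/24 behind public IP
# 203.0.113.10; another org VDC network 10.10.2.0/24 is reached untranslated.
RULES = [
    NatRule("snat-default", "SNAT", external_ip="203.0.113.10",
            internal_ip="10.10.1.0/24", priority=100),
    NatRule("no-snat-to-vdc2", "NO SNAT", internal_ip="10.10.1.0/24",
            destination_ip="10.10.2.0/24", priority=10),
    NatRule("dnat-web", "DNAT", external_ip="203.0.113.10", internal_ip="10.10.1.20",
            application=("TCP", 443), external_port=8443, priority=50),
    NatRule("no-dnat-ssh", "NO DNAT", external_ip="203.0.113.10",
            application=("TCP", 22), priority=5),
]

if __name__ == "__main__":
    print(apply_snat(RULES, "10.10.1.5", "10.10.2.7"))
    print(apply_snat(RULES, "10.10.1.5", "198.51.100.9"))
    print(apply_dnat(RULES, "203.0.113.10", "TCP", 443))
    print(conflicting_snat_rules(RULES))
```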

Configure a DNS Forwarder Service on an Advanced Networking edge Gateway

To forward DNS queries to external DNS servers, configure a DNS forwarder.

As part of your DNS forwarder service configuration, you can also add conditional forwarder zones. A conditional forwarder zone is configured as a list containing up to five FQDN DNS zones. If a DNS query matches a domain name from that list, the query is forwarded to the servers from the corresponding forwarder zone.

Procedure

1      In the top navigation bar, click Networking and click the Edge Gateways tab.

2      Click the edge gateway and, under IP Management, click DNS.

3      In the DNS Forwarder section, click Edit.

4      To enable the DNS Forwarder service, turn on the State toggle.

5      Enter a name and, optionally, a description for the default DNS zone.

6      Enter one or more upstream server IP addresses, separated by a comma.

7      Click Save.

8      (Optional) Add a conditional forwarder zone.

a      In the Conditional Forwarder Zone section, click Add.

b      Enter a name for the forwarder zone.

c      Enter one or more upstream server IP addresses, separated by a comma.

d      Enter one or more domain names, separated by a comma, and click Save.

Create Custom Application Port Profiles

To create firewall and NAT rules, you can use preconfigured application port profiles and custom application port profiles.

Application port profiles include a combination of a protocol and a port, or a group of ports, that is used for firewall and NAT services on the edge gateway. In addition to the default port profiles that are preconfigured for Advanced Networking Data Center, you can create custom application port profiles.

When you create a custom application port profile on an edge gateway, it becomes visible to all the other Advanced Networking Data Center edge gateways that are in the same organization VDC.

Procedure

1      In the top navigation bar, click Networking and click the Edge Gateways tab.

2      Click the edge gateway.

3      Under Security, click Application Port Profiles.

4      In the Custom Applications section, click New.

5      Enter a name and, optionally, a description for the application port profile.

6      Select a protocol from the drop-down menu.

7      Enter a port, or a range of ports, separated by a comma, and click Save.

What to do next

Use application port profiles to create firewall and NAT rules. See Add an Advanced Networking Data Center Edge Gateway Firewall Rule and Add an SNAT or a DNAT Rule to an Advanced Networking Edge Gateway.

IPsec Policy-Based VPN for Advanced Networking Data Center Edge Gateways

Starting with version 10.1, Cyfuture Cloud Console supports site-to-site policy-based IPSec VPN between an Advanced Networking Data Center edge gateway instance and a remote site.

IPSec VPN offers site-to-site connectivity between an edge gateway and remote sites which also use Advanced Networking Data Center or which have either third-party hardware routers or VPN gateways that support IPSec.

Policy-based IPSec VPN requires a VPN policy to be applied to packets to determine which traffic is to be protected by IPSec before being passed through a VPN tunnel. This type of VPN is considered static because when a local network topology and configuration change, the VPN policy settings must also be updated to accommodate the changes.

Advanced Networking Data Center edge gateways support split tunnel configuration, with IPSec traffic taking routing precedence.

Cyfuture Cloud Console supports automatic route redistribution when you use IPSec VPN on an Advanced Networking edge gateway.

 

Configure Advanced Networking Policy-Based IPSec VPN

You can configure site-to-site connectivity between an Advanced Networking Data Center edge gateway and remote sites. The remote sites must use Advanced Networking Data Center, have third-party hardware routers, or VPN gateways that support IPSec.

Cyfuture Cloud Console supports automatic route redistribution when you configure IPSec VPN on an Advanced Networking Data Center edge gateway.

 

Procedure

1      In the top navigation bar, click Networking and click the Edge Gateways tab.

2      Click the edge gateway.

3      Under Services, click IPSec VPN.

4      To configure an IPSec VPN tunnel, click New.

5      Enter a name and, optionally, a description for the IPSec VPN tunnel.

6      To enable the tunnel upon creation, toggle on the Enabled option.

7      Enter a pre-shared key.

Note- The pre-shared key must be the same on the other end of the IPSec VPN tunnel.

8      Enter one of the IP addresses that are available to the edge gateway for the local endpoint.

Note- The IP address must be either the primary IP of the edge gateway, or an IP address that is separately allocated to the edge gateway from the external network.

9      Enter at least one local IP subnet address in CIDR notation to use for the IPSec VPN tunnel.

10   Enter the IP address for the remote site.

11   Enter at least one remote IP subnet address in CIDR notation to use for the IPSec VPN tunnel.

12   (Optional) To enable logging, toggle on the Logging option.

13   Click Save.

14   To verify that the tunnel is functioning, select it and click View Statistics.

If the tunnel is functioning, Tunnel Status and IKE Service Status both display Up.

Results

The newly created IPSec VPN tunnel is listed in the IPSec VPN view. The IPSec VPN tunnel is created with a default security profile.

What to do next

You can edit the IPSec VPN tunnel settings and customize its security profile as needed.

Customize the Security Profile of an IPSec VPN Tunnel

If you decide not to use the system-generated security profile that was assigned to your IPSec VPN tunnel upon creation, you can customize it.

Procedure

1      In the top navigation bar, click Networking and click the Edge Gateways tab.

2      Click the edge gateway.

3      Under Services, click IPSec VPN.

4      Select the IPSec VPN tunnel and click Security Profile Customization.

5      Configure the IKE profiles.

The Internet Key Exchange (IKE) profiles provide information about the algorithms that are used to authenticate, encrypt, and establish a shared secret between network sites when you establish an IKE tunnel.

a         Select an IKE protocol version to set up a security association (SA) in the IPSec protocol suite.

 

IKEv1: When you select this option, IPSec VPN initiates and responds to the IKEv1 protocol only.

IKEv2: The default option. When you select this version, IPSec VPN initiates and responds to the IKEv2 protocol only.

IKE-Flex: When you select this option, if the tunnel establishment fails with the IKEv2 protocol, the source site does not fall back and initiate a connection with the IKEv1 protocol. Instead, if the remote site initiates a connection with the IKEv1 protocol, the connection is accepted.

 

b         Select a supported encryption algorithm to use during the Internet Key Exchange (IKE) negotiation.

c         From the Digest drop-down menu, select a secure hashing algorithm to use during the IKE negotiation.

d         From the Diffie-Hellman Group drop-down menu, select one of the cryptography schemes that allows the peer site and the edge gateway to establish a shared secret over an insecure communications channel.

e         (Optional) In the Association Lifetime text box, modify the default number of seconds before the IPSec tunnel needs to reestablish.

6      Configure the IPSec VPN tunnel.

a      To enable perfect forward secrecy, toggle on the option.

b      Select a defragmentation policy.

The defragmentation policy helps to handle defragmentation bits present in the inner packet.

 

Copy: Copies the defragmentation bit from the inner IP packet to the outer packet.

Clear: Ignores the defragmentation bit present in the inner packet.

 

c         Select a supported encryption algorithm to use during the Internet Key Exchange (IKE) negotiation.

d         From the Digest drop-down menu, select a secure hashing algorithm to use during the IKE negotiation.

e         From the Diffie-Hellman Group drop-down menu, select one of the cryptography schemes that allows the peer site and the edge gateway to establish a shared secret over an insecure communications channel.

f          (Optional) In the Association Lifetime text box, modify the default number of seconds before the IPSec tunnel needs to reestablish.

7      (Optional) In the Probe Interval text box, modify the default number of seconds for dead peer detection.

8      Click Save.

 

Results

In the IPSec VPN view, the security profile of the IPSec VPN tunnel displays as User Defined.

Configure Dedicated External Network Services

To provide a fully routed network topology in a virtual data center, a system administrator can dedicate an external network to a specific Advanced Networking Data Center edge gateway.

When you use a dedicated external network, you can configure additional routing services, such as route advertisement management and border gateway protocol (BGP) configuration.

Procedure

1      Manage Route Advertisement

By using route advertisement, you can create a fully routed network environment in an organization virtual data center (VDC).

2      Configure BGP General Settings

You can configure an external or internal Border Gateway Protocol (eBGP or iBGP) connection between an Advanced Networking Data Center edge gateway that has a dedicated external network and a router in your physical infrastructure.

3      Create an IP Prefix List

You can create IP prefix lists which contain single or multiple IP addresses. You use IP prefix lists to assign BGP neighbors with access permissions for route advertisement.

4      Add a BGP Neighbor

You can configure individual settings for the BGP routing neighbors when you add them.

 

Manage Route Advertisement

By using route advertisement, you can create a fully routed network environment in an organization virtual data center (VDC).
 
You can decide which of the network subnets that are attached to the Advanced Networking Data Center edge gateway to advertise to the dedicated external network.
 
If a subnet is not added to the advertisement filter, the route to it is not advertised to the external network and the subnet remains private.
 
Note- Cyfuture Cloud Console advertises any organization VDC network that falls within the advertised route. Because of that, you do not need to create a filter for each subnet that is part of an advertised network.
 
Route advertisement is automatically configured on the Advanced Networking Data Center edge gateway. Cyfuture Cloud Console supports automatic route redistribution when you use route advertisement on an Advanced Networking edge gateway. Route redistribution is automatically configured on the tier-0 logical router which represents the dedicated external network.

 

Prerequisites

■ Verify that the system administrator dedicated an external network to an Advanced Networking Data Center edge gateway in your organization.

■ Verify that you are an organization administrator or you are assigned a role that includes an equivalent set of rights.

Procedure

1      In the top navigation bar, click Networking and click the Edge Gateways tab.

2      Click the edge gateway.

3      Under Routing, click Route Advertisement and Edit.

4      To add a subnet to be advertised, click Add.

5      Add an IPv4 or IPv6 subnet.

Use the format network_gateway_IP_address/subnet_prefix_length, for example, 192.167.1.1/24.

 

Configure BGP General Settings

You can configure an external or internal Border Gateway Protocol (eBGP or iBGP) connection between an Advanced Networking Data Center edge gateway that has a dedicated external network and a router in your physical infrastructure.

BGP makes core routing decisions by using a table of IP networks, or prefixes, which designate multiple routes between autonomous systems (AS).

The term BGP speaker refers to a networking device that is running BGP. Two BGP speakers establish a connection before any routing information is exchanged.

The term BGP neighbor refers to a BGP speaker that has established such a connection. After establishing the connection, the devices exchange routes and synchronize their tables. Each device sends keep-alive messages to keep this relationship alive.

Note- In an edge gateway that is connected to an external network backed by a VRF gateway, the local AS number and graceful restart settings are read-only. Your system administrator can edit these settings on the parent tier-0 gateway in Advanced Networking Data Center.

Prerequisites

■ Verify that the system administrator dedicated an external network to an Advanced Networking Data Center edge gateway in your organization.

■ Verify that you are an organization administrator or you are assigned a role that includes an equivalent set of rights.

Procedure

1      In the top navigation bar, click Networking and click the Edge Gateways tab.

2      Click the edge gateway.

3      Under Routing, click BGP and, under Configuration, click Edit.

4      Toggle on the Status option to enable BGP.

5      Enter an autonomous system (AS) ID number to use for the local AS feature of the protocol.

 

Cyfuture Cloud Console assigns the local AS number to the edge gateway. The edge gateway advertises this ID when it connects with its BGP neighbors in other autonomous systems.

6      From the drop-down menu, select a Graceful Restart Mode option.

 

Helper and graceful restart: It is not a best practice to enable the graceful restart capability on the edge gateway, because the BGP peerings from all gateways are always active. In case of a failover, the graceful restart capability increases the time a remote neighbor takes to select an alternate tier-0 gateway. This delays BFD-based convergence.

Note- The edge gateway configuration applies to all BGP neighbors unless the neighbor-specific configuration overrides it.

Helper only: Useful for reducing or eliminating the disruption of traffic associated with routes learned from a neighbor that is capable of graceful restart. The neighbor must be able to preserve its forwarding table while it undergoes a restart.

Disable: Disables graceful restart mode on the edge gateway.

 

7      (Optional) Change the default value for the graceful restart timer.

 

8      (Optional) Change the default value for the stale route timer.

 

9      Toggle on the ECMP option to enable ECMP.

10   Click Save.

What to do next

■ Create an IP Prefix List

■ Add a BGP Neighbor

Create an IP Prefix List

You can create IP prefix lists which contain single or multiple IP addresses. You use IP prefix lists to assign BGP neighbors with access permissions for route advertisement.

The IP prefix lists are referenced through BGP neighbor filters to limit the number of BGP updates that are exchanged between BGP peers. By using route filtering, you can reduce the amount of system resources needed for BGP updates.

For example, you can add the IP address 192.168.100.3/27 to the IP prefix list and deny the route from being redistributed to the edge gateway.

You can also append an IP address with less than or equal to (le) and greater than or equal to (ge) modifiers to grant or limit route redistribution. For example, the modifiers in 192.168.100.3/27 ge 26 le 32 match subnet masks greater than or equal to 26 bits and less than or equal to 32 bits in length.
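The prefix-list matching that these modifiers describe, together with the containment check from Manage Route Advertisement (an organization VDC network that falls within an advertised subnet needs no filter entry of its own), as an added Python illustration that is not code from this guide or the product. The entries and candidate routes are constructed sample values; the first-match, implicit-deny evaluation follows standard prefix-list semantics and is an assumption about this product rather than something the guide states.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional


@dataclass(frozen=True)
class PrefixEntry:
    network: object            # ipaddress IPv4Network or IPv6Network
    action: str                # "permit" or "deny"
    ge: Optional[int] = None   # minimum prefix length matched
    le: Optional[int] = None   # maximum prefix length matched


def parse_entry(text: str, action: str) -> PrefixEntry:
    """Parse 'A.B.C.D/n [ge X] [le Y]' as typed in the IP prefix list form.
    A host address with a prefix length (192.168.100.3/27) is normalised to
    its network address, 192.168.100.0/27."""
    tokens = text.split()
    network = ip_network(tokens[0], strict=False)
    ge = le = None
    for key, value in zip(tokens[1::2], tokens[2::2]):
        if key == "ge":
            ge = int(value)
        elif key == "le":
            le = int(value)
        else:
            raise ValueError(f"unknown modifier {key!r}")
    if ge is not None and le is not None and ge > le:
        raise ValueError("ge must not exceed le")
    return PrefixEntry(network, action, ge, le)


def entry_matches(entry: PrefixEntry, route: str) -> bool:
    """A route matches when its first n bits equal the entry's n-bit prefix and
    its own length lies in the ge/le window. Without modifiers only length n
    matches; with only ge the window runs up to the maximum length."""
    route = ip_network(route, strict=False)
    net = entry.network
    if route.version != net.version:
        return False
    if int(route.network_address) & int(net.netmask) != int(net.network_address):
        return False
    lower = entry.ge if entry.ge is not None else net.prefixlen
    if entry.le is not None:
        upper = entry.le
    elif entry.ge is not None:
        upper = route.max_prefixlen
    else:
        upper = net.prefixlen
    return lower <= route.prefixlen <= upper


def evaluate_prefix_list(entries, route: str) -> str:
    """First matching entry decides; a route that matches no entry is denied
    (the implicit deny at the end of a prefix list)."""
    for entry in entries:
        if entry_matches(entry, route):
            return entry.action
    return "deny"


def filter_routes(entries, routes):
    """Routes the prefix list permits, e.g. through a neighbor's inbound filter."""
    return [r for r in routes if evaluate_prefix_list(entries, r) == "permit"]


def is_advertised(org_network: str, advertised_subnets) -> bool:
    """Route advertisement: an org VDC network is advertised when it falls
    within any subnet of the advertisement filter."""
    net = ip_network(org_network, strict=False)
    for subnet in advertised_subnets:
        adv = ip_network(subnet, strict=False)
        if net.version == adv.version and net.subnet_of(adv):
            return True
    return False


# Constructed inbound filter: deny the range from the example above and permit
# 10/8 routes that are no more specific than /24.
INBOUND_FILTER = [
    parse_entry("192.168.100.3/27 ge 26 le 32", "deny"),
    parse_entry("10.0.0.0/8 le 24", "permit"),
]
SAMPLE_ROUTES = ["192.168.100.0/27", "192.168.100.16/28", "192.168.100.64/28",
                 "10.20.0.0/16", "10.20.5.0/25", "172.16.0.0/12"]

if __name__ == "__main__":
    print(filter_routes(INBOUND_FILTER, SAMPLE_ROUTES))
    print(is_advertised("10.20.5.0/24", ["10.20.0.0/16"]))
```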

Prerequisites

■ Verify that the system administrator dedicated an external network to an Advanced Networking Data Center edge gateway in your organization.

■ Verify that you are an organization administrator or you are assigned a role that includes an equivalent set of rights.

■ Configure BGP General Settings.

Procedure

1      In the top navigation bar, click Networking and click the Edge Gateways tab.

2      Click the edge gateway.

3      Under Routing, click BGP and IP Prefix Lists.

4      To add an IP prefix list, click New.

 

5      Enter a name and, optionally, a description for the prefix list.

6      Click New and enter the prefix in CIDR notation.

7      From the drop-down menu, select an action to apply to the prefix.

8      (Optional) Enter greater than or equal to and less than or equal to modifiers to grant or limit route redistribution.

What to do next

■ You can edit or delete the IP prefix list as needed.

■ Configure route filtering. See Add a BGP Neighbor.

Add a BGP Neighbor

You can configure individual settings for the BGP routing neighbors when you add them.

Prerequisites

■ Verify that the system administrator dedicated an external network to an Advanced Networking Data Center edge gateway in your organization.

■ Verify that you are an organization administrator or you are assigned a role that includes an equivalent set of rights.

■ Verify that you configured the global BGP settings for the edge gateway. See Configure BGP General Settings.

■ If you use route filtering, verify that you created IP prefix lists. See Create an IP Prefix List.

Procedure

1      In the top navigation bar, click Networking and click the Edge Gateways tab.

2      Click the edge gateway.

3      Under Routing, click BGP and Neighbors.

4      To add a new BGP neighbor, click New.

5      Enter the general settings for the new BGP neighbor.

a         Enter an IPv4 or IPv6 address for the new BGP neighbor.

b         Enter a remote Autonomous System (AS) number in ASPLAIN format.

c         Enter a time interval between sending keep-alive messages to a BGP peer.

d      Enter a time interval before declaring a BGP peer dead.

e         From the drop-down menu, select a Graceful Restart Mode option for this neighbor.

 

Disable: Overrides the global edge gateway settings and disables graceful restart mode for this neighbor.

Helper only: Overrides the global edge gateway settings and configures graceful restart mode as Helper only for this neighbor.

Graceful restart and Helper: Overrides the global edge gateway settings and configures graceful restart mode as Graceful restart and Helper for this neighbor.

 

f      Turn on the AllowAS-in toggle to enable receiving routes that contain the same AS number.

g         If the BGP neighbor requires authentication, enter the password for the BGP neighbor.

6      Configure the Bidirectional Forwarding Detection (BFD) settings for the new BGP neighbor.

a      (Optional) Toggle on the BFD option to enable BFD for failure detection.

b      In the BFD interval text box, define the time interval for sending heartbeat packets.

c      In the Dead Multiple text box, enter the number of times the BGP neighbor can fail to send heartbeat packets before BFD declares it down.

7      (Optional) Configure route filtering.

a      From the IP Address Family drop-down menu, select an IP address family.

b      To configure an inbound filter, select an IP prefix list.

c      To configure an outbound filter, select an IP prefix list.

8      Click Save.

What to do next

You can view the status of each BGP neighbor, edit, or delete BGP neighbors as needed. 

Working with NSX Advanced Load Balancing

As an organization administrator, by configuring virtual services which distribute traffic across multiple server pools, you can balance the workloads in your data centers that are backed by Advanced Networking Data Center. 

Starting with version 10.2, Cyfuture Cloud Console provides load-balancing services by using the capabilities of Cyfuture Cloud NSX Advanced Load Balancer (Avi Networks).

Cyfuture Cloud Console supports L4 and L7 load balancing that you can configure on an Advanced Networking Data Center edge gateway.

Layer 4 load balancing (L4) directs traffic based on data from network and transport layer protocols, such as IP address and TCP port.

Layer 7 load balancing (L7) distributes traffic based on attributes such as HTTP header, uniform resource identifier, SSL session ID, and HTML form data.

 

Enable Load Balancer on an Advanced Networking Data Center Edge Gateway

Before an organization administrator can configure load balancing services, a system administrator must enable the load balancer on the Advanced Networking Data Center edge gateway.

Prerequisites

■ Verify that you are a system administrator.

■ Verify that you integrated Cyfuture Cloud NSX Advanced Load Balancer in your cloud infrastructure. For more information on managing NSX Advanced Load Balancer, see Cyfuture Cloud Console Service Provider Admin Portal Guide.

Procedure

1      In the top navigation bar, click Networking and click the Edge Gateways tab.

2      Click the Advanced Networking Data Center edge gateway on which you want to enable load balancing.

3      Under Load Balancer, click General Settings.

4      Click Edit and toggle on the Load Balancer State option.

5      Enter a network CIDR for a service network subnet from which to use IP addresses for creation of virtual services.

You can use the default service network subnet by selecting the Use Default check box.

6      Click Save.

 

What to do next

Assign a Service Engine Group to an Advanced Networking Data Center Edge Gateway.

Assign a Service Engine Group to an Advanced Networking Data Center Edge Gateway

Before an organization administrator can configure load balancing services on an Advanced Networking Data Center edge gateway, a system administrator must assign a service engine group to the edge gateway.

The load balancing compute infrastructure provided by Networking Advanced Load Balancer is organized into service engine groups. A system administrator can assign one or more service engine groups to an Advanced Networking Data Center edge gateway.

All service engine groups that are assigned to a single edge gateway use the same service network.

Prerequisites

- Verify that you are a system administrator.

- Enable Load Balancer on an Advanced Networking Data Center Edge Gateway.

Procedure

1      In the top navigation bar, click Networking and click the Edge Gateways tab.

2      Click the Advanced Networking Data Center edge gateway to which you want to assign a service engine group.

3      Under Load Balancer, click Service Engine Groups.

4      Click Add.

5      Select an available service engine group from the list.

6      Enter the maximum number of virtual services that can be placed on the edge gateway.

7      Enter the number of virtual services that are guaranteed to the edge gateway.

8      To confirm your settings, click Save.

Edit the Settings of a Service Engine Group

A system administrator can edit the maximum number of supported virtual services and the number of reserved virtual services for a service engine group.

After you sync a service engine group, if the new maximum number of supported virtual services is lower than the number of reserved virtual services, the service engine group is marked as overallocated.

If a service engine group is overallocated, the creation of a new virtual service might fail, even if the edge gateway on which you create the virtual service has enough reserved capacity.

To avoid failure of virtual service creation, when you edit the settings of a service engine group, do not reduce the maximum number of supported virtual services below the number of initially reserved virtual services.

Prerequisites

- Verify that you are a system administrator.

- Enable Load Balancer on an Advanced Networking Data Center Edge Gateway.

- Assign a Service Engine Group to an Advanced Networking Data Center Edge Gateway.

Procedure

1      In the top navigation bar, click Networking and click the Edge Gateways tab.

2      Click the Advanced Networking Data Center edge gateway to which the service engine group is assigned.

3      Under Load Balancer, click Service Engine Groups.

4      Click Edit.

5      Edit the maximum number of virtual services that the edge gateway can use.

Do not reduce this number unless it is necessary; otherwise, creating virtual services might fail.

6      Edit the number for the guaranteed virtual services available to the edge gateway.

7      Click Save.

Add a Load Balancer Server Pool

A server pool is a group of one or more servers that you configure to run the same application and to provide high availability.

Prerequisites

- Verify that you are an organization administrator.

- Verify that your system administrator has enabled load balancing on the Advanced Networking edge gateway.

- Verify that your system administrator has assigned at least one service engine group to the edge gateway.
Procedure

1      In the top navigation bar, click Networking and click the Edge Gateways tab.

2      Click the Advanced Networking Data Center edge gateway for which you want to configure a load balancer pool.

3      Under Load Balancer, click Pools, and then click Add.

4      Configure the general settings for the load balancer pool.

a      Enter a meaningful name and, optionally, a description for the server pool.

b      Select a load balancing algorithm.

The load balancing algorithm defines how incoming connections are distributed among the members of the server pool.

Option: Description

Least Connections: New connections are sent to the server that currently has the fewest connections.

Round Robin: New connections are sent to the next eligible server in the pool in sequential order.

Fastest Response: New connections are sent to the server that provides the fastest response to new connections or requests.

Consistent Hash: New connections are distributed across the servers by using the IP address of the client to generate an IP hash key.

Least Load: New connections are sent to the server with the lightest load, regardless of the number of connections that server has.

Fewest Servers: Instead of attempting to distribute all connections or requests across all servers, the load balancer determines the fewest number of servers required to satisfy the current client load.

Random: The load balancer picks servers at random.

Fewest Tasks: Load is adaptively balanced, based on the server feedback.

Core Affinity: Each CPU core uses a subset of servers, and each server is used by a subset of cores. Essentially, it provides a many-to-many mapping between servers and cores.

c         To enable the server pool upon creation, toggle on the State option.

d         Enter a default destination server port to be used for the traffic to the pool member.

e         (Optional) In the Graceful Disable Timeout text box, enter the maximum time, in minutes, for gracefully disabling a pool member.

The virtual service waits for the specified time before closing the existing connections to disabled members.

f         (Optional) To enable a passive health monitor, toggle on the Passive Health Monitor option.

g         (Optional) Select an active health monitor.

Option: Description

HTTP: An HTTP request and response are used to validate the health.

HTTPS: Used against HTTPS encrypted web servers to validate the health.

TCP: A TCP connection is used to validate the health.

UDP: A UDP datagram is used to validate the health.

PING: An ICMP ping is used to validate the health.

5      Add a member to the server pool.

a         Click the Members tab and click Add.

b         Enter an IP address for the pool member.

c         Toggle on the State option to enable the pool member.

d         (Optional) Add a custom port for the server pool member.

The port number defaults to the destination port that you entered for the pool.

e         Enter a ratio for the pool member.

The ratio of a pool member determines the share of traffic that goes to that member. A server with a ratio of 2 gets twice as much traffic as a server with a ratio of 1. The default value is 1.

6      On the SSL Settings tab, configure the SSL settings for validating the certificates presented by the members of the load balancer pool.

a         To enable SSL, toggle on the SSL Enable option.

b         To hide certificates with private keys and see a list of CA certificates only, select the Hide service certificates check box.

7      To enable the common name check for server certificates, toggle on the Common Name Check option and enter up to 10 domain names for the pool.

8      Click Save.
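The SSL settings in step 6 and the Common Name Check in step 7 decide whether a pool member's server certificate is accepted for the domain names configured on the pool. The following Python is an added example, not code from Cyfuture Cloud Console or NSX Advanced Load Balancer; it assumes certificates in the dictionary layout of Python's ssl getpeercert(), and the three member certificates are constructed samples.

```python
"""Added example (not Cyfuture Cloud Console or NSX ALB code): how a pool's
Common Name Check can decide whether a member's server certificate is acceptable.
Certificates use the dict layout of ssl.SSLSocket.getpeercert(); samples are constructed."""

MAX_POOL_NAMES = 10  # the console accepts up to 10 domain names per pool


def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: a single '*' may stand only for the leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # wildcard must be the whole leftmost label and must not cover a bare TLD
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_names(cert: dict) -> list[str]:
    """DNS names the certificate asserts: SAN entries, or the subject CN only
    when no SAN is present (a CN is ignored once a SAN extension exists)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def common_name_check(cert: dict, pool_domain_names: list[str]) -> tuple[bool, str]:
    """Return (accepted, reason): accepted when any asserted name matches a pool name."""
    if not 1 <= len(pool_domain_names) <= MAX_POOL_NAMES:
        return False, f"pool must list 1 to {MAX_POOL_NAMES} domain names"
    asserted = certificate_names(cert)
    if not asserted:
        return False, "certificate asserts no DNS names"
    for name in asserted:
        for allowed in pool_domain_names:
            if _label_matches(name, allowed):
                return True, f"{name!r} matches pool name {allowed!r}"
    return False, f"none of {asserted} match {pool_domain_names}"


# Constructed sample certificates (not real ones), in getpeercert() layout.
MEMBER_OK = {"subject": ((("commonName", "app1.pool.internal"),),),
             "subjectAltName": (("DNS", "app1.pool.internal"), ("DNS", "*.pool.internal"))}
MEMBER_CN_ONLY = {"subject": ((("commonName", "legacy.pool.internal"),),)}
MEMBER_WRONG = {"subject": ((("commonName", "app1.pool.internal"),),),  # CN lies, SAN rules
                "subjectAltName": (("DNS", "other.example"),)}
```

Note that MEMBER_WRONG is rejected even though its CN matches, because a certificate that carries a SAN extension is judged on the SAN names only.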

What to do next

Create a Virtual Service.

Create a Virtual Service

A virtual service listens for traffic to an IP address, processes client requests, and directs valid requests to a member of the load balancer server pool.

A virtual service is a combination of an IP address and a port that uses a single network protocol. The virtual service is advertised to outside networks and listens for client requests. When a client connects to the virtual service, the load balancer directs the request to a member of the load balancer server pool that you configured.

To perform SSL termination for a virtual service, you can use a certificate from the certificate library. For more information, see Import Certificates to the Certificates Library.

Prerequisites

- Verify that you are an organization administrator.

- Verify that your system administrator has enabled load balancing on the Advanced Networking edge gateway.

- Verify that your system administrator has assigned at least one service engine group to the edge gateway.

- Add a Load Balancer Server Pool.

Procedure

1      In the top navigation bar, click Networking and click the Edge Gateways tab.

2      Click the Advanced Networking Data Center edge gateway on which you want to create a virtual service.

3      Under Load Balancer, click Virtual Services, and then click Add.

4      Enter a meaningful name and, optionally, a description for the virtual service.

5      To activate the virtual service upon creation, toggle on the Enabled option.

6      Select a service engine group for the virtual service.

7      Select a load balancer pool for the virtual service.

8      Enter an IP address for the virtual service.

9      Select the virtual service type.

Option: Description

HTTP: The virtual service listens for non-secure layer 7 HTTP requests. When you select this service type, the service port text box is autopopulated with 80, which you can replace with another valid port number.

HTTPS: The virtual service listens for secure layer 7 HTTPS requests. When you select this service type, the service port text box is autopopulated with port 443, which you can replace with another valid port number. Select an SSL certificate to be used for SSL termination.

L4: The virtual service listens for layer 4 requests. When you select this service type, the service port text box is autopopulated with 80, which you can replace with another valid port number.

L4 TLS: The virtual service listens for secure layer 4 TLS requests. When you select this service type, the service port text box is autopopulated with TCP port 443, which you can replace with another valid port number. Select an SSL certificate to be used for SSL termination.

10    

11   Click Save.
