Lab Guide: Modern Load Balancing
This lab will walk you through the basics of load balancing with Avi.

Demo Avi

Feel free to play around with the system. This is a demo environment. You can't hurt it!

  • Access the lab environment via us.academy.demoavi.us or europe.academy.demoavi.us
  • Username is your email address (lowercase), password is Aviclass123
  • These credentials will be valid for a short period of time. Contact Avi for longer access.

Virtual Service

Create a virtual service

Figure 1: Create a Virtual Service wizard in the Avi UI
  1. Select the Applications menu at the top, then Virtual Services on the left
  2. Start the VS Creation Wizard.
    • Under Virtual Services on the left, click the blue CREATE pulldown.
    • Select Basic Setup
  3. VS Name: Choose any name, even your own name
  4. Use the default application type HTTP.

Create a VS VIP

  1. Scroll down to the VIP Address Section.
  2. Do not use any of the existing configured VIPs in the drop-down.
  3. Click the vertical dots to the right, then click the Create button.
  4. This opens the Create VS VIP window.
  5. Name: Leave the default name or give the VIP object any name.
  6. VIPs: Click the ADD button.
  7. Enable VIP should be CHECKED
  8. Availability Zone: Select the first / top option in the drop-down menu.
  9. Private IP: Auto Allocate (Avi will acquire the IP from the configured IPAM).
  10. VIP Address Allocation Network: select Public AZ1 (be sure to select Public, not Private).
  11. IPv4 Subnet: select 10.0.20.0/22
  12. Public IP: Select Auto-Allocate (This is the private to public NAT).
  13. Click SAVE to close the EDIT VIP window
  14. Click SAVE again to complete the VS VIP and return to the New Virtual Service window.

Create a server pool

  1. Scroll down to the Pool Section.
  2. Select Servers: Click the blue on white BY NETWORK button on the right
  3. Network: select Private-AZ1 network
  4. Servers: Click to check the box to the left of each server to select server1 through server4
  5. Click the ADD button at the bottom right to ADD the servers (Don't forget this ADD button step)
  6. This returns you to the NEW VIRTUAL SERVICE window
  7. Click the SAVE button in the bottom right to complete the VS creation
  8. The new virtual service will be opened to the Analytics tab
  9. If you hover your mouse over the name of the virtual service, various status updates will be displayed

Congratulations! You have created a new virtual service!

Verify

Service Engine creation

  • If this is the first VS created in your environment, the Avi Controller must first create Service Engines (load balancers)
  • SE creation takes about 3 minutes
  • Select the Applications menu at the top, then Virtual Services on the left
  • The VS health score is next to the VS name; initially it will be red with a low score
  • Once the SEs are created, the health should change to green and the score will improve
  • Hover your mouse over the health score periodically to see the progress of the SE creation

Test the VS

  1. Once your VS score is green, you can test it
  2. Click the name of your new VS to open the VS details.
  3. Hover your mouse over the Virtual Service: name text at the top of the window
  4. The mouse pop-out box shows additional information about the virtual service
  5. The NATed public IP for the virtual service should be below the internal private VIP
    1. If there is no public IP, you may have forgotten to enable the public VIP
  6. Copy the public VIP address
  7. Open a new browser tab and enter http://yourpublicvip with the IP you copied
  8. If your virtual service works then depending on which server load balances the request:
    • You should see a basic web page directory with two txt files
    • or
    • You should see a full web page returned
  9. If it's not working, edit the VS and confirm correct configuration
  10. Common items to check include:
    1. Selected the correct AZ and network for the VIP address
    2. Pool is configured with servers
    3. Application type and port
    4. The logs in the verify section could be useful
  11. Edit your virtual service and enable Non Significant Logs
    1. If in the VS detail screen, use the edit icon in the top right
    2. If viewing the main VS list, click the more dots at the right and select Edit
    3. Click the Analytics tab
    4. Check to Enable Non Significant Logs
    5. Click SAVE to save and close the VS editing window

Verify - Check the logs

  • In the VS details view, click on the Logs tab
  • Check the box to show Non-Significant log entries
  • Testing and refreshing your virtual service should generate traffic to show in the log
  • Expand an individual log by clicking on the expand icon on the right side of the log
  • Close the expanded log by clicking the up arrow close button
  • Expose the full log details by clicking on the three dots and selecting Log detail
  • Close the detailed log by clicking the X in the top right corner
  • Avi can be set to higher logging levels with increased verbosity for advanced troubleshooting

SSL/TLS

Add SSL/TLS encryption to your VS

  1. Select the Applications menu at the top, then Virtual Services on the left
  2. Edit your VS: click the more dots ⋮ at the right and select Edit
  3. Select the Service tab; under Service Ports, click ADD
  4. Enter 443 and check the box to Enable SSL termination, then click the SAVE button
  5. An SSL Settings section will appear under the Service Ports section
  6. Verify that the SSL Profile is set to System-Standard (default) – this defines the SSL/TLS versions and ciphers to support
  7. For the SSL Certificate
    • Verify System-Default-Cert is set (default) (RSA cert)
    • Click the pulldown and add System-Default-Cert-EC (EC cert)
    • Click SAVE

Test the site via https://yourPublicVSIP – You will get an SSL certificate error as the cert is self-signed

Which certificate did your browser negotiate? EC or RSA? Take a look in the logs to find out.


HTTPS Redirect

Automatically redirect clients from HTTP to HTTPS

There are several ways to accomplish redirection with increasing levels of sophistication and flexibility.

This exercise shows one example of accomplishing this task.

  1. Edit the VS as explained in the previous sections
  2. In the General tab, below Application Type, is the Application Profile section, set by default to System-HTTP
  3. Click the more dots on the right, then Create to open the NEW APPLICATION PROFILE window
  4. Give the new HTTP profile any name
  5. The Type should default to HTTP
  6. Select the Security tab at the top
  7. Check the box for SSL Everywhere – this will enable HTTP to HTTPS redirect, rewrite server redirects, and enable common SSL tasks
  8. Click SAVE to save the new profile, then click SAVE again to save the changes to the VS
  9. Verify the redirect by accessing the site over HTTP, as in the earlier testing, and confirming that the browser redirects to HTTPS

Server Health

Troubleshoot problematic servers

  1. Open your VS details by clicking on the name
  2. Select the Topology Tab
  3. Click the icons to EXPAND the VS VIPs, Pool, and Servers detail pages
  4. Examine the application server status:
    • To see why a server is marked down, hover the mouse over the red health score
    • The servers that are green / up are not entirely problem free
    • Refresh the site a few times and check the logs, filtering for Significant (the red logs)
    • Issues range from intermittent server slowdowns to missing files to simply the wrong content

Apply a custom health monitor

  1. Navigate to the top Applications menu, then select Pools on the left
  2. Click the yourVSname-pool to open pool details
  3. Select the Servers tab of this pool to view its servers
  4. Edit the pool via the pencil icon in the top right
    1. (if you get an object not found error, just DISMISS)
  5. Select the Health Monitor tab
  6. Remove the default System-HTTP health monitor – this monitor is very basic, validating a 200 OK response came back, not the content
    • Check the box next to the default System-HTTP monitor, then click the blue on white REMOVE button
  7. Add a more robust HTTP Health Check
    • Click the ADD button
    • Click the pulldown, scroll to the bottom of the list and select the Avi Rocks health monitor
      • This health monitor looks for specific content to be returned
    • Click SAVE to save the pool configuration
  8. One or more of the servers is now marked down because of a content response mismatch
  9. Click on the server3 name to drill in further to this server, then click the RED down arrow in the Status column to expand the health check details
  10. DISCUSSION: What content is this server returning versus expected content from the new health monitor?
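
The difference between a status-only monitor and a content-matching monitor, as an added Python example (not part of the original lab and not Avi's implementation). The marker string and the four responses are constructed placeholders, not the real match string of the Avi Rocks monitor or the real output of the lab servers.

```python
import http.client
import io

class _RawSocket:
    """Socket stand-in so http.client can parse raw response bytes offline."""
    def __init__(self, raw):
        self._raw = raw
    def makefile(self, *args, **kwargs):
        return io.BytesIO(self._raw)

def parse_response(raw):
    """Return (status_code, body_text) for one raw HTTP response."""
    resp = http.client.HTTPResponse(_RawSocket(raw))
    resp.begin()
    return resp.status, resp.read().decode("utf-8", "replace")

def status_only_monitor(raw):
    """Up if the server answered 200; the body is never inspected."""
    return parse_response(raw)[0] == 200

def content_monitor(raw, expected):
    """Up only if the server answered 200 AND the body contains `expected`."""
    status, body = parse_response(raw)
    return status == 200 and expected in body

def _response(status_line, body):
    payload = body.encode()
    head = f"HTTP/1.1 {status_line}\r\nContent-Length: {len(payload)}\r\n\r\n"
    return head.encode() + payload

# Constructed sample data: the marker and the responses are placeholders,
# not the lab monitor's real match string or real server output.
EXPECTED = "EXPECTED-MARKER"
SAMPLES = {
    "good-page": _response("200 OK", "<h1>Shop</h1><p>EXPECTED-MARKER</p>"),
    "dir-listing": _response("200 OK", "<h1>Index of /</h1><a>a.txt</a>"),
    "wrong-content": _response("200 OK", "<h1>Some other site</h1>"),
    "error": _response("503 Service Unavailable", "try later"),
}

def compare_monitors(samples, expected):
    """Map each sample name to (status_only_result, content_result)."""
    return {name: (status_only_monitor(raw), content_monitor(raw, expected))
            for name, raw in samples.items()}

if __name__ == "__main__":
    for name, (basic, strict) in compare_monitors(SAMPLES, EXPECTED).items():
        print(f"{name:14} status-only={'UP' if basic else 'DOWN':5} "
              f"content={'UP' if strict else 'DOWN'}")
```

A server that answers 200 with a directory listing or the wrong page passes the first monitor and fails the second, which is why a pool can lose members when the stricter monitor is applied.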

Advanced Virtual Services

  • This lab explores a few interesting advanced features

Step 1: Create VS using Advanced Setup

  1. Select the Applications menu at the top, then Virtual Services on the left
  2. Start the VS Creation Wizard.
    • Under Virtual Services on the left, click the blue CREATE pulldown.
    • Select Advanced Setup
  3. VS Name: Choose a name different from your previous VS
  4. Use the default application type HTTP.

Step 2: Create VS VIP

  1. Scroll down to the VIP Address Section.
  2. Do not use any of the existing configured VIPs in the drop-down.
  3. Click the vertical dots to the right, then click the Create button.
  4. This opens the Create VS VIP window.
  5. Name: Leave the default name or give the VIP object any name.
  6. VIPs: Click the ADD button.
  7. Enable VIP should be CHECKED
  8. Availability Zone: Select the first / top option in the drop-down menu.
  9. Private IP: Auto Allocate (Avi will acquire the IP from the configured IPAM).
  10. VIP Address Allocation Network: select Public AZ1
  11. IPv4 Subnet: select 10.0.20.0/22
  12. Public IP: Select Auto-Allocate
  13. Click SAVE to close the EDIT VIP window
  14. Click SAVE again to complete the VS VIP and return to the New Virtual Service window.

Step 3: Create VS Targeting VS pool

  • With advanced setup, the pool is NOT automatically required, allowing for more unique configurations
  • In this case we will be targeting another VS in the Admin tenant; the IP to target is: 10.0.22.3
  1. Under the Pools section, click on the more dots on the right and then select Create to open the CREATE POOL window
  2. Accept the default pool name or provide a new one
  3. Scroll down to Servers section or Select the Servers tab
  4. Under the Select Servers By setting, ensure IP Address, Range or DNS Name is selected (default)
  5. Click into the data field and enter the IP address and port: 10.0.22.3:80, then click the ADD button and make sure the IP is added in the Servers table
  6. Click SAVE to close the pool and return to creating the virtual service

Step 4: Configure HTTP Policies

  1. Select the Policies tab; under HTTP Policy Sets, click the ADD button
  2. Do not select an existing policy; click the more dots on the right, then select Create to create a new HTTP policy
  3. In the NEW HTTP Policy Set, enter a name, something like advanced-vs-modify-header
  4. Under HTTP Request Rules, click ADD to add a rule
  5. In the NEW HTTP REQUEST RULE window, add a name for the request rule, something like: advanced-add-header
  6. Under Action, click ADD and then select Modify Header
    • In the Action section use the pulldown to change from Remove header to Add header
    • Enter a specific header name: test
    • The value field should be set to: Custom Value (default)
    • Set the custom value: true
    • Click SAVE to complete the new HTTP request rule
  7. Click SAVE again to complete the new HTTP policy set

You should now be back at the NEW VIRTUAL SERVICE window

Step 5: Advanced Network Settings

  1. Select the Service tab, look under Service Ports
  2. Expand the Advanced Network Settings
  3. Scroll down to the SNAT section
  4. Check the box Use VIP as SNAT
    • Enables the Service Engine to use a unique source address when initiating traffic to remote networks
    • Overcomes some routing challenges

Step 6: Enable deeper Analytics

  1. Scroll to Analytics or Select the Analytics tab
  2. Under Client Logging check Log all Headers
    • This will increase the logging level to capture client headers, cookies, etc.
  3. Check Enable Non Significant Logs
    • Enables including the Non Significant log option in VS Logs

Step 7: Hostname Translation

  1. Scroll to Pools or Select Pools tab
  2. Find the setting under the pool configuration: Hostname Translation
  3. Enter a strange or fun hostname such as: nomoreproxypass.com
    • This will change the hostname requested by the client from the IP address to this hostname before the request is forwarded to the server
  4. Remember to click SAVE to save your new advanced virtual service

Test and validate the advanced VS

  • Access the new VS to generate some traffic
    • Find the public IP in the VS details, hover over the VS Name at the top
    • In a new browser tab: http://VSPublicIP (refresh the site several times to generate more logs)
    • The website being returned is a simple DataScript on another VS that reflects the headers it received, a fun way to compare what the server sees versus what the client sent
  • Explore VS Logs
    • Check Non-Significant Logs to show more logs
    • Try different filtering options available for log entries
  • Expand log entries using the pulldown
    • How much is different compared to Log Details?
  • View log details by clicking on the more dots, then selecting Log Detail
    • Avi Load Balancer Detail Logs expose very detailed traffic information without packet logging
    • Explore the different tabs such as the Headers tab
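
The comparison of what the client sent versus what the server saw, as an added Python example (not part of the original lab). It assumes you have copied both requests as raw header text; the sample requests are constructed, and 203.0.113.10 is a documentation address standing in for the public VIP.

```python
def parse_headers(raw_request):
    """Return {lowercased-name: [values]} for the header block of a raw request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:                                   # ignore malformed lines
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def diff_headers(client_raw, server_raw):
    """Headers added, removed or changed between client and server views."""
    sent, seen = parse_headers(client_raw), parse_headers(server_raw)
    return {
        "added": {k: seen[k] for k in sorted(seen.keys() - sent.keys())},
        "removed": {k: sent[k] for k in sorted(sent.keys() - seen.keys())},
        "changed": {k: (sent[k], seen[k])
                    for k in sorted(sent.keys() & seen.keys())
                    if sent[k] != seen[k]},
    }

def check_lab_settings(diff, header="test", value="true",
                       host="nomoreproxypass.com"):
    """List which of the Step 4 and Step 7 settings are not visible in the diff."""
    problems = []
    if diff["added"].get(header) != [value]:
        problems.append(f"request rule did not add '{header}: {value}'")
    if diff["changed"].get("host", (None, None))[1] != [host]:
        problems.append(f"Host was not translated to {host}")
    return problems

# Constructed samples, not captured from the lab environment.
CLIENT = ("GET / HTTP/1.1\r\nHost: 203.0.113.10\r\n"
          "User-Agent: lab-browser\r\n\r\n")
SERVER_OK = ("GET / HTTP/1.1\r\nhost: nomoreproxypass.com\r\n"
             "User-Agent: lab-browser\r\nTest: true\r\n\r\n")
SERVER_UNCHANGED = CLIENT   # what the server would see if neither setting applied

if __name__ == "__main__":
    for label, seen in (("ok", SERVER_OK), ("unchanged", SERVER_UNCHANGED)):
        d = diff_headers(CLIENT, seen)
        print(label, d, check_lab_settings(d) or "all settings visible")
```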

Learn More

Interested in taking Avi for a real spin? Here are some suggestions