A10 Lightning ADC

A10 Lightning ADC is the cloud-native ADC product line of A10 Networks. It is pure software and can be installed in any environment. A10 Lightning ADC instances are stateless and are fully managed by Harmony Controller. It is purpose-built for web applications that implement a micro-services architecture and are deployed in a cloud or containerized environment; however, it works equally well for traditional applications deployed in data centers.

A10 Lightning ADC instances are deployed in an active-active cluster, i.e. all the members of a cluster are always active and share the load. Because the instances are stateless, a cluster is elastic in nature: new instances can be added at any time, and existing instances can be shut down, without significantly impacting the running traffic.

Deploying A10 Lightning ADC Cluster

The A10 Lightning ADC instances of a cluster can either be deployed manually and then associated with the cluster, or Harmony Controller can launch them automatically. Which options are available also depends on the cloud infrastructure the user selects, and the configuration page offers the user several ways to deploy A10 Lightning ADC. At its most basic, deploying A10 Lightning ADC means setting up a virtual machine with the A10 Lightning ADC software.

Deploying in AWS Cloud

A10 Networks releases a pre-built Amazon Machine Image (AMI) of A10 Lightning ADC for quick set-up. Harmony Controller is capable of launching A10 Lightning ADC in the user's AWS account if the user is comfortable granting the system permission to do so. Otherwise, a user can launch A10 Lightning ADC manually using a CloudFormation Template (CFT) or from the AWS Marketplace.

Automatic Launch of A10 Lightning ADC Cluster by System

To automatically launch an A10 Lightning ADC cluster, choose the cluster type Automatic in the Create Cluster screen. For the auto launch of an A10 Lightning ADC cluster, the user must provide AWS credentials in the form of an ARN so that the system can access the required AWS resources in the user's AWS account.

See also

For more information on the different user account authorizations, refer to the ARN Policy section of the Infracredential configuration page.

With the above set of information, the user also needs to provide the exact location (AWS region, network, and subnets) where the A10 Lightning ADC should be launched, and the scale up/down policy for the cluster based on higher/lower CPU usage. When the required configuration is saved, the A10 Lightning ADC instances are launched and automatically registered with the system into the specified cluster. A list of all AWS resources created during the process, together with their status, is shown on the cluster page.

Follow the steps below to have the system auto launch an A10 Lightning ADC cluster:

  1. Click + to add a new cluster, provide the cluster name, and then select the cloud credentials if they are already created. By default, the cluster type is set to Auto.

  2. Once the above step is completed, select the Region and then the Subnet(s) in which to launch the cluster, and set the Min/Max Instances for the cluster. Then save the cluster and wait for it to launch.

  3. Wait for the status to change to Launch Successful.

Launching A10 Lightning ADC Cluster Manually using AWS CFT

The A10 Lightning ADC cluster is launched manually when the user is not comfortable authorizing the system to launch the instances and other resources, which requires access to the user's AWS account. If the user decides to use a CloudFormation Template (CFT), all the steps are still completely automated.

Follow the steps below to launch an A10 Lightning ADC cluster using a CFT (CloudFormation Template):

  1. Click + to add a new cluster, provide the cluster name, and then select the cluster type Manual. Save the settings.

  2. Provide the placement and scaling information. The system does not save this information; it is used only to generate the CFT.

  3. Click the Export CFT button to generate a CFT from the above information, select the AWS platform, and then download and save the CFT.

  4. Upload the CFT to an AWS S3 bucket and launch it with CloudFormation: click Services > S3 > Create Bucket > Bucket Name > Region > Create > double-click the bucket just created > Upload > Add/Upload CFT > double-click the CFT > Properties > copy the Link address > go to Services > CloudFormation > Launch CloudFormer > paste the link address into the field Specify an Amazon S3 template URL > Next > provide Key and Value > Review > Create.

A10 Lightning ADC instances launched using a system-provided CFT are automatically registered with the system into the specified cluster.

Launching A10 Lightning ADC Cluster Manually from AWS Marketplace

To launch the A10 Lightning ADC cluster manually from the AWS Marketplace, use the A10 Lightning ADC AMI available there. The same process applies to launching an A10 Lightning ADC cluster in EC2-Classic. By launching the A10 Lightning ADC instances manually, the user is free to choose their placement, but scaling and security must be configured manually by the user.

Follow the steps below to launch an A10 Lightning ADC cluster from the AWS Marketplace:

  1. Log in to the A10 Lightning ADS, click + to add a new cluster, provide the cluster name, and then select the cluster type Manual. Save the settings.

  2. Open https://aws.amazon.com/marketplace/ to access the AWS Marketplace, search for A10 Lightning ADC, and click A10 Lightning ADC.

  3. Click Continue on this screen.

  4. Click Manual Launch and select a region close to your application servers in which to launch A10 Lightning ADC.

  5. Click Next: Configure details.

  6. In this screen, configure the instance details. After providing the basic configuration details, click Advanced Details, select the As text radio button, and provide the Cluster ID, Edge IP, and API Server URL in the User data field, as in the example below. Copy the JSON below into the User data field and change only the Cluster ID (taken from the cluster page in the UI); everything else remains the same.

    User data JSON:

    {
      "cluster_id": "Cluster-ID_from_UI",
      "edge_ip": ["https://<harmony-controller-address>/api/v2"],
      "api_svr_url": ["https://<harmony-controller-address>:8443/api/v2"]
    }

  7. Click Add Storage, and provide the storage requirements or leave the defaults.

  8. Click Add Tags, and provide the Name and Value.

  9. Click Next: Configure Security Group > Select an existing security group > Review and Launch.

  10. Click Launch.

  11. Select a Key pair and click Launch Instance.

  12. Check the Launch Status.

  13. Verify the cluster association with Harmony Controller in the cluster information page.

Launching A10 Lightning ADC cluster in ASG (Auto Scaling Group) from AWS Marketplace

  1. Follow steps 2 to 5 of “Launching A10 Lightning ADC Cluster Manually from AWS Marketplace” before proceeding to the next step.

  2. On this screen, click Launch into Auto Scaling Group.

  3. Click Create Launch Configuration, provide the Name, and then click Advanced Details. Copy the JSON below into the User data field, replacing the Cluster ID with the one from the cluster creation page (as in step 6 above), and then click Add Storage.

    User data JSON:

    {
      "cluster_id": "Cluster-ID_from_UI",
      "edge_ip": ["https://<harmony-controller-address>/api/v2"],
      "api_svr_url": ["https://<harmony-controller-address>:8443/api/v2"]
    }

  4. Click Next: Configure Security Group > Select an existing security group > Review > Create Launch Configuration.

  5. Choose an existing key pair and click Create Launch Configuration.

  6. Provide the scaling group details, and then click Next: Configure Scaling Policies.

  7. Choose the option Use scaling policies to adjust the capacity of this group, provide all the details, and then click Next: Configure Notifications.

  8. Click Add Notifications.

  9. Select a notification endpoint from the list if one is already created. Otherwise, select Create topic and follow step 10 to create a new notification endpoint.

  10. Follow the on-screen steps to create a new topic (notification endpoint).

  11. Select the newly created notification endpoint, as described in step 9, and then click Next: Configure Tags. Provide the Key and Value and click Review.

  12. Review the configuration and click Create Auto Scaling group.

  13. A message is displayed on successful creation of the Auto Scaling group.

  14. Review the Auto Scaling group created.

  15. Verify the cluster association with A10 Harmony Controller in the cluster information screen.

Upgrading A10 Lightning ADC version in AWS Marketplace

The steps below are for existing Harmony Controller customers who already have A10 Lightning ADC instance(s) running in their AWS account and want to upgrade to the new version. The user needs the cluster ID of the existing A10 Lightning ADC instance(s) running in the AWS account, and then follows the steps below.

Upgrading A10 Lightning ADC Manually in AWS Marketplace

  1. Log in to Harmony Controller, find the A10 Lightning ADC cluster that has the A10 Lightning ADC instance already running in the AWS account, and copy its Cluster ID.

  2. Go to the AWS console and click EC2 > Launch Instance > AWS Marketplace > search for A10 Lightning ADC > Select.

  3. Click Configure Instance Details.

  4. Click Advanced Details, copy the JSON below into the User data field, and replace the Cluster ID with the Cluster ID of the existing A10 Lightning ADC.

    Note

    The JSON format has changed; do not use the old format for the User data. Use the one below.

    User data Snippet:

    {
      "cluster_id": "Cluster-ID_from_UI",
      "edge_ip": ["https://<harmony-controller-address>/api/v2"],
      "api_svr_url": ["https://<harmony-controller-address>:8443/api/v2"]
    }

  5. Click Add Storage > Add Tag.

  6. Click Next: Configure Security Group > Select an existing security group > Review and Launch.

  7. Click Launch.

  8. Select a Key pair and click Launch Instance.

  9. Check the Launch Status.

  10. Verify the cluster association with Harmony Controller in the cluster information screen. Delete the old A10 Lightning ADC instance once the association of the new A10 Lightning ADC instance is displayed on the screen.
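
The same User data JSON is pasted in three of the procedures above (manual Marketplace launch, the Auto Scaling Group launch configuration, and the manual upgrade). The script below is an added example, not A10 tooling: it builds that document from a cluster ID and a controller address, base64-encodes it the way the EC2 API expects, and checks a pasted document for the mistakes that leave an instance unregistered (the `Cluster-ID_from_UI` placeholder left in, an unreplaced `<harmony-controller-address>`, a plain `http://` URL, or a wrong path). Only the field names and URL shapes come from the page; the function names, the `hc.example.com` hostname and the validation rules are assumptions.

```python
"""Build and sanity-check the EC2 User data JSON that registers an A10
Lightning ADC instance with Harmony Controller.

Added example, not A10's own tooling. The field names (cluster_id,
edge_ip, api_svr_url) and the URL shapes come from the User data JSON
shown in the launch steps; everything else is an assumption.
"""
import base64
import json
from urllib.parse import urlparse

REQUIRED_KEYS = ("cluster_id", "edge_ip", "api_svr_url")
# The value the documented template ships with; it must be replaced before launch.
UI_PLACEHOLDER = "Cluster-ID_from_UI"


def build_user_data(cluster_id, controller_address):
    """Return the User data document in the documented format.

    edge_ip uses https on the default port and api_svr_url uses port 8443,
    both with the /api/v2 path, exactly as in the documented JSON.
    """
    return {
        "cluster_id": cluster_id,
        "edge_ip": [f"https://{controller_address}/api/v2"],
        "api_svr_url": [f"https://{controller_address}:8443/api/v2"],
    }


def validate_user_data(doc):
    """Return a list of problems; an empty list means the document is usable.

    Checks that all documented keys are present, that cluster_id is not the
    template placeholder, and that both URL fields are non-empty lists of
    https URLs with a real hostname (no unreplaced <...> placeholder) and
    the /api/v2 path. Plain http would expose the registration exchange to
    tampering on the way to the controller, so it is rejected.
    """
    if not isinstance(doc, dict):
        return ["user data is not a JSON object"]
    problems = [f"missing key: {k}" for k in REQUIRED_KEYS if k not in doc]
    cid = doc.get("cluster_id")
    if not isinstance(cid, str) or not cid.strip():
        problems.append("cluster_id must be a non-empty string")
    elif cid == UI_PLACEHOLDER:
        problems.append("cluster_id is still the UI placeholder")
    for key in ("edge_ip", "api_svr_url"):
        urls = doc.get(key)
        if not isinstance(urls, list) or not urls:
            problems.append(f"{key} must be a non-empty list")
            continue
        for url in urls:
            if not isinstance(url, str) or "<" in url or ">" in url:
                problems.append(f"{key}: {url!r} contains an unreplaced placeholder")
                continue
            parsed = urlparse(url)
            if parsed.scheme != "https":
                problems.append(f"{key}: {url!r} is not an https URL")
            if not parsed.hostname:
                problems.append(f"{key}: {url!r} has no hostname")
            if parsed.path != "/api/v2":
                problems.append(f"{key}: {url!r} path is not /api/v2")
    return problems


def encode_user_data(doc):
    """Base64-encode the JSON, which is how the EC2 API carries User data
    (the console does this for you when you paste the text)."""
    return base64.b64encode(json.dumps(doc).encode("utf-8")).decode("ascii")


def decode_user_data(encoded):
    """Reverse encode_user_data, e.g. to inspect what an instance received."""
    return json.loads(base64.b64decode(encoded).decode("utf-8"))


if __name__ == "__main__":
    # Constructed values: the cluster id from the docker example on this
    # page and an assumed controller hostname. Replace both with your own.
    doc = build_user_data("pn446dtg7r", "hc.example.com")
    print(json.dumps(doc, indent=2))
    print("problems:", validate_user_data(doc) or "none")
    template = build_user_data(UI_PLACEHOLDER, "<harmony-controller-address>")
    print("problems in unedited template:", validate_user_data(template))
```

Run it before pasting the User data: an empty problem list means the document has the documented shape; the unedited template is reported three times (placeholder cluster ID and two placeholder hosts), which is exactly the state an instance ends up in when step 6 is skipped.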

Auto Upgrading A10 Lightning ADC in AWS Marketplace

To upgrade the A10 Lightning ADC version in an Auto Scaling Group (ASG) of the AWS account, follow the steps below.

  1. Log in to Harmony Controller and search for the A10 Lightning ADC cluster that is already in an ASG in AWS.

  2. Look for the launch configuration information in the Cluster information screen.

  3. Click Launch Configuration in the AWS console and search for the launch configuration you found in the Cluster screen.

  4. Select the A10 Lightning ADC launch configuration and click Actions > Copy launch configuration.

  5. In the Copy launch configuration screen, click Edit AMI, then click AWS Marketplace, search for A10 Lightning ADC, and select the radio button Yes, I want to continue with this AMI.

  6. Click Next: Configure details.

  7. In the Configure details screen, click Next.

  8. Select the existing security group of the running A10 Lightning ADC instance and click Review.

  9. Click Create launch configuration.

  10. Select the existing key pair or create a new key pair.

  11. Check the status.

  12. Click Auto Scaling Group, choose the existing A10 Lightning ADC group, and in the Details increase the desired instance count (for example, if it is “1”, change it to “2”); then wait for the new instance to launch.

  13. The cluster page now shows two A10 Lightning ADC instances, the old one and the updated one.

  14. Check the CPU stats of the new A10 Lightning ADC instance in the analytics.

  15. In AWS, both the old and the updated A10 Lightning ADC instances are now running.

  16. To leave only the updated A10 Lightning ADC instance(s) active, remove the old instance(s) by reducing the desired instance count (for example, if it is “2”, change it to “1”) in the Auto Scaling Group screen; the old instance is then terminated automatically by AWS.

  17. The old instance is terminated.

  18. The cluster screen now shows only the updated A10 Lightning ADC instance.

Deploying in Google Cloud Platform (GCP)

Automatic Launch of A10 Lightning ADC Cluster by System in GCP

To automatically launch an A10 Lightning ADC cluster, choose the option Auto (Launched by System) in the Add New Cluster page. For the auto launch of an A10 Lightning ADC cluster, GCP credentials must be provided so that the system can access the launch resources in the user's GCP account. The user is also required to select the appropriate Project to associate with the cluster.

See also

For more information on creating GCP credentials, refer to the On-boarding an Application section of this document.

With the above set of information, the user also needs to provide the exact location (GCP region, network, and subnets) where the A10 Lightning ADC should be launched, and the scale up/down policy for the cluster based on higher/lower CPU usage. When the required configuration is saved, the A10 Lightning ADC instances are launched and automatically registered with the system into the specified cluster. A list of all GCP resources created during the process, together with their status, is shown on the cluster page.

Note

Ensure that TCP port 5666 is open on your A10 Lightning ADC node. As part of the A10 Lightning ADC image creation, the NRPE (Nagios Remote Plugin Executor) plugin is installed, which allows the A10 cloud team to monitor A10 Lightning ADCs remotely; the NRPE daemon binds to port 5666 by default. This allows the cloud team to alert your team when any events occur. If you have your own monitoring in place, you can decide not to open TCP port 5666. This applies to both manual and auto launch of A10 Lightning ADC.

Follow the steps below to have the system auto launch an A10 Lightning ADC cluster:

  1. Click + to add a new cluster, provide the cluster name, attach the cloud credential, and select the appropriate Project. By default, the cluster type is set to Auto.

  2. Once the above step is completed, select the Region and then the Subnet(s) in which to launch the cluster, and set the Min/Max Instances for the cluster. Then save the cluster and wait for it to launch.

  3. Wait for the status to change to Launch Successful.

Launching A10 Lightning ADC Cluster Manually in GCP

The A10 Lightning ADC cluster is launched manually when the user is not comfortable authorizing the system to launch the instances and other resources, which requires access to the user's GCP account.

Follow the steps below to launch an A10 Lightning ADC cluster manually in GCP:

  1. Click + to add a new cluster, provide the cluster name, and then select the cluster type Manual. Save the settings.

  2. The View/Edit Cluster screen provides the user with the metadata information, such as the Cluster ID and the API server URL, that is used to associate the cluster with GCP.

  3. Log in to GCP using the Google account credentials.

  4. Click Products and Services in the top left corner, and from the drop-down select Compute Engine > Instance Templates > CREATE INSTANCE TEMPLATE.

  5. Input the instance name and keep the other fields at their defaults, expand Management, disk, networking, SSH keys, and then provide the metadata information (cluster ID and API server URL or Edge IP) exactly as obtained in step 2.

  6. Create an Instance group and associate the Instance template with it. Keep all the fields at their defaults, select an existing instance or select an instance template, and then click Create.

  7. View the status of the A10 Lightning ADC cluster instance.

Deploying in Azure Infrastructure

To launch the A10 Lightning ADC cluster in an Azure account, use the Azure machine image provided by A10 Networks in the Azure Marketplace. By launching the Lightning ADC instances manually, the user is free to choose their placement, but scaling and security must be configured manually by the user.

Steps to launch A10 Lightning ADC Cluster manually in Azure Marketplace

  1. Click + to add a new cluster, provide the cluster name, and then select the cluster type Manual. Save the settings.

  2. Log in to the Azure Marketplace and search for A10 Lightning ADC; from the search results, select A10 Lightning ADC-BYOL to launch the VM.

  3. After the successful launch of A10 Lightning ADC, SSH to the A10 Lightning ADC instance with the user-defined username and password.

  4. Run the command below to gain the required privileges:

    sudo su
    
  5. Run the register-cli command to register A10 Lightning ADC to the cluster, and then follow the prompts as in the example below to launch A10 Lightning ADC successfully:

    register-cli

    Example:

    Welcome to A10 LADC Shell
    It is advised to change the default password
    Do you want to change password([Y]es/No) : No
    Password not changed.Continuing with registration
    --------------------------------------------------
    Do you want to register LADC([Y]es/No): Yes
    Register your A10 Lightning ADC with the Controller using
    Cluster ID and API Server URL. You can get them by logging into
    A10 Lightning ADS and selecting the cluster name from the left
    pane.
    -------------------------------------------------------------
    Input the API server URL and Cluster ID that is obtained from
    the A10 Lightning ADS UI
    Please enter API server URL: https://<harmony-controller-address>/api/v2
    Please enter the cluster id: ofvrgvdj6i
    API Server URL: https://<harmony-controller-address>/api/v2
    Cluster ID: ofvrgvdj6i
    Is this information correct([Y]es/No) : Yes
    Applying changes
    Waiting for the proxy to get registered.
    Trying to connect to API server
    Starting registration
    Updated cluster id
    Updated API Server
    Restarting services
    Services restarted
    Congratulations!
    LADC activation is completed successfully.!
    
  6. After successful registration of the Lightning ADC from the Azure Marketplace, go back to the A10 Lightning ADS Cluster page and refresh it to view the association of A10 Lightning ADC with A10 Harmony Controller.

Upgrading A10 Lightning ADC Cluster in Azure Infrastructure

This section of the document provides the steps to upgrade the A10 Lightning ADC version in the Azure Infrastructure.

  1. Copy the cluster ID from the running A10 Lightning ADC cluster and keep it ready.

  2. Log in to the Azure Marketplace and search for A10 Lightning ADC; from the search results, select A10 Lightning ADC-BYOL to launch the VM.

  3. After the successful launch of A10 Lightning ADC, SSH to the A10 Lightning ADC instance with the username and password.

  4. Run the command below to gain the required privileges:

    sudo su
    
  5. Run the register-cli command to register A10 Lightning ADC to the cluster:

    register-cli

    When the above command is executed, it prompts for the cluster ID; provide the cluster ID of the running A10 Lightning ADC.

  6. After successful registration of the Lightning ADC from the Azure Marketplace, go back to the A10 Lightning ADS Cluster page and refresh it to view the association of A10 Lightning ADC with A10 Harmony Controller.

  7. Once the upgraded A10 Lightning ADC is associated with the A10 Harmony Controller, the user can delete the old A10 Lightning ADC.

  8. On successful deletion of the old A10 Lightning ADC, the cluster page displays only the upgraded A10 Lightning ADC.

Deploying in Docker Environment

Docker containers are based on open standards, enabling containers to run on all major Linux distributions and on Microsoft Windows, on top of any infrastructure.

A Harmony Controller user can deploy A10 Lightning ADC instances in Docker containers. This makes the deployment independent of the underlying infrastructure, and the Lightning ADC can be deployed close to the application servers wherever they are deployed.

The user is expected to have the Docker engine installed before starting the A10 Lightning ADC deployment. The user should also have the Lightning ADC cluster configured in Harmony Controller, in order to obtain a cluster ID and API server URL.

Steps to configure a new cluster in Harmony Controller to obtain the cluster ID and API server URL:

  1. Log in to Harmony Controller, click Add New Cluster, provide the cluster name, select the cluster type Manual, and then click Save.

  2. Copy the cluster ID and API server URL from this page.

Command to launch Lightning ADC in Docker

Syntax

Single port mapping between host and container:

docker run -tdi --restart=always \
  -e ladc_api_svr_url="https://<harmony-controller-address>/api/v2" \
  -e ladc_cluster_id="<cluster-id>" \
  --net=host a10networks/ladc

The --restart=always policy makes Docker restart the container automatically whenever it stops: after a host reboot, or when the container exits for whatever reason.

The command above shares the host's network namespace (--net=host). Alternatively, a port can be published with -p <host-port>:<container-port>, as in the example output below. Best practice is to use the same port number on the host and in the container. Different ports can be mapped, but make sure the host and container ports are mapped properly to avoid any port conflict.

Below is example output of the docker run command:

a10networks@a10networks-Vostro-2520:~/Documents$ docker run -tdi -e ladc_api_svr_url=https://<harmony-controller-address>/api/v2 -e ladc_cluster_id=pn446dtg7r -p 9001:9001 a10networks/ladc
Unable to find image 'a10networks/ladc:latest' locally
latest: Pulling from a10networks/ladc

45a2e645736c: Pull complete
56be6eca40c3: Pull complete
d6c162c01b87: Pull complete
2540ad4ea6ad: Pull complete
f9b8f9143c3e: Pull complete
2b591b61a96b: Pull complete
7a2396516d24: Pull complete
c54b1d1b3aef: Pull complete
20878495513c: Pull complete
545071a7d8d2: Pull complete
f375f2caa368: Pull complete
18d8f7e70311: Pull complete
Digest: sha256:c73976c943b0a9389cd56b9fc4b56ca37c2f1625e6cbcf18bceb3257e372901f
Status: Downloaded newer image for a10networks/ladc:latest
ac240d887d4c1d7fca850acb5d0db93ff601ed5a1833da6d682c6fc0c29caf73

On-boarding an Application

An Application includes the configuration required for application delivery and allows the user to add many more complex policies as needed. To save an application, provide at least the name of the application and its traffic endpoint; more configuration can be added once the application is created. To activate an application, the user must provide details of the application servers that serve the application traffic, and associate a valid A10 Lightning ADC cluster that has A10 Lightning ADCs launched and running.

To on-board a new application, follow the sequence below in Harmony Controller:

  1. Add credentials, or use existing ones.
  2. Add A10 Lightning ADC clusters, or use existing ones.
  3. Add a new application.

Adding a New Credential

Creating an AWS credential

Perform the steps below to add a new AWS Credential in Harmony Controller:

  1. Click + to add a new Credential.

  2. Select the Credential Type as Infrastructure Credentials.

  3. Enter the Name.

  4. Select the cloud type AWS. Check the box Use same ARN for DNS (Route53) credential to give A10 Networks access to the AWS account for managing the application configuration in the cloud.

  5. Input the ARN Role. Click View steps to get Role ARN, and follow the on-screen instructions to obtain the role ARN.

Creating a GCP credential

Perform the steps below to add a new GCP Credential in Harmony Controller:

  1. Click + to add a new Credential.

  2. Select the Credential Type as Infrastructure Credentials.

  3. Enter the Name.

  4. Select the cloud type as GCP.

  5. Click View steps to get Service Account Credential, and follow the on-screen instructions to get the service account credentials.

Adding a New Cluster

Creating an AWS Cluster

Perform the below steps to create a new AWS Cluster in Harmony Controller:

  1. Click + to add a new Cluster.

  2. Under Cluster Information, provide the Cluster name and select the Cluster Type as Auto.

  3. Under Infrastructure Information, select the Cloud type AWS and select the Cloud Credential already created; if none is created, click the Add Credential button to create one. Then save the configuration.

Creating a GCP Cluster

Perform the below steps to create a new GCP Cluster in Harmony Controller:

  1. Click + to add a new Cluster.

  2. Under Cluster Information, provide the Cluster name and select the Cluster Type as Auto.

  3. Under Infrastructure Information, select the Cloud type GCP and select the existing GCP cloud credential; if none is created, click the Add Credential button to create one. Then save the configuration.

  4. After selecting the GCP cloud credentials, select the appropriate project.

  5. Fill-in all the fields under A10 Lightning ADC Launch Information and click Save and Launch.

  6. View the A10 Lightning ADC launch status on this screen.

Adding New Application

Perform the steps below to add a new Application in Harmony Controller:

  1. Click + to add a new Application.

  2. Under Application Information, provide the Application Name and the Application Endpoint (application URL), and then choose the product type, Basic or Pro.

  3. Under Application Server Information, choose the appropriate option in the Discover App Server Using list.

  4. Under A10 Lightning ADC Cluster Information, select the A10 Lightning ADC cluster already created; if none is created, click the Add Cluster button to create one. Then save the configuration.

Discover Application Server Using ELB

The steps below add a new application in A10 Lightning ADS and discover the application servers using an AWS ELB.

Assume the customer is using the CNAME of the ELB to load balance the traffic and wants to switch to the A10 Lightning ADC DNS. In this case, first run nslookup to see what the endpoint name resolves to:

nslookup ezelb.greatco.org

Non-authoritative answer:
ezelb.greatco.org canonical name = ez-elbdemo-1915081478.us-east-1.elb.amazonaws.com.
Name:    ez-elbdemo-1915081478.us-east-1.elb.amazonaws.com
Address: 34.202.89.44
Name:    ez-elbdemo-1915081478.us-east-1.elb.amazonaws.com
Address: 52.206.237.86

In the nslookup output above, the application endpoint resolves to the CNAME of the ELB. The following steps show how to change the DNS from the CNAME of the ELB to the A10 Lightning ADC DNS.

  1. Click + to add a new application and provide all the information, such as the application name and application endpoint. Then, in the Application Server Information section, select AWS in the App Server Hosted With field, provide the credentials, and select ELB in the Discover App Server Using field.

  2. On selecting ELB in the Discover App Server Using field, the ELB name and the app server IPs are discovered by A10 Harmony Controller.

  3. At this point, the DNS is not updated yet and the application is still using the CNAME of the ELB for load balancing the traffic.

  4. Update the DNS credentials: click Edit, update the credentials, select the DNS server, and then click Update DNS. Updating the DNS starts routing the traffic through A10 Lightning ADC.

  5. After updating the DNS credentials, click Change DNS.

  6. On successful completion, a confirmation message is displayed.

Once the DNS is changed, run the nslookup again to confirm the changes as shown:

nslookup ezelb.greatco.org
Server:        8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
ezelb.greatco.org    canonical name = cafenode.10h4stkre2.stage.ladc.a10networks.com.
Name:    cafenode.10h4stkre2.stage.ladc.a10networks.com
Address: 52.206.216.180

Now the nslookup output resolves to the A10 Lightning ADC DNS, confirming that the traffic is routed through A10 Lightning ADC.
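
The before/after nslookup comparison above is the check that tells you whether the cutover actually happened. The script below is an added example (not from the page or from A10) that automates it: it parses nslookup output of the shape shown, ignores the resolver's own `Address: 8.8.8.8#53` line, and reports whether the endpoint's CNAME still points at the ELB, already points at the Application DNS, has no CNAME, or belongs to a different name than the one queried. The two sample outputs are constructed, modelled on the page's runs; the `.ladc.a10networks.com` suffix is taken from the page's example and is assumed to be your tenant's Application DNS suffix, so adjust `LADC_SUFFIX` if yours differs.

```python
"""Classify where an application endpoint currently resolves: to the AWS
ELB (before the DNS change) or to the A10 Lightning ADC Application DNS
(after it), from nslookup output.

Added example, not from the page or from A10. Sample outputs are
constructed, modelled on the page's two nslookup runs.
"""
import re

ELB_SUFFIX = ".elb.amazonaws.com"
# Assumption: the Application DNS suffix seen in the page's example.
LADC_SUFFIX = ".ladc.a10networks.com"

# Constructed sample: endpoint still pointing at the ELB.
NSLOOKUP_BEFORE = """\
Non-authoritative answer:
ezelb.greatco.org canonical name = ez-elbdemo-1915081478.us-east-1.elb.amazonaws.com.
Name:    ez-elbdemo-1915081478.us-east-1.elb.amazonaws.com
Address: 34.202.89.44
Name:    ez-elbdemo-1915081478.us-east-1.elb.amazonaws.com
Address: 52.206.237.86
"""

# Constructed sample: endpoint after the DNS change, queried via 8.8.8.8.
NSLOOKUP_AFTER = """\
Server:        8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
ezelb.greatco.org    canonical name = cafenode.10h4stkre2.stage.ladc.a10networks.com.
Name:    cafenode.10h4stkre2.stage.ladc.a10networks.com
Address: 52.206.216.180
"""

CNAME_RE = re.compile(r"^(\S+)\s+canonical name\s*=\s*(\S+)\s*$", re.MULTILINE)
ADDR_RE = re.compile(r"^Address:\s*(\S+)\s*$", re.MULTILINE)


def parse_nslookup(output):
    """Return (owner, cname, addresses) from nslookup output.

    owner and cname are None when no CNAME line is present (A record only).
    The resolver's own 'Address: 8.8.8.8#53' line carries a '#port' suffix
    and is skipped, so addresses holds only answer-section addresses.
    """
    match = CNAME_RE.search(output)
    owner = cname = None
    if match:
        owner = match.group(1).rstrip(".").lower()
        cname = match.group(2).rstrip(".").lower()
    addresses = [a for a in ADDR_RE.findall(output) if "#" not in a]
    return owner, cname, addresses


def classify_target(hostname):
    """Map a CNAME target to 'elb', 'ladc' or 'other'."""
    host = hostname.rstrip(".").lower()
    if host.endswith(ELB_SUFFIX):
        return "elb"
    if host.endswith(LADC_SUFFIX):
        return "ladc"
    return "other"


def cutover_status(output, endpoint):
    """Summarise where `endpoint` currently points, given nslookup output.

    target is 'elb' before the DNS change, 'ladc' after it, 'no-cname' if
    the endpoint has no CNAME at all, 'mismatch' if the CNAME line belongs
    to a different name than the one queried, and 'other' otherwise.
    """
    owner, cname, addresses = parse_nslookup(output)
    if cname is None:
        target = "no-cname"
    elif owner != endpoint.rstrip(".").lower():
        target = "mismatch"
    else:
        target = classify_target(cname)
    return {"endpoint": endpoint, "cname": cname, "target": target, "addresses": addresses}


if __name__ == "__main__":
    for label, sample in (("before", NSLOOKUP_BEFORE), ("after", NSLOOKUP_AFTER)):
        print(label, cutover_status(sample, "ezelb.greatco.org"))
```

In practice you would feed the output of `nslookup <endpoint>` (or the same query against several public resolvers, since the change propagates at different rates) into `cutover_status` and wait until every resolver reports `ladc` before retiring the ELB.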

Reviewing Generated Configuration

Once the above steps are performed, verify the application profile by reviewing the generated configuration under Configuration > Application.


Traffic Management Configuration

Harmony Controller offers comprehensive load balancing functionality, such as elastic, secure, and centralized management of cloud applications. Its main advantage, however, comes from its use of the cloud infrastructure to dramatically improve application delivery in cloud and data centre environments. The figure below shows a full-scale deployment of the Application Delivery System (ADS).

Figure: full-scale deployment of the Application Delivery System (ADS)

Harmony Controller uniquely enables the following load balancing capabilities of cloud application:

  • Layer 4 to Layer 7 advanced load balancing with auto-scale
    Extends the traditional load balancing services with content switching and session persistence.
  • Policy-based traffic management
    Specifies policies to optimally fulfill user requests.
  • Closed-loop application delivery
    Offers real-time application analytics and adjusts load balancing policies accordingly.

Whether your organization is migrating its legacy applications from the data center or building new container-based micro-service applications in the cloud, the Harmony Controller load balancer deploys in minutes through an application-intimate proxy in your availability zone.

The Harmony Controller Elastic Load Balancing (ELB) service enhances cloud application capacity, flexibility, and visibility without any changes to application code.

Application Domain

Harmony Controller accepts the client requests for the domain names configured as application domains. When you on-board A10 Harmony™ Controller, it creates an application domain by default (based on your application endpoint).

Adding and Removing a Domain

Adding a Domain

Follow the steps below for configuring an application domain in Harmony Controller:

  1. In Harmony Controller, go to the Tenant > Tenant Name > Edit Configuration > Application > Settings screen.

    _images/image1.0.png
  2. Select Add a Domain, enter the domain name (for example, www.example.com), and then click Save to add an application domain.

    _images/image1.2.png

Adding Multiple Application Domains

You can add as many Fully Qualified Domain Names (FQDNs) as you need as application domains, using the Add a Domain option. A wildcard (*) may be used to specify all the subdomains of a domain.

Deleting a Domain

If you have multiple domains, you can delete a domain by clicking the Delete button next to it and then clicking the Delete Domain button.

Application DNS

Application DNS is the DNS name of A10 Lightning ADC. If you chose the option Other (a third-party DNS provider) while adding your application, you need to change the DNS record of your Application Domain at the DNS provider so that it points to the Application DNS: manually replace the CNAME record at your DNS provider with the Application DNS URL shown in this field. If you chose Route 53 as your DNS provider, this step is automated.

_images/image1.5.png

Note

You need a public DNS entry (For example, www.example.com or app.example.com) with DNS service provider of your choice for enabling users to access your application. Typically, the DNS entry is a ‘CNAME’ record or an ‘A’ record in your application domain’s hosted zone file.

Changing DNS Entry for Enabling Traffic Flow

Once you have completed required configurations, select Change DNS on the Settings Page. A message pop-up is displayed asking if you want to update the DNS information.

When the Change DNS button is selected, traffic for the application domain is routed through A10 Lightning ADC; the deployed A10 Lightning ADCs are your application front end from this step on. Note that until you enable Harmony Controller, traffic does not pass through A10 Lightning ADC.

_images/image1.6.png

The above steps complete the on-boarding process in Harmony Controller.

Ports

Adding a Port

Harmony Controller listens for application traffic on the configured listening ports. To add a port, click the ADD PORT/LISTENER option on the Settings screen. You can add multiple listening ports if required.

_images/image1.7.png

Note

Before adding any HTTP2 or SSL ports make sure SSL is enabled.

Removing a Port

If you have multiple ports, you can delete a port by clicking the Delete button next to it and then clicking the Delete option.

Note

Disabling SSL also disables HTTP2.

SSL Termination

Configuring SSL for a Domain

Each application domain (FQDN) requires its own SSL settings if SSL is enabled on Harmony Controller. When you add a new application domain and want to copy the SSL settings of an existing domain to it, use the Copy SSL Settings option.

SSL certificates (also called digital certificates) are used to establish a secure, encrypted connection between Harmony Controller and the application servers. The SSL connection protects sensitive data exchanged during each session.

To enable SSL, you need a valid SSL certificate that identifies you, installed on the application server. A padlock icon in the web browser indicates that an SSL certificate is in use; some browsers also show a green address bar. Once the SSL installation is complete, you can access Harmony Controller securely by changing the URL prefix from http:// to https://. When an SSL certificate is installed on the application server, you can be sure that the information you enter is secure.

_images/image1.10.png

When you enable SSL in A10 Harmony™ Controller, the options below are displayed. Click the relevant help buttons for more information on these options.

  • Validate Certificate using server certificate chain/server key
  • Option to choose SSL Versions
  • Option to choose Ciphers
  • Option to choose Client Authentication

Copying SSL Properties to Multiple Domains

If SSL is already configured for a domain, the same configuration can be copied to newly added domains. Click Copy SSL settings and, in the left section, select the domain to copy SSL settings from. In the right section, select the domain to copy SSL settings to, and click Copy, as shown in the figure below.

_images/image1.29.png

Http2

HTTP/2 is the next-generation protocol for transferring information on the web, improving upon HTTP/1.1 with features that lead to better performance. It changes how HTTP traffic is carried, with the particular goals of reducing web page load latency and improving web security. This policy can only be enabled together with SSL.

Services

A service is identified by a traffic condition and a set of servers that serve traffic for client requests that match the traffic condition.

Default Service

When you configure an application, a default service is created with the servers discovered or specified while on-boarding the application.

Creating a Service

A new service is created under the following conditions:

  • When the traffic is served from a different set of servers.
  • When the traffic is served from various ports of the same set of servers.

Ordering of Services

If there are multiple services, they can be reordered using the up/down arrow icons; the order determines which service the traffic passes through.

_images/image1.31.png

Service Condition

When you add a service, you can configure traffic conditions within the service, and when there are client requests that match these service conditions they are served by the application servers.

_images/image_ServiceCondition.png

You can configure logical conditions for a service, using the following options:

  • URL Path
    Enter the URL path value.
  • Header
    Enter the header name and value.
  • Cookie
    Enter the cookie name and value.
  • Query Parameter
    Enter the query parameter name and value as they appear in the query string of a GET request.
  • Scheme
    Select the scheme, Http or Https.
  • Method
    The HTTP method of the request. Four HTTP methods are available: GET, POST, PUT, and DELETE.
  • Port
    Enter the port value.
  • POST Body Parameter
    Enter the POST body parameter value sent in the POST request.
  • Country
    The country code of the client network, as a two-letter or three-letter code or the full name of the country.
  • Network
    The IP address of the client network.

Use the logical operators AND and OR to combine multiple conditions and form a single final service condition. Once you have created a service, you can edit the service configurations later if required, using the pencil icon.

Servers

The application servers configured within the service are displayed in the Servers section. These servers serve the traffic that matches the conditions specified in the service. You can edit the application server configuration using the adjacent pencil icon (View/Edit Server Group).

_images/image1.31.png

The Edit Servers window is displayed where you can modify the application server information.

_images/image1.12.png

Load Balancing

Load balancing distributes client requests across multiple servers to optimize resource utilization. In a scenario where a limited number of servers provide service to a large number of clients, a server can become overloaded degrading server performance. Load balancing is used to prevent bottlenecks by forwarding the client requests to the servers best suited to handle them, thus balancing the load.

Load balancing uses algorithms called load balancing methods, to determine how the load is distributed among the servers.

In Harmony Controller, you can select any of these load balancing methods:

  • Least Connections
  • Round Robin
  • IP Hash
  • IP Port Hashing

Least Connections

When a load balancer is configured to use the least connections method, it selects the server with the fewest active connections, so that the load of active requests is balanced across the servers. This is the default load balancing method because it provides the best performance.

Use this method when you do not want to overload a busy server and prefer to distribute the load to servers that are relatively less loaded.

Round-Robin

Round-robin load balancing is one of the simplest methods for distributing client requests across a group of servers. In this mode of load balancing, the load balancer passes each new connection request to the next server in line, eventually distributing connections evenly across the array of machines being load balanced. When it reaches the end of the list, the load balancer loops back and goes down the list again (sends the next request to the first listed server, the one after that to the second server, and so on).

When configuring a service in Harmony Controller, choose the round-robin load balancing method when there are enough client requests and they need to be processed almost equally and quickly among the available servers. Also note that the round-robin method should be used when application servers are stateless and sessions are managed centrally at the back end.

IP Hash

In IP Hash load balancing, the client's IP address is used as the hashing key to select the server (from the server group) to which the client's requests are directed. This method ensures that requests from the same client are always directed to the same server, except when that server is unavailable.

This mode is particularly useful when you always want to direct requests from the same client to the same server. The IP Hash method is useful when your application servers are stateful.

IP Port Hashing

In IP Port Hash load balancing, the client's IP address and port number together form the hashing key used to select the application server (from the server group) to which the client's request is directed. As long as the IP address and the port number remain the same, the client's requests are directed to the same server. If the port number changes while the IP address remains the same, the client's requests are directed to a different server; in particular, a client machine whose port number varies between connections has its requests sent to different servers.

In Harmony Controller, load balancing is always enabled and defaults to ‘Least Connections’ even if the checkbox is unchecked. You can choose ‘Round Robin’ or ‘IP Hash’ by selecting the corresponding radio button.
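
The four selection methods described above, as an added example that is not part of the original documentation or of the A10 product code. The server addresses are constructed placeholders, the hash-based methods use SHA-256 over the key (the product's actual hash function is not stated on this page), and the comment on the hash methods notes the caveat that a server leaving the group can remap other clients too.

```python
import hashlib
from collections import defaultdict

# Constructed server group; addresses are documentation-range placeholders.
SERVERS = ["10.0.0.11:8080", "10.0.0.12:8080", "10.0.0.13:8080"]


class Balancer:
    """Model of the four Harmony Controller selection methods.

    servers: list of "host:port" strings in configured order.
    """

    def __init__(self, servers):
        self.servers = list(servers)
        self.healthy = set(servers)          # servers currently in service
        self.active = defaultdict(int)       # active connections per server
        self._rr_next = 0                    # round-robin cursor

    def _in_service(self):
        up = [s for s in self.servers if s in self.healthy]
        if not up:
            # Every server down: this is the page's "service down" condition
            raise RuntimeError("service down: no healthy servers")
        return up

    def least_connections(self):
        # Pick the server with the fewest active connections; on a tie,
        # min() keeps the earliest-listed server.
        return min(self._in_service(), key=lambda s: self.active[s])

    def round_robin(self):
        # Walk the in-service list and wrap around at the end.
        up = self._in_service()
        chosen = up[self._rr_next % len(up)]
        self._rr_next += 1
        return chosen

    def _hash_select(self, key):
        # Hash the key to an index into the in-service list. Caveat: when a
        # server leaves or rejoins, len(up) changes and clients mapped to
        # other servers can move as well (consistent hashing avoids that).
        up = self._in_service()
        digest = hashlib.sha256(key.encode()).digest()
        return up[int.from_bytes(digest[:8], "big") % len(up)]

    def ip_hash(self, client_ip):
        # Same client IP -> same server while that server is in service.
        return self._hash_select(client_ip)

    def ip_port_hash(self, client_ip, client_port):
        # Same IP *and* port -> same server; a new source port may move.
        return self._hash_select(f"{client_ip}:{client_port}")

    def connection_opened(self, server):
        self.active[server] += 1

    def connection_closed(self, server):
        self.active[server] -= 1

    def mark_down(self, server):
        self.healthy.discard(server)


def simulate(method_name, requests):
    """Run requests (list of (ip, port)) through one method; return counts per server."""
    lb = Balancer(SERVERS)
    counts = defaultdict(int)
    for ip, port in requests:
        if method_name == "ip_hash":
            chosen = lb.ip_hash(ip)
        elif method_name == "ip_port_hash":
            chosen = lb.ip_port_hash(ip, port)
        elif method_name == "round_robin":
            chosen = lb.round_robin()
        else:
            chosen = lb.least_connections()
            lb.connection_opened(chosen)   # connections stay open so the counts diverge
        counts[chosen] += 1
    return dict(counts)
```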

Session Persistence

Session persistence directs a client's requests to the same back-end web or application server for the duration of a "session", that is, the time it takes to complete a task or transaction. Session persistence can also be used to keep sending the same client to the same server.

Note

A session is defined as a series of transactions between a client and a server over some finite period of time, ranging from several minutes to hours.

When you enable Session Persistence in a service in Harmony Controller, the following options are displayed:

Query Parameter

The query parameter in the HTTP GET request. For example, in the HTTP request http://www.abc.com/w/index.php?title=Main_page&action=raw, the query parameter name is title.

Location Affinity

Location Affinity provides the capability to load balance inter-zone traffic, distributing traffic across the application servers with location-aware load balancing.

Location Affinity supports Affinity Only and Affinity Weight options which give the user the flexibility to load balance the traffic more precisely within the Zone.

Note

The Location Affinity is supported only in AWS.

Note

When Location Affinity is enabled, it is recommended to disable the Session Persistence to avoid any interoperability issues.

Affinity Only

When this option is enabled, Lightning ADC only uses application servers in the same zone as itself. Other application servers are used only when all local application servers are out of service.

Note

When Affinity Only is enabled, the Affinity Weight option is ignored.

Affinity Weight

When this option is enabled, the weight of each zone-local server is multiplied by the Affinity Weight specified in the field.

For example, assume these servers are configured with the following weights:

  • 190.168.128.31 - Weight 1
  • 190.168.128.32 - Weight 1

When Affinity Weight is set to 2 and 190.168.128.31 is the zone-local server, the configuration is written out as:

  • 190.168.128.31 - Weight 2 (1 * 2)
  • 190.168.128.32 - Weight 1

For every 3 requests, A10 Lightning ADC sends 2 requests to 190.168.128.31 and 1 request to 190.168.128.32. By adjusting Affinity Weight, the user can keep more requests within the same zone as Lightning ADC.
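
The Affinity Only and Affinity Weight behaviour described above, as an added example that is not part of the original documentation or of the A10 product code. It reuses the page's two servers, places them in assumed availability zones (us-east-1a and us-east-1b), and distributes requests with smooth weighted round robin, which is an assumption about the scheduling method since the page only states the resulting 2:1 ratio.

```python
from dataclasses import dataclass


@dataclass
class Server:
    address: str
    zone: str        # assumed AWS availability zone label
    weight: int = 1
    up: bool = True


def affinity_pool(servers, local_zone, affinity_only=False, affinity_weight=1):
    """Return [(server, effective_weight)] after applying Location Affinity.

    affinity_only: use zone-local servers exclusively; fall back to the others
    only when every local server is out of service (Affinity Weight ignored).
    affinity_weight: multiply the weight of zone-local servers by this factor.
    """
    in_service = [s for s in servers if s.up]
    local = [s for s in in_service if s.zone == local_zone]
    if affinity_only:
        pool = local if local else in_service
        return [(s, s.weight) for s in pool]
    return [(s, s.weight * affinity_weight if s.zone == local_zone else s.weight)
            for s in in_service]


def weighted_round_robin(pool, n_requests):
    """Distribute n_requests with smooth weighted round robin; return counts.

    Each round every server gains its weight; the highest current value is
    picked and pays back the total, which yields the interleaved 2:1 pattern
    the text describes rather than bursts of two then one.
    """
    current = {s.address: 0 for s, _ in pool}
    counts = {s.address: 0 for s, _ in pool}
    total = sum(w for _, w in pool)
    for _ in range(n_requests):
        for s, w in pool:
            current[s.address] += w
        chosen, _ = max(pool, key=lambda p: current[p[0].address])
        current[chosen.address] -= total
        counts[chosen.address] += 1
    return counts


# Constructed: the page's two servers, placed in assumed zones.
SERVERS = [
    Server("190.168.128.31", zone="us-east-1a"),
    Server("190.168.128.32", zone="us-east-1b"),
]


def example_distribution(n_requests=3, affinity_weight=2, local_zone="us-east-1a"):
    """Counts per server for the page's example (Affinity Weight 2, .31 local)."""
    pool = affinity_pool(SERVERS, local_zone, affinity_weight=affinity_weight)
    return weighted_round_robin(pool, n_requests)
```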

Configuring Location Affinity

The Location Affinity is configurable both in the existing default service and also in the new service after on-boarding.

To configure Location Affinity in the default service, click View/Edit Server Group and enable Location Affinity as shown. Note that Location Affinity is disabled by default.

_images/image1.31.png
_images/image1.12.png

To configure Location Affinity for a new service in A10 Lightning ADC, go to Services > Add New Service > Server Information > Location Affinity.

Select the AWS in the server field.

When Affinity Only is enabled, the Affinity Weight field is disabled; when Affinity Only is disabled, the Affinity Weight field is enabled.

Server Monitoring

When adding a new service in Harmony Controller, you can configure out-of-band monitoring of application servers where Harmony Controller probes actively whether the application servers are active or not. You need to specify the monitoring protocol (TCP/HTTP, or secure TCP/HTTP connections), monitoring interval, and timeout.

Note

You can monitor the Application Server Health from the Dashboard.

Description of Fields

  • Monitor Protocol
    The protocol over which Harmony Controller monitors the application servers: TCP or Http. For secure monitoring, use the SSL over TCP or SSL over Http options.
  • Monitor URL
    When you select Http or Https as the monitor protocol, you must also specify the Monitor URL; Harmony Controller then probes that URL. This field is visible only when you select Http or Https.
  • Monitor Interval
    The time (in seconds) between successive probes of the application server.
  • Monitor Timeout
    The time (in seconds) after which a monitoring probe times out; it must fit within the monitoring interval.

Server Limits

When you configure a new service in Harmony Controller, you can specify the required timeouts when requesting information from the application server or when getting a response from the application server.

Description of Fields

  • Close connection to server if cannot read for (seconds)

    Specify the time after which the connection to the application server is closed if the required information cannot be read from the server within that time.

    For example, suppose you set this timeout to 300 seconds. If you download information from the server and the task takes more than 300 seconds (say 500 seconds), the connection closes after 300 seconds because that is the timeout value. Increase the timeout to 500 seconds so that the download completes.

  • Close connection to the server if cannot write for (seconds)

    Specify the time after which the connection to the application server is closed if the required information cannot be written to the server within that time.

    For example, suppose you set this timeout to 300 seconds. If you upload information to the server and the task takes more than 300 seconds (say 500 seconds), the connection closes after 300 seconds because that is the timeout value. Increase the timeout to 500 seconds so that the upload completes.

SSL between Proxy and Server

Secure Sockets Layer (SSL) can be enabled to establish a secure, encrypted connection between A10 Lightning ADC (or proxy) and the application servers. The SSL connection protects sensitive data exchanged during each session.

To enable SSL, you need to obtain an SSL certificate that identifies you and install it on the application server. When an SSL certificate is installed on the application server, you can be sure that the information you enter is secure.

When you enable SSL between A10 Lightning ADC (or proxy) and the server, the following options are displayed. Click the relevant help buttons for more information on these options.

  • Validate Certificate
  • Send Server Name
  • Option to choose SSL Versions
  • Option to choose Ciphers

Service Down Condition

When all the servers configured in a service are down (not functioning), the service is said to be down. Harmony Controller provides three options for handling this downtime.

Select an option to configure the fall-back used when all servers go down:

  • Use this service
    Choose an existing service to which you can redirect the traffic when your service is down.
  • Send static content
    Provide the response code and URL to which you can re-direct the traffic when your service is down.
  • Redirect to
    Provide the redirect URL to which you can redirect the traffic when your service is down.

Backend Server Surge Protection

The Backend Server Surge Protection policy prevents the backend server from being overloaded by unbounded traffic, which can make the server perform inefficiently. With this policy, the user can limit the traffic flow to the server and the keep-alive time of a connection based on the values set. The two fields, Connection Keepalive Timeout and Maximum Number of Requests Per Connection, let the user set the connection keep-alive time and the maximum number of requests allowed in a connection. It is recommended to set the connection keepalive timeout value to "4", meaning that if the connection is idle with no requests coming in for 4 seconds, the connection is closed. Similarly, the user can set the maximum number of requests allowed per connection.

Activating and Deactivating a Service

Once you create a service, you need to activate it so that the Application Delivery System (ADS) passes traffic through the application servers configured within the service.

The default service is activated once the cluster association is completed. New services, when created, have to be activated for traffic to pass through. A service can be deactivated using the disable icon.

Activating a New Service

Follow the steps below to Add a New Service and Activate the Service:

  1. From the Services screen, click ADD NEW SERVICE and configure a new service in the next screen.

    _images/image1.13.png
  2. Click the Activate button to enable the service.

Deactivating a Service

To deactivate a service, click the De-activate button and then select the De-activate option.

Smart Flow

Default SmartFlow

When you create a new service, a default SmartFlow is created with the traffic condition(s) defined in the service.

Adding a SmartFlow

A new SmartFlow is created when policy configuration is required for a different SmartFlow condition. A request from the client hits the SmartFlow if its condition matches. When multiple SmartFlows are created, they can be reordered as required.

SmartFlow Configuration

Follow the below steps to configure a SmartFlow:

  1. Click Tenant > Tenant Name > Edit Configuration > Application > Services

    _images/image1.31.png
  2. Click Add a SmartFlow and provide the Smartflow Service details as below.

    _images/image1.37.png
  3. Set the Smartflow conditions in the respective fields.

SmartFlow Conditions

The list below describes the SmartFlow conditions:

  • URL Path
    Enter the URL path value.
  • Header
    Enter the header name and value.
  • Cookie
    Enter the cookie name and value.
  • Query Parameter
    Enter the query parameter name and value as they appear in the query string of a GET request.
  • Scheme
    Select the scheme, Http or Https.
  • Method
    The HTTP method of the request. Four HTTP methods are available: GET, POST, PUT, and DELETE.
  • Port
    Enter the port value.
  • POST Body Parameter
    Enter the POST body parameter value sent in the POST request.
  • Country
    The country code of the client network, as a two-letter or three-letter code or the full name of the country.
  • Network
    The IP address of the client network.
  • Allow Traffic
    If the SmartFlow condition matches and this is enabled, the configured policies are applied.
  • Redirect Traffic to
    If the SmartFlow condition matches, the traffic is redirected (temporarily or permanently) to the specified URL.
  • Deny all Traffic
    If the SmartFlow condition matches, all requests are denied, either with no response or with the message entered by the user.
  • Device Type
    Select from the device types available in the drop-down as a logical condition and configure policies accordingly to create a new SmartFlow.
  • Client OS
    Select from the operating systems available in the drop-down as a logical condition and configure policies accordingly to create a new SmartFlow.
  • Browser
    Select from the browsers available in the drop-down and set policies to create a new SmartFlow.
  • Browser Version
    Enter the browser version as a condition and set policies to create a new SmartFlow. The logical operators AND and OR can also be used to combine multiple conditions, such as browser AND browser version, into a single final service condition.
  • Client Authentication
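
A small evaluator for the condition model used by both the Service Condition list and the SmartFlow condition list above (leaf conditions combined with AND/OR, SmartFlows tried in order, first active match decides Allow / Redirect / Deny), as an added example that is not part of the original documentation or of the A10 product code. The request structure, the tuple syntax for conditions, the 10.1.0.0/16 "corporate network" and the policy itself are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs


@dataclass
class Request:
    """Constructed view of an incoming HTTP request."""
    path: str
    method: str = "GET"
    scheme: str = "https"
    port: int = 443
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    query: str = ""
    client_ip: str = "192.0.2.1"
    country: str = ""


def leaf_matches(cond, req):
    """Evaluate one leaf condition tuple, e.g. ("url_path", "/admin")."""
    kind, *args = cond
    if kind == "url_path":
        return req.path.startswith(args[0])
    if kind == "header":                    # header names are case-insensitive
        lowered = {k.lower(): v for k, v in req.headers.items()}
        return lowered.get(args[0].lower()) == args[1]
    if kind == "cookie":
        return req.cookies.get(args[0]) == args[1]
    if kind == "query":
        return args[1] in parse_qs(req.query).get(args[0], [])
    if kind == "scheme":
        return req.scheme == args[0]
    if kind == "method":
        return req.method == args[0]
    if kind == "port":
        return req.port == args[0]
    if kind == "country":
        return req.country == args[0]
    if kind == "network":
        return ip_address(req.client_ip) in ip_network(args[0])
    raise ValueError(f"unknown condition: {kind}")


def evaluate(expr, req):
    """expr is a leaf, or ("and", [...]) / ("or", [...]) combining sub-expressions."""
    if expr[0] == "and":
        return all(evaluate(e, req) for e in expr[1])
    if expr[0] == "or":
        return any(evaluate(e, req) for e in expr[1])
    return leaf_matches(expr, req)


@dataclass
class SmartFlow:
    name: str
    condition: tuple
    action: tuple        # ("allow",) | ("redirect", url, status) | ("deny", message)
    active: bool = True


def route(flows, req):
    """Ordered evaluation: the first active SmartFlow whose condition matches wins.
    A deactivated flow is skipped, so the request hits the one below it."""
    for flow in flows:
        if flow.active and evaluate(flow.condition, req):
            return flow.name, flow.action
    return None, None    # nothing matched: the service's default SmartFlow applies


# Constructed policy. Order matters: the corporate-network allow for /admin
# sits above the catch-all deny for /admin.
FLOWS = [
    SmartFlow("http-to-https", ("scheme", "http"),
              ("redirect", "https://www.example.com/", 301)),
    SmartFlow("admin-from-corp",
              ("and", [("url_path", "/admin"), ("network", "10.1.0.0/16")]),
              ("allow",)),
    SmartFlow("admin-block", ("url_path", "/admin"), ("deny", "Forbidden")),
    SmartFlow("api-needs-version",
              ("and", [("url_path", "/api"),
                       ("or", [("header", "X-Api-Version", "2"),
                               ("query", "v", "2")])]),
              ("allow",)),
]
```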

SmartFlow Actions

Configuring Action Policy Rules

You can specify rules or action policies that return custom content to the user (for example, an alias response code) for the response codes coming from the application server. This enhances the user experience: for example, if you want to hide a particular response code from the user, you can specify an alias code in the action policy configured in A10 Lightning ADC, so that the user sees the alias code instead of the response code you want to hide. In the action policy rules, you can do these tasks:

  • Set up alias response codes or alias response URLs that the A10 Lightning Application Delivery Controller should return to the user for the response codes coming from the application server.
  • Redirect the user to a redirect URL.

Activating and Deactivating a SmartFlow

Whenever a new SmartFlow is created, it needs to be activated using the enable/disable button. With multiple SmartFlows, if one is deactivated the traffic hits the next one below it in order.

Traffic Manipulation Policies

URL Rewrite

The URL Rewrite policy helps you to rewrite complex URLs into user-friendly and search-friendly URLs without changing the page structure.

Note

When you have multiple URL rewrite rules and the action for all of them is to continue to the next rule, at the end Lightning ADC sees that the URL has changed and automatically triggers a new service and SmartFlow match. If you do not want to continue to the next rule, you must explicitly call break. URL rewrites must be used only if you want to modify the rewritten URL again.

Configuring URL Rewrite Policy

After rewriting the URL, choose an option from the After Rewrite drop-down box; these options apply specific rules to rewritten URLs. Enable the policy using the Enable button. Finally, enable the Case Insensitive button, which makes the server ignore case in rewritten URLs.

_images/image1.17.png

Response Body Rewrite

You can control the text, headers, and error codes displayed to web page visitors by using the Body Rewrite function.

Configuring Body Rewrites Policy

Enter a regex or string value in the Match field. Enter the new string value or regex in the Replace With field, and click the Enable button. Enabling the Case Insensitive button is optional.

_images/image1.18.png

Header Rewrite

HTTP rewriting is the technique that allows the proxy to change content on the fly. You can add, delete, or rewrite request and response headers. The following request headers are configured by default in the SmartFlows:

  • X-Forwarded-For adds the server IP
  • X-Forwarded-Proto adds the scheme
  • X-Forwarded-Port adds the server port

_images/image1.19.png

Cross-Origin Resource Sharing(CORS)

In Harmony Controller, you can specify a Cross-Origin Resource Sharing (CORS) policy which includes Http headers to allow communication between pages from different origins. You may want to enable CORS policy only if you have such a use case.

_images/image1.20.png

Specifying Allowed Domains

Here you define the domains that are allowed to share resources with your servers. Specify each one as a base URL, where a wildcard (*) denotes all subdomains. Only GET and POST methods are allowed. For example, specifying https://*.example.com in the policy allows any page from any subdomain of example.com to share a resource with your server over Https. You can specify more than one base URL by pressing the + Add More option.
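
An origin check for the allowed-domain syntax above (a base URL whose host may start with the wildcard "*." for all subdomains), as an added example that is not part of the original documentation or of the A10 product code; how the product itself matches origins is not stated on this page. The policy list is constructed, and the check deliberately treats the wildcard as "subdomains of" so that look-alike hosts that merely contain the base name are rejected.

```python
from urllib.parse import urlsplit


def parse_base_url(base_url):
    """Split an allowed base URL such as "https://*.example.com" into
    (scheme, host, port, wildcard). A leading "*." marks the wildcard form."""
    parts = urlsplit(base_url)
    host = (parts.hostname or "").lower()
    wildcard = host.startswith("*.")
    if wildcard:
        host = host[2:]
    return parts.scheme.lower(), host, parts.port, wildcard


def origin_allowed(origin, allowed_base_urls):
    """Exact scheme, host and port comparison against the policy list.

    The wildcard form matches any subdomain of the base host (not the apex
    itself) and never a host that only contains the base name, such as
    "example.com.evil.test" or "evilexample.com".
    """
    o = urlsplit(origin)
    if not o.scheme or not o.hostname:
        return False                       # "null" or malformed Origin header
    host = o.hostname.lower()
    for base in allowed_base_urls:
        scheme, b_host, b_port, wildcard = parse_base_url(base)
        if o.scheme.lower() != scheme or o.port != b_port:
            continue
        if wildcard and host.endswith("." + b_host):
            return True
        if not wildcard and host == b_host:
            return True
    return False


def cors_response_headers(request_headers, allowed_base_urls):
    """Headers to add for a simple (GET/POST) cross-origin request.

    A missing or disallowed Origin gets no CORS headers at all; the browser
    then refuses to expose the response to the calling page.
    """
    origin = request_headers.get("Origin")
    if origin is None or not origin_allowed(origin, allowed_base_urls):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,     # echo the one origin, never "*"
        "Access-Control-Allow-Methods": "GET, POST",
        "Vary": "Origin",                          # stop caches serving one origin's answer to another
    }


# Constructed policy list using the page's wildcard syntax.
ALLOWED = ["https://*.example.com", "https://partner.example.net"]
```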

Returning custom response

You can specify rules or action policies that return custom content to the user (for example, an alias response code) for the response codes coming from the application server. For instance, if you want to hide a particular response code from the user, you can specify an alias code in the action policy configured in A10 Lightning ADC, so that the user sees the alias code instead of the response code you want to hide. When the Allow merging of Rules option is enabled, the Return custom content security policies set at the application level are merged with the Action policy settings; when it is disabled, the policies set under Action policies apply to SmartFlow traffic. If Action policies are disabled, the Return custom content settings apply to application traffic by default.

_images/image1.21.png

Traffic Optimization Policies

Compression

The compression policy is used to deliver content or data faster by reducing the amount of data transferred. While defining the compression policy, you only need to provide the minimum size you want to compress and the type of content to be compressed. The minimum compression size is an integer value measured in bytes, and the content to be compressed can be plain text/HTML or just plain text.

Follow the steps below to configure a compression policy in Harmony Controller:

  1. In the Harmony Controller window, click Tenant > Tenant Name > Edit Configuration > Services > Add a Smart Flow.

  2. Select Performance under Policies and then select Compression. Enter a number in the Min Compressible Size (bytes) box; this is the minimum file size for compression. Choose the text or application content to compress from the options listed under Content types:

    • text/html
    • text/plain
    • text/css
    • application/json
    • application/xml
    • application/javascript
    _images/image1.23.png

Viewing the Compression Policy Metrics

You can use Analytics > Metrics menu to see the compression policy metrics for a selected service. Browse through the charts to see the Compression policy-related metrics.

_images/compression-policy.png

Caching

Caching reuses information stored earlier to respond to a client request, which reduces the data traversing the network and decreases response times.

Note

HTML pages are cached automatically, hence, activating this function will not impact transmission of such pages.

Viewing the Caching Policy Metrics

You can use Analytics > Metrics menu to see the Caching policy metrics for a selected service. Browse through the charts to see the Caching policy-related metrics.

_images/caching-metrics.png

PageSpeed

The Page Speed policy accelerates delivery of both HTML and non-HTML pages.

Note

HTML pages are delivered faster even without Page Speed because of Caching.

The surge queue trend graph is viewed from Analytics > Metrics menu.

_images/image63.png

This chart shows the pending requests from clients (queued within the surge queue) plotted against the number of claims or request count.

Blue/Green Deployments

A popular DevOps use case for Harmony Controller is automating Blue/Green deployments to enable continuous delivery with zero downtime. Use Harmony Controller to set traffic steering policies for inbound traffic across old (blue) and new (green) deployments while both environments remain online. Monitor blue and green server behavior and health metrics to adjust traffic steering rules in real-time. Harmony Controller improves productivity by providing a unified view of the entire Blue/Green deployment process.

_images/image_Blue-GreenDeploymentDiagram_NEW.png

Harmony Controller supports Blue/Green deployments and precise traffic steering between the different releases. Blue/Green deployment is a powerful technique for directing traffic between old (blue) and new (green) deployments while both environments remain online.

Harmony Controller allows its customers to define and manage a split traffic rule for their Blue/Green deployments. That is, customers can specify the IP addresses for their blue and green versions and control what portion of the live production traffic should be directed to which deployment. You can choose a simple percentage split or create a split rule based on anything in HTTP request object, such as a geographic region.

Another advantage is that the Harmony Controller customers gain precisely targeted phased rollouts without any effort on the development side, using Blue/Green deployment. Set and change the traffic split rule from the Harmony Controller user interface, where you can also monitor health and success metrics for both deployments. Drive more traffic to the green implementation when the confidence in the green release increases. If problems arise, direct all the traffic back to the blue release.

Here is the workflow for a typical Blue/Green deployment:

_images/image52.png

Configuring Blue-Green deployment in Harmony Controller

Follow the below steps to configure Blue/Green deployment in Harmony Controller:

  1. From the Harmony Controller screen, select Tenant > Tenant Name > Edit Configuration > Blue/Green. The settings screen is displayed; select Configure a Blue/Green Deployment.

    _images/image1.24.png
  2. Choose an existing service; this is marked as the Blue service. At the same time, a clone is created and characterized as the Green service.

    _images/image1.25.png
  3. Select Next to configure the Green service. The screen to configure the Green service deployment is displayed.

    Enter the following details in the screen below:

    • Service name
      Enter the blue-green service name (maximum 30 characters).
    • Description
      Enter a description for the service.
    • Direct a set percentage traffic to Green Service
      Enter, as an integer, the percentage of traffic that you want to direct to the Blue Service and the Green Service.
    • Mirror Traffic (Only GET requests)
      All requests that hit the Green service are mirrored to the Blue service.
    • Direct traffic to Green service based on condition
      Enter a service condition; traffic matching this condition is redirected to the Green service.
    _images/image1.26.png
  4. Select Next select servers for Green. The Add Servers for Green Service screen is displayed.

    You can add the servers manually by entering the IP Address and Port number.

    _images/image1.27.png

    Alternatively, choose servers from the Blue service.

    Select Save Blue/Green deployment to save the deployment. The Blue/Green service is then listed under Tenant > Tenant Name > Edit Configuration > Services, where you can also edit it.
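The routing decision that such a split rule makes, as an added illustration rather than code from Harmony Controller or A10: a percentage split made sticky by hashing the session cookie, a condition-based override, and GET-only mirroring. The request and rule structures, the x-region header used by the condition, the precedence of the condition over the percentage, and the choice of a sticky split are assumptions of this example.

```python
import hashlib

# Constructed request/rule shapes for this example; the field names follow the
# Blue/Green screen (percentage, mirror GET, condition), the rest is assumed.
def make_rule(green_percent=0, mirror_get=False, condition=None):
    return {"green_percent": green_percent, "mirror_get": mirror_get,
            "condition": condition}

def bucket(key: str) -> int:
    """Map a sticky key (session cookie or client IP) to a stable bucket 0..99.
    A hash rather than random(), so one user keeps landing on the same version."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % 100

def choose_service(request: dict, rule: dict) -> str:
    """Return "green" or "blue" for one request under the split rule.
    A condition rule wins over the percentage split (assumption)."""
    condition = rule["condition"]
    if condition is not None:
        return "green" if condition(request) else "blue"
    key = request["headers"].get("cookie") or request["client_ip"]
    return "green" if bucket(key) < rule["green_percent"] else "blue"

def mirror_targets(request: dict, rule: dict, primary: str) -> list:
    """Services that receive the request. The first entry answers the client;
    any further entry gets a copy whose response is discarded. Only GET is
    mirrored, so requests that change state are never executed twice."""
    targets = [primary]
    if rule["mirror_get"] and request["method"] == "GET":
        targets.append("blue" if primary == "green" else "green")
    return targets

# Constructed condition: send EU users to green based on a region header
# (assumption: some upstream component sets x-region).
EU_ONLY = make_rule(condition=lambda r: r["headers"].get("x-region") == "EU")

def distribution(rule: dict, n: int = 1000) -> int:
    """How many of n synthetic sessions land on green; a sanity check for a split."""
    return sum(choose_service({"method": "GET", "client_ip": "203.0.113.9",
                               "headers": {"cookie": f"sid={i}"}}, rule) == "green"
               for i in range(n))

if __name__ == "__main__":
    req = {"method": "GET", "client_ip": "203.0.113.9",
           "headers": {"cookie": "sid=abc123", "x-region": "EU"}}
    canary = make_rule(green_percent=10, mirror_get=True)
    side = choose_service(req, canary)
    print(side, mirror_targets(req, canary, side), distribution(canary))
```

Because the bucket is derived from the session cookie, raising the green percentage from 10 to 30 keeps every session that was already on green there and moves only sessions whose bucket falls in the newly added range, which is what makes a gradual rollout observable per user rather than per request.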

Security Configuration

Cloud security breaches are an increasing threat as businesses and governments adopt the cloud service delivery model at an unprecedented pace. Although moving to cloud technologies is affordable and fast, businesses become more exposed to security breaches and are often ill-equipped to counter sophisticated threats that can bring infrastructure down and expose business-critical and sensitive data. It is therefore increasingly important for organizations to have real-time insight into application traffic and to have strong security policies and controls in place to counter these attacks.

This diagram shows the major concerns in cloud security: data privacy and data loss.

_images/image810.png

The Security Policies in A10 Harmony Controller provide advanced techniques to control server responses, prevent threats, and protect sensitive information. You configure the application security policies in A10 Harmony Controller from the Security tab in the Settings page and from the Security Policies tab in a SmartFlow.

Application Layer Data Theft Protection (WAF)

Harmony Controller Web Application Firewall (WAF) is an elastic service for application security with pre-configured rule sets and one-click provisioning. WAF helps defend against malicious activity, web attacks, and application attacks.

Inbound and Outbound Traffic Inspection by WAF

The figure below shows how WAF is deployed in the traffic path to perform inbound and outbound inspection. Some attacks (for example, malware, web shells and backdoors) are detected in the response traffic; the rest (for example, application attacks such as injection) are detected in the request traffic.

_images/WAF.png

The cloud-specific WAF configured in the Lightning Application Delivery Controller provides real-time protection against attacks on application vulnerabilities on a per-application basis.

The Harmony Controller architecture has the added advantage that when new A10 Lightning ADCs come up in your application infrastructure, they share the same WAF configuration. The elastic WAF service scales to ensure that sufficient resources are available to process the incoming traffic, so you need not reconfigure WAF for each new A10 Lightning ADC added to the deployment. The application security policies (including the WAF policy) scale as the application infrastructure expands.

Single-pass integrated execution of WAF, load balancing and the other application delivery directives minimizes latency across the data plane. In Harmony Controller, security policies can be enabled quickly in the Cloud Services Controller (CSC), and changes are propagated to all A10 Lightning ADCs in a cluster, so an attack can be mitigated quickly.

The figure below shows a typical WAF deployment scenario in the A10 Lightning ADCs. WAF inspects incoming traffic and lets legitimate traffic flow through it.

_images/image276.png

Note

When configured in Active mode, WAF blocks all malicious traffic based on the generic or application protection configuration. In Passive mode, WAF raises a warning and lets all traffic (including malicious traffic) pass through. See Configuring Web Application Firewall for more information.

One-Click Provisioning

Web Application Firewall (WAF) simplifies the provisioning of application-specific rules for modern web applications and safeguards cloud applications with higher levels of security and compliance. Provisioning and updating security rules for the broad range of applications used by enterprises is complex and an ongoing challenge for IT teams. Harmony Controller significantly reduces provisioning time with a one-click rule set that instantly deploys thousands of preconfigured rules to secure popular applications against known threats.

Harmony Controller WAF includes preconfigured rule sets that protect against the most common vulnerabilities (such as SQL injection and cross-site scripting) and against specific attack vectors in popular web applications such as Microsoft SharePoint, Outlook Web Access, WordPress and Joomla. This takes the guesswork out of determining which security controls are essential for each application, reduces false positives, and cuts the time to deploy application security to seconds.

Note

See Configuring Web Application Firewall and Configuring Application Security WAF Policy for more information on WAF configuration.

Additionally, Harmony Controller provides daily automatic rule set updates, reducing the risk from emerging attack vectors and minimizing false-positive vulnerability reports.

Inheriting WAF Security Policy

WAF security policies can be applied at the Global/Application level as well as at the SmartFlow level. Policies applied at the Application level can be inherited by a SmartFlow's Application Security settings. At the SmartFlow level the user chooses one of three application security options: Inherited, Enable, or Disable. Choose Inherited to use the same security policies as the Application level; choose Enable to customize the security policies at the SmartFlow level; choose Disable to turn the policy off for that SmartFlow.

The figure below shows the security policy option available at the Application level:

_images/image2.31.png

The figure below shows the security policy options available at the SmartFlow level:

_images/image2.30.png

WAF Operation Modes

WAF has two exclusive modes of operation:

Active mode: WAF blocks requests that match the configured protections, preventing common threats from reaching the application server.

Passive mode: WAF lets malicious traffic pass through but warns the IT administrator; that is, it raises alerts when threats are detected but does not block them. Passive mode is the place to run a new or changed policy first, so that false positives can be tuned out with exceptions before switching to Active mode.

_images/image1231.png

You can create custom alerts using Harmony Controller alert functionality.

Configuring WAF Operation Modes

Follow the steps below to configure WAF policies in Generic Protection Mode in Harmony Controller:

  1. In the Harmony Controller screen click on Tenant > Tenant Name > Edit Configuration > Services > Edit SmartFlow

    _images/image2.0.png
  2. In the edit SmartFlow screen, under Policies click Security Tab > Application Security. Then select Enable, Disable or Inherited to set the policy at the SmartFlow level.

    • Enable
      Enables the Application Security at SmartFlow level.
    • Disable
      Disables the Application Security at SmartFlow level.
    • Inherited
      Inherits the default security policies set at the Application level for the SmartFlow traffic.
    _images/image2.1.png
  3. Set the WAF policies for Generic Protection Mode.

_images/image2.2.png

WAF Protection Modes

There are two WAF protection modes.

  1. Generic Protection Mode

    The most common forms of threat, such as SQL injection and cross-site scripting, are prevented in this mode.

  2. Application Protection Mode

    Specific application types with known vulnerabilities are protected. There is also an option to disable protection in WAF.

Generic Protection Mode

Perform the steps below to configure WAF policies in Harmony Controller in the Generic Protection Mode:

  1. In the Harmony Controller screen click on Tenant > Tenant Name > Edit Configuration > Services > Edit SmartFlow
  2. In the edit SmartFlow screen, under Policies click Security Tab > Application Security. Enable the Application Security policy by clicking the Enable button, then select Active WAF mode with the Active radio button.
_images/image2.2.png

Set the Protection Mode to Generic. Then select, from the categories listed on the screen, the generic attack categories that should be identified and blocked:

  • SQL Injection
    Attackers inject SQL fragments through request input to read, modify or delete database contents.
  • Cross-Site Scripting (XSS)
    Attackers inject client-side script into pages served to other users, typically to steal session tokens or act as the victim.
  • Remote Command Execution
    Attackers use a vulnerable application to execute arbitrary commands on the host operating system.
  • Remote File Inclusion (RFI)
    The application is tricked into including and executing a file from an attacker-controlled remote location, typically a URL supplied in a request parameter.
  • Local File Inclusion (LFI)
    The application is tricked into including a file from the server's own file system (for example, through path traversal), disclosing its contents or executing it.
  • Broken Session Management
    Attacks that exploit weak session handling, such as session fixation or predictable session identifiers.

By default, Cross-Site Scripting and SQL Injection are selected. You can select multiple categories using the Ctrl key, or all categories with Ctrl + A.

Application Protection Mode

Perform the steps below to configure WAF policies in Harmony Controller in the Application Protection Mode:

  1. In the Harmony Controller screen click on Tenant > Tenant Name > Edit Configuration > Services > Edit SmartFlow
  2. In the edit SmartFlow screen, under Policies click Security Tab > Application Security. Enable the Application Security policy by clicking the Enable button, then select Active WAF mode with the Active radio button.
_images/image2.3.png

Set the Protection Mode to Application. The supported application types are listed on the screen; select the application types that WAF should protect.

IP Reputation

To prevent geographically distributed DoS attacks that span multiple networks, Harmony Controller WAF provides IP reputation-based traffic filtering, which can be applied to applications in a single geographic region or a collection of regions.

IP addresses can be filtered based on the following categories:

  • TOR Exit Nodes: IP addresses identified as Tor exit nodes.
  • Malicious Attack Sources Identified from Web Honeypots: IP addresses of malicious sources identified from web honeypots.

When a request arrives from an IP address on the reputation list, WAF blocks it and records the attack-related information in the logs. Reputation checks are only as good as the client address they evaluate: if another proxy or CDN sits in front of the A10 Lightning ADC, make sure the original client address, not the proxy's, is what is being checked.

Configuring IP Reputation

Perform the steps below to configure IP Reputation-based traffic filtering in Harmony Controller:

  1. In the Harmony Controller screen click on Tenant > Tenant Name > Edit Configuration > Services > Edit SmartFlow (the Pencil icon)
  2. In the edit SmartFlow screen, under Policies click Security Tab > Application Security. To enable IP Reputation, check the box next to it, as shown on the screen, then save the security policy.
_images/image2.4.png

Block Sensitive Data

When the Block Sensitive Data WAF policy is enabled, Harmony Controller blocks traffic containing patterns that match sensitive data, so that it cannot be captured by intruders who are attacking the application or harvesting such data. Currently, the policy is designed to block credit card and debit card numbers from being exposed to outsiders.
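The kind of check behind such a policy, as an added example and not Harmony Controller's implementation: a response filter that finds candidate card numbers, confirms them with the Luhn check digit so that order numbers and other 16-digit values are not flagged, and then either blocks the response or masks the number. The response body is constructed for the example, and the block-versus-mask choice is an assumption.

```python
import re

# A candidate primary account number: 13 to 19 digits, optionally separated by
# single spaces or dashes, not embedded in a longer run of digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; card numbers pass it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    """Substrings that look like card numbers and pass the Luhn check."""
    return [m.group() for m in CARD_CANDIDATE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]

def mask(number: str) -> str:
    """Replace every digit but the last four, keeping the original separators."""
    total = sum(c.isdigit() for c in number)
    seen, out = 0, []
    for c in number:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - 4 else "*")
        else:
            out.append(c)
    return "".join(out)

def filter_response(status: int, body: str, action: str = "block"):
    """Apply the policy to one response. action="block" withholds the whole
    response (the behaviour the page describes); action="mask" is the softer
    alternative that redacts the numbers in place (assumption)."""
    hits = find_card_numbers(body)
    if not hits:
        return status, body
    if action == "block":
        return 403, "Blocked: response contains sensitive data"
    for hit in hits:
        body = body.replace(hit, mask(hit))
    return status, body

# Constructed response body: a Luhn-valid test card number next to an order
# reference that also has 16 digits but fails the Luhn check.
SAMPLE_BODY = ('{"name": "Ada", "card": "4111 1111 1111 1111", '
               '"order": "1234 5678 9012 3456"}')

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_BODY))
    print(filter_response(200, SAMPLE_BODY, "block"))
    print(filter_response(200, SAMPLE_BODY, "mask"))
```

Without the Luhn test the order reference would be flagged as well, and a filter that blocks every 16-digit number quickly gets disabled by the application team; the check digit is what keeps the policy usable in Active mode.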

Webshell/Backdoor Detection and Prevention

Attackers employ many methods to upload web shell backdoor code onto compromised web servers, including Remote File Inclusion (RFI), vulnerabilities in the WordPress TimThumb plugin, and even non-web vectors such as stolen FTP credentials. Web shells can be written in any language the server supports; among the most common are PHP and .NET. These shells can be extremely small, needing only a single line of code, or fully featured with thousands of lines. Some are self-sufficient and contain all required functionality, while others require external actions or a command and control (C&C) client for interaction. Once installed, a shell has the same permissions and abilities as the user that placed it on the server. Harmony Controller can identify a client accessing a web shell or backdoor resource on your website or application by inspecting outbound HTTP data.

The Harmony Controller implementation was developed with access to thousands of captured web shells, and includes custom detection rules for:

  • C99 Shell
  • R57 Shell
  • WSO
  • PHP Shell
  • Stun Shell
  • JCE File Upload Shell
  • Basic File Uploader

Harmony Controller can detect and block access to these web shells and backdoors on your application.

Configuring Web Shell/Backdoor Detection

Perform the steps below to configure Web shell/Backdoor Detection in Harmony Controller:

  1. In the Harmony Controller screen click on Tenant > Tenant Name > Edit Configuration > Services > Edit SmartFlow (the Pencil icon)
  2. In the edit SmartFlow screen, under Policies click Security Tab > Application Security. To enable Web shell, check the box next to it, as shown in this screen, then save the security policy.
_images/image2.5.png

Botnet Attack Detection and Protection

Attackers build networks of infected computers, known as botnets, by spreading malicious software through email, websites and social media. Once infected, these machines can be controlled remotely without their owners' knowledge and used as an army to attack any target. Botnet attacks also attempt to execute bot code on the server in order to spread the infection.

Botnets can generate huge floods of traffic to overwhelm a target. These floods can be produced in multiple ways, such as sending more connection requests than a server can handle or having computers send the victim massive amounts of random data to use up the target’s bandwidth.

Enabling Botnet Protection at Layer 7 (Application Layer)

Perform the steps below to enable Botnet Protection in Harmony Controller:

  1. In the Harmony Controller screen click on Tenant > Tenant Name > Edit Configuration > Services > Edit SmartFlow (the Pencil icon)
  2. In the edit SmartFlow screen, under Policies click Security Tab > Application Security. To enable Botnet, check the box next to it, as shown in this screen, then save the security policy.
_images/image2.6.png

BOT Protection

A bot attack is an unwanted request or set of requests originating from a bad bot client to your network. Bad bots consume bandwidth, slow down your servers, steal your content and look for vulnerabilities to compromise your servers.

An Internet Relay Chat (IRC) bot is a set of scripts or an independent program that connects to IRC as a client and so appears to other IRC users as another user. An IRC bot differs from a regular client in that, instead of providing interactive IRC access to a human user, it performs automated functions. Harmony Controller can detect and alert on standard attacks originating from IRC bot clients.

Harmony Controller looks at the URL, parameters, user agent and, in some cases, the request body to detect a botnet attack. In particular, Harmony Controller checks the following categories to detect a dangerous bot attack:

  • Common IRC botnet attack command strings
  • Common types of Remote File Inclusion (RFI) attack methods
  • URL contains an IP address
  • The PHP include() function
  • RFI data ends with question mark(s) (?)
  • PHP injection attack
  • RPC PHP injection attack
  • SQL injection attack
  • Local File Inclusion ENV attack in User-Agent
  • e107 PHP injection attack
  • XML-RPC PHP injection attack
  • osCommerce file upload attack
  • osCommerce file disclosure and admin bypass
  • Zen Cart local file disclosure vulnerability
  • OpenCart remote file upload vulnerability
  • e107 plugin my_gallery exploit
  • Local File Inclusion attack (see https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion)

Configuring protection against bad BOTs

Harmony Controller subscribes to an IP reputation list as well as a user-agent reputation list to identify known bad bots, and eliminates their traffic, which improves the performance of your application servers.
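Reputation-based filtering as described under IP Reputation and here, as an added example rather than the product's implementation: the constructed feeds below stand in for the subscribed Tor exit node, honeypot and user-agent reputation lists, and each blocked request is recorded the way the page says attack information is written to the logs. The feed contents, the user-agent patterns and the log record format are assumptions.

```python
import ipaddress
import re

# Constructed feeds standing in for the subscribed reputation lists.
TOR_EXIT_NODES = {"198.51.100.7", "198.51.100.8"}
HONEYPOT_SOURCES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "2001:db8:bad::/48")]
BAD_USER_AGENTS = [re.compile(p, re.I) for p in (r"\bsqlmap\b", r"\bnikto\b", r"^masscan")]

def ip_reputation(addr: str):
    """Category the address falls into, or None if it is on no list.
    CIDR feeds are matched with ipaddress so IPv6 entries work too."""
    ip = ipaddress.ip_address(addr)
    if addr in TOR_EXIT_NODES:
        return "tor_exit_node"
    if any(ip in net for net in HONEYPOT_SOURCES):
        return "honeypot_source"
    return None

def ua_reputation(user_agent: str):
    for rx in BAD_USER_AGENTS:
        if rx.search(user_agent):
            return "bad_bot_user_agent"
    return None

def filter_request(remote_addr: str, path: str, user_agent: str, attack_log: list) -> str:
    """Block requests from listed addresses or user agents, appending a record
    for each block. remote_addr must be the real client address; behind a CDN
    that is the address recovered from X-Forwarded-For, not the CDN's."""
    reason = ip_reputation(remote_addr) or ua_reputation(user_agent)
    if reason is None:
        return "allow"
    attack_log.append({"client": remote_addr, "reason": reason,
                       "user_agent": user_agent, "path": path})
    return "block"

# Constructed requests: a Tor exit, a honeypot-listed source, a scanner, a normal client.
SAMPLES = [
    ("198.51.100.7", "/", "Mozilla/5.0"),
    ("203.0.113.42", "/wp-login.php", "Mozilla/5.0"),
    ("192.0.2.10", "/item?id=1", "sqlmap/1.5 (http://sqlmap.org)"),
    ("192.0.2.11", "/", "Mozilla/5.0"),
]

if __name__ == "__main__":
    log = []
    for addr, path, ua in SAMPLES:
        print(addr, filter_request(addr, path, ua, log))
    for entry in log:
        print(entry)
```

The log entries are what an analytics view such as the Top Threats chart aggregates; keeping the reason code separate from the user agent makes it possible to report Tor, honeypot and bad-bot hits as distinct categories.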

Analytics on BOT Protection

You can use the dashboard (Analytics > Dashboard) to get more insights on BOT Protection.

For example, you can view the percentage of BOTs in the total number of threats detected in the Top Threats pie diagram in the Dashboard.

_images/image80.png

Note

See Application Security Analytics and Insights section for more information.

Malware Protection

Web-based malware is a growing threat to Internet security. Attacks of this type are very prevalent in cloud environments and have serious consequences. Millions of malicious URLs serve as distribution channels that propagate malware across the Web. Once infected, victim systems fall under the control of attackers, who can use them for various cyber crimes such as credential theft, spamming and distributed denial-of-service attacks. Moreover, traditional security technologies such as firewalls and intrusion detection systems have only limited ability to mitigate this problem.

Harmony Controller provides Web-based Malware detection by inspecting HTTP response. The Malware Detection checks the response data for malicious code aimed at attacking clients.

Payloads are matched against:

  • Location response headers that redirect users to malware sites.
  • Response body payloads that may contain off-site links (scripts and iframes) or full malicious payloads.

Harmony Controller identifies Web-based Malware in many categories including:

  • Drive-by-Download URLs
  • Malicious Redirect URLs
  • Malicious JS Payloads
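Outbound inspection covering both the web shell detection described earlier and the malware categories above, as an added example that is not the product's rule set: it checks a Location header against a list of known-bad hosts, looks for script and iframe sources that point off-site, scans for JavaScript obfuscation idioms, and looks for the banners that well-known PHP shells such as c99 and r57 print in the pages they serve. The host lists, the shell markers, the obfuscation patterns and the sample responses are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed lists standing in for vendor-maintained reputation and signature data.
MALWARE_HOSTS = {"malware.example", "drive-by.example"}
OWN_HOSTS = {"www.example.com", "static.example.com"}

# Illustrative markers: the c99 and r57 PHP shells print their own name in the
# page they serve; many minimal shells expose a form field named cmd.
WEBSHELL_MARKERS = (
    ("C99 Shell", re.compile(r"c99shell", re.I)),
    ("R57 Shell", re.compile(r"r57shell", re.I)),
    ("PHP Shell (command form)", re.compile(r"<input\b[^>]*\bname=[\"']?cmd\b", re.I)),
)
OFFSITE_SRC = re.compile(r"<(?:script|iframe)\b[^>]*\bsrc=[\"']?(https?://[^\"'\s>]+)", re.I)
# Obfuscation idioms common in injected JavaScript droppers (illustrative).
OBFUSCATED_JS = re.compile(r"eval\s*\(\s*unescape\s*\(|String\.fromCharCode\s*\(", re.I)

def inspect_response(status: int, headers: dict, body: str) -> tuple:
    """Return (action, findings) for one HTTP response. findings are
    (category, detail) pairs; any category other than the informational
    "Off-site resource" blocks the response."""
    findings = []
    location = headers.get("location")
    if location and urlsplit(location).hostname in MALWARE_HOSTS:
        findings.append(("Malicious Redirect URL", location))
    for url in OFFSITE_SRC.findall(body):
        host = urlsplit(url).hostname
        if host in MALWARE_HOSTS:
            findings.append(("Drive-by-Download URL", url))
        elif host not in OWN_HOSTS:
            findings.append(("Off-site resource", url))   # alert only
    obfuscated = OBFUSCATED_JS.search(body)
    if obfuscated:
        findings.append(("Malicious JS Payload", obfuscated.group()))
    for name, marker in WEBSHELL_MARKERS:
        if marker.search(body):
            findings.append(("Web shell: " + name, marker.pattern))
    blocking = [f for f in findings if f[0] != "Off-site resource"]
    action = "block" if blocking else ("alert" if findings else "allow")
    return action, findings

# Constructed sample responses.
CLEAN = (200, {"content-type": "text/html"},
         '<html><script src="https://static.example.com/app.js"></script><p>Welcome</p></html>')
REDIRECT = (302, {"location": "http://malware.example/update.exe"}, "")
INJECTED = (200, {"content-type": "text/html"},
            '<html><p>News</p><iframe src="http://drive-by.example/x.php" width=0 height=0></iframe>'
            '<script>eval(unescape("%64%6f%63%75%6d%65%6e%74"));</script></html>')
SHELL = (200, {"content-type": "text/html"},
         '<html><title>c99shell v.1.0 beta</title><form method="post">'
         '<input type="text" name="cmd"></form></html>')
THIRD_PARTY = (200, {"content-type": "text/html"},
               '<script src="https://cdn.partner.example/widget.js"></script>')

if __name__ == "__main__":
    for name, resp in (("clean", CLEAN), ("redirect", REDIRECT), ("injected", INJECTED),
                       ("shell", SHELL), ("third-party", THIRD_PARTY)):
        print(name, inspect_response(*resp))
```

The off-site resource case is deliberately an alert rather than a block: legitimate pages load third-party scripts all the time, so that signal is only useful as a change to investigate, whereas a redirect to a listed host or a shell banner is safe to block outright.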

Configuring Web-based Malware Detection

Perform the steps below to enable Web-based Malware Detection in Harmony Controller:

  1. In the Harmony Controller screen click on Tenant > Tenant Name > Edit Configuration > Services > Edit SmartFlow (the Pencil icon)
  2. In the edit SmartFlow screen, under Policies click Security Tab > Application Security. To enable Web-based Malware Detection, check the box next to it, as shown in this screen, then save the security policy.
_images/image2.7.png

Cross-Site Request Forgery(CSRF)

Cross-Site Request Forgery (CSRF) is one of the most common web application attacks. CSRF occurs when a malicious website, email, blog or other program causes a user's browser to perform an unwanted action on a trusted site to which the user is currently authenticated. Because the browser automatically attaches the credentials associated with that site, such as session cookies, the forged request is accepted as if the user had made it deliberately. The attack typically succeeds when the authenticated user clicks a malicious link, button or other HTML element.

To counter such attacks, Harmony Controller implements a CSRF defense by including a hash element in the forms it serves to the user. An attacker who wants to submit the form must know the unique key used to create the hash. For further protection, the key is unique to each user session, so its value cannot be predicted and forged requests are rejected. The CSRF feature can be enabled at the Application level, or at the SmartFlow level either by inheriting the Application-level security policies or by enabling Application Security for that SmartFlow only.

When enabling CSRF, the form action URLs to protect are an input parameter. A10 Lightning ADC inspects responses and adds the hash to every form whose action URL matches a configured URL. It then inspects requests, and if a request URL matches a configured form action URL, it verifies the hash value in the request; if the value is missing or incorrect, the request is blocked. Forms whose action is not in the configured list receive no hash and no check, so list every state-changing form action the application exposes.

Configuring Cross Site Request Forgery (CSRF)

Perform the steps below to enable CSRF in Harmony Controller at the Application level:

  1. In the Harmony Controller screen click on Tenant > Tenant Name > Edit Configuration > Application > Security > Application Security
  2. In the Application Security screen, check the box next to CSRF, as shown in this screen, then save the security policy.
_images/image2.28.png

Function Level Access Control

Function-level access control attacks result from inadequate protection of sensitive request handlers within an application. An application may merely hide access to sensitive actions, fail to enforce sufficient authorization for certain activities, or inadvertently expose an action through a user-controlled request parameter. These attacks can be considerably more complex and result from subtle edge cases in the underlying application logic.

A10's Function Level Access Control feature mitigates such attacks by adding a signature to all the links found in href attributes, form actions, iframe and frame sources, and Location response headers. If a signature mismatch is identified, the request is not allowed to proceed. Because only URLs that the A10 Lightning ADC has actually presented to the client carry a valid signature, this also blocks forced browsing to hidden or guessed URLs.

As with CSRF, the URLs to protect are an input parameter when enabling Function Level Access Control. A10 Lightning ADC inspects responses and signs the matching links and form actions; it inspects requests, and if a request URL matches a configured URL it verifies the signature, blocking the request if the value is missing or incorrect.
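Both CSRF protection and Function Level Access Control rest on the same mechanism: the proxy adds a keyed hash to what it serves and verifies it on the way back. The following added example (not A10's implementation) shows one way to do that with HMAC: a per-session key derived from a server secret, a hidden token inserted into forms whose action matches a protected URL, a signature appended to protected links, and a request check that uses a constant-time comparison. The server secret, the field and parameter names (_csrf, _sig), the HTML sample and the protected URL list are assumptions.

```python
import hmac
import hashlib
import re

# Assumption: a secret provisioned to the proxy cluster; never sent to clients.
SERVER_SECRET = b"constructed-example-secret"

def session_key(session_id: str) -> bytes:
    """Per-session key derived from the server secret, so a token issued in one
    session is worthless in another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).digest()

def token(session_id: str, url: str) -> str:
    """Keyed hash binding a session to one protected URL."""
    return hmac.new(session_key(session_id), url.encode(), hashlib.sha256).hexdigest()

FORM_RX = re.compile(r"(<form\b[^>]*\baction=[\"']([^\"']+)[\"'][^>]*>)", re.I)
HREF_RX = re.compile(r"(href=[\"'])([^\"'?#]+)(\?[^\"'#]*)?(#[^\"']*)?([\"'])", re.I)

def protect_response(html: str, session_id: str, protected: set) -> str:
    """Response side: add a hidden _csrf field to forms whose action is protected
    (CSRF) and a _sig parameter to links whose path is protected (FLAC)."""
    def add_token(m):
        tag, action = m.group(1), m.group(2)
        if action not in protected:
            return tag
        return tag + f'<input type="hidden" name="_csrf" value="{token(session_id, action)}">'

    def sign_href(m):
        prefix, path, query, fragment, quote = m.groups()
        if path not in protected:
            return m.group(0)
        query, fragment = query or "", fragment or ""
        sep = "&" if query else "?"
        return f"{prefix}{path}{query}{sep}_sig={token(session_id, path)}{fragment}{quote}"

    return HREF_RX.sub(sign_href, FORM_RX.sub(add_token, html))

def verify_request(path: str, query: dict, form: dict, session_id: str, protected: set) -> bool:
    """Request side: a protected path must carry a token that matches this
    session. A missing or wrong value means the request is blocked."""
    if path not in protected:
        return True
    supplied = form.get("_csrf") or query.get("_sig")
    if not supplied:
        return False
    return hmac.compare_digest(supplied, token(session_id, path))

# Constructed page with one protected form, one protected link and one plain link.
PROTECTED = {"/transfer", "/account/delete"}
PAGE = ('<a href="/account/delete">Delete account</a> <a href="/help">Help</a>'
        '<form method="post" action="/transfer"><input name="amount"></form>')

if __name__ == "__main__":
    served = protect_response(PAGE, "session-1", PROTECTED)
    print(served)
    print(verify_request("/transfer", {}, {"_csrf": token("session-1", "/transfer")},
                         "session-1", PROTECTED))
    print(verify_request("/transfer", {}, {"amount": "10"}, "session-1", PROTECTED))
```

A forged cross-site POST to /transfer fails because the attacker's page never received the token, and a token copied from one session fails in another because the key differs per session. Note that the check in verify_request is keyed on the session the request arrives in, so the proxy must be able to identify the session (typically from the cookie) before it can verify.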

Configuring Function Level Access Control

Perform the steps below to enable Function Level Access Control in Harmony Controller at the Application level:

  1. In the Harmony Controller screen click on Tenant > Tenant Name > Edit Configuration > Application > Security > Application Security
  2. In the Application Security screen, check the box next to Function Level Access Control, as shown in this screen, then save the security policy.
_images/image2.29.png

Dealing with False Alarms

The Harmony Controller Application Security Exceptions feature lets a user create exceptions to application security rules in order to handle false positives: requests that application security detects as an attack but that are legitimate. Such requests are blocked because they match the conditions defined in a rule. When a user wants such requests to be allowed even though they look like an attack, an exception is created that overrides selected conditions of the rule. Application Security and Application Security Exceptions are two separate policies; however, the exception policy takes precedence over the security policy set in Harmony Controller. Keep each exception as narrow as possible (a specific URL and parameter) rather than disabling a whole category, so that the rest of the rule keeps protecting the application.

Creating Exception Rules

Follow the steps below to create an Application Security Exceptions:

  1. Click on Tenant > Tenant Name > Edit Configuration > Security > Application Security Exception

    _images/image2.8.png
  2. Click Add Rule > Select Rule Type > select a URL condition from the list > select a Parameter from the list > select an Apply Rule On condition.

    _images/image2.9.png

These exceptions can also be created from Analytics > Logs, or from the Analytics > App Dashboard > Blocked Request > Logs screen, directly from the record of a blocked request.

SSL Termination

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), give your visitors and your business an additional layer of security in deployment scenarios.

Elastic SSL refers to auto-scaling of SSL operations (handshake plus bulk encryption/decryption) based on SSL traffic. Harmony Controller provides elastic SSL that ensures auto-scaling of SSL resources with the increase in the user traffic to the site.

Harmony Controller offloads resource-intensive SSL encryption and decryption tasks to auto-scaling Cloud Services Proxy servers that are adjacent but separate from your dedicated application servers. This efficient architecture enables consistently high throughput at any traffic level providing processing efficiency and cost savings.

In a typical Harmony Controller deployment, the Lightning Application Delivery Controller is delivered as an elastic, highly available, resilient cluster that auto-scales to support variable workloads.

Use Harmony Controller’s elastic infrastructure to extend SSL capacity without changing your application code or web servers. Gain visibility into SSL traffic, behavior and potential attacks with Harmony Controller’s comprehensive application delivery analytics dashboards.

SSL between Client and Proxy

SSL Settings for an Application Domain

Harmony Controller accepts client requests for the domain names configured as application domains. When you onboard an application in Harmony Controller, an application domain is created by default (based on your application endpoint).

Follow the steps below to configure the SSL settings for an Application Domain(s):

  1. Click Tenant > Tenant Name > Edit Configuration on the Harmony Controller screen, from the drop-down list click Application.

  2. Click SSL Settings from the application settings screen.

    _images/image2.10.png
  3. For each Application Domain (FQDN) provide the SSL Settings inputs if SSL is enabled on the Harmony Controller.

    _images/image2.11.png

When you enable SSL in Harmony Controller, the following options are displayed:

Server Certificate Chain

For an SSL certificate to be trusted, it must be issued by a Certificate Authority (CA) that is included in the trust store of the connecting device. If the certificate is not issued by a trusted CA, the connecting device (for example, a web browser) displays an error; if it is, the device establishes a secure connection. The list of certificates from the root certificate down to the end-entity (server) certificate is the SSL server certificate chain.

When entering the server certificate chain in the SSL settings for your application domain, include your CA's intermediate certificates after your server certificate, so that you provide the complete chain. A chain with a missing intermediate still works in browsers that happen to have cached that intermediate and fails in those that have not, which makes the resulting errors hard to reproduce.

Server key

The private key corresponding to the server certificate. Because A10 Lightning ADC terminates SSL for the application domain, it needs this key to complete the TLS handshake; the key is never sent to clients and must be kept confidential.

Choosing an SSL Versions

Harmony Controller lets you choose which TLS (Transport Layer Security) and SSL (Secure Sockets Layer) protocol versions A10 Lightning ADC accepts for secure transmission of data with clients of the application domain. SSL 3.0, TLS 1.0 and TLS 1.1 are deprecated; enable TLS 1.2 or later unless you have legacy clients that require an older version.

You can select one or more TLS/SSL versions from this list.

TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide data encryption and authentication between applications and servers in scenarios where the data is sent across an insecure network.

Note

The terms SSL and TLS are often used interchangeably or together (TLS/SSL), but SSL is in fact the predecessor of TLS: SSL 3.0 served as the basis for TLS 1.0.

Choosing a Cipher

A cipher is the algorithm used to encrypt and decrypt data. When a client initiates an SSL connection with a server, the client and server must agree on a cipher, since both sides of a two-way encryption must use the same one. Which cipher is chosen depends on the server's cipher list and its order: the server goes through its list in order and selects the first cipher that the client also offered.

You can choose the supported cipher algorithms from the list for secure SSL connections between clients and A10 Lightning ADC. Prefer ECDHE key exchange with AEAD ciphers (AES-GCM or ChaCha20-Poly1305), which gives forward secrecy, and leave out RC4, 3DES, export-grade and NULL ciphers.

Configuring SSL while adding Listening Ports

A10 Lightning ADC listens for application traffic on the listening ports configured here. Before adding an HTTP/2 or SSL port as a listener, make sure SSL is enabled for the application domain.

To add a listener port, go to the Application Settings screen and click Add Port/Listener. Enter the listening port number, choose SSL or Http2, and click Save.

_images/image2.12.png

SSL between Proxy and Server

Secure Sockets Layer (SSL) can be enabled to establish a secure, encrypted connection between A10 Lightning ADC and the application servers, protecting the sensitive data exchanged during each session.

If certificate validation is enabled, the certificate presented by the application server must be issued by a CA that A10 Lightning ADC trusts.

Follow the steps below to add a Service in Harmony Controller:

  1. Click Tenant > Tenant Name > Edit Configuration on the Harmony Controller screen, from the drop-down list click Services.

  2. Click ADD NEW SERVICE from the Services settings screen.

    _images/image2.10.png
  3. The Add New Service window displays the following SSL settings.

    _images/image2.14.png

Click on the relevant help buttons to get more information on these options; these options are displayed in the Add Service window if SSL is enabled.

Validate Certificate

Mark the check box to enable SSL certificate validation: A10 Lightning ADC then verifies that the certificate presented by the application server chains to a trusted CA. Without validation the connection is still encrypted, but the ADC cannot tell whether it is talking to the intended server rather than to a host an attacker has placed in the path.

Such a certificate is trustworthy because the issuing CA validated the applicant before issuing it, in a standard two-point process:

  1. Verify that the applicant owns, or has the legal right to use, the domain name featured in the application.
  2. Verify that the applicant is a legitimate and legally accountable entity.

Send Server Name

Mark the check box to enable the Send Server Name option. This flag enables or disables passing a server name through the TLS Server Name Indication (SNI) extension when establishing a connection with the HTTPS application server. SNI is what lets a server that hosts several certificates on one address select the right one, and it is the name a hostname check during validation compares against.

Server Name

If Send Server Name is enabled, this field overrides the server name passed through SNI when establishing a connection with the HTTPS application server. You can enter the domain name on the server's certificate, or one of the following variables. Note that if $upstream_host resolves to an IP address, an IP literal would be sent in SNI, which the TLS specification does not allow and which no certificate will match; in that case enter the certificate's domain name instead.

  • $host
    The application domain for this service
  • $upstream_host
    The application server domain name (if domain name is not configured, then the IP address configured as application server is used).
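Putting the client-facing settings (protocol versions, ciphers, server preference) and the upstream settings (certificate validation, SNI) side by side, as an added example in Python's ssl module rather than the ADC's own configuration: the cipher string and the TLS 1.2 floor follow the policy recommended above, the validate=False path mirrors an unchecked Validate Certificate box, and sni_name resolves the Server Name field the way the page describes, refusing to send an IP literal. The fallback to $upstream_host when the field is empty is an assumption.

```python
import ipaddress
import ssl

# Assumed policy: TLS 1.2 floor, ECDHE with AEAD ciphers only, server order wins.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"

def client_facing_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """Listener side (client <-> proxy): protocol versions, cipher list and the
    server certificate chain plus private key. The file paths are optional so
    the example runs without certificate files."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    if certfile:
        # Chain file order: server certificate first, then the intermediates.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx

def upstream_context(validate: bool = True, cafile=None) -> ssl.SSLContext:
    """Proxy <-> application server side. validate=False mirrors an unchecked
    Validate Certificate box: still encrypted, but the peer is not authenticated."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not validate:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def sni_name(send_server_name: bool, server_name: str, host: str, upstream_host: str):
    """Resolve the Server Name field: "$host", "$upstream_host" or a literal
    name; an empty field falls back to $upstream_host (assumption). Returns
    None when nothing should be sent: SNI disabled, or the value is an IP
    literal, which the SNI extension does not permit."""
    if not send_server_name:
        return None
    value = {"$host": host, "$upstream_host": upstream_host}.get(server_name, server_name)
    value = value or upstream_host
    try:
        ipaddress.ip_address(value)
        return None
    except ValueError:
        return value

def cipher_names(ctx: ssl.SSLContext) -> list:
    """Names of the cipher suites the context will actually negotiate."""
    return [c["name"] for c in ctx.get_ciphers()]

if __name__ == "__main__":
    ctx = client_facing_context()
    print(ctx.minimum_version, cipher_names(ctx))
    print(sni_name(True, "$upstream_host", "www.example.com", "10.0.0.5"))  # IP literal: nothing sent
    # An upstream connection is then opened with
    # upstream_context().wrap_socket(sock, server_hostname=sni_name(...))
```

With validation on and check_hostname left at its default, wrap_socket refuses a None server_hostname, which is the right failure: an application server configured by IP address needs either a name in the Server Name field or validation that does not check the hostname.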

Exposure Reduction

Header Rewrite

HTTP header rewrite rewrites the HTTP request or response headers of the content exchanged between a client and a server. It is often used to keep compatibility between old and new URLs, to turn user-friendly URLs into the form a CMS expects, and so on. It is also used to mask information that application servers leak in HTTP headers, such as server software and version; attackers use this information to identify potential vulnerabilities and launch an attack.

Configuring Header Rewrite Policy

Follow the steps below to configure a rewrite policy for an HTTP header rule in Harmony Controller, editing the default SmartFlow:

  1. Click on Tenant > Tenant Name > Edit Configuration > Services > default-smart flow > Edit Smart Flow

    _images/image2.10.png
  2. Click on Security > Header Rewrites

    _images/image2.16.png
  3. Enable the policy using the Enable button. By default, the screen displays three X-Forwarded header rules.

    _images/image2.17.png

For each X-Forwarded header rule, enter the header name and the variables that make up the Header Value. For example, for the X-Forwarded-For rule the two relevant variables are:

  • $http_x_forwarded_for
    The value of the X-Forwarded-For header already present in the incoming request, that is, the addresses of the proxies the request has passed through so far.
  • $remote_addr
    The IP address of the client, meaning the peer that opened the connection to A10 Lightning ADC.

Appending $remote_addr to $http_x_forwarded_for preserves the chain while adding the one address the ADC can vouch for; the incoming value itself is client-controlled and should not be trusted on its own. Select the header rewrite Action, enable the rules, save the policy, and then save the SmartFlow.

The Action tab displays the following actions:

_images/image74.png

Returning Custom Content

Action Policies (Alias Response code or Redirect URL)

Action policies allow you to configure rules which specify custom content to return to the user (for example, an alias response code) for the response codes coming from the application server(s). Action policies enhance the user experience: for example, if you want to hide a particular response code from the user, you can specify an alias code in the action policy configured in the A10 Lightning ADC so that the user sees the alias code instead of the response code that you want to hide.

Configuring Action Policy Rules

Follow the steps below to configure the Action policy in Harmony Controller:

  1. Click on Tenant > Tenant Name > Edit Configuration > Services > default-smart flow > Edit Smart Flow

  2. Under Policies > Traffic > Action > Enable to view the Action policy configuration screen.

In the action policy rules, you can do the following:

  • Set up alias response codes or alias response URLs that A10 Lightning ADC should provide the user for response codes coming from the Application server.
  • Redirect the user to a redirect URL.
  • Add more than one action policy rule.
  • Configure Action policy rules from the Security tab (Path: Configuration > Security) by enabling Allow merging of rules.

Mask Policy

Masking allows you to control how servers respond to a user, thereby, increasing application security.

Configuring Mask Policy

Follow the steps below to configure the Mask policy in Harmony Controller:

  1. Click on Tenant > Tenant Name > Edit Configuration > Services > ADD SMARTFLOW > Edit SmartFlow

  2. Under Policies > Security > Mask > Enable to view the Mask policy configuration screen.

The Mask policy configuration has three options:

  • Remove Server Header from Response
    Turn on this option to prevent users from learning what type of web server is used in your deployment.
  • Remove ETag Header from Response
    Turn on this option to prevent unauthorized users from inferring that your website is hosted on multiple servers.
  • Return HTTP 404 if the server returns HTTP 5xx
    Enable this option so that users receive a friendlier error page instead of the server's own 5xx error message.
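To make the Header Rewrite variables above and the three Mask policy options concrete, here is an added Python model of both behaviours (not the ADC's own code). The $-variable templating, the X-Forwarded-Proto rule and the sample headers are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


def header_get(headers: Dict[str, str], name: str, default: str = "") -> str:
    """HTTP header names are case-insensitive, so look them up that way."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return default


def header_delete(headers: Dict[str, str], name: str) -> Dict[str, str]:
    return {k: v for k, v in headers.items() if k.lower() != name.lower()}


def request_variables(request_headers: Dict[str, str], client_ip: str, host: str) -> Dict[str, str]:
    """The per-request $-variables a Header Value template may reference
    (names as the page lists them; values constructed from the request)."""
    return {
        "$host": host,
        "$remote_addr": client_ip,
        "$http_x_forwarded_for": header_get(request_headers, "X-Forwarded-For", ""),
    }


def expand(template: str, variables: Dict[str, str]) -> str:
    """Substitute $-variables, longest name first so a short name that is a
    prefix of a longer one ($host vs a hypothetical $hostname) cannot clobber it."""
    for name in sorted(variables, key=len, reverse=True):
        template = template.replace(name, variables[name])
    return template


# Constructed rewrite rules for the three X-Forwarded screens:
# (header name, Header Value template entered on that screen).
XFF_REWRITES: List[Tuple[str, str]] = [
    ("X-Forwarded-For", "$http_x_forwarded_for, $remote_addr"),
    ("X-Forwarded-Host", "$host"),
    ("X-Forwarded-Proto", "https"),   # assumption: the ADC terminated TLS
]


def rewrite_request_headers(request_headers: Dict[str, str], client_ip: str, host: str,
                            rules: List[Tuple[str, str]] = XFF_REWRITES) -> Dict[str, str]:
    """Apply the request-header rewrites before the request goes upstream."""
    out = dict(request_headers)
    variables = request_variables(request_headers, client_ip, host)
    for name, template in rules:
        value = expand(template, variables)
        # With no incoming X-Forwarded-For the template yields ", 203.0.113.9";
        # normalise the comma-separated list so the chain starts with a real hop.
        value = ", ".join(part.strip() for part in value.split(",") if part.strip())
        out = header_delete(out, name)   # replace any client-supplied copy, whatever its case
        out[name] = value
    return out


@dataclass(frozen=True)
class MaskPolicy:
    remove_server_header: bool = True   # Remove Server Header from Response
    remove_etag_header: bool = True     # Remove ETag Header from Response
    map_5xx_to_404: bool = True         # Return HTTP 404 if the server returns HTTP 5xx


def mask_response(status: int, response_headers: Dict[str, str],
                  policy: MaskPolicy = MaskPolicy()) -> Tuple[int, Dict[str, str]]:
    """Apply the Mask policy to a response on its way back to the client."""
    headers = dict(response_headers)
    if policy.remove_server_header:
        headers = header_delete(headers, "Server")
    if policy.remove_etag_header:
        headers = header_delete(headers, "ETag")
    if policy.map_5xx_to_404 and 500 <= status <= 599:
        status = 404
    return status, headers


if __name__ == "__main__":
    # Constructed request that already passed one proxy, arriving from 203.0.113.9.
    req = {"Host": "app.example.com", "x-forwarded-for": "198.51.100.4"}
    print(rewrite_request_headers(req, "203.0.113.9", "app.example.com"))
    # Constructed upstream error response that leaks the server banner.
    print(mask_response(502, {"Server": "Apache/2.4.29 (Ubuntu)", "ETag": '"1a2b"', "Content-Type": "text/html"}))
```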

Sensitive Data Exposure

Access Control

IP Access Policy

Access Policies (Whitelists and Blacklists)

Access Policies let you define allow or deny rules for traffic from IP addresses: specify the IP addresses from which traffic should be allowed or denied. This provides the mechanism to build whitelists (allow rules) and blacklists (deny rules), admitting requests based on the IP address or denying unwanted traffic.


Whitelist helps in preventing DDoS by allowing traffic only from trusted sources. Blacklist helps in preventing DDoS attacks by restricting traffic from known attackers.

Order of rules

Rules are applied in order. A rule can specify a network address instead of a single IP address, and the keyword ‘all’ matches every source address, so its position among the rules decides the default for addresses no other rule names. Allow and deny rules can combine individual IP addresses, network addresses, and ‘all’.
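The combination of individual IP, network address and ‘all’ rules, and why their order matters, as an added Python example (not the ADC's own rule engine). It assumes first-match evaluation from top to bottom and a 403 for clients no rule allows; the addresses other than the page's 54.186.134.82 are documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AccessRule:
    """One row of an Access Policy: allow or deny a source, which may be a
    single IP address, a network in CIDR notation, or the keyword 'all'."""
    action: str          # "allow" or "deny"
    source: str          # "all", "203.0.113.7" or "203.0.113.0/24"
    enabled: bool = True


def rule_matches(rule: AccessRule, client_ip: str) -> bool:
    source = rule.source.strip().lower()
    if source == "all":
        return True
    # strict=False lets "198.51.100.7/24" mean the whole /24; a bare address becomes a /32.
    # An IPv6 client never matches an IPv4 network (and vice versa); ipaddress returns False.
    network = ipaddress.ip_network(source, strict=False)
    return ipaddress.ip_address(client_ip) in network


def evaluate(rules: List[AccessRule], client_ip: str) -> int:
    """Return the status the client would see: 200 (served) or 403 Forbidden.

    Assumption for this example: rules are evaluated top to bottom and the first
    enabled rule that matches wins, so a trailing 'all' rule sets the default.
    A client matched by no rule at all is denied.
    """
    for rule in rules:
        if not rule.enabled or not rule_matches(rule, client_ip):
            continue
        return 200 if rule.action == "allow" else 403
    return 403


# Constructed policy: exempt one host, deny the rest of its network, allow everyone else.
EXAMPLE_RULES = [
    AccessRule("allow", "198.51.100.10"),
    AccessRule("deny", "198.51.100.0/24"),
    AccessRule("deny", "54.186.134.82"),        # the address the page's deny example uses
    AccessRule("deny", "all", enabled=False),   # a disabled rule is skipped entirely
    AccessRule("allow", "all"),                 # the page's default allow rule
]

# The same rows with the first two swapped: the exemption is now shadowed by the network deny.
SWAPPED_RULES = [EXAMPLE_RULES[1], EXAMPLE_RULES[0]] + EXAMPLE_RULES[2:]


if __name__ == "__main__":
    for ip in ("198.51.100.10", "198.51.100.77", "54.186.134.82", "203.0.113.5"):
        print(f"{ip:15s} ordered={evaluate(EXAMPLE_RULES, ip)} swapped={evaluate(SWAPPED_RULES, ip)}")
```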

Configuring Allow Rule

Perform the steps below to configure an Allow rule in Harmony Controller.

  1. Click on Tenant > Tenant Name > Edit Configuration > Services > default-smartflow > Edit SmartFlow

  2. Under Policies > Security > Access > Enable to view the Allow Rule configuration screen.

  3. Add an Allow rule by entering the IP address and enabling the rule, or enter the value all in the allow rule. Note that all is the default value.

You can add multiple allow rules using the Add Rule button.

  • Save the Rule and policy.
  • Save the SmartFlow.
  • Send request to the Lightning Application Delivery Controller from the IP which is allowed.

Expected Results

When a request is made from the client IP address specified in the Allow rule of the Access Policy, a 200 OK response code is returned along with the content in the reply. When the option all is specified in the Access Policy, requests from any client IP address receive the normal response.

Configuring Deny Rule

Perform the steps below to configure a deny rule in Harmony Controller:

  1. Click on Tenant > Tenant Name > Edit Configuration > Services > default-smartflow > Edit SmartFlow
  2. Under Policies > Security > Access > Deny > Enable to disable the Allow Rule configuration.

Add a Deny Rule

Enter the IP address (for example, 54.186.134.82). Enable the rule, save the rule and policy, and save the SmartFlow. Then send a request to the Application Delivery Controller from the IP address that is denied.

Add multiple deny rules as required, using the Add Rule button.

  • Save the rules and policy.
  • Save the Smart Flow.
  • Send request to the Application Delivery Controller from the IP addresses specified in the Deny rules.

Expected Results

When requests are made from the IP addresses specified by Deny rules, a 403 Forbidden response is displayed.

Disable Rule Feature

Perform the step below to disable a rule in Harmony Controller:

Select Tenant > Tenant Name > Edit Configuration > Services > default-smartflow > Edit SmartFlow to edit the default Smart Flow. Choose Security > Access and then disable the Access policy using the Disable option.

Geographic Access Control

Controlling access based on any information in the HTTP request.

Protection against DDoS Attacks

A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. A DDoS attack can cripple your network and take your servers offline, by flooding the network with malicious traffic leaving no room for legitimate traffic.

Harmony Controller monitors traffic patterns to identify and protect your business from application-layer Distributed Denial of Service (DDoS) attacks. Clean user traffic is allowed through while the system identifies and drops malicious traffic before it can impact app server resources and availability. Harmony Controller detects and mitigates application layer threats such as SlowLoris, Slow Post, HashDoS, and GET Floods.


Application availability is maximized using Harmony Controller DDoS protection even during attacks. The elastic infrastructure allows mitigation to keep pace with application traffic and keeps latency to a minimum. The comprehensive traffic and security metrics in the Harmony Controller web interface help you learn about specific attacks and patterns in attack detection. Harmony Controller Blacklists and Whitelists and customized Web Application Firewall (WAF) rules help mitigate these attacks.

Harmony Controller Mitigation Mechanisms for DDoS Attacks

Harmony Controller provides different mitigation mechanisms to thwart Layer 4 network level attacks.

Types of Attacks and Mitigation Mechanisms

  • Volumetric/Flood Attacks: IP protection, Rate limiting, and Throttling
  • Session attacks: SSL termination and SSL re-negotiation validation; Elastic SSL with Auto-Scaling
  • Application Attacks: Blacklist and Whitelist support, Full proxy for HTTP, Anomaly detection, Web Application Firewall (WAF)

Harmony Controller mitigates different types of DDoS attacks with security policies and features, as explained here:

By default, the mitigation mechanisms in Harmony Controller include connection pooling, surge protection, request queueing, and auto-scaling capabilities. These can absorb small to medium intensity attacks. If the attack is planned to exploit HTTP 1.1 protocol limits and is made in the form of SlowLoris, SlowPost or other similar “low and slow” attacks, the aggressively configured restrictions in the Surge Protection policy help to mitigate the attack. Limiting the total number of user sessions and rate limiting traffic within a session using the Session Tracking policy prevents the attacker from creating junk connections and hogging server resources. If the attack is made using a tool or IP network that is known for bad BOT traffic, it is prevented by the configuration setting in Harmony Controller that blocks dangerous BOT traffic. Obtaining the IP addresses of attackers and creating whitelists and blacklists (allow/deny rules) in the Access Policy prevents attacks from known IP addresses.

Connection Timeouts

Surge Protection Policy

Surge Protection policy is the security policy in Harmony Controller that protects your infrastructure from external network traffic surges caused by DDoS attacks which exploit conditions/parameters such as connection time, connection requests, or provisions of the HTTP protocol such as requests and responses. This policy allows you to specify the limits and timeouts for handling traffic surges present in the network or created by attacks, by aggressively closing the connections based on the policy configuration.

You can configure these functions in the Surge Protection policy screen in Harmony Controller:

  • Specify limits or timeouts for traffic surges by aggressively closing connections causing surges.
  • Prevent specific DDoS attacks such as SlowLoris and SlowPost by closing idle connections, or specifying limits for slow connections.
  • In attacks that exploit provisions of HTTP protocol, you can specify limits for the HTTP request body length or the maximum number of requests to process on a connection.

Configuring Surge Protection Policy

Perform the steps below to configure Surge Protection policy in Harmony Controller:

  1. Click on Tenant > Tenant Name > Edit Configuration > Security tab > Surge Protection menu. Enable the Surge Protection policy by clicking on the Enable button.
  2. The Surge Protection policy screen displays with these fields:

Surge Protection limits can be set on these parameters:

  • Maximum allowed Request Body (bytes) Size
    You can set a limit on the HTTP request body length that can be accepted by the HTTP Provider Service to protect your system from Denial-of-Service (DoS) attacks. The system enforces this limit by inspecting the Content-Length header of the request or by monitoring the chunked request body (when chunked encoding is applied to the message). If the value of the Content-Length header exceeds the maximum request body length, the HTTP Provider Service rejects the request with a 413 “Request Entity Too Large” error response.
  • The maximum number of requests to process on a connection
    You can limit the number of HTTP requests per source IP address, on a connection from the client to the application server. The limit can be an integer value between 0 and 65536.
  • Close idle connection after (seconds)
    Some attacks involve malicious clients that linger with partial requests and responses, interacting just enough to keep server idle timers from expiring. These attacks slow down applications by consuming system resources, eventually leading to an inability to handle server traffic. These are the “low and slow” attacks: a relatively small number of clients can DoS the server stealthily and slowly, without consuming any significant bandwidth on the network.

In Harmony Controller, this field allows setting the time within which the system should close idle connections so that low and slow attacks are prevented.

Protection against SlowLoris

Slow Loris is an attack tool that holds HTTP connections open by sending partial HTTP requests. The headers are sent at regular intervals to occupy the application stack and keep connections from closing. This keeps the server threads and network resources from being released, eventually leading to collapse. The web server quickly reaches its maximum application stack capacity and becomes unavailable for new connections by legitimate users. From a protocol compliance perspective, this appears to be normal traffic which the signature or blacklist-based devices do not detect.

  1. Click on Tenant > Tenant Name > Edit Configuration > Services > default-smartflow > Edit SmartFlow
  2. Under Policies > Performance > Compressions

In Harmony Controller, this field allows you to protect against SlowLoris attacks by closing HTTP connections when the headers are not received within the specified time interval (in seconds). The default allowed time is 60 seconds.

Close connection if all headers are not received in (seconds) - Protection Against SlowLoris: Set the time (in seconds) after which connections are closed if the HTTP headers have not been received.

Protection against SlowPost

SlowPost is an attack tool which brings down a web server by creating long form field submissions. This is done by iteratively injecting one byte into a web application post field followed by a sleep period. The result is that application threads become stuck because they are occupied with these one-byte POST fragments.

In A10 Harmony Controller, this field allows you to protect against SlowPost attacks by closing HTTP connections if the request body is not received within the specified time interval (in seconds). The default allowed time is 60 seconds.

Close connection if it goes idle while receiving request body for (seconds) - Protection against SlowPost: Set the time (in seconds) after which idle connections are closed while the HTTP request body is being received.

Terminate Connection after every request: When you enable this button, a new connection is opened for every new request (that is, the session is terminated after each request).
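The Surge Protection limits described in this section (request body size, requests per connection, idle timeout, the SlowLoris header timeout and the SlowPost body timeout), as an added simulation that is not the product's own code: constructed connection timelines are replayed against a policy whose fields are named after the screen's parameters. The event model and the non-timeout default values are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class SurgePolicy:
    """Surge Protection limits, named after the fields on the policy screen.
    The 60-second timeouts are the page's defaults; the other defaults are constructed."""
    max_request_body_bytes: int = 1_048_576   # Maximum allowed Request Body Size (bytes)
    max_requests_per_connection: int = 100    # maximum number of requests to process on a connection
    idle_timeout_s: float = 60.0              # Close idle connection after (seconds)
    header_timeout_s: float = 60.0            # Close connection if all headers are not received in (seconds)
    body_idle_timeout_s: float = 60.0         # Close connection if it goes idle while receiving request body


# Constructed event model: (seconds since the connection opened, kind, value).
#   "header_bytes"  a fragment of the request head arrived (value unused)
#   "headers_done"  the head is complete; value = Content-Length, -1 if chunked
#   "body_bytes"    value = body bytes received
#   "body_done"     end of a chunked body
#   "end"           the point in time at which a verdict is requested
Event = Tuple[float, str, int]


def evaluate_connection(events: List[Event], policy: SurgePolicy) -> str:
    """Replay one connection and return "ok" or the reason the ADC would close it."""
    phase = "idle"            # idle | headers | body
    last_activity = 0.0
    headers_started = 0.0
    body_expected = 0
    body_received = 0
    requests = 0
    for t, kind, value in sorted(events, key=lambda e: e[0]):
        # First judge the silence that preceded this event against the timeouts.
        if phase == "idle" and t - last_activity > policy.idle_timeout_s:
            return "closed:idle-timeout"
        if phase == "headers" and t - headers_started > policy.header_timeout_s:
            return "closed:header-timeout"      # SlowLoris: the head never completes
        if phase == "body" and t - last_activity > policy.body_idle_timeout_s:
            return "closed:body-idle-timeout"   # SlowPost: the body trickles in
        if kind == "end":
            return "ok"
        last_activity = t
        # Then apply the event itself.
        if kind == "header_bytes":
            if phase != "headers":
                phase, headers_started = "headers", t
        elif kind == "headers_done":
            requests += 1
            if requests > policy.max_requests_per_connection:
                return "closed:max-requests"
            if value > policy.max_request_body_bytes:
                return "rejected:413"           # Content-Length over the limit
            body_expected, body_received = value, 0
            phase = "idle" if value == 0 else "body"
        elif kind == "body_bytes":
            body_received += value
            if body_received > policy.max_request_body_bytes:
                return "rejected:413"           # chunked body grew past the limit
            if body_expected > 0 and body_received >= body_expected:
                phase = "idle"                  # request complete, connection kept alive
        elif kind == "body_done":
            phase = "idle"
    return "ok"


# Constructed timelines, one per protection the section describes.
NORMAL_REQUEST = [(0.1, "header_bytes", 0), (0.3, "headers_done", 0), (1.0, "end", 0)]
SLOWLORIS = [(0.0, "header_bytes", 0), (30.0, "header_bytes", 0), (59.0, "header_bytes", 0), (90.0, "header_bytes", 0)]
SLOWPOST = [(0.2, "headers_done", 10_000), (10.0, "body_bytes", 1), (20.0, "body_bytes", 1), (100.0, "body_bytes", 1)]
OVERSIZED_POST = [(0.1, "headers_done", 2_000_000)]
OVERSIZED_CHUNKED = [(0.1, "headers_done", -1), (0.5, "body_bytes", 600_000), (1.0, "body_bytes", 600_000)]
IDLE_KEEPALIVE = [(0.3, "headers_done", 0), (100.0, "end", 0)]
THREE_REQUESTS = [(0.1, "headers_done", 0), (0.2, "headers_done", 0), (0.3, "headers_done", 0)]
TWO_REQUEST_POLICY = SurgePolicy(max_requests_per_connection=2)


if __name__ == "__main__":
    cases = [("normal", NORMAL_REQUEST), ("slowloris", SLOWLORIS), ("slowpost", SLOWPOST),
             ("oversized", OVERSIZED_POST), ("chunked", OVERSIZED_CHUNKED), ("idle", IDLE_KEEPALIVE)]
    for name, timeline in cases:
        print(f"{name:10s} {evaluate_connection(timeline, SurgePolicy())}")
    print(f"{'3 requests':10s} {evaluate_connection(THREE_REQUESTS, TWO_REQUEST_POLICY)}")
```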

Volumetric Traffic Limits

Session Tracking Policy

A session is a series of related browser requests that come from the same client during a period. Session tracking is a mechanism to track a customer session and enforce traffic management policies on sessions. During a session, a series of continuous web requests and responses from the same client to the server can cause traffic congestion and inadequate network bandwidth. This is because HTTP is a stateless protocol and the server does not store the incoming client information. Session tracking enables you to track a user’s progress over multiple servlets or HTML pages during a session. Session tracking mechanisms are required so that Volume-based DDoS attacks caused by large traffic generation from a single client, or a lot of connections created for a short duration from multiple clients can be detected and mitigated.

Session Timeout: You can specify an interval of time after which HTTP sessions expire. When a session expires, all data stored in the session is discarded. The session timeout is 30 minutes, as per industry standards.

Session Tracking Policy in Harmony Controller

Session Tracking policy in Harmony Controller allows you to track user sessions and then limit usage of resources by those sessions. The Harmony Controller performs session tracking to apply rate limits on incoming web requests from clients to servers.


You can set these parameters in the session tracking policy in Harmony Controller:

  • Number of simultaneous user sessions for an application.
  • Number of simultaneous requests within a session.
  • The rate of requests per session.
  • The rate of session creation per application.

Note

See Step 3 of Configuring Session Tracking Policy in Harmony Controller for more information.

Configuring Session Tracking Policy

Perform the steps below to configure the session tracking policy in A10 Harmony Controller:

Click on Tenant > Tenant Name > Edit Configuration > Security tab > Session Tracking to access the Session Tracking screen.


Configure the Session Tracking Mechanism. A10 Harmony Controller provides these mechanisms for session tracking:

A10 Lightning ADC cookie
This session tracking mechanism uses cookies to track sessions. A10 Harmony Controller inserts its own cookie to track a session, and a unique cookie identifies each session. Use this when traffic is expected from web clients that support cookies; a typical example is a web browser.
Client IP
This session tracking mechanism tracks the sessions originating from a client IP address to the application server; a session is identified by the IP address of the web client. Use this when clients do not support cookies (for example, mobile apps) but are expected to have different public IP addresses.

Configure the following parameters for session tracking:

Maximum concurrent sessions
The maximum number of concurrent users accessing the application. You can set any integer value in this field.
Session create rate
The rate at which new user sessions are created for the application. This parameter is measured as a per-second rate.
Maximum concurrent requests per session
The maximum number of concurrent requests in a user session. This field is particularly useful in browser sessions (when users access the application through browsers).
Request rate per session
The number of requests per second in a user session. This field is particularly useful in API-based sessions. This parameter is measured as a per-second rate.

Note

Session Tracking can also be configured at the Smart Flow level.

Session Tracking Trend Graphs

You can view trend graphs and analytics of your session tracking policy from the Analytics > Dashboard > Blocked Requests menu.


Exporting and Importing Application Configuration from A10 Lightning Controller

This section discusses in detail the ways to import and export application configuration to and from A10 Lightning Controller.

The export function stores the logical configuration of an application from the A10 Lightning Controller to a user specified location. The import function uploads the logical configuration from local storage and creates a logical entity for the application on the A10 Lightning Controller. The export and import can be done in two ways - unencrypted export/import and encrypted export/import.

When the configuration is exported without a password, it is an unencrypted export and the returned content is plain text. Whereas, when a password is specified during export, the returned configuration is encrypted with that password. When such an encrypted file is imported, the controller uses the password provided by the user to decrypt the configuration file and create the logical entity. Both the import and export operations are performed using the APIs.

APIs to Export/Import Application Configuration

The export API exports the configuration for a specific or all the applications for a tenant. The API generates a JSON file and returns it to user with or without encryption. The user can store this file as a configuration backup and use it if there is a need to restore the application.

Note: A tenant has two names, the display name and the tenant name. In the APIs below, only the tenant name should be used, never the display name.

To get the name of the tenant, invoke the following API:

API : GET /api/v2/providers/root/tenants HTTP/1.1

{
  "name" : "shared.1544D6813101544AF9231901C64B3DE665BC66AA",
  "displayName" : "tenant7.shared",
  "id" : "6b8a783b-45ed-482a-8dcb-40548d9230d8",
  "providerId" : "067e6162-3b6f-4ae2-a171-2470b63dff00",
  "state" : "ACTIVE",
  "createdAt" : "Mar 27, 2018 09:06:48 AM UTC",
  "lastModifiedAt" : "Mar 27, 2018 09:06:48 AM UTC",
  "lastModifiedBy" : "abc@xyz.com",
  "appCount" : 2,
  "clusterCount" : 1
}

{
  "name" : "t1",
  "displayName" : "t1",
  "id" : "49f96e1b-5ed8-417e-90c9-8904fe4c67a1",
  "providerId" : "067e6162-3b6f-4ae2-a171-2470b63dff00",
  "state" : "ACTIVE",
  "metadata" : {
    "marketPlace" : false,
    "accountType" : "SAAS"
  }
}

  1. Export a specific application configuration for a tenant:

    GET http://<edge-ip>/api/v2/systems/configuration/<Application Name>/_exportconf
    **Parameters**
    
    - String password: Password, if provided then the returned configuration is encrypted.
    - Boolean excludeServers: If true, back-end servers are excluded from the exported application configurations.
    - Application Name : Application Name of the application to be exported.
    - Tenant: Tenant name to which this application belongs.
    - Provider: Provider name to which the tenant belongs.
    
  2. Export all the application configuration for a tenant:

    GET http://<edge-ip>/api/v2/systems/configuration/_exportconf
    **Parameters**
    
    - String password: Password, if provided then the returned configuration is encrypted.
    - Boolean excludeServers: If true, back-end servers are excluded from the exported application configurations.
    
  3. Import the application configuration(s) for a tenant:

    POST http://<edge-ip>/api/v2/systems/configuration/_importconf
    **Parameters**
    
    - @FormDataParam InputStream file: Encrypted or plain configuration file.
    - @FormDataParam String clusters: Comma separated list of clusters name corresponding to applications to be associated with.
    - String password: Optional, password to be used for decryption, when provided input file is encrypted.
    - String infraCredential: Infra-credential in the current tenant. If provided, then infra-credential available in the exported file is replaced by this.
    - String dnsCredential: Dns-credential in the current tenant. If provided, then dns-credential available in the exported file is replaced by this.
    - Boolean excludServers: If true, applications are imported excluding the back-end servers (even if exported configuration file has it).
    

Note 1: If the user tries to import an application that already exists, a conflict is returned; the user must delete the existing application before the conflicting application can be imported.

Note 2: While importing multiple applications, if the import fails for a single application, no application is imported.
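An added helper script for the three calls above (not an A10 script): it resolves a tenant's display name to the name the APIs require, builds the export URL with the password and excludeServers parameters, and assembles the multipart body for the import call. Authentication headers are omitted, the multipart encoding of the file and clusters fields is an assumption, and the sample tenant records are constructed from the listing shown above.

```python
import urllib.parse
import uuid
from typing import Dict, List, Optional, Tuple

# Constructed tenant listing in the shape of GET /api/v2/providers/root/tenants,
# trimmed to the fields this example needs.
TENANT_LISTING = [
    {"name": "shared.1544D6813101544AF9231901C64B3DE665BC66AA", "displayName": "tenant7.shared", "state": "ACTIVE"},
    {"name": "t1", "displayName": "t1", "state": "ACTIVE"},
]


def resolve_tenant_name(listing: List[Dict[str, str]], wanted: str) -> str:
    """Return the tenant's `name` whichever of its two names the caller supplied,
    because the export/import APIs accept only `name`, never `displayName`."""
    for tenant in listing:
        if wanted in (tenant["name"], tenant["displayName"]):
            return tenant["name"]
    raise KeyError(f"no tenant named {wanted!r}")


def export_url(edge_ip: str, application: Optional[str] = None,
               password: Optional[str] = None, exclude_servers: bool = False) -> str:
    """URL for _exportconf: one application when given, otherwise all of the tenant's."""
    base = f"http://{edge_ip}/api/v2/systems/configuration/"   # the page shows http; use https so the password is not sent in clear
    path = f"{urllib.parse.quote(application, safe='')}/_exportconf" if application else "_exportconf"
    params: Dict[str, str] = {}
    if password:
        params["password"] = password          # the returned configuration is then encrypted
    if exclude_servers:
        params["excludeServers"] = "true"
    query = urllib.parse.urlencode(params)
    return base + path + (f"?{query}" if query else "")


def import_request(edge_ip: str, config: bytes, clusters: List[str],
                   password: Optional[str] = None, exclude_servers: bool = False,
                   boundary: Optional[str] = None) -> Tuple[str, Dict[str, str], bytes]:
    """Assemble (url, headers, body) for POST _importconf as multipart/form-data.
    The encoding is done by hand so the example needs only the standard library;
    the field names follow the page's parameter list."""
    boundary = boundary or uuid.uuid4().hex
    fields = [("clusters", ",".join(clusters))]
    if password:
        fields.append(("password", password))
    if exclude_servers:
        fields.append(("excludServers", "true"))   # spelled as in the page's parameter list
    parts = []
    for name, value in fields:
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode())
    parts.append(
        f'--{boundary}\r\nContent-Disposition: form-data; name="file"; filename="app-config.json"\r\n'
        f'Content-Type: application/octet-stream\r\n\r\n'.encode() + config + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    headers = {"Content-Type": f"multipart/form-data; boundary={boundary}"}
    return f"http://{edge_ip}/api/v2/systems/configuration/_importconf", headers, b"".join(parts)


if __name__ == "__main__":
    print(resolve_tenant_name(TENANT_LISTING, "tenant7.shared"))
    print(export_url("<edge-ip>", "my app", password="s3cret", exclude_servers=True))
    url, hdrs, body = import_request("<edge-ip>", b'{"constructed": true}', ["cluster-a"], boundary="example")
    print(url, hdrs, body.decode(), sep="\n")
```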

A10 Lightning ADC Use Case Scenarios

This section of the document briefly discusses various configuration scenarios which a user can implement using the features offered by A10 Harmony Controller. These use cases help users understand the A10 Harmony Controller features better, and how these features can be used effectively to address various scenarios. For example, if a user wants to block traffic from a specific country to the network, the user can use the SmartFlow feature in A10 Harmony Controller to create a service condition that blocks traffic from that country. Similarly, many other use case scenarios are discussed in this section of the document.

Traffic Management Use Cases

1.1 Redirecting HTTP traffic to HTTPS

In an ideal scenario, when you enter a URL (http://www.example.com) in your web browser, the browser sends an HTTP request to the web server to fetch and transfer the requested web page. Here, your web browser is the client and your website host is the server. Sometimes the client exchanges private information with the server, which needs to be secured against interception. For this reason, we redirect the traffic from HTTP to HTTPS using the Smartflow feature in A10 Harmony Controller. The ‘S’ at the end of HTTPS stands for ‘Secure’: all communications between your browser and the website are encrypted. HTTPS is often used to protect highly confidential online transactions like online banking and online shopping order forms.

To redirect traffic from HTTP to HTTPS in A10 Harmony Controller, the user can use the SmartFlow feature to create a smart flow condition for a particular service (or services) so that any data exchanged through A10 Harmony Controller is secure. Rather than creating a smart flow condition for each URL request, the user can enter https://$host$request_uri in the Redirect URL field and set the condition to Redirect the traffic, which redirects all URL requests.

In this case, a request from the client hits the smart flow and if the condition matches, then the traffic is redirected from HTTP:// to HTTPS:// [temporarily or permanently] for the requested URL.

Steps to configure a Smartflow policy to redirect traffic:

  1. Login to the A10 Harmony Controller.

  2. Click Configuration > Services > Smartflow

  3. Click Add a new Smartflow, set the conditions, and then save.

    See also

    Adding a Smartflow section under Traffic Management Configuration, for more information on Smartflow configuration.

1.2 Dealing with DDoS Attack

A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example, a botnet) flooding the targeted system with traffic. In this use case, we discuss the Surge Protection feature in A10 Harmony Controller, which is designed to mitigate such attacks.

If the attack is made in the form of SlowLoris, SlowPost or other similar low and slow attacks, the aggressively configured restrictions in the Surge Protection policy help to mitigate such attacks. In addition, limiting the total number of user sessions and rate limiting traffic within a session using the Session Tracking policy prevents the attacker from creating junk connections and consuming server resources.

See also

Protection against DDoS Attacks section under Security Configuration for more information on Surge Protection policies, and how to configure them.

1.3 Estimate the Rate Limit Configuration Values

This use case discusses the effort to estimate the Rate Limit configuration values considering the analytics of various other parameters.

Based on the session tracking analytics and the per-request analytics taken together, the user can estimate the values for the Rate Limit configuration.

A session is defined as a single user agent such as a browser or an API client. Each session has an idle expiry time that defaults to 30 minutes (this cannot be changed currently). A session can be tracked in two ways.

  1. LADC Cookie

    Cookies are maintained by LADCs and are returned with every response. Each user agent is uniquely identified by the combination of source IP and port.

  2. Client IP

    Only the source IP of the client is used to identify a user agent uniquely.

Based on the values obtained for the four parameters discussed below, the user can estimate the values to configure for Rate Limiting.

  1. Number of Concurrent Sessions

    The maximum number of sessions (or user agents) that can be accepted at any given point in time. Suppose it is set to a value of 100; then approximately a maximum of 100 user agents can be served at any point in time. Any more user agents will get a 403 Forbidden response. This value can be retrieved from the “active sessions” value in the session tracking graphs (under App Dashboard > Blocked requests).

  2. Number of Concurrent Requests per Session

    The maximum number of open requests (for which a response has not been received yet) that can be accepted at any given point in time. This value can be derived from the total number of requests that can be served at any given point in time and the number of concurrent sessions: Number of concurrent requests per session = Total number of requests / Number of concurrent sessions. Suppose it is known from the app server infrastructure/health that it can support a maximum of 10000 outstanding requests at any point in time, and the maximum number of concurrent sessions (as seen from the graphs) is 1000. Therefore the number of concurrent requests per session can be set to 10.

  3. Session Rate

    The maximum number of sessions that can be accepted per second. In other words, this is the maximum number of user agents that can be served per second. This can be used to stop too many new user agents per second from being served by the App server infrastructure.

  4. Request Rate per Session

    The maximum number of requests per second that can be made over a session. This blocks user agents that send too many requests per second over a session.
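The four parameters above, together with the Session Tracking policy fields described in the Security Configuration section (Maximum concurrent sessions, Session create rate, Maximum concurrent requests per session, Request rate per session) and the estimation rule of thumb, as an added Python model that is not the ADC's own implementation. The one-second sliding windows, the 403 verdicts, and keying a cookie-tracked request without a cookie by its client IP are assumptions for the example.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional


@dataclass(frozen=True)
class SessionTrackingPolicy:
    max_concurrent_sessions: int             # Maximum concurrent sessions
    session_create_rate: float               # Session create rate (new sessions per second)
    max_concurrent_requests_per_session: int # Maximum concurrent requests per session
    request_rate_per_session: float          # Request rate per session (per second)
    session_idle_expiry_s: float = 1800.0    # 30-minute idle expiry, as the page states


@dataclass
class Session:
    last_seen: float
    open_requests: int = 0
    request_times: Deque[float] = field(default_factory=deque)


class SessionTracker:
    """Applies the four limits to a stream of requests.  Assumption: both rates
    use a one-second sliding window, and a blocked request is answered with 403."""

    def __init__(self, policy: SessionTrackingPolicy, track_by: str = "cookie") -> None:
        self.policy = policy
        self.track_by = track_by                # "cookie" (A10 Lightning ADC cookie) or "client_ip"
        self.sessions: Dict[str, Session] = {}
        self.creations: Deque[float] = deque()  # timestamps of recent session creations

    def _key(self, client_ip: str, cookie: Optional[str]) -> str:
        # Assumption: with cookie tracking, a request that carries no cookie yet
        # is keyed by its client IP until the ADC has inserted one.
        if self.track_by == "cookie" and cookie:
            return "cookie:" + cookie
        return "ip:" + client_ip

    def _expire_idle(self, now: float) -> None:
        idle = [k for k, s in self.sessions.items() if now - s.last_seen > self.policy.session_idle_expiry_s]
        for key in idle:
            del self.sessions[key]

    @staticmethod
    def _trim(window: Deque[float], now: float) -> None:
        """Drop timestamps older than the one-second window."""
        while window and now - window[0] >= 1.0:
            window.popleft()

    def begin_request(self, now: float, client_ip: str, cookie: Optional[str] = None) -> int:
        """Return 200 if the request may proceed, 403 if a limit blocks it."""
        self._expire_idle(now)
        key = self._key(client_ip, cookie)
        session = self.sessions.get(key)
        if session is None:
            self._trim(self.creations, now)
            if len(self.sessions) >= self.policy.max_concurrent_sessions:
                return 403                      # Maximum concurrent sessions reached
            if len(self.creations) >= self.policy.session_create_rate:
                return 403                      # Session create rate exceeded
            session = Session(last_seen=now)
            self.sessions[key] = session
            self.creations.append(now)
        session.last_seen = now
        self._trim(session.request_times, now)
        if session.open_requests >= self.policy.max_concurrent_requests_per_session:
            return 403                          # Maximum concurrent requests per session
        if len(session.request_times) >= self.policy.request_rate_per_session:
            return 403                          # Request rate per session exceeded
        session.open_requests += 1
        session.request_times.append(now)
        return 200

    def end_request(self, client_ip: str, cookie: Optional[str] = None) -> None:
        """A response went back, so the request no longer counts as open."""
        session = self.sessions.get(self._key(client_ip, cookie))
        if session and session.open_requests > 0:
            session.open_requests -= 1


def estimate_concurrent_requests_per_session(max_outstanding_requests: int, peak_concurrent_sessions: int) -> int:
    """The page's rule of thumb: requests the servers can hold open divided by
    the peak concurrent sessions seen in the session tracking graphs."""
    if peak_concurrent_sessions <= 0:
        raise ValueError("peak concurrent sessions must be positive")
    return max(1, max_outstanding_requests // peak_concurrent_sessions)


if __name__ == "__main__":
    # The page's worked numbers: 10000 outstanding requests over 1000 sessions.
    print("concurrent requests per session:", estimate_concurrent_requests_per_session(10000, 1000))
    policy = SessionTrackingPolicy(max_concurrent_sessions=2, session_create_rate=5,
                                   max_concurrent_requests_per_session=2, request_rate_per_session=3)
    tracker = SessionTracker(policy, track_by="client_ip")
    for t in (0.0, 0.1, 0.2):   # constructed burst from one client
        print(t, tracker.begin_request(t, "198.51.100.1"))
```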

1.4 Release a New Version of the Application to a Specific Domain

Sometimes a user needs to test a new version of the application with zero downtime. In this case, the user can use the Blue/Green feature in A10 Harmony Controller to set traffic steering policies for inbound traffic across the old (blue) and new (green) deployments while both environments remain online. The user can monitor blue and green server behaviour and health metrics to adjust the traffic steering rules in real time.

The following use case helps the user understand how to configure the Blue/Green deployment feature in A10 Harmony Controller to steer traffic to a specific user domain whenever there are new additions to the application, or to release a new version of the application.

In this use case, we discuss four different Blue/Green deployment scenarios: specific user, specific browser, specific country, and specific device. In each case, the Blue/Green policy steers inbound traffic across the old (blue) and new (green) deployments, while both environments remain online, according to the configured conditions.

See also

Traffic Management Configuration for more information on Blue/Green deployment.

Configuring Blue/Green Policy

  1. Click Configuration > Blue/Green

  2. Click Configure a Blue/Green Deployment

  3. Select the Blue Service from the drop-down.

  4. Configure the condition(s) to direct the Green traffic based on the requirement.

The first four steps remain the same for all the policy configurations; only the conditions change, as shown below.

Specific User

To filter user-specific traffic, set the conditions as shown below; here the If condition can be Header, Cookie, or Query Parameter.

Specific Browser

To filter browser-specific traffic, set the conditions as shown below.

Specific Country

To filter country-specific traffic, set the conditions as shown below; the value used should be the country code (for example, US).

Specific Device

To filter device-specific traffic, set the conditions as shown below.

Security Configuration Use Cases

1.1 Block Traffic from a Specific Country

The following use case addresses the requirement to block traffic from a specific country. For example, the user may need to block traffic from a specific country in order to prevent malicious attacks on the network; in such a case the user can create a security policy in A10 Harmony Controller and make the network more secure.

The security configuration policies in A10 Harmony Controller allow a business to build a policy that blocks traffic from a specific country based on various parameters. This policy can be enabled for existing service(s) or for a new service profile. In this example, we create a new service and then enable a smart flow condition to block the traffic from a specific country.

Configuration steps:

  1. Click Add New Service > Provide Name, Description, IP and Port Number.

  2. Set the Service conditions as shown and then Save. Here, US is the country code for the United States.

    _images/image9.0.png
  3. Activate the Service.

  4. Click Add SmartFlow > Set SmartFlow conditions > Save.

    _images/image9.1.png

1.2 Block Traffic from a Specific Network

Attacks may originate from a network that is already known to be hostile as well as from previously unseen ones. When the source network is known (for example, one that is scanning or attacking the application), blocking it at the ADC stops its requests before they consume application resources. This use case shows how to block traffic from such a network using the traffic blocking policy in A10 Harmony™ Controller.

The security configuration policies in A10 Harmony™ Controller let you build a policy that blocks traffic from a specific network based on the client IP address. The policy can be applied to existing service(s) or to a new service profile. In this example, we create a new service and then add a SmartFlow condition that blocks traffic from the network.

Configuration steps:

  1. Click Add New Service > Provide Name, Description, IP, and Port Number.

  2. Set the Service conditions as shown and then Save. Here, the value is the IP address or network range of the clients whose traffic is blocked. If another proxy or load balancer sits in front of the ADC, the source address the ADC sees is that proxy rather than the end client, so confirm which address the condition evaluates before relying on it.

    _images/image9.2.png
  3. Activate the Service.

  4. Click Add SmartFlow > Set SmartFlow conditions > Save.

    _images/image9.3.png

1.3 Block Traffic from a Specific Browser

Sometimes traffic from a specific browser must be blocked, for example because the application does not support that browser. Requests from an unsupported browser fail or produce errors, and handling them consumes server resources for no benefit; rejecting them at the ADC avoids that cost.

To handle this, A10 Harmony™ Controller lets you build a policy that blocks traffic for a specific browser based on conditions such as header name, match if, case, and value. The policy can be applied to existing service(s) or to a new service profile. In this example, we create a new service and then add a SmartFlow condition that blocks traffic for a specific browser. Because the User-Agent header is supplied by the client and can be set to any value, this policy is a compatibility filter, not a security boundary.

Configuration steps:

  1. Click Add New Service > Provide Name, Description, IP, and Port Number.

  2. Set the Service conditions as shown and then Save. Here, define the Header name as User-Agent and the value as a string that identifies the browser (Mozilla in this example). Note that nearly every modern browser, including Chrome, Safari and Edge, sends a User-Agent that begins with Mozilla/5.0 for historical reasons, so a match on Mozilla blocks far more than Firefox. To target a single browser, match a more specific product token such as Firefox/.

    _images/image9.4.png
  3. Activate the Service.

  4. Click Add SmartFlow > Set SmartFlow conditions > Save.

    _images/image9.5.png

1.4 Block Traffic from a Specific Device

This use case is very similar to blocking traffic from a specific browser; the difference is that the User-Agent value identifies a device or platform instead of a browser.

The security configuration policies in A10 Harmony™ Controller let you build a policy that blocks traffic for a specific device based on service policy conditions. The policy can be applied to existing service(s) or to a new service profile. In this example, we create a new service and then add a SmartFlow condition that blocks traffic for a specific device.

Configuration steps:

  1. Click Add New Service > Provide Name, Description, IP, and Port Number.

  2. Set the Service conditions as shown and then Save. Here, define the Header name as User-Agent and the value as a string that identifies the device (Macintosh in this example). As with the browser policy, the client controls this header, so the filter is effective for cooperating clients but not against an attacker who rewrites it.

    _images/image9.6.png
  3. Activate the Service.

  4. Click Add SmartFlow > Set SmartFlow conditions > Save.

    _images/image9.7.png
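The Blue/Green scenarios and the four blocking use cases above all reduce to the same matching logic: a value taken from the request (a header, cookie or query parameter, the GeoIP country, or the client network) is compared against a configured string, and the first policy whose conditions all match decides the outcome. The Python below is an added illustration of that logic written for this page; it is not A10 Harmony Controller code or its API. The condition fields (kind, name, match_if, case_sensitive, value), the first-match policy order, the green/block/blue outcomes and the GeoIP country field on the request are assumptions made for the example, and the requests and user agents are constructed. It also reproduces the User-Agent pitfall noted in use case 1.3: a condition matching Mozilla blocks Chrome on a Mac, while a condition matching Firefox/ does not.

```python
"""Illustrative evaluation of Blue/Green steering and blocking conditions.
Added example, not A10 code: condition fields, first-match policy order and
the GeoIP country on the request are assumptions made for this illustration."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Request:
    client_ip: str
    country: str = ""  # ISO 3166-1 alpha-2 from a GeoIP lookup on client_ip (assumed)
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)


@dataclass
class Condition:
    kind: str                   # "header", "cookie", "query", "country" or "network"
    value: str                  # configured value, e.g. "US", "Firefox/", "203.0.113.0/24"
    name: str = ""              # header, cookie or query parameter name
    match_if: str = "contains"  # "contains" or "equals"
    case_sensitive: bool = False

    def _actual(self, req: Request):
        """Return the request field this condition inspects, or None if absent."""
        if self.kind == "header":
            # HTTP header names are case-insensitive, so fold both sides.
            return next((v for k, v in req.headers.items()
                         if k.lower() == self.name.lower()), None)
        if self.kind == "cookie":
            return req.cookies.get(self.name)
        if self.kind == "query":
            return req.query.get(self.name)
        if self.kind == "country":
            return req.country
        raise ValueError(f"unknown condition kind {self.kind!r}")

    def matches(self, req: Request) -> bool:
        if self.kind == "network":
            # Prefix match on the client address; strict=False tolerates host bits in the value.
            return ipaddress.ip_address(req.client_ip) in ipaddress.ip_network(self.value, strict=False)
        actual = self._actual(req)
        if actual is None:
            return False
        a, e = (actual, self.value) if self.case_sensitive else (actual.lower(), self.value.lower())
        if self.match_if == "equals":
            return a == e
        if self.match_if == "contains":
            return e in a
        raise ValueError(f"unknown match_if {self.match_if!r}")


@dataclass
class Policy:
    conditions: list  # every condition must match (logical AND)
    action: str       # "green" (steer to the new deployment) or "block"

    def applies(self, req: Request) -> bool:
        return all(c.matches(req) for c in self.conditions)


def decide(policies, req: Request) -> str:
    """First matching policy wins; with no match the request stays on blue and is allowed."""
    for p in policies:
        if p.applies(req):
            return p.action
    return "blue"


# Constructed user agents in real-world shape (not captured traffic).
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; rv:124.0) Gecko/20100101 Firefox/124.0"
CHROME_MAC_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36")


def demo() -> dict:
    """Run the page's scenarios against constructed requests and return each outcome."""
    block_net = Policy([Condition("network", "203.0.113.0/24")], "block")
    block_mozilla = Policy([Condition("header", "Mozilla", name="User-Agent")], "block")
    block_firefox = Policy([Condition("header", "Firefox/", name="User-Agent")], "block")
    green_beta = Policy([Condition("cookie", "beta", name="release")], "green")
    green_us_mac = Policy([Condition("country", "US", match_if="equals"),
                           Condition("header", "Macintosh", name="User-Agent")], "green")

    chrome_mac_us = Request("198.51.100.7", "US", headers={"user-agent": CHROME_MAC_UA})
    firefox_de = Request("198.51.100.8", "DE", headers={"User-Agent": FIREFOX_UA})
    beta_user = Request("198.51.100.9", "FR", headers={"User-Agent": FIREFOX_UA},
                        cookies={"release": "beta"})
    hostile = Request("203.0.113.55", "US", headers={"User-Agent": CHROME_MAC_UA})

    return {
        # Pitfall: "Mozilla" appears in almost every browser's User-Agent.
        "mozilla_blocks_chrome": decide([block_mozilla], chrome_mac_us),        # "block"
        "firefox_token_spares_chrome": decide([block_firefox], chrome_mac_us),  # "blue"
        "firefox_token_blocks_firefox": decide([block_firefox], firefox_de),    # "block"
        # The block policy is listed first so a hostile network never reaches green.
        "hostile_network_blocked": decide([block_net, green_us_mac], hostile),  # "block"
        "us_mac_to_green": decide([block_net, green_us_mac], chrome_mac_us),    # "green"
        "beta_cookie_to_green": decide([green_beta], beta_user),                # "green"
        "no_match_stays_blue": decide([green_beta, green_us_mac], firefox_de),  # "blue"
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:30s} -> {outcome}")
```

Policy order matters in this model: blocking policies are evaluated before steering policies so that a blocked network can never be routed to the green deployment by a later match. Header values are compared case-insensitively unless the condition says otherwise, but header names are always folded, since HTTP treats them as case-insensitive.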