A10 Lightning ADC is the cloud-native ADC product line of A10 Networks. It is pure software and can be installed in any environment. A10 Lightning ADC instances are stateless and are fully managed by Harmony Controller. It is purpose-built for web applications that implement a micro-services architecture and are deployed in a cloud or containerized environment; however, it works equally well for traditional applications deployed in data centers.

A10 Lightning ADC instances are deployed in an active-active cluster, i.e. all the members of a cluster are always active and share the load. Because the instances are stateless, a cluster is elastic in nature: new instances can be added at any time, and existing instances can be shut down, without significantly impacting the running traffic.

Deploying A10 Lightning ADC Cluster

A10 Lightning ADC instances can either be deployed manually and associated with an A10 Lightning ADC cluster, or Harmony Controller can be allowed to launch them automatically. The available options also depend on the cloud infrastructure the user selects, and the configuration page offers the user several ways to deploy A10 Lightning ADC. At the most basic level, deploying A10 Lightning ADC means setting up a virtual machine with the A10 Lightning ADC software.

Deploying in AWS Cloud

A10 Networks releases a pre-built Amazon Machine Image (AMI) of A10 Lightning ADC for quick set-up. Harmony Controller is capable of launching A10 Lightning ADC in the user's AWS account if the user is comfortable granting the system permission to do so. Otherwise, a user can launch A10 Lightning ADC manually using a Cloud Formation Template (CFT), or from the Amazon marketplace.

Automatic Launch of A10 Lightning ADC Cluster by System

To automatically launch an A10 Lightning ADC cluster, choose the cluster type Automatic in the Create Cluster screen. For the auto launch of an A10 Lightning ADC cluster, the user must provide AWS credentials in the form of an ARN so that the system can access the various AWS resources of the user's AWS account.

See also

For more information on the different user account authorizations, refer to the ARN Policy section on the Infracredential configuration page.

In addition to the above information, the user also needs to provide the exact location (AWS region, network and subnets) where the A10 Lightning ADC should be launched, and the scale up/down policy for the cluster in accordance with higher/lower CPU usage. When the required configuration is saved, the A10 Lightning ADC instances are launched and automatically registered with the system into the specified cluster. A list of all AWS resources created during the process, as well as their status, is shown on the cluster page.

Follow the steps below to auto launch A10 Lightning ADC cluster by the system:

  1. Click + to add a new cluster, provide the cluster name and then select the cloud credentials if already created. By default the cluster type is set to Auto.

  2. Once the above step is completed, select the Region and then the Subnet(s) in which to launch the cluster, and set the Min/Max Instances for the cluster. Save the cluster and wait for it to launch.

  3. Wait for the status to change to Launch Successful.

Launching A10 Lightning ADC Cluster Manually using AWS CFT

The A10 Lightning ADC cluster is launched manually when the user is not comfortable authorizing the system to launch the instances and other resources, which requires access to the user's AWS account. If the user decides to use a Cloud Formation Template (CFT), all the steps are completely automated.

Follow the steps below to launch the A10 Lightning ADC cluster using a CFT (Cloud Formation Template):

  1. Click + to add a new cluster, provide the cluster name and then select cluster type as Manual. Save the settings.

  2. Provide information about placement and scaling. The system does not save this information; it is only used to generate the template.

  3. Generate a CFT from the above information by clicking the Export CFT button, select the AWS platform, and then download the CFT and save it.

  4. Upload the CFT to an S3 bucket in AWS: click Services > S3 > Create Bucket > Bucket Name > Region > Create > double-click the CFT created > Upload > Add/Upload CFT > double-click CFT Properties > copy the Link address > go to Services > Cloud Formation > Launch CloudFormer > paste the Link address in the field Specify an Amazon S3 template URL > Next > provide Key and Value > Review > Create.

A10 Lightning ADC instances launched using a system-provided CFT are automatically registered with the system into the specified cluster.

Launching A10 Lightning ADC Cluster Manually from AWS Marketplace

To launch the A10 Lightning ADC cluster manually from AWS Marketplace, use the A10 Lightning ADC AMI available in the AWS Marketplace. The same process also applies to launching an A10 Lightning ADC cluster in EC2-Classic. By manually launching the A10 Lightning ADC instance, the user has the liberty to choose the placement of instances, but scaling and security must be configured manually by the user.

Follow the steps below to launch an A10 Lightning ADC cluster from AWS Marketplace:

  1. Login to the A10 Lightning ADS and click + to add a new cluster, provide the cluster name and then select cluster type as Manual. Save the settings.

  2. Click this link https://aws.amazon.com/marketplace/ to access AWS Marketplace, search for A10 Lightning ADC and click on A10 Lightning ADC.

  3. Click Continue on this screen.

  4. Click Manual Launch and select the region to launch A10 Lightning ADC close to your App server.

  5. Click Next: Configure details.

  6. In this screen, configure the instance details. After providing the basic configuration details, click Advanced Details, click the As text radio button and provide the Cluster ID, Edge IP and API Server URL as in the example below. Copy the JSON below into the User data field and change only the Cluster ID; everything else stays the same.

    User data JSON:

    {
      "cluster_id": "Cluster-ID_from_UI",
      "edge_ip": ["https://<harmony-controller-address>/api/v2"],
      "api_svr_url": ["https://<harmony-controller-address>:8443/api/v2"]
    }

  7. Click Add Storage, provide the storage requirements or leave the defaults.

  8. Click Add Tags and provide the Name and Value.

  9. Click Next: Configure Security Group > Select an existing security group > Review and Launch.

  10. Click Launch.

  11. Select a Key pair and click Launch Instance.

  12. Check the Launch Status.

  13. Verify the cluster association with Harmony Controller in the cluster information page.

Launching A10 Lightning ADC cluster in ASG (Auto Scaling Group) from AWS Marketplace

  1. Follow steps 2 to 5 from “Launching A10 Lightning ADC Cluster Manually from AWS Marketplace” before proceeding to the next step.

  2. On this screen click Launch into Auto Scaling Group.

  3. Click Create Launch Configuration, provide the Name, then click Advanced Details and copy the JSON below into the User data field, with the Cluster ID copied from the cluster creation page as shown in step 6 above. Then click Add Storage.

    User data JSON:

    {
      "cluster_id": "Cluster-ID_from_UI",
      "edge_ip": ["https://<harmony-controller-address>/api/v2"],
      "api_svr_url": ["https://<harmony-controller-address>:8443/api/v2"]
    }

  4. Click Next: Configure Security Group > Select an existing security group > Review > Create Launch Configuration.

  5. Choose an existing key pair and click Create Launch Configuration.

  6. Provide the scaling group details, and then click Next: Configure Scaling Policies.

  7. Choose the option Use scaling policies to adjust the capacity of this group, provide all the details and then click Next: Configure Notifications.

  8. Click Add Notifications.

  9. Select a notification endpoint from the list if already created. Otherwise, select create topic and follow step 10 to create a new notification endpoint.

  10. Create a new topic (notification endpoint).

  11. Select the new notification endpoint created as described in step 9, and then click Next: Configure Tags. Provide the Key and Value and click Review.

  12. Review the configuration and click Create Auto Scaling group.

  13. A message is displayed on successful creation of the Auto Scaling group.

  14. Review the Auto Scaling group created.

  15. Verify the cluster association with A10 Harmony Controller in the cluster information screen.

Upgrading A10 Lightning ADC version in AWS Marketplace

The steps below are for existing Harmony Controller customers who already have A10 Lightning ADC instance(s) running in their AWS account and want to upgrade them to the new version. For that, the user needs the cluster ID of the existing A10 Lightning ADC instance(s) running in the AWS account, and then follows the steps below.

Upgrading A10 Lightning ADC Manually in AWS Marketplace

  1. Login to Harmony Controller, look for the A10 Lightning ADC cluster whose A10 Lightning ADC instance is already running in the AWS account, and copy its Cluster ID.

  2. Go to the AWS console and click EC2 > Launch Instance > AWS Marketplace > search for A10 Lightning ADC > Select.

  3. Click Configure Instance Details.

  4. Click Advanced Details, copy the JSON code below into the User data field and fill in the Cluster ID of the existing A10 Lightning ADC.

    Note

    The JSON code format has changed; do not use the old format to input the User data. Use the one below.

    User data Snippet:

    {
      "cluster_id": "Cluster-ID_from_UI",
      "edge_ip": ["https://<harmony-controller-address>/api/v2"],
      "api_svr_url": ["https://<harmony-controller-address>:8443/api/v2"]
    }

  5. Click Add Storage > Add Tag.

  6. Click Next: Configure Security Group > Select an existing security group > Review and Launch.

  7. Click Launch.

  8. Select a Key pair and click Launch Instance.

  9. Check the Launch Status.

  10. Verify the cluster association with Harmony Controller in the cluster Information screen. Delete the old A10 Lightning ADC instance once the association of the new A10 Lightning ADC instance is displayed on the screen.

Auto Upgrading A10 Lightning ADC in AWS Marketplace

To upgrade the A10 Lightning ADC version in an Auto Scaling Group (ASG) of the AWS account, follow the steps below.

  1. Login to Harmony Controller and search for the A10 Lightning ADC cluster that is already in an ASG in AWS.

  2. Look for the launch configuration information in the Cluster information screen.

  3. Click Launch Configuration in the AWS screen and search for the launch configuration you found in the Cluster screen.

  4. Select the A10 Lightning ADC and click Actions > Copy launch configuration.

  5. In the Copy launch configuration screen click Edit AMI, then click AWS Marketplace, search for A10 Lightning ADC and select the radio button Yes, I want to continue with this AMI.

  6. Click Next: Configure details.

  7. In the Configure details screen click Next.

  8. Select the existing security group of the running A10 Lightning ADC instance and click Review.

  9. Click Create launch configuration.

  10. Select the existing key pair or create a new key pair.

  11. Check the status.

  12. Click Auto Scaling Group, choose the existing A10 Lightning ADC and, under Details, increase the desired instance count (for example, if it is “1” change it to “2”), then wait for the new instance to launch.

  13. The cluster page now shows two A10 Lightning ADC instances, the old one and the updated one.

  14. Check the CPU stats of the new A10 Lightning ADC instance in analytics.

  15. In AWS, both the old and the updated A10 Lightning ADC instances are running.

  16. To make only the updated A10 Lightning ADC instance(s) active, delete the old instance(s) by reducing the desired instance count (for example, if it is “2” change it to “1”) in the “Auto Scaling Group” screen; the old instance is then automatically deleted by AWS.

  17. The old instance is terminated.

  18. The cluster screen now shows only the updated A10 Lightning ADC instance.

Deploying in Google Cloud Platform (GCP)

Automatic Launch of A10 Lightning ADC Cluster by System in GCP

To automatically launch an A10 Lightning ADC cluster, choose the option Auto (Launched by System) in the Add New Cluster page. For the auto launch of an A10 Lightning ADC cluster, GCP credentials have to be provided so that the system can access the various GCP launch resources of the user's GCP account. The user is also required to select the appropriate Project to associate with the cluster.

See also

For more information on creating GCP Credentials, refer to the Onboarding an Application section in this document.

In addition to the above information, the user also needs to provide the exact location (GCP region, network and subnets) where the A10 Lightning ADC should be launched, and the scale up/down policy for the cluster in accordance with higher/lower CPU usage. When the required configuration is saved, the A10 Lightning ADC instances are launched and automatically registered with the system into the specified cluster. A list of all GCP resources created during the process, as well as their status, is shown on the cluster page.

Note

Please ensure that TCP port 5666 is open on your A10 Lightning ADC node. As part of the A10 Lightning ADC image creation, we install the NRPE (Nagios Remote Plugin Executor) plugin, which allows the cloud team to monitor A10 Lightning ADCs remotely. Services using the NRPE daemon bind to port 5666 by default. This allows us to alert your team when any event occurs. If you have your own monitoring in place, you can decide NOT to open TCP port 5666. This applies to both manual and auto launch of A10 Lightning ADC.

Follow the steps below to auto launch A10 Lightning ADC cluster by the system:

  1. Click + to add a new cluster, provide the cluster name, attach the cloud credential and select the appropriate Project. By default the cluster type is set to Auto.

  2. Once the above step is completed, select the Region and then the Subnet(s) in which to launch the cluster, and set the Min/Max Instances for the cluster. Save the cluster and wait for it to launch.

  3. Wait for the status to change to Launch Successful.

Launching A10 Lightning ADC Cluster Manually in GCP

The A10 Lightning ADC cluster is launched manually when the user is not comfortable authorizing the system to launch the instances and other resources, which requires access to the user's GCP account.

Follow the steps below to launch A10 Lightning ADC cluster manually in GCP:

  1. Click + to add a new cluster, provide the cluster name and then select cluster type as Manual. Save the settings.

  2. The View/Edit Cluster screen shows the metadata, such as the Cluster ID and API server URL, that is used to associate the cluster with GCP.

  3. Login to GCP using the Google account credentials.

  4. Click Products and Services in the top left corner, and from the drop-down select Compute Engine > Instance Templates > CREATE INSTANCE TEMPLATE.

  5. Input the instance name and keep the other fields at their defaults, expand [Management, disk, networking, SSH keys] and then provide the metadata (cluster ID and API server URL or Edge IP) exactly as obtained in step 2.

  6. Create an Instance group and associate the Instance template with it. Keep all the fields at their defaults, select an existing instance or an instance template, and then click Create.

  7. View the status of the A10 Lightning ADC cluster instance.

Deploying in Azure Infrastructure

To launch the A10 Lightning ADC cluster in an Azure account, use the Azure machine image provided by A10 Networks in the Azure Marketplace. By manually launching the Lightning ADC instance, the user has the liberty to choose the placement of instances, but scaling and security must be configured manually by the user.

Automatic Launch of LADC Cluster by System in Azure

To automatically launch an LADC cluster, choose the option Auto (Launched by System) in the Add New Cluster page. For the auto launch of an LADC cluster, Azure credentials should be provided so that the system can access the various Azure resources in the user's Azure account.

See also

For more information on creating Azure Credentials, refer Onboarding an Application section in the document.

Once the user selects the Azure credentials, the user has to select the region in which to launch the LADC cluster. Using the Azure credentials, the system searches for all the networks in that region. The user can filter the list of networks and subnets by the name of the resource group to which they belong. Note that in Azure a resource group can be in one region while the resources inside it are in a different region; the user interface shows all the resource groups that have virtual networks in the selected region.

The LADC cluster is launched in its own new resource group, but it shares the virtual network selected by the user. The user should select an appropriate network to provide the required connectivity between the application servers and the LADC cluster. After selecting the network, the user needs to select the instance type and the number of instances required in the cluster. The user can provide a list of static IPs to be associated with the LADC instances. If no static IP is provided, the system launches each new LADC instance with a new static IP. Azure allocates the same IP to the same VM if the VM instance restarts for some reason.

The system creates a new resource group in the selected region and launches the selected number of LADC VM instances in that resource group. Each VM has a NIC associated with a static IP, placed in the selected subnet or network. The system also creates a Network Security Group (NSG) in the same resource group and associates it with the NIC of every LADC VM instance. This NSG has a few incoming rules, such as SSH port 22 allowed from whitelisted IPs and TCP port 5666 allowed. Whenever an application is associated with this cluster, that application's incoming ports are also added to this NSG to allow traffic through LADC. If an NSG is associated with the subnet the user selected in the configuration, the user should make sure that the subnet NSG lists the application traffic ports in its incoming rules.

Note

Please ensure that LADC instances automatically launched by the system in Azure are not deleted manually from the Azure Portal. If an auto-launched LADC is manually deleted from the Azure Portal, the system can no longer manage it, and application traffic is affected with unknown consequences. Please ensure that TCP port 5666 is open on your LADC node. As part of the LADC image creation, we install the Nagios Remote Plugin Executor (NRPE) plug-in, which allows the cloud team to monitor LADCs remotely. Services using the NRPE daemon bind to port 5666 by default. This allows us to alert your team when any event occurs. If you have your own monitoring in place, you can decide NOT to open TCP port 5666. This applies to both manual and auto launch of LADC.
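As an added illustration (not Harmony Controller code) of the NSG described above: the inbound rule set is modelled as a list of dicts, evaluated the way Azure evaluates NSG rules (lowest priority number first, first match wins, default deny), and audited against the expectations of this section: SSH reachable only from the whitelist, the application ports open, and a report on whether the NRPE port 5666 is reachable from the whole Internet so the operator can make the choice the note leaves open. The rule names, the whitelist 198.51.100.0/24 and the TEST-NET probe address are constructed values.

```python
"""Audit the inbound rules of an Azure-style NSG for an LADC cluster.
Added example; the rule model, helper names and sample values are assumptions."""
import ipaddress

ANY_SOURCES = {"*", "Internet", "0.0.0.0/0"}   # source specs meaning "anywhere"

# Constructed sample resembling the NSG described in this section.
SAMPLE_RULES = [
    {"name": "allow-ssh-whitelist", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "dest_port": "22", "source": "198.51.100.0/24"},
    {"name": "allow-nrpe", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "dest_port": "5666", "source": "*"},
    {"name": "allow-app", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "dest_port": "80-443", "source": "Internet"},
    {"name": "deny-all", "priority": 4096, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "dest_port": "*", "source": "*"},
]


def _port_matches(spec, port):
    """Azure port specs look like '*', '22' or '80-443'."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _source_matches(spec, ip):
    if spec in ANY_SOURCES:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def effective_access(rules, port, source_ip, protocol="Tcp"):
    """First matching inbound rule by ascending priority decides; no match means Deny."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["protocol"] not in ("*", protocol):
            continue
        if _port_matches(rule["dest_port"], port) and _source_matches(rule["source"], source_ip):
            return rule["access"]
    return "Deny"


def audit_nsg(rules, app_ports, ssh_whitelist, probe_ip="203.0.113.5"):
    """Return a list of findings; an empty list means the NSG meets the expectations.
    probe_ip is a TEST-NET address standing in for 'anywhere on the Internet'."""
    findings = []
    if effective_access(rules, 22, probe_ip) == "Allow":
        findings.append("SSH (22) is reachable from the Internet, not only from the whitelist")
    for cidr in ssh_whitelist:
        first_ip = str(ipaddress.ip_network(cidr, strict=False)[0])
        if effective_access(rules, 22, first_ip) != "Allow":
            findings.append("SSH (22) is blocked for whitelisted source %s" % cidr)
    for port in app_ports:
        if effective_access(rules, port, probe_ip) != "Allow":
            findings.append("application port %d is not reachable; add it to the NSG" % port)
    if effective_access(rules, 5666, probe_ip) == "Allow":
        findings.append("NRPE (5666) is reachable from the Internet; restrict the source if you monitor in-house")
    return findings


if __name__ == "__main__":
    for finding in audit_nsg(SAMPLE_RULES, [80, 443], ["198.51.100.0/24"]):
        print(finding)
```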

Auto Scaling of LADC Cluster with Azure

The user can provide a minimum and maximum number of instances for an LADC cluster. On launching, the system starts the minimum number of LADC instances. It scales up the number of instances based on the CPU utilization of the running instances: if the average CPU utilization of the running instances stays above 50% for more than two minutes, the system scales up by one instance, never exceeding the maximum number of LADC instances specified in the configuration. If the average CPU utilization of the running instances stays below 20% for more than four minutes, it scales down by one instance. There is a cooling period of five minutes between two scale events.
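The scaling policy above, simulated as an added example (not Harmony Controller code) so its behaviour can be checked before relying on it: one CPU sample per minute is assumed, "more than two minutes" is read as three consecutive high samples, the counters restart after every scale event, and the min/max bounds and the five-minute cooldown are enforced. The thresholds and timings are the ones stated on this page; the per-minute sampling and the counter handling are assumptions.

```python
"""Simulate the CPU-based scale up/down policy described for an LADC cluster.
Added example; sampling interval and tie-breaking details are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ScalePolicy:
    min_instances: int
    max_instances: int
    scale_up_cpu: float = 50.0      # percent, average over running instances
    scale_up_minutes: int = 2       # "more than two minutes" above the threshold
    scale_down_cpu: float = 20.0
    scale_down_minutes: int = 4     # "more than four minutes" below the threshold
    cooldown_minutes: int = 5       # cooling period between two scale events


@dataclass
class ClusterState:
    instances: int
    minutes_high: int = 0           # consecutive minutes above scale_up_cpu
    minutes_low: int = 0            # consecutive minutes below scale_down_cpu
    last_scale_at: Optional[int] = None
    events: List[Tuple[int, int, int]] = field(default_factory=list)  # (minute, old, new)


def step(policy: ScalePolicy, state: ClusterState, minute: int, avg_cpu: float) -> int:
    """Feed one per-minute CPU sample and return the instance count afterwards."""
    # Track how long the average has been continuously high or low.
    state.minutes_high = state.minutes_high + 1 if avg_cpu > policy.scale_up_cpu else 0
    state.minutes_low = state.minutes_low + 1 if avg_cpu < policy.scale_down_cpu else 0

    in_cooldown = (state.last_scale_at is not None
                   and minute - state.last_scale_at < policy.cooldown_minutes)
    target = state.instances
    if not in_cooldown:
        if state.minutes_high > policy.scale_up_minutes:
            target = min(state.instances + 1, policy.max_instances)   # never above max
        elif state.minutes_low > policy.scale_down_minutes:
            target = max(state.instances - 1, policy.min_instances)   # never below min
    if target != state.instances:
        state.events.append((minute, state.instances, target))
        state.instances = target
        state.last_scale_at = minute
        state.minutes_high = state.minutes_low = 0   # start a fresh window after a scale event
    return state.instances


def simulate(policy: ScalePolicy, cpu_samples, start: Optional[int] = None):
    """Run the policy over per-minute CPU averages; returns (instance history, events)."""
    state = ClusterState(instances=start if start is not None else policy.min_instances)
    history = [step(policy, state, minute, cpu) for minute, cpu in enumerate(cpu_samples)]
    return history, state.events


if __name__ == "__main__":
    # Constructed load: six minutes of 80% CPU, then twelve minutes of 10%.
    hist, events = simulate(ScalePolicy(min_instances=1, max_instances=2), [80] * 6 + [10] * 12)
    print(hist)      # [1, 1, 2, 2, 2, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1, 1, 1]
    print(events)    # [(2, 1, 2), (10, 2, 1)]
```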

Follow the steps below to auto launch LADC cluster by the system:

  1. Click + to add a new cluster, provide the cluster name and then attach the cloud credential. By default the cluster type is set to Auto.

  2. Once the above step is completed, select the Region and then the Network and Subnet(s) in which to launch the cluster, set the Max Instances for the cluster and select the instance size. Save the cluster and wait for it to launch.

  3. Wait for the status to change to Launch Successful.


Steps to launch A10 Lightning ADC Cluster manually in Azure Marketplace

  1. Click + to add a new cluster, provide the cluster name and then select cluster type as Manual. Save the settings.

  2. Login to Azure Marketplace and search for A10 Lightning ADC; from the search results select A10 Lightning ADC-BYOL to launch the VM.
  3. After the successful launch of A10 Lightning ADC, SSH to A10 Lightning ADC instance with the user-defined username and password.

  4. Run the below command to gain required privileges:

    sudo su
    
  5. Run register-cli command to register A10 Lightning ADC to cluster as shown, and then follow the steps in the example below to launch A10 Lightning ADC successfully:

    register-cli

    Example:

    Welcome to A10 LADC Shell
    It is advised to change the default password
    Do you want to change password([Y]es/No) : No
    Password not changed.Continuing with registration
    --------------------------------------------------
    Do you want to register LADC([Y]es/No): Yes
    Register your A10 Lightning ADC with the Controller using
    Cluster ID and API Server URL. You can get them by logging into
    A10 Lightning ADS and selecting the cluster name from the left
    pane.
    -------------------------------------------------------------
    Input the API server URL and Cluster ID that is obtained from
    the A10 Lightning ADS UI
    Please enter API server URL: https://<harmony-controller-address>/api/v2
    Please enter the cluster id: ofvrgvdj6i
    API Server URL: https://<harmony-controller-address>/api/v2
    Cluster ID: ofvrgvdj6i
    Is this information correct([Y]es/No) : Yes
    Applying changes
    Waiting for the proxy to get registered.
    Trying to connect to API server
    Starting registration
    Updated cluster id
    Updated API Server
    Restarting services
    Services restarted
    Congratulations!
    LADC activation is completed successfully.!
    
  6. After successful registration of Lightning ADC in Azure Marketplace, go back to the A10 Lightning ADS Cluster page and refresh the page to view the association of A10 Lightning ADC with A10 Harmony Controller.

Upgrading A10 Lightning ADC Cluster in Azure Infrastructure

This section of the document provides the steps to upgrade the A10 Lightning ADC version in the Azure Infrastructure.

  1. Copy the cluster ID from the running A10 Lightning ADC cluster and keep it ready.

  2. Login to Azure Marketplace and search for A10 Lightning ADC; from the search results select A10 Lightning ADC-BYOL to launch the VM.

  3. After the successful launch of A10 Lightning ADC, SSH to the A10 Lightning ADC instance with the username and password.

  4. Run the below command to gain the required privileges:

    sudo su

  5. Run the register-cli command to register A10 Lightning ADC to the cluster:

    register-cli

    When the above command is executed it prompts for the cluster ID; provide the cluster ID of the running A10 Lightning ADC.

  6. After successful registration of Lightning ADC in Azure Marketplace, go back to the A10 Lightning ADS Cluster page and refresh the page to view the association of A10 Lightning ADC with A10 Harmony Controller.

  7. Once the upgraded A10 Lightning ADC is associated with the A10 Harmony Controller, the user can delete the old A10 Lightning ADC.

  8. On successful deletion of the old A10 Lightning ADC cluster, the cluster page displays only the upgraded A10 Lightning ADC cluster.

Deploying in Docker Environment

Docker containers are based on open standards, enabling containers to run on all major Linux distributions and on Microsoft Windows and on top of any infrastructure.

A Harmony Controller user can deploy A10 Lightning ADC instances in a Docker container. This makes the deployment independent of the underlying infrastructure, so Lightning ADC can be deployed close to the application servers wherever those servers are deployed.

The user is expected to have the Docker engine installed, before starting the A10 Lightning ADC deployment. Also, the user should have the Lightning ADC cluster configured in Harmony Controller to obtain a cluster ID and API server URL.

Steps to configure a new cluster in Harmony Controller to obtain the cluster ID and API server URL:

  1. Login to Harmony Controller, click Add New Cluster, provide the cluster name, select cluster type as Manual and then click Save.

  2. Copy the cluster ID and API server URL from this page.

Command to launch Lightning ADC in Docker

Syntax

Single Port Mapping between host and container:

    docker run -tdi -e ladc_api_svr_url="https://<harmony-controller-address>/api/v2" -e ladc_cluster_id="<cluster-id>" --net=host --restart=always --privileged=true a10networks/ladc

With --restart=always, Docker restarts the container automatically whenever it stops, whether because the host rebooted or because the container exited for any reason.

Best practice is to map the same port on both host and container. Different host and container ports can be used, but make sure the host and container ports are mapped properly to avoid port conflicts.
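The same registration data feeds both the EC2 "User data" JSON of the AWS Marketplace steps and the environment of the docker run command above. The added example below (not A10 code) validates a pasted User data snippet in the current list-valued format, enforces https for the controller URLs, rejects a cluster ID that would be unsafe on a command line, and renders the docker run line with every value as its own argv element. The field checks, the accepted cluster ID shape, the helper names and controller.example.com are assumptions; pn446dtg7r is the cluster ID shown in the sample output on this page.

```python
"""Validate A10 Lightning ADC registration data and render the docker run line.
Added example; the checks, the id pattern and controller.example.com are assumptions."""
import json
import re
import shlex
from urllib.parse import urlsplit

CLUSTER_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")   # assumption: accepted id shape
REQUIRED_KEYS = {"cluster_id", "edge_ip", "api_svr_url"}

# Constructed sample in the format shown on this page.
SAMPLE_USER_DATA = """{
  "cluster_id": "pn446dtg7r",
  "edge_ip": ["https://controller.example.com/api/v2"],
  "api_svr_url": ["https://controller.example.com:8443/api/v2"]
}"""


def _check_api_url(url):
    """Accept only https://<host>[:port]/api/v2; the registration must not go over http."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("%s: controller URLs must use https" % url)
    if not parts.hostname or parts.path.rstrip("/") != "/api/v2":
        raise ValueError("%s: expected https://<controller>[:port]/api/v2" % url)
    return url


def parse_user_data(text):
    """Validate pasted EC2 User data (current format: list-valued URL fields)
    and return it as a dict with cluster_id, edge_ip and api_svr_url."""
    data = json.loads(text)
    if set(data) != REQUIRED_KEYS:
        raise ValueError("user data must contain exactly cluster_id, edge_ip and api_svr_url")
    if not isinstance(data["cluster_id"], str) or not CLUSTER_ID_RE.match(data["cluster_id"]):
        raise ValueError("cluster_id must be a short alphanumeric string")
    for key in ("edge_ip", "api_svr_url"):
        if not isinstance(data[key], list) or not data[key]:
            raise ValueError("%s must be a non-empty list of URLs" % key)
        data[key] = [_check_api_url(u) for u in data[key]]
    return data


def docker_run_argv(cluster_id, api_svr_url, image="a10networks/ladc"):
    """argv for the docker run line on this page.  Each value is its own argv
    element, so no shell parses it and no quoting can be confused."""
    if not CLUSTER_ID_RE.match(cluster_id):
        raise ValueError("cluster id is not safe to pass on a command line")
    _check_api_url(api_svr_url)
    return ["docker", "run", "-tdi",
            "-e", "ladc_api_svr_url=" + api_svr_url,
            "-e", "ladc_cluster_id=" + cluster_id,
            "--net=host",            # host networking, as on this page
            "--restart=always",      # restart after host reboot or container exit
            "--privileged=true",     # required by the image; grants host device access
            image]


def docker_run_line(cluster_id, api_svr_url, image="a10networks/ladc"):
    """The same command rendered for copy-paste into a shell, safely quoted."""
    return shlex.join(docker_run_argv(cluster_id, api_svr_url, image))


if __name__ == "__main__":
    cfg = parse_user_data(SAMPLE_USER_DATA)
    print(docker_run_line(cfg["cluster_id"], cfg["edge_ip"][0]))
```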

Below is the example output of docker run command:

a10networks@a10networks-Vostro-2520:~/Documents$ docker run -tdi -e ladc_api_svr_url=https://<harmony-controller-address>/api/v2 -e ladc_cluster_id=pn446dtg7r -p 9001:9001 a10networks/ladc
Unable to find image 'a10networks/ladc:latest' locally
latest: Pulling from a10networks/ladc

45a2e645736c: Pull complete
56be6eca40c3: Pull complete
d6c162c01b87: Pull complete
2540ad4ea6ad: Pull complete
f9b8f9143c3e: Pull complete
2b591b61a96b: Pull complete
7a2396516d24: Pull complete
c54b1d1b3aef: Pull complete
20878495513c: Pull complete
545071a7d8d2: Pull complete
f375f2caa368: Pull complete
18d8f7e70311: Pull complete
Digest: sha256:c73976c943b0a9389cd56b9fc4b56ca37c2f1625e6cbcf18bceb3257e372901f
Status: Downloaded newer image for a10networks/ladc:latest
ac240d887d4c1d7fca850acb5d0db93ff601ed5a1833da6d682c6fc0c29caf73

On-boarding an Application

An Application includes the configuration required for application delivery and allows the user to add many more complex policies as needed. To save an application, provide at least the name of the application and its traffic endpoint. The user can add more configuration once the application is created. To activate an Application, the user must provide details of the application servers that serve the application traffic and associate a valid A10 Lightning ADC cluster that has A10 Lightning ADCs launched and running.

To on-board a new Application, follow the sequence below in Harmony Controller:

  1. Add Credentials or use existing ones.
  2. Add A10 Lightning ADC Clusters or use existing ones.
  3. Add a new Application.

Adding a New Credential

Creating an AWS credential

Perform the steps below to add a new AWS Credential in Harmony Controller:

  1. Click + to add a new Credential.

  2. Select the Credential Type as Infrastructure Credentials.

  3. Enter the Name.

  4. Select the cloud type as AWS. Check the box Use same ARN for DNS (Route53) credential to provide the AWS account access for A10 Networks to manage Application configuration on the cloud.

  5. Input the ARN Role. Click View steps to get Role ARN, and follow the on-screen instructions to get the ARN role.


Creating a GCP credential

Perform the steps below to add a new GCP Credential in Harmony Controller:

  1. Click + to add a new Credential.

  2. Select the Credential Type as Infrastructure Credentials.

  3. Enter the Name.

  4. Select the cloud type as GCP.

  5. Click View steps to get Service Account Credential, and follow the on-screen instructions to get the service account credentials.

Adding a New Cluster

Creating an AWS Cluster

Perform the below steps to create a new AWS Cluster in Harmony Controller:

  1. Click + to add a new Cluster.

  2. Under Cluster Information, provide the Cluster name and select the Cluster Type as Auto.

  3. Under Infrastructure Information, select the Cloud type as AWS and select the Cloud Credential which is already created. If not created, then click Add Credential button to create one. And then, Save the configuration.


Creating a GCP Cluster

Perform the below steps to create a new GCP Cluster in Harmony Controller:

  1. Click + to add a new Cluster.

  2. Under Cluster Information, provide the Cluster name and select the Cluster Type as Auto.

  3. Under Infrastructure Information, select the Cloud type as GCP and select the existing GCP cloud credential. If not created, then click Add Credential button to create one. And then, Save the configuration.

  4. After selecting the GCP cloud credentials, select the appropriate project.

  5. Fill-in all the fields under A10 Lightning ADC Launch Information and click Save and Launch.

  6. View the A10 Lightning ADC launch status on this screen.

Adding New Application

Perform the steps below to add a new Application in Harmony Controller:

  1. Click + to add a new Application.

  2. Under Application Information, provide the Application Name and Application Endpoint (application URL), and then choose the product type as Basic or Pro.

  3. Under Application Server Information, choose the appropriate Discover App Server Using option from the list.

  4. Under A10 Lightning ADC Cluster Information, select an existing A10 Lightning ADC cluster. If none exists, click the Add Cluster button to create one. Then save the configuration.


Discover Application Server Using ELB

The steps below add a new application in A10 Lightning ADC and discover the application server using AWS ELB.

Assume the customer is using the CNAME of an ELB to load balance the traffic and wants to switch to the A10 Lightning ADC DNS name. First, run nslookup to see what the endpoint name currently resolves to:

nslookup ezelb.greatco.org

Non-authoritative answer:
ezelb.greatco.org canonical name = ez-elbdemo-1915081478.us-east-1.elb.amazonaws.com.
Name:    ez-elbdemo-1915081478.us-east-1.elb.amazonaws.com
Address: 34.202.89.44
Name:    ez-elbdemo-1915081478.us-east-1.elb.amazonaws.com
Address: 52.206.237.86

In the nslookup output above, the application endpoint resolves to the CNAME of the ELB. The following steps show how to change the DNS from the CNAME of the ELB to the A10 Lightning ADC DNS name.

  1. Click + to add a new application and provide all the information such as application name, application endpoint, and so on. Then, in the Application Server Information section, select AWS in the App Server Hosted With field, provide the credentials, and select ELB in the Discover App Server Using field as shown.

  2. On selecting ELB in the Discover App Server Using field, the ELB name and app server IP are discovered by A10 Harmony Controller.

  3. At this point the DNS is not updated yet, and the application is still using the CNAME of the ELB to load balance the traffic.

  4. Update the DNS credentials as shown: click Edit, update the credentials, select the DNS server, and then click Update DNS. Updating the DNS starts routing the traffic through A10 Lightning ADC.

  5. After updating the DNS credential, click Change DNS.

  6. On successful completion, a confirmation message is displayed.

Once the DNS is changed, run the nslookup again to confirm the changes as shown:

nslookup ezelb.greatco.org
Server:        8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
ezelb.greatco.org    canonical name =
cafenode.10h4stkre2.stage.ladc.a10networks.com.
Name:    cafenode.10h4stkre2.stage.ladc.a10networks.com
Address: 52.206.216.180

Now the nslookup output resolves to the A10 Lightning ADC DNS name, which confirms that the traffic is routed through A10 Lightning ADC.
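A small offline check of the cutover described above, added here as an example and not part of the original guide: it parses captured nslookup output (the two outputs shown above are embedded as constructed samples) and reports whether the endpoint's CNAME still points at the ELB or already at the Lightning ADC domain. The domain suffixes are taken from the outputs above; a CNAME that was wrapped across two lines by a narrow terminal should be joined before parsing.

```python
import re

# Suffixes taken from the nslookup outputs shown in this guide.
ELB_SUFFIX = ".elb.amazonaws.com"
LADC_SUFFIX = ".ladc.a10networks.com"

# "canonical name = target" (the target may start on the next line).
_CNAME_RE = re.compile(r"canonical name\s*=\s*(\S+)", re.IGNORECASE)
# Answer A records only: the resolver's own line "Address: 8.8.8.8#53"
# carries a port suffix and therefore does not match.
_ADDR_RE = re.compile(r"^Address:\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.MULTILINE)


def parse_nslookup(output: str) -> dict:
    """Return the CNAME target (lower-cased, trailing dot removed) and the
    list of answer IP addresses found in nslookup text."""
    m = _CNAME_RE.search(output)
    cname = m.group(1).rstrip(".").lower() if m else None
    return {"cname": cname, "addresses": _ADDR_RE.findall(output)}


def classify(cname) -> str:
    """Which tier the endpoint currently points at."""
    if cname is None:
        return "no-cname"
    if cname.endswith(ELB_SUFFIX):
        return "elb"
    if cname.endswith(LADC_SUFFIX):
        return "ladc"
    return "other"


def cutover_complete(output: str) -> bool:
    """True once the endpoint's CNAME points at the Lightning ADC domain."""
    return classify(parse_nslookup(output)["cname"]) == "ladc"


# Constructed samples, copied from the before/after outputs above.
BEFORE = """Non-authoritative answer:
ezelb.greatco.org canonical name = ez-elbdemo-1915081478.us-east-1.elb.amazonaws.com.
Name:    ez-elbdemo-1915081478.us-east-1.elb.amazonaws.com
Address: 34.202.89.44
Name:    ez-elbdemo-1915081478.us-east-1.elb.amazonaws.com
Address: 52.206.237.86
"""

AFTER = """Server:        8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
ezelb.greatco.org    canonical name =
cafenode.10h4stkre2.stage.ladc.a10networks.com.
Name:    cafenode.10h4stkre2.stage.ladc.a10networks.com
Address: 52.206.216.180
"""

if __name__ == "__main__":
    for label, out in (("before", BEFORE), ("after", AFTER)):
        result = parse_nslookup(out)
        print(label, classify(result["cname"]), result["addresses"])
```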

Reviewing Generated Configuration

Once the above steps are performed, verify the Application profile by reviewing the generated configuration from Configuration > Application.


Security Configuration

Cloud security breaches are becoming an increasing threat with the unprecedented pace at which the Cloud Service Delivery Model is being adopted by businesses and governments. Although shifting to cloud technologies is affordable and fast, businesses are increasingly vulnerable to security breaches and are ill-equipped to counter the sophisticated threats that can bring the infrastructure down and expose business-critical and sensitive data. Hence, it becomes increasingly important for organizations to have real-time insight into application traffic and to have strong security policies and controls in place to counter these attacks.

This diagram shows the major concerns in cloud security: Data Privacy and Data Loss.


The Security Policies in A10 Harmony™ Controller provide you with advanced techniques to control server responses, prevent threats, and protect sensitive information. You can configure the application security policies in A10 Harmony™ Controller from the Security tab in the Settings page and from the Security Policies tab in a SmartFlow.

Application Layer Data Theft Protection (WAF)

Harmony Controller Web Application Firewall (WAF) is an elastic service for application security with pre-configured rule sets and one-click provisioning. WAF helps defend against malicious activity, web attacks, and application attacks.

Inbound and Outbound Traffic Inspection by WAF

The figure below shows how WAF is deployed in the traffic path to inspect both inbound and outbound traffic. Some attacks (for example, malware, web shells, and backdoors) are detected in the response traffic, and the rest (for example, application attacks) are detected in the request traffic.


The cloud-specific WAF configured in the Lightning Application Delivery Controller provides real-time protection against attacks on application vulnerabilities on a per-application basis.

The Harmony Controller architecture provides the added advantage that when new A10 Lightning ADCs come up in your application infrastructure, they share the same WAF configuration. The elastic WAF service scales to ensure that sufficient resources are available to process the incoming traffic, so you need not re-configure WAF for each new A10 Lightning ADC added to the deployment. The application security policies (including the WAF policy) scale up as the application infrastructure expands.

The single pass integrated execution for WAF, load balancing, and other application delivery directives minimizes latency across the data plane. In Harmony Controller, security policies can be quickly enabled in the Cloud Services Controller (CSC) and changes are propagated to all A10 Lightning ADCs in an A10 Lightning ADC cluster. This way, an attack can be quickly mitigated.

The figure below shows a typical WAF deployment scenario in the A10 Lightning ADCs. WAF inspects incoming traffic and lets legitimate traffic flow through it.


Note

When configured in the Active mode, WAF blocks all malicious traffic based on the generic protection configuration. In Passive mode, WAF provides a warning to the user and lets all traffic (including malicious traffic) pass through it. See Configuring Web Application Firewall for more information.

One-Click Provisioning

Web Application Firewall (WAF) provides simpler provisioning of application-specific rules for modern web applications and safeguards cloud applications with higher levels of security and compliance. Provisioning and updating security rules for the broad range of applications used by enterprises is incredibly complex and poses an ongoing challenge for IT teams. Harmony Controller significantly decreases the time required to provision by providing a one-click rule set which instantly deploys thousands of preconfigured rules to secure popular applications against known threats.

Harmony Controller WAF includes preconfigured rule sets that protect against top common vulnerabilities (such as SQL injection and Cross-site scripting), and specific attack vectors in popular Web Applications like Microsoft SharePoint, Outlook Web Access, WordPress, Joomla, and others. This capability takes the guesswork out of determining what security controls are essential for each application, reduces false positives, and reduces the time for deploying application security to seconds.

Note

See Configuring Web Application Firewall and Configuring Application Security WAF Policy for more information on WAF configuration.

Additionally, Harmony Controller provides daily automatic ruleset updates, reducing the risk from emerging attack vectors and minimizing the occurrence of false-positive vulnerability reports.

Inheriting WAF Security Policy

WAF security policies can be applied both at the Global/Application level and at the SmartFlow level. Policies applied at the Application level can be inherited by the SmartFlow Application Security settings. At the SmartFlow level, the user can choose one of three application security policy options: Inherited, Enable, and Disable. Choose Inherited to use the same security policies as the Global level, Enable to customize the security policies at the SmartFlow Application Security level, or Disable to disable the policy.

The below figure shows the Security policy option available at Application level:


The below figure shows the Security policy options available at Smartflow level:


WAF Operation Modes

WAF has two exclusive modes of operation:

Active mode: In Active Mode, WAF prevents common threats from reaching the application server, based on the configuration for this mode.

Passive mode: In Passive Mode, WAF allows malicious traffic to pass through but warns the IT administrator. In other words, in this mode WAF raises alerts when threats are detected but does not block the threats.


You can create custom alerts using Harmony Controller alert functionality.

Configuring WAF Operation Modes

Follow the below steps to configure WAF policies in Generic Protection Mode in Harmony Controller:

  1. In the Harmony Controller screen click on Tenant > Tenant Name > Edit Configuration > Services > Edit SmartFlow

  2. In the Edit SmartFlow screen, under Policies, click the Security tab > Application Security. Then select an option to Enable, Disable, or Inherit the policies at the SmartFlow level.

    • Enable
      Enables the Application Security at SmartFlow level.
    • Disable
      Disables the Application Security at SmartFlow level.
    • Inherited
      Inherits the default security policies set at the Application level for the SmartFlow traffic.
  3. Set the WAF policies for Generic Protection Mode.


WAF Protection Modes

Generic Protection Mode

Most common forms of threats, such as SQL Injection and Cross-Site Scripting, are prevented in this protection mode.

Generic Protection Mode

Perform the steps below to configure WAF policies in Harmony Controller in the Generic Protection Mode:

  1. In the Harmony Controller screen click on Tenant > Tenant Name > Edit Configuration > Services > Edit SmartFlow
  2. In the Edit SmartFlow screen, under Policies, click the Security tab > Application Security. Enable the Application Security policy by clicking the Enable button. Select the Active WAF Mode by choosing the Active radio button.

Select the Protection Mode as Generic. Here, you can select the generic attack categories that should be identified and blocked from the generic attack categories listed on the screen.

  • SQL Injection
    Hackers inject SQL commands to access or delete database information.
  • Cross-Site Scripting (XSS)
    Attackers introduce client-side scripts in web pages to bypass access controls and bring down applications and websites.
  • Remote Command Execution
    Attackers use a breached application to execute arbitrary commands on the host’s operating system.
  • Remote File Inclusion (RFI)
    This involves using remote files located on the server to launch an attack.
  • Local File Inclusion (LFI)
    This involves using local files located on the server to launch an attack, instead of remote files.
  • Broken Session Management

By default, Cross-Site Scripting and SQL Injection are selected. You can select multiple categories using the Ctrl key, or select all groups using the Ctrl + A key combination.

IP Reputation

IP Reputation-based Traffic Filtering

To prevent geographically distributed DoS attacks, which can span multiple networks, Harmony Controller WAF provides the IP Reputation-based filter, which can be applied to applications in different geographic regions or collections of regions.

IP addresses can be filtered based on the following categories:

  • TOR Exit Nodes
    The IP addresses that are identified as TOR exit nodes.
  • Malicious Attack Sources Identified from Web Honeypots
    IP addresses of malicious sources identified from web honeypots.

When malicious IP addresses are identified by the IP Reputation-based filter, WAF blocks the attacks and records attack-related information in the logs.

Configuring IP Reputation

Perform the steps below to configure IP Reputation-based traffic filtering in Harmony Controller:

  1. In the Harmony Controller screen click on Tenant > Tenant Name > Edit Configuration > Services > Edit SmartFlow (the Pencil icon)
  2. In the Edit SmartFlow screen, under Policies, click the Security tab > Application Security. To enable IP Reputation, check the box next to it, as shown on the screen. Then save the security policy.

Block Sensitive Data

When the Block Sensitive Data WAF policy is enabled, Harmony Controller blocks certain data patterns from being captured by intruders who are trying to attack or harvest such data. Currently, this policy is designed to prevent sensitive data such as credit card or debit card numbers from being exposed to outsiders.
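An added illustration of the kind of check this policy performs on outbound responses (example code, not A10's implementation): candidate card numbers in a response body are located by pattern and confirmed with the Luhn checksum so that arbitrary 16-digit values such as order numbers do not trigger blocking. The masking mode is an added alternative the page does not describe, and the sample response body is constructed.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces
# or dashes, not glued to surrounding digits.
_PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled and
    digit-summed; a valid card number sums to a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits(match: str) -> str:
    return re.sub(r"[ -]", "", match)


def find_pans(body: str) -> list:
    """Return the Luhn-valid card-number strings present in a response body."""
    return [m.group(0) for m in _PAN_RE.finditer(body) if luhn_valid(_digits(m.group(0)))]


def mask_pan(match: str) -> str:
    """Keep the last four digits, replace the rest with 'X', preserve separators."""
    total = len(_digits(match))
    out, seen = [], 0
    for ch in match:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - 4 else "X")
        else:
            out.append(ch)
    return "".join(out)


def filter_response(body: str, mode: str = "block") -> tuple:
    """Apply the sensitive-data policy to one response body.
    mode="block": withhold the whole response if any card number is found
    (the behaviour described on this page).
    mode="mask": an added variant that masks the numbers in place.
    Returns (allowed, body_to_send, detected_numbers)."""
    hits = find_pans(body)
    if not hits:
        return True, body, hits
    if mode == "block":
        return False, "", hits
    masked = _PAN_RE.sub(
        lambda m: mask_pan(m.group(0)) if luhn_valid(_digits(m.group(0))) else m.group(0),
        body,
    )
    return True, masked, hits


if __name__ == "__main__":
    # Constructed response body: one order number (fails Luhn) and one
    # well-known test card number (passes Luhn).
    sample = "Order 1234567890123456 paid with card 4111 1111 1111 1111 exp 12/26"
    print(filter_response(sample))
    print(filter_response(sample, mode="mask"))
```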

Webshell/Backdoor Detection and Prevention

There are many methods attackers employ to upload web shell backdoor code onto compromised web servers, including Remote File Inclusion (RFI), the WordPress TimThumb plugin, and even non-web attack vectors such as stolen FTP credentials. Web shells can be written in any language that a server supports; some of the most common are PHP and .NET languages. These shells can be extremely small, needing only a single line of code, or can be fully featured with thousands of lines. Some are self-sufficient and contain all required functionality, while others require external actions or a “Command and Control” (C&C) client for interaction. Once installed, a shell has the same permissions and abilities as the user who put it on the server. Harmony Controller can identify whether a client is accessing a web shell/backdoor resource on your website/application by inspecting outbound HTTP data.

The Harmony Controller implementation was developed with access to thousands of captured web shells and includes custom detection rules, among them detections for:

  • C99 Shell
  • R57 Shell
  • WSO
  • PHP Shell
  • Stun Shell
  • JCE File Upload Shell
  • Basic File Uploader

Harmony Controller can detect and block web shells/backdoors on your application.

Configuring Web shell

Perform the steps below to configure Web shell/Backdoor Detection in Harmony Controller:

  1. In the Harmony Controller screen click on Tenant > Tenant Name > Edit Configuration > Services > Edit SmartFlow (the Pencil icon)
  2. In the Edit SmartFlow screen, under Policies, click the Security tab > Application Security. To enable Web shell, check the box next to it, as shown on the screen. Then save the security policy.

Botnet Attack Detection and Protection

Attackers build networks of infected computers, known as botnets, by spreading malicious software through emails, websites, and social media. Once infected, these machines can be controlled remotely, without their owner’s knowledge, and used as an army to launch an attack against any target. Botnet attacks attempt to execute botnet code on the server to spread infection.

Botnets can generate huge floods of traffic to overwhelm a target. These floods can be produced in multiple ways, such as sending more connection requests than a server can handle or having computers send the victim massive amounts of random data to use up the target’s bandwidth.

Enabling Botnet Protection at Layer 7 (Application Layer)

Perform the steps below to enable Botnet Protection in Harmony Controller:

  1. In the Harmony Controller screen click on Tenant > Tenant Name > Edit Configuration > Services > Edit SmartFlow (the Pencil icon)
  2. In the Edit SmartFlow screen, under Policies, click the Security tab > Application Security. To enable Botnet, check the box next to it, as shown on the screen. Then save the security policy.

BOT Protection

A bot attack is an unwanted request or set of requests originating from a bad BOT client to your network. Bad bots consume bandwidth, slow down your servers, steal your content, and look for vulnerabilities to compromise your servers.

An Internet Relay Chat (IRC) bot is a set of scripts or an independent program that connects to IRC as a client and so appears to other IRC users as another user. An IRC bot differs from a regular client in that, instead of providing interactive access to IRC for a human user, it performs automated functions. Harmony Controller can detect and alert on standard attacks originating from IRC bot clients.

Harmony Controller looks at the URL, parameters, user agent, and in some cases the request body to detect a botnet attack. In particular, it checks the following categories to detect a dangerous bot attack:

  • Common IRC Botnet attack command string
  • Common types of Remote File Inclusion (RFI) attack methods
  • URL Contains an IP Address
  • The PHP “include()” Function
  • RFI Data Ends with Question Mark(s) (?)
  • PHP Injection attack
  • RPC PHP Injection attack
  • SQL Injection attack
  • Local File Inclusion ENV Attack in User-Agent
  • e107 PHP Injection attack
  • XML-RPC PHP Injection attack
  • OsCommerce File Upload attack
  • Oscommerce File Disclosure and Admin ByPass
  • Zen Cart local file disclosure vulnerability
  • Opencart Remote File Upload Vulnerability
  • e107 Plugin my_gallery Exploit
  • Local File Inclusion attack

https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion

Configuring protection against bad BOTs

Harmony Controller subscribes to an IP reputation list as well as a user-agent reputation list to identify known bad BOTs. It eliminates the traffic from bad BOTs, enhancing the performance of your application servers.

Analytics on BOT Protection

You can use the dashboard (Analytics > Dashboard) to get more insights on BOT Protection.

For example, you can view the percentage of BOTs in the total number of threats detected in the Top Threats pie diagram in the Dashboard.


Note

See Application Security Analytics and Insights section for more information.

Malware Protection

Web-based malware is a growing threat to today’s Internet security. Attacks of this type are very prevalent in the cloud and lead to serious security consequences. Millions of malicious URLs are used as distribution channels to propagate malware all over the Web. After being infected, victim systems fall under the control of attackers, who can use them for various cyber crimes such as stealing credentials, spamming, and distributed denial-of-service attacks. Moreover, it has been observed that traditional security technologies such as firewalls and intrusion detection systems have only limited capability to mitigate this issue.

Harmony Controller provides Web-based Malware detection by inspecting HTTP response. The Malware Detection checks the response data for malicious code aimed at attacking clients.

Payloads are matched against:

  • Location response headers that redirect users to malware sites
  • Response body payloads that may contain off-site links (scripts and iframes) or full payloads

Harmony Controller identifies Web-based Malware in many categories including:

  • Drive-by-Download URLs
  • Malicious Redirect URLs
  • Malicious JS Payloads

Configuring Web-based Malware Detection

Perform the steps below to enable Web-based Malware Detection in Harmony Controller:

  1. In the Harmony Controller screen click on Tenant > Tenant Name > Edit Configuration > Services > Edit SmartFlow (the Pencil icon)
  2. In the Edit SmartFlow screen, under Policies, click the Security tab > Application Security. To enable Web-based Malware Detection, check the box next to it, as shown on the screen. Then save the security policy.

Cross-Site Request Forgery(CSRF)

Cross-Site Request Forgery (CSRF) is one of the most common web application attacks. CSRF occurs when a malicious website, email, blog, or other program causes a user's browser to perform an undesired action on a trusted site to which the user is currently authenticated. The request from the browser includes any information associated with the browser session or website, such as cookies, passwords, and so on. A CSRF attack occurs when the user is authenticated to the site, or when the user clicks a malicious link, button, or other malicious HTML element.

To counter such attacks, Harmony Controller implements a defense against CSRF by including a hash element in the forms submitted by a user. An attacker who wants to forge the form submission would need to know the unique key used to create the hash. For added protection, the hash key is generated uniquely for each user session, making its value difficult for an attacker to predict and thereby preventing CSRF attacks. The CSRF security feature can be enabled either at the Application level or at the SmartFlow level, by inheriting the default security policies set at the Application level or by enabling Application Security at the SmartFlow only.

When enabling CSRF, the form action URLs that need to be protected are an input parameter. A10 Lightning ADC looks at the responses and adds a hash to all the forms whose action URL matches a configured URL. It inspects the requests, and if the request URL matches a configured form action URL, it verifies the hash value in the request. If the value is not present or is incorrect, the request is blocked.

Configuring Cross Site Request Forgery (CSRF)

Perform the steps below to enable CSRF in Harmony Controller at the Application level:

  1. In the Harmony Controller screen click on Tenant > Tenant Name > Edit Configuration > Application > Security > Application Security
  2. In the Application Security screen, to enable CSRF, check the box next to it, as shown on the screen. Then save the security policy.

Function Level Access Control

Function Level Access Control attacks can result from inadequate security of sensitive request handlers within an application. An application may only hide access to sensitive actions, fail to enforce sufficient authorization for certain activities, or inadvertently expose an action through a user-controlled request parameter. These attacks can be much more complex and be the result of subtle edge cases in the underlying application logic.

A10's Function Level Access Control feature eliminates such attacks by adding a signature to all the links found in Href, Form action, Iframe source, Frame source, and Location response headers. If a signature mismatch is identified, the request is not allowed to proceed, thus eliminating Function Level Access Control attacks.

When enabling Function Level Access Control, the form action URLs that need to be protected are an input parameter. A10 Lightning ADC looks at the responses and adds a hash to all the forms whose action URL matches a configured URL. It inspects the requests, and if the request URL matches a configured form action URL, it verifies the hash value in the request. If the value is not present or is incorrect, the request is blocked.
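One way to implement the response-side signing and request-side verification described here and in the CSRF section above, added as an example and not A10's own code: a per-session HMAC key signs protected form actions (carried as a hidden field) and protected link targets (carried as a query parameter), and a request to a configured path is allowed only if its signature verifies. The field name `_ladc_sig`, the hidden-field and query-parameter transport, and the HMAC-SHA256 construction are assumptions; Iframe/Frame sources and Location headers, which the page also lists, are not handled.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumed name of the field/parameter carrying the signature; the name
# A10 uses is not given on this page.
TOKEN_FIELD = "_ladc_sig"

_FORM_RE = re.compile(r'(<form\b[^>]*\baction="([^"]*)"[^>]*>)', re.IGNORECASE)
_HREF_RE = re.compile(r'href="([^"]*)"', re.IGNORECASE)


def new_session_key() -> bytes:
    """Fresh secret per client session, so a signature captured from one
    session does not validate in another (the per-session key the text describes)."""
    return secrets.token_bytes(32)


def sign(session_key: bytes, action_path: str) -> str:
    """HMAC-SHA256 over the protected path, keyed with the session secret."""
    return hmac.new(session_key, action_path.encode(), hashlib.sha256).hexdigest()


def _path_of(url: str) -> str:
    return urlsplit(url).path or "/"


def protect_response(html: str, session_key: bytes, protected_paths: set) -> str:
    """Response side. Forms whose action matches a configured path get a
    hidden signed field (CSRF); links whose target matches get a signed
    query parameter (Function Level Access Control)."""

    def add_field(m):
        tag, action = m.group(1), m.group(2)
        if _path_of(action) not in protected_paths:
            return tag
        token = sign(session_key, _path_of(action))
        return f'{tag}<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'

    def add_param(m):
        href = m.group(1)
        if _path_of(href) not in protected_paths:
            return m.group(0)
        sep = "&" if "?" in href else "?"
        return f'href="{href}{sep}{TOKEN_FIELD}={sign(session_key, _path_of(href))}"'

    return _HREF_RE.sub(add_param, _FORM_RE.sub(add_field, html))


def check_request(session_key: bytes, url: str, form: dict, protected_paths: set) -> bool:
    """Request side. A request to a protected path is allowed only if it
    carries the signature for this session (form field or query parameter);
    a missing or wrong value means the request is blocked."""
    path = _path_of(url)
    if path not in protected_paths:
        return True  # not a configured action URL, nothing to verify
    supplied = form.get(TOKEN_FIELD)
    if not supplied:
        supplied = parse_qs(urlsplit(url).query).get(TOKEN_FIELD, [""])[0]
    if not supplied:
        return False
    return hmac.compare_digest(supplied, sign(session_key, path))


if __name__ == "__main__":
    # Constructed page with one protected form, one protected link, one plain link.
    key = new_session_key()
    protected = {"/transfer", "/admin/delete"}
    page = ('<form action="/transfer" method="post"><input name="amt"></form>'
            '<a href="/admin/delete?id=7">delete</a><a href="/help">help</a>')
    print(protect_response(page, key, protected))
    print(check_request(key, "/transfer", {}, protected))  # blocked: no signature
```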

Configuring Function Level Access Control

Perform the steps below to enable Function Level Access Control in Harmony Controller at the Application level:

  1. In the Harmony Controller screen click on Tenant > Tenant Name > Edit Configuration > Application > Security > Application Security
  2. In the Application Security screen, to enable Function Level Access Control, check the box next to it, as shown on the screen. Then save the security policy.

Dealing with False Alarms

The Harmony Controller Application Security Exceptions feature allows a user to create exceptions to application security rules in order to handle false positives (requests detected as attacks by application security that are not attacks). Such requests are blocked based on the conditions defined in the rules and other parameters. If the user wants such false positives to be allowed even though they look like a threat or attack, exceptions are created to override a few conditions defined in the rule and allow them. Application Security and Application Security Exceptions are two different policies; however, the exception policies take precedence over the security policies set in Harmony Controller.

Creating Exception Rules

Follow the steps below to create an Application Security Exception:

  1. Click on Tenant > Tenant Name > Edit Configuration > Security > Application Security Exception

  2. Click Add Rule > Select Rule Type > Select a URL condition from the list > Select a Parameter from the list > Select an Apply Rule On condition


These exceptions can also be set up from Analytics > Logs, or from the Analytics > App Dashboard > Blocked Request > Logs screen.

SSL Termination

Secure Sockets Layer (SSL) provides your visitors and businesses with an additional layer of security in deployment scenarios.

Elastic SSL refers to auto-scaling of SSL operations (handshake plus bulk encryption/decryption) based on SSL traffic. Harmony Controller provides elastic SSL that ensures auto-scaling of SSL resources with the increase in the user traffic to the site.

Harmony Controller offloads resource-intensive SSL encryption and decryption tasks to auto-scaling Cloud Services Proxy servers that are adjacent but separate from your dedicated application servers. This efficient architecture enables consistently high throughput at any traffic level providing processing efficiency and cost savings.

In a typical Harmony Controller deployment, the Lightning Application Delivery Controller is delivered as an elastic, highly available, resilient cluster. The cluster auto-scales to support variable workloads.

Use Harmony Controller’s elastic infrastructure to extend SSL capacity without changing your application code or web servers. Gain visibility into SSL traffic, behavior and potential attacks with Harmony Controller’s comprehensive application delivery analytics dashboards.

SSL between Client and Proxy

SSL Settings for an Application Domain

Harmony Controller accepts client requests for the domain names configured as application domains. When you onboard an application in Harmony Controller, an application domain is created by default (based on your application endpoint).

Follow the steps below to configure the SSL settings for an Application Domain(s):

  1. Click Tenant > Tenant Name > Edit Configuration on the Harmony Controller screen, from the drop-down list click Application.

  2. Click SSL Settings from the application settings screen.

  3. For each Application Domain (FQDN) provide the SSL Settings inputs if SSL is enabled on the Harmony Controller.


When you enable SSL in Harmony Controller, the following options are displayed:

Server Certificate Chain

For an SSL certificate to be trusted, it must be issued by a Certificate Authority (CA) that is included in the trusted store of the connecting device. If the certificate is not issued by a trusted CA, the connecting device (for example, the web browser) displays an error. If the certificate is from a trusted source, the connecting device establishes a secure and reliable connection. The list of certificates from the root certificate down to the end-entity certificate represents the SSL server certificate chain.

When entering the server certificate chain in the SSL settings for your application domain, you must append your CA's chain certificates to your server certificate to ensure that you provide the complete server certificate chain.

Server key

The private key of the application server that corresponds to the SSL certificate.

Choosing SSL Versions

Harmony Controller uses the TLS (Transport Layer Security) and SSL (Secure Sockets Layer) protocols for secure transmission of data between Harmony Controller and the application servers.

You can select one or more TLS/SSL versions from this list.

TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide data encryption and authentication between applications and servers in scenarios where the data is sent across an insecure network.

Note

The terms SSL and TLS are often used interchangeably or in conjunction with each other (TLS/SSL), but one is, in fact, the predecessor of the other: SSL 3.0 served as the basis for TLS 1.0.

Choosing a Cipher

A cipher is an algorithm used to encrypt and decrypt data. When a client initiates an SSL connection with a server, the client and server must agree on a cipher to use to encrypt information. In any two-way encryption process, both parties must use the same cipher. The cipher used depends on the current order of the cipher list kept by the server. The server chooses the first cipher presented by the client that matches a cipher in its list.

You can choose the supported cipher algorithms from the list for secure SSL connection between Harmony Controller and the application server.

Configuring SSL while adding Listening Ports

Harmony Controller listens for application traffic on the listening port. Note that before adding any HTTP/2 or SSL port as a listener port, make sure SSL is enabled.

To add a listener port, go to the Application Settings screen and click Add Port/Listener. Enter the listening port number, choose SSL or Http2, and then click the Save button.


SSL between Proxy and Server

Secure Sockets Layer (SSL) can be enabled to establish a secure encrypted connection between A10 Lightning ADC and the application servers, protecting the sensitive data exchanged during each session.

The SSL certificate installed on the application server must be from a trusted source for the SSL connection to be established.

Follow the steps below to add a Service in Harmony Controller:

  1. Click Tenant > Tenant Name > Edit Configuration on the Harmony Controller screen, from the drop-down list click Services.

  2. Click ADD NEW SERVICE from the Services settings screen.

  3. The Add New Service window displays the following SSL settings.


Click on the relevant help buttons to get more information on these options; these options are displayed in the Add Service window if SSL is enabled.

Validate Certificate

Mark the check-box, if you want to enable SSL certificate validation.

The value of an SSL certificate is protected by a standard two-point validation process:

  1. Verify that the applicant owns, or has the legal right to use, the domain name featured in the application.
  2. Verify that the applicant is a legitimate and legally accountable entity.

Send Server Name

Mark the check-box to enable the Send Server Name option. This flag enables or disables passing of the server name through the TLS Server Name Indication (SNI) extension when establishing a connection with the HTTPS application server.

Server Name

If ‘Send Server Name’ is enabled, this field overrides the server name passed through SNI when establishing a connection with the HTTPS application server. You can also enter the domain name of the certificate, or one of these variables:

  • $host
    The application domain for this service
  • $upstream_host
    The application server domain name (if domain name is not configured, then the IP address configured as application server is used).

Exposure Reduction

Header Rewrite

HTTP header rewrite lets you rewrite the HTTP request or response headers of the content exchanged between a client and a server. It is often used to keep compatibility between old and new URLs, to turn user-friendly URLs into CMS-friendly ones, and so on. It is also used to mask information leaked by the application servers in the HTTP headers. Attackers may use this leaked information to identify potential vulnerabilities and launch an attack.

Configuring Header Rewrite Policy

Follow the steps below to configure a rewrite policy for an HTTP header rule in Harmony Controller by editing the default Smart Flow:

  1. Click on Tenant > Tenant Name > Edit Configuration > Services > default-smart flow > Edit Smart Flow

    _images/image2.10.png
  2. Click on Security > Header Rewrites

    _images/image2.16.png
  3. Enable the policy using the Enable button. By default, the screen displays three X-Forwarded header screens.

    _images/image2.17.png

Enter the header name for the required X-Forwarded header screen, and enter the variable names for the Header Value.

For example, for the X-Forwarded-For screen, enter these variables:

  • $http_x_forwarded_for
    The variable corresponding to the client IP address.
  • $remote_addr
    The variable corresponding to the proxy through which the request passes.

Select the header rewrite Action. Enable the rules and save the policy. Save the SmartFlow.

The Action tab displays the following actions:

_images/image74.png

Returning Custom Content

Action Policies (Alias Response code or Redirect URL)

Action policies allow you to configure rules which specify custom content to return to the user (for example, an alias response code) in place of the response codes coming from the application server(s). Action policies enhance the user experience: for example, if you want to hide a particular response code from the user, you can specify an alias code in the action policy configured in the A10 Lightning ADC so that the user sees the alias code instead of the response code you want to hide.

Configuring Action Policy Rules

Follow the steps below to configure the Action policy in Harmony Controller:

  1. Click on Tenant > Tenant Name > Edit Configuration > Services > default-smart flow > Edit Smart Flow

    _images/image2.10.png
  2. Under Policies > Traffic > Action, click Enable to view the Action policy configuration screen.

    _images/image2.18.png

In the action policy rules, you can do the following:

  • Set up alias response codes or alias response URLs that A10 Lightning ADC should provide the user for response codes coming from the Application server.
  • Redirect the user to a redirect URL.
  • Add more than one action policy rule.
  • Configure Action policy rules from the Security tab (Path: Configuration > Security) by enabling Allow merging of rules.

Mask Policy

Masking allows you to control how servers respond to a user, thereby, increasing application security.

Configuring Mask Policy

Follow the steps below to configure the Mask policy in Harmony Controller:

  1. Click on Tenant > Tenant Name > Edit Configuration > Services > ADD SMARTFLOW > Edit SmartFlow

    _images/image2.10.png
  2. Under Policies > Security > Mask, click Enable to view the Mask policy configuration screen.

    _images/image2.19.png

The Mask policy configuration has three options:

  • Remove Server Header from Response
    Turn on this option to prevent users from knowing what type of web server is used in your operations.
  • Remove ETag Header from Response
    Turn on this option to prevent malicious users from learning that your website is hosted on multiple servers.
  • Return HTTP 404 if the server returns HTTP 5xx
    Enable this option to ensure users receive friendlier error messages, rather than having to read complicated error messages.
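As an added illustration (this is not A10's code), the following Python models what the Header Rewrite and Mask policies above do to one request and one response: X-Forwarded-For is rebuilt from $http_x_forwarded_for and $remote_addr, and the Server header, the ETag header and any 5xx status are masked. The ", " join format, the sample headers and all function names are this example's own assumptions.

```python
# Added example (not A10's code): a model of the Header Rewrite and Mask
# policies described above, applied to one request/response pair.
from typing import Dict, Tuple

Headers = Dict[str, str]


def resolve_variable(var: str, request: Headers, remote_addr: str) -> str:
    """Resolve the two variables the Header Rewrite screen uses.

    $http_x_forwarded_for -> the incoming X-Forwarded-For header ('' if absent)
    $remote_addr          -> the address of the peer that connected to the ADC
    """
    if var == "$remote_addr":
        return remote_addr
    if var == "$http_x_forwarded_for":
        # Header names are case-insensitive; look the header up accordingly.
        for name, value in request.items():
            if name.lower() == "x-forwarded-for":
                return value
        return ""
    raise ValueError(f"unsupported variable {var!r}")


def rewrite_x_forwarded_for(request: Headers, remote_addr: str) -> Headers:
    """Rebuild X-Forwarded-For as '<incoming chain>, <remote_addr>'.

    Assumption (the page lists the variables but not the join format): the two
    values are joined with ', ' so the full proxy chain is preserved. Only the
    last element ($remote_addr) is set by the ADC itself; the rest of the chain
    is client-supplied and must not be trusted for access decisions.
    """
    out = {k: v for k, v in request.items() if k.lower() != "x-forwarded-for"}
    chain = resolve_variable("$http_x_forwarded_for", request, remote_addr)
    peer = resolve_variable("$remote_addr", request, remote_addr)
    out["X-Forwarded-For"] = f"{chain}, {peer}" if chain else peer
    return out


def mask_response(status: int, headers: Headers,
                  remove_server: bool = True,
                  remove_etag: bool = True,
                  return_404_for_5xx: bool = True) -> Tuple[int, Headers]:
    """Apply the three Mask policy options to an upstream response.

    remove_server       -> 'Remove Server Header from Response'
    remove_etag         -> 'Remove ETag Header from Response'
    return_404_for_5xx  -> 'Return HTTP 404 if the server returns HTTP 5xx'
    """
    dropped = set()
    if remove_server:
        dropped.add("server")
    if remove_etag:
        dropped.add("etag")
    masked = {k: v for k, v in headers.items() if k.lower() not in dropped}
    if return_404_for_5xx and 500 <= status <= 599:
        status = 404
    return status, masked


if __name__ == "__main__":
    # Constructed sample traffic: a request that already passed one proxy and
    # an upstream 502 carrying the headers the Mask policy removes.
    req = {"Host": "app.example.com", "X-Forwarded-For": "203.0.113.7"}
    print(rewrite_x_forwarded_for(req, "198.51.100.9"))
    print(mask_response(502, {"Server": "Apache/2.4.41", "ETag": '"1a2b-5c3d"',
                              "Content-Type": "text/html"}))
```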

Sensitive Data Exposure

Access Control

IP Access Policy

Access Policies (Whitelists and Blacklists)

Access Policies let you define allow or deny rules for traffic from IP addresses. Specify the IP addresses from which traffic should be allowed or denied. This provides the mechanism to build whitelists (allow rules) and blacklists (deny rules), which admit requests based on the IP address or reject unwanted traffic.

Whitelist helps in preventing DDoS by allowing traffic only from trusted sources. Blacklist helps in preventing DDoS attacks by restricting traffic from known attackers.

Order of rules

  • A user can specify a network address instead of just an IP address.
  • The importance of the keyword ‘all’.
  • An example displaying a combination of allow/deny rules using an individual IP, a network address, and ‘all’.
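The following Python is an added example (not A10's code) of evaluating a combination of allow/deny rules built from an individual IP, a network address and the keyword ‘all’. The page describes the screens but not the matching algorithm, so the first-match, top-to-bottom order and the refusal of unmatched addresses are assumptions of this example; the 54.186.134.82 address is the one used later on this page.

```python
# Added example (not A10's code): an evaluator for ordered allow/deny rules
# that accept a single IP, a CIDR network, or the keyword 'all'.
import ipaddress
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class AccessRule:
    """One allow or deny rule, as entered on the Access policy screen."""

    def __init__(self, action: str, target: str, enabled: bool = True):
        if action not in ("allow", "deny"):
            raise ValueError(f"action must be allow or deny, got {action!r}")
        self.action = action
        self.target = target
        self.enabled = enabled
        # 'all' matches every address; anything else must parse as an IP or
        # network (a bare IP becomes a /32 or /128 network).
        self.network: Optional[Network] = (
            None if target == "all" else ipaddress.ip_network(target, strict=False)
        )

    def matches(self, client_ip: str) -> bool:
        if self.network is None:
            return True
        addr = ipaddress.ip_address(client_ip)
        return addr.version == self.network.version and addr in self.network


def evaluate(rules: List[AccessRule], client_ip: str) -> int:
    """Return the HTTP status a request from client_ip receives.

    Assumed semantics (the page shows the screens, not the algorithm): rules
    are checked top to bottom, the first enabled rule that matches decides,
    allow -> 200 and deny -> 403, and a request that matches no rule is
    refused. A disabled rule is skipped as if it were not there.
    """
    for rule in rules:
        if rule.enabled and rule.matches(client_ip):
            return 200 if rule.action == "allow" else 403
    return 403


def unreachable_rules(rules: List[AccessRule]) -> List[int]:
    """Indices of enabled rules that can never fire because an enabled 'all'
    rule precedes them; this is why the position of 'all' matters."""
    shadowed = []
    seen_all = False
    for i, rule in enumerate(rules):
        if not rule.enabled:
            continue
        if seen_all:
            shadowed.append(i)
        elif rule.network is None:
            seen_all = True
    return shadowed


if __name__ == "__main__":
    # Constructed policy: one blacklisted host, one trusted network, then 'all'.
    policy = [AccessRule("deny", "54.186.134.82"),
              AccessRule("allow", "10.0.0.0/8"),
              AccessRule("allow", "all")]
    for ip in ("54.186.134.82", "10.1.2.3", "192.0.2.10"):
        print(ip, evaluate(policy, ip))
    # Putting 'all' first silences the deny rule entirely.
    print(unreachable_rules([AccessRule("allow", "all"), policy[0]]))
```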

Configuring Allow Rule

Perform the steps below to configure an Allow rule in Harmony Controller.

  1. Click on Tenant > Tenant Name > Edit Configuration > Services > default-smartflow > Edit SmartFlow

  2. Under Policies > Security > Access, click Enable to view the Allow Rule configuration screen.

  3. Add an Allow rule by entering the IP address and enabling the rule, or enter the value all in the allow rule. Note that all is the default value.

    _images/image2.21.png

You can add multiple allow rules using the Add Rule button.

  • Save the Rule and policy.
  • Save the SmartFlow.
  • Send request to the Lightning Application Delivery Controller from the IP which is allowed.

Expected Results

When a request is made from an IP address specified in an Allow rule of the Access Policy, a 200 OK response code is displayed along with the content in the reply. When you specify the option all in the Access policy, requests from any client IP address receive the appropriate response.

Configuring Deny Rule

Perform the steps below to configure a deny rule in Harmony Controller:

  1. Click on Tenant > Tenant Name > Edit Configuration > Services > default-smartflow > Edit SmartFlow
  2. Under Policies > Security > Access > Deny, click Enable to disable the Allow Rule configuration.

Add a Deny Rule

Enter the IP address (For example, 54.186.134.82). Disable the rule, save the rule and the policy, and save the SmartFlow. Then send a request to the Application Delivery Controller from the IP which is denied.

Add multiple deny rules as required, using the Add Rule button.

  • Save the rules and policy.
  • Save the Smart Flow.
  • Send request to the Application Delivery Controller from the IP addresses specified in the Deny rules.

Expected Results

When requests are made from the IP addresses specified by Deny rules, a 403 Forbidden response is displayed.

Disable Rule Feature

Perform the step below to disable a rule in Harmony Controller:

Select Tenant > Tenant Name > Edit Configuration > Services > default-smartflow > Edit SmartFlow to edit the default Smart Flow. Choose Security > Access and then disable the Access policy using the Disable option.

Geographic Access Control

Controlling access based on any information in the HTTP request.

Protection against DDoS Attacks

A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. A DDoS attack can cripple your network and take your servers offline, by flooding the network with malicious traffic leaving no room for legitimate traffic.

Harmony Controller monitors traffic patterns to identify and protect your business from application-layer Distributed Denial of Service (DDoS) attacks. Clean user traffic is allowed through while the system identifies and drops malicious traffic before it can impact app server resources and availability. Harmony Controller detects and mitigates application layer threats such as SlowLoris, Slow Post, HashDoS, and GET Floods.

_images/ddos1.png

Application availability is maximized using Harmony Controller DDoS protection even during attacks. The elastic infrastructure allows mitigation to keep pace with application traffic and keeps latency to a minimum. The comprehensive traffic and security metrics in the Harmony Controller web interface help you learn about specific attacks and patterns in attack detection. Harmony Controller Blacklists and Whitelists and customized Web Application Firewall (WAF) rules help mitigate these attacks.

Harmony Controller Mitigation Mechanisms for DDoS Attacks

Harmony Controller provides different mitigation mechanisms to thwart Layer 4 network level attacks.

_images/image393.png

Types of Attacks and Mitigation Mechanisms

  • Volumetric/Flood Attacks
    IP protection, Rate limiting, and Throttling
  • Session attacks
    SSL termination and SSL re-negotiation validation; Elastic SSL with Auto-Scaling
  • Application Attacks
    Blacklist and Whitelist support, Full proxy for HTTP, Anomaly detection, Web Application Firewall (WAF)

Harmony Controller mitigates different types of DDoS attacks with security policies and features, as explained here:

By default, the mitigation mechanisms in Harmony Controller include connection pooling, surge protection, request queueing, and auto-scaling capabilities. These can absorb small to medium intensity attacks. If the attack is planned to exploit HTTP 1.1 protocol limits and is made in the form of SlowLoris, SlowPost or other similar “low and slow” attacks, the aggressively configured restrictions in the Surge Protection policy help to mitigate the attack. Limiting the total number of user sessions and rate limiting traffic within a session using the Session Tracking policy prevents the attacker from creating junk connections and hogging server resources. If the attack is done using a tool or IP network that is known for bad BOT traffic, the attack is prevented by the configuration setting in Harmony Controller that blocks dangerous BOT traffic. Obtaining the IP addresses of attackers and creating whitelists and blacklists (allow/deny rules) in the Access Policy prevents attacks from known IP addresses.

Connection Timeouts

Surge Protection Policy

The Surge Protection policy is the security policy in Harmony Controller that protects your infrastructure from external traffic surges caused by DDoS attacks which exploit parameters such as connection time and connection requests, or provisions of the HTTP protocol such as requests and responses. This policy allows you to specify limits and timeouts for handling traffic surges present in the network or created by attacks, by aggressively closing connections according to the policy configuration.

You can configure these functions in the Surge Protection policy screen in Harmony Controller:

  • Specify limits or timeouts for traffic surges by aggressively closing connections causing surges.
  • Prevent specific DDoS attacks such as SlowLoris and SlowPost by closing idle connections, or specifying limits for slow connections.
  • In attacks that exploit provisions of HTTP protocol, you can specify limits for the HTTP request body length or the maximum number of requests to process on a connection.

Configuring Surge Protection Policy

Perform the steps below to configure Surge Protection policy in Harmony Controller:

  1. Click on Tenant > Tenant Name > Edit Configuration > Security tab > Surge Protection menu. Enable the Surge Protection policy by clicking the Enable button.
  2. The Surge Protection policy screen displays with these fields:
_images/image2.25.png

Surge Protection limits can be set on these parameters:

  • Maximum allowed Request Body (bytes) Size
    You can set a limit on the HTTP request body length that can be accepted by the HTTP Provider Service to protect your system from malicious Denial-of-Service (DoS) attacks. The system controls this limit by inspecting the Content-Length header of the request or monitoring the chunked request body (in case chunked encoding is applied to the message). If the value of the Content-Length header exceeds the maximum request body length, then the HTTP Provider Service rejects the request with a 413 “Request Entity Too Large” error response.
  • The maximum number of requests to process on a connection
    You can limit the number of HTTP requests per source IP address, on a connection from the client to the application server. The limit can be an integer value between 0 and 65536.
  • Close idle connection after (seconds)
    Some attacks involve malicious clients that linger on with partial requests and responses, and indulge in minimum interaction to prevent server idle times from expiring. The attacks slow down applications by consuming system resources, leading eventually to an inability to handle server traffic. These are the “low and slow” attacks, as a relatively small number of clients can DoS the server stealthily and slowly, without consuming any significant bandwidth on the network.

In Harmony Controller, this field allows setting the time within which the system should close idle connections so that low and slow attacks are prevented.

Protection against SlowLoris

Slow Loris is an attack tool that holds HTTP connections open by sending partial HTTP requests. The headers are sent at regular intervals to occupy the application stack and keep connections from closing. This keeps the server threads and network resources from being released, eventually leading to collapse. The web server quickly reaches its maximum application stack capacity and becomes unavailable for new connections by legitimate users. From a protocol compliance perspective, this appears to be normal traffic which the signature or blacklist-based devices do not detect.

  1. Click on Tenant > Tenant Name > Edit Configuration > Services > default-smartflow> Edit SmartFlow
  2. Under Policies > Performance > Compressions
_images/image2.26.png

In Harmony Controller, this field allows you to protect against SlowLoris attacks by closing HTTP connections when the headers are not received within the specified time interval (in seconds). The default allowed time is 60 seconds.

Close connection if all headers are not received in (seconds) - Protection Against SlowLoris
Set the time (in seconds) after which a connection is closed if the HTTP headers have not been received within that period.

Protection against SlowPost

SlowPost is an attack tool which brings down a web server by creating long form field submissions. This is done by iteratively injecting one byte into a web application post field followed by a sleep period. The result is that application threads become stuck because they are occupied with these one-byte POST fragments.

_images/image63.png

In A10 Harmony Controller, this field allows you to protect against SlowPost attacks by closing HTTP connections if the request body is not received within the specified time interval (in seconds). The default allowed time is 60 seconds.

Close connection if it goes idle while receiving request body for (seconds) - Protection against SlowPost
Set the time (in seconds) after which an idle connection is closed while the HTTP request body is being received.

Terminate Connection after every request
When you enable this option, a new connection is opened for every new request (that is, the session is terminated after a request).
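To make the Surge Protection limits above concrete, here is an added Python example (not A10's code) of a per-connection guard that applies them: the body-size limit via Content-Length or a growing chunked body, the SlowLoris header timeout, the SlowPost body-idle timeout, the idle timeout, the per-connection request cap and the terminate-after-every-request option. The class and method names, the default limit values and the verdict strings are this example's own.

```python
# Added example (not A10's code): a per-connection guard that applies the
# Surge Protection limits described above. Timestamps are plain seconds, so
# the guard can be driven by a test clock as well as by time.monotonic().
from dataclasses import dataclass
from typing import Optional


@dataclass
class SurgeLimits:
    """The limits named on the Surge Protection screen (values are illustrative)."""
    max_body_bytes: int = 1_000_000        # Maximum allowed Request Body (bytes) Size
    max_requests_per_conn: int = 100       # maximum number of requests to process on a connection
    idle_timeout_s: float = 60.0           # Close idle connection after (seconds)
    header_timeout_s: float = 60.0         # Close connection if all headers are not received in (seconds)
    body_idle_timeout_s: float = 60.0      # Close connection if it goes idle while receiving request body
    terminate_after_request: bool = False  # Terminate Connection after every request


@dataclass
class Conn:
    """Per-connection bookkeeping kept by the guard."""
    last_activity: float
    request_started: Optional[float] = None  # None between requests
    headers_done: bool = False
    body_received: int = 0
    requests_served: int = 0


class SurgeGuard:
    def __init__(self, limits: SurgeLimits):
        self.limits = limits

    def start_request(self, c: Conn, now: float) -> str:
        """First byte of a new request line arrived."""
        c.request_started = now
        c.last_activity = now
        c.headers_done = False
        c.body_received = 0
        return "ok"

    def headers_received(self, c: Conn, now: float, content_length: Optional[int]) -> str:
        """All headers arrived; content_length is None for chunked encoding.
        Returns '413' when the declared body length already exceeds the limit."""
        c.headers_done = True
        c.last_activity = now
        if content_length is not None and content_length > self.limits.max_body_bytes:
            return "413"
        return "ok"

    def body_received(self, c: Conn, now: float, nbytes: int) -> str:
        """A slice of the body arrived; a chunked body is measured as it is read."""
        c.last_activity = now
        c.body_received += nbytes
        if c.body_received > self.limits.max_body_bytes:
            return "413"
        return "ok"

    def request_complete(self, c: Conn, now: float) -> str:
        """Request fully read. Returns 'keep-alive' or a reason to close."""
        c.requests_served += 1
        c.request_started = None
        c.last_activity = now
        if self.limits.terminate_after_request:
            return "close:per-request"
        if c.requests_served >= self.limits.max_requests_per_conn:
            return "close:max-requests"
        return "keep-alive"

    def tick(self, c: Conn, now: float) -> str:
        """Periodic timer check. Returns 'ok' or the timeout that fired."""
        lim = self.limits
        if c.request_started is not None and not c.headers_done:
            # SlowLoris: headers trickling in, measured from the request start
            if now - c.request_started > lim.header_timeout_s:
                return "close:slowloris"
        elif c.request_started is not None:
            # SlowPost: body in progress but no bytes received for too long
            if now - c.last_activity > lim.body_idle_timeout_s:
                return "close:slowpost"
        elif now - c.last_activity > lim.idle_timeout_s:
            # keep-alive connection with no request in flight
            return "close:idle"
        return "ok"


if __name__ == "__main__":
    # Constructed scenario: a client that never finishes sending its headers.
    guard = SurgeGuard(SurgeLimits())
    conn = Conn(last_activity=0.0)
    guard.start_request(conn, 0.0)
    print(guard.tick(conn, 30.0), guard.tick(conn, 61.0))
```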

Volumetric Traffic Limits

Session Tracking Policy

A session is a series of related browser requests that come from the same client during a period. Session tracking is a mechanism to track a customer session and enforce traffic management policies on sessions. During a session, a series of continuous web requests and responses from the same client to the server can cause traffic congestion and inadequate network bandwidth. This is because HTTP is a stateless protocol and the server does not store the incoming client information. Session tracking enables you to track a user’s progress over multiple servlets or HTML pages during a session. Session tracking mechanisms are required so that Volume-based DDoS attacks caused by large traffic generation from a single client, or a lot of connections created for a short duration from multiple clients can be detected and mitigated.

Session Timeout
You can specify an interval of time after which HTTP sessions expire. When a session expires, all data stored in the session is discarded. The session timeout is 30 minutes as per industry standards.

Session Tracking Policy in Harmony Controller

Session Tracking policy in Harmony Controller allows you to track user sessions and then limit usage of resources by those sessions. The Harmony Controller performs session tracking to apply rate limits on incoming web requests from clients to servers.

_images/image64.png

You can set these parameters in the session tracking policy in Harmony Controller:

  • Number of simultaneous user sessions for an application.
  • Number of simultaneous requests within a session.
  • The rate of requests per session.
  • The rate of session creation per application.

Note

See Step 3 of Configuring Session Tracking Policy in Harmony Controller for more information.

Configuring Session Tracking Policy

Perform the step below to configure the session tracking policy in A10 Harmony Controller:

Click on Tenant > Tenant Name > Edit Configuration > Security tab > Session Tracking to access the Session Tracking screen.

_images/image2.27.png

Configure the Session Tracking Mechanism. A10 Harmony Controller provides these mechanisms for session tracking:

A10 Lightning ADC cookie
This session tracking mechanism uses cookies to track sessions. A10 Harmony Controller inserts its own cookie to track a session, and a unique cookie identifies each session. Use this mechanism when traffic is expected from web clients that support cookies; the typical example is a web browser.
Client IP
This session tracking mechanism is based on tracking the sessions originating from a customer IP address to the application server. A session is identified by the IP address of the web client. This should be used when clients do not support cookies (For example, mobile apps) but are expected to have different public IP addresses.

Configure the following parameters for session tracking:

Maximum concurrent sessions
The maximum number of concurrent users accessing the application. You can set any integer value in this field.
Session create rate
The rate at which new user sessions are created for the application. This parameter is measured per second.
Maximum concurrent requests per session
The maximum number of concurrent requests in a user session. This field is particularly useful in browser sessions (when users access the application through browsers).
Request rate per session
The number of requests per second in a user session. This field is particularly useful in API-based sessions.

Note

Session Tracking can also be configured at the Smart Flow level.

Session Tracking Trend Graphs

You can view trend graphs and analytics of your session tracking policy from the Analytics > Dashboard > Blocked Requests menu.

_images/image2.32.png

Exporting and Importing Application Configuration from A10 Lightning Controller

This section discusses in detail the ways to import and export application configuration to and from A10 Lightning Controller.

The export function stores the logical configuration of an application from the A10 Lightning Controller to a user specified location. The import function uploads the logical configuration from local storage and creates a logical entity for the application on the A10 Lightning Controller. The export and import can be done in two ways - unencrypted export/import and encrypted export/import.

When the configuration is exported without a password, it is an unencrypted export and the returned content is plain text. When a password is specified during export, the returned configuration is encrypted with that password. When such an encrypted file is imported, the controller uses the password provided by the user to decrypt the configuration file and create the logical entity. Both the import and export operations are performed using the APIs.

APIs to Export/Import Application Configuration

The export API exports the configuration for a specific or all the applications for a tenant. The API generates a JSON file and returns it to user with or without encryption. The user can store this file as a configuration backup and use it if there is a need to restore the application.

Note: A tenant has two names, the display name and the tenant name. In the APIs mentioned below, use only the tenant name, not the display name.

To get the name of the tenant, invoke the following API:

API : GET /api/v2/providers/root/tenants HTTP/1.1

{
  "name" : "shared.1544D6813101544AF9231901C64B3DE665BC66AA",
  "displayName" : "tenant7.shared",
  "id" : "6b8a783b-45ed-482a-8dcb-40548d9230d8",
  "providerId" : "067e6162-3b6f-4ae2-a171-2470b63dff00",
  "state" : "ACTIVE",
  "createdAt" : "Mar 27, 2018 09:06:48 AM UTC",
  "lastModifiedAt" : "Mar 27, 2018 09:06:48 AM UTC",
  "lastModifiedBy" : "abc@xyz.com",
  "appCount" : 2,
  "clusterCount" : 1
}

{
  "name" : "t1",
  "displayName" : "t1",
  "id" : "49f96e1b-5ed8-417e-90c9-8904fe4c67a1",
  "providerId" : "067e6162-3b6f-4ae2-a171-2470b63dff00",
  "state" : "ACTIVE",
  "metadata" : {
  "marketPlace" : false,
  "accountType" : "SAAS"
}
  1. Export a specific application configuration for a tenant:

    GET http://<edge-ip>/api/v2/systems/configuration/<Application Name>/_exportconf
    **Parameters**
    
    - String password: Password, if provided then the returned configuration is encrypted.
    - Boolean excludeServers: If true, back-end servers are excluded from the exported application configurations.
    - Application Name : Application Name of the application to be exported.
    - Tenant: Tenant name to which this application belongs.
    - Provider: Provider name to which the tenant belongs.
    
  2. Export all the application configuration for a tenant:

    GET http://<edge-ip>/api/v2/systems/configuration/_exportconf
    **Parameters**
    
    - String password: Password, if provided then the returned configuration is encrypted.
    - Boolean excludeServers: If true, back-end servers are excluded from the exported application configurations.
    
  3. Import the application configuration(s) for a tenant:

    POST http://<edge-ip>/api/v2/systems/configuration/_importconf
    **Parameters**
    
    - @FormDataParam InputStream file: Encrypted or plain configuration file.
    - @FormDataParam String clusters: Comma separated list of cluster names with which the imported applications are to be associated.
    - String password: Optional, password to be used for decryption, when provided input file is encrypted.
    - String infraCredential: Infra-credential in the current tenant. If provided, then infra-credential available in the exported file is replaced by this.
    - String dnsCredential: Dns-credential in the current tenant. If provided, then dns-credential available in the exported file is replaced by this.
    - Boolean excludServers: If true, applications are imported excluding the back-end servers (even if exported configuration file has it).
    

Note 1: If a user tries to import an application that already exists, a conflict is returned; the user needs to delete the existing application before the conflicting application can be imported.

Note 2: While importing multiple applications, if the import fails for even a single application, no application is imported.
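The following Python is an added example (not A10's code) that resolves a tenant's display name to its name from the GET /api/v2/providers/root/tenants output and builds the export and import requests above with the standard library. It assumes that password and excludeServers travel as query parameters on the export call and as form fields on the import call (the page names the parameters but not their transport), omits the Tenant and Provider parameters for the same reason, and leaves authentication to the caller since the page does not describe it.

```python
# Added example (not A10's code): builds the export/import requests described
# above with the standard library only. The caller adds whatever
# authentication the controller requires and sends the request with
# urllib.request.urlopen().
import uuid
from typing import Dict, List, Optional
from urllib.parse import quote, urlencode
from urllib.request import Request


def tenant_name(tenants: List[Dict], display_name: str) -> str:
    """Map a tenant's display name to the 'name' field the APIs require,
    using the objects returned by GET /api/v2/providers/root/tenants."""
    for t in tenants:
        if t.get("displayName") == display_name:
            return t["name"]
    raise KeyError(f"no tenant with displayName {display_name!r}")


def export_request(edge_ip: str, app_name: Optional[str] = None,
                   password: Optional[str] = None,
                   exclude_servers: bool = False) -> Request:
    """GET .../<Application Name>/_exportconf, or .../_exportconf for all apps.

    password and excludeServers are sent as query parameters (an assumption:
    the page names them but not their transport). A password placed in a
    query string can end up in proxy and server logs, so treat those logs as
    sensitive when this option is used.
    """
    path = "/api/v2/systems/configuration/"
    path += f"{quote(app_name, safe='')}/_exportconf" if app_name else "_exportconf"
    params: Dict[str, str] = {}
    if password:
        params["password"] = password
    if exclude_servers:
        params["excludeServers"] = "true"
    url = f"http://{edge_ip}{path}"
    if params:
        url += "?" + urlencode(params)
    return Request(url, method="GET")


def import_request(edge_ip: str, config_bytes: bytes, clusters: List[str],
                   password: Optional[str] = None,
                   exclude_servers: bool = False,
                   boundary: Optional[str] = None) -> Request:
    """POST .../_importconf as multipart/form-data: the exported file plus the
    comma-separated cluster names, and optionally the decryption password.
    The 'excludServers' field name is spelled as the page lists it."""
    boundary = boundary or uuid.uuid4().hex
    fields = {"clusters": ",".join(clusters)}
    if password:
        fields["password"] = password
    if exclude_servers:
        fields["excludServers"] = "true"
    body = bytearray()
    for name, value in fields.items():
        body += (f"--{boundary}\r\n"
                 f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
                 f"{value}\r\n").encode()
    body += (f"--{boundary}\r\n"
             'Content-Disposition: form-data; name="file"; filename="app-config.json"\r\n'
             "Content-Type: application/octet-stream\r\n\r\n").encode()
    body += config_bytes + b"\r\n"
    body += f"--{boundary}--\r\n".encode()
    return Request(f"http://{edge_ip}/api/v2/systems/configuration/_importconf",
                   data=bytes(body), method="POST",
                   headers={"Content-Type": f"multipart/form-data; boundary={boundary}"})


if __name__ == "__main__":
    # Constructed tenant list mirroring the shape of the API output above.
    tenants = [{"name": "t1", "displayName": "t1"}]
    print(tenant_name(tenants, "t1"))
    print(export_request("<edge-ip>", "shop", exclude_servers=True).full_url)
```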

A10 Lightning ADC Use Case Scenarios

This section of the document briefly discusses the various configuration scenarios which a user can implement using the features offered by A10 Harmony Controller. These use cases help users understand the A10 Harmony Controller features better, and how these features can be effectively used to address various scenarios. For example, if a user wants to block traffic to his network from a specific country, the user can use the SmartFlow feature in A10 Harmony Controller to create a service condition that blocks traffic from that country. Similarly, many other use case scenarios are discussed in this section of the document.

Traffic Management Use Cases

1.1 Redirecting HTTP traffic to HTTPS

In an ideal scenario, when you enter a URL (http://www.example.com) in your web browser, the browser sends an HTTP command to the web server to fetch and transfer the requested web page. Here, your web browser is the client and your website host is the server. Sometimes the client may be exchanging private information with the server, which needs to be secured to prevent interception. For this reason, we redirect the traffic from HTTP to HTTPS using the SmartFlow feature in A10 Harmony Controller. The ‘S’ at the end of HTTPS stands for ‘Secure’: all communications between your browser and the website are encrypted. HTTPS is often used to protect highly confidential online transactions like online banking and online shopping order forms.

To redirect traffic from HTTP to HTTPS in A10 Harmony Controller, the user can use the SmartFlow feature to create a smart flow condition for a particular service (or services) so that any data exchanged through A10 Harmony Controller is secure. Rather than creating a smart flow condition for each URL request, the user can enter https://$host$request_uri in the Redirect URL field and set the condition to Redirect the traffic, which redirects all URL requests.

In this case, a request from the client hits the smart flow and if the condition matches, then the traffic is redirected from HTTP:// to HTTPS:// [temporarily or permanently] for the requested URL.

Steps to configure a Smartflow policy to redirect traffic:

  1. Login to the A10 Harmony Controller.

  2. Click Configuration > Services > Smartflow

  3. Click Add a new Smartflow and set the conditions and then save.

    _images/image10.0.png

    See also

    Adding a Smartflow section under Traffic Management Configuration, for more information on Smartflow configuration.

1.2 Dealing with DDoS Attack

A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example, a botnet) flooding the targeted system with traffic. This use case discusses the Surge Protection feature in A10 Harmony Controller, which is designed to prevent such attacks.

If the attack is made in the form of SlowLoris, SlowPost or other similar low and slow attacks, the aggressively configured restrictions in the Surge Protection policy help to mitigate such attacks. In addition, limiting the total number of user sessions and rate limiting traffic within a session using the Session Tracking policy prevents the attacker from creating junk connections and consuming server resources.

See also

Protection against DDoS Attacks section under Security Configuration for more information on Surge Protection policies, and how to configure them.

1.3 Estimate the Rate Limit Configuration Values

This use case discusses the effort to estimate the Rate Limit configuration values considering the analytics of various other parameters.

By combining the session tracking analytics with the per-request analytics, the user can estimate the values for the Rate Limit configuration.

A session is defined as a single user agent such as a browser or an API client. Each session has an idle expiry time that defaults to 30 minutes (this cannot be changed currently). A session can be tracked in two ways.

  1. LADC Cookie

    Cookies are maintained by LADCs and are returned with every response. Each user agent is uniquely identified by the combination of source IP and port.

  2. Client IP

    Only the source IP of the client is used to identify a user agent uniquely.

Based on the values obtained from the four parameters discussed below, the user can estimate the values to configure for Rate Limiting.

  3. Number of Concurrent Sessions

    The maximum number of sessions (or user agents) that can be accepted at any given point in time. Suppose it is set to a value of 100; then approximately a maximum of 100 user agents can be served at any point in time. Any more user agents will get a 403 Forbidden response. This value can be retrieved from the “active sessions” value in the session tracking graphs (under App Dashboard > Blocked requests).

  4. Number of Concurrent Requests per Session

    The maximum number of open requests (for which a response has not been received yet) that can be accepted at any given point in time. This value can be derived from a total number of requests that can be served at any given point in time and the number of concurrent sessions. Number of concurrent requests per session = Total number of requests/Number of concurrent sessions. Let us suppose that it is known from the app server infrastructure/health that they can support a maximum of 10000 outstanding requests at any point in time and the maximum number of concurrent sessions (as seen from the graphs) is 1000. Therefore the number of concurrent requests per session can be set to 10.

  5. Session Rate

    The maximum number of sessions that can be accepted per second. In other words, this implies the maximum number of user agents that can be served per second. This can be used to block too many new user agents served by the App server infrastructure per second.

  6. Request Rate per Session

    The maximum number of requests per second that can be made over a session. This blocks user agents from sending too many requests per second over a session.

1.4 Release a New Version of the Application to a Specific Domain

A user may need to test a new version of the application with zero downtime. In this case, the user can use the Blue/Green feature in A10 Harmony Controller to set traffic steering policies for inbound traffic across old (blue) and new (green) deployments while both environments remain online. The user can monitor blue and green server behaviour and health metrics to adjust traffic steering rules in real time.

The following use case helps the user to understand how to configure the Blue/Green deployment feature in A10 Harmony Controller to steer traffic to a specific user domain, whenever there are any new additions to the application or to release a new version of the application.

In this use case, we discuss four different Blue/Green deployment scenarios: specific user, specific browser, specific country, and specific device. Basically, the Blue/Green policy steers the inbound traffic across old (blue) and new (green) deployments, while both environments remain online, based on the policy configured.

See also

Traffic Management Configuration for more information on Blue/Green deployment.

Configuring Blue/Green Policy

  1. Click Configuration > Blue/Green

  2. Click Configure a Blue/Green Deployment

    _images/image9.8.png
  3. Select the Blue Service from the drop-down.

    _images/image9.9.png
  4. Configure the condition(s) to direct the Green traffic based on requirement.

    _images/image9.10.png

The first four steps are the same for every policy; only the conditions differ, as shown below.

Specific User

To steer traffic for a specific user, set the conditions as shown below. The If condition can be a Header, Cookie, or Query Parameter that identifies the user. These values are supplied by the client, so treat this as a routing convenience rather than an access control for the green deployment.

_images/image9.11.png

Specific Browser

To steer traffic from a specific browser, set the conditions as shown below.

_images/image9.12.png

Specific Country

To steer traffic from a specific country, set the conditions as shown below. The value must be the country code (for example, US).

_images/image9.13.png

Specific Device

To steer traffic from a specific device, set the conditions as shown below.

_images/image9.14.png

Security Configuration Use Cases

1.1 Block Traffic from a Specific Country

The following use case covers blocking traffic from a specific country, for example to reduce exposure to attacks originating there. The user creates a security policy in A10 Harmony Controller for this. Note that the country is derived from the client IP address by geolocation, so the policy reduces rather than eliminates traffic from that country: clients behind proxies or VPNs may be attributed elsewhere.

The security configuration policies in A10 Harmony Controller let a business build a policy that blocks traffic from a specific country. The policy can be enabled on existing service(s) or on a new service profile. In this example, we create a new service and then add a SmartFlow condition that blocks traffic from the specified country.

Configuration steps:

  1. Click Add New Service > Provide Name, Description, IP and Port Number.

  2. Set the Service conditions as shown and then Save. Here, US is the country code for the United States.

    _images/image9.0.png
  3. Activate the Service.

  4. Click Add SmartFlow > Set SmartFlow conditions > Save.

    _images/image9.1.png

1.2 Block Traffic from a Specific Network

Attacks can originate from a known network or from an unknown one. When a source network is known to be hostile, blocking it outright is the simplest defence. This use case shows how to block traffic from such a network with a traffic blocking policy in A10 Harmony Controller.

The security configuration policies in A10 Harmony Controller let a business build a policy that blocks traffic from a specific network, matched on the client IP address. The policy can be enabled on existing service(s) or on a new service profile. In this example, we create a new service and then add a SmartFlow condition that blocks traffic from the specified network.

Configuration steps:

  1. Click Add New Service > Provide Name, Description, IP, and Port Number.

  2. Set the Service conditions as shown and then Save. Here, the value is the IP address of the client network whose traffic is to be blocked. The match is on the source address the ADC sees, so if the ADC sits behind another proxy or load balancer, that address belongs to the proxy, not to the client.

    _images/image9.2.png
  3. Activate the Service.

  4. Click Add SmartFlow > Set SmartFlow conditions > Save.

    _images/image9.3.png

1.3 Block Traffic from a Specific Browser

Sometimes a user needs to block traffic from a specific browser, for instance one the application does not support. If the application is not compatible with a particular browser, the server may not respond usefully to its requests, yet those requests still consume resources and can contribute to downtime, so it is simpler to reject them at the ADC.

To address this, A10 Harmony Controller lets a business build a policy that blocks traffic from a specific browser based on conditions such as header name, match type (match if), case sensitivity and value. The policy can be enabled on existing service(s) or on a new service profile. In this example, we create a new service and then add a SmartFlow condition that blocks traffic from the specified browser.

Configuration steps:

  1. Click Add New Service > Provide Name, Description, IP, and Port Number.

  2. Set the Service conditions as shown and then Save. Here, define the Header name as User-Agent and the value as a string identifying the browser (for example, Mozilla in this case). Be aware that almost every modern browser's User-Agent string begins with Mozilla/5.0, so a value of Mozilla matches Chrome, Safari and Edge as well as Firefox; to block Firefox alone, match on Firefox instead. Because the User-Agent header is set by the client, this is a compatibility control, not a security boundary.

    _images/image9.4.png
  3. Activate the Service.

  4. Click Add SmartFlow > Set SmartFlow conditions > Save.

    _images/image9.5.png

1.4 Block Traffic from a Specific Device

This use case is very similar to blocking traffic from a specific browser; the difference is that the condition identifies a device type rather than a browser.

The security configuration policies in A10 Harmony Controller let a business build a policy that blocks traffic from a specific device based on service policy conditions. The policy can be enabled on existing service(s) or on a new service profile. In this example, we create a new service and then add a SmartFlow condition that blocks traffic from the specified device.

Configuration steps:

  1. Click Add New Service > Provide Name, Description, IP, and Port Number.

  2. Set the Service conditions as shown and then Save. Here, define the Header name as User-Agent and the value as a string identifying the device (for example, Macintosh in this case). As with the browser rule, the device is inferred from a client-supplied header, so anyone who wants through can change it.

    _images/image9.6.png
  3. Activate the Service.

  4. Click Add SmartFlow > Set SmartFlow conditions > Save.

    _images/image9.7.png
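
The Blue/Green scenarios in section 1.4 above and the four security use cases (1.1 to 1.4) all evaluate the same kinds of request condition (Header, Cookie, Query Parameter, Country, client IP) and differ only in the action taken: steer to green, or block. The evaluator below is an added example, not A10 code, and does not claim to reproduce the controller's exact matching semantics. The condition kinds, the `Request` fields, the GeoIP table and the User-Agent strings are hypothetical stand-ins constructed for illustration; it also shows why matching User-Agent on Mozilla blocks more than Firefox.

```python
"""Evaluator for Blue/Green steering and SmartFlow blocking conditions.

Added example, not A10's code. Condition kinds, field names, the GeoIP
table and the sample requests are constructed stand-ins.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    client_ip: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)


# Constructed GeoIP stand-in: prefix -> country code (documentation ranges).
GEOIP = {"198.51.100.0/24": "US", "203.0.113.0/24": "DE"}


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, code in GEOIP.items():
        if addr in ipaddress.ip_network(net):
            return code
    return "ZZ"  # unknown; never equals a real country code


@dataclass
class Condition:
    kind: str                # header | cookie | query | country | network
    value: str
    name: str = ""           # header/cookie/query name; unused for country/network
    match: str = "contains"  # contains | equals
    case_sensitive: bool = False

    def holds(self, req):
        if self.kind == "network":
            return ipaddress.ip_address(req.client_ip) in ipaddress.ip_network(self.value)
        if self.kind == "country":
            actual = country_of(req.client_ip)
        else:
            table = {"header": req.headers, "cookie": req.cookies, "query": req.query}[self.kind]
            if self.kind == "header":  # header names are case-insensitive
                table = {k.lower(): v for k, v in table.items()}
                actual = table.get(self.name.lower())
            else:
                actual = table.get(self.name)
            if actual is None:
                return False
        left, right = (actual, self.value) if self.case_sensitive else (actual.lower(), self.value.lower())
        return left == right if self.match == "equals" else right in left


def steer(req, green_conditions):
    """Blue/Green: every condition holds -> green, otherwise the existing blue deployment."""
    return "green" if all(c.holds(req) for c in green_conditions) else "blue"


def allowed(req, block_rules):
    """Security SmartFlow: each rule is a list of ANDed conditions; any matching rule blocks."""
    return not any(all(c.holds(req) for c in rule) for rule in block_rules)


# Constructed User-Agent strings; note that both begin with "Mozilla/5.0".
FIREFOX_MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
CHROME_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"


def demo():
    tester = Request("198.51.100.7", headers={"User-Agent": FIREFOX_MAC}, cookies={"beta": "1"})
    visitor = Request("203.0.113.9", headers={"user-agent": CHROME_WIN})

    # Blue/Green "specific user": a cookie identifies who gets the green deployment.
    green_if_beta = [Condition("cookie", name="beta", value="1", match="equals")]

    # Security rules mirroring the use cases above.
    block_us = [[Condition("country", value="US", match="equals")]]
    block_net = [[Condition("network", value="203.0.113.0/24")]]
    block_mozilla = [[Condition("header", name="User-Agent", value="Mozilla")]]
    block_firefox = [[Condition("header", name="User-Agent", value="Firefox")]]
    block_mac = [[Condition("header", name="User-Agent", value="Macintosh")]]

    return {
        "tester_route": steer(tester, green_if_beta),
        "visitor_route": steer(visitor, green_if_beta),
        "us_blocked": not allowed(tester, block_us),
        "net_blocked": not allowed(visitor, block_net),
        "mozilla_blocks_chrome": not allowed(visitor, block_mozilla),  # over-broad match
        "firefox_blocks_chrome": not allowed(visitor, block_firefox),  # specific match
        "mac_blocked": not allowed(tester, block_mac),
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key}: {result}")
```

Header, cookie and User-Agent conditions match whatever the client chose to send, so in this model, as in the controller, they are routing and compatibility controls; only the network condition matches something the client cannot simply rewrite, and even that is the address the ADC sees rather than the originating client when a proxy is in the path.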