GSLB Service Configuration
Overview
This article explains the methods and options available to configure a GSLB service. Within a single Avi GSLB configuration, a set of identical services running at multiple sites can be formed into a GSLB service.
Note: Starting with Avi Vantage release 18.2.9, IPv6 address for GSLB is supported.
Prerequisite
A user with write access to GSLB Services is required to configure them. This is granted in the GSLB section of a role, as shown below for the Tenant-Admin role.
Configuring GSLB Service Basic Setup
-
Navigate to Applications > GSLB Services. Click on the Create option, and select the Basic Setup option.
-
Name – The GslbService object name that will appear in other UI screens. This is a reference to the global application hosted on Avi Vantage.
-
Application Name – This field concatenated with the Subdomain forms the FQDN of the application.
-
Subdomain – This drop-down menu is pre-populated with the subdomains associated with the GSLB configuration. Add or subtract to the set by navigating to Infrastructure > GSLB > Site Configuration.
Notes:
- When first entered, a sub-domain should take the form alpha.beta.com. When it appears in the pulldown, Avi Vantage automatically prefixes it with a dot.
- To support aliasing, a GSLB service can have one or more FQDNs associated with it. For example, www.foo.com and www.foo.us may point to the same GSLB service. Aliasing avoids having to create multiple identical GSLB services.
-
Health Monitor – If the DNS Service Engine is to generate synthetic traffic via which to mark a service up or down, this field specifies which monitor to use. Five are included by default and automatically appear in the drop-down list:
- System-GSLB-UDP
- System-GSLB-HTTPS
- System-GSLB-HTTP
- System-GSLB-TCP
- System-GSLB-Ping
Use the Create option to create a custom monitor. Alternatively, navigate to Templates > Profiles > Health Monitors to define a custom monitor to use with the global application.
-
Health Monitor Scope – By default, health monitors will assess the health of all GSLB pool members (Avi virtual services or external (third-party) VIPs). Choose Only Non Avi Members if the data path monitoring of Avi members is redundant to the control path health monitoring.
-
Controller Health Status – The default is to assess the health of Avi member services by collecting virtual service health status from their local Avi Controllers. This option is irrelevant to external VIPs, whose health can only be assessed via data path health checks.
-
Groups Load Balancing Algorithm – The load balancing algorithm picks a GSLB pool within the GSLB service list of available pools. Choose one of two algorithms, priority- or geolocation-based.
-
Minimum number of Servers – The minimum number of up members across which traffic is distributed. If non-zero, this value ranges from 1 to 65535. Zero is a special case which disables the limit. The min_members setting is similar to min_servers for pool groups.
Consider the following set-up:
- Two GSLB pools:
- P1 (4 members) with priority 10
- P2 (3 members) with priority 5
- min_members is set to 3.
As long as P1 has at least 3 members up, only P1 is chosen. If the number of up members in P1 drops below 3, then P1 and P2 are chosen equally.
-
Site Persistence – Check this box to enable site persistence for the GSLB service. For more information, refer to GSLB Site Cookie Persistence.
-
Application Persistence Profile – Click on Create to launch an editor to create a new Site Cookie Application Persistence profile.
-
Select Group Type – Select the behavior for pools. If the default Active Active is chosen, one of the following load balancing algorithms can be chosen.
- Pool Members Load Balancing Algorithm – For Active Active pool configurations, choose a load balancing algorithm that will pick a local member within the GSLB services list of available members.
The following are the options:
- Round Robin(the default)
- Consistent Hash
- Geo
- Topology
- Preference Order
-
IP Address/Virtual Service – Accept Virtual Service (the default) to identify a native Avi Vantage virtual service. Choose IP Address to identify an external (third-party) GSLB pool member; a different set of options then appears, explained in the steps following this list. Refer to the related Avi GSLB in an AWS Multi-Region, Multi-AZ Deployment and Third-Party Site Configuration and Operations articles.
Note: A third-party Controller, redundantly configured or not, is optional for third-party members. If you have chosen the IP Address option, skip the following steps.
-
Site Cluster Controller – To identify a native Avi virtual service, it is first required to select its Controller via this field. The Controller must be pre-configured for its name to be present in the drop-down list.
-
Virtual Service – This field only appears after a site cluster Controller has been chosen. Select a pre-configured virtual service from the drop-down list.
-
Public IP Address – This is an alternative IP address for the pool member. In usual deployments, the VIP in the virtual service is a private IP address; it gets configured in the IP field of the GSLB service. In this field you can identify the public IP address for the VIP; it will get translated to the private IP by a firewall. Client DNS requests coming in from the intranet should have the private IP served in the A record, while requests from outside should be served the public IP address. For more information, refer to NAT-aware Public-Private GSLB Configuration article.
-
Description – Insert a comment if required.
- Add GSLB Pool Member – After the first (minimum required) member service has been defined for the GSLB pool, click on this hyperlink to create an additional one.
If IP Address was selected in the above steps to identify an external pool member, the below alternative display will appear. Follow the below steps instead of the options shown above.
-
IP(v4/v6) Address or FQDN – The external pool member is configured with an IP address or with a fully qualified domain name, which the Controller resolves to an IP address. The DNS service health-monitors the resolved address, while the FQDN itself is returned (as a CNAME) in DNS responses.
-
Public IP(v4/v6) Address – This is an alternative IP address for the pool member. In usual deployments, the VIP of the third-party service is a private IP address; it gets configured in the IP field of the GSLB service. In this field you can identify the public IP address for the VIP; it will get translated to the private IP by a firewall. Client DNS requests coming in from within the intranet should have the private IP served in the A record, while requests from outside should be served the public IP address.
-
Third-party Site Cluster Controller – From the drop-down, select the third-party site name to which the third-party VIP is to be associated.
-
Description – Insert into this free-form field whatever comments you like.
-
Add GSLB Pool Member – After the first (minimum required) member service has been defined for the GSLB pool, click this hyperlink to create an additional one.
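The pool selection and public/private address behaviour described in this section, as an added example in Python that is not part of the original page or of the Avi product: it models priority-based group selection with min_members (generalised to any number of pools and to equal priorities, which is an assumption beyond the two-pool case above), and the NAT-aware choice between a member's private VIP and its Public IP Address based on the querying client's source address. The Member and Pool classes, the up flag and the internal-network list are assumptions made for the example.

```python
"""Added example, not Avi/NSX ALB code: a small model of two decisions the DNS
service makes for a GSLB service, as described in this section:
  1. priority-based selection of GSLB pools (groups) with min_members, and
  2. NAT-aware choice between a member's private VIP and its Public IP Address.
The Member/Pool classes, the 'up' flag (result of the health checks) and the
list of internal networks are assumptions made for the example."""
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Optional


@dataclass
class Member:
    ip: str                          # the private VIP configured in the IP field
    public_ip: Optional[str] = None  # the Public IP Address field, if any
    enabled: bool = True
    up: bool = True                  # data-path / controller health result

    def serves(self) -> bool:
        return self.enabled and self.up


@dataclass
class Pool:
    name: str
    priority: int                    # 0..100; the highest that is up wins
    members: List[Member] = field(default_factory=list)

    def up_members(self) -> List[Member]:
        return [m for m in self.members if m.serves()]


def select_pools(pools: Iterable[Pool], min_members: int) -> List[Pool]:
    """Priority algorithm with min_members.

    Pools are visited from highest to lowest priority; pools that share a
    priority are taken together. With min_members == 0 only the best priority
    level that has an up member is used. Otherwise lower levels are added
    until the total number of up members reaches min_members (or pools run
    out). Generalising the two-pool example in the text to more pools and to
    equal priorities is an assumption of this model."""
    if not 0 <= min_members <= 65535:
        raise ValueError("min_members must be 0 or in 1..65535")
    pools = list(pools)
    chosen: List[Pool] = []
    up_total = 0
    for prio in sorted({p.priority for p in pools}, reverse=True):
        level = [p for p in pools if p.priority == prio and p.up_members()]
        if not level:
            continue
        chosen.extend(level)
        up_total += sum(len(p.up_members()) for p in level)
        if min_members == 0 or up_total >= min_members:
            break
    return chosen


def a_records(members: Iterable[Member], client_ip: str,
              internal_nets: Iterable[str]) -> List[str]:
    """NAT-aware A records: clients inside internal_nets get the private VIP,
    all other clients get the public IP when one is configured."""
    src = ipaddress.ip_address(client_ip)
    internal = any(src in ipaddress.ip_network(n) for n in internal_nets)
    return [m.ip if internal or m.public_ip is None else m.public_ip
            for m in members if m.serves()]


def answer(pools: Iterable[Pool], min_members: int, client_ip: str,
           internal_nets: Iterable[str] = ("10.0.0.0/8",)) -> List[str]:
    """Full decision for one query: choose pools, then build the A records."""
    members = [m for p in select_pools(pools, min_members) for m in p.members]
    return a_records(members, client_ip, internal_nets)


def demo_pools():
    """The set-up from the text: P1 (4 members, priority 10) and P2 (3 members,
    priority 5). Addresses are constructed for the example."""
    p1 = Pool("P1", 10, [Member(f"10.10.0.{i}", f"203.0.113.{i}") for i in range(1, 5)])
    p2 = Pool("P2", 5, [Member(f"10.20.0.{i}", f"198.51.100.{i}") for i in range(1, 4)])
    return p1, p2


if __name__ == "__main__":
    p1, p2 = demo_pools()
    print([p.name for p in select_pools([p1, p2], 3)])   # ['P1']: 4 up >= 3
    p1.members[0].up = p1.members[1].up = False          # now only 2 up in P1
    print([p.name for p in select_pools([p1, p2], 3)])   # ['P1', 'P2']
    print(answer([p1, p2], 3, "10.99.1.7"))              # private VIPs (intranet client)
    print(answer([p1, p2], 3, "192.0.2.44"))             # public IPs (external client)
```

Running the block walks through the scenario in the text: with all four P1 members up only P1 answers; once two of them fail, P1 and P2 are both used, and the same members are returned with private or public addresses depending on where the client sits.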
GSLB Service Advanced Setup
This section discusses the additional parameters available using the advanced setup option on Avi UI.
Navigate to Applications > GSLB Services. Click on Create, and select the Advanced Setup option. Notice the Pool Member section of the basic setup editor has been replaced by the GSLB pool section shown below.
Click on the edit icon to open the GSLB Pool editor. These additional options are not available in the Basic Setup editor. The editor is described in a subsequent section. The other options are as follows:
- Priority – The DNS service chooses the pool with the highest priority that is operationally up. The value of this optional parameter ranges between 0 and 100. Non-unique values among groups are allowed. It may be left unset. The value of 10 is merely a placeholder.
- LB Algorithm – For Active Active pool configurations, choose either round-robin (the default), consistent hash, geo, topology, or preference order.
- Number of IPs returned by DNS Service – If 0, then all IP addresses are returned. You can specify a count between 1 and 20.
- TTL served by DNS service – If the default from the DNS service is not suitable, a value between 1 and 86400 seconds may be chosen for all DNS records served on behalf of all GSLB pool members.
- Down Response – When the service is down, this field will govern the response from the DNS. You can choose no response, an empty response, a fallback IP, or a response containing all records.
- Resolve CNAME – Check this box to resolve CNAME records.
Fallback CNAME as Down Response
Starting with NSX Advanced Load Balancer 22.1.5, CNAME is also available as one of the down responses when a GSLB Service is down.
Follow the below steps to configure CNAME as a down response for a GSLB Service:
- Log in to the NSX Advanced Load Balancer CLI and enter configure gslbservice <GSLB Service Name> mode to perform the configuration changes.
- Set gslb_service_down_response_cname as the type of the down response.
- Specify the fallback CNAME.
[admin:controller-1-site-a]: > configure gslbservice gs-1
Updating an existing object. Currently, the object is:
+----------------------------------+--------------------------------------------------+
| Field | Value |
+----------------------------------+--------------------------------------------------+
| uuid | gslbservice-3b271257-9d30-4429-8fd5-ac25285a9720 |
| name | gs-1 |
| domain_names[1] | foo.avi.com |
| groups[1] | |
| name | gs-1-pool |
| priority | 9 |
| algorithm | GSLB_ALGORITHM_ROUND_ROBIN |
| members[1] | |
| ip | 1.1.1.1 |
| ratio | 1 |
| enabled | True |
| resolve_fqdn_to_v6 | False |
| preference_order | 1 |
| enabled | True |
| manual_resume | False |
| down_response | |
| type | GSLB_SERVICE_DOWN_RESPONSE_NONE |
| controller_health_status_enabled | True |
| health_monitor_scope | GSLB_SERVICE_HEALTH_MONITOR_ALL_MEMBERS |
| enabled | True |
| use_edns_client_subnet | True |
| wildcard_match | False |
| site_persistence_enabled | False |
| pool_algorithm | GSLB_SERVICE_ALGORITHM_PRIORITY |
| min_members | 0 |
| resolve_cname | False |
| is_federated | True |
| tenant_ref | admin |
| topology_policy_enabled | False |
+----------------------------------+--------------------------------------------------+
[admin:controller-1-site-a]: gslbservice> down_response
[admin:controller-1-site-a]: gslbservice:down_response> type gslb_service_down_response_cname
Overwriting the previously entered value for type
[admin:controller-1-site-a]: gslbservice:down_response> fallback_cname cname1.foo.avi.com
[admin:controller-1-site-a]: gslbservice:down_response> save
[admin:controller-1-site-a]: gslbservice> save
+----------------------------------+--------------------------------------------------+
| Field | Value |
+----------------------------------+--------------------------------------------------+
| uuid | gslbservice-3b271257-9d30-4429-8fd5-ac25285a9720 |
| name | gs-1 |
| domain_names[1] | foo.avi.com |
| groups[1] | |
| name | gs-1-pool |
| priority | 9 |
| algorithm | GSLB_ALGORITHM_ROUND_ROBIN |
| members[1] | |
| ip | 1.1.1.1 |
| ratio | 1 |
| enabled | True |
| resolve_fqdn_to_v6 | False |
| preference_order | 1 |
| enabled | True |
| manual_resume | False |
| down_response | |
| type | GSLB_SERVICE_DOWN_RESPONSE_CNAME |
| fallback_cname | cname1.foo.avi.com |
| controller_health_status_enabled | True |
| health_monitor_scope | GSLB_SERVICE_HEALTH_MONITOR_ALL_MEMBERS |
| enabled | True |
| use_edns_client_subnet | True |
| wildcard_match | False |
| site_persistence_enabled | False |
| pool_algorithm | GSLB_SERVICE_ALGORITHM_PRIORITY |
| min_members | 0 |
| resolve_cname | False |
| is_federated | True |
| tenant_ref | admin |
| topology_policy_enabled | False |
+----------------------------------+--------------------------------------------------+
[admin:controller-1-site-a]: >
In the configuration example shown above, the fallback CNAME is configured as cname1.foo.avi.com.
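The Advanced Setup parameters and the down-response types above, as an added example in Python that is neither the product's code nor its SDK: it builds the JSON body of a GslbService object as it would be sent to the Controller REST API, enforces the value ranges the text gives (priority 0 to 100, ratio 1 to 20, number of IPs 0 to 20, TTL 1 to 86400, min_members 0 to 65535), and models the records the DNS service serves for each down-response type. Field names follow the CLI output above where it shows them; num_dns_ip, ttl, the IpAddr {addr, type} form of addresses, the REST path and the EMPTY, ALL_RECORDS and FALLBACK_IP enum values are assumed by analogy with the names shown.

```python
"""Added example, not the product's own code: build the JSON body of a
GslbService object for the Avi Controller REST API (assumed path
/api/gslbservice), validating the ranges given in the Advanced Setup text,
and model what the DNS service answers for each down-response type. Field
names follow the CLI output above (name, domain_names, groups, priority,
algorithm, members, ip, ratio, enabled, down_response.type, fallback_cname,
min_members); num_dns_ip, ttl, the IpAddr {addr, type} form and the EMPTY,
ALL_RECORDS and FALLBACK_IP enum values are assumed by analogy."""
from typing import Callable, Dict, List, Optional, Sequence, Tuple

DOWN_TYPES = {
    "none": "GSLB_SERVICE_DOWN_RESPONSE_NONE",                # no answer at all
    "empty": "GSLB_SERVICE_DOWN_RESPONSE_EMPTY",              # answer with no records
    "all_records": "GSLB_SERVICE_DOWN_RESPONSE_ALL_RECORDS",  # every member, up or not
    "fallback_ip": "GSLB_SERVICE_DOWN_RESPONSE_FALLBACK_IP",
    "cname": "GSLB_SERVICE_DOWN_RESPONSE_CNAME",              # 22.1.5 and later
}


def _check_range(name: str, value: int, lo: int, hi: int) -> None:
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside {lo}..{hi}")


def ip_addr(addr: str) -> Dict:
    """IpAddr sub-object as assumed for the REST API."""
    return {"addr": addr, "type": "V6" if ":" in addr else "V4"}


def gslb_pool(name: str, members: Sequence[Tuple[str, int]], priority: int = 10,
              algorithm: str = "GSLB_ALGORITHM_ROUND_ROBIN") -> Dict:
    """One GSLB pool (group): priority 0..100, member ratio 1..20."""
    _check_range("priority", priority, 0, 100)
    out = []
    for addr, ratio in members:
        _check_range("ratio", ratio, 1, 20)
        out.append({"ip": ip_addr(addr), "ratio": ratio, "enabled": True})
    return {"name": name, "priority": priority, "algorithm": algorithm,
            "members": out, "enabled": True}


def down_response(kind: str, fallback_ip: Optional[str] = None,
                  fallback_cname: Optional[str] = None) -> Dict:
    """down_response sub-object; the FALLBACK_IP and CNAME kinds need a target."""
    body = {"type": DOWN_TYPES[kind]}
    if kind == "fallback_ip":
        if not fallback_ip:
            raise ValueError("fallback_ip is required for the FALLBACK_IP type")
        body["fallback_ip"] = ip_addr(fallback_ip)
    elif kind == "cname":
        if not fallback_cname:
            raise ValueError("fallback_cname is required for the CNAME type")
        body["fallback_cname"] = fallback_cname
    return body


def gslb_service(name: str, domain_names: List[str], groups: List[Dict],
                 down: Optional[Dict] = None, num_dns_ip: int = 0,
                 ttl: Optional[int] = None, min_members: int = 0) -> Dict:
    """GslbService body: num_dns_ip 0 (all) or 1..20, ttl 1..86400 s if set,
    min_members 0 (no limit) or 1..65535."""
    _check_range("num_dns_ip", num_dns_ip, 0, 20)
    if ttl is not None:
        _check_range("ttl", ttl, 1, 86400)
    _check_range("min_members", min_members, 0, 65535)
    svc = {"name": name, "domain_names": list(domain_names), "groups": groups,
           "down_response": down or down_response("none"),
           "pool_algorithm": "GSLB_SERVICE_ALGORITHM_PRIORITY",
           "num_dns_ip": num_dns_ip, "min_members": min_members,
           "enabled": True, "is_federated": True}
    if ttl is not None:
        svc["ttl"] = ttl
    return svc


def answer_when_down(svc: Dict) -> Optional[List[Tuple[str, str]]]:
    """Records the DNS service serves when every member is down, as
    (rrtype, rdata) pairs. None means no response is sent at all."""
    dr = svc["down_response"]
    kind = dr["type"]
    if kind == DOWN_TYPES["none"]:
        return None
    if kind == DOWN_TYPES["empty"]:
        return []
    if kind == DOWN_TYPES["all_records"]:
        return [("AAAA" if m["ip"]["type"] == "V6" else "A", m["ip"]["addr"])
                for g in svc["groups"] for m in g["members"]]
    if kind == DOWN_TYPES["fallback_ip"]:
        ip = dr["fallback_ip"]
        return [("AAAA" if ip["type"] == "V6" else "A", ip["addr"])]
    return [("CNAME", dr["fallback_cname"])]


def rejects(build: Callable[[], Dict]) -> bool:
    """True when a builder call is refused with ValueError (for checks)."""
    try:
        build()
    except ValueError:
        return True
    return False


def example_service() -> Dict:
    """The gs-1 object from the CLI session above, with the CNAME down response."""
    pool = gslb_pool("gs-1-pool", [("1.1.1.1", 1)], priority=9)
    return gslb_service("gs-1", ["foo.avi.com"], [pool],
                        down=down_response("cname", fallback_cname="cname1.foo.avi.com"))


if __name__ == "__main__":
    import json
    print(json.dumps(example_service(), indent=2))
```

Validating the ranges before the object reaches the Controller keeps a scripted rollout from failing halfway through a federated change, and answer_when_down makes the operational difference between the five types explicit: "none" leaves resolvers with a timeout, "empty" with a negative answer, and the other three with an address or name to try.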
GSLB Pool Editor
The GSLB pool editor window displays different options depending on the GSLB pool member identified in the Pool Member section.
Identifying GSLB Pool Member by IP Address
-
IP(v4/v6) Address or FQDN – The pool member can be identified by its IP address or an FQDN that is resolved to an IP address by the Controller. The DNS service will monitor the health of the resolved IP address. If the user has configured an IP address (in addition to the FQDN), then the IP address will get overwritten whenever the periodic FQDN refresh is done by the Controller.
-
Public IP(v4/v6) Address – This field is used to host the public IP address for the virtual service. It gets translated to the private IP by a firewall. Client DNS requests coming in from within the intranet should have the private IP served in the A record, and requests from outside should be served the public IP address.
-
Third-party Site Cluster Controller – Refer to the Third-Party Site Configuration and Operations article.
-
Ratio – This field overrides the default ratio of 1. The ratio weights how often the load-balancing algorithm picks this GSLB pool member relative to its peers. The allowed value ranges between 1 and 20.
-
Enabled – Set to ON by default so that the IP address of this member will be provided in DNS responses.
-
Geo Location Source – Specify the geo location source or set the User Configured option from the pulldown to enter data about a particular location. Refer to Geolocation-based Load Balancing Algorithm for GSLB Members for more details.
-
Description – Insert into this free-form field whatever comments you like.
Identifying GSLB Pool Member by Virtual Service
While configuring the GSLB service, the virtual service selection lists services based on the tenants in the GSLB configuration. By default, the GSLB service editor displays all the virtual services. However, starting with Avi Vantage version 20.1.5, you can change tenant_scoped to see only tenant-scoped virtual services.
The tenant_scoped flag is the GSLB-specific configuration parameter that restricts virtual service selection to the current tenant when it is set to True (the default), or allows virtual service selection from all accessible tenants when it is set to False.
Note: The default behavior in Avi Vantage version 20.1.5 is tenant_scoped set to True.
Example:
To set tenant_scoped, use the following CLI:
[admin:avi-controller]: > configure gslb glb-1
[admin:avi-controller]: gslb> tenant_scoped
[admin:avi-controller]: gslb> save
To unset tenant_scoped, use the following CLI:
[admin:avi-controller]: > configure gslb glb-1
[admin:avi-controller]: gslb> no tenant_scoped
[admin:avi-controller]: gslb> save
-
Site Cluster Controller – Cluster UUID of the site.
-
Public IP(v4/v6) Address – This field is used to host the public IP address for the virtual service. It gets translated to the private IP by a firewall. Client DNS requests coming in from within the intranet should have the private IP served in the A record, and requests from outside should be served the public IP address.
-
Ratio – Overrides the default ratio of 1. The ratio weights how often the load-balancing algorithm picks this GSLB pool member relative to its peers. The value ranges between 1 and 20.
-
Enabled – Defaulted ON so that the IP address of this member will be provided in DNS responses.
-
Geo Location Source – Specify the geo location source or set the User Configured option from the pulldown to enter data about a particular location. Refer to Geolocation-based Load Balancing Algorithm for GSLB Members for more details.
-
Description – Insert the desired description.
Hostname Field for GSLB Pool Member
Starting with release 18.2.6, Avi Vantage supports the configuration of a hostname field for GSLB pool members. If configured, this field is used as the host header in GSLB HTTP and HTTPS health monitor. CNAME/FQDN is used in the GSLB monitor if the hostname field is not configured.
Configuring hostname field using Avi CLI
Log in to the Avi CLI and use the hostname <hostname_string> command on the desired pool member, under configure gslbservice mode, to set the hostname used by the GSLB monitor for that GSLB service.
The detailed steps are mentioned below:
-
Select GSLB service.
[admin:ctlr-1]: > configure gslbservice <gslb service name>
- Identify the pool (group) index using the where command:
[admin:ctlr-1]: gslbservice> where
+----------------------------------+--------------------------------------------------+
| Field                            | Value                                            |
+----------------------------------+--------------------------------------------------+
| uuid                             | gslbservice-ebdd873c-85e8-41d5-be5d-7f0145c68831 |
| name                             | gs1                                              |
| domain_names[1]                  | abcd.com                                         |
| groups[1]                        |                                                  |
| name                             | gs1-pool                                         |
| priority                         | 9                                                |
| algorithm                        | GSLB_ALGORITHM_ROUND_ROBIN                       |
| members[1]                       |                                                  |
| ip                               | 10.140.61.13                                     |
| ratio                            | 1                                                |
| enabled                          | True                                             |
| hostname                         | xyz                                              |
| enabled                          | True                                             |
| down_response                    |                                                  |
| type                             | GSLB_SERVICE_DOWN_RESPONSE_NONE                  |
| health_monitor_refs[1]           | System-GSLB-HTTPS                                |
| controller_health_status_enabled | True                                             |
+----------------------------------+--------------------------------------------------+
In the above example, 1 is the index value for gs1-pool.
-
Use the groups index command to select the desired pool.
[admin:ctlr-1]: gslbservice> groups index <pool_index>
- Identify the pool member index using the where command:
[admin:ctlr-1]: gslbservice:groups> where
+------------+----------------------------+
| Field      | Value                      |
+------------+----------------------------+
| name       | gs1-pool                   |
| priority   | 9                          |
| algorithm  | GSLB_ALGORITHM_ROUND_ROBIN |
| members[1] |                            |
| ip         | 10.140.61.13               |
| ratio      | 1                          |
| enabled    | True                       |
| hostname   | xyz                        |
| enabled    | True                       |
+------------+----------------------------+
In the above example, the pool member (10.140.61.13) index is 1.
-
Select the pool member using the index value.
[admin:ctlr-1]: gslbservice:groups> members index <pool_member_index>
-
Configure the hostname once the pool member is selected.
[admin:ctlr-1]: gslbservice:groups:members> hostname <hostname_string>
- Save the configuration at each level (pool member, then pool, then GSLB service):
[admin:ctlr-1]: gslbservice:groups:members> save
[admin:ctlr-1]: gslbservice:groups> save
[admin:ctlr-1]: gslbservice> save
Note: Starting with Avi Vantage release 18.2.6, SNI extension is also supported for GSLB HTTPS health monitor. In this method, the hostname is used as the server name. If the hostname is not configured, CNAME or FQDN is used for the health monitor.
Recent Avi UI Changes for GSLB Service Configuration
The option to create a GSLB pool is the same as before Avi Vantage release 18.2.6. The navigation path to create one is as follows.
Infrastructure > GSLB Service > Add Service > Advanced > Add Pool.
Starting with Avi Vantage release 18.2.6, the location of the load balancing algorithm settings for pools and groups has changed for both the basic and advanced set-up.
The options available under GSLB service creation have changed with Avi Vantage release 18.2.6. The navigation path to create a basic GSLB service is Infrastructure > GSLB Service > Add Service > Basic.
The 18.2.6 Avi UI has options for Application Name, Subdomain, and Pool Members Load Balancing Algorithm. Below is the screenshot of the Avi UI for GSLB service creation when the active/active mode is selected and the Pool Members Load Balancing Algorithm is set to Geo.
- Pool Members Load Balancing Algorithm is available regardless of the GSLB mode chosen (active/active or active/standby). Prior to 18.2.6, this option was only available if the active/active mode was selected.
-
Fallback algorithm option is available now while creating a GSLB service using the Basic option from Avi UI.
-
Group Type selection is available with Groups Load Balancing Algorithm dropdown. Only Groups Load Balancing Algorithm dropdown is available if Active Active mode is selected.
-
Pool Members Fallback Load Balancing Algorithm dropdown is available when Geo is selected as the load balancing algorithm for pool members.
Prior to 18.2.6 release, it was available under GSLB Service > Create > Advanced > Add Pool.
Changes to Avi UI Access based on Privileges
Starting with Avi Vantage version 18.2.6, if the privilege setting for the GSLB configuration is set to No Access and the privilege for the GSLB Service is set to Read or Write, the GSLB Services tab on the Avi UI is accessible.
The following are the additional features available but with some limitations as mentioned below:
- The access mentioned above is available only in Read-only mode. You will not be able to edit existing GSLB Services or create a new GSLB service.
- You will be able to view the table, click on the Service, and see Member Status and Events sub-tabs, but not the FQDN Insights subtab.
- The Create option is greyed out, with hover text reading: GSLB Config permissions must be set to read or write to create a GSLB Service.
The following are the options which remain the same:
-
If the privileges for the GSLB Service is set to Read only mode, and GSLB Configuration is Read or Write, then you will still be in Read only mode, but FQDN Insights sub-tab will be available.
-
If GSLB Services is set to No Access, the entire GSLB Services tab is not available.
-
If the GSLB Service permission is set to Write, but the service site is a child site, the Create option will be greyed out, and the Avi UI exhibits GSLB Site {Leader Site Name} is the leader.
Note: GSLB site can be configured based on the privileges for GSLB admin.
Associating a Virtual Service (Configured with Site Persistence) with Multiple GSLB Services
Prior to NSX Advanced Load Balancer 22.1.3, an Avi GS member had to be unique across all GSLB services, i.e., a virtual service could not be a GSLB pool member of multiple GSLB services configured with site persistence. Also, only one site persistence pool could be associated with an Avi virtual service.
Starting with NSX Advanced Load Balancer 22.1.3, multiple GSLB Services configured with site persistence can have the same GSLB pool members (Avi virtual services). Also, multiple site persistence pools can be associated with a single virtual service.
The diagram below exhibits the behaviour prior to NSX Advanced Load Balancer version 22.1.3.
The following diagram exhibits the added feature starting with NSX Advanced Load Balancer version 22.1.3. As shown below, pools (SP-pool-GS-1, SP-pool-GS-2) are now associated with multiple virtual services.
Notes:
- For this functionality to work effectively, all the GSLB leaders and followers should have version greater than or equal to 22.1.3.
- You can now create different PKI profiles for the GSLB Services configured with site persistence. Prior to this feature, only one PKI profile was used among all federations when a GSLB service with site persistence was used.
Configuration Steps
Use the steps mentioned below to associate GSLB service with a PKI profile.
To configure PKI profile , navigate to Templates > Security > PKI Profile and click CREATE.
In the creation dialog box, select the Is Federated checkbox and add Certificate Authority/Certificate Revocation list as required.
Debug and Logs
-
The following significant logs are observed when a virtual service with more than one site persistence pool receives a request with a cookie that has no gs_info, or whose gs_info does not match the GS attached to it.
-
Use the debug virtualservice <virtual service name> command to enable debug logs for the virtual service. The debug logs are available in the /opt/avi/log/glog/ directory on the SE.
- The following show commands are useful in troubleshooting GSLB persistence issues:
- Use the show gslbservice <GSLB service name> command to check various attributes of the GSLB service:
- domain_names - FQDN list.
- members - List of participating virtual services.
- pki_profile_ref - Reference to the associated PKI profile.
- Use the show virtualservice <virtualservice name> command to check the various attributes of the virtual service:
- sp_pool_refs - References to the associated SP pools.
- Use the show pool <SP pool name> command to check the various attributes of the site persistence pool:
- application_persistence_profile_ref - Reference to the associated application persistence profile.
Note: Both a PKI profile and an application persistence profile must be configured in order to enable site persistence.
Additional Notes
- The multiple site persistence feature requires Service Engine groups to be of a version >= 22.1.3.
- When multiple site persistence pools are attached to a virtual service, the virtual service should be accessed via its FQDN; otherwise the cookie returned will not be valid for site persistence operations (not proxied).
- A cookie generated on a higher-version Service Engine is not supported on a lower-version SE. However, a cookie generated on a lower-version Service Engine is supported on higher versions.
- The maximum supported FQDN length is 128 bytes. If the FQDN is longer than 128 bytes, only the first 128 bytes are stored in the cookie and used for matching.
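The two notes above on access by FQDN and on the 128-byte limit, as an added example in Python that is not the product's code: it derives the FQDN key a persistence cookie would carry from the request Host header, refuses to produce one when the service was reached by IP literal, and constructs two distinct, valid FQDNs that share a key because they differ only after byte 128. The cookie layout itself is not modelled, and the lower-casing and IDNA encoding of the host are assumptions.

```python
"""Added example, not Avi/NSX ALB code: how the 128-byte limit on the FQDN
stored in the site persistence cookie, and the need to reach the virtual
service by FQDN rather than IP, affect cookie matching. Only the FQDN key is
modelled, not the cookie format. Lower-casing and IDNA encoding are
assumptions made for the example."""
import ipaddress
from typing import Optional, Tuple

FQDN_KEY_MAX = 128  # bytes of the FQDN stored in the cookie and used for matching


def fqdn_key(host_header: str) -> Optional[bytes]:
    """Derive the cookie's FQDN key from a request Host header.
    Returns None when the request was made by IP literal: no FQDN is
    available, so the cookie cannot be used for site persistence."""
    host = host_header.strip()
    if host.startswith("["):             # [v6-literal]:port
        host = host[1:host.index("]")]
    elif host.count(":") == 1:           # name:port or v4-literal:port
        host = host.split(":")[0]
    host = host.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        pass
    return host.encode("idna")[:FQDN_KEY_MAX]


def cookie_matches(stored_key: Optional[bytes], host_header: str) -> bool:
    """True when the key in a presented cookie matches the request's FQDN."""
    key = fqdn_key(host_header)
    return stored_key is not None and key is not None and key == stored_key


def colliding_fqdns() -> Tuple[str, str]:
    """Two distinct FQDNs with valid label lengths (<= 63) that differ only
    after byte 128 and therefore share one cookie key. Constructed names."""
    prefix = "a" * 60 + "." + "b" * 60 + ".cccccc"   # exactly 128 bytes
    return prefix + "1.example.com", prefix + "2.example.com"


if __name__ == "__main__":
    a, b = colliding_fqdns()
    print(fqdn_key("www.foo.com"), fqdn_key("10.140.61.13"))
    print(fqdn_key(a) == fqdn_key(b))   # True: one key for two FQDNs
```

The practical consequence is that FQDNs served by virtual services with several site persistence pools should stay under 128 bytes, or at least differ within their first 128 bytes; otherwise a cookie issued for one FQDN is accepted for the other.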
References
- Geolocation-based Load Balancing Algorithm for GSLB Members
- GSLB Wildcard FQDNs
- Third-Party Site Configuration and Operations
- Preference Order Load Balancing Algorithm
Document Revision History
Date | Change Summary |
---|---|
July 15, 2022 | Updated preference order details in Configuring GSLB Service Basic Setup using Avi UI and Avi UI GSLB Service Advanced Setup sections (Version 22.1.1) |
April 15, 2021 | Updated virtual service related details in 'Identifying GSLB Pool Member by Virtual Service' section |