GSLB Site Cookie Persistence
Long-lived client transactions in a GSLB application can be configured to persist to the site at which they were initiated. This feature is implemented using HTTP site cookies created by Avi Service Engines.
Overview
Some applications require stickiness between a client and a server. That is to say, all requests in a long-lived transaction from a client must be sent to the same server; otherwise, the application session may be broken, with negative impact on the client. This is accomplished by turning on GSLB site cookie persistence, which takes precedence over the configured GSLB algorithm.
In an active-active GSLB deployment, site persistence is extremely important. Typically, site persistence is not an issue in active-standby deployments.
Restrictions
Avi Vantage checks for the below-listed conditions and will emit appropriate error messages if violations are attempted. The need for these restrictions is better understood after reading this entire article.
- Site persistence applies only to Avi VIPs; non-Avi (a.k.a. third-party) VIPs cannot participate.
- Site persistence across multiple virtual services within the same Controller cluster is not supported.
- For site persistence to be turned on for a global application, all of its individual members must run on active sites. Conversely, a site cannot transition from active to passive if an Avi GS member participating in a site-persistent GSLB service runs on it.
- For site persistence to work, an Avi GS member must be unique across all GSLB services. That is to say, it cannot be a GSLB pool member in more than one GSLB service.
  Note: Starting from NSX ALB 22.1.3, this restriction no longer applies. An Avi GS member can be part of multiple GSLB services, as explained in Associating a GS member with multiple GSLB services.
- A site-persistence pool is an internal pool construct created by the Controller and associated with GSLB VS members when site persistence is turned on. Users may not create or change this association. Avi's pool group feature cannot be configured for site-persistence pools.
- The is_federated option is set on the required PKI profile to ensure the profile is replicated across all GSLB members. There can be only one is_federated PKI profile defined. Because there is only one, there is no need to explicitly associate the federated PKI profile with any GSLB service.
- Federated PKI and application persistence profiles cannot be
  - associated with unfederated profiles, or
  - created if GSLB is not turned on.
How Cookie-Based Site Persistence Works
The image below depicts Phase 1 in the life of a long-lived transaction.
- The client asks its DNS resolver to resolve x.foo.com.
- The corporate DNS determines that there are two authoritative DNS servers (at Site1 and Site2), and recommends that the DNS resolver try the Site1 DNS.
- The DNS at Site1 receives the DNS resolver's query and, using whatever global load balancing algorithm is in force, recommends VS1 at Site1 to the DNS resolver and sets the TTL.
- In turn, the DNS resolver passes the recommendation and TTL on to the client.
- Each SE in the group implementing VS1 is aware that site persistence is ON. The client's first request contains no site cookie, so the SE creates one and passes it back. The cookie is AES-256-encrypted and based on the cluster_uuid and vs_uuid strings. Below is an example of such a cookie:
  Set-Cookie: FOO=1S509ceebd-0913-4aomuTiRccdU0ujbfY6eCVkL9muOBwIsnT5fhrMTMMM4-fapeQ2SEGb3ny69-iJQYG6Xg6SmLq9x7crxFEZbZVsCNDYdqXSwx5GIiuEJqlXFbehC2obJUDbYBciac; path=/
- The two-way dialog indicated by the double-ended blue arrow continues as long as SEs in the group see this cookie.
The image below shows what happens some time later, after the TTL has expired.
- That expiration forces the client to once again ask the DNS resolver to provide an IP address for x.foo.com.
- The DNS resolver once again asks the corporate DNS for an authoritative DNS. From its cache, the corporate DNS happens to recommend Site2's DNS.
- The resolver queries the Site2 DNS, which this time returns VIP2, the IP address of VS2, the virtual service local to Site2.
In the image below, you can see the client initiating a dialog with VS2 at Site2. However, the cookie previously obtained accompanies that request.
- An SE at Site2 receives the request with the site cookie attached. It decrypts the cookie and can immediately tell that this request is part of an ongoing conversation that did not start on its site. Rather, the conversation needs to be proxied to VS1 at Site1.
- VS2 proxies the request to VS1 through its site-persistence pool, setting the return address to itself so that VS1's response comes back through VS2.
- The SE at Site2 responds to the client, using the content provided by VS1 at Site1.
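The following is an added example, not Avi code, that models the decision an SE makes in both phases above. The real product AES-256-encrypts the site cookie under a key shared through the federated profile; to stay on the standard library this model substitutes an HMAC-SHA256 tag over a base64url-encoded body, which keeps the property that matters for routing: an SE only trusts the (cluster_uuid, vs_uuid) pair inside a cookie it can verify, and an altered cookie is treated as if it were absent. Cluster/VS identifiers, VIPs and the key are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key. ASSUMPTION: the product AES-256-encrypts the cookie under a
# key shared through the federated profile; this model substitutes an HMAC-SHA256 tag
# over a base64url JSON body so it runs on the standard library alone. The routing
# decision below is independent of that choice.
FEDERATED_KEY = b"constructed-sample-key-do-not-use"


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def mint_cookie(cluster_uuid: str, vs_uuid: str, key: bytes = FEDERATED_KEY) -> str:
    """Encode the originating (cluster_uuid, vs_uuid) as an opaque, tamper-evident value."""
    body = _b64e(json.dumps({"c": cluster_uuid, "v": vs_uuid}).encode())
    tag = hmac.new(key, body, hashlib.sha256).digest()[:16]
    return (body + b"." + _b64e(tag)).decode()


def open_cookie(value: str, key: bytes = FEDERATED_KEY):
    """Return (cluster_uuid, vs_uuid), or None unless the value was minted under `key`."""
    try:
        body, tag = value.encode().split(b".", 1)
        expected = hmac.new(key, body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expected, _b64d(tag)):
            return None
        data = json.loads(_b64d(body))
        return data["c"], data["v"]
    except (ValueError, KeyError, TypeError):
        return None


class ServiceEngine:
    """One SE behind a site-persistent VS. `sp_pool` maps each other GS member's
    (cluster_uuid, vs_uuid) to the VIP that this site's SP pool proxies to."""

    def __init__(self, cluster_uuid, vs_uuid, vip, sp_pool, cookie_name="FOO"):
        self.cluster_uuid, self.vs_uuid, self.vip = cluster_uuid, vs_uuid, vip
        self.sp_pool, self.cookie_name = sp_pool, cookie_name

    def _start_here(self) -> dict:
        # Phase 1: the transaction starts on this VS and the SE mints the site cookie.
        cookie = f"{self.cookie_name}={mint_cookie(self.cluster_uuid, self.vs_uuid)}; path=/"
        return {"served_by": self.vip, "proxied_to": None, "set_cookie": cookie}

    def handle(self, request_cookies: dict) -> dict:
        """Decide who serves the request; returns the decision and any Set-Cookie emitted."""
        raw = request_cookies.get(self.cookie_name)
        origin = open_cookie(raw) if raw else None
        if origin is None:
            # No cookie, or one that does not verify: only SEs holding the key can
            # mint a valid cookie, so an altered value is ignored rather than followed.
            return self._start_here()
        if origin == (self.cluster_uuid, self.vs_uuid):
            return {"served_by": self.vip, "proxied_to": None, "set_cookie": None}
        target = self.sp_pool.get(origin)
        if target is None:
            # ASSUMPTION: a verified cookie naming a member this site has no SP-pool
            # server for is treated like a missing cookie.
            return self._start_here()
        # Phase 2: the conversation began elsewhere; proxy it back through the SP pool.
        return {"served_by": self.vip, "proxied_to": target, "set_cookie": None}


# Constructed identifiers standing in for the real cluster_uuid / vs_uuid / VIP values.
CLUSTER_1, VS_1, VIP_1 = "cluster-site1", "vs-1", "10.90.173.73"
CLUSTER_2, VS_2, VIP_2 = "cluster-site2", "vs-2", "10.90.174.72"


def run_scenario():
    """Walk one client through Phase 1, Phase 2 and a tampered cookie."""
    se1 = ServiceEngine(CLUSTER_1, VS_1, VIP_1, {(CLUSTER_2, VS_2): VIP_2})
    se2 = ServiceEngine(CLUSTER_2, VS_2, VIP_2, {(CLUSTER_1, VS_1): VIP_1})
    first = se1.handle({})                                   # DNS handed out VIP1, no cookie yet
    jar = {"FOO": first["set_cookie"].split("=", 1)[1].split(";", 1)[0]}
    same_site = se1.handle(jar)                              # still within the DNS TTL
    after_ttl = se2.handle(jar)                              # TTL expired, DNS now returned VIP2
    forged = se2.handle({"FOO": "f" + jar["FOO"][1:]})       # client altered the cookie value
    return first, same_site, after_ttl, forged


if __name__ == "__main__":
    for label, r in zip(("first", "same_site", "after_ttl", "forged"), run_scenario()):
        print(f"{label:10s} served_by={r['served_by']} proxied_to={r['proxied_to']}")
```

The scenario shows why the encrypted cookie and the federated key matter: the Site2 SE proxies only when the cookie verifies and names a member it has an SP-pool server for; a client that edits the cookie simply gets a fresh one and starts a new transaction on Site2.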
Configuring GSLB Site Cookie Persistence
Outline of Steps to be Taken
The below steps assume a basic GSLB configuration already exists.
- Configure exactly one federated PKI profile. This one-time operation is most easily done via the Avi UI and applies to all GSLB services.
- Configure a federated application persistence profile. Multiple such profiles may be defined.
- Configure a health monitor. Multiple such health monitors may be defined.
- Configure the GSLB service. Identify it as being site-persistent, and associate it with:
a. One federated application persistence profile
b. One or more health monitors
Note: When running Avi Vantage releases prior to 18.1.2, all these steps can be accomplished using the Avi UI with the exception of step 4a (associating the application persistence profile), which must be done via the CLI. Full UI support is available starting with 18.1.2 (as documented in step 4b).
Starting with Avi Vantage version 21.1.1, the cookie set by Avi can carry the HttpOnly flag. Setting this attribute prevents client-side scripts, including third-party scripts, from reading the cookie, provided the browser supports the flag. The flag applies to any HTTP or terminated HTTPS virtual service.
A cookie set with HttpOnly is still attached by the browser to every matching request; it is only hidden from script access such as document.cookie. HttpOnly therefore limits cookie theft via injected script, but it is not a CSRF control.
The following is the CLI command to enable HTTP-Only attribute:
[admin:admin-controller2]: > configure applicationpersistenceprofile System-Persistence-Http-Cookie
Updating an existing object. Currently, the object is:
+---------------------------------+--------------------------------------------------------------------+
| Field | Value |
+---------------------------------+--------------------------------------------------------------------+
| uuid | applicationpersistenceprofile-04ca34e1-ab0b-4a1d-a19f-d19641dd68af |
| name | System-Persistence-Http-Cookie |
| persistence_type | PERSISTENCE_TYPE_HTTP_COOKIE |
| server_hm_down_recovery | HM_DOWN_PICK_NEW_SERVER |
| http_cookie_persistence_profile | |
| cookie_name | VAJOSFML |
| key[1] | |
| name | 40015eba-ee51-40c6-8f8d-06e2ec0516e9 |
| aes_key | b'WX9pow2nYKYTfENMZSdwODZQu8e37ZdraoovtMjzSWE=' |
| is_federated | False |
| tenant_ref | admin |
+---------------------------------+--------------------------------------------------------------------+
[admin:admin-controller2]: applicationpersistenceprofile> http_cookie_persistence_profile
[admin:admin-controller2]: applicationpersistenceprofile:http_cookie_persistence_profile> http_only
[admin:admin-controller2]: applicationpersistenceprofile:http_cookie_persistence_profile> save
[admin:admin-controller2]: applicationpersistenceprofile> save
+---------------------------------+--------------------------------------------------------------------+
| Field | Value |
+---------------------------------+--------------------------------------------------------------------+
| uuid | applicationpersistenceprofile-04ca34e1-ab0b-4a1d-a19f-d19641dd68af |
| name | System-Persistence-Http-Cookie |
| persistence_type | PERSISTENCE_TYPE_HTTP_COOKIE |
| server_hm_down_recovery | HM_DOWN_PICK_NEW_SERVER |
| http_cookie_persistence_profile | |
| cookie_name | VAJOSFML |
| key[1] | |
| name | 40015eba-ee51-40c6-8f8d-06e2ec0516e9 |
| aes_key | b'WX9pow2nYKYTfENMZSdwODZQu8e37ZdraoovtMjzSWE=' |
| always_send_cookie | False |
| http_only | True |
| is_federated | False |
| tenant_ref | admin |
+---------------------------------+--------------------------------------------------------------------+
Configuration via Avi UI
Step 1. Configure the PKI Profile
- Navigate to Templates > Security > PKI Profile. Click Create, and be sure to select the Is Federated option. This is a one-time operation.
Note: Where applicable, the is_federated option of an Avi object describes its replication scope. If the option is set to false, the object is visible only within the Controller cluster and its associated Service Engines. If the option is set to true, the object is replicated across the federation.
Once the federated PKI profile is created and a site-persistent GSLB service is enabled, the PKI profile cannot be deleted. Selecting its checkbox and pressing the Delete button displays an error message.
Step 2. Configure a Federated Application Persistence Profile
- Navigate to Templates > Profiles > Persistence and click on Create to open the persistence profile editor. Be sure to set the Type field to GSLB Site and click on the Is Federated option.
The below image shows a partial list of configured persistence profiles, the first three of which have their Type field set to GSLB Site.
Step 3. Configure a Health Monitor
Navigate to Templates > Profiles > Health Monitors and click on Create to open the health monitor editor. Once again, be sure to check the Is Federated option.
Step 4. Configure the GSLB Service
- Navigate to Applications > GSLB Services. Click on Create, and select Advanced Setup. Be sure to specify a health monitor profile and check the Site Persistence option.
Step 4a. Associating GSLB service with federated application profile via Avi CLI
As mentioned, for releases prior to 18.1.2, this step must be performed via the Avi CLI. To sketch the simple steps,
- Log into the Avi shell of the appropriate Controller cluster.
- Type configure gslbservice gs-1
- In response to the gslbservice prompt, type application_persistence_profile_ref gap-1
- To have the association take effect, type save
For reference, following are all parameters for the enabled GSLB service named gs-1:
+-------------------------------------+-----------------------------------------------------+
| Field | Value |
+-------------------------------------+-----------------------------------------------------+
| uuid | gslbservice-2efeea54-12b4-4c1d-9fe0-ffd58e5125c3 |
| name | gs-1 |
| domain_names[1] | a.com |
| groups[1] | |
| name | group1 |
| priority | 13 |
| algorithm | GSLB_ALGORITHM_ROUND_ROBIN |
| members[1] | |
| cluster_uuid | cluster-a7ba9c02-adf6-48d7-aa3d-41f664d45f85 |
| vs_uuid | virtualservice-da9efdc9-7204-4b69-afc2-4fccaf961e1d |
| ip | 10.90.173.73 |
| ratio | 1 |
| enabled | True |
| groups[2] | |
| name | group2 |
| priority | 12 |
| algorithm | GSLB_ALGORITHM_ROUND_ROBIN |
| members[1] | |
| cluster_uuid | cluster-fc6fa719-054d-42d0-a18b-a8a7577a3829 |
| vs_uuid | virtualservice-f4bdb96d-4de3-4b2f-bf51-1bb924783443 |
| ip | 10.90.174.72 |
| ratio | 1 |
| enabled | True |
| health_monitor_refs[1] | ghm-ping |
| controller_health_status_enabled | True |
| health_monitor_scope | GSLB_SERVICE_HEALTH_MONITOR_ALL_MEMBERS |
| enabled | True |
| use_edns_client_subnet | True |
| wildcard_match | False |
| site_persistence_enabled | True |
| application_persistence_profile_ref | gap-1 |
| pool_algorithm | GSLB_SERVICE_ALGORITHM_PRIORITY |
| min_members | 0 |
| is_federated | True |
| tenant_ref | admin |
+-------------------------------------+-----------------------------------------------------+
Step 4b. Associating GSLB service with federated application profile via Avi UI
As shown in the image below, starting with release 18.1.2, a fourth field, Application Persistence Profile, has been added to the last section of the Advanced Setup Editor.
Configuring GSLB Site Cookie Persistence Using the UI
Starting with NSX Advanced Load Balancer version 21.1.3, the field is_persistent_cookie is introduced, which when set to True makes the GSLB site cookie a persistent cookie. By default this field is set to False, which means the cookie is a session cookie.
To enable cookie persistence using the UI:
- From the NSX Advanced Load Balancer UI, navigate to Templates > Profiles > Persistence.
- Enter a unique Name for the profile.
- Set Select New Server When Persistent Server Down to Immediate or Never to define the behavior when the persistent server is marked down, such as by a health monitor or when it has reached a connection limit.
  - Immediate: Avi Vantage will immediately select a new server to replace the one marked down and switch the persistence entry to the new server.
  - Never: No replacement server will be selected. Persistent entries will be required to expire normally based upon the persistence type.
- Set the Type to GSLB Site. Changing the type changes the profile to another persistence method.
- Enter an HTTP Cookie Name to insert the cookie under a user-chosen name. If left blank, Avi auto-generates a random eight-character alphabetic name.
- Select Is Persistence Cookie to make the cookie persistent. If this option is not enabled, the cookie is a session cookie.
- By default, a persistence cookie is sent to the client once at the beginning of a session. Clients then return the cookie with each request. However, some web applications, such as those incorporating Java or JavaScript, may not include the cookie in their request if it was not received in the previous response. Enabling Always Send causes Avi Vantage to include the cookie on every response.
The resulting persistence cookie is shown in the image below:
Commands for Configuring GSLB Site Cookie Persistence via the Avi CLI
In the below examples, we use the same object names as were used in the above UI configuration, i.e., gs-1, gpki-server, gap-1, and ghm-ping. Each shell command has many subcommands; we show only the ones that are especially relevant to GSLB site persistence.
Step 1. Configure the PKI Profile
Shell command: configure pkiprofile gpki-server
Subcommands: is_federated
Step 2. Configure a Federated Application Persistence Profile
Shell command: configure applicationpersistenceprofile gap-1
Subcommands: is_federated, persistence_type, server_hm_down_recovery
Step 3. Configure a Health Monitor
Shell command: configure healthmonitor ghm-ping
Subcommands: is_federated
Step 4. Configure the GSLB Service
Shell command: configure gslbservice gs-1
Subcommands: application_persistence_profile_ref, health_monitor_refs, is_federated, site_persistence_enabled
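The block below is an added example, not Avi or NSX ALB code, that builds the four objects of Steps 1 through 4 as REST-style payloads and pre-checks a site-persistent GSLB service against the Restrictions listed earlier on this page, so that a misconfiguration is caught before the Controller rejects it. Field and enum names are taken from the CLI output on this page; the payload shape, the {"addr", "type"} form of the member IP, the health monitor type, and the PERSISTENCE_TYPE_GSLB_SITE value behind the UI's "GSLB Site" type are assumptions, as is the convention that a member without cluster_uuid/vs_uuid is a third-party VIP. All identifiers are constructed.

```python
from collections import Counter

# ASSUMPTION: the persistence type the UI labels "GSLB Site".
GSLB_SITE = "PERSISTENCE_TYPE_GSLB_SITE"


def build_objects(gs_name, domain, members, pki="gpki-server", gap="gap-1", hm="ghm-ping"):
    """Return {object_type: payload} for Steps 1-4. Each member is a dict with `ip` and,
    for Avi members, `cluster_uuid` and `vs_uuid` (optional `priority` and `ratio`)."""
    groups = []
    for i, m in enumerate(members, 1):
        member = {k: m[k] for k in ("cluster_uuid", "vs_uuid") if k in m}
        member.update({"ip": {"addr": m["ip"], "type": "V4"},      # ASSUMPTION: IpAddr form
                       "ratio": m.get("ratio", 1), "enabled": True})
        groups.append({"name": f"group{i}", "priority": m.get("priority", 10),
                       "algorithm": "GSLB_ALGORITHM_ROUND_ROBIN", "members": [member]})
    return {
        "pkiprofile": {"name": pki, "is_federated": True},                          # Step 1
        "applicationpersistenceprofile": {                                          # Step 2
            "name": gap, "is_federated": True, "persistence_type": GSLB_SITE,
            "server_hm_down_recovery": "HM_DOWN_PICK_NEW_SERVER"},
        "healthmonitor": {"name": hm, "is_federated": True,                         # Step 3
                          "type": "HEALTH_MONITOR_PING"},
        "gslbservice": {                                                            # Step 4
            "name": gs_name, "domain_names": [domain], "groups": groups,
            "health_monitor_refs": [f"/api/healthmonitor?name={hm}"],
            "site_persistence_enabled": True,
            "application_persistence_profile_ref": f"/api/applicationpersistenceprofile?name={gap}",
            "pool_algorithm": "GSLB_SERVICE_ALGORITHM_PRIORITY", "is_federated": True},
    }


def check_restrictions(objs, active_clusters, existing_services=(), federated_pki_count=0,
                       version=(21, 1, 1)):
    """Return the restriction violations for `objs`; an empty list means it may be created.
    active_clusters: cluster_uuids of active sites. existing_services: GSLB service payloads
    already configured. federated_pki_count: federated PKI profiles that already exist.
    version: (major, minor, patch) of the Controller release."""
    problems = []
    gs, gap = objs["gslbservice"], objs["applicationpersistenceprofile"]
    if not gs.get("site_persistence_enabled"):
        return problems                      # restrictions only apply with SP=ON
    total_pki = federated_pki_count + int(objs["pkiprofile"].get("is_federated", False))
    if total_pki != 1:
        problems.append(f"exactly one federated PKI profile is required, would have {total_pki}")
    if not (gap.get("is_federated") and gap.get("persistence_type") == GSLB_SITE):
        problems.append("application persistence profile must be federated and of type GSLB Site")
    if not gs.get("application_persistence_profile_ref") or not gs.get("health_monitor_refs"):
        problems.append("site persistence needs a persistence profile and at least one health monitor")
    members = [m for g in gs["groups"] for m in g["members"]]
    for m in members:
        if "cluster_uuid" not in m or "vs_uuid" not in m:
            problems.append(f"member {m['ip']['addr']} is a third-party VIP and cannot participate")
        elif m["cluster_uuid"] not in active_clusters:
            problems.append(f"member {m['vs_uuid']} does not run on an active site")
    # Site persistence across several VSes in one Controller cluster is not supported.
    for cluster, n in Counter(m["cluster_uuid"] for m in members if "cluster_uuid" in m).items():
        if n > 1:
            problems.append(f"{n} members share cluster {cluster}: one site-persistent VS per cluster")
    if version < (22, 1, 3):                 # member-uniqueness rule lifted in NSX ALB 22.1.3
        in_use = {(m["cluster_uuid"], m["vs_uuid"]) for svc in existing_services
                  for g in svc["groups"] for m in g["members"] if "vs_uuid" in m}
        for m in members:
            if "vs_uuid" in m and (m["cluster_uuid"], m["vs_uuid"]) in in_use:
                problems.append(f"member {m['vs_uuid']} already belongs to another GSLB service")
    return problems


if __name__ == "__main__":
    import json
    demo = build_objects("gs-1", "a.com", [
        {"cluster_uuid": "cluster-a", "vs_uuid": "vs-pay-a", "ip": "10.90.173.73", "priority": 13},
        {"cluster_uuid": "cluster-b", "vs_uuid": "vs-pay-b", "ip": "10.90.174.72", "priority": 12}])
    print(json.dumps(demo["gslbservice"], indent=2))
    print("violations:", check_restrictions(demo, {"cluster-a", "cluster-b"}))
```

Run the checker with the set of cluster UUIDs you know to be active and the GSLB services already present; pass version=(22, 1, 3) or later to drop the member-uniqueness check that 22.1.3 lifted.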
Global Services That Define Both HTTP and HTTPS Ports
Special consideration is required when a global service with site persistence (SP=ON) defines both HTTP and HTTPS ports, be they the default ports (80 and 443) or some other port-pair.
Case 1: Same global application exposes HTTP on port 80 and HTTPS on port 443
You need only set http_to_https to True in the application profile associated with every virtual service participating in the global service. In the Avi UI, use the application profile editor as shown below.
Case 2: Same global application exposes non-default HTTP and non-default HTTPS ports
To illustrate by example, suppose the virtual services participating in the global service with site persistence (SP=ON) are defined with port 91 for HTTP and port 9443 for HTTPS.
In addition to setting http_to_https ON (via the UI, CLI or REST API), define an HTTP request rule for each participating virtual service such that HTTP port 91 is redirected to HTTPS port 9443, as illustrated below.
CASE 3: No HTTP-to-HTTPS redirect is in place
Whether the port settings are the default ones (80 and 443) or some other values, without the HTTP-to-HTTPS redirect in place, site-persistence flow will not work.
Cookie Persistence Timeout
Persistence profiles allow the configuration of a persistence timeout. The persistence timeout sets the maximum amount of time a persistence cookie is valid.
The persistence timeout applies to persistence cookies that are created by Avi Vantage for individual client sessions with virtual services that use the persistence profile.
Generally, the client or browser is responsible for clearing a session cookie when the session it belongs to ends or the browser is closed. Setting a persistence timeout covers the cases where the client or browser does not clear session cookies.
If the persistence timeout is set, the maximum lifetime of any session cookie that is created based on the profile is set to the timeout. In this case, the cookie is valid for a maximum of the configured timeout, beginning when Avi Vantage creates the cookie.
For example, if the persistence timeout is set to 720 minutes, a cookie created based on the profile is valid for a maximum of 12 hours, beginning as soon as the cookie is created. After the persistence timeout expires, the cookie expires and is no longer valid.
By default, there is no timeout and the cookie sent is a session cookie, which is cleared by the client after the session ends.
Starting with NSX Advanced Load Balancer version 21.1.3,
- The timeout field in a GSLBSiteCookiePersistenceProfile is translated to the cookie's max-age attribute.
- The max-age attribute represents the number of seconds until the cookie expires.
- If the value of max-age is zero or negative, the cookie expires instantly.
Notes:
- If the flag is_persistent_cookie is disabled, the timeout behavior remains unchanged (the cookie expires according to the non-zero value of the timeout).
- If the flag is enabled and the value of timeout is zero, the cookie expires immediately, since max-age is set to zero.
With a timeout configured, the cookie is therefore sent with a Max-Age attribute: Set-Cookie: <cookie-name>=<cookie-value>; Max-Age=<number>
For example: Set-Cookie: FOO=026cc2fffb-b95b-41-dxgObfTEe_IrnYmysot-VOVY1_EEW55HqmENnvC; path=/ ; Max-Age=3600
Operations
This section covers the CLI commands by which to
- Check the operational state of a site-persistent GSLB service.
- Determine the percentage of requests that are proxied from other virtual services back to the one to which clients are to be persisted.
In the following CLI sequences we have:
1. A global service named gs-1.
2. The global service is comprised of two virtual services named pay@site_A and pay@site_B.
3. These virtual services run on their correspondingly named active sites, site_A and site_B.
4. A site-persistence proxy pool at each site, correspondingly named SP-gs-1-pay@site_A and SP-gs-1-pay@site_B. Note that Avi Vantage automatically forms a site's proxy pool name by prepending SP- to the hyphenated concatenation of the GSLB service name and the VS name.
5. The operational status with regard to site persistence is up.
GSLB Service Site Persistence Status
The output of the below show command reflects points 1 through 5. To the right of the command's output we have inserted annotations to guide you where to look. These data are available from any active site.
Note: To view site-persistence-related data you must include the arguments runtime filter sp_status.
show gslbservice gs-1 runtime filter sp_status
+-------------------------+------------------------------------------------------------------+
| Field | Value |
+-------------------------+------------------------------------------------------------------+
| uuid | gslbservice-ff1b4e8d-663d-4cb9-932b-d007c81efba6 |
| name | gs-1 | POINT 1
| ldr_state | |
| last_changed_time | Tue Feb 6 00:11:02 2018 ms(242588) UTC |
| flr_state[1] | |
| status | SYSERR_SUCCESS |
| reason | |
| site_uuid | cluster-1e560f44-c898-41c3-818b-3433edbf9391 |
| last_changed_time | Tue Feb 6 00:11:02 2018 ms(904114) UTC |
| groups[1] | |
| name | group2 |
| members[1] | |
| cluster_uuid | cluster-1e560f44-c898-41c3-818b-3433edbf9391 |
| site_name | site_B | POINT 3
| vs_uuid | virtualservice-8a68c656-6a89-46d7-b9a5-1b693ae9798a |
| vs_name | pay@site_B | POINT 2
| ip | 10.90.174.72 |
| oper_ips[1] | 10.90.174.72 |
| vip_type | AVI_VIP |
| services[1] | |
| port | 80 |
| enable_ssl | False |
| port_range_end | 80 |
| app_type | APPLICATION_PROFILE_TYPE_HTTP |
| sp_pools[1] | |
| uuid | pool-8a68c656-6a89-46d7-b9a5-1b693ae9798a |
| name | SP-gs-1-pay@site_B | POINT 4
| num_servers | 1 |
| num_servers_up | 1 |
| controller_status | |
| state | OPER_UP |
| last_changed_time | Tue Feb 6 00:15:17 2018 ms(352917) UTC |
| groups[2] | |
| name | group1 |
| members[1] | |
| cluster_uuid | cluster-3a179b95-dff9-444b-9986-ba89c4e19c44 |
| site_name | site_A | POINT 3
| vs_uuid | virtualservice-dc871051-35e8-4bec-bd1f-3c63fb6b7087 |
| vs_name | pay@site_A | POINT 2
| ip | 10.90.173.73 |
| oper_ips[1] | 10.90.173.73 |
| vip_type | AVI_VIP |
| services[1] | |
| port | 80 |
| enable_ssl | False |
| port_range_end | 80 |
| app_type | APPLICATION_PROFILE_TYPE_HTTP |
| sp_pools[1] | |
| uuid | pool-dc871051-35e8-4bec-bd1f-3c63fb6b7087 |
| name | SP-gs-1-pay@site_A | POINT 4
| num_servers | 1 |
| num_servers_up | 1 |
| controller_status | |
| state | OPER_UP |
| last_changed_time | Tue Feb 6 00:15:17 2018 ms(353741) UTC |
| services_state | Services-In-Sync |
| tenant_name | admin |
| checksum | e298eb000bb6d5bcaeaaf10d08e609441823c69fc83e7d9a50014769d7ed2b03 |
| sp_oper_status | |
| state | OPER_UP | POINT 5
| last_changed_time | Tue Feb 6 00:15:17 2018 ms(353976) UTC |
+-------------------------+------------------------------------------------------------------+
Status of the GSLB Service’s Member Virtual Services
For details about the individual virtual services that comprise a GSLB service, one must log onto the site that pertains. The below show virtualservice command was executed on site_A to report on a local VS, pay@site_A. Note the site-persistence pool reference toward the very bottom. The SP pool on site_A engages the service of some VS on another active site, the site to which the client's request must be persisted. In this example, there's only one other site (site_B), but in general there could be many.
show virtualservice pay@site_A
+------------------------------------+-----------------------------------------------------+
| Field | Value |
+------------------------------------+-----------------------------------------------------+
| uuid | virtualservice-dc871051-35e8-4bec-bd1f-3c63fb6b7087 |
| name | pay@site_A |
| enabled | True |
| services[1] | |
| port | 80 |
| enable_ssl | False |
| port_range_end | 80 |
| application_profile_ref | System-HTTP |
| network_profile_ref | System-TCP-Proxy |
| pool_ref | pay |
| se_group_ref | Default-Group |
| analytics_policy | |
| full_client_logs | |
| enabled | True |
| duration | 0 min |
| all_headers | True |
| throttle | 0 per_second |
| client_insights | NO_INSIGHTS |
| udf_log_throttle | 10 per_second |
| significant_log_throttle | 10 per_second |
| enabled | True |
| vrf_context_ref | global |
| enable_autogw | False |
| analytics_profile_ref | System-Analytics-Profile |
| weight | 1 |
| delay_fairness | False |
| max_cps_per_client | 0 |
| limit_doser | False |
| type | VS_TYPE_NORMAL |
| cloud_type | CLOUD_NONE |
| use_bridge_ip_as_vip | False |
| flow_dist | LOAD_AWARE |
| ign_pool_net_reach | False |
| ssl_sess_cache_avg_size | 1024 |
| remove_listening_port_on_vs_down | False |
| close_client_conn_on_config_update | False |
| tenant_ref | admin |
| cloud_ref | Default-Cloud |
| east_west_placement | False |
| scaleout_ecmp | False |
| active_standby_se_tag | ACTIVE_STANDBY_SE_1 |
| flow_label_type | NO_LABEL |
| vip[1] | |
| vip_id | 0 |
| ip_address | 10.90.173.73 |
| enabled | True |
| auto_allocate_ip | False |
| auto_allocate_floating_ip | False |
| avi_allocated_vip | False |
| avi_allocated_fip | False |
| vsvip_ref | vsvip-5c8iRv |
| sp_pool_refs[1] | SP-gs-1-pay@site_A | SP POOL ON site_A
| use_vip_as_snat | False |
+------------------------------------+-----------------------------------------------------+
Proxy Pools Appear Alongside Others
The below show pool command, executed on site_A, illustrates the fact that site-persistence pools appear just as others do. In contrast to the last four listed, the two SP pools have "servers" that are actually virtual services on the one and only other site.
show pool
+--------------------------+------+---------------+------------+--------------------+
| Name | Port | Cloud | Oper State | Servers (up/total) |
+--------------------------+------+---------------+------------+--------------------+
| SP-gs-2-securepay@site_A | 80 | Default-Cloud | OPER_UP | 1/1 |
| SP-gs-1-pay@site_A | 80 | Default-Cloud | OPER_UP | 1/1 |
| ship | 80 | Default-Cloud | OPER_UP | 1/1 |
| securepay | 80 | Default-Cloud | OPER_UP | 2/2 |
| pay | 80 | Default-Cloud | OPER_UP | 1/1 |
| secureship | 80 | Default-Cloud | OPER_UP | 2/2 |
+--------------------------+------+---------------+------------+--------------------+
Proxy Pool Status
Details about a proxy pool are not rolled up at the GSLB level. One needs to log onto the site that pertains, and then use the show pool command on the proxy pool associated with the particular GSLB service. In the below example, we're logged into site_A, looking at the site-persistence pool named SP-gs-1-pay@site_A.
Note that the one "server" in the SP pool is identified by the VIP (10.90.174.72) of a virtual service on site_B.
show pool sp-gs-1-pay@site_A
+---------------------------------------+------------------------------------------------------------------+
| Field | Value |
+---------------------------------------+------------------------------------------------------------------+
| uuid | pool-dc871051-35e8-4bec-bd1f-3c63fb6b7087 |
| name | SP-gs-1-pay@site_A |
| default_server_port | 80 |
| graceful_disable_timeout | 1 min |
| connection_ramp_duration | 10 min |
| max_concurrent_connections_per_server | 0 |
| health_monitor_refs[1] | ghm-ping |
| servers[1] | | "SERVER" IS A VS ON site_B
| ip | 10.90.174.72 | 10.90.174.72 IS ON site_B
| hostname | 10.90.174.72 |
| enabled | True |
| ratio | 1 |
| verify_network | False |
| resolve_server_by_dns | False |
| prst_hdr_val | 16077db5be5a5402f8185e02769756a3f0deffcdc0ab28fe8a60ac13d0219e32 |
| static | False |
| rewrite_host_header | False |
| description | Gslb site-persistence server |
| server_count | 1 |
| lb_algorithm | LB_ALGORITHM_LEAST_CONNECTIONS |
| application_persistence_profile_ref | gap-1 |
| inline_health_monitor | True |
| use_service_port | True |
| capacity_estimation | False |
| server_auto_scale | False |
| vrf_ref | global |
| fewest_tasks_feedback_delay | 10 sec |
| enabled | True |
| request_queue_enabled | False |
| request_queue_depth | 128 |
| host_check_enabled | False |
| sni_enabled | True |
| rewrite_host_header_to_sni | False |
| rewrite_host_header_to_server_name | False |
| lb_algorithm_core_nonaffinity | 2 |
| gslb_sp_enabled | True |
| lookup_server_by_name | False |
| description | Gslb site-persistence proxy pool |
| tenant_ref | admin |
| cloud_ref | Default-Cloud |
+---------------------------------------+------------------------------------------------------------------+
Determining the Fraction of Client Requests Proxied
On a per-GSLB-service basis, use the Avi UI to monitor the per-pool activity on the active sites running the GSLB service's VS members. For each site, collect:
- the inbound request rate for the GSLB service's local VS, and
- the request rate of its SP pool.
Sum each of the two rates across all sites. If the overall SP pool rate is large compared to the overall VS request rate, a large share of requests is taking the proxied cross-site path, and you may wish to increase the DNS TTL so that clients stay with the site they started on for longer.
Secure/HTTP_Only flag to GSLB Site Persistence Cookie
Starting with Avi Vantage release 21.1.1, the flag http_only is supported for the HTTP cookie persistence profile. This flag sets the HttpOnly attribute on the cookie used in GSLB site persistence, which prevents client-side scripts from reading the GSLB site persistence cookie (if supported by the browser).
A cookie set with HttpOnly is still sent by the browser with every matching request; it is only withheld from script, so the cookie does not appear in document.cookie and cannot be read or exfiltrated by injected JavaScript.
Use the http_cookie_persistence_profile option to set the http_only flag while configuring an application persistence profile, as shown below.
[admin:avi-controller]: > configure applicationpersistenceprofile System-Persistence-Http-Cookie
Updating an existing object. Currently, the object is:
+---------------------------------+--------------------------------------------------------------------+
| Field | Value |
+---------------------------------+--------------------------------------------------------------------+
| uuid | applicationpersistenceprofile-c23015dd-8e50-4843-a21a-1e99d699fe9e |
| name | System-Persistence-Http-Cookie |
| persistence_type | PERSISTENCE_TYPE_HTTP_COOKIE |
| server_hm_down_recovery | HM_DOWN_PICK_NEW_SERVER |
| http_cookie_persistence_profile | |
| cookie_name | HPWKEKQZ |
| key[1] | |
| name | e55bc50c-5c89-4fe6-a61a-be2ef34490d0 |
| aes_key | b'Vmwr8mRPUdIPnMEgHyh9l5OXUoyRWIdubKFvBgjeNdQ=' |
| is_federated | False |
| tenant_ref | admin |
+---------------------------------+--------------------------------------------------------------------+
[admin:avi-controller]: applicationpersistenceprofile> http_cookie_persistence_profile
[admin:avi-controller]: applicationpersistenceprofile:http_cookie_persistence_profile> http_only
[admin:avi-controller]: applicationpersistenceprofile:http_cookie_persistence_profile> save
[admin:avi-controller]: applicationpersistenceprofile> save
+---------------------------------+--------------------------------------------------------------------+
| Field | Value |
+---------------------------------+--------------------------------------------------------------------+
| uuid | applicationpersistenceprofile-c23015dd-8e50-4843-a21a-1e99d699fe9e |
| name | System-Persistence-Http-Cookie |
| persistence_type | PERSISTENCE_TYPE_HTTP_COOKIE |
| server_hm_down_recovery | HM_DOWN_PICK_NEW_SERVER |
| http_cookie_persistence_profile | |
| cookie_name | HPWKEKQZ |
| key[1] | |
| name | e55bc50c-5c89-4fe6-a61a-be2ef34490d0 |
| aes_key | b'Vmwr8mRPUdIPnMEgHyh9l5OXUoyRWIdubKFvBgjeNdQ=' |
| always_send_cookie | False |
| http_only | True |
| is_federated | False |
| tenant_ref | admin |
+---------------------------------+--------------------------------------------------------------------+
[admin:avi-controller]: >
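As an added example, not Avi or NSX ALB code, the following parses a Set-Cookie header captured from a site-persistent VS and reports whether the GSLB site cookie carries the attributes described on this page: the HttpOnly flag from the http_only setting above, and the Max-Age attribute derived from the timeout in the Cookie Persistence Timeout section (with a Max-Age of zero or less flagged as expiring immediately). The Secure check is general cookie hygiene for a terminated-HTTPS VS and is not a setting this page describes. The headers in the test are constructed; capture a live one with `curl -sI https://x.foo.com/ | grep -i '^set-cookie'`.

```python
def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and a case-insensitive attribute map.
    Flag attributes (HttpOnly, Secure) map to True; valued ones keep their string."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        if not p:
            continue
        k, has_val, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if has_val else True
    max_age = attrs.get("max-age")
    try:
        max_age = int(max_age) if isinstance(max_age, str) else None
    except ValueError:
        max_age = None                       # unparsable Max-Age is treated as absent
    return {
        "name": name.strip(),
        "value": value.strip(),
        "attrs": attrs,
        "max_age": max_age,
        "httponly": attrs.get("httponly") is True,
        "secure": attrs.get("secure") is True,
        # No Max-Age and no Expires: the browser discards the cookie when the session ends.
        "session_cookie": "max-age" not in attrs and "expires" not in attrs,
    }


def audit_set_cookie(header: str, expect_persistent: bool = False, https: bool = False) -> list:
    """Return findings for one Set-Cookie header; an empty list means it looks as expected.
    expect_persistent: is_persistent_cookie is on, so a Max-Age/Expires should be present.
    https: the VS terminates TLS, so the cookie should also carry Secure."""
    c = parse_set_cookie(header)
    findings = []
    if not c["httponly"]:
        findings.append("missing HttpOnly: cookie is readable by client-side script")
    if c["max_age"] is not None and c["max_age"] <= 0:
        findings.append("Max-Age <= 0: cookie expires immediately (is_persistent_cookie on with timeout 0?)")
    if expect_persistent and c["session_cookie"]:
        findings.append("expected a persistent cookie but no Max-Age/Expires was set")
    if https and not c["secure"]:
        findings.append("missing Secure: cookie may be sent over plaintext HTTP")
    return findings


if __name__ == "__main__":
    # Constructed sample modelled on the Max-Age example earlier on this page.
    sample = "Set-Cookie: FOO=026cc2fffb-b95b-41-dxgObfTEe_IrnYmysot-VOVY1_EEW55HqmENnvC; path=/ ; Max-Age=3600"
    print(parse_set_cookie(sample)["max_age"], audit_set_cookie(sample, expect_persistent=True))
```

Feed the function the raw header line from a client-side capture rather than the Controller configuration: the point of the check is to confirm that the profile change actually reached the cookie the browser receives.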