Service Engine Group (required)
Instance of Load balancer (Preparing by HI GIO support)
Server Pool (required)
Pool member VMs that are running the same application
Monitor Profile (required)
Defines how the load balancer health-checks the application status of each pool member.
HI GIO Portal has built-in Monitor Profiles (Ping/TCP/HTTP/HTTPS, ...) that can be used as defaults.
Persistence Profile (optional)
Defines how the load balancer directs all requests originating from a single client to the same backend VM.
SSL Certificate (optional)
If you want to do SSL termination on the Load balancer, you must register an SSL certificate on Portal.
Virtual Service (required)
A Virtual Service (VIP) is the main object of load balancing: it is the service that represents the backend server pool.
The private key must be in PKCS8 encoded format.
You cannot import a certificate that already exists on the portal.
To renew an SSL certificate:
Delete the current SSL certificate.
Import the new one.
Please arrange a maintenance window for this, because the virtual service is affected while the certificate is replaced.
Step 1: Log in to the HI GIO Portal as an Organization Administrator and Navigate to
Administration > Certificate Management > Certificates Library.
Step 2: Press IMPORT to import the Certificate and Private Key used to encrypt application traffic.
Friendly Name: type your Certificate Name (for example, IIJVN-Cert). Click NEXT
Step 3: Click SELECT CERTIFICATE FILE to upload your Certificate file
Step 4: Select your Certificate file (DER encoded or PEM format) and import it to HI GIO Portal. Click Open
Step 5: Review your Certificate information. Click NEXT
Step 6: Click SELECT PRIVATE KEY to import Private Key
Step 7: Select your Private Key file to import into HI GIO Portal. Click Open
Input the Private Key Passphrase if your Private Key is protected by a password. Click IMPORT
The new Certificate and Key are now imported, as shown below.
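The portal only accepts private keys in PKCS#8 form, and a key exported from a Windows or older OpenSSL toolchain is often in the traditional PKCS#1 ("BEGIN RSA PRIVATE KEY") form instead. The following is an added example, not part of the HI GIO documentation: it decides the key format by parsing the DER structure rather than trusting the PEM label, and wraps a PKCS#1 RSA key into an unencrypted PKCS#8 PrivateKeyInfo. The DER helpers, the function names and the textbook toy key at the bottom are this example's own construction; the toy key is not usable for anything and exists only so the code runs offline.

```python
"""Added example, not part of the HI GIO documentation: detect whether a PEM
private key is already PKCS#8 (the form the portal requires) by parsing its
DER structure, and wrap a traditional PKCS#1 RSA key into PKCS#8 when it is not.
All helpers and the toy key are this example's own construction."""
import base64

# ---- minimal DER encode/decode ---------------------------------------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content

def der_int(v: int) -> bytes:
    # minimal big-endian encoding with a leading 0x00 when the top bit is set
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position just after this element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

# ---- PEM <-> DER --------------------------------------------------------------
def pem_to_der(pem: str):
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    label = lines[0]
    body = "".join(ln for ln in lines[1:-1] if ":" not in ln)  # skip PEM headers
    return label, base64.b64decode(body)

def der_to_pem(label: str, data: bytes) -> str:
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"

# ---- format detection by structure, not by label ---------------------------------
def detect_key_format(pem: str) -> str:
    label, data = pem_to_der(pem)
    if "ENCRYPTED PRIVATE KEY" in label:
        return "PKCS#8 (encrypted)"       # importable; the portal asks for the passphrase
    if "Proc-Type: 4,ENCRYPTED" in pem:
        return "traditional (encrypted)"  # must be decrypted and re-wrapped first
    tag, body, _ = read_tlv(data)
    if tag != 0x30:
        return "unknown"
    t_ver, _, pos = read_tlv(body)        # every key structure starts with a version INTEGER
    if t_ver != 0x02:
        return "unknown"
    t_second, _, _ = read_tlv(body, pos)
    # PKCS#8 PrivateKeyInfo: AlgorithmIdentifier SEQUENCE (0x30)
    # PKCS#1 RSAPrivateKey: modulus INTEGER (0x02)
    # SEC1 ECPrivateKey: privateKey OCTET STRING (0x04)
    return {0x30: "PKCS#8", 0x02: "PKCS#1", 0x04: "SEC1"}.get(t_second, "unknown")

# ---- PKCS#1 -> PKCS#8 wrapping ----------------------------------------------------
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1

def pkcs1_to_pkcs8(pem: str) -> str:
    _, rsa_der = pem_to_der(pem)
    alg_id = der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")        # rsaEncryption, NULL params
    info = der(0x30, der_int(0) + alg_id + der(0x04, rsa_der))  # PrivateKeyInfo, version 0
    return der_to_pem("PRIVATE KEY", info)

def pkcs8_inner_key(pem: str) -> bytes:
    """Unwrap PrivateKeyInfo and return the embedded algorithm-specific key DER."""
    _, data = pem_to_der(pem)
    _, body, _ = read_tlv(data)
    _, _, pos = read_tlv(body)            # version
    _, _, pos = read_tlv(body, pos)       # AlgorithmIdentifier
    _, inner, _ = read_tlv(body, pos)     # OCTET STRING privateKey
    return inner

# ---- constructed toy key (textbook numbers, NOT a usable key) ---------------------
def toy_pkcs1_pem() -> str:
    p, q, e, d = 61, 53, 17, 2753
    fields = [0, p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return der_to_pem("RSA PRIVATE KEY", der(0x30, b"".join(der_int(x) for x in fields)))

if __name__ == "__main__":
    key = toy_pkcs1_pem()
    print(detect_key_format(key), "->", detect_key_format(pkcs1_to_pkcs8(key)))
```

Run detect_key_format on the key file before Step 6; if it reports PKCS#1 or SEC1, convert it first (the wrapper above covers RSA; for production keys the equivalent is `openssl pkcs8 -topk8`). Checking the structure rather than the label also catches a PKCS#8 key that was saved under a misleading "RSA PRIVATE KEY" header.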
This document guides how to use WAF on the HI GIO Portal to protect your virtual services from attacks and proactively prevent threats.
Configure Allowlist Rules for a Virtual Service
Edit the WAF Signatures for a Virtual Service
Step 1: Log in to the HI GIO portal, select Networking > Edge Gateways > Select Edge Gateway name from the primary left navigation panel.
Step 2: Select Virtual Services and click the virtual service name in the Load Balancer menu.
Step 3:
Step 4: Enter the rule name. To activate the rule upon creation, turn on the Active toggle. Select the match criteria, select the action to apply upon a match, then click Add.
Client IP Address
Select Is or Is Not to indicate whether to perform an action if the client IP matches or doesn't match the value that you enter.
Enter an IPv4 address, an IPv6 address, an address range, or a CIDR block.
(Optional) To add more IP addresses, click Add IP.
HTTP Method
Select Is or Is Not to indicate whether to perform an action if the HTTP method matches or doesn't match the value that you enter.
From the drop-down menu, select one or more HTTP methods.
Path
Enter a path string.
The path doesn't need to begin with a forward slash (/).
(Optional) To add more paths, click Add Path.
Host Header
Select a criterion for the host header.
Enter a value for the header.
Action: Description
Bypass: The WAF does not execute any further rules and the request is allowed.
Continue: Stops the allowlist execution and proceeds with WAF signature evaluation.
Detection Mode: The WAF evaluates and processes the incoming request but does not perform a blocking action. A log entry is created when the request is flagged.
You can edit the WAF signatures for a virtual service: change a signature's mode from Detection to Enforcement or vice versa, or, if necessary, deactivate a signature or a whole signature group.
Step 1: In the WAF tab, under the General section, click EDIT to edit the WAF configuration.
Step 2: Edit the WAF general settings: WAF State (Active/Deactivated) and Mode (Detection/Enforcement).
Step 3: In the WAF tab, under the Signature Groups section, you can see the signature groups included in your WAF policy. You can see if they are actively in use or not. You can also see the number of active rules in each group and the number of rules that have been overridden manually.
Step 4: Under Signature Groups, click the expand button on the left of the signature group you want to edit.
Step 5: To edit the signatures of a group, click Edit Signatures, select an action, then click SAVE.


Step 1: Log in to the HI GIO PORTAL as an Organization Administrator and Navigate to
Networking > Edge Gateway > Load Balancer > Pool.
Step 2: Press ADD to create and configure a load balancer pool.
General Settings Tab:
Name: type Pool name (example IIS-Web-Pool)
Default Server Port: The destination server port used by the traffic sent to the member (example 80)
Load Balancer Algorithm: (example Round Robin)
NSX ALB supports the following load-balancing methods:
Consistent Hash
Core Affinity
Fastest Response
Fewest Servers
Least Connections
Least Load
Round Robin
Persistence: The persistence profile will ensure that the same user sticks to the same server for a desired duration of time (e.g. Client IP)
NSX ALB supports the following persistence types:
System-Persistence-App-Cookie
System-Persistence-Client-IP
System-Persistence-Custom-HTTP-Header
System-Persistence-HTTP-Cookie
System-Persistence-TLS
Active Health Monitor: (example HTTP - This will send periodic HTTP HEAD requests to each server in the Pool to check the availability)
Add two or more entries in the Members tab and enter the IP addresses and port of the Virtual Machines running the application servers.
Press SAVE to create a non-encrypted pool.
General Settings Tab (encrypted pool):
Name: type Pool name (example IIS-Web-Pool)
Default Server Port: The destination server port used by the traffic sent to the member (example 443)
Health Monitor defaults, HTTP/HTTPS:
Send Interval: 10s
Receive Timeout: 4s
Successful Checks: 3
Log in to the HI GIO portal as an Organization Administrator and Navigate to
Networking > Edge Gateway > Load Balancer > Virtual Services.
Click ADD.
Virtual Service can be created with the required properties:
· Name: Virtual Service name
· Service-Engine-Group: select the SEG assigned to your Tenant
· Load Balancer Pool: select the load balancer pool (example: select App-587-Pool)
· Virtual IP: select one public IP for the VIP
· Service Type:
WAF State: Active / Deactivated
Mode:
Detection: In this mode, the WAF policy evaluates the incoming request; a log entry is created when the request is flagged.
Enforcement: In this mode, the WAF policy evaluates the request and blocks it according to the specified rules.
Load Balancer Algorithm and Persistence: the same options as listed for the non-encrypted pool above (example Round Robin, Client IP).
Active Health Monitor: (example HTTPS - This will send periodic HTTPS HEAD requests to each server in the Pool to check the availability)
Add two or more entries in the Members tab and enter the IP addresses and port of the Virtual Machines running the application servers.
In the SSL Settings Tab:
SSL Enable: Enable
Hide Service Certificates: disable
Select one or more certificates to be used by the Load Balancer Pool: Select your Certificate
Press SAVE to create an encrypted pool.
Failed Checks: 3
Health Monitor Port: use the Default Server Port of the pool.
HTTP request: HEAD / HTTP/1.0
Response Code: 2xx, 3xx
TCP:
Send Interval: 10s
Receive Timeout: 4s
Successful Checks: 2
Failed Checks: 2
Health Monitor Port: use the Default Server Port of the pool.
UDP:
Send Interval: 4s
Receive Timeout: 2s
Successful Checks: 2
Failed Checks: 2
Health Monitor Port: use the Default Server Port of the pool.
PING:
Send Interval: 10s
Receive Timeout: 4s
Successful Checks: 2
Failed Checks: 2
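The Successful Checks and Failed Checks values above are hysteresis thresholds: a member only changes state after that many consecutive probes in a row, so one slow response does not pull a server out of the pool and one lucky response does not put a sick server back in. The following is an added example, not HI GIO or NSX ALB code: it models the HTTP/HTTPS monitor with the page's defaults (HEAD / HTTP/1.0 probe, 2xx/3xx accepted, 3 successful and 3 failed checks), treating a missing response as a Receive Timeout. The parser, the state machine and the sample responses are this example's own construction; only the parameter names and default values come from the page.

```python
"""Added example, not from the HI GIO documentation: a model of how an active
HTTP/HTTPS health monitor with the defaults above moves a pool member between
UP and DOWN. Parser, state machine and sample data are constructed here."""
from dataclasses import dataclass
from typing import Optional, List

PROBE = b"HEAD / HTTP/1.0\r\n\r\n"     # the page's default HTTP request
ACCEPTED = ("2xx", "3xx")              # the page's default Response Codes

def response_ok(raw: Optional[bytes], accepted=ACCEPTED) -> bool:
    """True if the status line of a raw response is in an accepted class.
    None models a Receive Timeout (no bytes within 4s) and is never healthy."""
    if not raw:
        return False
    parts = raw.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return False
    return f"{int(parts[1]) // 100}xx" in accepted

@dataclass
class MemberHealth:
    successful_checks: int = 3   # consecutive OK probes needed for DOWN -> UP
    failed_checks: int = 3       # consecutive failed probes needed for UP -> DOWN
    state: str = "DOWN"          # a new member is DOWN until it passes the checks
    ok_streak: int = 0
    fail_streak: int = 0

    def probe(self, ok: bool) -> str:
        """Record one probe result and return the resulting member state.
        Each streak resets when the other kind of result arrives, so a flapping
        server needs a full run of consecutive results to change state."""
        if ok:
            self.ok_streak, self.fail_streak = self.ok_streak + 1, 0
            if self.state == "DOWN" and self.ok_streak >= self.successful_checks:
                self.state = "UP"
        else:
            self.fail_streak, self.ok_streak = self.fail_streak + 1, 0
            if self.state == "UP" and self.fail_streak >= self.failed_checks:
                self.state = "DOWN"
        return self.state

def run_monitor(responses, **monitor_settings) -> List[str]:
    """Feed a sequence of raw responses (None = timeout) through one monitor
    and return the member state after each probe."""
    member = MemberHealth(**monitor_settings)
    return [member.probe(response_ok(r)) for r in responses]

# Constructed sample responses, one per Send Interval (10s apart with the defaults).
SAMPLE = [
    b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n",
    b"HTTP/1.0 200 OK\r\n\r\n",
    b"HTTP/1.0 302 Found\r\nLocation: /login\r\n\r\n",  # 3xx is healthy: 3rd OK -> UP
    b"HTTP/1.0 503 Service Unavailable\r\n\r\n",        # 1st failure, still UP
    None,                                               # receive timeout, 2nd failure
    b"HTTP/1.0 500 Internal Server Error\r\n\r\n",      # 3rd failure -> DOWN
]

if __name__ == "__main__":
    print(run_monitor(SAMPLE))   # ['DOWN', 'DOWN', 'UP', 'UP', 'UP', 'DOWN']
```

The same model explains the DOWN virtual service in the troubleshooting section further below: a powered-off server or a host firewall that drops port 443 produces a run of timeouts, the member is marked DOWN after Failed Checks probes, and a pool with a single member then takes the virtual service down with it. Passing `successful_checks=2, failed_checks=2` reproduces the TCP and UDP defaults.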



· Port: application port (example 587)
If the Server Pool is an encrypted pool on port 443 (example: select IIS-Web-443-Pool), use the following settings instead:
· Virtual IP: Virtual Service IP Address (VIP)
· Service Type: HTTPS
· Certificate: Select your Certificate
· Port: application port (443 SSL and 80 no-SSL)
*Note: port 80 (no SSL) is added so that HTTP requests are redirected to HTTPS automatically. End users usually type the bare domain name rather than https://domain-name.
Press SAVE to create the Virtual Service. When this is the first Virtual Service, this might take some time because the Service Engine Virtual Machines need to be deployed. Subsequent virtual services will be faster as they just require a route addition. After a couple of minutes, you should be able to access the Virtual Service.
In some cases, a Virtual Service shows DOWN status (Health). To handle this, check the Server Pool status. Example: IIS-Web-443-VS is DOWN.
Check the Pool Server. We see that IIS-Web-443-VS is mapped to IIS-Web-443-Pool.
This Pool has only one server.
Continue by checking the server. We see that server 10.1.20.10:443 is DOWN.
Usually there are two causes:
The server is powered off: power it on.
Or a firewall rule on the server is blocking port 443: change the rule so the load balancer can reach port 443.
After powering on the VM, the Pool Server is UP again.
So Virtual Service IIS-Web-443-VS is also UP and working.
Step 1: Log in to the HI GIO PORTAL as an Organization Administrator and Navigate to
Networking > Edge Gateway > Load Balancer > Virtual Services.
Step 2: Click the “>>” icon beside the virtual service you want to monitor.
HI GIO LB supports statistics charts:
By time range (Past 30 minutes, 6 Hours, ...)
Application Metrics: End-to-End Timing, Throughput, Open Connection,…
Total time for End-to-End RTT.
Step 1: Log in to the HI GIO PORTAL as an Organization Administrator and Navigate to
Networking > Edge Gateway > Load Balancer > Pool.
Step 2: Click the “>>” icon beside the Pool you want to monitor.
HI GIO LB supports statistics charts:
By time range (Past 30 minutes, 6 Hours, ...)

Total time for End-to-End RTT.

The default Edge Gateway firewall rule for a Tenant is Deny all. You must create firewall rules to allow traffic from the internet to the virtual services. More detail is in the Edge Gateway firewall documentation.
Step 1: Log in to the HI GIO PORTAL as an Organization Administrator and Navigate to
Networking > Edge Gateway > Security > IP Sets.
Step 2: Press NEW to define the IP Set for the VIPs.
Name: type the IP Set name (example VIP-Web)
IP Address: type the IP address or IP range (the VIP address that was created before).
Step 1: Log in to the HI GIO PORTAL as an Organization Administrator and Navigate to
Networking > Edge Gateway > Services > Firewall.
Step 2: Press EDIT RULES and add a NEW RULE for the VIPs.
Name: type Rule name (example Allow_VSWeb)
Applications: choose your application types (example: HTTP and HTTPS)
Source: Any (for internet users)
Destination: Select IP Set configured before (example VS_192.168.2.10)
Action: Allow
Step 3: Click SAVE to complete EDIT RULES.
If a distributed firewall is in use in your environment, you must also create distributed firewall rules for the virtual service and the pool.
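Because the tenant default is Deny all, the only traffic that reaches a VIP is what a rule explicitly allows, so it is worth checking which ports on the VIP a rule set actually exposes before and after an edit. The following is an added example, not HI GIO or NSX code: a small model of the rule set described above, with an IP Set that accepts single addresses, ranges and CIDR blocks like the portal form, first-match evaluation, and the Deny all default. The IP Set parser, the Rule class, the exposure check and the sample source address 203.0.113.5 are constructed here; mapping the HTTP and HTTPS application objects to TCP 80 and 443 is an assumption.

```python
"""Added example, not from the HI GIO documentation: a model of an edge gateway
rule set with a Deny-all default, an IP Set holding the VIP, and one Allow rule
for HTTP/HTTPS. Rule evaluation and port mapping are this example's assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Assumption: the portal's HTTP and HTTPS application objects mean TCP 80 and 443.
APPLICATIONS = {"HTTP": {("tcp", 80)}, "HTTPS": {("tcp", 443)}}

def parse_ip_set(entries: List[str]) -> list:
    """Accept single addresses, 'a-b' ranges and CIDR blocks, as the IP Set form does."""
    nets = []
    for entry in entries:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in entry.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
    return nets

def in_ip_set(addr: str, nets: list) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

@dataclass
class Rule:
    name: str
    applications: Tuple[str, ...]   # e.g. ("HTTP", "HTTPS")
    source: Optional[list]          # None means Any
    destination: Optional[list]     # None means Any
    action: str                     # "Allow" or "Deny"

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        if self.source is not None and not in_ip_set(src, self.source):
            return False
        if self.destination is not None and not in_ip_set(dst, self.destination):
            return False
        services = {svc for app in self.applications for svc in APPLICATIONS[app]}
        return (proto, port) in services

def evaluate(rules: List[Rule], src: str, dst: str, proto: str, port: int):
    """First matching rule wins; anything unmatched hits the tenant default Deny all."""
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return rule.action, rule.name
    return "Deny", "default (Deny all)"

def check_exposure(rules: List[Rule], vip: str, ports=(22, 80, 443, 3389, 8080)) -> List[int]:
    """Return which of the listed TCP ports on the VIP are reachable from Any.
    203.0.113.5 is a constructed sample internet source address."""
    return [p for p in ports if evaluate(rules, "203.0.113.5", vip, "tcp", p)[0] == "Allow"]

# Constructed sample: IP Set VIP-Web holding the VIP from the page's example, and the Allow_VSWeb rule.
VIP_WEB = parse_ip_set(["192.168.2.10"])
RULES = [Rule("Allow_VSWeb", ("HTTP", "HTTPS"), None, VIP_WEB, "Allow")]

if __name__ == "__main__":
    print(check_exposure(RULES, "192.168.2.10"))   # [80, 443]
    print(evaluate(RULES, "203.0.113.5", "192.168.2.10", "tcp", 3389))
```

Adding a second VIP to the IP Set or a second application to the rule and re-running check_exposure shows exactly what the edit opened; an empty Source (Any) is correct for a public web VIP but should be narrowed for management ports.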