Enhanced Virtual Hosting in AKO

Overview

AKO currently creates an SNI child virtual service under a parent shared virtual service for each secure hostname. The SNI virtual service binds the hostname to an sslkeycert object, which is used to terminate the secure traffic on Avi's service engine. On the SNI virtual service, AKO creates httppolicyset rules that route the terminated (insecure) traffic to the appropriate pool object, using the host/path specified in the rules section of the ingress object.

With EVH (Enhanced Virtual Hosting) support in Avi, virtual hosting on a virtual service can be enabled irrespective of SNI. Also, SNI can only handle HTTPS (HTTP over SSL) traffic, whereas EVH children can handle both HTTP and HTTPS traffic. Unlike SNI, which switches only TLS (Transport Layer Security) connections based on a one-to-one mapping of children to FQDNs (Fully Qualified Domain Names), EVH maps one FQDN to many children based on the resource path requested.

With EVH enabled, host rule CRDs can be applied to insecure ingresses as well.

Naming of Avi Objects with EVH enabled

Shared Virtual Service Names

The shared virtual service names are derived based on a combination of fields to keep it unique per Kubernetes cluster. This is the only object in Avi that does not derive its name from any of the Kubernetes objects.
ShardVSName = clusterName + "--Shared-L7-EVH-" + <shardNum>

Here,

  • clusterName is the value specified in values.yaml during install.
  • Shared-L7-EVH is a constant identifier for shared virtual services
  • shardNum is the number of the shared virtual service, generated based on either hostname-based or namespace-based sharding.

EVH child Virtual Service Names

vsName = clusterName + "--" + hostName

EVH Pool Names

The formula to derive the names of an EVH child virtual service's pools is as follows:

poolName = clusterName + "--" + namespace + "-" + host + "_" + path + "-" + ingName + ServiceName

Here, the host and path variables denote the secure host's hostname and path as specified in the ingress object.

EVH Pool Group Names

poolgroupname = clusterName + "--" + namespace + "-" + host + "_" + path + "-" + ingName
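The following Go program is an added example, not AKO's own code, that applies the four naming formulas above to a constructed ingress so an operator can predict which Avi objects to look for on the controller. It shows that one host with several paths yields a single EVH child virtual service but one pool and one pool group per path. Two things are assumptions: the shard number is passed in because the article does not define the hostname- or namespace-based shard computation, and the leading "/" of each path is stripped before it is placed in the name, since the article does not state how the path is encoded. The pool name concatenates ingName and ServiceName with no separator, exactly as the article writes the formula.

```go
package main

import (
	"fmt"
	"strings"
)

// IngressPath is one path entry of a Kubernetes Ingress rule
// (constructed stand-in, not a client-go type).
type IngressPath struct {
	Path    string
	Service string
}

// Ingress holds the Kubernetes Ingress fields the naming formulas consume.
type Ingress struct {
	Namespace string
	Name      string
	Host      string
	Paths     []IngressPath
}

// SharedVSName implements ShardVSName = clusterName + "--Shared-L7-EVH-" + shardNum.
// shardNum is an input here; AKO's hostname/namespace sharding is not reproduced.
func SharedVSName(clusterName string, shardNum int) string {
	return fmt.Sprintf("%s--Shared-L7-EVH-%d", clusterName, shardNum)
}

// EVHChildVSName implements vsName = clusterName + "--" + hostName.
func EVHChildVSName(clusterName, host string) string {
	return clusterName + "--" + host
}

// pathSegment strips the leading "/" from an ingress path.
// Assumption: the article does not specify how the path is encoded into names.
func pathSegment(path string) string {
	return strings.TrimPrefix(path, "/")
}

// EVHPoolGroupName implements
// poolgroupname = clusterName + "--" + namespace + "-" + host + "_" + path + "-" + ingName.
func EVHPoolGroupName(clusterName, namespace, host, path, ingName string) string {
	return clusterName + "--" + namespace + "-" + host + "_" + pathSegment(path) + "-" + ingName
}

// EVHPoolName implements
// poolName = clusterName + "--" + namespace + "-" + host + "_" + path + "-" + ingName + ServiceName,
// i.e. the pool group name followed directly by the service name, as the article writes it.
func EVHPoolName(clusterName, namespace, host, path, ingName, serviceName string) string {
	return EVHPoolGroupName(clusterName, namespace, host, path, ingName) + serviceName
}

// DerivedObjects lists every Avi object name derived for one ingress host.
type DerivedObjects struct {
	SharedVS   string
	ChildVS    string
	PoolGroups []string
	Pools      []string
}

// DeriveEVHObjects walks the ingress paths and returns the expected Avi object names.
func DeriveEVHObjects(clusterName string, shardNum int, ing Ingress) DerivedObjects {
	out := DerivedObjects{
		SharedVS: SharedVSName(clusterName, shardNum),
		ChildVS:  EVHChildVSName(clusterName, ing.Host),
	}
	for _, p := range ing.Paths {
		out.PoolGroups = append(out.PoolGroups,
			EVHPoolGroupName(clusterName, ing.Namespace, ing.Host, p.Path, ing.Name))
		out.Pools = append(out.Pools,
			EVHPoolName(clusterName, ing.Namespace, ing.Host, p.Path, ing.Name, p.Service))
	}
	return out
}

func main() {
	// Constructed sample ingress: one host, two paths backed by two services.
	ing := Ingress{
		Namespace: "default",
		Name:      "shop-ingress",
		Host:      "shop.example.com",
		Paths: []IngressPath{
			{Path: "/cart", Service: "cart-svc"},
			{Path: "/catalog", Service: "catalog-svc"},
		},
	}
	objs := DeriveEVHObjects("my-cluster", 0, ing)
	fmt.Println("shared VS :", objs.SharedVS)
	fmt.Println("child VS  :", objs.ChildVS)
	for i := range objs.Pools {
		fmt.Println("pool group:", objs.PoolGroups[i])
		fmt.Println("pool      :", objs.Pools[i])
	}
}
```

Because the child virtual service name is keyed on the hostname only, adding a second ingress for the same host in another namespace produces new pools and pool groups but shares the same EVH child; checking the derived names before applying an ingress is a quick way to spot such overlaps.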

Document Revision History

Date            Change Summary
April 28, 2021  Published the article for Enhanced Virtual Hosting supported in AKO 1.4.1