Virtual Service Sideband Profile

Overview

For compliance and auditing purposes, where deep inspection of traffic is required, incoming HTTP(S) traffic can be replicated to logging/sideband servers at the protocol level. For instance, a web application firewall (WAF) appliance can monitor HTTP payloads for any anomalies.

How it Works

In the figure below, client traffic enters VS-1 via the front-end VIP network (color-coded in green). The sideband servers require and receive a subset of the inbound traffic (dashed green) over separate, secure connections between the SE and themselves. The sideband servers can be on a remote network, separated from the origin SE by one or more routers. Any responses from the sideband servers (color-coded in dashed orange) are dropped.

If a set of sideband servers is configured, the SEs distribute traffic to them in round-robin fashion, independent of the algorithm that chooses servers from within the virtual service’s back-end pool(s).

For the sake of performance, clients' POST payloads are only partially sent to sideband servers. Payloads are limited to 1kB by default, but the limit can be configured as high as 16kB.

Traffic between the SE and the back-end servers proceeds as usual.

Figure: Sideband profile configuration
NOTE: Do not confuse the sideband profile feature with Avi's traffic cloning feature. Both features replicate application traffic to an ancillary server or set of servers, but they differ in several very important ways. For more information, refer to the Traffic Cloning and Traffic Replication Options With Avi Vantage KB.

Configuration

This feature is enabled by configuring a sideband profile on the virtual service and specifying the sideband server's IP address in it. Multiple sideband servers can be configured, in which case traffic is sharded (round robin) among them.


[admin:10-10-22-34]: > configure virtualservice vs-1
[admin:10-10-22-34]: virtualservice> sideband_profile
[admin:10-10-22-34]: virtualservice:sideband_profile>
[admin:10-10-22-34]: virtualservice:sideband_profile> ip 1.1.1.1
[admin:10-10-22-34]: virtualservice:sideband_profile> ip 2.2.2.2
[admin:10-10-22-34]: virtualservice:sideband_profile> sideband_max_request_body_size 2048
[admin:10-10-22-34]: virtualservice:sideband_profile> save
[admin:10-10-22-34]: virtualservice> save
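
The following is an added example, not Avi code: a small Python model of the behavior described above, useful for estimating how much of each request body an inspection device on the sideband will see at a given sideband_max_request_body_size. The function names and sample traffic are hypothetical. It assumes that 1kB means 1024 bytes, that the leading bytes of a payload are the ones forwarded, and that round robin is applied per request.

```python
from itertools import cycle

DEFAULT_LIMIT = 1024     # assumption: the 1kB default taken as 1024 bytes
MAX_LIMIT = 16 * 1024    # assumption: the 16kB ceiling taken as 16384 bytes


def replicate(requests, sideband_ips, body_limit=DEFAULT_LIMIT):
    """Model what each sideband server receives.

    requests: iterable of (method, path, body_bytes) tuples.
    Returns one record per request: server chosen, bytes forwarded, bytes unseen.
    """
    if not 1 <= body_limit <= MAX_LIMIT:
        raise ValueError(f"body limit must be 1..{MAX_LIMIT} bytes")
    servers = cycle(sideband_ips)       # round robin, independent of the pool
    records = []
    for method, path, body in requests:
        forwarded = body[:body_limit]   # assumption: leading bytes are kept
        records.append({
            "server": next(servers),
            "method": method,
            "path": path,
            "forwarded": len(forwarded),
            "unseen": len(body) - len(forwarded),
        })
    return records


def coverage(records):
    """Fraction of request-body bytes the sideband servers actually saw."""
    sent = sum(r["forwarded"] for r in records)
    total = sent + sum(r["unseen"] for r in records)
    return 1.0 if total == 0 else sent / total


# Constructed sample traffic (not captured from a real deployment).
SAMPLE = [
    ("POST", "/login", b"u=alice&p=x"),
    ("POST", "/upload", b"A" * 5000),
    ("GET", "/index.html", b""),
    ("POST", "/api/order", b"B" * 2048),
]

if __name__ == "__main__":
    for limit in (DEFAULT_LIMIT, 2048, MAX_LIMIT):
        recs = replicate(SAMPLE, ["1.1.1.1", "2.2.2.2"], limit)
        print(limit, f"{coverage(recs):.1%}", [r["unseen"] for r in recs])
```

Any request with a non-zero "unseen" count carries body bytes that the sideband device never inspects, so the size limit should be chosen against the body sizes the application actually accepts.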