Layer7 API Management

  • 1.  Offloading SSL in Loadbalancer

    Posted Apr 04, 2018 06:37 AM

    Hi All,

    We are currently designing the architecture for our environment. We have a public-facing load balancer, and the CA API Gateway is placed in a private network. We suggested that the load balancer bypass the SSL and the CA Gateway take care of the SSL part. But the LB team suggested that they will do the SSL authentication and forward the message over the HTTP protocol to the CA API Gateway. Is this the correct approach? What is the best approach to design this requirement using the CA API GW? I have three options in mind.

    1) The load balancer terminates the SSL and sends the plain text to the CA Gateway. (When the LB is not using the message, why do they need to decrypt it?)

    2) The load balancer bypasses the SSL; the CA Gateway takes care of SSL authentication.

    3) The load balancer terminates the SSL at their end, and again there will be an SSL connection b/w the LB and the CA API GW.

     

    Can anyone tell me which is the best approach to follow?



  • 2.  Re: Offloading SSL in Loadbalancer
    Best Answer

    Posted Apr 04, 2018 06:58 AM

    1) The load balancer terminates the SSL and sends the plain text to the CA Gateway. (When the LB is not using the message, why do they need to decrypt it?)

    Terminating the SSL on the load balancer removes the extra CPU-intensive jobs from the Gateway.

     

    2) The load balancer bypasses the SSL; the CA Gateway takes care of SSL authentication.

    Terminating the SSL on the Gateway is needed for particular reasons. For example, if you are using a SOAP service and want to download the WSDL for that particular service, then you need to terminate SSL on the Gateway, as the WSDL that is fetched should have an https connection endpoint property in it.

    If the SSL is terminated on the LB, then you will get a WSDL with an http endpoint, because the LB is requesting the Gateway with the HTTP protocol.

    So in some scenarios you need to terminate the SSL on the Gateway. You can open different ports for different services.

     

    3) The load balancer terminates the SSL at their end, and again there will be an SSL connection b/w the LB and the CA API GW.

     

    One major reason for SSL termination on the LB is to get the client IP, which would be used for IP whitelisting.

    The load balancer can provide the client IP only if the SSL is terminated on the load balancer.

     

    Please correct me if I am wrong.

     

     

    Thanks,

    Irfan
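
An added example, not part of the original thread and not CA API Gateway policy code: when the load balancer terminates SSL and forwards HTTP, the gateway sees the LB as the TCP peer, so the client IP used for whitelisting has to come from a forwarded header that is trusted only when the LB sent it. The Python below assumes the LB appends the client address to X-Forwarded-For; the header choice, subnets and function names are illustrative assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]   # load balancer subnet
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]      # permitted client range


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def client_ip(peer_ip, xff_header):
    """Return the address to use for whitelisting, or None if it cannot be trusted.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    otherwise anyone who can reach the gateway directly could forge it.
    The header is read right to left, skipping trusted proxy hops, so the
    result is the address the load balancer itself observed. Values further
    left were supplied by the client and are ignored.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, TRUSTED_PROXIES) or not xff_header:
        return peer
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: fail closed
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return peer  # every hop was a trusted proxy


def is_allowed(peer_ip, xff_header):
    """Whitelist decision for one request as seen by the gateway."""
    addr = client_ip(peer_ip, xff_header)
    return addr is not None and _in_any(addr, ALLOWLIST)
```

The same decision applies whether the LB-to-gateway hop is plain HTTP or re-encrypted; what matters is that the gateway accepts the header only from the load balancer's addresses.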