Thanks Murali for your response.

> - any reason why you choose assignTo/RemoveFrom load balancer rule API's

I thought this made more sense than create/updateLoadbalancerRule as we would have to call update to delete a cert, which I find somewhat confusing. Also this is semantically similar to attaching instances, as in you have a separate entity which is being bound to different LBs.

> - to me SSL termination is value added service from providers perspective,
> So only if network offering permits, SSL termination can be used.

Got it. This seems the logical way. Good point.

> I see session persistence based on SSL session id's please see if
> this can be supported.

I was looking at persistence based on SSL session id's [1] and found that this is supported for the SSL bridge type of configuration, where NetScaler just bridges the data without any encryption/decryption. I am not sure about health checks and autoscale. I will look that up.

> - on the requirement #4, don't infer protocol based on the public/private
> ports and impose restrictions. Current createLoadBalancer API does not
> take protocol parameter so its inferred at device layer. NetScaler seems
> to support SSL with other TCP ports as well.

Would it be a good idea to add protocol to the createLoadBalancer API? I think this makes sense in the long run, as currently I cannot create an HTTP load balancer for port 8080 from CloudStack.

> One general implementation note, network rules can be reprogrammed. So
> operations to configure SSL cert, binding cert to virtual server etc need
> to be idempotent at NetScaler resource.

Thanks. I'll keep that in mind when implementing the resource layer.

Thanks a lot again for the replies. This is really helpful.

-- REFERENCES --
[1] http://support.citrix.com/proddocs/topic/netscaler-load-balancing-93/ns-lb-persistence-configuring-ssl-session-id-tsk.html

-Syed

On Wed, Oct 9, 2013 at 5:57 AM, Murali Reddy <murali.re...@citrix.com> wrote:
> Thanks Syed for the FS.
>
> Couple of comments:
>
> - any reason why you choose assignTo/RemoveFrom load balancer rule API's
> to assign/remove certificate to LB rules? These API's are basically for
> controlling VM membership with a load balancer rule. Can
> create/updateLoadBalancerRule API's be used for registering and
> de-registering certificate with load balancer rule?
>
> - to me SSL termination is value added service from providers perspective,
> its better we expose service differentiation in the network offering (e.g
> dedicated load balancer capability of LB service in the network offering).
> So only if network offering permits, SSL termination can be used.
>
> - does adding SSL termination support to load balancer affect/complement
> current session persistence, health monitoring, auto scale functionality
> anyway? I see session persistence based on SSL session id's please see if
> this can be supported.
>
> - as commented by others, fail fast at service layer on invalid certificate.
>
> - on the requirement #4, don't infer protocol based on the public/private
> ports and impose restrictions. Current createLoadBalancer API does not
> take protocol parameter so its inferred at device layer. NetScaler seems
> to support SSL with other TCP ports as well.
>
> One general implementation note, network rules can be reprogrammed. So
> operations to configure SSL cert, binding cert to virtual server etc need
> to be idempotent at NetScaler resource.
>
> [1]
> http://support.citrix.com/proddocs/topic/netscaler-ssl-93/ns-ssl-offloading-other-tcp-protocols-tsk.html
>
> On 08/10/13 11:44 PM, "Syed Ahmed" <sah...@cloudops.com> wrote:
>
>> Hi,
>>
>> I have been working on adding SSL offload functionality to CloudStack
>> and make it work for NetScaler. I have an initial design documented at
>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSL+Offloading+Support
>> and I would really love your feedback. The bug for this is
>> https://issues.apache.org/jira/browse/CLOUDSTACK-4821 .
>>
>> Thanks,
>> -Syed
>>
>>
>
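Two of the review points in this thread, "fail fast at service layer on invalid certificate" and "operations to configure SSL cert, binding cert to virtual server etc need to be idempotent at NetScaler resource", are easiest to see in running code. The example below is added here and is not code from this thread or from the CloudStack/NetScaler code base. It assumes a constructed in-memory stand-in for the device (`NetScalerSimulator`, which refuses to add an entity or binding that already exists, as an imperative CLI would) and constructed PEM strings whose body is a base64 placeholder rather than a real X.509 certificate; the function names (`validate_certificate`, `apply_ssl_termination`, `remove_ssl_termination`, `naive_apply`) are this example's own. The idempotent resource layer also keeps a cert key that is still bound to another virtual server, matching Syed's point that the certificate is a separate entity bound to several LBs.

```python
import base64
import binascii
import ssl

# Constructed inputs: a PEM-shaped certificate and key. The bodies are base64
# placeholders, NOT real X.509 or key material.
_CERT_BODY = base64.encodebytes(b"constructed placeholder, not a real certificate").decode()
_KEY_BODY = base64.encodebytes(b"constructed placeholder, not a real key").decode()
GOOD_CERT = "-----BEGIN CERTIFICATE-----\n" + _CERT_BODY + "-----END CERTIFICATE-----\n"
GOOD_KEY = "-----BEGIN PRIVATE KEY-----\n" + _KEY_BODY + "-----END PRIVATE KEY-----\n"


class NetScalerSimulator:
    """Constructed stand-in for the device. Like an imperative CLI, it errors
    when asked to create something that already exists or delete something
    that does not, so a resource layer that blindly replays commands breaks."""

    def __init__(self):
        self.certkeys = {}   # certkey name -> (cert_pem, key_pem)
        self.bindings = {}   # vserver name -> bound certkey name

    def add_certkey(self, name, cert_pem, key_pem):
        if name in self.certkeys:
            raise RuntimeError("ERROR: Resource already exists")
        self.certkeys[name] = (cert_pem, key_pem)

    def rm_certkey(self, name):
        if name not in self.certkeys:
            raise RuntimeError("ERROR: No such resource")
        del self.certkeys[name]

    def bind_ssl_vserver(self, vserver, name):
        if name not in self.certkeys:
            raise RuntimeError("ERROR: No such certkey")
        if self.bindings.get(vserver) == name:
            raise RuntimeError("ERROR: Binding already exists")
        self.bindings[vserver] = name

    def unbind_ssl_vserver(self, vserver):
        if vserver not in self.bindings:
            raise RuntimeError("ERROR: No such binding")
        del self.bindings[vserver]


def validate_certificate(cert_pem, key_pem):
    """Service-layer fail-fast check. Rejects input that is not PEM-shaped
    before anything is sent to the device. This is a structural check only;
    a production check would parse the X.509 certificate, confirm the key
    matches its public key and check validity dates. Returns the DER length."""
    try:
        der = ssl.PEM_cert_to_DER_cert(cert_pem)   # enforces BEGIN/END markers and base64
    except (ValueError, binascii.Error) as e:
        raise ValueError("invalid certificate PEM: %s" % e)
    if not der:
        raise ValueError("certificate body is empty")
    k = key_pem.strip()
    if not (k.startswith("-----BEGIN") and k.endswith("PRIVATE KEY-----")):
        raise ValueError("private key is not PEM encoded")
    return len(der)


def naive_apply(ns, vserver, certkey, cert_pem, key_pem):
    """Non-idempotent version: replays create commands, so reprogramming the
    same rule a second time raises on the device."""
    ns.add_certkey(certkey, cert_pem, key_pem)
    ns.bind_ssl_vserver(vserver, certkey)
    return ns.bindings[vserver]


def apply_ssl_termination(ns, vserver, certkey, cert_pem, key_pem):
    """Idempotent version: converge on 'certkey exists and is bound to vserver'.
    On a real device the existence checks would be 'show' queries."""
    if certkey not in ns.certkeys:
        ns.add_certkey(certkey, cert_pem, key_pem)
    if ns.bindings.get(vserver) != certkey:
        ns.bind_ssl_vserver(vserver, certkey)
    return ns.bindings[vserver]


def remove_ssl_termination(ns, vserver, certkey):
    """Idempotent removal: unbind if bound; delete the certkey only when no
    other virtual server still uses it. Safe to call repeatedly."""
    if ns.bindings.get(vserver) == certkey:
        ns.unbind_ssl_vserver(vserver)
    if certkey in ns.certkeys and certkey not in ns.bindings.values():
        ns.rm_certkey(certkey)
    return vserver not in ns.bindings


def raises(fn, exc):
    """Small helper so callers can check that a call fails with `exc`."""
    try:
        fn()
    except exc:
        return True
    return False


if __name__ == "__main__":
    ns = NetScalerSimulator()
    apply_ssl_termination(ns, "lb-443", "cert1", GOOD_CERT, GOOD_KEY)
    apply_ssl_termination(ns, "lb-443", "cert1", GOOD_CERT, GOOD_KEY)  # reprogram: no error
    print("bindings after reprogram:", ns.bindings)
```

Running the module twice applies the same rule and shows the second run is a no-op, which is the property that matters when CloudStack reprograms all network rules after a restart or a failover.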