Create services

Services represent the back-end servers in your VPC. These servers are the origin servers of your application.

  1. Click Create Service.
  2. Specify values for the following parameters:
    • Name
    • Protocol: Select HTTPS to create an SSL service. For more information, see Configure an SSL profile.
    • Port
    • App Server Type: Select Auto Scaling Group, EC2 Instances, or Servers, and then select an auto scaling group, an EC2 instance, or a server type respectively. Only app servers from the selected environment are displayed.

      • Server type has two options: IP address and FQDN. Select an option.
      • Specify an IP address or FQDN, and click Add Server. The details appear in the List of Servers table.

  3. Click Create.

  4. Click Next.

Self-heal slow application servers

A poorly performing server can affect the performance of your applications. If an Autoscale group is configured, the self-healing capability of the CADS service can detect a slow server and take remedial action accordingly.

For example, if the response time of one of the servers is consistently poor, the CADS service identifies this server, and gracefully replaces it with a healthy server.

The service considers the following conditions while replacing a faulty server:

  • All persistent connections are honored.
  • Existing connections are completed.
  • New connections aren’t accepted for the faulty server.

Related actions taken by the CADS service are logged, and admins can view them in the Action History. For more information, see Monitor self-healing.

Configure detecting and auto-replacing a slow server

  1. Navigate to Applications > New Application.
  2. Type a name for the application, and select an environment.
  3. Click Next.
  4. Click Create Service.
  5. In the Create Service page, type values for the following parameters:
    • Name
    • Protocol
    • Port
    • App Server Type: Select Auto Scaling Group.
    • Select a group from the list.
  6. Slide the following toggles to enable the functionality:

    • Detect slow server
    • Auto-replace slow server

Configure an SSL profile

An SSL profile on the CADS service comprises settings related to SNI, server authentication, cipher suites, and protocol versions configured on an SSL service.

Support for SNI on the back-end application servers

The CADS service supports dynamic SNI on the back-end TLS connections. SNI helps to enable SSL encryption on multiple domains if the domains are controlled by the same organization and share the same second-level domain name. For example, *.sports.net can be used to secure domains such as login.sports.net and help.sports.net.

If the back-end server is configured for multiple domains, the server can respond with the correct certificate based on the SNI received in the Client Hello message. The service learns the SNI in the client connection and uses it in the server-side connection. In other words, the common name received in the SNI extension of the Client Hello message is forwarded to the back-end SSL connection.

When server authentication is enabled, the server certificate is verified against the CA certificate, and the common name/SAN entries in the server certificate are matched with the SNI. Therefore, the CA certificate must be bound to the service.
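
The name check described above, sketched as an added example (not CADS code and not from the original page). The function names are hypothetical, and the matching rules are an assumption following RFC 6125 conventions, because the page does not document the service's exact algorithm.

```python
# Added example (not CADS code): match a forwarded SNI against certificate names.
def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, sni):
    """True if one certificate DNS name (possibly a wildcard) covers the SNI."""
    p, h = _labels(pattern), _labels(sni)
    if len(p) != len(h) or "" in p or "" in h:
        return False          # a wildcard covers exactly one label, no more
    if any("*" in label for label in h):
        return False          # an SNI value is never itself a wildcard
    if p[0] == "*":
        # Conservative assumption: the wildcard is the whole left-most label
        # and sits below at least a second-level domain (*.sports.net).
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    if any("*" in label for label in p):
        return False          # partial or misplaced wildcards are rejected
    return p == h


def backend_identity_ok(sni, san_dns, common_name=None):
    """Check the SNI learned from the Client Hello against the server
    certificate. Assumption: the common name is consulted only when the
    certificate carries no SAN DNS entries (RFC 6125 behaviour)."""
    names = list(san_dns) or ([common_name] if common_name else [])
    return any(name_matches(n, sni) for n in names)


# Constructed sample: a back-end certificate for the page's *.sports.net case.
SAN = ["*.sports.net"]
RESULTS = {sni: backend_identity_ok(sni, SAN) for sni in
           ["login.sports.net", "help.sports.net", "sports.net",
            "a.login.sports.net", "login.sports.net.example.org"]}

if __name__ == "__main__":
    for sni, ok in RESULTS.items():
        print(f"{sni:32} {'match' if ok else 'REJECT'}")
```

The wildcard covers login.sports.net and help.sports.net but not the bare sports.net or a deeper name such as a.login.sports.net, so back ends reached under those names need their own SAN entries once server authentication is enabled.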

Configure SNI on the SSL profile

  1. Navigate to Applications > New Application.
  2. Type a name for the application, and select an environment.
  3. Click Next.
  4. Click Create Service.
  5. In the Create Service page, specify a name for the service and select HTTPS as the protocol.
  6. Click Bind SSL Profile.
  7. Click Add.
  8. Specify a name for the SSL policy, select SNI, and click Create.

    The policy is listed on the Bind SSL Policy page.

  9. Select the policy and click Bind. The policy is listed on the Create Service page.

You have successfully configured SNI on the back-end application servers.

Configure server authentication

Since the CADS service performs SSL offload and acceleration on behalf of an application server, the service does not usually authenticate the origin application server’s certificate. However, you can authenticate the server in deployments that require end-to-end SSL authentication.

In such a situation, the service becomes the SSL client and carries out a secure transaction with the back-end application server. It verifies that a CA whose certificate is bound to the service has signed the server certificate, and checks the validity of the server certificate.

To authenticate the server, enable server authentication and bind the certificate of the CA that signed the server’s certificate to the SSL service.

Configure server authentication on the SSL profile

  1. Navigate to Applications > New Application.
  2. Type a name for the application, and select an environment.
  3. Click Next.
  4. Click Create Service.
  5. In the Create Service page, specify a name for the service and select HTTPS as the protocol.
  6. Click Bind SSL Profile.

  7. Click Add.
  8. Specify a name for the SSL policy, select Server Authentication, and click Create. The policy is listed on the Bind SSL Policy page.

  9. Select the policy and click Bind. The policy is listed on the Create Service page. Click Bind CA Certificates.

  10. Click Create SSL Certificate.

  11. Specify a name for the certificate and choose a certificate file. CA certificates don’t need a key.

  12. Click Create. The certificate is listed on the SSL certificates page.

  13. Click Create.

You have successfully configured server authentication in the SSL profile.

Configure SSL cipher suites and protocol

SSL cipher suites help to establish a secure connection between your app servers and the client. Select the cipher suites to use in your setup.

The protocol version is used during the SSL handshake. Select one or more protocol versions that your app servers support. By default, the highest protocol version that both peers support is selected.

Configure cipher suites and protocol version on the SSL profile

  1. Navigate to Applications > New Application.
  2. Type a name for the application, and select an environment.
  3. Click Next.
  4. Click Create Service.
  5. In the Create Service page, specify a name for the service and select HTTPS as the protocol.
  6. Click Bind SSL Profile.
  7. In the Bind SSL Policy page, click Add.
  8. Specify a name for the SSL policy.
  9. Click Select All Cipher or select individual cipher suites from the list. You can expand each group to view the ciphers that are part of the group, and select or unselect individual ciphers.
  10. Select the Protocol Version.
  11. Click Create.

    The policy is listed on the Bind SSL Policy page.

  12. Select the policy and click Bind. The policy is listed on the Create Service page.

You have successfully created an SSL profile and bound it to an SSL service.
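
A check that can be run over the cipher suites and protocol versions chosen in steps 9 and 10, which is most useful after Select All Cipher because that enables whatever the list contains. This is an added example, not part of the product or the original page; the suite names use the IANA TLS_* form, and the protocol labels and sample selection are constructed, since the console's own labels are not shown here.

```python
# Added example (not CADS code): flag weak choices in an SSL policy selection.
DEPRECATED_PROTOCOLS = {
    "SSLv3": "deprecated by RFC 7568",
    "TLSv1.0": "deprecated by RFC 8996",
    "TLSv1.1": "deprecated by RFC 8996",
}
# Matched against whole "_"-separated tokens, so "3DES" never matches "DES".
WEAK_TOKENS = {
    "NULL": "no encryption",
    "EXPORT": "export-grade key length",
    "anon": "unauthenticated key exchange",
    "RC4": "RC4 is prohibited by RFC 7465",
    "DES": "single DES, 56-bit key",
    "3DES": "64-bit block cipher",
    "MD5": "MD5-based MAC",
}


def audit_cipher(suite):
    """Return the reasons a cipher suite name is considered weak (may be empty)."""
    tokens = suite.split("_")
    reasons = [why for tok, why in WEAK_TOKENS.items() if tok in tokens]
    if suite.startswith("TLS_RSA_"):
        reasons.append("static RSA key exchange, no forward secrecy")
    return reasons


def audit_policy(ciphers, protocols):
    """Map each weak cipher suite or deprecated protocol to its reasons."""
    findings = {s: audit_cipher(s) for s in ciphers if audit_cipher(s)}
    for proto in protocols:
        if proto in DEPRECATED_PROTOCOLS:
            findings[proto] = [DEPRECATED_PROTOCOLS[proto]]
    return findings


# Constructed sample of what a "select all" style policy might contain.
SAMPLE_CIPHERS = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
]
SAMPLE_PROTOCOLS = ["TLSv1.0", "TLSv1.2"]

if __name__ == "__main__":
    for item, why in audit_policy(SAMPLE_CIPHERS, SAMPLE_PROTOCOLS).items():
        print(f"{item}: {'; '.join(why)}")
```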
