1
00:00:01,020 --> 00:00:07,530
Welcome back. More ELB questions. What types of security policies are supported by the Elastic Load Balancer

2
00:00:07,650 --> 00:00:12,120
for SSL negotiations between the ELB and clients? Choose two.

3
00:00:12,540 --> 00:00:15,780
And I think from the previous lecture this is obvious.

4
00:00:15,870 --> 00:00:24,210
So A, custom security policies; B, ELB predefined security policies; C, security groups; D, none of the

5
00:00:24,210 --> 00:00:24,850
above.

6
00:00:25,050 --> 00:00:26,490
OK, so this is not right.

7
00:00:26,490 --> 00:00:27,450
This is not right.

8
00:00:27,480 --> 00:00:29,830
And this one is correct, this one is correct.

9
00:00:29,890 --> 00:00:34,810
Now if they mentioned to you what types of security policies are supported by the Classic Load Balancer

10
00:00:34,830 --> 00:00:41,490
for SSL negotiations between the ELB and the EC2 instances, so that becomes the back end, you know,

11
00:00:41,520 --> 00:00:49,410
ELB and client is front end, ELB and EC2 instances or back-end EC2 instances or for back-end listeners,

12
00:00:49,650 --> 00:00:55,140
then it would have been only the predefined security policy, because this one doesn't apply for the back end.

13
00:00:55,200 --> 00:00:55,760
OK.

14
00:00:56,070 --> 00:01:03,000
So in this one the correct answer is: C and D are not correct, and the right ones are A and B.

15
00:01:02,990 --> 00:01:04,740
Here is another question.

16
00:01:04,740 --> 00:01:12,740
So a user has configured ELB with a TCP listener at the ELB as well as on the back-end instances.

17
00:01:12,780 --> 00:01:22,200
So TCP listeners on the ELB and the back-end EC2 instances. The user wants to enable a proxy protocol

18
00:01:23,150 --> 00:01:26,790
so the user wants to enable a proxy protocol.

19
00:01:27,040 --> 00:01:33,800
Of course that is on the ELB, to capture the source and destination IP information in the header.

20
00:01:33,830 --> 00:01:35,120
So who's going to capture that?

21
00:01:35,120 --> 00:01:37,640
This is the application right here.

22
00:01:37,640 --> 00:01:45,710
When the packet is sent through with the proxy header added into the packet, the EC2 instance will be able

23
00:01:45,710 --> 00:01:54,530
to read the header and find out the actual exactly the actual client that sent that request.

24
00:01:56,720 --> 00:01:59,850
Which of the below-mentioned statements helps.

25
00:01:59,980 --> 00:02:00,280
OK.

26
00:02:00,310 --> 00:02:02,420
This is where I get irritated.

27
00:02:02,420 --> 00:02:05,000
This is where the attention has to be.

28
00:02:05,000 --> 00:02:07,490
Is it "helps" or "does not help"?

29
00:02:07,760 --> 00:02:08,840
Here it says "helps".

30
00:02:08,840 --> 00:02:09,940
So that's fine.

31
00:02:09,980 --> 00:02:17,480
So I shouldn't be worried about getting answers and all that. Understand what does enabling proxy protocol

32
00:02:17,480 --> 00:02:20,120
with TCP configuration on the ELB do.

33
00:02:20,490 --> 00:02:26,020
So we need one statement because we don't have multiple choices here.

34
00:02:26,020 --> 00:02:33,610
One statement that would help the user understand the effect or the impact of enabling the proxy protocol

35
00:02:33,610 --> 00:02:35,890
with TCP configurations on the ELB.

36
00:02:36,280 --> 00:02:43,360
So the answers are: A, if the end user is requesting behind a proxy server then the user should not

37
00:02:43,390 --> 00:02:52,030
enable a proxy protocol on the ELB. B, ELB does not support a proxy protocol except with the HTTP listeners

38
00:02:52,030 --> 00:02:59,920
configured at the front end. C, to enable proxy protocol the ELB must have SSL both for front and back

39
00:02:59,920 --> 00:03:07,370
end listeners. D, you can enable proxy protocol disregarding whether the user is behind a proxy; the

40
00:03:07,370 --> 00:03:11,730
back-end instances can read more than one proxy header in the packet.

41
00:03:11,800 --> 00:03:13,530
Let's look at the analysis.

42
00:03:13,540 --> 00:03:15,710
So A: if the end user.

43
00:03:15,880 --> 00:03:20,230
Which end user are we talking about? You're talking about the clients, the ones who are connected through

44
00:03:20,230 --> 00:03:26,110
the Internet through it enabling us to the ELB.

45
00:03:26,110 --> 00:03:29,920
So these are the end users, if they are behind a proxy.

46
00:03:29,920 --> 00:03:35,720
So if they have the traffic that comes from the user machine or the laptop or handheld or whatever,

47
00:03:36,070 --> 00:03:45,140
if it passes through a proxy, if there is a proxy server, then the user should not enable a proxy protocol.

48
00:03:45,160 --> 00:03:48,340
So which user here, we're talking about the end user or the client?

49
00:03:48,340 --> 00:03:49,890
Here we're talking about the administrator.

50
00:03:49,900 --> 00:03:58,100
Whoever runs the ELB should not enable a proxy protocol on the ELB. So you should not enable proxy

51
00:03:58,100 --> 00:04:06,110
protocol on the ELB if the traffic that would arrive at the ELB already had passed through a proxy.

52
00:04:06,110 --> 00:04:07,740
Is this one correct or wrong?

53
00:04:08,030 --> 00:04:13,690
What do you think? We are looking for one that would help the user understand, or to understand.

54
00:04:13,730 --> 00:04:14,250
Not sure.

55
00:04:14,270 --> 00:04:15,640
So let's leave it for now.

56
00:04:16,010 --> 00:04:23,590
B: ELB does not support a proxy protocol except with HTTPS listeners configured at the front.

57
00:04:23,590 --> 00:04:25,870
And this is like obviously wrong.

58
00:04:25,880 --> 00:04:26,830
Why?

59
00:04:26,840 --> 00:04:33,090
Because to enable proxy protocol we have to deal with TCP and SSL. HTTP and HTTPS

60
00:04:33,110 --> 00:04:34,920
are not in the picture at all.

61
00:04:34,940 --> 00:04:36,780
We are talking about proxy protocol.

62
00:04:37,010 --> 00:04:37,950
So this one is wrong.

63
00:04:39,500 --> 00:04:46,290
To enable proxy protocol the ELB must have SSL both for front-end and back-end listeners.

64
00:04:46,370 --> 00:04:47,290
This is wrong.

65
00:04:47,450 --> 00:04:55,550
And in fact proxy protocol is only supported if you have TCP/TCP front end and back end, or SSL

66
00:04:55,610 --> 00:05:00,830
front end and TCP back end. We'll cover that in one of the next questions.

67
00:05:00,920 --> 00:05:08,330
D: you can enable proxy protocol disregarding whether the user is behind a proxy; the back-end instances

68
00:05:08,330 --> 00:05:10,900
can read more than one proxy header in the packet.

69
00:05:10,910 --> 00:05:12,380
And this is obviously wrong.

70
00:05:12,380 --> 00:05:13,530
So we are left with this one.

71
00:05:13,550 --> 00:05:15,320
This one is the correct one.

72
00:05:15,320 --> 00:05:16,100
I just left it.

73
00:05:16,090 --> 00:05:21,950
I knew what the answer was but I just left it because I wanted to make sure that you guys can kind of

74
00:05:21,950 --> 00:05:29,090
trigger your memory and remember the critical part of ELB, and this was explicitly mentioned in

75
00:05:29,330 --> 00:05:31,470
one of the slides.

76
00:05:31,590 --> 00:05:39,430
So the application that you are using, or the web server, the Apache, the HAProxy, or whatever you

77
00:05:39,430 --> 00:05:46,390
are using here, if it can support proxy headers, it will expect to see one proxy header

78
00:05:46,690 --> 00:05:52,540
in the packet, not multiple proxy headers, because that could cause errors. The application would be confused

79
00:05:52,570 --> 00:05:59,290
as to which one it reads, and if it reads the wrong one then it may do actions, based on how you have configured

80
00:05:59,320 --> 00:06:04,270
and scripted the application, it may do actions based on a wrong input.

81
00:06:05,620 --> 00:06:09,800
So if the packet comes through a proxy, don't enable proxy on the ELB.

82
00:06:09,850 --> 00:06:16,300
Now one would ask me, OK, so how can the application then find out about the source,

83
00:06:16,300 --> 00:06:18,580
the ones who sent the request?

84
00:06:18,580 --> 00:06:19,810
How can that be conveyed?

85
00:06:19,810 --> 00:06:20,990
You have another option.

86
00:06:21,010 --> 00:06:25,910
I remember in HTTP/HTTPS you have the X-Forwarded-For, right?

87
00:06:25,930 --> 00:06:29,240
So we have another option to do that.

88
00:06:29,280 --> 00:06:38,320
So the answers: A is correct, B is incorrect, C is incorrect, and D is incorrect as well.

89
00:06:38,460 --> 00:06:40,460
So the correct answer is A.

90
00:06:40,830 --> 00:06:45,040
OK so take a quick break and we'll pick it up again in the next lecture and see the.
