Configure a Layer 7 Load Balancer
A Layer 7 load balancer provides cloud-native ingress for the C3 Agentic AI Platform: it distributes load, makes routing decisions, and terminates SSL/TLS. As part of configuring it, you attach a web application firewall (WAF) that adds a further layer of protection for your applications and data.
Depending on your cloud provider, the Layer 7 load balancer is known by one of the following names:
- AWS: Application Load Balancer (ALB)
- Azure: Application Gateway
- GCP: HTTPS Load Balancer
Prerequisites
See the following documentation before you configure a Layer 7 load balancer:
- Non-Standard Deployment Requirements
- Secret Creation for Installation and Deployment
- C3 AI Helm Chart Overview and Installation
Layer 7 load balancer configuration requires the following inputs:
- WAF policy: The C3 AI deployment Terraform scripts output a WAF policy for your cloud provider. Obtain the policy's identifier from your cloud provider:
- AWS: WAFv2 ARN
- Azure: WAF policy resourceID
- GCP: Cloud Armor policy name
- SSL policy: Obtain the name of the SSL (TLS) policy from your cloud provider.
Configure a Layer 7 load balancer
Set up a Layer 7 load balancer when you configure the c3aiops and c3server Helm charts. The following snippets show the values to set in each chart.
c3aiops
In the c3aiops Helm chart, configure c3IngressController and provide your SSL policy. These settings are enabled by default:

c3IngressController:
  enabled: true
  cloudNativeIngress:
    enabled: true
    controllerConfig:
      aws:
        sslPolicy: "<ssl_policy_name>" # Obtain the SSL policy name from your cloud provider
        waf:
          enabled: true
          wafv2:
            enabled: true
          shield:
            enabled: true

c3server
The following snippets from the c3server Helm chart show example settings for a Layer 7 load balancer; the comments describe each field.
Set the WAF policy and specify the ingress hosts. Replace the values according to your cloud provider:
cloudNativeLoadBalancerToNginx: # Ingress controller for the Layer 7 load balancer; references the WAF and attaches it to the load balancer
  enabled: true # Set to true to enable the Layer 7 load balancer
  azure: # or aws or gcp
    wafPolicyForPath: "/subscriptions/<azure_subscription_id>/resourceGroups/<cluster_id>-rsgp-c3-01/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/<cluster_id>-waf-pol-01" # Replace <cluster_id> and <azure_subscription_id> with your own
  # AWS example, replace <cluster_id>, <aws_region>, <aws_account_id>, and <waf_acl_id> with your own:
  # aws:
  #   wafv2:
  #     aclArn: "arn:aws:wafv2:<aws_region>:<aws_account_id>:regional/webacl/<cluster_id>-waf-acl-01/<waf_acl_id>"
  #   ingressSecurityGroups: "<cluster_id>-sg-dmz-01"
  # GCP example, replace <cluster_id> with your own:
  # gcp:
  #   securityPolicyName: "<cluster_id>-securitypolicy-lb"
  # ingress:
  #   hosts:
  #     - "*.<example_url>"
  ingress:
    hosts: # Must match the cluster hostname; the Layer 7 load balancer routes on this hostname
      - "*.<example_url>" # Use a wildcard to allow multiple AppUrls under a single domain. If multiple domains share one Layer 7 load balancer, add each domain as a separate entry.

Enable Nginx to create the Kubernetes ClusterRole and ClusterRoleBinding it needs to distinguish between IngressClass names:
c3-nginx-ingress:
  # ...
  - name: docker-registry-secret # Set the secret name
  controller:
    image:
      registry: registry.c3.ai # Set the registry
    autoscaling: # Determines how the Nginx ingress controller scales
      enabled: true
      maxReplicas: 20
      minReplicas: 2 # Set to 1 to use fewer resources
    config:
      force-ssl-redirect: false # Set to false: the Layer 7 load balancer terminates TLS and forwards plain HTTP to Nginx, so Nginx itself must not redirect to HTTPS (the load balancer's sslRedirect setting handles that)
    # ...
    enableHttp: false # Set to false to disable the HTTP port in the default Nginx service

(For AWS) Import the certificate into AWS Certificate Manager
If your cloud provider is AWS, import the certificate that the ALB presents for HTTPS connections into AWS Certificate Manager (ACM). See Import certificates into AWS Certificate Manager in the AWS documentation.
(Optional) Additional configurations
The following fields provide additional configurability. Add them to the c3server Helm chart to specify health check settings, request timeout settings, and more.
If you do not set these fields, the platform uses recommended defaults.
cloudNativeLoadBalancerToNginx:
  # NGINX health check configuration
  healthCheck:
    protocol: HTTP # Protocol used for health checks (HTTP or HTTPS)
    interval: 30 # Seconds between health checks
    timeout: 10 # Seconds before a single health check times out
    healthyThreshold: 2 # Consecutive successful checks before a target is marked healthy
    unhealthyThreshold: 2 # Consecutive failed checks before a target is marked unhealthy (ignored on Azure)
    path: /healthz # Path probed for health
    port: 10254 # Port probed for health
    successCodes: "200" # HTTP status codes that count as a successful check
  requestTimeout: 3600 # Request timeout in seconds
  sslRedirect: true # Redirect HTTP to HTTPS at the load balancer
  # Annotations for the load balancer
  ingress:
    defaultAnnotations: true # Use the default annotations
    additionalAnnotations: {} # Additional annotations for the load balancer
    tlsSecret: tls-cert # TLS secret used for SSL termination

For Azure, the platform has the following additional configuration for the Layer 7 load balancer:
c3-nginx-ingress:
  controller:
    config:
      keep-alive: "320" # Maximum idle timeout of the provider's load balancer plus a 20 s buffer (320 seconds for Azure), so Nginx never closes an idle connection before the load balancer does

For AWS, the platform has the following additional configuration for the Layer 7 load balancer:
cloudNativeLoadBalancerToNginx:
  aws:
    idleTimeout: 3600 # Idle timeout in seconds for the Layer 7 load balancer
c3-nginx-ingress:
  controller:
    config:
      keep-alive: "3620" # idleTimeout plus a 20 s buffer (3620 seconds for AWS)
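As an added example (not part of the C3 AI Helm charts or their documentation), the following Python script checks a set of c3server and c3-nginx-ingress values against the rules this page sets out before you run helm upgrade: exactly one provider block carrying a well-formed WAF reference, at least one ingress host, Nginx neither redirecting to HTTPS nor serving HTTP itself, and a keep-alive that exceeds the load balancer's idle timeout by the 20 s buffer. The checker, its finding codes and the two sample value sets are constructed for illustration; the Azure idle timeout of 300 s is an assumption derived from the page's 320 s example, while the AWS figure is read from idleTimeout.

```python
"""Pre-deployment check of the Layer 7 load balancer Helm values shown above.

Added example, not part of the C3 AI Helm charts. It takes the values as the
dict that yaml.safe_load() returns for a values.yaml file and flags the
mistakes the page warns about. Provider idle timeouts other than the AWS
`idleTimeout` value are assumptions (Azure 300 s, from the 320 s example).
"""
import re

KEEPALIVE_BUFFER_S = 20
ASSUMED_IDLE_TIMEOUT_S = {"azure": 300}  # assumption: the page's 320 s example minus the buffer

# Where each provider's WAF reference lives under cloudNativeLoadBalancerToNginx.<provider>,
# and what a well-formed reference looks like.
WAF_REF_PATH = {"aws": ("wafv2", "aclArn"), "azure": ("wafPolicyForPath",), "gcp": ("securityPolicyName",)}
WAF_REF_PATTERN = {
    "aws": re.compile(r"^arn:aws:wafv2:[a-z0-9-]+:\d{12}:regional/webacl/[^/]+/[0-9a-f-]+$"),
    "azure": re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Network/"
                        r"ApplicationGatewayWebApplicationFirewallPolicies/[^/]+$", re.IGNORECASE),
    "gcp": re.compile(r"^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$"),  # a GCP resource name, not a full URI
}


def _get(d, *path, default=None):
    """Walk nested dicts; return default as soon as a key is missing."""
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d


def _is_false(v):
    """Helm values may carry booleans as bools or as the strings "true"/"false"."""
    return v is False or (isinstance(v, str) and v.strip().lower() == "false")


def check_l7_values(values):
    """Return a list of 'CODE: detail' findings; an empty list means the values pass."""
    findings = []
    lb = _get(values, "cloudNativeLoadBalancerToNginx", default={})
    if lb.get("enabled") is not True:
        findings.append("L7-DISABLED: cloudNativeLoadBalancerToNginx.enabled must be true")
    providers = [p for p in ("aws", "azure", "gcp") if isinstance(lb.get(p), dict)]
    if len(providers) != 1:
        findings.append(f"PROVIDER: expected exactly one provider block, found {providers}")
        return findings  # the remaining checks are provider-specific
    provider = providers[0]

    ref = _get(lb, provider, *WAF_REF_PATH[provider])
    if not isinstance(ref, str) or not WAF_REF_PATTERN[provider].match(ref):
        findings.append(f"WAF-REF: {provider} {'.'.join(WAF_REF_PATH[provider])} missing or malformed: {ref!r}")

    hosts = _get(lb, "ingress", "hosts", default=[])
    if not hosts or not all(isinstance(h, str) and h for h in hosts):
        findings.append("HOSTS: ingress.hosts must list at least one hostname")

    nginx = _get(values, "c3-nginx-ingress", "controller", default={})
    cfg = nginx.get("config", {}) if isinstance(nginx, dict) else {}
    # TLS ends at the load balancer, which forwards plain HTTP; an Nginx-side redirect would fight it.
    if not _is_false(cfg.get("force-ssl-redirect")):
        findings.append("NGINX-REDIRECT: controller.config.force-ssl-redirect must be false")
    # The page shows enableHttp directly under controller; upstream ingress-nginx keys it under
    # controller.service, so accept either location.
    enable_http = _get(nginx, "service", "enableHttp")
    if enable_http is None and isinstance(nginx, dict):
        enable_http = nginx.get("enableHttp")
    if not _is_false(enable_http):
        findings.append("NGINX-HTTP: controller.enableHttp must be false")

    idle = lb["aws"].get("idleTimeout") if provider == "aws" else ASSUMED_IDLE_TIMEOUT_S.get(provider)
    if idle is not None:  # unknown idle timeout (for example GCP): nothing to compare against
        try:
            keep_alive = int(cfg.get("keep-alive"))
        except (TypeError, ValueError):
            keep_alive = None
        if keep_alive is None or keep_alive < int(idle) + KEEPALIVE_BUFFER_S:
            findings.append(f"KEEPALIVE: keep-alive {cfg.get('keep-alive')!r} must be at least "
                            f"{int(idle) + KEEPALIVE_BUFFER_S} (idle timeout {idle} + {KEEPALIVE_BUFFER_S} s)")
    return findings


GOOD_AWS_VALUES = {  # constructed sample mirroring the page's AWS settings
    "cloudNativeLoadBalancerToNginx": {
        "enabled": True,
        "aws": {"wafv2": {"aclArn": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/"
                                    "c3-prod-waf-acl-01/0f3a6c2e-1b4d-4e5f-9a8b-7c6d5e4f3a2b"},
                "ingressSecurityGroups": "c3-prod-sg-dmz-01", "idleTimeout": 3600},
        "ingress": {"hosts": ["*.c3.example.com"]},
    },
    "c3-nginx-ingress": {"controller": {"config": {"force-ssl-redirect": "false", "keep-alive": "3620"},
                                        "enableHttp": False}},
}

BAD_AZURE_VALUES = {  # constructed: bare WAF name, Nginx still redirecting, keep-alive under 320 s
    "cloudNativeLoadBalancerToNginx": {
        "enabled": True,
        "azure": {"wafPolicyForPath": "c3-prod-waf-pol-01"},
        "ingress": {"hosts": ["*.c3.example.com"]},
    },
    "c3-nginx-ingress": {"controller": {"config": {"force-ssl-redirect": "true", "keep-alive": "300"},
                                        "enableHttp": False}},
}

if __name__ == "__main__":
    for name, values in (("good-aws", GOOD_AWS_VALUES), ("bad-azure", BAD_AZURE_VALUES)):
        print(name, check_l7_values(values) or "OK")
```

Run it against the output of yaml.safe_load(open("values.yaml")) in a CI step and fail the pipeline on a non-empty result; the WAF-REF pattern only checks shape, so a policy that exists but is attached to the wrong region or subscription still needs the provider's own validation.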