Forum Discussion
Access to AWS Hosted Websites.
Hey, all. I have a team who requires access to specific websites (hosted on AWS) to which they run thousands of daily transactions. As part of our routing scheme this traffic routes through our Big IP and is part of a SNAT pool, then it goes out the rest of the way (hitting pertinent firewalls and such on the way).
Our issue is that the company that runs these websites doesn't pay AWS for fixed IP addresses, so the IP to which these transactions are sent changes. Sometimes it changes weekly, sometimes daily, and sometimes not for a month. The only thing that we know is that it will change. The problem with this is that this traffic does not take the default route out of the Big IP, so when these IP addresses change they hit the wrong interface at the next hop and return routing is not in place for that.
We have developed a solution to the firewall rules to resolve this; now the only issue remaining is the Big IP routing. I'm looking for a solution to this so that we don't have to add routes into the Big IP each time. Would it be possible to have the customer point their traffic to a VIP on the Big IP, which could then do a lookup for the real URL the customer wants to go to and be forced to send all traffic out of a particular interface?
For example, instead of the customer sending their traffic to www.transactioncompany.com they would send it to a VIP on the Big IP www.BigIPTransactionVIP.com which then forwards all traffic to www.transactioncompany.com?
Thanks.
- I_R_101_110
Cirrus
You could likely use a performance virtual server with a FastL4 profile and HTTP profile attached in order to apply an iRule. The iRule would evaluate the URL and forward the packets to the appropriate next hop via a single-member pool. Something like:
    when HTTP_REQUEST {
        # Match on the Host header of the request
        if { [HTTP::host] equals "www.transactioncompany.com" } {
            # Send the matched request to the layer 3 next hop that leads to AWS
            node <next-hop-ip-node>
        }
    }
Be sure to disable port and address translation in the virtual server configuration.
The above iRule would be more computationally efficient if implemented as an LTM policy, so I'd suggest such, but the logic remains the same.
You could alternatively route the entirety of the relevant availability zones statically on the F5 via AWS' IP range publication (https://ip-ranges.amazonaws.com/ip-ranges.json). The chance of the entire CIDR for the availability zone changing is low in comparison to the IP changing within the CIDR space.
Good Luck
- gdoyle
Cirrostratus
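As an added example (not from this thread, F5 or AWS), the following Python script shows the second approach above in practice: it reads the ip-ranges.json publication, collapses the EC2 prefixes for a region into summary networks, generates the static route commands for the F5, and checks whether a currently resolved address still falls inside the routed space. The embedded JSON is a constructed sample in the same shape as the real file (the real file has thousands of prefixes and should be downloaded fresh on each run). The tmsh route command format and the gateway address are assumptions; verify them against your own BIG-IP before applying.

```python
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The prefixes below are documentation ranges (RFC 5737), not real AWS addresses.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2021-10-11-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "EC2"},
    ],
})


def region_prefixes(ip_ranges_json, region, service="EC2"):
    """Return the collapsed IPv4 networks published for one region/service.

    Adjacent and overlapping prefixes are summarised so the F5 carries the
    smallest possible number of static routes.
    """
    data = json.loads(ip_ranges_json)
    nets = [
        ipaddress.ip_network(p["ip_prefix"])
        for p in data["prefixes"]
        if p["region"] == region and p["service"] == service
    ]
    return list(ipaddress.collapse_addresses(nets))


def tmsh_route_commands(prefixes, gateway, name_prefix="aws"):
    """Build one static route per summarised prefix.

    Assumed tmsh syntax: create net route <name> network <cidr> gw <next-hop>.
    The gateway is the next hop that actually leads to AWS, not the BIG-IP's
    default route.
    """
    return [
        f"tmsh create net route {name_prefix}-{i} network {net.with_prefixlen} gw {gateway}"
        for i, net in enumerate(prefixes, start=1)
    ]


def is_routed(address, prefixes):
    """True if a resolved service address is inside the routed prefixes.

    Run this against the current DNS answer for the transaction site: a False
    result means AWS moved the site into a CIDR you do not yet route, so the
    route set needs regenerating before traffic falls onto the default route.
    """
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in prefixes)


if __name__ == "__main__":
    nets = region_prefixes(SAMPLE_IP_RANGES, "us-east-1")
    for cmd in tmsh_route_commands(nets, "10.0.0.1"):  # 10.0.0.1 is an assumed next hop
        print(cmd)
    print("198.51.100.77 routed:", is_routed("198.51.100.77", nets))
    print("192.0.2.10 routed:", is_routed("192.0.2.10", nets))
```

In production, fetch the JSON with a scheduled job, compare the syncToken to the last run, and only regenerate and push the routes when it changes; the is_routed check doubles as a monitoring probe that fires before the broken return path shows up as failed transactions.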
Sorry, I'm a little bit confused. In order to get the traffic to the Big IP, would I need to make a DNS entry internally and set that IP to the VIP IP, then have all of their traffic flow to that? From there it would run the iRule as suggested?
Also, can you please explain the "node <next-hop-ip-node>" line to me?
Thanks.
- I_R_101_110
Cirrus
Apologies, as I had thought the F5 was inline in the traffic flow but just required proper routing based on URL. If it is not inline, your idea will work fine. Have them point to an A record that is routed to the F5. Then use an LTM URL rewrite policy to translate the GET to the proper URL.
The "node <next-hop-ip-node>" line is simply taking the action of forwarding the matched request to the proper layer 3 next hop that leads to AWS, since, from my understanding, the F5's installed default route does not properly route to your AWS environment. If you were to simply put the AWS IP as the pool member, the F5 would route out the erroneous default route to find the pool member rather than the correct next hop we're specifying here.