For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

gdoyle's avatar
gdoyle
Icon for Cirrostratus rankCirrostratus
Sep 04, 2019

Access to AWS Hosted Websites.

Hey, all. I have a team who requires access to specific websites (hosted on AWS) to which they run thousands of daily transactions. As part of our routing scheme this traffic routes through our Big I...
application delivery
BIG-IP
LTM
I_R_101_110's avatar
I_R_101_110
Icon for Cirrus rankCirrus
Sep 05, 2019

You could likely use a performance virtual server with a fastl4 profile and http profile attached in order to apply an irule. The irule would evaluate the url, and forward the packets to the appropriate next hop via a single member pool. Something like:

 

when HTTP_REQUEST {

if {[HTTP::host] equals "www.transactioncompany.com" }{

node <next-hop-ip-node>

}

 

Be sure to disable port and address translation in the virtual server configuration.

 

The above irule would be more computationally efficient if implemented as an ltm policy so I'd suggest such but the logic remains the same.

 

You could alternatively route the entirety of the relevant availability zones statically on the F5 via AWS' IP Range publication (https://ip-ranges.amazonaws.com/ip-ranges.json) . Change of the entire CIDR for the availability zone is low in comparison to the IP changing within the CIDR space.

 

Good Luck

  • gdoyle's avatar
    gdoyle
    Icon for Cirrostratus rankCirrostratus
    Sep 05, 2019

    Sorry, I'm a little bit confused. In order to get the traffic to the Big IP would I need to make a DNS entry internally and set that IP to the VIP IP, then have all of their traffic flow to that. From there it would run the irule as suggested?

     

    Also, can you please explain the "nod <next-hop-ip-node>" line to me?

     

    Thanks.

    • I_R_101_110's avatar
      I_R_101_110
      Icon for Cirrus rankCirrus
      Sep 07, 2019

      Apologies as I had thought the F5 was inline of the traffic flow but just required proper routing based on url. If it is not inline, your idea will work fine. Have them point to an A record that is routed to the F5. Then use an ltm url rewrite policy to translate the GET to the proper URL.

      The "node <next-hop-ip-node>" is simply taking the action of forwarding the matched request to the proper layer 3 next-hop that leads to AWS being that from my understanding - the F5's installed default route does not properly route to your AWS environment. If you were to simply put the aws IP as the pool member, the F5 would route out the erroneous default route to find the pool member rather than the correct next-hop we're specifying here.

       

    • gdoyle's avatar
      gdoyle
      Icon for Cirrostratus rankCirrostratus
      Sep 09, 2019

      So I can essentially force routing out a particular interface using this "node <next-hop-ip-node>" line in the irule?