For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

gdoyle's avatar
gdoyle
Icon for Cirrostratus rankCirrostratus
Sep 04, 2019

Access to AWS Hosted Websites.

Hey, all. I have a team who requires access to specific websites (hosted on AWS) to which they run thousands of daily transactions. As part of our routing scheme this traffic routes through our Big I...
application delivery
BIG-IP
LTM
I_R_101_110's avatar
I_R_101_110
Icon for Cirrus rankCirrus
Sep 05, 2019

You could likely use a performance virtual server with a fastl4 profile and http profile attached in order to apply an irule. The irule would evaluate the url, and forward the packets to the appropriate next hop via a single member pool. Something like:

 

when HTTP_REQUEST {

if {[HTTP::host] equals "www.transactioncompany.com" }{

node <next-hop-ip-node>

}

 

Be sure to disable port and address translation in the virtual server configuration.

 

The above irule would be more computationally efficient if implemented as an ltm policy so I'd suggest such but the logic remains the same.

 

You could alternatively route the entirety of the relevant availability zones statically on the F5 via AWS' IP Range publication (https://ip-ranges.amazonaws.com/ip-ranges.json) . Change of the entire CIDR for the availability zone is low in comparison to the IP changing within the CIDR space.

 

Good Luck

gdoyle's avatar
gdoyle
Icon for Cirrostratus rankCirrostratus
Sep 05, 2019

Sorry, I'm a little bit confused. In order to get the traffic to the Big IP would I need to make a DNS entry internally and set that IP to the VIP IP, then have all of their traffic flow to that. From there it would run the irule as suggested?

 

Also, can you please explain the "nod <next-hop-ip-node>" line to me?

 

Thanks.