Allow only internal access to load balanced website
Hello Folks
I'm not able to block external traffic on my website. I want to allow only internal IP addresses or traffic to the internal website. I've an iRule, but it doesn't do the trick. Any suggestions?
The second step is to make an IP Allow List. This has to be done in the data group list as addresses: 10.0.0.0/32? 192.168.0.0/16? 172.16.0.0/16? Name: $::IP-Allow. Version of BigIp: 11.2.1
when HTTP_REQUEST {
    if { [HTTP::host] equals "test.again.com" and !( [IP::addr [IP::client_addr] equals 10.0.0.0/32] ) } {
        discard
    } else {
        pool again_pool
    }
}
Any ideas how to make this really work?
Thx for sharing.
5 Replies
- Kevin_Stewart
Employee
Well, first thought is to simply disable access to the external VLAN. Barring that, you could use an iRule and data group, or packet filter rules. The beauty of enabling specific VLANs or using packet filter rules is that requests are immediately reset, where an iRule would allow a 3-way TCP handshake before discarding the traffic.
Here's what the iRule might look like:
when CLIENT_ACCEPTED {
    if { not ( [class match [IP::client_addr] equals my_ip_dg] ) } {
        discard
    }
}
where "my_ip_dg" is an address-based data group. I'm assuming here that you probably don't need to evaluate the Host header (because the user could be trying with an IP address), and that the pool is assigned to the virtual server. You just need to block access if the client source doesn't come from an approved list. The address-based data group can contain single IP addresses and IP subnets.
- Drew_123833
Nimbostratus
Hello Kevin
That does the trick, thx. However, it now blocks everything :-). I also had to put $::my_ip_dg in front of it. my_ip_dg list: 10.0.0.0/255.0.0.0, 192.168.0.0/255.255.0.0, 172.16.0.0/255.255.0.0
I have an internal IP of 10.3.x.x. It might be that the list is not complete?
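The two posts above hinge on what an address data group actually matches: a `class match [IP::client_addr] equals my_ip_dg` test succeeds only if some entry's subnet contains the client address, so a 10.0.0.0/32 entry covers one host, not the 10.x.x.x range. The following added example (not F5 code and not from either poster) simulates that check in Python with the `ipaddress` module, evaluates the original entries against the RFC 1918 private ranges, and flags single-host entries that are usually a mistyped mask; the data group name `my_ip_dg` and the client addresses are constructed for the demonstration.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-in for the address data group "my_ip_dg" (name assumed from the thread).
# Proper RFC 1918 ranges; 172.16.0.0/12 covers 172.16.x.x through 172.31.x.x.
RFC1918_ALLOW = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# The entries from the original question, kept to show why a 10.3.x.x client is rejected.
ORIGINAL_ENTRIES = ["10.0.0.0/32", "192.168.0.0/16", "172.16.0.0/16"]


def build_data_group(entries):
    """Parse CIDR or addr/mask strings into networks (strict=False tolerates host bits)."""
    return [ip_network(e, strict=False) for e in entries]


def class_match(client_addr, data_group):
    """Mimic `class match [IP::client_addr] equals <dg>`: any subnet containing the client."""
    addr = ip_address(client_addr)
    return any(addr in net for net in data_group)


def client_accepted(client_addr, data_group):
    """Mimic the CLIENT_ACCEPTED iRule: discard unless the source is on the allow list."""
    return "allow" if class_match(client_addr, data_group) else "discard"


def evaluate(client_addrs, entries):
    """Return {client: action} so an allow list can be dry-run before it is deployed."""
    dg = build_data_group(entries)
    return {c: client_accepted(c, dg) for c in client_addrs}


def single_host_entries(entries):
    """Return entries that cover exactly one address; on a subnet allow list these are suspect."""
    return [e for e in entries if build_data_group([e])[0].num_addresses == 1]


if __name__ == "__main__":
    # Constructed sample clients: two internal (10.3.x.x and 172.20.x.x), one external.
    clients = ["10.3.4.5", "172.20.1.1", "203.0.113.9"]
    print("original entries:", evaluate(clients, ORIGINAL_ENTRIES))
    print("rfc1918 entries: ", evaluate(clients, RFC1918_ALLOW))
    print("single-host entries to review:", single_host_entries(ORIGINAL_ENTRIES))
```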
- Kevin_Stewart
Employee
> I just also had to put $::my_ip_dg in front of it
Can you clarify? What F5 version are you running?
- Drew_123833
Nimbostratus
BIG-IP 11.2.1 Build 1179
- Drew_123833
Nimbostratus
I edited this earlier in the iRule editor 0.11.0.2 (where I got the error). Now I edited the iRule directly in BigIP, removed the $::, and it worked.
Problem solved! Good job. Thx for the follow-up.