Forum Discussion
ASM VE performance scaling
Hi,
I wonder if there is any good article about sizing VM for ASM/AFM deployment. Or maybe someone already did such deployment and can share some figures. What number of vCPU/RAM/Other resources to assign?
Let's say there will be no SSL Offload involved and we are talking about 50k+ concurrent TCP connections per second creating HTTP Transactions.
Is it at all possible to use VE?
Piotr
6 Replies
- Hannes_Rapp
Nimbostratus
I do not have an exact answer for your environment, I'm just giving you the base configuration. Use these values to make adjustments according to your own needs:
ASM+AFM+LTM Setup
- 16GB memory, 4 vCPU, VE with 1Gbps license
You can use the VE BigIP. It's actually the most cost-efficient BigIP deployment option in no-SSL TPS environments. Another good thing with VE is that if you run short of available bandwidth (1Gbps initial license limit), it takes very little effort to upgrade the license to 3Gbps.
- dragonflymr
Cirrostratus
Hi,
Thanks for the hints. If I am not wrong, the limit for VE ends at 10Gb throughput? I am asking because right now, under attack, the customer is reporting the hardware BIG-IP as the bottleneck (don't know yet what the HW is). I wonder if an alternative could be some LB pointing to an ASM VE pool to create LB at attack time in a cost-effective manner.
As far as I know, ASM is the most resource-intensive module on BIG-IP.
Piotr
- Hannes_Rapp
Nimbostratus
10Gbps is indeed the current maximum supported by VE. Your next question is tougher; it's for sure that you can deploy ASM on a separate BigIP, and route requests to it from another AFM/LTM box. What I do not know is if you can implement some sort of balancing from a single AFM/LTM appliance/cluster to multiple ASM boxes. Not even sure if it will help you remedy the effects of a DOS attack significantly. Personally, I would leave out the balancing to multiple ASM appliances since the ASM module is quite costly and the desired solution is not guaranteed, but instead look into possibilities to take down the attack on the AFM/LTM box, and if the attack is huge (i.e. the on-site appliance couldn't cope), manually activate the cloud-based DOS attack mitigation (i.e. pay to subscribe to a service from F5 Silverline or Prolexic). Just some ideas.
- dragonflymr
Cirrostratus
OK, but we are not really talking about a volumetric attack saturating the Internet pipe. We are talking about exhausting current ASM device resources - sure, the simplest solution is to buy a bigger BIG-IP box, but that could be no way here. The customer, however, has quite substantial VMware-based resources, so spinning up a few ASM VEs could be an option.
Piotr
- Hannes_Rapp
Nimbostratus
Give it a go then :). I cannot confirm for sure, but I think that even if the 1st line of appliances are configured as active-standby, you should be able to deploy the 2nd line of appliances (VE ASM) in active-active mode to really widen the existing bottleneck.