Forum Discussion

Preet_pk
Mar 02, 2023

CIDR range redirection iRule

Hi,

We have a requirement where requests coming from Azure instances should be routed to the node in Azure, and requests from other locations should be routed to the node in the DC.

For example:

abc.local
Node1 - Azure-Node
Node2 - DC-Node

Requests from Azure to abc.local should be routed to Azure-Node and the rest to DC-Node.

  • To achieve this requirement, you can use DNS-based traffic routing. You can configure your DNS server to respond to requests from Azure instances with the IP address of the Azure node and respond to requests from other locations with the IP address of the DC node. Here are the high-level steps to implement this:

    1. Create two A records in your DNS server, one for Azure-Node and another for DC-Node, both pointing to the same domain name (e.g., abc.local).

    2. Determine the IP addresses of the Azure-Node and DC-Node.

    3. Identify the IP address ranges of the Azure instances that should be routed to the Azure-Node. You can find this information in the Azure portal.

    4. Configure your DNS server to respond to requests from the IP address ranges of the Azure instances with the IP address of the Azure-Node. You can do this by creating a DNS zone for the IP address ranges and adding an A record for the abc.local domain pointing to the IP address of the Azure-Node.

    5. Configure your DNS server to respond to requests from all other IP addresses with the IP address of the DC-Node. You can do this by adding an A record for the abc.local domain pointing to the IP address of the DC-Node.

    Once you have completed these steps, requests from Azure instances should be routed to the Azure-Node, and requests from other locations should be routed to the DC-Node.

  • Preet_pk Assuming this is being balanced by a virtual server, you would configure the virtual server with a pool that only has the DC node/s in it and then another pool with the Azure node/s in it. The following is the iRule that you would use, followed by the internal data-group that you would use that contains the source IPs for your Azure requests as the F5 would see them when connecting to the virtual server. I have IPs currently in the data group that are just examples to show you how to configure it with a single host IP as well as a subnet. Configuring it in this manner would maintain persistence if you have any configured or will have any configured while sending traffic to the appropriate destination. Please keep in mind that anything other than abc.local with an Azure IP source will end up going to the default pool. If you always want Azure requests to go to Azure nodes no matter the website, then you can remove the HTTP::host match and just leave the address match.

    This is the iRule


    when CLIENT_ACCEPTED priority 500 {
        # Remember the virtual server's default pool so requests that do not
        # match the Azure condition can be sent back to it from HTTP_REQUEST.
        set DEFAULT_POOL [LB::server pool]
    }

    when HTTP_REQUEST priority 500 {
        # Send to the Azure pool only when the Host header is abc.local AND the
        # client source address falls inside the CLASS_Azure_subnets data group
        # (type ip, so /32 hosts and whole subnets both match).
        if { ([HTTP::host] equals "abc.local") && ([class match -- [IP::client_addr] equals CLASS_Azure_subnets]) } {
            pool POOL-abc.local-AzureNodes
        } else {
            pool $DEFAULT_POOL
        }
    }


    This is the internal data-group CLI output


    ltm data-group internal CLASS_Azure_subnets {
        records {
            192.168.1.1/32 { }
            192.168.2.0/24 { }
        }
        type ip
    }


    If this is not what you have configured please provide additional detail on your configuration and what you're attempting to achieve and we should be able to assist you further.
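    The following is an added example, not part of the thread and not F5 code: an offline Python model of the data-group plus iRule decision above, so the record set can be unit-tested before it is pushed to the BIG-IP. It parses the tmsh data-group text shown in the answer, reproduces the type-ip match (a /32 only matches that one host, a /24 matches the whole subnet) and the HTTP_REQUEST pool choice, and additionally handles two cases the plain iRule compare would miss: a Host header carrying a port or mixed case, and an IPv4-mapped IPv6 source when the virtual server listens on IPv6. The pool names are the iRule's; the default pool name and the record IPs are constructed for the example.

```python
"""Offline model of the CLASS_Azure_subnets data group and the routing iRule.

Added example (not F5 code). Parses the tmsh 'ltm data-group internal' text
from the thread and reproduces the HTTP_REQUEST decision so the records can
be tested before deployment.
"""
import ipaddress
import re

# Constructed copy of the data-group output from the thread (example IPs only).
DATA_GROUP_TEXT = """\
ltm data-group internal CLASS_Azure_subnets {
    records {
        192.168.1.1/32 { }
        192.168.2.0/24 { }
    }
    type ip
}
"""

AZURE_POOL = "POOL-abc.local-AzureNodes"    # pool name used in the iRule
DEFAULT_POOL = "POOL-abc.local-DCNodes"     # assumed name of the VS default pool

_RECORD_RE = re.compile(r"^\s*(\S+)\s*\{\s*\}\s*$")


def parse_ip_data_group(text):
    """Return the networks listed in a 'type ip' internal data group.

    Each record line looks like '192.168.2.0/24 { }'. A bare address without a
    prefix length is treated as a single host (/32 or /128).
    """
    networks = []
    in_records = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("records {"):
            in_records = True
            continue
        if in_records and stripped == "}":
            in_records = False
            continue
        if in_records:
            m = _RECORD_RE.match(line)
            if m:
                networks.append(ipaddress.ip_network(m.group(1), strict=False))
    return networks


def class_match(client_ip, networks):
    """Mirror 'class match -- $ip equals <group>' for a type ip data group:
    true when the address lies inside any record."""
    addr = ipaddress.ip_address(client_ip)
    # A client reaching an IPv6 virtual server as ::ffff:a.b.c.d is still the
    # IPv4 host a.b.c.d; compare it against the IPv4 records.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in networks)


def normalise_host(host_header):
    """HTTP::host may carry a port ('abc.local:8443') and any letter case;
    an exact compare against 'abc.local' would miss both, so strip and lower."""
    host = host_header.strip().lower()
    if host.startswith("["):            # IPv6 literal such as [::1]:80
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def select_pool(host_header, client_ip, networks, default_pool=DEFAULT_POOL):
    """The HTTP_REQUEST decision: Host abc.local from an Azure source goes to
    the Azure pool; everything else goes back to the VS default pool."""
    if normalise_host(host_header) == "abc.local" and class_match(client_ip, networks):
        return AZURE_POOL
    return default_pool


if __name__ == "__main__":
    nets = parse_ip_data_group(DATA_GROUP_TEXT)
    for host, ip in [("abc.local", "192.168.2.77"), ("ABC.local:8443", "192.168.1.1"),
                     ("abc.local", "192.168.1.2"), ("other.local", "192.168.2.77")]:
        print(f"{host:16} {ip:16} -> {select_pool(host, ip, nets)}")
```

    Note that the model deliberately ignores X-Forwarded-For: the data group must hold the source addresses as the F5 sees them on the virtual server, which is what the reply above says, and what `IP::client_addr` returns.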