Forum Discussion

Surendar1 (Nimbostratus)
Jan 26, 2024

Create One VirtualServer[VIP] with Multiple Ports

Hi,

Currently the setup I have is: on a single partition I have 100+ VIPs with the same IP, pointing to different ports. The reason for this setup is that we have postgres & redis-opendb databases running on our k8s clusters, and earlier these database instances had a dependency requiring the setup to be this way -> 1 VIP having several ports.

Kubernetes - v1.23.16

CIS - 2.9.1

AS3 - 3.28.0

I am creating the VIPs using the TransportServer object, where the CIS controller running on the k8s cluster will auto-create and delete these VIPs. Now I am in the phase of migrating this architecture to "ONE VIP with multiple ports." I have read through the docs, where it is mentioned that I can use either a TrafficPolicy or an iRule to achieve this, but I am not finding valid docs that explain in detail how to achieve it.

Can someone please assist on whether this is achievable? If yes, please point me to the right resources to get this implemented & tested.

  • Why are you not using a wildcard VIP listening on :0 and translating to :0 on the backend?

    In on 443 = out on 443, in on 8443 = out on 8443, in on 9443 = out on 9443....

    • PhatANhappy (MVP)

      F5 will answer/listen from most specific to least specific. You can apply both in some cases. I have set up 3 VIPs on one IP address:
      80 -> 8080, 443 -> 8443, and also a wildcard to pick up a range, :0 to :0.
      I prefer to set the firewall rule to limit the port range at layer 3/4, setting the ingress firewall rule to allow 80, 443, 10000-20000.
      In that case the pattern match for 80/443 will do a redirect as needed, and the F5 will take all other ports "that arrive" on the interface as a 1:1 mapping: 10000 -> 10000, 10001 -> 10001, etc. Since the firewall (ingress rule) is restricted to the range, traffic will not arrive on ports 20 or 21 or 40,000....
      If all your mappings are straight across (80 -> 80, 443 -> 443), you can use a wildcard for all of them, keeping in line with the firewall rule to prevent the bad.
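The two replies above describe a single wildcard listener (port 0) with server-side port translation turned off, plus a port-based pool selection for the cases that need it. The following AS3 declaration is an added example written for this thread; it is not code from the original posters, from F5, or from CIS. It assumes a tenant `db_tenant`, an application `db_app`, a VIP address `10.0.0.50`, and backend node addresses `10.10.1.11` / `10.10.1.12`; all of these names and addresses are placeholders. The `Service_TCP` listens on every port of the VIP (`virtualPort: 0`) and keeps the client's destination port on the server side (`translateServerPort: false`), and the attached iRule sends 5432 to the Postgres pool, 6379 to the Redis pool, and rejects any other port so that the wildcard does not silently expose the whole port range on that address.

```json
{
  "class": "ADC",
  "schemaVersion": "3.28.0",
  "id": "one-vip-many-ports-example",
  "db_tenant": {
    "class": "Tenant",
    "db_app": {
      "class": "Application",
      "template": "generic",
      "db_vip": {
        "class": "Service_TCP",
        "virtualAddresses": ["10.0.0.50"],
        "virtualPort": 0,
        "translateServerAddress": true,
        "translateServerPort": false,
        "iRules": ["select_pool_by_port"]
      },
      "select_pool_by_port": {
        "class": "iRule",
        "iRule": "when CLIENT_ACCEPTED {\n  switch [TCP::local_port] {\n    5432 { pool /db_tenant/db_app/pg_pool }\n    6379 { pool /db_tenant/db_app/redis_pool }\n    default { reject }\n  }\n}"
      },
      "pg_pool": {
        "class": "Pool",
        "monitors": ["tcp"],
        "members": [
          {
            "servicePort": 5432,
            "serverAddresses": ["10.10.1.11", "10.10.1.12"]
          }
        ]
      },
      "redis_pool": {
        "class": "Pool",
        "monitors": ["tcp"],
        "members": [
          {
            "servicePort": 6379,
            "serverAddresses": ["10.10.1.11", "10.10.1.12"]
          }
        ]
      }
    }
  }
}
```

Because `translateServerPort` is false, the `servicePort` on each pool member is used only by the monitor; the data path connects to whatever port the client hit on the VIP, which is the 1:1 mapping the second reply describes. If every backend port equals its VIP port you can drop the iRule and put a single pool on the wildcard service, but then every port reaching the VIP is forwarded, so the upstream firewall rule limiting the allowed port range (as PhatANhappy suggests) becomes the only control; the explicit `default { reject }` keeps that control on the BIG-IP as well.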