Create One VirtualServer[VIP] with Multiple Ports
Hi,
Currently the setup I have is: on a single partition I have 100+ VIPs with the same IP, pointing to different ports. The reason for this setup is that we have Postgres and redis-opendb databases running on our k8s clusters, whereas earlier these database instances had a dependency to be set up in this way -> 1 VIP having several ports.
Kubernetes - v1.23.16
CIS - 2.9.1
AS3 - 3.28.0
I am creating the VIPs using the TransportServer object, where the CIS controller running on the k8s cluster will auto create and delete these VIPs. Now I am in the phase of migrating this architecture to have "ONE VIP with Multiple ports." I have read through the docs, where it is mentioned I can either use TrafficPolicy or iRule to achieve this; however, I am not finding valid docs which explain in detail how to achieve it.
Can someone please assist on whether this is achievable? If yes, please point me to the right resources to get this implemented and tested.
Why are you not using a wildcard VIP listening on :0 and translating to :0 on the backend?
in on 443 = out on 443, in on 8443 out on 8443, in on 9443 out on 9443....
- Surendar1Nimbostratus
In that case, will it not be multiple VIP entries?
F5 will answer listeners most specific to least specific. You can apply both in some cases. I have set up 3 VIPs on one IP address:
80----8080, 443 --- 8443, and also a wildcard to pick up a range, :0 to :0.
I prefer to set the firewall rule to limit the port range at layer 3/4, setting the ingress firewall rule to allow 80, 443, 10000-20000.
In that case, pattern match for 80/443 will do a redirect as needed, and the F5 will take all other ports "that arrive" on the interface as a 1:1 mapping: 10000---10000, 10001-10001, etc. Since the firewall (ingress rule) is restricted to the range, traffic will not arrive on ports 20 or 21 or 40,000....
If all your mappings are straight across (80-80, 443-443), you can use a wildcard for all of them, keeping in line with the firewall rule to prevent the bad.
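The layout described in the reply above, as an added example that is not part of the original thread: a small Python model of "most specific listener wins" combined with the ingress allow-list, which also counts how many ports the wildcard exposes with and without the firewall rule. The address and the listener names (`vs_http`, `vs_https`, `vs_wildcard`) are hypothetical.

```python
from dataclasses import dataclass

# Ingress firewall allow ranges quoted in the reply: 80, 443, 10000-20000.
ALLOWED = [(80, 80), (443, 443), (10000, 20000)]

@dataclass(frozen=True)
class Listener:
    name: str          # hypothetical virtual server name
    port: int          # 0 = wildcard, accepts any destination port
    backend_port: int  # 0 = keep the client's destination port (1:1)

# Three listeners on one (constructed) address, e.g. 192.0.2.10.
LISTENERS = [
    Listener("vs_http", 80, 8080),
    Listener("vs_https", 443, 8443),
    Listener("vs_wildcard", 0, 0),
]

def firewall_allows(port, allowed=ALLOWED):
    return any(lo <= port <= hi for lo, hi in allowed)

def select_listener(port, listeners=LISTENERS):
    """Exact-port listener beats the :0 wildcard."""
    for l in listeners:
        if l.port == port:
            return l
    return next((l for l in listeners if l.port == 0), None)

def route(port):
    """Return (listener name, backend port) or the reason for a drop."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    if not firewall_allows(port):
        return ("dropped-by-firewall", None)
    l = select_listener(port)
    if l is None:
        return ("no-listener", None)
    return (l.name, l.backend_port or port)

def wildcard_exposure(listeners=LISTENERS, allowed=ALLOWED):
    """Ports that land on the wildcard: (with firewall, without firewall)."""
    specific = {l.port for l in listeners if l.port}
    with_fw = sum(1 for p in range(1, 65536)
                  if p not in specific and firewall_allows(p, allowed))
    return with_fw, 65535 - len(specific)

if __name__ == "__main__":
    for p in (80, 443, 10001, 21, 40000):
        print(p, route(p))
    print("wildcard exposure (with fw, without fw):", wildcard_exposure())
```

Running the same count against the real allow-list is a quick audit of how much of the port space the wildcard VIP actually answers on.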