Forum Discussion

BK1
Apr 16, 2021

Efficient way to manage apps

Hi, are there any recommendations or best practices to manage multiple apps or URLs using one single virtual server?

  • Hello guys, after lots of internal discussions over the weekend, the second approach suggested by  suits our requirement and so for now we are configuring the URLs using iRule given on single virtual server. Thank you guys for your comments. I appreciate your help.

  • Thank you so much for your replies guys. I appreciate your help and time here.

    From all the above posts, I now realize that there are multiple options available on F5 to have multiple options behind a single Virtual Server. Everything is dependent on the use cases, and I can use the better approach for the configuration. I will thoroughly check my application requirements and then select the best approach. At least now I am confident to proceed further. Thank you again. I will keep you updated.

  • There are many ways to do this, but it depends on specification & requirement.

    You can use a single VIP & put an iRule to route to different pools based on the host header too. So it's just 1 VIP, multiple pools inside it. But make sure your VIP doesn't become a bottleneck at peak traffic.

  • Another approach would be to have one virtual server listening on 443, assuming that all your external services are accessible over HTTPS (port 443). The backend app/server port can be anything. With this you have the option to use either an LTM policy or an iRule to manage traffic and forward it to the desired pool based on the host. The post below talks about the same use case using an iRule.

    https://devcentral.f5.com/s/question/0D51T00007MxMr8SAF/multiple-web-applications-behind-single-vs

    Hope it helps!

    • spalande

      Yes. But this approach of just forwarding based on the HOST header to the pool becomes cumbersome to maintain in many scenarios, e.g.:

      • app1 and app2 need different kinds of session persistence
      • app1 needs some custom content-based routing to a different pool based on URI
      • app3 has a custom requirement to add some custom header, and many more.

      So, I would suggest you understand your requirements clearly, and what future changes those applications need, and select what is best for you.

  • I can't say if this is recommended or best practice, but I prefer an SNI setup for hosting multiple applications using a single virtual server address. It can host up to 65536 applications/virtual servers with a single IP address. Also, it gives the privilege to maintain SSL certificate, session persistence, custom iRule or any other custom need per individual application.

     

    Assuming all your applications are TLS based, you can configure a master TLS SNI VIP. Let's assume you want to host applications app1.example.com to app10.example.com using the same VIP.

     

    sni_vs_80 ---> 10.10.10.10:80 ---> this will have redirect iRule/ltm policy to redirect to default https

    sni_vs_443 ---> 10.10.10.10:443 ---> standard VIP. Configure SNAT set to automap, default persistence profile as ssl, and a custom LTM policy (policy_sni). Please note, this VIP shouldn't have an http profile, iRule, ssl profile or pool attached to it. Details of the LTM policy are below.

     

    policy_sni

    Rule1 - ssl extension server name is any of <app1.example.com> at SSL clienthello forward traffic to virtualserver app1.example.com_8443 at SSL clienthello. You can keep on adding rules for each application in the same policy.

     

    Now you can configure the virtual server for app1.example.com_8443 using the same VIP and port 8443 (10.10.10.10:8443). This VIP can be configured as a standard VIP with a standard pool and all the regular or custom settings you need.

     

    You can keep on adding any custom port you want to host a new application, e.g. as below:

    app1.example.com_8443 ---> 10.10.10.10:8443

    app2.example.com_8444 ---> 10.10.10.10:8444

    app3.example.com_8445 ---> 10.10.10.10:8445

     

    ---------------------------------------------------

     

    Now, for all applications just listening without TLS, you can follow a similar approach but forward based on the HOST header.