Forum Discussion
Forwarding Traffic to URL rather than Pool
Hi,
In our current implementation of LTM, we create multiple virtual servers with each having its own Policy. In the Policy, rules define domain based or URI path based requests, and forward to specific pools. Pools are made of predefined nodes specified using IP Port Pairs.
Going forward, we are servicing clients who also host their applications on HA instances but rather than having one VIP, they have multiple masked behind a URL which is publicly accessible, i.e. a DNS record is in place.
From the LTM, we've tried using iRules with redirects, nslookups and also trying to avoid the use of pools, given that a node in the pool is created and always resolves to a particular IP. Our concern is: should a new IP behind the DNS be created and we are not aware, then traffic will never reach this node.
Current setup
Client Request to DNS/VIP --> F5 (Virtual Server -> Policy -> Rules -> forward to Pool) --> Nodes defined in Pool
What we want to Achieve
Client Request to DNS/VIP --> F5 (Virtual Server -> Policy -> Rules -> forward to URL) --> URL rather than Node
What has been used
iRules setup to cater for redirects: HTTP::redirect ";
iRules setup to cater for resolution: [lindex [RESOLV::lookup @8.8.8.8 -a $host] 0]
Thanks for your help, Stefan
- Henrik_S_142222
Altostratus
The whole concept of LTM is to either respond directly or to forward requests to a pool member. As long as the service you want to forward requests to is publicly available, why not just make the LTM respond with a normal HTTP::redirect? If not, you could probably leverage SNAT and create a pool with an FQDN pool member. You can configure the LTM to auto populate and you can choose the interval at which the LTM re-queries DNS. By default auto populate is on and re-checks once an hour. If an IP that was originally returned is no longer returned, it will be removed, and subsequently, if a new IP is returned, it will be added.
So what are you asking? It seems you have two parts there, right?
- vf-mt_243104
Altocumulus
Hi Henrik S,
What I tried implementing was attaching a simple log in an iRule to understand what's happening, as follows:
when HTTP_REQUEST {
    log local0. "server is currently at IP [RESOLV::lookup @8.8.8.8 "abc.com"]"
}
 
I noticed I wasn't able to reach the Google DNS so I had to resolve to the local Domain DNS and reach the service through the firewall from there onwards.
 
I also found the following link useful https://clouddocs.f5.com/api/irules/resolv__lookup.html
 
and also to request traffic to the newly resolved IP: https://devcentral.f5.com/s/feed/0D51T00006i7RxBSAU
 
The SNAT looks interesting, however I didn't fully understand. Any Links that further explain this please?
 
If not, you could probably leverage SNAT and create a pool with an FQDN pool member. You can configure the LTM to auto populate and you can choose the interval at which the LTM re-queries DNS. By default auto populate is on and re-checks once an hour. If an IP that was originally returned is no longer returned, it will be removed, and subsequently, if a new IP is returned, it will be added.
 
Hi boneyard, as explained above, it seems like I had an issue reaching a public DNS.
 
After additional tests following the links mentioned above, I am now able to redirect to an IP after resolving the DNS name and also returning a 503 should the resolution or IP on the other end fail.
 
Thanks, Stefan
- Henrik_S_142222
Altostratus
If you could clarify just what you would like to achieve, that would be helpful.
1: HTTP redirect? Typically leveraged with iRules:
when HTTP_REQUEST {
    if { [string tolower [HTTP::host]] equals "; } {
        HTTP::respond 301 Location ";
    }
}
2: Forwarding of traffic through your LTM towards another LTM/proxy out of your control? You would need SNAT and FQDN/IP pool members.
- vf-mt_243104
Altocumulus
Hi,
Managed to solve this by identifying the public DNS was not reachable from behind our firewall so going through the internal routes through the firewall I could resolve the address.
I also found the following link useful https://devcentral.f5.com/wiki/irules.resolv__lookup.ashx
and also to request traffic to the newly resolved IP: https://devcentral.f5.com/questions/irule-to-redirect-to-specific-node
Also, had some issues with variables when using iRules, however, hard coding everything in one line was successful.
Stefan
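The resolve-and-forward behaviour described in this post, with the 503 fallback mentioned earlier in the thread, written out as an iRule. This is an added example, not code posted by anyone in the thread; the hostname, resolver address, port and cache lifetime are assumed placeholder values, and the Host header rewrite assumes the upstream routes by name.

```tcl
# Added example. Placeholder values: hostname, resolver, port, cache lifetime.
when RULE_INIT {
    set static::upstream_fqdn "upstream.example.com"  ;# fixed name, never client input
    set static::resolver      "10.0.0.53"             ;# internal DNS reachable from the BIG-IP
    set static::upstream_port 80
    set static::cache_ttl     30                      ;# seconds a resolved answer is reused
}

when HTTP_REQUEST {
    set key "resolved:$static::upstream_fqdn"
    # Reuse a recent answer so that not every request triggers a DNS query.
    set ip [table lookup -notouch $key]

    if { $ip eq "" } {
        # Resolve the constant name; [HTTP::host] and other request data
        # are deliberately not passed to the resolver.
        if { [catch { RESOLV::lookup @$static::resolver -a $static::upstream_fqdn } answers] } {
            set answers ""
        }
        set ip [lindex $answers 0]

        # The upstream is public, so an internal or loopback answer is rejected.
        if { $ip ne "" } {
            foreach net {10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16} {
                if { [IP::addr $ip equals $net] } { set ip "" ; break }
            }
        }
        if { $ip ne "" } {
            table set $key $ip $static::cache_ttl $static::cache_ttl
        }
    }

    # Fail closed when there is no usable address.
    if { $ip eq "" } {
        log local0. "no usable address for $static::upstream_fqdn"
        HTTP::respond 503 content "Service unavailable" "Retry-After" "30"
        return
    }

    HTTP::header replace Host $static::upstream_fqdn  ;# upstream expects its own name
    snat automap                                      ;# return traffic comes back via the BIG-IP
    node $ip $static::upstream_port
}
```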
thanks for letting us know
- vf-mt_243104
Altocumulus
thanks for your help
stefan
- vf-mt_243104
Altocumulus
Hi Henrik,
The redirect was a test to check if the LTM is processing the traffic accordingly and that was successful.
The end game here was to forward requests to a URL rather than a set of IPs/Nodes in a Pool. So yes, option 2 is the end goal.
In the SNAT, how do you go about configuring an fqdn/dns? Given that the fqdn/dns is hosted on other appliances outside our realm, we wouldn't be aware if an IP changes behind the DNS, hence a static pool with pre-defined nodes using IP addresses is out of the question.
Stefan