Forum Discussion
Need help to understand operation between RE and CE ?
Hi all,
We have installed CE site in our network and this site has established IPSEC tunnels with RE nodes. The on-prem DC site has workloads (e.g actual web application servers that are serving the client requests). I have citrix netscaler background and the Citrix Netscalers ADCs are configured with VIPs which are the frontend for the client requests coming from outside (internet), when the request land on VIPs, it goes through both source NAT and destination NAT, its source address is changed to private address according to the service where the actual application servers are configured and then sent to the actual application server after changing the destination to IP address of the server.
In XC, the request will land to the cloud first because the public IP, which is assigned to us will lead the request to RE. I have few questions regarding the events that will happen from here after
- Will there going to be any SNAT on the request or will it send it as it is to the site? And if there is SNAT then what IP address will it be ? and will it be done by the RE or on-prem CE
- There has to be destination NAT. Will this destination NAT is going to be performed by the XC cloud or the request will be sent to the site and site will do the destination NAT ?
- When the request will land the CE it will be landed in VN local outside so this means that we have to configure the network connector between the VN Local outside and the VN in which the actual workloads are configured, what type of that VN would be ?
- When the request will be responded by the application server in local on-prem the site the request has to go out to the XC cloud first, it will be routed via IPSEC tunnel so this means that we have to install the network connector between the Virtual network where the workloads are present and site local outside, do we have to install the default route in application VN ?
- Is there any document, post or article that actually help me to understand the procedure (frankly I read a lot of F5 documents but couldn’t able to find the answers
Better book the XC training Administering Applications in F5 Distributed Cloud Services (instructor-led) to understand this. Also you can review the aglity labs that have XC CE and RE deployment models F5 Appworld Labs Getting Started Doc
Also there is this free XC Distributed Cloud Training:
- usmansa1Altostratus
Mate, I have taken that training and also did the MCN labs, just for reference my animal name was "golden viper" but frankly this is some of the most basic information which should be mentioned in F5 documents but it is nowhere
- usmansa1Altostratus
Moreover, these labs may also need to include the basic setup
A fast summary is that SNAT is always performed by XC and this is why you need to use Proxy Protocol or XFF HTTP header to see the real client IPs in the backend. The SNAT on the CE is the exit interface IP address. On the RE as each RE location is made of several servers/devices the source up address will change based on the list https://docs.cloud.f5.com/docs/reference/network-cloud-ref . If your HTTP LB is on the RE and the origin is on the CE then the SNAT will be done on the CE. The destination NAT is just the NAT of the origin servers as to change the address of the HTTP lb to the one of the selected origin servers. When you mention network connector you probably mean Customer Edge(CE) and as I mentioned SNAT is always performed, so the origin servers just need to return it to the CE interface ip address or in case with the RE without a CE the servers need internet access . You can use static routing or bgp on the CE for it to know how to reach the origin servers if they are not connected directly on layer 2 with the CE interfaces.
- usmansa1Altostratus
thanks alot mate, well that actually cleared lot of things in my mind, however I have one more vital question and I will be really thankful if you can help me to understand this whole process,
lets say my HTTP LB is on the RE. When the request falls on the LB-RE and LB checks that origin server is on the site (via origin pool) and then :-
- will it send the request directly to CE via IPSEC or SSL tunnels OR (?)
- Will it check the origin server, do the destination NAT and then send the request to CE site (?)
Now suppose whatever is the case the request has now reached to Site and it will land on site local outside VN because here we have IPSEC tunnels configured, now technically the procedure will be something like below: (Please correct where I am wrong)
- Site local outside should check the routing and then see that destination address is inside the "site local inside"
- Site local outside will pass the request to site local inside while the request is being passed, the SNAT has to be done on the request. I assume that this SNAT will be the IP address (either interface IP or virtual IP) of the site local inside
- Will this SNAT will happen automatically or needs to be defined via network connector (?)
- Site local inside will check the address and then send it to the respective server (Simple case of connectivity)
- Once the server responds back to the request, it will come to the site local inside IP address and then the NAT will occur and the request will be sent to the site local outside
- Before sending it to site local outside it should have some kind of routing to be installed
- Technically this should be default route, so can we add it separately (?)
- The site local outside have three interfaces
- Two of them are IPSEC interface
- One of them the real physical interface
- The real physical interface has DHCP IP addresses which means that the default route is automatically installed in the network but this request needs to go via IPSEC so this means that during the bootstrap process when the network service becomes active it must have changed the routes (Please correct me if I am wrong)
- When I was doing the lab I tried to check the routing table but I couldn't able to check it because "help" showed me network status command but I couldn't able to run
Based on all the above understanding and almost all the documents which I read what I think we need network connectors between SLI and SLO and there are only three types of network connectors so what type of those network connectors will that be ? otherwise How the routing will be done, how the SNAT will occur and how the reverse routing will be performed.
PS: Once I am able to understand I will write an article with Figures so it will help for someone like me
As you had this question Difference between site local inside and site local outside ? | DevCentral if the origin servers are on the SLI and the clients connect on SLO if the HTTP lb is advertised on it or if coming from RE this by default will just work as there is no need to do anything to allow the request and response to travel between SLI and SLO 🙂
- usmansa1Altostratus
but dont we need network connector to allow requests between both networks because in F5 documents it is mentioned as that SLI and SLO are virtual networks and virtual network is a similar concept as of VRF and network is required for communication to work ?
As I mentioned no you don’t the connectors are for cases where you need the servers on the SLI to have internet access through the SLI for example or to connect them to the XC global network as other servers on other CE to reach them and that are complex use cases that you can review with F5 sales. I suggest asking F5 sales to install a test CE for you to see it in action.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com