If I may add, a BIG-IP load balancing configuration can be as simple as a virtual server and a pool. The pool contains the real IP and port of the web servers, and the virtual server (VIP) defines the virtual destination address and port - the address that clients will contact to get to the web application. Create your pool. Create your VIP. And then bind the pool to the VIP. Done.

When the client makes a TCP connection with the BIG-IP VIP, the client source address will, by default in a standard virtual server configuration, remain the same, while the destination address will change to the address of the chosen pool member. The web server will receive the request, and depending on routing, send the response back through the BIG-IP. Now, if the server knows of another route to the client that isn't through the BIG-IP (a default gateway perhaps), then you'll find yourself in an "asynchronous routing" problem, where the client will receive a response from an address that it doesn't know (the address of the web server).

This is what SNAT is for. With a SNAT profile applied, the client's source address will be changed to an address that is managed by the BIG-IP, which will force the server to return the response through the BIG-IP. The problem with this of course is that you lose the client's true source address. There are at least two ways to manage this issue:

- If this is HTTP traffic, the BIG-IP can inject an "X-Forwarded-For" header into the request that contains the client's true source address. For other protocols it may be possible to inject the source into other areas of the payload.
- You can make the BIG-IP's internal self-IP address the default gateway for the web servers. This should guarantee return routing, but may also cause other implications for the web servers. For instance, if they need to be able to talk out to the world, you may need to put a forwarding VIP on the internal VLAN for these web servers.

As far as the virtual server goes, as I said, the simplest configuration can be nothing more than a VIP and a pool. If you need additional services, like persistence, iRules, SSL offload, and others, these are all profiles that are first created, and then bound to the VIP config.
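
For the X-Forwarded-For option in the post above, the web server behind SNAT still has to decide when to believe the header, since any client can send one of its own. The following is an added example, not part of the original post and not F5 code: a Python function that accepts the header only when the TCP peer is the BIG-IP. The names `TRUSTED_PROXIES` and `client_ip` are hypothetical, the addresses are constructed, and it assumes the server joins multiple X-Forwarded-For header lines into one comma-separated value.

```python
import ipaddress

# Assumption (constructed range): the SNAT / self-IP addresses the BIG-IP
# uses as source when it connects to the pool members.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.20.0/28")]


def _is_trusted(addr):
    """True when addr belongs to one of the load balancer's own ranges."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff_header):
    """Return the address a pool member should log or use in access rules.

    peer:       source address of the TCP connection as the web server sees it
    xff_header: raw X-Forwarded-For value, or None when the header is absent
    """
    peer_addr = ipaddress.ip_address(peer)
    # A connection that did not arrive from the BIG-IP gets no say over its
    # own identity: ignore the header and use the socket address.
    if not _is_trusted(peer_addr) or not xff_header:
        return str(peer_addr)
    # Walk right to left. The rightmost entries were written by our own
    # proxies; anything further left came from the client and may be forged.
    for entry in reversed([e.strip() for e in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            break  # malformed entry: trust nothing to the left of it
        if not _is_trusted(addr):
            return str(addr)
    # Header held only proxy addresses or garbage: fall back to the peer.
    return str(peer_addr)


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For value)
    for peer, xff in [("10.10.20.5", "198.51.100.7"),
                      ("10.10.20.5", "1.2.3.4, 198.51.100.7"),
                      ("192.0.2.50", "198.51.100.7")]:
        print(peer, repr(xff), "->", client_ip(peer, xff))
```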