Role of F5 and iRules (to iRule or not to iRule)

Question

Disclaimer: I realize this post is inflammatory and may spark a lot of debate.  That is my intent.&nbsp;
&nbsp;I have been working with F5s and iRules for more than 2 years now.  While F5 devices can do some really great stuff with iRules but what troubles me is whether or not it is appropriate to use the F5 in this way or not.  I consider the F5 to primarily be a Network device, albeit a really really capable Network device.&nbsp;
&nbsp;So when I get 'load balancing requests' to 'send traffic for path /app1 one pool and traffic for /app2 to another pool' on the load balancer I cringe.  I am a firm believer in "just because you can doesn't mean you should" and I feel that applies here.&nbsp;
&nbsp;I have to suspect that the performance of an iRule on an F5 has to be less than the performance of Apache doing the same thing.  Especially if you have multiple Apache (or other web servers for that matter) doing the same work.  Also correct me if I am wrong but iRules are likely processed by a general CPU where straight 'network' load balancing, is probably processed by ASICs dedicated to such things.  Is this correct?&nbsp;
&nbsp;What's more is our F5s are used to support multiple customers and I would not want to end up in a situation where one customer's web site chews up a disproportionate amount of resources on our F5s.  I fear that using iRules blindly to do things could lead to this situation.&nbsp;
&nbsp;I suppose if I were to ask specific questions I might be looking for answers to the following:&nbsp;
&nbsp;- How do you decide if an iRule is the right solution if there are other options?
&nbsp;- More specifically, is it the right solution to use iRules to parse URLs and direct traffic to pools accordingly?&nbsp;
&nbsp;But as I said above I intended to start a discussion.  Please discuss...  I can't imagine my organization is the only facing these concerns.&nbsp;
&nbsp;Regards,
&nbsp;-Alan&nbsp;

chris_miller · Answer

This is my opinion. 
&nbsp;  
&nbsp; F5's BIG-IP products shouldn't be considered network appliances. They're "Application Delivery Controllers." If all you care about is layer 4 switching, you can almost certainly find something cheaper. F5 differentiates itself when you begin tailoring the product to specific scenarios. Being a full proxy allows you to do almost whatever you want with L7 requests while also optimizing TCP settings for client and server side traffic. The point to Application Delivery as I see it is about using context to determine the ideal way to deliver an application. 
&nbsp;  
&nbsp; If you're asking whether an F5 iRule serving a redirect can do it more efficiently than Apache, the answer depends on what you're considering "efficient" Is it efficient to have that logic live on 10 different Apache servers instead of one F5? Does it make sense for traffic to come all the way to the server just to get redirected back through?  
&nbsp;  
&nbsp; When you say network load balancing, are you simply considering layer 3 type? LACP for instance?  
&nbsp;  
&nbsp; F5 does have a PerfL4 VIP type to optimize L4 connections that don't require L7 capabilities. That was offloaded to hardware. As the newer models have come out, there's actually little gain in doing that. Obviously using an iRule forces the box to inspect and react to L7 traffic though which will reduce performance a bit. 
&nbsp;  
&nbsp; Using your cringe example - of /app1 and /app2, I don't necessarily agree that is the best method if there's a different way to do it. If you write an iRule properly though, you won't see much of a performance hit at all.  
&nbsp;  
&nbsp; Your multiple customer scenario is a very good topic - you almost need to dedicate resources to each customer...don't want 1 busy Virtual Server to take resources from someone else. 
&nbsp;  
&nbsp; Your specific questions: 
&nbsp;  
&nbsp; 1. How do I decide if an iRule is the right solution if there are other options? 
&nbsp; A: My goal is to deliver applications to my users as efficiently as possible. There are times when response time is more important than cost and times when the opposite is true. It completely depends on your requirements, your environment, your expertise, etc. Using your cringing example again, why is that a requirement and what other options do you have? If you need to serve both of those apps off of www.example.com, you don't have much choice and should consider an iRule a wonderful tool. 
&nbsp;  
&nbsp; 2. Is it the right solution to use iRules to parse URLs and direct traffic to pools accordingly? 
&nbsp; A. "Right" is a very tough word to use here. If you need traffic sent in such a manner, I would ask what other options you have? In your example, you wouldn't need an iRule if your folks used app1.example.com and app2.example.com. Of course, that requires multiple dns records. What happens when you have 40 apps? Is it "right" to have 40 dns records pointing to 40 different Virtual Servers using up 40 different public IPs?

jrahm · Answer

Alan,  we hosted our DevCentral MVPs at the F5 Summit in Chicago earlier this week.  After we wrapped our agenda for the day, the MVPs, a few F5 FSEs, the DevCentral team, and a couple core developers tackled your question in roundtable format.  We'll get the video processed early next week and I'll post the link here.  I hope it answers your questions. 
&nbsp;  
&nbsp; Chris,  that's a very thoughful response and you make some very good points.  It's tough to make blanket statements that iRules are good/bad or right/wrong.  It al boils down to knowing the tools you have at your disposal and making an informed decision.

chris_miller · Answer

Posted By Jason Rahm on 08/05/2010 03:06 PM
&nbsp;
Alan,  we hosted our DevCentral MVPs at the F5 Summit in Chicago earlier this week.  After we wrapped our agenda for the day, the MVPs, a few F5 FSEs, the DevCentral team, and a couple core developers tackled your question in roundtable format.  We'll get the video processed early next week and I'll post the link here.  I hope it answers your questions. 
&nbsp;  
&nbsp; Chris,  that's a very thoughful response and you make some very good points.  It's tough to make blanket statements that iRules are good/bad or right/wrong.  It al boils down to knowing the tools you have at your disposal and making an informed decision.
&nbsp;&nbsp;

Jason - looking forward to the video. I was at the summit but didn't get to spend enough time stalking the DevCentral folks.

jrahm · Answer

Man, I guess I missed you.  Next time I suppose.

chris_miller · Answer

The more we talk about using LTM as a centralized location which is not only reducing the amount of places the logic has to exist, but is also getting the logic closer to the user; I start liking more and more F5's "strategic point of control" mantra.

Forum Discussion

Role of F5 and iRules (to iRule or not to iRule)

6 Replies

Welcome! a la Communidad DevCentral LATAM de F5!

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

Recent Discussions

Recommended Study Guide, Books or Labs for F5 ASM/AWAF Module

used trial license and takeout production license

irule help - pool command and ERR_RTE Routing problem

After upgrading from PeopleTools 8.59.11 to 8.61.11 F5 APM is not rewriting the internal URLs

Credentialed Scanning - F5OS - Rseries

Related Content

iRules Style Guide

Hey Claude, can you write iRules?

Hey DeepSeek, can you write iRules?

BIG-IP Next: iRules pool routing

Json parsing with iRules

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS