For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Alan_Evans_1020's avatar
Alan_Evans_1020
Icon for Nimbostratus rankNimbostratus
Jul 30, 2010

Role of F5 and iRules (to iRule or not to iRule)

Disclaimer: I realize this post is inflammatory and may spark a lot of debate. That is my intent.     I have been working with F5s and iRules for more than 2 years now. While F5 devices can do...
config
design
Chris_Miller's avatar
Chris_Miller
Icon for Altostratus rankAltostratus
Jul 30, 2010
This is my opinion.

 

 

F5's BIG-IP products shouldn't be considered network appliances. They're "Application Delivery Controllers." If all you care about is layer 4 switching, you can almost certainly find something cheaper. F5 differentiates itself when you begin tailoring the product to specific scenarios. Being a full proxy allows you to do almost whatever you want with L7 requests while also optimizing TCP settings for client and server side traffic. The point to Application Delivery as I see it is about using context to determine the ideal way to deliver an application.

 

 

If you're asking whether an F5 iRule serving a redirect can do it more efficiently than Apache, the answer depends on what you're considering "efficient" Is it efficient to have that logic live on 10 different Apache servers instead of one F5? Does it make sense for traffic to come all the way to the server just to get redirected back through?

 

 

When you say network load balancing, are you simply considering layer 3 type? LACP for instance?

 

 

F5 does have a PerfL4 VIP type to optimize L4 connections that don't require L7 capabilities. That was offloaded to hardware. As the newer models have come out, there's actually little gain in doing that. Obviously using an iRule forces the box to inspect and react to L7 traffic though which will reduce performance a bit.

 

 

Using your cringe example - of /app1 and /app2, I don't necessarily agree that is the best method if there's a different way to do it. If you write an iRule properly though, you won't see much of a performance hit at all.

 

 

Your multiple customer scenario is a very good topic - you almost need to dedicate resources to each customer...don't want 1 busy Virtual Server to take resources from someone else.

 

 

Your specific questions:

 

 

1. How do I decide if an iRule is the right solution if there are other options?

 

A: My goal is to deliver applications to my users as efficiently as possible. There are times when response time is more important than cost and times when the opposite is true. It completely depends on your requirements, your environment, your expertise, etc. Using your cringing example again, why is that a requirement and what other options do you have? If you need to serve both of those apps off of www.example.com, you don't have much choice and should consider an iRule a wonderful tool.

 

 

2. Is it the right solution to use iRules to parse URLs and direct traffic to pools accordingly?

 

A. "Right" is a very tough word to use here. If you need traffic sent in such a manner, I would ask what other options you have? In your example, you wouldn't need an iRule if your folks used app1.example.com and app2.example.com. Of course, that requires multiple dns records. What happens when you have 40 apps? Is it "right" to have 40 dns records pointing to 40 different Virtual Servers using up 40 different public IPs?