Forum Discussion

VernonWells's avatar
VernonWells
Icon for Employee rankEmployee
Mar 26, 2016

It can. You cannot use the BIG-IP priority group activation method for this, because it has a different meaning than what you describe above, but you can define two pools, one for each "priority group". You would then select the "priority group" based on the header field. You would set the Virtual Server LB method to "Ratio" and define the pool member ratios in each pool. It would look something like this (untested!):

when HTTP_REQUEST {
    if { [HTTP::header exists "iSession"] && [persist lookup uie [HTTP::header "iSession"]] } {
        persist uie [HTTP::header "iSession"]
    }
    else {
        switch [HTTP::header "iPGroup"] {
            "One" {
                pool pool-One
            }
            
            "Two" {
                pool pool-Two
            }
        }
        
        if { [HTTP::header exists "iSession"] } {
            persist uie [HTTP::header "iSession"]
        }
    }
}

In this configuration, you should also define a default pool for the Virtual Server, which would be used if iPGroup is not set or is not a value in the set ["One", "Two"].

  • ppltam_183867's avatar
    ppltam_183867
    Icon for Cirrus rankCirrus
    Mar 28, 2016
    Really Thanks Vernon for sharing the technical insight and would like to go a bit further. Traffic from the LTM Virtual Server going to the actual Node members who run web services are actually encrypted running SSL. On the LTM virtual server, we have defined two SSL profiles (One Client SSL and One Server SSL profile) as end-to-end encryption is a mandatory requirement due to confidentiality of the application. Question is can we still use the iRules suggested e.g. <<********************>> when HTTP_REQUEST { if { [HTTP::header exists "iSession"] && [persist lookup uie [HTTP::header "iSession"]] } { persist uie [HTTP::header "iSession"] } else { switch [HTTP::header "iPGroup"] { "One" { pool pool-One } "Two" { pool pool-Two } } ......... <<*****************> in combination with the SSL profiles defined or do we have to perform encryption / decryption/ re-encryption on the iRules level and write extra iRule coding in order to achieve the end-to-end traffic encryption as well as the persistent session requirements. Many thanks in advance. Regards Patrick
  • VernonWells's avatar
    VernonWells
    Icon for Employee rankEmployee
    Mar 28, 2016
    As long as the Virtual Server has a client-ssl profile and an http profile, the rules above will work. The addition of a server-ssl profile does not change that.