Virtual F5 vs Hardware which one is best for application with SSL and WAF and traffic around 1Gbps
I am planning to move from a hardware appliance to virtual. How do you guys rate it, and what's suggested: should one move to virtual if the F5 is serving a critical application with zero downtime?
Feedback will be appreciated. All insight on license models and limitations you guys face in the virtual appliance will be highly appreciated.
While sizing of an F5 instance is not voodoo, it requires more information than SSL, WAF and the expected traffic in GBps. Been there, failed, learned, repeat. 🙂
I recommend you reach out to an F5 partner in your region and do the sizing together with an expert.
A couple of examples:
SSL is not SSL. You might use mostly RSA keys with 4096 bit key length. Or you use ECC keys with 384 bit key length. Both offer equally strong security, while ECC keys with 384 bit key length require significantly less compute power and can run in a VE. Using ECC keys you might not need to buy a hardware F5, because the ASICs won't make a large impact. Modern CPUs have built-in support for certain SSL related hardware accelerations, and BIG-IP can use these in a VM environment.
Which features of AWAF do you plan to use? Some features are more computationally expensive than others (yes, looking at you Data Guard!). You might need a license that allows more throughput, just because it allows you to use more vCPUs.
HTTP requests per second and transactions per second are other measurements that need to be considered when sizing an AWAF VE.
Rather than buying a hardware BIG-IP, consider scaling horizontally. Use an F5 LTM VE cluster for SSL offloading and load balance only HTTP traffic to a larger cluster of smaller AWAF VEs. This might save you some $$$ compared to a hardware cluster.
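The RSA 4096 versus ECC 384 point in the answer above can be measured on the CPU that would host the VE. This is an added example, not code from the original post or from F5: it times the private-key signature a server performs on each full TLS handshake and turns the rate into a core count for signing alone. The function names and the target of 2000 new handshakes per second are assumptions, and the Go standard library is not BIG-IP's TLS stack, so the figures show relative cost only.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"fmt"
	"math"
	"time"
)

// newKeys generates one RSA-4096 and one ECDSA P-384 key (constructed test keys).
func newKeys() (rsaKey, ecKey crypto.Signer, err error) {
	if rsaKey, err = rsa.GenerateKey(rand.Reader, 4096); err != nil {
		return nil, nil, err
	}
	ecKey, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	return rsaKey, ecKey, err
}

// signsPerSecond times n signatures on one core; a full (non-resumed) TLS
// handshake costs the server one such private-key operation.
func signsPerSecond(key crypto.Signer, n int) (float64, error) {
	digest := sha512.Sum384([]byte("constructed handshake transcript"))
	start := time.Now()
	for i := 0; i < n; i++ {
		if _, err := key.Sign(rand.Reader, digest[:], crypto.SHA384); err != nil {
			return 0, err
		}
	}
	return float64(n) / time.Since(start).Seconds(), nil
}

// coresForHandshakes returns the cores needed for signing alone at a target
// rate of new handshakes per second.
func coresForHandshakes(targetPerSec, perCoreRate float64) int {
	return int(math.Ceil(targetPerSec / perCoreRate))
}

func main() {
	const target = 2000 // assumed new handshakes per second, not from the page
	rsaKey, ecKey, err := newKeys()
	if err != nil {
		panic(err)
	}
	rsaRate, _ := signsPerSecond(rsaKey, 20)
	ecRate, _ := signsPerSecond(ecKey, 20)
	fmt.Printf("RSA-4096:    %.0f signs/s -> %d cores\n", rsaRate, coresForHandshakes(target, rsaRate))
	fmt.Printf("ECDSA P-384: %.0f signs/s -> %d cores\n", ecRate, coresForHandshakes(target, ecRate))
}
```

Session resumption removes the signature from repeat connections, so the target rate to plug in is new handshakes per second, not total connections.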