Forum Discussion
Virtual F5 vs Hardware which one is best for application with SSL and WAF and traffic around 1Gbps
Hello,
I am planning to move from hardware appliance to virtual , how you guys rate it and whats suggested that one should move to the virtual if F5 is serving from critical application with zero downtime.
Feedback will be appricated. All insight of license models and limitions you guys face in virtual appliance will be highly appricated.
Thanks
Hi RajaShajeelAhmed,
while sizing of an F5 instance is not voodoo, it requires more information than SSL, WAF and the expected traffic in GBps. Been there, failed, learned, repeat. 🙂
I recommend you to reach out to a F5 partner in your region and do the sizing together with an expert.A couple of examples:
SSL is not SSL. You might use mostly RSA keys with 4096 bit key length. Or you use ECC keys with 384 bit key length. Both offer equally strong security, while ECC keys with 384 bit key length require significantly less compute power and can run in a VE. Using ECC keys you might not need to buy hardware F5, because the ASICs won't make a large impact. Modern CPUs have a build-in support for certain SSL related hardware accelerations, BIG-IP can use these in a VM environment.
Which features of AWAF do you plan to use? Some feature are more computationally expensive than others (yes, looking at you Data Guard!). You might need a license that allows more throughput, just because it allows you to use more vCPUs.
HTTP requests per second and Transactions per second are other measurements that require to be considered when sizing an AWAF VE.Rather than buying a hardware BIG-IP, consider scaling horizontally. Use a F5 LTM VE cluster for SSL offloading and loadbalance only HTTP traffic to a larger cluster of smaller AWAF VEs. This might safe you some $$$ compared to a hardware cluster.
KR
Daniel
Hi RajaShajeelAhmed,
while sizing of an F5 instance is not voodoo, it requires more information than SSL, WAF and the expected traffic in GBps. Been there, failed, learned, repeat. 🙂
I recommend you to reach out to a F5 partner in your region and do the sizing together with an expert.A couple of examples:
SSL is not SSL. You might use mostly RSA keys with 4096 bit key length. Or you use ECC keys with 384 bit key length. Both offer equally strong security, while ECC keys with 384 bit key length require significantly less compute power and can run in a VE. Using ECC keys you might not need to buy hardware F5, because the ASICs won't make a large impact. Modern CPUs have a build-in support for certain SSL related hardware accelerations, BIG-IP can use these in a VM environment.
Which features of AWAF do you plan to use? Some feature are more computationally expensive than others (yes, looking at you Data Guard!). You might need a license that allows more throughput, just because it allows you to use more vCPUs.
HTTP requests per second and Transactions per second are other measurements that require to be considered when sizing an AWAF VE.Rather than buying a hardware BIG-IP, consider scaling horizontally. Use a F5 LTM VE cluster for SSL offloading and loadbalance only HTTP traffic to a larger cluster of smaller AWAF VEs. This might safe you some $$$ compared to a hardware cluster.
KR
DanielBut what about performance for the VE appliance? And in case of issues responsibility is divided between Virtualized platform and the F5 VE how to cop that part. Further can you shed some light on SSL part as most of traffic is SSL and we are using RSA key and yes we have WAF and HTTP analytics enabled.
I agree with your concern regarding the shared responsibility between hypervisor and BIG-IP VE when it comes to troubleshooting issues. Really depends on your organisation. I've had customers who bought hardware for this exact reason - clear segregation of responsibilities. No joint effort required to do troubleshooting.
Regarding the performance of VE vs hardware BIG-IP:
- The license determines how many vCPUs you can assign to your BIG-IP VE. The more, the better.
- ASM signatures and many other AWAF protection features do regex checking. This is handled in CPU, no need for appliance hardware.
Lastly, I have a couple of PPT slides on the subject of modern and robust encryption. You can DM me and I will share those you.
My conclusion back than was: ECC certificates offer stronger security and smaller certificates - e.g., a 256-bit ECC key is equivalent to a 3072-bit RSA key.
The difference between RSA vs ECC certificates is in the encryption strength. ECC provides an equivalent level of encryption strength as RSA algorithm with a shorter key length. As a result, the speed and security offered by an ECC certificate are higher than an RSA certificate.
Hardware is needed if you have a datacenter or co-location, especially if you deal with a large amount of SSL termination. Remember, F5 hardware has custom ASICs for SSL and compression.
If the above is not a concern, deploy an instance of F5 BIG-IP VE on two different VMware clusters, at at a minimum, set affinity to ensure that both VE instances never run on the same host. Then of course setup HA across 2 units. Migrate over the UCS with the no platform check and no license options, repoint VLANs to correct VE interfaces, and test.
- muhamed_elfikyAltocumulus
Hello,
performance depends on the resources you allocate to your equipment. but in any case the use of hardware is always more robust in terms of performance.the hardware part allows to do some operations with dedicated asic (compression, acceleration, SSL decryption, ...):
Message from F5 (Salim): Software is the same (TMOS and modules). Obviously physical connectivity (interfaces, trunks) are not relevant in a VE environment. Performance is the major difference of course. There is a throughput limitation on VEs based on the hypervisor you are using, the TMOS version of your VE and the license you purchased.
Regards,
Do you have experece with virtual and hardware appliance for the same exposed application? how it goes?
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com