Forum Discussion
Virtual F5 vs Hardware which one is best for application with SSL and WAF and traffic around 1Gbps
- Jul 10, 2023
Hi RajaShajeelAhmed,
while sizing of an F5 instance is not voodoo, it requires more information than SSL, WAF and the expected traffic in GBps. Been there, failed, learned, repeat. 🙂
I recommend you to reach out to a F5 partner in your region and do the sizing together with an expert.A couple of examples:
SSL is not SSL. You might use mostly RSA keys with 4096 bit key length. Or you use ECC keys with 384 bit key length. Both offer equally strong security, while ECC keys with 384 bit key length require significantly less compute power and can run in a VE. Using ECC keys you might not need to buy hardware F5, because the ASICs won't make a large impact. Modern CPUs have a build-in support for certain SSL related hardware accelerations, BIG-IP can use these in a VM environment.
Which features of AWAF do you plan to use? Some feature are more computationally expensive than others (yes, looking at you Data Guard!). You might need a license that allows more throughput, just because it allows you to use more vCPUs.
HTTP requests per second and Transactions per second are other measurements that require to be considered when sizing an AWAF VE.Rather than buying a hardware BIG-IP, consider scaling horizontally. Use a F5 LTM VE cluster for SSL offloading and loadbalance only HTTP traffic to a larger cluster of smaller AWAF VEs. This might safe you some $$$ compared to a hardware cluster.
KR
Daniel
Hi RajaShajeelAhmed,
while sizing of an F5 instance is not voodoo, it requires more information than SSL, WAF and the expected traffic in GBps. Been there, failed, learned, repeat. 🙂
I recommend you to reach out to a F5 partner in your region and do the sizing together with an expert.
A couple of examples:
SSL is not SSL. You might use mostly RSA keys with 4096 bit key length. Or you use ECC keys with 384 bit key length. Both offer equally strong security, while ECC keys with 384 bit key length require significantly less compute power and can run in a VE. Using ECC keys you might not need to buy hardware F5, because the ASICs won't make a large impact. Modern CPUs have a build-in support for certain SSL related hardware accelerations, BIG-IP can use these in a VM environment.
Which features of AWAF do you plan to use? Some feature are more computationally expensive than others (yes, looking at you Data Guard!). You might need a license that allows more throughput, just because it allows you to use more vCPUs.
HTTP requests per second and Transactions per second are other measurements that require to be considered when sizing an AWAF VE.
Rather than buying a hardware BIG-IP, consider scaling horizontally. Use a F5 LTM VE cluster for SSL offloading and loadbalance only HTTP traffic to a larger cluster of smaller AWAF VEs. This might safe you some $$$ compared to a hardware cluster.
KR
Daniel
But what about performance for the VE appliance? And in case of issues responsibility is divided between Virtualized platform and the F5 VE how to cop that part. Further can you shed some light on SSL part as most of traffic is SSL and we are using RSA key and yes we have WAF and HTTP analytics enabled.
- Daniel_WolfJul 13, 2023MVP
I agree with your concern regarding the shared responsibility between hypervisor and BIG-IP VE when it comes to troubleshooting issues. Really depends on your organisation. I've had customers who bought hardware for this exact reason - clear segregation of responsibilities. No joint effort required to do troubleshooting.
Regarding the performance of VE vs hardware BIG-IP:
- The license determines how many vCPUs you can assign to your BIG-IP VE. The more, the better.
- ASM signatures and many other AWAF protection features do regex checking. This is handled in CPU, no need for appliance hardware.
Lastly, I have a couple of PPT slides on the subject of modern and robust encryption. You can DM me and I will share those you.
My conclusion back than was: ECC certificates offer stronger security and smaller certificates - e.g., a 256-bit ECC key is equivalent to a 3072-bit RSA key.
The difference between RSA vs ECC certificates is in the encryption strength. ECC provides an equivalent level of encryption strength as RSA algorithm with a shorter key length. As a result, the speed and security offered by an ECC certificate are higher than an RSA certificate.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com