100+ Internal VIPs in AWS

  Amazon Web Services (AWS) limits the number of private/public IPs that you can attach to an interface.  The following is a workaround to create a private network within an Amazon Virtual...
Published Dec 20, 2016
Version 1.0
application delivery
AWS
cloud
Eric_Chen's avatar
Eric_Chen
Icon for Employee rankEmployee
Feb 19, 2019

Gary,

Yes, you need to disable SRC/DST check. The SRC IP of the BIG-IP will still be the private address on the ENI, you do not need to SNAT to the 172.16.10.x network.

Hypothetical packet capture:

Client: 10.1.10.10
BIG-IP: 172.16.10.10 (fake), 10.1.20.10 (real)
Backend: 10.1.20.100

Client (src: 10.1.10.10, dst: 172.16.10.10) -> BIG-IP (src: 10.1.20.10, dst: 10.1.20.100) 
       -> Backend (src: 10.1.20.100, dst: 10.1.20.10) -> BIG-IP (src: 172.16.10.10, dst: 10.1.10.10)
           -> Client

Eric