100+ Internal VIPs in AWS
Published Dec 20, 2016
Version 1.0
Gary,
Yes, you need to disable SRC/DST check. The SRC IP of the BIG-IP will still be the private address on the ENI, you do not need to SNAT to the 172.16.10.x network.
Hypothetical packet capture:
Client: 10.1.10.10
BIG-IP: 172.16.10.10 (fake), 10.1.20.10 (real)
Backend: 10.1.20.100
Client (src: 10.1.10.10, dst: 172.16.10.10) -> BIG-IP (src: 10.1.20.10, dst: 10.1.20.100)
-> Backend (src: 10.1.20.100, dst: 10.1.20.10) -> BIG-IP (src: 172.16.10.10, dst: 10.1.10.10)
-> Client
Eric
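The flow in the reply above can be traced with a simplified model of the per-ENI source/destination check. This is an added example, not part of the original reply and not F5 or AWS code. It assumes the check drops inbound packets not addressed to one of the ENI's own IPs and outbound packets not sourced from one, and that the BIG-IP ENI holds only the 10.1.20.10 address from the post.

```python
from ipaddress import ip_address

# Assumption: the only address assigned to the BIG-IP ENI is the "real" one from the post.
ENI_IPS = {ip_address("10.1.20.10")}

# The four hops from the hypothetical capture, as seen at the BIG-IP's ENI:
# (direction relative to the BIG-IP, source, destination)
HOPS = [
    ("in",  "10.1.10.10",   "172.16.10.10"),  # client -> VIP (fake address)
    ("out", "10.1.20.10",   "10.1.20.100"),   # BIG-IP -> backend, sourced from ENI address
    ("in",  "10.1.20.100",  "10.1.20.10"),    # backend -> BIG-IP
    ("out", "172.16.10.10", "10.1.10.10"),    # VIP -> client
]


def eni_allows(direction, src, dst, check_enabled):
    """Return True if the modelled ENI would pass the packet."""
    if not check_enabled:
        return True
    # Inbound: the ENI must be the destination. Outbound: it must be the source.
    own_side = ip_address(dst) if direction == "in" else ip_address(src)
    return own_side in ENI_IPS


def trace(check_enabled):
    """Pass/drop verdict for each hop, in order."""
    return [eni_allows(d, s, t, check_enabled) for d, s, t in HOPS]


def hops_dropped_with_check():
    """1-based hop numbers that only work once the check is disabled."""
    return [i + 1 for i, ok in enumerate(trace(True)) if not ok]


if __name__ == "__main__":
    for enabled in (True, False):
        state = "enabled" if enabled else "disabled"
        print(f"SRC/DST check {state}:")
        for (d, s, t), ok in zip(HOPS, trace(enabled)):
            print(f"  {d:>3} {s:>13} -> {t:<13} {'pass' if ok else 'DROP'}")
    print("Hops that require the check disabled:", hops_dropped_with_check())
```

Only the two hops that carry the 172.16.10.10 address depend on the check being disabled; the BIG-IP-to-backend leg uses the ENI's own address and passes either way.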