Forum Discussion

AlgebraicMirror
Apr 19, 2017

Can F5 DNS Links be used to determine whether a datacenter is up or down?

I am working on setting up F5 DNS in two datacenters, after which I would like to do typical Global Server Load Balancing with wide IPs. In this environment, there is more than one path out of the datacenters: the typical forward facing link that a client would come in on from the Internet, and there is also an internal link that goes between the datacenters. I have an F5 DNS system in each datacenter, and they are in sync.


If the link between a datacenter and the Internet goes down, Internet clients won't be able to reach the hosts in that datacenter. My concern is that I think the F5 DNS system in the datacenter that is still alive will continue to direct users to virtual servers in that downed datacenter, because its iQuery connection goes over the internal link to get to the downed datacenter, and therefore if the internal link remains up it can still see the GTMs, LTMs, virtual servers, etc., even though an Internet client cannot.


I know one solution to this would be to send the iQuery connection between the two F5 DNS systems over the Internet, so that if a datacenter is cut off from the Internet, iQuery is too, and that will cause the datacenter to be marked down. But due to where the F5 DNS systems are positioned in the network, and the way the routes work, that is simply not possible to do - they always force the traffic through the internal link between datacenters.


So, I am wondering if there are any alternate ways to mark a datacenter as down. For example, can a link be added to each F5 DNS system, representing the link to the Internet, and if it can't contact the address on the other side, then the whole datacenter is marked down? Or are links only for load balancing ISP connections?


If links don't work this way, is there any other way to accomplish this? From a security perspective it would also be really nice to have a way to mark a datacenter down based on some sort of path monitor, because I would rather have ports 4353 and 22 take the internal path anyway and not be exposed to the Internet.


2 Replies

  • Theoretically yes, but F5 should be adding this to their documentation as a go-to configuration item in the IMPLEMENTATION guide.


    I'm currently working on this and will let you know how it goes.


  • So, on a WIP basis, you could create a dependency object.


    I created one with my upstream router and a couple of transparent checks to 8.8.8.8 and 8.4.4.4 and 4.2.2.2.


    The other way I will be testing is creating links with the same links which will be a dependency on the whole data center.


    My only fear is that if something is configured wrong, it will mark everything down.


    There is a way to connect to the upstream router and grab more intelligent info, but I'm not there yet.
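As an added example (not configuration posted by either participant), this is the shape of the dependency object the question and the second reply describe, in tmsh config syntax: transparent gateway-ICMP monitors aimed at two of the external targets mentioned above but sent through the datacenter's Internet router, attached to a link that represents the datacenter's Internet path. The object names, the router address 203.0.113.1 (documentation range) and the min-of monitor rule are assumptions; confirm the exact keys against the reference for your BIG-IP DNS version.

```tmsh
# Added example, not from the thread. Names and 203.0.113.1 are placeholders;
# 8.8.8.8 and 4.2.2.2 are the external targets named in the reply above.

# Transparent monitors: the probe is sent to the router-address node but
# addressed to the destination, so it tests the path router -> Internet,
# not merely whether the router itself answers. Timeout follows the usual
# F5 convention of 3 x interval + 1.
gtm monitor gateway-icmp mon-inet-8888 {
    defaults-from gateway-icmp
    destination 8.8.8.8:*
    interval 30
    timeout 91
    transparent enabled
}
gtm monitor gateway-icmp mon-inet-4222 {
    defaults-from gateway-icmp
    destination 4.2.2.2:*
    interval 30
    timeout 91
    transparent enabled
}

gtm datacenter dc1 { }

# The link stands for DC1's Internet path. Requiring only one of the two
# targets to answer addresses the "one mistake marks everything down" worry:
# a single unreachable public resolver does not take the link down, but a
# real loss of the Internet path (both probes failing) does. Assumption: the
# min-of rule is written in the form tmsh accepts for LTM pool monitors.
gtm link link-dc1-internet {
    datacenter dc1
    monitor min 1 of { mon-inet-8888 mon-inet-4222 }
    router-addresses {
        203.0.113.1 { }
    }
}
```

Because the probes originate from the BIG-IP DNS inside DC1 and only need to reach the router, iQuery (4353) and SSH (22) can stay on the internal path as the question wanted; only ICMP to the external targets crosses the Internet link.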