
Create "Health Monitor" rule for Existing Local Traffic Policy

Racquel_Mays
F5 Employee

I have a working, existing policy, which allows specific service ports to 1 VS. However, I also need to allow an external HTTP Health Check [rule], which would respond with a string and a "200 OK" over a specific port, i.e. 8686.

The healthcheck, along with 1 VS multiple specific ports, does work; with iRule applied as well on my A10's, from which I am migrating to F5. However, I cannot get a rule to allow the external monitor to work. Also, I tried just adding the iRule to the VIP along with the policy. However, it doesn't work, most likely because my policy has a default deny at the end and the policy executes before the iRule.

Is there any way to achieve this with a rule for the external monitor?


1 ACCEPTED SOLUTION

crodriguez
F5 Employee

I checked BIG-IP v16.0 and iRules are still the way to go if you want to send a custom HTTP response. There is no functionality to be able to do this from a local traffic policy.


6 REPLIES

crodriguez
F5 Employee

You could try adding a rule specifically for the port 8686 traffic before default_deny_rule and set the action to Ignore. That should allow the connection to continue on to layer 7 where I'm guessing your iRule is sending the external monitor response on the HTTP_REQUEST event. Something like: If TCP port is 8686 at client accepted time, ignore. Since you've masked the ports for the other rules, it is hard for me to tell whether or not one of those rules would catch the port 8686 traffic first.

Racquel_Mays
F5 Employee

Thanks for your response. None of the redacted rules will catch 8686.

 

Port 8686 is the port that the external monitor uses to monitor the VS. So, the monitor connects, on 8686, performs a GET and I need a Policy which will return a string, with 200 OK.

 

Also, creating an HTTP_REQUEST rule is not an option. I do see HTTP_METHOD, and since the monitor is sending a GET this could work with "at request time". In the action, or "Do the following when the traffic is matched", section, I need to understand the syntax I am to configure to return a string with 200 OK.

 

I want a policy to perform this function. If it is not possible, creating a [policy] rule 8686 and setting ignore makes sense in conjunction with placing an iRule, for the health monitor, on the VS.

 

I read that a tcl: variable could be set in order to use iRule functionality in the Local traffic Policy as well.

 

I hope my goals are more clear to you now.

 

 

Racquel_Mays
F5 Employee

#policy #ltm #rule #HTTP_REQUEST

crodriguez
F5 Employee

Thank you for the additional information, Racquel. It does help. Unfortunately, as far as I can tell, there is no way to send a custom HTTP response from a local traffic policy. The functionality does not exist in v15.1 and earlier. I haven't checked in v16.0 yet, but will, just in case. So it would seem an iRule is your only option for sending the custom response string the external monitor application needs from the BIG-IP system, rather than from the application server itself.

 

Your iRule might look like this:

    when HTTP_REQUEST {
        # Answer the external monitor from the BIG-IP itself on port 8686
        if { [TCP::local_port] == 8686 } {
            HTTP::respond 200 content "<response-string>"
        }
    }

I don't think it's necessary to check the HTTP method if no other requests occur to port 8686.

 

I'll let you know if I find a local traffic policy solution in v16.0.
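
A stricter variant of the iRule discussed above, as an added example that is not part of the original replies: it answers on port 8686 only for known monitor sources and only for GET, so the health responder does not become an open endpoint on the virtual server. The data group name `monitor_sources` is hypothetical (an address-type data group you would create with the monitor's source IPs), and `<response-string>` is the thread's own placeholder.

```tcl
# Added example, not from the thread. Assumes a policy rule that ignores
# port 8686 ahead of the default deny, as suggested earlier in the thread.
# "monitor_sources" is a hypothetical address-type data group.
when HTTP_REQUEST {
    # Leave the other service ports to the policy and the pool.
    if { [TCP::local_port] != 8686 } {
        return
    }

    # Only the monitoring hosts get an answer on the health-check port.
    if { ![class match [IP::client_addr] equals monitor_sources] } {
        log local0.notice "health check refused for [IP::client_addr]"
        reject
        return
    }

    # The monitor performs a GET; refuse any other method.
    if { [HTTP::method] ne "GET" } {
        HTTP::respond 405 noserver "Allow" "GET" "Connection" "close"
        return
    }

    # noserver suppresses the default Server header in the response.
    HTTP::respond 200 content "<response-string>" noserver \
        "Content-Type" "text/plain" "Connection" "close"
}
```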

Racquel_Mays
F5 Employee

Thank you so much for checking. This helps.
