Forwarding to virtual server on another LTM controller

Question

My organization is preparing to run a test and target campaign, where they want to route a small subset of traffic to a new version of the application seamlessly. This works fine if both the old and new version are behind the same controller, and I can have an iRule simply select the pool of old version servers or the pool of new version servers. I've got logic to persist the initial selection with a cookie, and allow adjusting the ratio between A and B. However, in our production environment, the new and the old versions are not on servers that can be behind the same LTM controllers. So, to route to experience B I need my iRule to be able to forward traffic to a VIP on another controller. How can I achieve this? I tried adding the remote VIP as a node on the controller for A and just selecting the node, but that doesn't seem to work.

cory_50405 · Answer

Is the traffic in question HTTP?  If so, this can be done via an HTTP redirect.&nbsp;
If not, then your approach of sending to site B's virtual server via site A's LTM should work.  You'll need to ensure you perform the appropriate SNAT on site A's LTM so the return traffic will come back through LTM A.  You'll also need to ensure the routing and access control within the network is setup to allow the communications from LTM A's SNAT address to the virtual server on LTM B.&nbsp;

rayd · Answer

The traffic in question is all HTTP.  A redirect would be simple, but the business partners want the ability to turn off experience B and have the clients all return to A on demand.  I was hoping to be able to do that from a single place.  The SNAT might be my problem.  I suppose the source address is being sent to controller B as the original client still.  I need to override that with a SNAT address from controller A, so controller B sends the reply back there.  In fact, that's exactly what the tcpdump output shows now that I know to look for it.  Thanks.

cory_50405 · Answer

You can do the HTTP redirect from LTM A.  LTM A could be your single place of turning on/off experience B.  If you can't get the SNAT communications working between LTM A and B and you want to pursue HTTP redirection, I can assist with an iRule to do so.

kevin_stewart · Answer

I may be missing something here, but there's no reason why you can't define a pool on one controller to contain VIP addresses on another controller. SNAT would only be necessary if return routing was an issue.
client -&gt; LTM A VIP -&gt; (pool) -&gt; LTM B VIP -&gt; (pool) -&gt; server

With address translation enabled in each VIP, LTM A will change the destination address to that of the pool member (LTM B's VIP). Traffic arriving at the LTM B VIP will be translated to the server's address. If you don't apply SNAT, then the source address arriving at the server will be the true client address. You then just need to make sure that 1) the server responds back through LTM B, and 2) that LTM B responds back through LTM A, which may require SNATs applied in either or both locations.

Forum Discussion

Forwarding to virtual server on another LTM controller

4 Replies

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

Distributed caching of authentication requests with NGINX Ingress Controller

Restricting Access to Virtual from client IP address in X-Forwarder-For HTTP header

Integrating SSL Orchestrator with Fortinet FortiGate Virtual Edition as a Virtual Wire

Overview of API Access Control and implementing API key access control with BIG-IP APM

ExternalName Service and Authentication Subrequests with NGINX Ingress Controller