06-Oct-2022 08:39
I have a case where a Mulesoft private IP address cannot use the FQDN and must use the IP address of the F5 LTM VIP as the host name. I need to limit this access to only IP addresses for the Mulesoft subnet. Here is what I have, but it is not working at this time. I can accept the request if I remove the checking for client IP.
#DA7POLBACORE-TEST-iRule_CONE_Mulesoft_Non-Prod_VPC_Exclude_ver5
when HTTP_REQUEST {
    # Access by FQDN: only clients in the Mulesoft data group get the pool
    if { ([HTTP::host] equals "testwebsiteadminservice.tcbna.net") } {
        if { [class match [IP::client_addr] equals Mulesoft_Non-Prod_VPC] } {
            pool DA7POLBACORE-TEST-Pool-1135-OLB-CONE_8444
        }
    }
    # Access by VIP address
    if { ([HTTP::host] equals "10.144.112.71") } {
        if { [class match [IP::client_addr] equals Mulesoft_Non-Prod_VPC] } {
            pool DA7POLBACORE-TEST-Pool-1135-OLB-CONE_8444
        }
        # Same condition as the block above, so clients that matched are also rejected here
        if { [class match [IP::client_addr] equals Mulesoft_Non-Prod_VPC] } {
            reject
        }
    }
}
06-Oct-2022 09:56
Try this:
when HTTP_REQUEST {
    switch [HTTP::host] {
        "testwebsiteadminservice.tcbna.net" -
        "10.144.112.71" {
            if { [class match [IP::client_addr] equals Mulesoft_Non-Prod_VPC] } {
                pool DA7POLBACORE-TEST-Pool-1135-OLB-CONE_8444
            }
        }
        default {
            reject
        }
    }
}
Also, if the source addresses are in a single contiguous subnet, you could actually just define this subnet in the Source Address field of the VIP.
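As an added example (not code from any of the posters), here is the same host-plus-data-group check with an explicit else branch, so a client outside the allowed subnet is rejected and logged rather than silently falling through to the default pool; the data group and pool names are the ones used in this thread, and the Host header is normalised first so a trailing ":port" or different letter case does not defeat the match.

```tcl
# Added example, not the original poster's iRule.
# Assumes the address-type data group Mulesoft_Non-Prod_VPC and the pool
# DA7POLBACORE-TEST-Pool-1135-OLB-CONE_8444 already exist on the LTM.
when HTTP_REQUEST {
    # Lowercase the Host header and drop any ":port" suffix, so that
    # "10.144.112.71:443" or "TestWebSiteAdminService.tcbna.net" still match.
    set host [string tolower [lindex [split [HTTP::host] ":"] 0]]

    switch $host {
        "testwebsiteadminservice.tcbna.net" -
        "10.144.112.71" {
            if { [class match [IP::client_addr] equals Mulesoft_Non-Prod_VPC] } {
                pool DA7POLBACORE-TEST-Pool-1135-OLB-CONE_8444
            } else {
                # Client is outside the permitted subnet(s): record it in /var/log/ltm, then drop it.
                log local0. "Rejected [IP::client_addr] for host $host (not in Mulesoft_Non-Prod_VPC)"
                reject
            }
        }
        default {
            # Any other Host value is not served by this VIP at all.
            log local0. "Rejected [IP::client_addr] for unexpected host $host"
            reject
        }
    }
}
```

The log lines give you a quick way to confirm from /var/log/ltm which source addresses are being refused while you verify the data group contents.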
06-Oct-2022 21:51
An effortless way to achieve your requirement.
Data Group List defined under iRule >
when HTTP_REQUEST {
    if { ( [class match [IP::client_addr] equals access_list]) } {
        pool node_test1_pool
    } else {
        pool node_test2_pool
    }
}