Forum Discussion

Richard_Grigsb1's avatar
Richard_Grigsb1
Icon for Altostratus rankAltostratus
Oct 06, 2022

iRule that checks client IP and send to a pool.

I have a case where a Mulesoft private IP address cannot use the FQDN and must use the IP address of the F5 LTM VIP as the host name.  I need to limit this access to only IP addresses for the Mulesoft subnet.   Here is what I have but is is not working at this time.  I can accespt the request is I remove the checking for client IP.

#DA7POLBACORE-TEST-iRule_CONE_Mulesoft_Non-Prod_VPC_Exclude_ver5
when HTTP_REQUEST {
if { ([HTTP::host] equals "testwebsiteadminservice.tcbna.net") } {
if { [class match [IP::client_addr] equals Mulesoft_Non-Prod_VPC] } {
pool DA7POLBACORE-TEST-Pool-1135-OLB-CONE_8444
}
}
if { ([HTTP::host] equals "10.144.112.71") } {
if { [class match [IP::client_addr] equals Mulesoft_Non-Prod_VPC] } {
pool DA7POLBACORE-TEST-Pool-1135-OLB-CONE_8444
}
if { [class match [IP::client_addr] equals Mulesoft_Non-Prod_VPC] } {
reject
}
}
}

application delivery

2 Replies

Sort By
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Oct 06, 2022

    Try this:

    when HTTP_REQUEST {
    switch [HTTP::host] {
        "testwebsiteadminservice.tcbna.net" -
        "10.144.112.71" {
            if { [class match [IP::client_addr] equals Mulesoft_Non-Prod_VPC] } {
                pool DA7POLBACORE-TEST-Pool-1135-OLB-CONE_8444
            }
        }
        default {
            reject
        }
    }
}

    Also, if the source addresses are in a single contiguous subnet, you could actually just define this subnet in the Source Address field of the VIP.

  • Sajid's avatar
    Sajid
    Icon for Cirrostratus rankCirrostratus
    Oct 07, 2022

     

    an effortless way to achieve your requirement.

    Data Group List defined under irule > 

    when HTTP_REQUEST {
    if { ( [class match [IP::client_addr] equals access_list]) } {
    pool node_test1_pool
    } else {
    pool node_test2_pool
    }
    }