Technical Forum
Ask questions. Discover Answers.
Showing results for 
Search instead for 
Did you mean: 

Multiple VIPs or Multiple SSL profiles for sites on same nodes?




No problem really, just would like to know which is considered 'best practice' or the most efficient way of deploying multiple VIPs which target the same 2 nodes.


Scenario: We have over 20 sites, each has a dedicated pair of VIPs, one for port 80 which has an irule forwarding to the port 443 VIP. Each 443 VIP has a it's own SSL client profile containing 1 website name specific SSL cert to terminate SSL connections. Then there is a dedicated pool for each VIP. However, All of the above point to just 2 web servers, so each pool for each VIP points to the same 2 web servers.


All of these sites are public facing as well, so IP address usage is duplicated as well. This obviously is not very efficient for the use of IP addresses and also creates administrative overheads for firewall maintenance whereby bespoke NAT rules are required for each public IP and VIP IP address.


I'd like to know if this is recommended configuration, or if something else would be better? Perhaps something like having 1 VIP using 1 IP (and thus 1 public IP natted to it), then a pool for each site (with site specific health monitors) going to the 2 web server nodes. On this single VIP, you could then have a single SSL profile containing all certs for the sites, or multiple SSL profiles, 1 profile per site. Then we could use a single irule to direct traffic based on HTTP request?


Would configuration such as the above be resource intensive for the BIG-IPs? would it result in slower web site speed as a result of potential increase in process requirements? Can you think of any other pros/cons of such a deployment?


Many thanks




I see the configuration you describe very regularly in Production.


A single VIP with multiple client SSL profiles leveraging SNI, and an iRule/local traffic policy forwarding traffic to different pools based on the HTTP host header in the request.


I have not seen any noticeable issues with a deployment such as this. I think one thing to be potentially aware is source port exhaustion if you have SNAT automap enabled and a minimal number of self IPs (you can create additional self IPs / use a SNAT pool to overcome this issue). The other complexity that may arise is if you have sites that require different SSL termination methods (e.g. 1 site needs SSL offload while another needs SSL bridging)