I have a VCMP guest LTM virtual box with 1 Core running on BIG-IP 15.1.9.1 Build 0.0.5 Point Release 1
I have a requirement , With Single VIP listening on Port 443 and selecting the pool using iRules based on the URI for more that 200 Pools , Would there be a performance issue.
Please suggest if any solutions for this Requirement , Thanks.
there seems to be a wild mix of names and products.
VirtualBox is a virtualization platform by Oracle. Not officially supported. Hope you dont have that. VCMP Guest is better, hope you are using this.
Single VIP listening on port 443 and selecting the pool based on URI with an iRule is ok too. Just to clarify - based on URI or based on Hostname/FQDN? With a lot of certificates involved and lots of ssl profiles, you might end up with a cumbersome setup.
SSL handshakes will become an issue with only one core. Try to do some performance testing in that direction.
Thanks for the reply , Yes it is VCMP Guest with one core. With single VIP with Port 443 and Cert.
Irule to change the pool based on the URI. The pool members in the pool could be different and the pool members would also listen on a unique port.We will have more than 200 Pools in such a way.
Will it cause any Performance issue ? Please share if any solutions for this requirement.
@Jagadeesh This depends on multiple factors but at face value it shouldn't be an issue. If it's one URI per pool you might consider using a data-group to match in an iRule rather than a long iRule with 200+ entries. Make sure to keep what @Daniel_Wolf has stated into consideration.
@Jagadeesh I don't know of a KB article off the top of my head but I'm sure one exists. The following is what I put together assuming you have a default pool to handle all traffic that isn't defined in the data-group.
when CLIENT_ACCEPTED priority 500 {
set DEFAULT_POOL [LB::server pool]
}
when HTTP_REQUEST priority 500 {
set URI [string tolower [HTTP::uri]]
if { [class match -- ${URI} eq CLASS-URI-TO-POOL] } {
set TEMP_POOL [class match -- -value $URI eq CLASS-URI-TO-POOL]
pool ${TEMP_URI}
} else {
$DEFAULT_POOL
}
}
In your data-group called CLASS-URI-TO-POOL the string field would have the path and the value field will be the pool name that matches it.
Hi @Jagadeesh, the solution Paulius provided is the same way I'd recommend to solve the problem. iRules and data-groups are the way to go. This solution will perform.
For your question regarding the performace - there is not a straight yes or no answer. Just as an example - if you use RSA certificates with a key lenght of 4096 this is much heavier on the CPU than using ECC certificates with a key length of 384. While both offer similar level of security. Also we don't know how much troughtput and how many requests/sec you are expecting. Sizing a BIG-IP requires more than just the knowledge about one iRule.
My gut feeling is - one CPU is only for lab environments. For prod a I recommend a minimum of two.
I recommend that you monitor when using single virtual with 200 Pools but i have solution to optimize performance by using local traffic policy instead irules,
May i know if i can create a VIP with out default pool and do redirection based on uri to specific pool using LTM Policies and datagroups ? and May i know what happens when the condition fails ? Is there a a way we can return a generic error or response if the condition fails?
@Jagadeesh I'm not familiar with the traffic policy but I would imagine it would be similar and have a catchall with a specific response that you would like to provide if you do not find a match.
It's an either iRule or Local Traffic Policy decission. Last time I tried something like this with LTP, they could read from a datagroup but not use the return value. In other words, you would have to build and maintain a VERY LARGE Local Traffic Policy. With iRules it's just a datagroup, that you can easily maintain from the REST API.
