F5 load balancing multiple services for a virtual server

Been using Brocade for over 15 years; recently we switched to F5. One thing I encountered is load balancing multiple services for a virtual server. The two approaches I know so far are not what I expected.

Using iRules has a big security hole as iRule is executed after the connection is established.

The second way is to configure multiple virtual servers using the same VIP, one for each service. This greatly increases the number of virtual servers.

Any other good ways?

Hi Gongya!

This statement threw me off a bit. Not sure if I understand, or have missed something.


Using iRules has a big security hole as iRule is executed after the connection is established.


You say this from a DDOS perspective, or how is it a security hole?


By default, the F5 only establishes the backend connection once a request has been received, and depending on your hardware/modules the unit can be very resilient to SYN floods.


A few alternatives on how to separate


If hosting multiple services on one VIP you'd have to distinguish them somehow, right?

Here are two options (there are a lot more though).


Distributing HTTP services

Probably the most common way to separate requests between different pools is to use the host header. You can access it via [HTTP::host] in the iRule if you have an HTTP profile assigned to the virtual server. You can easily combine the host header with a switch, an if, or a data group list lookup to choose pools.


You can also use the URI, cookies, other headers and anything else you can think of that the iRule HTTP commands support. You can find all of them here: https://devcentral.f5.com/wiki/iRules.HTTP.ashx.


Distributing non-HTTP services per port

With reservations that I consider this an ugly solution, this is an alternative. In this case you'd set up a wildcard virtual server that listens to all ports on one specific IP:



Then, you can use the event CLIENT_ACCEPTED and throw [TCP::local_port] into a conditional statement.


Let's not forget about Traffic Policies

If one is not very versed in iRules, Traffic Policies might be easier to use. They've been much improved in later versions of TMOS, and they are more efficient than iRules although not as flexible.


Questions from me

I also have some questions to and . How does this work for Radware/Brocade? Never had the pleasure of working with those devices. :)


/Patrik
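
As an added example (not Patrik's or F5's own code), here is one iRule that combines the two approaches above on a single wildcard (all-ports) virtual server: per-port dispatch in CLIENT_ACCEPTED for the non-HTTP services, and Host-header dispatch in HTTP_REQUEST for the HTTP ones. Pool names and host names are assumptions, and it assumes an HTTP profile is attached to the virtual server, which is why HTTP processing is disabled on the non-HTTP ports.

```tcl
# Added example, not from the original post. Pool and host names are assumed.
# Intended for a wildcard (port 0) virtual server with an HTTP profile attached.
when CLIENT_ACCEPTED {
    # Runs only after the TCP handshake has completed, so a port rejected here
    # has already answered the SYN and still looks "open" to a port scan.
    switch [TCP::local_port] {
        80 -
        443 {
            # HTTP services: leave pool selection to HTTP_REQUEST below.
        }
        25 {
            # Non-HTTP service: stop the HTTP profile from parsing this stream.
            HTTP::disable
            pool smtp_pool
        }
        389 {
            HTTP::disable
            pool ldap_pool
        }
        default {
            # Port not served by any pool: log and reset the connection.
            log local0.info "Rejecting [IP::client_addr] on unserved port [TCP::local_port]"
            reject
        }
    }
}

when HTTP_REQUEST {
    # Only reached on ports where HTTP processing is still enabled (80/443).
    # Normalise the Host header: lower-case and strip any ":port" suffix.
    set host [string tolower [lindex [split [HTTP::host] ":"] 0]]
    switch -glob $host {
        "www.example.com"      { pool www_pool }
        "api.example.com"      { pool api_pool }
        "*.static.example.com" { pool static_pool }
        default {
            # Unknown or missing Host: answer locally instead of picking a pool.
            HTTP::respond 404 content "Unknown host" noserver
        }
    }
}
```

Note the caveat the original question raises: the reject in CLIENT_ACCEPTED runs after the handshake, so every port on the wildcard VIP completes a SYN/SYN-ACK exchange before being reset, and a scanner will report those ports as open even though nothing is served behind them.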

When * is used for a VIP, all the ports are vulnerable to scanning, even if only some ports are load balanced.

Brocade binds all the services to one virtual server and does not respond on any ports which are not load balanced.

If using an iRule, F5 will send a SYN-ACK back to the connection request before it blocks the connection.