F5 BIG-IP Load Balancer Configuration Example and Web Management Interface Experience

[Original article. Author: Zhang banquet. Article version: V1.0. For more information, see http://blog.s135.com/f5_big_ip]

Recently, I compared and tested the performance of the F5 BIG-IP and Citrix NetScaler load balancers, so I wrote this article to record the common application configuration methods of the F5 BIG-IP.

At present, many vendors offer dedicated server load balancers, such as F5 Networks' BIG-IP and Citrix NetScaler. F5 BIG-IP LTM, officially named Local Traffic Manager, provides layer 4-7 load balancing, server load balancing, application switching, session switching, status monitoring, smart network address translation, universal persistence, response error handling, IPv6 gateway, advanced routing, smart port mirroring, SSL acceleration, smart HTTP compression, TCP optimization, layer-7 rate shaping, content buffering, content conversion, connection acceleration, high-speed caching, cookie encryption, selective content encryption, application attack filtering, denial-of-service (DoS) attack and SYN flood protection, firewall packet filtering, packet sanitization, and other functions.

The main features of the F5 BIG-IP as an HTTP load balancer are:
① F5 BIG-IP provides 12 flexible algorithms to distribute all traffic evenly across the servers, while the user sees only a single virtual server.
② F5 BIG-IP can confirm whether the application returns the expected data for a request. If a server behind the F5 BIG-IP suffers a service stop, crash or other fault, the F5 detects it and marks the server as down, so user requests are no longer sent to the faulty server. User access is therefore not affected as long as the other servers are healthy. Once the fault is fixed, the F5 BIG-IP automatically verifies that the application responds correctly to client requests and resumes sending traffic to the server.
③ F5 BIG-IP supports dynamic session persistence.
④ The F5 BIG-IP iRules feature can filter HTTP content and send requests to different servers according to the domain name and URL.

The following example configures F5 BIG-IP LTM v9.x:

  

① Assume that the domain name blog.s135.com resolves to the F5's Internet (public) virtual IP address 61.1.1.3 (vs_squid). This virtual IP address has a server pool (pool_squid) that contains two real squid servers (192.168.1.11 and 192.168.1.12).
② If the squid cache misses, squid requests the F5's Intranet virtual IP address 192.168.1.3 (vs_apache), which has a default server pool (pool_apache_default) that contains two real Apache servers (192.168.1.21 and 192.168.1.22). When a request to this virtual IP address matches the iRules rule, it is sent to another server pool (pool_apache_irules), which also contains two real Apache servers (192.168.1.23 and 192.168.1.24).
③ In addition, the default gateway of all real servers points to the F5's internal network IP address, that is, 192.168.1.2.
④ All real servers access the Internet through the SNAT IP address 61.1.1.4.

Detailed configuration steps:

   1. Log on to the F5 BIG-IP management interface:
  1. Initial use:
① Power on the F5 BIG-IP and use a network cable (straight-through or crossover both work) to connect the F5 BIG-IP 3.1 management network port to the laptop's network port. Configure the laptop's IP address as "192.168.1.*" and the subnet mask as "255.255.255.0".
② Use a browser to access the factory default management IP address of the F5 BIG-IP: https://192.168.1.245 or https://192.168.245.245
③ Enter the factory default user name admin and password admin.
④ Click Activate to enter the F5 BIG-IP license application and activation page, and activate the license.
⑤ Change the default password.

  2. Subsequent logins:
Log on through the F5 BIG-IP's own Internet IP address.
① Assume that the external IP address of the F5 is 61.1.1.2; you can then log on through https://61.1.1.2.
② You can also log on through SSH. The user name is root, and the password is the same as the web management password.

   2. Create two VLANs: internal and external, representing the Intranet and the Internet respectively.
★Create VLAN demo page: http://blog.s135.com/book/f5/vlan_create.htm
★VLAN list demo page: http://blog.s135.com/book/f5/vlan_list.htm

  1. Create a VLAN: internal (Intranet)
On the "Network → VLANs" page, click the "Create" button:
① Name field: enter internal (use an English name)
② Tag field: enter 4093 (a number)
③ Interfaces field: move "1.1" from the Available list to the Untagged list. 1.1 represents the first network interface of the F5 BIG-IP.

  2. Create a VLAN: external (Internet)
On the "Network → VLANs" page, click the "Create" button:
① Name field: enter external (use an English name)
② Tag field: enter 4094 (a number)
③ Interfaces field: move "1.2" from the Available list to the Untagged list. 1.2 represents the second network interface of the F5 BIG-IP.

   3. Create the F5 BIG-IP's own IP addresses (self IPs), one each for internal (Intranet) and external (Internet).
★Create your own IP demo page: http://blog.s135.com/book/f5/selfip_create.htm

  1. Create an Intranet IP address: 192.168.1.2
On the "Network → Self IPs" page, click the "Create" button:
① IP Address field: enter 192.168.1.2 (the Intranet IP address)
② Netmask field: enter "255.255.255.0" (the Intranet subnet mask)
③ VLAN field: select internal.
④ Port Lockdown field: select Allow Default (default)

  2. Create an Internet IP address: 61.1.1.2
On the "Network → Self IPs" page, click the "Create" button:
① IP Address field: enter 61.1.1.2 (the Internet IP address)
② Netmask field: enter "255.255.255.0" (the Internet subnet mask)
③ VLAN field: select external.
④ Port Lockdown field: select Allow Default (default)

   4. Create a default gateway route
★Create Default Gateway route demo page: http://blog.s135.com/book/f5/routes_create.htm

  1. Create a default gateway route
On the "Network → Routes" page, click the "Create" button:
① Type field: select Default Gateway (default)
② Resource field: select "Use Gateway..." and enter the gateway IP address 61.1.1.1 in the input box (assume that this IP address is the Internet gateway address)

   5. Create a custom server health check
★Create server custom health check demo page: http://blog.s135.com/book/f5/monitors_create.htm

  1. Create a custom HTTP health check: monitor_http
On the "Local Traffic → Monitors" page, click the "Create" button:
① Name field: enter monitor_http (use an English name)
② Type field: select HTTP
③ Import Settings field: select HTTP.
④ Interval field: enter 5 (a health check is performed every five seconds)
⑤ Timeout field: enter 16 (the connection timeout for the health check is 16 seconds)
⑥ Send String field: enter GET / (you can also send requests with other methods or paths as needed, such as HEAD / or GET /index.htm)
⑦ Receive String field: enter the string expected in the response (blank by default)

   6. Create server pools
★Create server pool demo page: http://blog.s135.com/book/f5/pools_create.htm

  1. Create a squid server pool: pool_squid
On the "Local Traffic → Pools" page, click the "Create" button:
① Name field: enter pool_squid (use an English name)
② Health Monitors field: move the custom HTTP health check "monitor_http" created in Step 4 from the Available list to the Active list
③ Load Balancing Method field: select "Round Robin" (the load balancing method is round robin; you can also select another method)
④ New Members field: first select New Address, then add the IP addresses of the two squid servers, 192.168.1.11 and 192.168.1.12, with port 80.

  2. Create the first Apache server pool: pool_apache_default
On the "Local Traffic → Pools" page, click the "Create" button:
① Name field: enter pool_apache_default (use an English name)
② Health Monitors field: move the custom HTTP health check "monitor_http" created in Step 4 from the Available list to the Active list
③ Load Balancing Method field: select "Round Robin" (the load balancing method is round robin; you can also select another method)
④ New Members field: first select New Address, then add the IP addresses of the first group of two Apache servers, 192.168.1.21 and 192.168.1.22, with port 80.

  3. Create the second Apache server pool: pool_apache_irules
On the "Local Traffic → Pools" page, click the "Create" button:
① Name field: enter pool_apache_irules (use an English name)
② Health Monitors field: move the custom HTTP health check "monitor_http" created in Step 4 from the Available list to the Active list
③ Load Balancing Method field: select "Round Robin" (the load balancing method is round robin; you can also select another method)
④ New Members field: first select New Address, then add the IP addresses of the second group of two Apache servers, 192.168.1.23 and 192.168.1.24, with port 80.

   7. Create a profile configuration for layer-7 load balancing
★Create profiles demo page: http://blog.s135.com/book/f5/profiles_create.htm

  1. Create a profile configuration: profile_http
On the "Local Traffic → Profiles" page, click the "Create" button:
① Name field: enter profile_http (use an English name)
② Parent Profile field: select HTTP
③ Insert XForwarded For field: if necessary, select the check box and enable it (this inserts the X-Forwarded-For header so that the user's real IP address can be obtained during layer-7 load balancing. In this article, the squid servers have follow_x_forwarded_for allow all enabled, so this does not need to be set on the F5)

Note: This settings page also offers compression and other optimization functions. You can set them as needed.
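
The following is an added example, not code from the original article, showing how an application behind this topology can recover the user's address from X-Forwarded-For without trusting entries the client supplied itself. It assumes that squid appends the address it saw to the header (its default behaviour) and that Apache's TCP peer is the F5 self IP 192.168.1.2 because of SNAT Auto Map; the function names and the addresses 203.0.113.10 and 10.9.9.9 are constructed for illustration.

```python
import ipaddress

# Hops in the article's topology that relay or append to X-Forwarded-For.
TRUSTED_PROXIES = {
    "192.168.1.2",   # F5 internal self IP (source address under SNAT Auto Map)
    "192.168.1.11",  # squid server 1
    "192.168.1.12",  # squid server 2
}

def parse_ip(text):
    """Return a normalized IP string, or None if text is not an IP address."""
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None

def naive_client_ip(peer_ip, xff):
    """Common mistake: trust the left-most entry, which the client controls."""
    first = (xff or "").split(",")[0].strip()
    return first or peer_ip

def real_client_ip(peer_ip, xff):
    """Walk the chain right to left and return the first hop that is not one
    of our own proxies; everything left of it is client-supplied."""
    if parse_ip(peer_ip) not in TRUSTED_PROXIES:
        return peer_ip                 # not from our proxies: ignore the header
    for entry in reversed((xff or "").split(",")):
        ip = parse_ip(entry)
        if ip is None:
            return peer_ip             # empty or malformed: fall back to the peer
        if ip not in TRUSTED_PROXIES:
            return ip
    return peer_ip

# Constructed header as Apache would receive it: the client sent a forged
# "10.9.9.9" and squid appended the address it actually saw (203.0.113.10).
SAMPLE_PEER = "192.168.1.2"
SAMPLE_XFF = "10.9.9.9, 203.0.113.10"

if __name__ == "__main__":
    print("naive :", naive_client_ip(SAMPLE_PEER, SAMPLE_XFF))
    print("robust:", real_client_ip(SAMPLE_PEER, SAMPLE_XFF))
```

The same walk still returns the right address if Insert XForwarded For is also enabled on profile_http, because the squid address the F5 appends is in the trusted set and is skipped.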

   8. Create iRules rules
★Create irules rule demo page: http://blog.s135.com/book/f5/irules_create.htm

  1. Create an iRules rule: irules_apache
On the "Local Traffic → Profiles" page, click the "Create" button:
① Name field: enter irules_apache (use an English name)
② Enter the following rule, which forwards all requests for the host "blog.s135.com" whose URI ends with ".htm" or starts with "/read.php" to the server pool "pool_apache_irules":

    when HTTP_REQUEST {
        # Static pages (.htm) for blog.s135.com go to the second Apache pool
        if { [HTTP::host] equals "blog.s135.com" and [HTTP::uri] ends_with ".htm" } {
            pool pool_apache_irules
        # Requests starting with /read.php go to the same pool
        } elseif { [HTTP::host] equals "blog.s135.com" and [HTTP::uri] starts_with "/read.php" } {
            pool pool_apache_irules
        }
        # Everything else falls through to the virtual server's default pool
    }

   9. Create virtual servers
★Create virtual server demo page: http://blog.s135.com/book/f5/vs_create.htm

  1. Create a squid virtual server in layer-4 load balancing mode: vs_squid
On the "Local Traffic → Virtual Servers" page, click the "Create" button:
(1) General Properties:
① Name field: enter vs_squid (use an English name)
② Destination field: select Host and enter the squid servers' Internet virtual IP (VIP): 61.1.1.3
③ Service Port field: enter 80

(2) Configuration:
① Configuration field: select Advanced (this step is very important: Advanced mode must be selected)
② Type field: select Performance (Layer 4)
③ SNAT Pool field: select None (note: this step is very important; in layer-4 mode, make sure this option is set to None)

(3) Resources:
① Default Pool field: select pool_squid.

Note: The F5's layer-4 load balancing is handled by hardware chips, which can process more traffic without consuming CPU resources. In layer-4 load balancing mode, the default gateway of each real server must point to the F5's internal IP address, that is, 192.168.1.2.

  2. Create an Apache virtual server in layer-7 load balancing mode: vs_apache
On the "Local Traffic → Virtual Servers" page, click the "Create" button:
(1) General Properties:
① Name field: enter vs_apache (use an English name)
② Destination field: select Host and enter the Intranet virtual IP address (VIP) of the Apache servers: 192.168.1.3
③ Service Port field: enter 80

(2) Configuration:
Configuration field: select Advanced (this step is important)
① Type field: select Standard (standard mode, that is, layer-7 load balancing mode)
② HTTP Profile field: select profile_http. (Note: when this item is set to None, iRules rules cannot be used, so you must select a profile. Select the profile_http created in Step 6)
③ SNAT Pool field: select Auto Map (note: this is required in the architecture of this article, for the following reason)
Note: When the squid server "192.168.1.11" has a cache miss, it accesses the virtual IP address "192.168.1.3". If the SNAT pool is left at the default value None, the virtual IP address "192.168.1.3" forwards the request to a back-end Apache server, and the Apache server sees the squid server's real IP address "192.168.1.11" as the source. Because the squid and Apache servers are on the same network segment, the Apache server does not go through the F5 gateway "192.168.1.2" but returns the packet directly to the squid server "192.168.1.11" through the switch. The virtual IP address "192.168.1.3" therefore never receives the response packets, and the HTTP request cannot complete. You need to select Auto Map for address translation so that the back-end Apache server sees the F5's internal network IP address and sends its reply back to the F5.

(3) Resources:
① iRules field: move "irules_apache" from the Available list to the Enabled list.
② Default Pool field: select pool_apache_default.

(4) After the Apache virtual server vs_apache has been created, if you need to modify it, use the following two configuration pages:
★Modify virtual server demo page 1: http://blog.s135.com/book/f5/vs_properties.htm
★Modify virtual server demo page 2: http://blog.s135.com/book/f5/vs_resources.htm
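
The following is an added example, not code from the original article, that models the return path described in the SNAT Auto Map note for vs_apache and checks whether a real server's reply goes back through the F5. The function names and the Internet client address 203.0.113.10 are constructed; the other addresses are the ones used in this article.

```python
import ipaddress

F5_SELF_IP = "192.168.1.2"   # F5 internal self IP, default gateway of the real servers
NETMASK = "255.255.255.0"

def reply_next_hop(server_ip, dst_ip, gateway=F5_SELF_IP, netmask=NETMASK):
    """Next hop a real server uses to answer dst_ip: on-link hosts are reached
    directly through the switch, everything else via the default gateway."""
    subnet = ipaddress.ip_network(f"{server_ip}/{netmask}", strict=False)
    return dst_ip if ipaddress.ip_address(dst_ip) in subnet else gateway

def check_flow(client_ip, server_ip, snat_automap):
    """Model one load-balanced connection and report whether the reply returns
    through the F5, which is required for the client to get an answer from the VIP."""
    # With Auto Map the pool member sees the F5 self IP as the source address;
    # with SNAT Pool = None it sees the original client address.
    seen_src = F5_SELF_IP if snat_automap else client_ip
    hop = reply_next_hop(server_ip, seen_src)
    return {"seen_src": seen_src, "next_hop": hop, "via_f5": hop == F5_SELF_IP}

# Flows from the article; 203.0.113.10 is a constructed Internet client.
FLOWS = [
    ("vs_squid / SNAT None", "203.0.113.10", "192.168.1.11", False),
    ("vs_apache / SNAT None", "192.168.1.11", "192.168.1.21", False),
    ("vs_apache / Auto Map", "192.168.1.11", "192.168.1.21", True),
]

def audit(flows=FLOWS):
    """Return the check result for every flow, keyed by its label."""
    return {name: check_flow(c, s, snat) for name, c, s, snat in flows}

if __name__ == "__main__":
    for name, r in audit().items():
        status = "ok" if r["via_f5"] else "BROKEN: reply bypasses the F5"
        print(f"{name}: server sees {r['seen_src']}, "
              f"replies via {r['next_hop']} -> {status}")
```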

   10. Create a SNAT (secure network address translation) so that the real servers can access the Internet and send e-mail externally
★Create SNAT demo page: http://blog.s135.com/book/f5/snat_create.htm

  1. Create a SNAT: snat_all_server
On the "Local Traffic → SNATs" page, click the "Create" button:
① Name field: enter snat_all_server (use an English name)
② Translation field: select IP Address and enter the SNAT IP address 61.1.1.4 (you can also select Automap to use the F5's own Internet IP address as the SNAT IP address)
③ Origin field: select Address List.
④ Address List field: either select Host in the Type field and enter the Intranet IP address that needs to access the Internet and send e-mail externally, or select Network in the Type field and enter the network segment and subnet mask that need to access the Internet and send e-mail externally.
⑤ VLAN Traffic field: select Enabled on...
⑥ VLAN List field: move "internal" from the Available list to the Selected list.

Note: The default gateway of each real server must point to the F5's internal network IP address, that is, 192.168.1.2, in order to access the Internet through SNAT and send e-mail externally.

   Appendix 1:
F5 BIG-IP LTM configuration manual (Simplified Chinese version)

F5 BIG-IP LTM configuration manual

  Appendix 2:
Some domestic sites that use the F5 BIG-IP as their load balancer:

  
