Friday, 26 July 2019

Working of a virtual server

Virtual Server:

A virtual server is made up of a virtual IP address and a service port that the BIG-IP system listens on and receives traffic on.
(or)

An F5 virtual server is the representation of multiple servers to the user as a single server.

For a standard virtual server listening on a specific port using the TCP protocol, the traffic usually flows in the following manner:

1. A client wishing to access the application establishes a connection to the virtual server IP address (typically provided via DNS resolution).

2. If the incoming request (a SYN packet) matches the IP address and service (port) of a virtual server, the BIG-IP system permits the packet and processes it.

3. Since the BIG-IP system uses a full proxy architecture, it completes the three-way handshake and establishes a TCP connection with the client.

4. Once the TCP connection is established and the client has sent an application request, the virtual server load balances it to a particular pool member, chosen by the configured load balancing algorithm.

5. Again, since the BIG-IP system uses a full proxy architecture, a new TCP connection is established between the BIG-IP and the pool member on the service (port) that the pool member is listening on.

6. Once that connection is established, the BIG-IP system creates its own application request containing the same payload as the client's and sends it to the pool member. This is because the client-side and server-side connections are completely separate.


The example below displays TCP connection setup for a Virtual server with Layer 7 functionality.


The client sends a SYN request to the LTM virtual server.
The LTM sends back a SYN-ACK TCP segment.
The client responds with an ACK to acknowledge receiving the SYN-ACK.

The client sends an HTTP GET request to the LTM.
The LTM sends an ACK to acknowledge receiving the GET request.

The LTM sends a SYN request to the pool member.
The pool member sends a SYN-ACK to the LTM.
The LTM sends an ACK packet to acknowledge receiving the SYN-ACK.
The LTM forwards the HTTP GET request to the pool member.


F5 Virtual Server configuration:



Configure F5 Node
As with many network devices, we need to prepare the configuration from the bottom up. Since the virtual server points to the pool, which then contains the node, we need to start from the node. After all, the node is the only component that we can create without having to create other components first.
First, log in to your F5 appliance web interface with your credentials. Then, navigate to Local Traffic > Nodes > Node List. Here you can see all the nodes you have. Of course, in case of a fresh install, you will see none like we do. On this page, click on Create… in the top-right corner.
Click on the top-right button to create a new node.
At this point, we need to give our node a name we can remember, and optionally a description. Then, we need to indicate the address of the device providing this service (in our case webserver-1 and webserver-2), and optionally health monitors. With health monitors, F5 will monitor the health of the node, and will send requests to this node only if the health check is positive.

Configuration of node #1.
Note that if you don’t set the Health Monitors option to Node Specific, the Select Monitors field will not appear. Once it does appear, use the arrow to move the monitors you need from the Available box to the Active box. In this case, we simply ping the server (ICMP).
Once you are good with the configuration, click Finished to confirm or return to the list. In our case, we click on Repeat to confirm the configuration and add a new node. Configure the second server in the same way.
Seeing our nodes
Once you finish the configuration of nodes, you will see them in the list as active (green circle). This is because our ICMP health monitor is telling the F5 device that the servers respond.
Our new nodes are active in the list.

Configure the pool

Configuring the pool is probably the simplest step of the three. Go to Local Traffic > Pools > Pool List, and then use the Create… button on the top-right, just like you did for nodes.
Here, you will need to give your pool a name and select the health monitors you want to use. Why do you need to do that, if we configured them on the nodes as well? In reality, a server can offer multiple services, like HTTP, HTTPS, or FTP. In the node part, we simply monitored that the server was running. Instead, here we monitor that our servers are actually accepting HTTP connections. Thus, select HTTP (or the service you are configuring).
For this lab, we will leave the load balancing method as Round Robin. This means that requests will be equally distributed across servers: one to server 1, the following to server 2, then back to server 1 and so on.
Finally, you need to select the nodes that will join this pool. Check Node List, select each server, and configure the port the actual server is listening on. In our case, they are both listening on port 80, the standard for HTTP. After that click Add, and repeat for the other server.
Pool configuration example (webserver-2 is yet to be added).
Once you prepare the configuration you need, click Finished. The new pool will appear in the list, like nodes did. If you later need to edit the members of the pool, click on the pool in the list and then navigate to the Members tab.

Configure F5 Virtual Server

And now we are at the core of our tutorial. The configuration of the F5 Virtual Server might be the scariest one, but we will see exactly how to make it work. To create a new F5 virtual server, the process is the same as for nodes and pools. Navigate to Local Traffic > Virtual Servers > Virtual Servers List, then click Create… in the top-right corner.
Since the configuration here has several parts, we will see each part individually.
General Properties
Here we start with a name for our F5 web server. Then, we can provide a Source Address: the addresses that can make requests to this virtual server. If you leave it empty, F5 will fill it with 0.0.0.0/0, which means anyone can make requests to our virtual server. This is what we want.
Instead, the important address is the Destination Address/Mask. This is the actual IP address the virtual server will have. If you don’t want to mess with routes, use an address in a network the appliance has a NIC in. You can omit the mask in the case of a single address.
Finally, the service port: which port to expose to the users. In the end, the configuration of this part will look like the one below.

F5 Virtual Server General Properties
Configuration
When preparing the configuration, keep it basic. Since we are simply working with HTTP, you can leave the SSL Profile part untouched. However, there is a field that you absolutely need to modify. I am talking about the last one, Source Address Translation, which you should set to Auto Map.
By doing so, the F5 will contact the web server using its own IP address, instead of the address of the user. This is important to avoid the server replying directly to the user. In fact, in our case servers can’t even reach the user, so it is mandatory.

F5 Virtual Server Basic Configuration
With Auto Map, the F5 will use its own IP address on the exit interface. In complex and production environments, you may want to dedicate a set of IP addresses for source address translation. This enables better connection management, and you don’t risk running out of ports. You can do that with a SNAT pool, but that’s for another article.
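The traffic flow in steps 1 to 6 and the effect of Auto Map, as a loopback sketch in Python (an added example, not F5 code and not part of the original post). The names pool_member, virtual_server and run_demo are hypothetical, WS1 and WS2 stand in for the two web servers, and each returned row pairs the address the pool member saw with the proxy's own server-side socket address.

```python
import itertools, socket, socketserver, threading

def start(handler):
    """Serve `handler` on an ephemeral loopback port in a daemon thread."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def pool_member(name):
    """Stand-in web server: answers with its name and the peer it sees."""
    class Member(socketserver.BaseRequestHandler):
        def handle(self):
            self.request.recv(4096)
            self.request.sendall("{} {}:{}".format(name, *self.client_address).encode())
    return start(Member)

def virtual_server(pool, log):
    """Full proxy: the client handshake is complete before handle() runs; a member is
    picked (round robin) after the request arrives, then a second connection opens."""
    members, lock = itertools.cycle(pool), threading.Lock()
    class Virtual(socketserver.BaseRequestHandler):
        def handle(self):
            request = self.request.recv(4096)        # client-side connection
            with lock:
                member = next(members)
            with socket.create_connection(member) as server_side:  # server-side connection
                log.append((self.client_address, server_side.getsockname()))
                server_side.sendall(request)         # same payload, new connection
                self.request.sendall(server_side.recv(4096))
    return start(Virtual)

def run_demo(requests=4):
    """Return rows of (member, "ip:port" the member saw, client addr, proxy source addr)."""
    log, rows = [], []
    ws = [pool_member("WS1"), pool_member("WS2")]
    vs = virtual_server([m.server_address for m in ws], log)
    for _ in range(requests):
        with socket.create_connection(vs.server_address) as client:
            client.sendall(b"GET / HTTP/1.0\r\n\r\n")   # constructed sample request
            name, saw = client.recv(4096).decode().split()
        rows.append((name, saw) + log[-1])
    for srv in ws + [vs]:
        srv.shutdown()
        srv.server_close()
    return rows

if __name__ == "__main__":
    print(*run_demo(), sep="\n")
```

Because the member only ever sees the proxy's source address, its access logs record the load balancer rather than the real client, which matters when those logs are used for investigation or IP-based controls.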
Content Rewrite & Acceleration
For simple deployments, we don’t need to do anything here. Leave untouched both sections and directly move to Resources.
Resources
Here we tell F5 what’s behind this F5 Virtual Server. You guessed it, the pool we configured previously. Simply select the pool from the Default Pool drop-down, and you are good to go.

Configure F5 Virtual Server Resources.
And with this, you can click Finished and effectively create your F5 Virtual Server. Now we just need to test it.

Testing your F5 Virtual Server

To test your virtual server, navigate to the address you gave it from a machine that can access it. In our case, it is our Lubuntu Workstation inside VMware. Then, hit Ctrl+F5 a few times. You will see the two messages alternating in sequence.

F5 Virtual Server working, page served by secondary web server.
Instead, the page from the primary web server will be green, and will tell that WS1 is doing the job.

Happy Reading...............................







