How to Upload Config File to F5 Load Balancer

Configuring an F5 Load Balancer for TAS for VMs

• Overview
• Process
• F5 Single Configuration Files
• Additional F5 Resources

Page terminal updated:

This topic provides data for how to configure an F5 Large-IP Local Traffic Director (LTM) as a load balancer for Pivotal Application Service (PAS).

Overview

This topic assumes you are familiar with the post-obit concepts:

• Deploying an F5 physical/virtual appliance
• F5 UI and F5 Traffic Management Beat out (tmsh)
• Creating admin users on the F5 load balancer
• Creating F5 cocky-IPs, VLANs, and routes

For guidance virtually the higher up topics, come across AskF5.

Note: You must configure your F5 load balancer earlier installing PAS.

To utilize your F5 deployment equally a load balancer, you must configure it to forward unencrypted HTTP following the steps below. This process assumes that y'all are running F5 v12.ane.ii or v13.0.0.

Procedure

This PAS configuration option forwards unencrypted traffic to the PAS Gorouter. It assumes an external load balancer is configured to forward unencrypted traffic.

This configuration terminates client SSL at the F5 and frontwards standard HTTP traffic to the backend Gorouters from the LTM. All TCP back ends accept forwarded traffic from the LTM.

1. In the F5 UI, go to Local Traffic.

2. Go to iRules and click iRule Listing.

3. Create the following rules:

   • Name: cf-xforward-for
     Definition: when HTTP_REQUEST { HTTP::header insert X-Forwarded-For [IP::remote_addr] }
   • Name: cf-xforward-proto-https
     Definition: when HTTP_REQUEST { HTTP::header insert X-Forwarded-Proto "https" }
   • Name: cf-xforward-proto-http
     Definition: when HTTP_REQUEST { HTTP::header insert X-Forwarded-Proto "http" }

4. Go to System, then File Management, and click SSL Document List.

   1. Import your PAS certificate and name information technology pcf-pas-cert.
   2. Import your PAS certificate key and proper name it pcf-pas-cardinal.

5. Get to Local Traffic and click Monitors.

   1. Create a gorouter health monitor and requite it the post-obit parameters:
      • Name: gorouter_mon
      • Type: HTTP
      • Send String: GET /health HTTP/1.0\r\n
      • Alias Service Port: 8080
      • Receive String: ok
   2. Create a sshproxy health monitor and requite it the following parameters:
      • Proper noun: diegobrain_mon
      • Type: TCP
      • Alias Service Port: 2222
   3. Create a tcprouter wellness monitor and give it the following parameters:
      • Name: tcprouter_mon
      • Type: HTTP
      • Send Cord: Get /health
      • Alias Service Port: 80

6. Create all required nodes:

   1. Go to Local Traffic, then Nodes, and click Node List.
   2. Create the desired number of gorouter nodes, one for each Gorouter in your PAS deployment, and give information technology the following parameters:
      • Name: gorouter-#
      • Address: [IP-Accost-OF-GOROUTER]
      • State: enabled
      • Wellness Monitors: Node Default
   3. Create the desired number of diegobrain nodes, one for each Diego Encephalon in your PAS deployment, and give it the following parameters:
      • Name: diegobrain-#
      • Address: [IP-Accost-OF-DIEGOBRAIN]
      • State: enabled
      • Health Monitors: Node Default
   4. Create the desired number of tcprouter nodes, ane for each TCP Router in your PAS deployment, and give it the post-obit parameters:
      • Name: tcprouter-#
      • Address: [IP-Address-OF-TCPROUTER]
      • State: enabled
      • Wellness Monitors: Node Default

7. Create three member pools:

   1. Become to Local Traffic and click Pools.
   2. Create a gorouter pool and give it the post-obit parameters:
      • Name: gorouter_pool
      • Wellness Monitors: gorouter_mon
      • Load Balancing Method: Least Connections
      • Add all gorouter-# nodes.
        • Service Port: fourscore
   3. Create a diegobrain pool and requite it the post-obit parameters:
      • Name: diegobrain_pool
      • Health Monitors: diegobrain_mon
      • Load Balancing Method: Least Connections
      • Add all diegobrain-# nodes.
        • Service Port: 2222
   4. Create a tcprouter puddle and give it the following parameters:
      • Name: tcprouter_pool
      • Wellness Monitors: tcprouter_mon
      • Load Balancing Method: Least Connections
      • Add all tcprouter-# nodes.
        • Service Port: */0

8. Create an SSL client profile.

   1. Go to Local Traffic, then Profiles, then SSL, and click Client.
   2. Create an SSL client profile and give it the following parameters:
      • Name: pcf-ssl-client-certs-contour
      • Parent Contour: clientssl
      • Custom: [TRUE]
      • Add a certificate key concatenation.
        • Certificate: pcf-pas-cert
        • Key: pcf-pas-key

          Annotation: Your deployment may crave additional root or intermediate certificates. You can select them here. Additionally, you lot can also enter passphrases for certificates.

9. Create four LTM virtual servers. One is required, while 3 are optional.

   1. Go to Local Traffic, click Virtual Servers, and click Virtual Server Listing.
   2. (Required) Create a virtual server for HTTPS access to Cloud Foundry API and apps and give it the post-obit parameters:
      • Name: pcf-https
      • Type: Standard
      • Source Address: 0.0.0.0/0
      • Destination Address/Mask: YOUR-PCF-VIP

        Notation: This VIP must be DNS-resolvable to your Pivotal Platform system and default apps domains.

      • Service Port: 443
      • Country: Enabled
      • Protocol: TCP
      • Protocol Profile (Client): tcp_lan_optimized
      • Protocol Profile (Server): (Utilise Client Profile)
      • HTTP Profile: http
      • SSL Contour: pcf-ssl-client-certs-contour
      • VLAN and Tunnel Traffic: Enabled on YOUR-CONFIGURED-F5-VPN
      • Source Accost Translation: Auto Map

        Note: This must be set in one-arm configurations.

      • Default Pool: gorouter_pool
      • iRules: cf-xforward-for and cf-xforward-proto-https
   3. (Optional) Create a virtual server for HTTP access to Pivotal Platform apps and give it the post-obit parameters:
      • Name: pcf-http
      • Type: Standard
      • Source Accost: 0.0.0.0/0
      • Destination Address/Mask: YOUR-PCF-VIP

        Note: This VIP must be DNS-resolvable to your Pivotal Platform system and default apps domains.

      • Service Port: eighty
      • State: Enabled
      • Protocol: TCP
      • Protocol Profile (Client): tcp_lan_optimized
      • Protocol Profile (Server): (Use Client Contour)
      • HTTP Profile: http
      • SSL Profile: [NONE]
      • VLAN and Tunnel Traffic: Enabled on YOUR-CONFIGURED-F5-VPN
      • Source Address Translation: Machine Map

        Note: This must exist set in one-arm configurations.

      • Default Pool: gorouter_pool
      • iRules: cf-xforward-for and cf-xforward-proto-http
   4. (Optional) Create a virtual server for sshproxy. This virtual server allows developers to SSH into Diego containers. Give information technology the following parameters:
      • Name: pcf-sshproxy
      • Type: Standard
      • Source Address: 0.0.0.0/0
      • Destination Address/Mask: YOUR-SSH-PROXY-VIP

        Annotation: This VIP must be DNS-resolvable to ssh.[YOUR-PCF-PAS-Organization-DOMAIN].

      • Service Port: 2222
      • Country: Enabled
      • Protocol: TCP
      • Protocol Contour (Client): tcp_lan_optimized
      • Protocol Profile (Server): (Apply Customer Profile)
      • HTTP Profile: [NONE]
      • SSL Profile: [NONE]
      • VLAN and Tunnel Traffic: Enabled on YOUR-CONFIGURED-F5-VPN
      • Source Address Translation: Auto Map

        Note: This must be set up in one-arm configurations.

      • Default Puddle: diegobrain_pool
   5. (Optional) Create a virtual server for tcprouter. This virtual server allows access to Pivotal Platform TCP app. Give it the post-obit parameters:
      • Name: pcf-tcprouter
      • Blazon: Standard
      • Source Address: 0.0.0.0/0
      • Destination Address/Mask: [YOUR-TCP-ROUTER-VIP]

        Notation: This VIP must be DNS-resolvable to tcp.[YOUR-CONFIGURED-TCP-DOMAIN].

      • Service Port: */0
      • Land: Enabled
      • Protocol: TCP
      • Protocol Profile (Client): tcp_lan_optimized
      • Protocol Profile (Server): (Use Client Profile)
      • HTTP Profile: [NONE]
      • SSL Profile: [NONE]
      • VLAN and Tunnel Traffic: Enabled on YOUR-CONFIGURED-F5-VPN
      • Source Address Translation: Car Map

        Notation: This must be set up in i-arm configurations.

      • Default Pool: tcprouter_pool

Once you have completed configuration, check the Network Map located in Local Traffic Menu. Everything should be light-green.

F5 Single Configuration Files

Single configuration files (SCFs) are single files containing a complete F5 configuration for F5 v11.x and v12.10. This section contains sample SCF files for functional reference configurations. Often, presenting a reference SCF "template" to an F5 admin can provide all necessary configuration information for configuring an F5 load balancer for Pivotal Platform.

Yous tin create SCFs by using tmsh Run:

          salvage /sys config file SCF-FILENAME no-passphrase                  

Where SCF-FILENAME is the name of the SCF you lot want to create.

You can likewise edit SCFs and utilize them equally a template to replicate configurations across multiple F5s by using tmsh. Run:

          load /sys config file SCF-FILENAME                  

Where SCF-FILENAME is the name of the SCF you want to edit.

For more information, see Overview of Single Configuration Files (xi.x - 13.ten).

For a sample SCF, see pcf-f5-recipe1-scf.txt in the PCF F5 Cookbook repository on GitHub.

Boosted F5 Resources

For information virtually F5 iRules that may be useful when configuring an F5 load balancer for PAS, encounter the Pivotal CF iRules For F5 repository on GitHub.

hernandezentes1943.blogspot.com

Source: https://docs.pivotal.io/application-service/2-7/operating/f5-lb.html

Share this post