
nov1ce_120072
Feb 05, 2013

https load balancing with active/standby pair setup

Hello,

Sorry for the dumb question.

I have a pair of BIG-IP appliances and want to configure https load balancing.

BIG-IP-1: 10.10.10.2

BIG-IP-2: 10.10.10.3

Cluster BIG-IP: 10.10.10.1

Destination https web server: 10.10.10.5

Question 1: in terms of DNS, is it correct that the DNS name of the web server (say secure.website.com) should point to 10.10.10.1?

Question 2: when I deploy an SSL certificate on BIG-IP appliances, should it be bound to 10.10.10.1 (secure.website.com) as well?

Thank you.


7 Replies

  • Hey. It's not a stupid question. Assuming the Virtual Server is listening on 10.10.10.5;

    The DNS should point to whatever IP you are using for the Virtual Server. The SSL certificate is applied via a profile to the Virtual Server (it's not directly tied to an IP address).

    You would not use the Self/Cluster IP for DNS. The Self/Cluster IP would be what you route the VS range/network to from surrounding devices (if necessary) and is simply the device's L3 'leg' in that subnet. Note that the VS range you use doesn't have to actually exist and the F5 doesn't need to have an L3 interface in that subnet; as long as you route the network to the F5, it'll handle it.
  • Hamish

    Q1. No. The site name MUST resolve to the IP of the Virtual Server.

    Q2. The CN (Common Name) of the cert MUST be the FQDN of the DNS entry that resolves to the Virtual Server IP. (I'm ignoring things like alternate names & wildcards deliberately here to make it easier).

    So you need to create a virtual server (VS) that has a separate IP from any of the others and place your actual web servers into a pool that is used by the virtual server.

    H
  • Hamish

    Note that although I'm usually a fan of this, doing it this way means it's harder in v11 to run active/active with multiple traffic-groups, unless you dedicate a whole subnet to each TG and set the routing on your upstream routers appropriately.

    H
  • Good point, I'll keep that in mind. Just to help my own understanding I've now added to the diagram accordingly. Thanks.
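
The name check from Q2 above, as an added example that is not from any poster in this thread: it tests whether a certificate covers the FQDN that resolves to the Virtual Server, and goes beyond the CN-only case by also handling the alternate names and wildcards set aside in that reply. The sample certificates are constructed, in the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`; the function names are illustrative.

```python
# Added example. Sample certificates are constructed for illustration and use
# the dict layout returned by ssl.SSLSocket.getpeercert().

def name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name with a host name, case-insensitively.

    '*' is honoured only as the complete left-most label and stands for
    exactly one label, so *.website.com matches secure.website.com but not
    website.com or a.secure.website.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Reject over-broad wildcards such as *.com (fewer than three labels).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_names(cert: dict) -> list:
    """Names a client checks: SAN dNSName entries when present; the subject
    CN is consulted only when the certificate has no DNS SAN at all."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def cert_covers(cert: dict, fqdn: str) -> bool:
    """True if the certificate is valid for the FQDN clients will connect to."""
    return any(name_matches(n, fqdn) for n in cert_names(cert))


# Constructed samples: the FQDN is the one used in the question.
CN_ONLY = {"subject": ((("commonName", "secure.website.com"),),)}
SAN_OTHER = {"subject": ((("commonName", "secure.website.com"),),),
             "subjectAltName": (("DNS", "www.website.com"),)}
WILDCARD = {"subject": ((("commonName", "website.com"),),),
            "subjectAltName": (("DNS", "*.website.com"),)}

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("SAN mismatch", SAN_OTHER),
                        ("wildcard SAN", WILDCARD)):
        print(label, cert_covers(cert, "secure.website.com"))
```

The `SAN_OTHER` case is the one that catches people out: the CN is correct, but because a DNS SAN is present the CN is no longer consulted, so the certificate does not cover the site name.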