Aleks_Feltin_32
Nov 14, 2016

VS setup in AWS with public IP (EIP)

I've been following F5's official BIG-IP_Virtual_Edition_Setup_Guide_for_Amazon_EC2.pdf to stand up an LTM VE instance in AWS. My setup is simple, with 3 VPC subnets: Mgmt, Private, Public. The Public subnet has a default route to the internet gateway specified. On the F5, the default gateway for the external interface is the IP of the internet gateway.

I have configured a basic HTTP VIP in auto-map mode and have selected one of the internal IPs allocated to the external interface ENI as the VIP IP. My pool member is the server in the private subnet. It all looks green and works internally in AWS.

I'd like my VIP to be accessible from the internet, and I assigned an EIP to the external interface. When I send traffic to it, I can see it hits the VIP VS, but instead of being returned to the client, it is rejected after a long timeout - in the tcpdump below I can see countless SYNs:

124.169.XX.XX is the customer's IP

10.0.3.154 is the VIP self-IP

Can you please assist with what I am doing wrong here and why no reply is returned to a remote client?

2 Replies

  • Based on the output from tcpdump, the traffic is not matching the virtual server or any other listener. The lis= should have the virtual server name, like this:

    09:25:30.556171 IP 10.0.0.30.14744 > 10.0.0.200.http: . ack 1 win 64240 in slot1/tmm0 lis=/Common/test1

    test1 is the virtual server name.

    You need to check why the traffic is not being handled by the virtual server. Check if the virtual server is listening on the correct VLAN, or change to all VLANs. Also, double-check that the IPs and ports are correct, and the source address in case you have configured this in the virtual server.

  • In AWS, you would assign a private IP to the VS, and then allocate an EIP (Elastic, or Public IP) and assign the private IP to it. It is essentially a NAT function. I don't know of a way to assign the EIP directly to the VS, but there may be one.
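
The lis= check from the first reply, as an added example (not code from this thread or from F5): a small Python parser that counts, per flow, the SYNs that arrive with an empty lis= field, and lists the listeners that did match. The capture lines are constructed except the last, which is the line quoted in the reply; the client address 203.0.113.10 and the assumption that an unmatched packet is printed with an empty lis= are illustrative.

```python
import re
from collections import Counter

# Line shape quoted in the first reply:
# "<time> IP <src>.<port> > <dst>.<port>: <flags> ... in slot1/tmm0 lis=<listener>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:\s]+): (?P<flags>\S+) .*?"
    r"\blis=(?P<lis>\S*)"
)

def unmatched_syns(lines):
    """Count SYNs per (client IP, destination) whose lis= field is empty,
    i.e. packets that reached TMM but matched no virtual server/listener."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a line carrying the lis= annotation
        # Accept both the older "S" and the newer "Flags [S]," tcpdump styles.
        is_syn = m["flags"] == "S" or "Flags [S]," in line
        if is_syn and not m["lis"]:
            client_ip = m["src"].rsplit(".", 1)[0]  # drop the source port
            counts[(client_ip, m["dst"])] += 1
    return counts

def listeners_seen(lines):
    """Return the set of listener names that did match some packet."""
    found = set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["lis"]:
            found.add(m["lis"])
    return found

# Constructed sample: three SYN retransmits to the VIP with no listener,
# followed by the matched-listener line quoted in the reply.
SAMPLE = """\
10:01:00.000001 IP 203.0.113.10.51234 > 10.0.3.154.http: S 100:100(0) win 8192 <mss 1460> in slot1/tmm0 lis=
10:01:03.000002 IP 203.0.113.10.51234 > 10.0.3.154.http: S 100:100(0) win 8192 <mss 1460> in slot1/tmm0 lis=
10:01:09.000003 IP 203.0.113.10.51234 > 10.0.3.154.http: S 100:100(0) win 8192 <mss 1460> in slot1/tmm0 lis=
09:25:30.556171 IP 10.0.0.30.14744 > 10.0.0.200.http: . ack 1 win 64240 in slot1/tmm0 lis=/Common/test1
""".splitlines()

if __name__ == "__main__":
    for (client, dst), n in unmatched_syns(SAMPLE).items():
        print(f"{n} SYN(s) from {client} to {dst} matched no listener")
    print("listeners that matched traffic:", sorted(listeners_seen(SAMPLE)))
```

A flow that shows up only in the unmatched count points at the checks listed in the first reply: the VLANs the virtual server is enabled on, its destination IP and port, and any source address restriction.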