Forum Discussion

NickR789_355085
Mar 26, 2019

Multiple VIPs or Multiple SSL profiles for sites on same nodes?

Hi

No problem really, just would like to know which is considered 'best practice' or the most efficient way of deploying multiple VIPs which target the same 2 nodes.

Scenario: We have over 20 sites, each has a dedicated pair of VIPs, one for port 80 which has an iRule forwarding to the port 443 VIP. Each 443 VIP has its own SSL client profile containing one site-specific SSL cert to terminate SSL connections. Then there is a dedicated pool for each VIP. However, all of the above point to just 2 web servers, so each pool for each VIP points to the same 2 web servers.

All of these sites are public facing as well, so IP address usage is duplicated as well. This obviously is not very efficient for the use of IP addresses and also creates administrative overheads for firewall maintenance whereby bespoke NAT rules are required for each public IP and VIP IP address.

I'd like to know if this is recommended configuration, or if something else would be better? Perhaps something like having 1 VIP using 1 IP (and thus 1 public IP NATted to it), then a pool for each site (with site-specific health monitors) going to the 2 web server nodes. On this single VIP, you could then have a single SSL profile containing all certs for the sites, or multiple SSL profiles, 1 profile per site. Then we could use a single iRule to direct traffic based on the HTTP request?

Would a configuration such as the above be resource intensive for the BIG-IPs? Would it result in slower web site speed as a result of a potential increase in processing requirements? Can you think of any other pros/cons of such a deployment?

Many thanks

1 Reply

  • I see the configuration you describe very regularly in Production.

    A single VIP with multiple client SSL profiles leveraging SNI, and an iRule/local traffic policy forwarding traffic to different pools based on the HTTP Host header in the request.

    I have not seen any noticeable issues with a deployment such as this. I think one thing to be potentially aware of is source port exhaustion if you have SNAT automap enabled and a minimal number of self IPs (you can create additional self IPs / use a SNAT pool to overcome this issue). The other complexity that may arise is if you have sites that require different SSL termination methods (e.g. 1 site needs SSL offload while another needs SSL bridging).
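The single-VIP design that the question proposes and the reply confirms (per-site client SSL profiles selected by SNI, plus routing to a per-site pool from the HTTP Host header) is easiest to see as the iRule that would sit on the 443 virtual server. The iRule below is an added example written for this page, not code from the original thread or from F5; the pool names and host names are assumptions and would be replaced with the real ones.

```tcl
# Added example iRule for the consolidated HTTPS virtual server (not from the
# original post). Assumes pools named pool_site1_https and pool_site2_https
# exist and that each site already has its own client SSL profile with
# server-name set to the site FQDN so SNI picks the right certificate.
when HTTP_REQUEST {
    # Normalize the Host header before matching: lowercase it and drop any
    # ":port" suffix, so "WWW.Site1.Example:443" routes the same as
    # "www.site1.example". Missing or unknown names fall to "default".
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    switch -- $host {
        "www.site1.example" -
        "site1.example" {
            pool pool_site1_https
        }
        "www.site2.example" {
            pool pool_site2_https
        }
        default {
            # No catch-all pool: a request for a name this VIP does not serve
            # (wrong DNS entry, a scan of the shared public IP, a stale vhost)
            # is logged and answered 421 instead of landing on some other site.
            log local0. "Unmatched Host header '[HTTP::host]' from [IP::client_addr]"
            HTTP::respond 421 content "Misdirected Request" "Content-Type" "text/plain"
        }
    }
}
```

Two points worth checking when this replaces 20 separate VIPs. First, the list of names in the `switch` should match the `server-name` values on the client SSL profiles attached to the VIP (with exactly one profile marked `sni-default`), otherwise a client can complete the handshake under one site's certificate and be routed by a different Host header; keeping the two lists in step is a configuration review item, and the 421 branch makes any drift visible in the logs. Second, the port 80 VIP keeps its own one-line redirect iRule (`HTTP::redirect "https://[HTTP::host][HTTP::uri]"`), so the Host header is preserved across the redirect and the same routing applies after the TLS handshake.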