connect to cloudflare or cloud ec2 via SSLO
Hi everyone, I need your help. I'm having trouble connecting to Cloudflare or a cloud EC2 instance via SSLO. The connection keeps failing due to SSL issues. I think it might work if I add the CA list of Cloudflare or the cloud provider, but I'm not sure if this is correct. Could it be that the "Full Strict Mode" or mtls configuration on these servers is causing the problem? Please let me know if you have any insights on this. Thank you.
GCP F5 deployment - Active -Active with config Sync
i want to deploy F5s in different Zones in GCP . reading the below Document . i want to deploy 2 F5s in 2 Zones . https://clouddocs.f5.com/cloud/public/v1/google/Google_configsync.html both F5s are behind the Google loadbalancer. Question - how will config Sync work . meaning will both F5s have the same virtual server ip address ? where can i download a template to configure the 2 F5s in Config Sync deployment.Active/Active load balancing examples with F5 BIG-IP and Azure load balancer
Background A couple years ago Iwrote an article about some practical considerations using Azure Load Balancer. Over time it's been used by customers, so I thought to add a further article that specifically discusses Active/Active load balancing options. I'll use Azure's standard load balancer as an example, but you can apply this to other cloud providers. In fact, the customer I helped most recently with this very question was running in Google Cloud. This article focuses on using standard TCP load balancers in the cloud. Why Active/Active? Most customers run 2x BIG-IP's in an Active/Standby cluster on-premises, and it's extremely common to do the same in public cloud. Since simplicity and supportability are key to successful migration projects, often it's best to stick with architectures you know and can support. However, if you are confident in your cloud engineering skills or if you want more than 2x BIG-IP's processing traffic, you may consider running them all Active. Of course, if your totalthroughput for N number of BIG-IP's exceeds the throughput thatN-1 can support, the loss of a single VM will leave you with more traffic than the remaining device(s) can handle. I recommend choosing Active/Active only if you're confident in your purpose and skillset. Let's define Active/Active Sometimes this term is used with ambiguity. I'll cover three approaches using Azure load balancer, each slightly different: multiple standalone devices Sync-Only group using Traffic Group None Sync-Failover group using Traffic Group None Each of these will use a standard TCP cloud load balancer. This article does not cover other ways to run multiple Active devices, which I've outlined at the end for completeness. Multiple standalone appliances This is a straightforward approach and an ideal target for cloud architectures. When multiple devices each receive and process traffic independently, the overhead work of disaggregating traffic to spread between the devices can be done by other solutions, like a cloud load balancer. (Other out-of-scope solutions could be ECMP, BGP, DNS load balancing, or gateway load balancers). Scaling out horizontally can be a matter of simple automation and there is no cluster configuration to maintain. The only limit to the number of BIG-IP's will be any limits of the cloud load balancer. The main disadvantage to this approach is the fear of misconfiguration by human operators. Often a customer is not confident that they can configure two separate devices consistently over time. This is why automation for configuration management is ideal. In the real world, it's also a reason customers consider our next approach. Clustering with a sync-only group A Sync-Only device group allows us to sync some configuration data between devices, but not fail over configuration objects in floating traffic groups between devices, as we would in a Sync-Failover group. With this approach, we can sync traffic objects between devices, assign them to Traffic Group None, and both devices will be considered Active. Both devices will process traffic, but changes only need to be made to a single device in the group. In the example pictured above: The 2x BIG-IP devices are in a Sync-Only group called syncGroup /Common partition isnotsynced between devices /app1 partition issynced between devices the /app1 partition has Traffic Group None selected the /app1 partition has the Sync-Only group syncGroup selected Both devices are Active and will process traffic received on Traffic Group None The disadvantage to this approach is that you can create an invalid configuration by referring to objects that are not synced. For example, if Nodes are created in/Common, they will exist on the device on which they were created, but not on other devices. If a Pool in /app1 then references Nodes from /Common, the resulting configuration will be invalid for devices that do not have these Nodes configured. Another consideration is that an operator must use and understand partitions. These are simple and should be embraced. However, not all customers understand the use of partitions and many prefer to use /Common only, if possible. The big advantage here is that changes only need to be made on a single device, and they will be replicated to other devices (up to 32 devices in a Sync-Only group). The risk of inconsistent configuration due to human error is reduced. Each device has a small green "Active" icon in the top left hand of the console, reminding operators that each device is Active and will process incoming traffic onTraffic Group None. Failover clustering using Traffic Group None Our third approach is very similar to our second approach. However, instead of a Sync-Only group, we will use a Sync-Failover group. A Sync-Failover group will sync all traffic objects in the default /Common partition, allowing us to keep all traffic objects in the default partition and avoid the use of additional partitions. This creates a traditional Active/Standby pair for a failover traffic group, and a Standby device will not respond to data plane traffic. So how do we make this Active/Active? When we create our VIPs in Traffic Group None, all devices will process traffic received on these Virtual Servers. One device will show "Active" and the other "Standby" in their console, but this is only the status for the floating traffic group. We don't need to use the floating traffic group, and by using Traffic Group None we have an Active/Active configuration in terms of traffic flow. The advantage here is similar to the previous example: human operators only need to configure objects in a single device, and all changes are synced between device group members (up to 8 in a Sync-Failover group). Another advantage is that you can use the/Common partition, which was not possible with the previous example. The main disadvantage here is that the console will show the word "Active" and "Standby" on devices, and this can confuse an operator that is familiar only with Active/Standby clusters using traffic groups for failover. While this third approach is a very legitimate approach and technically sound, it's worth considering if your daily operations and support teams have the knowledge to support this. Other considerations Source NAT (SNAT) It is almost always a requirement that you SNAT traffic when using Active/Active architecture, and this especially applies to the public cloud, where our options for other networking tricks are limited. If you have a requirement to see true source IPandneed to use multiple devices in Active/Active fashion, consider using Azure or AWS Gateway Load Balancer options. Alternative solutions like NGINX and F5 Distributed Cloud may also be worth considering in high-value, hard-requirement situations. Alternatives to a cloud load balancer This article is not referring to F5 with Azure Gateway Load Balancer, or to F5 with AWS Gateway Load Balancer. Those gateway load balancer solutions are another way for customers to run appliances as multiple standalone devices in the cloud. However, they typically requirerouting, not proxying the traffic (ie, they don't allow destination NAT, which many customers intend with BIG-IP). This article is also not referring to other ways you might achieve Active/Active architectures, such as DNS-based high availability, or using routing protocols, like BGP or ECMP. Note that using multiple traffic groups to achieve Active/Active BIG-IP's - the traditional approach on-prem or in private cloud - is not practical in public cloud, as briefly outlined below. Failover of traffic groups with Cloud Failover Extension (CFE) One option for Active/Standby high availability of BIG-IP is to use the CFE , which can programmatically update IP addresses and routes in Azure at time of device failure. Since CFE does not support Active/Active scenarios, it is appropriate only for failover of a single traffic group (ie., Active/Standby). Conclusion Thanks for reading! In general I see that Active/Standby solutions work for many customers, but if you are confident in your skills and have a need for Active/Active F5 BIG-IP devices in the cloud, please reach out if you'd like me to walk you through these options and explore any other possibilities. Related articles Practical Considerations using F5 BIG-IP and Azure Load Balancer Deploying F5 BIG-IP with Azure Cross-Region Load Balancer
F5 not sending traffic to Web pool
Hello All, I am having issues with a new configured F5 big-IP that everything works fine as follows. traffic from the client is coming to the firewall which is then natted to the private network. (works) the Load balancer ( Virtual server) IP is accessible and request is sent to the virtual server. and from the big ip to the pool is not sent. connection between the F5 to the pool is fine and vice versa and pool and nodes are available (green). connection between web-server and F5 is through Https (443). configuration F5 as follows: F5 Virtual IP : 192.168.1.41 self IP: int 1 : 10.10.10.14 self IP int 2 : 192.168.1.41 web server pool : 10.10.10.X range with class c subnet. SSL is configured between the client to F5 as clientssl and between the server and F5 as serverssl. source address translation is automap. I am having trouble why it doesn't work and is trying to find out the problem.
Access azure app service using f5 LTM
Hi Everyone, As per the customer requirement , we are conducting a poc to integrate Azure App Services into F5 LTM. The main objective is to access URLs using F5 as the backend for the web app. flow: with app gateway User>Internet>dns> Azure LB>Azure web app(backend) >webpage In the current scenario, we have an Azure App Gateway configured with Azure Web App as the backend. In the Azure DNS zone, we've created an A record with the public IP of the app gateway and a CNAME record for "abc.com," pointing towards the A record's alias name. and it is working fine. flow: with f5 user>internet>dns>Azure external LB>F5 (backend)> pools >node "fqdn "abcd.com" xx.xx.xx.xx And we want to achieve the same using F5 LTM. Here, we have an Azure Load Balancer with F5 configured as the backend pool. In F5, we created the pools. In the DNS zone, we created an A record with the public IP of the Azure Load Balancer and a CNAME, for example, 'abcd.com,' pointing towards the A record's alias name. We created a pool and node with the FQDN. However, when accessing, we're encountering a 404 error. If someone has done this before or has any suggestions, they would be highly helpful for me. here azure lb is working as a frontend and f5 as backend thanks Krutibasa
rewrite Azure AD response for portal access via web portal
Hi All, I have a web portal where access to it is done via SAML authentication with AzureAD. I have a portal access called VIP_Maintenance configured on this we portal, the APP VIP_Maintenance is a web site on this web server (mywebserver.xyz.com) which also configured for SAML authentication. This web server hosts multiple web sites, so the one for VIP_Maintenance is (mywebserver.xyz.intra/azure). Other resource is /signin-wsfederation, this is where I should land after the successful authentication with Microsoft. So when I try to access to the web portal using my user name and password, F5 sends the request to AzureAD and I receive a code on my cell phone which I enter and access is granted. Now when I click on the portal access icon (VIP_maintenance), the web portal rewrites the request to this: https://web-portal-azuread.viarail.ca/f5-w-68747470733a2f2f7669706d6e74632e746573742e696e747261$$/azure then I see my browser communicating with Microsoftonline for authentication and I see the reply from AzureAD like this: https://login.microsoftonline.com/007eae9f-b0c2-4137-a710-16d67a6568a1/wsfed?wtrealm=https%3A%2F%2Fvipmntc.test.intra%2F&wctx=WsFedOwinState%3DaQm7wom_iiDcspTp4F75-SNiAH6ulYFzgGdxezLukSK9-twIS0gTcgMY7dprTnf7OmROGo1XmkiLAbaVs4L8ISgubrF5FaUtbeIdn7ywnn0JvUYlwclAR1V3GwiWN9VkfNE5hThiW2bzM1tV1arZ6IahGZgjBiVVLSCn2BzTdFdu73Ck709An2sk1IVDfV-26FbvGHbUJyYjK-fnc5iiCw&wa=wsignin1.0&wreply=https%3A%2F%2Fvipmntc.test.intra%2Fsignin-wsfederation right after, the url changes to this: https:// mywebserver.xyz.intra/signin-wsfederation, and I get an error this this page cannot be reached which is understood as mywebserver.xyz.intra is not exposed to internet. Now, what I need to do is to make F5 rewrite the response from Microsoft in to this url: https://web-portal-azuread.viarail.ca/f5-w-68747470733a2f2f7669706d6e74632e746573742e696e747261$$/ signin-wsfederation , instead of https:// mywebserver.xyz.intra/signin-wsfederation. Any Idea how I can achieve that? Your help is highly appreciated. regards,
