MohammedNadeem
Mar 01, 2023

Need to create irule

I need to create irule to forward URLs to pools and make HA. There will be 2 servers which will be holding same url as below details: http://10.10.25.x1:98/xyz.asmx http://10.10.25.x2:98/xyz.asmx ...
  • Paulius
    Mar 08, 2023

    MohammedNadeem I would do the following.

    1. On the firewall between the load balancer and the client only allow the ports you want through to the virtual server (VS) IP in order to limit what ports someone can access since the VS will accept traffic on all TCP ports which might not be desired.
    2. Configure your VS to listen on all TCP ports assuming you implemented step 1.
    3. Configure a data group that has the port to pool mapping for each api which is provided below.
    4. Configure an iRule the way it is shown below in order to reduce the amount of line numbers in your iRule.
    5. Create one pool for every API so that you can perform a unique health check per port, providing you flexibility to know which API is up or down as opposed to your option 2 which wouldn't allow for that.

    Internal data-group

    ltm data-group internal CLASS_api_port_map {
        records {
            64 {
                data POOL_name2_TCP64
            }
            67 {
                data POOL_name4_TCP67
            }
            68 {
                data POOL_name3_TCP68
            }
            98 {
                data POOL_name1_TCP98
            }
        }
        type string
    }

    iRule to be created

    when CLIENT_ACCEPTED priority 500 {
    
        # Checks the TCP local port to see if it matches any port listed in the internal data-group
        if { [class match -- [TCP::local_port] equals CLASS_api_port_map] } {
            # Creates a POOL variable to match the value to the port field otherwise you have no other way of matching the two values together
            set POOL_API [class match -value -- [TCP::local_port] equals CLASS_api_port_map]
            pool ${POOL_API}
        } else {
            # Rejects all traffic that doesn't have a matching port in the data-group above
            reject
        }
    
    }

    Again, as the comments outline, this will allow you to have a significant amount of port to pool mappings while keeping the iRule at just a couple lines in order to reduce confusion in the iRule and keep that line count low in order to not have to create an additional iRule if you go over the iRule line limit. You will notice that we create a variable called POOL_API inside the if statement because this is the only way you can match the port number to the appropriate pool. Feel free to adjust the data-group as you see fit because I'm sure you provided redacted names of pools and ports, as well as change the variable names as long as the syntax remains the same.
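
Added example, not part of Paulius's post or of F5's tooling: because the virtual server in this design listens on every TCP port, the firewall allow-list from step 1 and the data-group from step 3 have to stay in agreement. This Python sketch parses the data-group text and reports drift between the two. The function names, `firewall_ports` and `configured_pools` are hypothetical inputs you would fill from your own firewall policy and pool list.

```python
import re

# Constructed sample input: the data-group from the post, as tmsh would list it.
DATA_GROUP = """ltm data-group internal CLASS_api_port_map {
    records {
        64 {
            data POOL_name2_TCP64
        }
        67 {
            data POOL_name4_TCP67
        }
        68 {
            data POOL_name3_TCP68
        }
        98 {
            data POOL_name1_TCP98
        }
    }
    type string
}"""
RECORD = re.compile(r"\b(\d+)\s*\{\s*data\s+(\S+)\s*\}")

def parse_port_map(text):
    """Return {port: pool} from an 'ltm data-group internal' stanza."""
    port_map = {}
    for port, pool in RECORD.findall(text):
        port = int(port)
        if port in port_map or not 1 <= port <= 65535:
            raise ValueError(f"duplicate or invalid port record: {port}")
        port_map[port] = pool
    return port_map

def irule_decision(port_map, local_port):
    """Mirror the iRule: a mapped port selects its pool, anything else is rejected."""
    return port_map.get(local_port, "reject")

def audit(port_map, firewall_ports, configured_pools):
    """Compare the mapping with the firewall allow-list and the configured pools."""
    mapped = set(port_map)
    return {
        "unreachable": sorted(mapped - firewall_ports),        # mapped, blocked upstream
        "rejected_by_irule": sorted(firewall_ports - mapped),  # allowed upstream, no pool
        "missing_pools": sorted(p for p in port_map.values() if p not in configured_pools),
        # Assumes the post's POOL_<name>_TCP<port> naming is intentional.
        "suffix_mismatch": sorted(port for port, pool in port_map.items()
                                  if not pool.endswith(f"_TCP{port}")),
    }
```

An empty list in every field means the firewall, the data-group and the pools agree. Anything under `rejected_by_irule` is a port the firewall exposes that the iRule will only ever reset.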