We’ve recently refreshed our F5 equipment and have decided to use F5’s version of virtualization, called vCMP or virtual clustered multiprocessing. The nice thing about the technology is that we can split our F5s for different sites, or different business units, so we can perform maintenance on one virtual F5 while the sites on the other virtual instances aren’t affected. Let’s discuss some of the F5 vCMP Concepts.
In the last post, we set up a basic configuration, but didn’t do much in the way of optimizing how it works. Today, we’ll look at F5 BIG-IP profiles. Profiles are a way to modify the behavior of the BIG-IP virtual server, for example, adding SSL or inserting X-Forwarded-For headers into the web logs.
This is a question I get all the time… What is a WAF? Since I maintain our WAF for my job, I usually need to educate and convince co-workers, management, and application owners about why and how we should deploy our WAF. Let’s start with the objections I usually run into, and why you still should have a WAF, and then dig a bit deeper into what a WAF is really doing.
Myth 1: I have a firewall, I don’t need a WAF!
In the VIP we created in the basic load balancing virtual, we used the default TCP F5 BIG-IP health monitor. Although it’s not terrible, it’s not really a great monitor. The same applies to the default HTTP monitor. Take a look below at the configuration of the default:
Now that we have the basic ADC setup, we need to actually allow traffic to connect via the BIG-IP to the web application. We’ll do this by creating an F5 Virtual Server. There are a few things we need to build, and F5 has some great training at https://university.f5.com/ that explains the details, but for now, we can just build the relevant pieces and go from there.
As part of my series of posts related to the infrastructure behind websites, this post will show how to deploy an F5 VE in ESXi. Here’s a high-level overview of the steps:
- Download the template from https://downloads.f5.com/
- Deploy to your hypervisor (ESXi in this case)
- Boot Virtual Machine
- Configure management networking
- Install License
- Set up Basic Networking
- Lock down and customize
Working with technology, one of the most important things that any website can have is availability. A beautiful layout with great content doesn’t mean a thing if you can’t access it! There are a lot of ways you can accomplish this, such as using round robin DNS or having disaster recovery sites, but what I’d like to focus on today is utilizing an application delivery controller (ADC) to load balance two different web servers. My preferred ADC is F5’s Local Traffic Manager (LTM). There are a lot of technical reasons, but first for me is that it’s the leader in market share, which has been a big boost in my professional career.
Looking into deploying F5 vCMP? First, take a look at my blog post on starting out with F5 vCMP concepts and then go through my step by step guide on F5 vCMP. You probably understand virtualization technology. F5’s version isn’t any different. The device is basically running a custom version of Linux KVM, with a bunch of custom drivers to enable things like hardware SSL acceleration for the vCMP guests.
Second, take a look at the configuration and implementation guide for F5 vCMP on their support page here. Their guides contain a lot more detail and are obviously the best place to get F5’s recommendation.
Third, take time to plan your F5 vCMP environment. Prepare how much CPU and memory resources each F5 vCMP guest will need. I’ve found that people tend to underestimate the resources F5 vCMP requires. They under-allocate their guests, and then need to beef them up down the road. If you have the extra resources on the host, it won’t be a big deal, just a reboot of the guest. If you don’t have the resources, you’ll need to migrate the guest to another host, or buy another host. Also, it’s an expensive waste of resources to have one or two vCPUs not used on the host, so plan appropriately and plan early!
The minimum size guest is going to have a single vCPU. Remember though, a vCPU is a hyperthread, which is only half of a CPU core. An F5 needs a lot of processing power, and unless you’re doing just about nothing on your guest, a single hyperthread is not going to be enough. Also, it means that you’re sharing your management plane activities with your traffic plane on that single hyperthread. Expect to have a very slow GUI when you have any decent amount of traffic going through the device.
Fourth, leave a comment, or contact us if you’d like to get some help specific to your environment!
Need help installing an F5 BIG-IP Hotfix? Looking for resources for the F5 hotfix process? You’ve found the right place. From time to time, F5 changes their software versioning, and as of 2018, there are no longer hotfixes. Each new version has a full ISO to install. I’d expect this to change somewhat in the future as they tend to go back and forth often with various things.
In any case, for when they return, I’ll keep this page up.
First, take a look at my blog post on the F5 install hotfix process.
Second, when downloading the hotfix file, make sure to take a look at the release notes for the hotfix you’re installing at F5 Downloads.
Third, consider opening a case with F5 and creating a qkview to speed up the resolution of any issues you have during the process.
Fourth, leave a comment or contact us if you’d like some help with installing an F5 BIG-IP hotfix or new version in your environment.