Configuring an F5 Load Balancer for PAS

Page last updated:

Overview

This topic provides information for how to configure an F5 BIG-IP Local Traffic Manager (LTM) as a load balancer for Pivotal Application Service (PAS). It assumes you are familiar with the following concepts:

  • Deploying an F5 physical/virtual appliance
  • F5 UI and F5 Traffic Management Shell (tmsh)
  • Creating admin users on the F5 load balancer
  • Creating F5 self IPs, VLANs, and routes

For guidance on the above topics, see F5’s knowledge base.

Note: You must configure your F5 load balancer before installing PAS.

To use your F5 deployment as a load balancer, you must configure it to forward unencrypted HTTP following the steps below. This procedure assumes that you are running F5 v12.1.2 or v13.0.0.

Procedure

This PAS configuration option forwards unencrypted traffic to the PAS Gorouter. It assumes an external load balancer is configured to forward unencrypted traffic.

F5 config 1

This configuration terminates client SSL at the F5 and forward standard HTTP traffic to the backend Gorouters from the LTM. All TCP backends accept forwarded traffic from the LTM.

  1. In the F5 UI, go to Local Traffic.

  2. Go to iRules and click iRule List.

  3. Create the following rules:

    • Name: cf-xforward-for
      Definition: when HTTP_REQUEST { HTTP::header insert X-Forwarded-For [IP::remote_addr] }
    • Name: cf-xforward-proto-https
      Definition: when HTTP_REQUEST { HTTP::header insert X-Forwarded-Proto "https" }
    • Name: cf-xforward-proto-http
      Definition: when HTTP_REQUEST { HTTP::header insert X-Forwarded-Proto "http" }
  4. Go to System, then File Management, and click SSL Certificate List.

    1. Import your PAS certificate and name it pcf-pas-cert.
    2. Import your PAS certificate key and name it pcf-pas-key.
  5. Go to Local Traffic and click Monitors.

    1. Create a gorouter health monitor and give it the following parameters:
      • Name: gorouter_mon
      • Type: HTTP
      • Send String: GET /health HTTP/1.0\r\n
      • Alias Service Port: 8080
      • Receive String: ok
    2. Create a mysqlproxy health monitor and give it the following parameters:
      • Name: mysqlproxy_mon
      • Type: TCP
      • Alias Service Port: 1936
    3. Create a sshproxy health monitor and give it the following parameters:
      • Name: diegobrain_mon
      • Type: TCP
      • Alias Service Port: 2222
    4. Create a tcprouter health monitor and give it the following parameters:
      • Name: tcprouter_mon
      • Type: HTTP
      • Send String: GET /health
      • Alias Service Port: 80
  6. Create all required nodes:

    1. Go to Local Traffic, then Nodes, and click Node List.
    2. Create the desired number of gorouter nodes, one for each Gorouter in your PAS deployment, and give it the following parameters:
      • Name: gorouter-#
      • Address: [IP-ADDRESS-OF-GOROUTER]
      • State: enabled
      • Health Monitors: Node Default
    3. Create the desired number of mysqlproxy nodes, one for each MySQL Proxy in your PAS deployment, and give it the following parameters:
      • Name: mysqlproxy-#
      • Address: [IP-ADDRESS-OF-MYSQLPROXY]
      • State: enabled
      • Health Monitors: Node Default
    4. Create the desired number of diegobrain nodes, one for each Diego Brain in your PAS deployment, and give it the following parameters:
      • Name: diegobrain-#
      • Address: [IP-ADDRESS-OF-DIEGOBRAIN]
      • State: enabled
      • Health Monitors: Node Default
    5. Create the desired number of tcprouter nodes, one for each TCP Router in your PAS deployment, and give it the following parameters:
      • Name: tcprouter-#
      • Address: [IP-ADDRESS-OF-TCPROUTER]
      • State: enabled
      • Health Monitors: Node Default
  7. Create four member pools:

    1. Go to Local Traffic and click Pools.
    2. Create a gorouter pool and give it the following parameters:
      • Name: gorouter_pool
      • Health Monitors: gorouter_mon
      • Load Balancing Method: Least Connections
      • Add all gorouter-# nodes.
        • Service Port: 80
    3. Create a mysqlproxy pool and give it the following parameters:
      • Name: mysqlproxy_pool
      • Health Monitors: mysqlproxy_mon
      • Load Balancing Method: Least Connections
      • Add all mysqlproxy-# nodes.
        • Service Port: 3306
    4. Create a diegobrain pool and give it the following parameters:
      • Name: diegobrain_pool
      • Health Monitors: diegobrain_mon
      • Load Balancing Method: Least Connections
      • Add all diegobrain-# nodes.
        • Service Port: 2222
    5. Create a tcprouter pool and give it the following parameters:
      • Name: tcprouter_pool
      • Health Monitors: tcprouter_mon
      • Load Balancing Method: Least Connections
      • Add all tcprouter-# nodes.
        • Service Port: */0
  8. Create an SSL client profile.

    1. Go to Local Traffic, then Profiles, then SSL, and click Client.
    2. Create an SSL client profile and give it the following parameters:
      • Name: pcf-ssl-client-certs-profile
      • Parent Profile: clientssl
      • Custom: [TRUE]
      • Add a certificate key chain.
        • Certificate: pcf-pas-cert
        • Key: pcf-pas-key

          Note: Your deployment may require additional root or intermediate certificates. You can select them here. Additionally, you can also enter passphrases for certificates.

  9. Create five LTM virtual servers. Two are required, while three are optional.

    1. Go to Local Traffic, click Virtual Servers, and click Virtual Server List.
    2. (Required) Create a virtual server for HTTPS access to Cloud Foundry API and applications and give it the following parameters:
      • Name: pcf-https
      • Type: Standard
      • Source Address: 0.0.0.0/0
      • Destination Address/Mask: YOUR-PCF-VIP

        Note: This VIP must be DNS-resolvable to your PCF system and default apps domains.

      • Service Port: 443
      • State: Enabled
      • Protocol: TCP
      • Protocol Profile (Client): tcp_lan_optimized
      • Protocol Profile (Server): (Use Client Profile)
      • HTTP Profile: http
      • SSL Profile: pcf-ssl-client-certs-profile
      • VLAN and Tunnel Traffic: Enabled on YOUR-CONFIGURED-F5-VPN
      • Source Address Translation: Auto Map

        Note: This must be set in one-arm configurations.

      • Default Pool: gorouter_pool
      • iRules: cf-xforward-for and cf-xforward-proto-https
    3. (Optional) Create a virtual server for HTTP access to Cloud Foundry applications and give it the following parameters:
      • Name: pcf-http
      • Type: Standard
      • Source Address: 0.0.0.0/0
      • Destination Address/Mask: YOUR-PCF-VIP

        Note: This VIP must be DNS-resolvable to your PCF system and default apps domains.

      • Service Port: 80
      • State: Enabled
      • Protocol: TCP
      • Protocol Profile (Client): tcp_lan_optimized
      • Protocol Profile (Server): (Use Client Profile)
      • HTTP Profile: http
      • SSL Profile: [NONE]
      • VLAN and Tunnel Traffic: Enabled on YOUR-CONFIGURED-F5-VPN
      • Source Address Translation: Auto Map

        Note: This must be set in one-arm configurations.

      • Default Pool: gorouter_pool
      • iRules: cf-xforward-for and cf-xforward-proto-http
    4. (Required) Create a virtual server for mysqlproxy. This virtual server increases internal MySQL availability. Give it the following parameters:
      • Name: pcf-mysqlproxy
      • Type: Standard
      • Source Address: 0.0.0.0/0
      • Destination Address/Mask: YOUR-INTERNAL-MYSQL-PAS-VIP

        Note: This VIP must be DNS-resolvable to the fully qualified domain name (FQDN) entered into your PAS configuration for MySQL Service Hostname.

      • Service Port: 3306
      • State: Enabled
      • Protocol: TCP
      • Protocol Profile (Client): tcp_lan_optimized
      • Protocol Profile (Server): (Use Client Profile)
      • HTTP Profile: [NONE]
      • SSL Profile: [NONE]
      • VLAN and Tunnel Traffic: Enabled on YOUR-CONFIGURED-F5-VPN
      • Source Address Translation: Auto Map

        Note: This must be set in one-arm configurations.

      • Default Pool: mysqlproxy_pool
    5. (Optional) Create a virtual server for sshproxy. This virtual server allows developers to SSH into Diego containers. Give it the following parameters:
      • Name: pcf-sshproxy
      • Type: Standard
      • Source Address: 0.0.0.0/0
      • Destination Address/Mask: YOUR-SSH-PROXY-VIP

        Note: This VIP must be DNS-resolvable to ssh.[YOUR-PCF-PAS-SYSTEM-DOMAIN].

      • Service Port: 2222
      • State: Enabled
      • Protocol: TCP
      • Protocol Profile (Client): tcp_lan_optimized
      • Protocol Profile (Server): (Use Client Profile)
      • HTTP Profile: [NONE]
      • SSL Profile: [NONE]
      • VLAN and Tunnel Traffic: Enabled on YOUR-CONFIGURED-F5-VPN
      • Source Address Translation: Auto Map

        Note: This must be set in one-arm configurations.

      • Default Pool: diegobrain_pool
    6. (Optional) Create a virtual server for tcprouter. This virtual server allows access to Cloud Foundry TCPapplications. Give it the following parameters:
      • Name: pcf-tcprouter
      • Type: Standard
      • Source Address: 0.0.0.0/0
      • Destination Address/Mask: [YOUR-TCP-ROUTER-VIP]

        Note: This VIP must be DNS-resolvable to tcp.[YOUR-CONFIGURED-TCP-DOMAIN].

      • Service Port: */0
      • State: Enabled
      • Protocol: TCP
      • Protocol Profile (Client): tcp_lan_optimized
      • Protocol Profile (Server): (Use Client Profile)
      • HTTP Profile: [NONE]
      • SSL Profile: [NONE]
      • VLAN and Tunnel Traffic: Enabled on YOUR-CONFIGURED-F5-VPN
      • Source Address Translation: Auto Map

        Note: This must be set in one-arm configurations.

      • Default Pool: tcprouter_pool

Once you have completed configuration, check the Network Map located in Local Traffic Menu. Everything should be green.


F5 Single Configuration Files

Single configuration files (SCFs) are single files containing a complete F5 configuration for F5 v11.x and v12.x. This section contains sample SCF files for functional reference configurations. Often, presenting a reference SCF “template” to an F5 administrator can provide all necessary configuration information for configuring PCF F5.

You can create SCFs by using tmsh:

save /sys config file no-passphrase

You can edit SCFs and use them as a template to replicate configurations across multiple F5s by using tmsh:

load /sys config file

For more information, see Overview of Single Configuration Files (11.x - 13.x).

You can see a sample SCF here.

Additional F5 Resources

See Pivotal Services Legacy iRule Bank Git Repo.

Create a pull request or raise an issue on the source for this page in GitHub