Example: Configuring an F5 load balancer

With the F5 load balancer, network traffic is decrypted to the backend pool resulting in an improved performance. If you are using an F5 load balancer, configure it after you deploy BMC Helix Operations Management.

Important

This topic is to be used as an example only. Do not use this topic as a reference for the required configuration.

Before you configure an F5 load balancer, ensure the following:

  • The following URLs point to the load balancer:
    • Tenant URL
    • LB_HOST
    • TMS_LB_HOST
    • MINIO_LB_HOST
  • The load balancer is configured with the following headers:

    X-Forwarded-Host , X-Forwarded-proto , X-Forwarded-port
    HTTP::header insert X-Forwarded-Host [HTTP::host]
    HTTP::header insert X-Forwarded-Proto "https"
    HTTP::header insert X-Forwarded-Port "443"
    configmap for ingress also needs: use-forwarded-headers: "true"
    use-proxy-protocol: "true"

For more information, see Load balancer requirements

To configure an F5 load balancer, perform the following steps:

  1. Import or create the SSL certificate.
  2. Create an SSL profile in F5.
  3. Create the pool.
  4. Create iRules.
  5. Configure the virtual server.


1. To create or import a certificate/key pair

If you are configuring SSL Offloading or re-encryption, you must import a certificate in F5 as a .pem file. You can also import the certificate/key pair from .p12 files. Click the Import button in the F5 user interface to import a certificate.

You can also create a certificate by clicking the Create button. 

After you import or create the certificate, it is available in F5 as shown in the following image:


2. To create an SSL profile in F5

  1. In the F5 user interface, go to the Local Traffic > Profiles: SSL : Client > New Client SSL Profile page.
  2. In the Certificate key chain field, select the check box and then click Add.


  3. In the Add SSL Certificate to Key Chain dialog box, add the required details:


    • Select the certificate and key.
    • If the certificate is not part of the same chain, select a chain.
    • If the certificate has a passphrase, enter the passphrase.


Note

If the normal daemonset for the ingress controller in a standard Rancher deployment does not have an svc and uses the 80/443 ports, the yaml file in Deploying and configuring the ingress controller for OpenShift or Kubernetes creates the service.


3. To create a pool

  1. In the F5 user interface, go to the Local Traffic > Pools: Pool List > New Pool page.
  2. Click Create.
  3. In the Health Monitors field, select http or https from the Active box and move it to the Available box.
  4. Under Resources, in the New Members field, do the following:
    1. Add the node name. This is not mandatory. However, we recommend adding it so that you can easily recognize a resource from a list.
    2. Add the static IP address.
    3. Add the service port and select the http or https option based on the SSL option you are using.

      If you are unsure of the port number, run the following command to get it:

      $ kubectl -n <namespace_where_the_ingress_controller_is_deployed> get SVC

      Note

      If the normal daemonset for the ingress controller in a standard Rancher deployment does not have an svc and uses the 80/443 ports, the yaml file in Deploying and configuring the ingress controller for OpenShift or Kubernetes creates the service.

  5. Click Add to add a node.
  6. Repeat this process for each node that you want to add.

You can view the list of all the pools on the Local Traffic > Pools: Pool List page.

You can create multiple pools with http or https that can exist with the same nodes.


4. To create an iRule

iRules are one of the methods to set the required headers. You can create iRules to inject X-Forwarded when you use SSL offloading or re-encryption options. The following X-Forwarded headers are required:

  • X-Forwarded-Host
  • X-Forwarded-Proto
  • X-Forwarded-Port

Example iRule

The following image displays one of the ways in which you can configure an iRule to set the required headers:


5. To configure the virtual servers

You can configure virtual servers with the following options:

  • SSL offloading
  • Full SSL proxy or re-encryption
  • Passthrough

For this document, we will configure the virtual servers with the SSL Offloading option.

To configure a virtual server with the SSL offloading option:

  1. In the F5 user interface, go to the Local Traffic > Virtual Servers > Virtual Server List page. 
  2. Configure the values for the virtual server.
    The following table describes the required configurations for BMC Helix IT Operations Management:

    FieldConfiguration
    NameAdd the host name of the virtual server.
    Description(Optional) Add a description for the virtual server.
    TypeSelect Standard.
    Source AddressEnter the CIDR of 0.0.0.0/0 to provide unrestricted access to the virtual server.
    Destination Address/Mask

    Enter the static IP address of the virtual server.

    The static IP address is different from the host name that you added in the Name field. The host name can be descriptive with alpha-numeric characters.

    Service Port

    Set port 443 with HTTPS for BMC Helix IT Operations Management.

    HTTP ProfileSelect http. This value is required to use the iRule that you created earlier.
    SSL Profile (Client)From the Selected list, select the SSL profile that you created earlier, and move it to the Available list.
    SSL Profile (Server)Leave blank.
    Source Address TranslationSelect Auto Map.
    iRulesFrom the Enabled list, select the iRule that you created earlier, and move it to the Available list.
    Default PoolSelect the pool that you created earlier for the http port of nodes.

  3. Click Finished to configure the virtual server.


Was this page helpful? Yes No Submitting... Thank you

Comments