Applies To: BIG-IP versions 1.x - 4.x
- 3.3.1 PTF-06, 3.3.1 PTF-05, 3.3.1 PTF-04, 3.3.1 PTF-03, 3.3.1 PTF-02, 3.3.1 PTF-01, 3.3.1, 3.3.0
9 Balancing Traffic Inbound to Enterprise Servers
Introducing firewall load balancing for inbound traffic
This chapter explains how to load balance a configuration in which users on the Internet request information from a pair of enterprise servers behind the enterprise's set of firewalls. Such a configuration is appropriate for any enterprise that wants to provide information by way of the Internet, but also wants to limit traffic to specific services.
In this configuration, both the set of firewalls and the pair of servers require load balancing. This necessitates two BIG-IP Controller redundant systems:
- A BIG-IP Controller redundant system on the outside (that is, the side nearest the Internet) of the firewalls, to balance traffic inbound across the firewalls.
- A BIG-IP Controller redundant system on the inside (that is, the side nearest the enterprise servers) of the firewalls, to balance traffic from the firewalls to the servers.
Collectively, this is known as a firewall sandwich configuration, because the BIG-IP Controller redundant systems sandwich the firewalls. Figure 9.1, following, illustrates this type of scenario, and provides an example configuration for this entire chapter. Remember that this is just a sample: when creating your own configuration, you must use IP addresses, host names, and so on, that are applicable to your own network.
Figure 9.1 Balancing inbound traffic
Configuration tasks
To load balance traffic to enterprise servers across a set of firewalls using a firewall sandwich, you need to complete the following tasks in order:
- Configure routing to the internal network.
- Create load balancing pools for firewalls and servers.
- Create virtual servers for the firewall sandwich.
- Configure BIG-IP Controller interfaces for source and destination processing.
- Configure administrative routing.
Each of the following sections explains one of the tasks, and shows how you would perform the task in order to implement the example configuration shown in Figure 9.1.
Note: The procedures in this chapter detail how to configure a single BIG-IP Controller. In order to complete your configuration, synchronize the configured BIG-IP Controller with the other BIG-IP Controller in your BIG-IP Controller redundant system, as detailed in Synchronizing configurations between controllers, on page 18-41.
Configuring routing to the internal network
The external router should include a route for traffic bound for the network that includes the external interfaces of the internal BIG-IP Controller redundant system (that is, the redundant system that load balances the enterprise servers). This route should be by way of the external shared alias of the external BIG-IP Controller redundant system.
For example, in Figure 9.1, the network on which the internal BIG-IP Controller redundant system resides is 10.10.30.0, and the external shared alias of the external BIG-IP Controller redundant system is 10.10.10.1. Thus, a command to configure this routing might be:
route add -net 10.10.30.0 -gateway 10.10.10.1
The exact syntax of this command depends on the type of router.
Creating pools for firewalls and servers
To use this configuration, you must create load balancing pools. A pool is a group of devices that you want a BIG-IP Controller redundant system to load balance. You need to create three pools:
- To load balance incoming requests across the external interfaces of your firewalls, you will create a pool that includes these interfaces. You create this pool on the outside BIG-IP Controller redundant system (1a and 1b in Figure 9.1).
- Requests that pass through the firewalls must be load balanced to the enterprise servers, so you create a pool that includes these servers. You create this pool on the inside BIG-IP Controller redundant system (2a and 2b in Figure 9.1).
- When a server responds to a request, the outgoing request must return by way of the internal interface of the firewall through which it originally came, so you create a pool that includes the internal interfaces of the firewalls. You create this pool on the inside BIG-IP Controller redundant system (2a and 2b in Figure 9.1).
Creating a pool for outside firewall interfaces
First, create the pool for the outside addresses of the firewalls on the outside BIG-IP Controller redundant system.
To implement the configuration shown in Figure 9.1, you would create this pool on BIG-IP Controller redundant system 1a and 1b.
To create the pool using the Configuration utility
- In the navigation pane, click Pools.
The Pools screen opens.
- In the toolbar, click the Add Pool button. The Add Pool screen opens.
- Configure the following attributes on the Add Pool screen. For additional information about creating a pool, click the Help button.
Configuration notes
To create the configuration shown in Figure 9.1:
· Create a pool named firewalls_outside.
· Add each firewall from the example, 10.10.20.4, 10.10.20.5, and 10.10.20.6, to the pool. For each firewall you add to the pool, specify port 0.
To create the pool from the command line
Use the bigpipe pool command to create the pool:
bigpipe pool <pool name> { lb_method <xx> member <Firewall1>:0 member <Firewall2>:0 member <Firewall3>:0 }
In the command, replace the parameters with the appropriate information.
- <pool name> is a 1-31 character identifier for the pool.
- <Firewall1>, <Firewall2>, and <Firewall3> are the IP addresses of the outside interfaces of your respective firewalls.
- lb_method <xx> designates the load balancing method. For more information, refer to Understanding individual load balancing methods in BIG-IP Reference Guide.
In Figure 9.1, for example, the pool for the outside addresses is firewalls_outside, the outside addresses are 10.10.20.4, 10.10.20.5, and 10.10.20.6, and the load balancing method is Round Robin. Thus, the command would be:
bigpipe pool firewalls_outside { lb_method rr member 10.10.20.4:0 member 10.10.20.5:0 member 10.10.20.6:0 }
Creating a pool for servers
Create the pool for the nodes that handle requests to your enterprise servers on the inside BIG-IP Controller redundant system. Use the Configuration utility, or the bigpipe pool command, as you did to create the pool for the outside firewall addresses. Choose a pool name appropriate for this pool.
To create the pool using the Configuration utility
- In the navigation pane, click Pools.
The Pools screen opens.
- In the toolbar, click the Add Pool button. The Add Pool screen opens.
- Configure the following attributes on the Add Pool screen. For additional information about creating a pool, click the Help button.
Configuration notes
To create the configuration shown in Figure 9.1:
· Create a pool named servers.
· Add the servers 10.10.40.4 and 10.10.40.5 to the pool. For each server, specify port 80.
To create the pool from the command line
Use the bigpipe pool command to create the pool:
bigpipe pool <pool name> { lb_method <xx> member <Server1>:<service> member <Server2>:<service> }
In the command, replace the parameters with the appropriate information.
- <pool name> is a 1-31 character identifier for the pool.
- <Server1> and <Server2> are the IP addresses of your enterprise servers.
- <service> is the port on which the servers accept requests (80 for HTTP in this example).
- lb_method <xx> designates the load balancing method. For more information, refer to Understanding individual load balancing methods in the BIG-IP Reference Guide.
To implement the configuration shown in Figure 9.1, you would create this pool on BIG-IP Controller redundant systems 2a and 2b. In this example, the pool for the server addresses is servers, the server addresses are 10.10.40.4 and 10.10.40.5, and the load balancing method is Round Robin. Thus, the command to implement this configuration is:
bigpipe pool servers { lb_method rr member 10.10.40.4:80 member 10.10.40.5:80 }
Creating a pool for inside firewall interfaces
Next, create a pool for the internal addresses of your firewalls on the inside BIG-IP Controller redundant system. Use the Configuration utility, or the bigpipe pool command, as you did to create the pool for the outside firewall addresses. Choose a pool name appropriate for this pool.
To create the pool using the Configuration utility
- In the navigation pane, click Pools.
The Pools screen opens.
- In the toolbar, click the Add Pool button. The Add Pool screen opens.
- Configure the following attributes on the Add Pool screen. For additional information about creating a pool, click the Help button.
To create the configuration shown in Figure 9.1:
· Create a pool named firewalls_inside.
· Add each firewall from the example, 10.10.30.4, 10.10.30.5, and 10.10.30.6, to the pool. For each firewall you add to the pool, specify port 0.
To create the pool from the command line
Use the bigpipe pool command to create the pool:
bigpipe pool <pool name> { lb_method <xx> member <Firewall1>:0 member <Firewall2>:0 member <Firewall3>:0 }
In the command, replace the parameters with the appropriate information.
- <pool name> is a 1-31 character identifier for the pool.
- <Firewall1>, <Firewall2>, and <Firewall3> are the IP addresses of the inside interfaces of your respective firewalls.
- lb_method <xx> designates the load balancing method. For more information, refer to Understanding individual load balancing methods in the BIG-IP Reference Guide.
To implement the configuration shown in Figure 9.1, you would create this pool on BIG-IP Controller redundant systems 2a and 2b. In this example, the pool for the inside addresses is firewalls_inside, the inside addresses are 10.10.30.4, 10.10.30.5, and 10.10.30.6, and the load balancing method is Round Robin. Thus the command to implement this configuration would be:
bigpipe pool firewalls_inside { lb_method rr member 10.10.30.4:0 member 10.10.30.5:0 member 10.10.30.6:0 }
Creating virtual servers for the firewall sandwich
After you define the pools for the internal and external interfaces of the firewalls, you can define the virtual servers for the BIG-IP Controller redundant systems. You will create a wildcard virtual server on the outside BIG-IP Controllers (1a and 1b in Figure 9.1) to load balance the firewalls, and a standard virtual server on the inside BIG-IP Controllers (2a and 2b in Figure 9.1) to load balance the enterprise servers.
Creating a wildcard virtual server to load balance the outside firewall interfaces
The outside BIG-IP Controller redundant system load balances inbound connections across the outside interfaces of the firewalls. Therefore, you need to create a wildcard virtual server on this system (1a and 1b in Figure 9.1). The wildcard virtual server should reference the pool you created in Creating a pool for outside firewall interfaces, on page 9-4, that contains the outside interfaces of the firewalls.
To create a wildcard virtual server using the Configuration utility
- In the navigation pane, click Virtual Servers.
- On the toolbar, click Add Virtual Server. The Add Virtual Server screen opens.
- Configure the appropriate attributes on the Add Virtual Server screen. For additional information about configuring a virtual server, click the Help button.
Configuration notes
To create the configuration shown in Figure 9.1:
· Add a virtual server with address 0.0.0.0 and port 0 (this designates a wildcard virtual server).
· In the Pool list, select firewalls_outside (having created the firewalls_outside pool in Creating a pool for outside firewall interfaces, on page 9-4).
· Select none for interface.
To create a wildcard virtual server from the command line
Use the bigpipe vip command to configure the virtual server to use the pool that contains the outside addresses of the firewalls:
bigpipe vip 0.0.0.0:0 <interface> use pool <pool name>
In the command, replace the parameters with the appropriate information:
- 0.0.0.0:0 designates a wildcard virtual server, that is, all addresses and all services. To restrict the wildcard to a single service, such as HTTP, FTP, or Telnet, replace the 0 after the colon with that service.
- <interface> is the interface on the BIG-IP Controller on which you want to create this virtual server.
- <pool name> is the name of the pool you want this virtual server to use.
If you restrict the wildcard to a single service, repeat this command for each service you want to configure. For example, the command to implement the configuration shown in Figure 9.1 would be:
bigpipe vip 0.0.0.0:0 none use pool firewalls_outside
Enhancing security
To supplement the security offered by your firewalls, you may want to create a port-specific wildcard virtual server, or a standard virtual server, rather than a wildcard virtual server. In this configuration, a port-specific wildcard virtual server reduces the number of reachable IP ports from 65,535 ports on all addresses to one port (and one service) on all addresses. A standard virtual server reduces the exposure further, to one port on one address.
You can create a port-specific wildcard or standard virtual server to enhance the security of the configuration shown in Figure 9.1 using either the Configuration utility or the command line.
- To create a port-specific wildcard virtual server using the Configuration utility, follow the instructions in To create a wildcard virtual server using the Configuration utility, on page 9-9, using 80 for the port attribute.
- To create a port-specific wildcard virtual server from the command line, use the bigpipe vip command as explained in To create a wildcard virtual server from the command line, on page 9-9. The command is:
bigpipe vip 0.0.0.0:80 none use pool firewalls_outside
- To create a standard virtual server using the Configuration utility, follow the instructions in To create a wildcard virtual server using the Configuration utility, on page 9-9. Substitute 10.10.30.9 for the Address attribute and 80 for the port attribute.
- To create a standard virtual server from the command line, use the bigpipe vip command as explained in To create a wildcard virtual server from the command line, on page 9-9. The command is:
bigpipe vip 10.10.30.9:80 none use pool firewalls_outside
Creating a standard virtual server to load balance the enterprise servers
After you configure the outside BIG-IP Controller redundant system to handle inbound traffic, configure the inside BIG-IP Controller redundant system (2a and 2b in Figure 9.1) to load balance the enterprise servers.
Use the Configuration utility, or the bigpipe vip command, as you did to create the wildcard virtual server for the outside BIG-IP Controller redundant system. Instead of a wildcard IP address, use a standard IP address and the pool of enterprise servers appropriate for your network.
To create a standard virtual server using the Configuration utility
- In the navigation pane, click Virtual Servers.
- On the toolbar, click Add Virtual Server. The Add Virtual Server screen opens.
- Configure the appropriate attributes on the Add Virtual Server screen. For additional information about configuring a virtual server, click the Help button.
Configuration notes
To create the configuration shown in Figure 9.1:
· Add a virtual server with address 10.10.30.9 and port 80 (this designates a standard virtual server receiving HTTP traffic).
· In the Pool list, select servers (having created the servers pool in Creating a pool for servers, on page 9-6).
To create a standard virtual server from the command line
Use the bigpipe vip command to configure the virtual server to use the pool that contains the enterprise servers:
bigpipe vip <virtual server>:<service> <interface> use pool <pool name>
In the command, replace the parameters with the appropriate information:
- <virtual server> is an IP address appropriate to your network.
- <service> is a service you want to configure, such as HTTP, FTP, or Telnet.
- <interface> is the interface on the BIG-IP Controller on which you want to create this virtual server.
- <pool name> is the name of the pool you want this virtual server to use.
To use the bigpipe vip command to implement the configuration shown in Figure 9.1, type:
bigpipe vip 10.10.30.9:80 use pool servers
Designating the last hop pool
When a BIG-IP Controller redundant system is accepting connections for virtual servers from more than one firewall, it is typically necessary to return packets through the same firewall from which the connection originated. Returning the data through the originating firewall ensures that:
- Outbound traffic is balanced across the firewall set.
- In situations where the firewall is maintaining a connection for a client, packets can be returned to that client.
To configure the firewall sandwich along these lines, use the Configuration utility or the bigpipe vip command with the lasthop keyword to designate the pool containing the inside interfaces of the firewalls as the last hop pool.
To configure a last hop pool using the Configuration utility
- In the navigation pane, click Virtual Servers.
The Virtual Servers screen opens.
- In the virtual server list, click the virtual server for which you want to set up a last hop pool. The Virtual Server properties screen for the virtual server you clicked opens.
- In the Virtual Server properties screen, select the pool you want to designate as the last hop. For additional information about configuring a last hop pool, click the Help button.
Configuration notes
To create the configuration shown in Figure 9.1, select firewalls_inside as the last hop pool for the virtual server 10.10.30.9:80.
To configure last hop pools for virtual servers from the command line
Use the bigpipe vip command:
bigpipe vip <virtual server>:<service> lasthop pool <pool name>
In the command, replace the parameters with the appropriate information:
- <virtual server> is the IP address of the virtual server you are configuring.
- <service> is the service of that virtual server, such as HTTP, FTP, or Telnet.
- <pool name> is the name of the pool you want this virtual server to use as its last hop pool.
For example, to implement the configuration shown in Figure 9.1, you would type:
bigpipe vip 10.10.30.9:http lasthop pool firewalls_inside
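The return-path problem this section describes, modelled as an added example (not F5 code and not from this chapter): the three stateful firewalls of Figure 9.1 sit between the two BIG-IP Controller redundant systems, and the inside system either returns each reply through the firewall the request arrived from (last hop pool) or sends it along its default route. The client address, its ephemeral ports, the firewalls' connection tracking, and the choice of the first firewall as the inside system's default route are constructed for the example.

```python
"""Model of the firewall sandwich in Figure 9.1: three stateful firewalls
between the outside and inside BIG-IP Controller redundant systems.
Shows why the inside system must return a server's reply through the
firewall the request arrived on, which is what the last hop pool does.

Added example, not F5 code.  Firewall and virtual server addresses come
from Figure 9.1; the client, its ports, the firewalls' connection tracking
and the inside system's default route are constructed assumptions."""

from dataclasses import dataclass, field

CLIENT_IP = "192.0.2.10"            # constructed Internet client
VIP = ("10.10.30.9", 80)            # standard virtual server on the inside system


@dataclass
class StatefulFirewall:
    outside: str                    # member of the firewalls_outside pool
    inside: str                     # member of the firewalls_inside pool
    state: set = field(default_factory=set)   # (client, server) flows seen inbound

    def inbound(self, client, dst):
        """Allow new inbound flows to the virtual server only, and record them."""
        if dst != VIP:
            return False
        self.state.add((client, dst))
        return True

    def outbound(self, src, client):
        """Pass a reply only if this firewall saw the matching inbound flow."""
        return (client, src) in self.state


FIREWALLS = [
    StatefulFirewall("10.10.20.4", "10.10.30.4"),
    StatefulFirewall("10.10.20.5", "10.10.30.5"),
    StatefulFirewall("10.10.20.6", "10.10.30.6"),
]


def outside_pick(conn_id):
    """Outside system: lb_method rr across the firewalls_outside pool."""
    return FIREWALLS[conn_id % len(FIREWALLS)]


def inside_return(last_hop_inside, use_lasthop_pool):
    """With the lasthop pool the reply goes back to the firewalls_inside member
    the request came from; without it, it follows the constructed default route."""
    if use_lasthop_pool:
        return next(fw for fw in FIREWALLS if fw.inside == last_hop_inside)
    return FIREWALLS[0]


def simulate(conn_id, use_lasthop_pool):
    """Return True if the client receives the reply for connection conn_id."""
    client = (CLIENT_IP, 40000 + conn_id)      # constructed ephemeral port
    fw_in = outside_pick(conn_id)
    if not fw_in.inbound(client, VIP):
        return False
    fw_out = inside_return(fw_in.inside, use_lasthop_pool)
    return fw_out.outbound(VIP, client)        # reply is sourced from the VIP


def delivered(use_lasthop_pool, connections=6):
    """Reset firewall state and report, per connection, whether the reply got back."""
    for fw in FIREWALLS:
        fw.state.clear()
    return [simulate(i, use_lasthop_pool) for i in range(connections)]


if __name__ == "__main__":
    print("without lasthop pool:", delivered(False))   # only replies that happen to hit the default-route firewall survive
    print("with lasthop pool:   ", delivered(True))
```

Without the last hop pool, only connections that arrived through the default-route firewall get a reply; every other reply reaches a firewall with no matching state and is dropped.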
Configuring interfaces
Typically, a BIG-IP Controller redundant system has two interfaces:
- An external interface, usually set for destination processing.
- An internal interface, usually set for source processing.
In order for the firewall sandwich configuration to work, you must set all interfaces on both BIG-IP Controller redundant systems (1a and 1b, and 2a and 2b, in Figure 9.1) to process both source and destination addresses.
Thus, in addition to the defaults, you must enable source processing for the external interfaces and enable destination processing for the internal interfaces.
To configure source and destination processing using the Configuration utility
- In the navigation pane, click NICs.
The Network Interface Cards screen opens. You can view the current settings for each interface in the Network Interface Card table.
- In the Network Interface Card table, click the name of the interface you want to configure. The Network Interface Card Properties screen opens.
- In the Network Interface Card Properties screen, configure the attributes required for the interface. For additional information about configuring an interface, click the Help button.
Configuration notes
To create the configuration shown in Figure 9.1, for both exp0 and exp1, make sure the Enable Source Processing and the Enable Destination Processing check boxes are checked.
To configure source processing from the command line
Use the bigpipe interface command with the source keyword to enable source processing for an interface:
bigpipe interface <interface> source enable
where <interface> is the identifier for an interface of a BIG-IP Controller redundant system that does not yet have source processing enabled, typically the external interface.
To implement the configuration shown in Figure 9.1, use the command:
bigpipe interface exp0 source enable
Repeat this process for each BIG-IP Controller redundant system.
To configure destination processing from the command line
Use the bigpipe interface command with the dest keyword to enable destination processing for an interface:
bigpipe interface <interface> dest enable
where <interface> is the identifier for an interface of a BIG-IP Controller redundant system that does not yet have destination processing enabled, typically the internal interface.
For example, to implement the configuration shown in Figure 9.1, use the command:
bigpipe interface exp1 dest enable
Repeat this process for each BIG-IP Controller redundant system.
Configuring administrative routing
In order to administer the outside BIG-IP Controller redundant system (BIG-IP Controllers 1a and 1b in Figure 9.1) from the inside BIG-IP Controller redundant system (BIG-IP Controllers 2a and 2b in Figure 9.1), and to administer the inside redundant system from the outside redundant system, you need to create routes between the systems, using the firewalls as gateways.
For example, to implement the configuration shown in Figure 9.1, you would use the following commands on BIG-IP Controllers 1a and 1b:
route add -host 10.10.30.1 -gateway 10.10.20.4
route add -host 10.10.30.2 -gateway 10.10.20.5
route add -host 10.10.30.3 -gateway 10.10.20.6
To complete the configuration, you would use the following commands on BIG-IP Controllers 2a and 2b:
route add -host 10.10.20.1 -gateway 10.10.30.4
route add -host 10.10.20.2 -gateway 10.10.30.5
route add -host 10.10.20.3 -gateway 10.10.30.6