If you’ve ever heard of F5®, you’ve probably heard their products referred to as “BIG-IP.” Many people wonder what BIG-IP is and what F5 BIG-IP accomplishes in a network. This blog series will break it down for you so you know exactly what F5 BIG-IP is and the challenges it can solve for you in terms of networking and application availability, performance, security, and access control/IAM – whether in the cloud or in local data centres.
BIG-IP is a software and hardware family from F5 Networks that focuses on application availability, access management, and security. It’s the ultimate consolidation platform, allowing you to proxy/load balance, apply security, offload and transform access, and so much more – all from a single endpoint, the virtual IP or “VIP.” It helps you with:
- Steering traffic based on availability & performance.
- Security for protection of your web apps and APIs.
- Identity and access management/control.
- Analysis of critical applications.
F5 Networks’ fundamental technology is the BIG-IP TMOS software. When people talk about GTM, LTM, APM, ASM, and other software modules, they’re referring to the logical software modules that run on the BIG-IP Traffic Management Operating System® (TMOS) Software. To be clear, these aren’t discrete hardware modules; you don’t need to buy a new card to add a module; instead, it’s all about logical licensing. You can run the software on a dedicated hardware appliance, a virtual machine (VM), or even F5’s Software as a Service cloud offering and let F5’s dedicated NOC do the heavy lifting with Silverline® DDoS & WAF Services.
Primary F5 BIG-IP Modules
F5® BIG-IP devices are built on a modular system, allowing you to add new features as needed to easily react to changing application and business requirements. F5’s application delivery architecture is based on the fundamental components Local Traffic Manager (LTM) and Global Traffic Manager (GTM). F5 has other modules that expand on these capabilities, making it a comprehensive application delivery solution.
Local Traffic Manager (LTM)
F5 BIG-IP® Local Traffic Manager (LTM) enables you to deliver applications to consumers in a safe, dependable, and optimal manner. BIG-IP LTM maintains the availability and scalability of your applications by making intelligent traffic decisions that adapt to changing demands. You can simplify, automate, and customize applications more quickly and predictably using BIG-IP LTM.
The LTM is generally known for delivering load balancing services based on application health and performance, but it can do so much more. It can be used as a reverse proxy, forward proxy, and traffic shaper/bender for security and authentication. For full HTTP traffic inspection and manipulation, LTM can be used to terminate SSL/TLS. It can also provide minimal API gateway capabilities by routing requests and doing basic validation using a local traffic policy or an iRule.
Objects of an LTM
- VIP (Virtual IP)
A Virtual IP, also known as a Virtual Server, is an important part of any BIG-IP setup. When network engineers think about designing a configuration for a certain application, it’s usually where they start. When requests are bound for whatever application lies behind the BIG-IP, the VIP is the destination (combination of IP and port) to which they will be routed. For example, if your web application is hosted on a server behind an F5 device, it will no longer have a public-facing internet address. Instead, you’d assign that public address to the BIG-IP as a VIP with whatever accompanying port you’re anticipating traffic on. As a result, you’ll have a VIP on the front end (or “client side”) of your BIG-IP that sends traffic to the back end server(s). The VIP is crucial since it is where all outside traffic is directed, where profiles and other configuration settings are defined, and so much more.
Various types of VIPs are common in application configurations, especially when they accept traffic on multiple ports or if they need to use multiple profiles for some reason (for example, some requests use a client SSL certificate while others don’t). It’s vital to keep in mind that one VIP does not always imply one application. On the BIG-IP, a VIP is a configuration object that allows you to connect a destination IP:port pair and process traffic for that pair. Whether it’s to send traffic to a back end server, reroute it somewhere else, deny, delete, investigate, or simply log data about it… once traffic reaches the F5 device, you have a nearly infinite number of options for what you can do with it.
- Pool
In the simplest terms, a pool is a collection of servers. A pool, like a VIP, is an essential BIG-IP configuration item, although it can be considered one level lower in the configuration stack. To put it another way, you need a VIP in place to allow traffic into your F5 device in general, and pools become relevant only after that. A pool is a group of one or more servers, known as members.
Monitoring at the pool level is vital since it shows you which groups of servers are available and which aren’t at any given time. Each VIP can choose a default pool; however, if the primary pool is unavailable, it is also possible to direct traffic to another pool. In some implementations, a pool is chosen based on characteristics learned from the connection once it is in place, rather than a default pool being specified. Pools are where the servers that host the application that is being served live, and as such, they are an important aspect of any deployment.
- Pool Member
A pool member refers to one of the specific servers linked with a specific pool. Pool members are crucial because they represent the actual servers in any configuration. The broad, general structure of a basic application stack within a BIG-IP is made up of a VIP, pool, and pool members. There can be thousands of permutations and alternatives, but this is the most basic, generic picture, which is critical to grasp for beginners. In addition to the configuration options inherently in place, pool members can have many options toggled on them.
… here is the flow so far:
Traffic will be directed toward a specific VIP. The traffic will then be sent to a specific pool based on either the VIP’s default pool or some other criterion, such as an iRule. The traffic will then arrive at that pool, where a load balancing decision will be made based on currently available members and the selected load balancing algorithm. Traffic will then be directed to a pool member, which is the final destination (i.e. server), which will process the request and respond appropriately.
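
The flow above can be traced with a small model. This is an added illustration in Python, not BIG-IP or F5 code: the class names, the rule predicate standing in for an iRule, round-robin as the algorithm, and all addresses are assumptions made for the example. It also shows the two failure cases worth knowing: every member of the chosen pool marked down, and traffic sent to a destination that has no VIP.

```python
from dataclasses import dataclass, field

@dataclass
class Member:
    addr: str        # back-end "ip:port"
    up: bool = True  # latest health-monitor verdict

@dataclass
class Pool:
    name: str
    members: list
    cursor: int = 0  # round-robin position

    def pick(self):
        """Round-robin over members marked up; None when every member is down."""
        live = [m for m in self.members if m.up]
        if not live:
            return None
        member = live[self.cursor % len(live)]
        self.cursor += 1
        return member

@dataclass
class VirtualServer:
    destination: str            # client-side "ip:port" the VIP listens on
    default_pool: Pool
    fallback_pool: Pool = None  # used only when the chosen pool has no live member
    rules: list = field(default_factory=list)  # (predicate, pool) pairs standing in for an iRule

    def route(self, request):
        pool = next((p for match, p in self.rules if match(request)), self.default_pool)
        member = pool.pick()
        if member is None and self.fallback_pool is not None:
            pool, member = self.fallback_pool, self.fallback_pool.pick()
        return (pool.name, member.addr) if member else None

def dispatch(vips, destination, request):
    """Only traffic addressed to a configured VIP is processed; anything else gets None."""
    vs = vips.get(destination)
    return vs.route(request) if vs else None

def build_demo():
    """Constructed sample configuration (documentation and private addresses)."""
    web = Pool("web_pool", [Member("10.0.0.11:80"), Member("10.0.0.12:80")])
    api = Pool("api_pool", [Member("10.0.1.21:8080")])
    sorry = Pool("sorry_pool", [Member("10.0.9.9:80")])
    vs = VirtualServer("203.0.113.10:443", web, sorry,
                       [(lambda req: req["path"].startswith("/api/"), api)])
    return {vs.destination: vs}, web, sorry
```

Marking members down in the model (`member.up = False`) mimics what a health monitor does, so you can watch requests shift to the remaining member and then to the fallback pool.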