HTTP Load Balancer
Objective
This guide provides instructions on how to create an HTTP load balancer in F5® Distributed Cloud Console (Console) using guided configuration. This includes configuring the required objects for the virtual host. To learn more about virtual hosts, see Virtual Host.
Using guided creation for an HTTP load balancer, you can create the following types of load balancers:
- HTTP load balancer
- HTTPS load balancer with your own TLS certificate
- HTTPS load balancer with automatic TLS certificate (minted by F5® Distributed Cloud Services)
Using the instructions provided in this guide, you can perform the following:
- Create and advertise an HTTP load balancer
- Create and advertise an HTTPS load balancer with your TLS certificate or with the certificate minted by Distributed Cloud Services
Note: Distributed Cloud Services support automatic certificate generation and management. You can either delegate your domain to Distributed Cloud Services or add the CNAME record to your DNS records in case you do not delegate the domain to Distributed Cloud Services. See Automatic Certificate Generation for certificates managed by Distributed Cloud Services. See Delegate Domain for more information on how to delegate your domain to Distributed Cloud Services.
Prerequisites
The following prerequisites apply:
- A Distributed Cloud Services Account. If you do not have an account, see Create an Account.
- A valid DNS domain delegated to Distributed Cloud Services, in case you want Distributed Cloud Services to act as the domain name server (DNS). For instructions on how to delegate your domain to Distributed Cloud Services, see Delegate Domain.
- A Distributed Cloud Services Customer Edge (CE) site, in case you are deploying your applications on one. If you do not have a site, create one using the instructions provided in the Site Management guides. See the vK8s Deployment guide for deploying your applications on the Distributed Cloud Services network cloud or edge cloud.
Configuration
The following video shows a tutorial for HTTP load balancer creation:
The configuration option to create the HTTP load balancer guides you through the steps for required configuration. This document covers each guided step and explains the required actions to be performed for each step.
Step 1: Log into Console and create new load balancer.
- Log into Console.
- Click Multi-Cloud App Connect.
- Select Manage > Load Balancers > HTTP Load Balancers.
- Confirm the correct namespace is selected.
- Click Add HTTP Load Balancer.
Step 2: Configure metadata, domains, and load balancer type.
- In the Name field, enter a name for the new load balancer.
- Optionally, select a label and enter a description.
- In the Domains field, enter a domain name. You can use wildcards to catch prefixes and suffixes.
- Click Add item to add more domains, if needed.
- From the Load Balancer Type drop-down menu, select an option. The following options are supported:
  - Select HTTP to create the HTTP load balancer.
  - Select HTTPS with Automatic Certificate to create the HTTPS load balancer with an automatic TLS certificate.
  - Select HTTPS with Custom Certificate to create the HTTPS load balancer with your custom TLS certificate.

Note: Do not add both wildcard and top-level domains (for example, *.example.com and example.com) if you are using an automatic certificate for different load balancers.

- If you select HTTP, select whether to have Distributed Cloud Services manage your DNS records with Automatically Manage DNS Records. This option requires you to have delegated your domain to Distributed Cloud Services.
- Optionally, select the HTTP Redirect to HTTPS and Add HSTS Header checkboxes for the HTTPS with Automatic Certificate or HTTPS with Custom Certificate options.
- From the TLS Security Level drop-down menu, select the security level for the TLS configuration.
- If you are using the HTTPS with Custom Certificate option:
  - Set the TLS configuration using the Configure option under the TLS Parameters field.
  - From the TLS Security Level drop-down menu, select the desired level.
  - In the TLS Certificates section, click Add Item.
  - For the certificate URL encoding, select PEM or base64(binary), and then enter the certificate URL.
  - To configure the private key, click Configure.
  - Under the Secret section, configure the settings for the private key, and then click Apply.
  - From the OCSP Stapling choice drop-down menu, select the OCSP stapling choice.
  - Click Apply.
  - In the TLS Parameters page, click Apply.

  Note: You can add more than one certificate using the Add Item option. However, only one certificate per encryption type (such as RSA and EC-DSA) is supported.

- If you are using the HTTPS with Automatic Certificate option:
  - Enable the Show Advanced Fields option.
  - From the Mutual TLS drop-down menu, select Enable or Disable for mutual TLS encryption. If you select Enable:
    - Copy the CA certificate information into the box using the PEM or Base64 option.
    - From the Verify client certificate with CR menu, select CRL to have the client certificate verified against the CRL, and then select the CRL.
    - From the Add X-Forwarded-Client-Cert Header menu, enable adding an X-Forwarded-Client-Cert (XFCC) proxy header to send client certificate details to the origin. You can choose to send the entire certificate, a single field, or multiple fields using the following: By, Hash, Cert, Chain, Subject, URI, and DNS.
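The XFCC header above carries the selected certificate fields to the origin, which has to parse them before trusting any of them. The following is an added example, not F5 documentation or product code, of that parsing at the origin; it assumes the Envoy XFCC encoding (semicolon-separated Key=Value elements, values double-quoted when they contain commas, semicolons or equals signs, several certificates separated by commas, PEM URL-encoded) and a constructed sample header with placeholder values.

```python
from urllib.parse import unquote

# Constructed sample of the header the load balancer adds when the XFCC option is
# enabled; the hash, SPIFFE IDs, subject and names are placeholders, not real data.
SAMPLE_XFCC = (
    "By=spiffe://origin.example/backend;"
    "Hash=" + "00ff" * 16 + ";"
    'Subject="/C=US/ST=CA/L=San Francisco/O=Example/CN=client1";'
    "URI=spiffe://client.example/app;"
    "DNS=client1.example.com;DNS=client1.internal"
)

# The seven elements the load balancer can forward (from the option list above).
XFCC_KEYS = {"By", "Hash", "Cert", "Chain", "Subject", "URI", "DNS"}


def parse_xfcc(header: str) -> list:
    """Return one dict per forwarded certificate; URI and DNS may repeat, so they are lists."""
    certs, current = [], {}
    key, buf, quoted = "", [], False

    def finish_pair():
        nonlocal key, buf
        if key:
            if key not in XFCC_KEYS:
                raise ValueError(f"unknown XFCC element: {key}")
            value = "".join(buf).strip()
            if key in ("Cert", "Chain"):
                value = unquote(value)          # PEM is URL-encoded in the header (assumed)
            if key in ("URI", "DNS"):
                current.setdefault(key, []).append(value)
            else:
                current[key] = value
        key, buf = "", []

    i = 0
    while i < len(header):
        ch = header[i]
        if quoted:
            if ch == "\\" and i + 1 < len(header):
                buf.append(header[i + 1])       # escaped character inside quotes
                i += 2
                continue
            if ch == '"':
                quoted = False
            else:
                buf.append(ch)
        elif ch == '"' and key and not buf:
            quoted = True                       # , ; = are literal until the closing quote
        elif ch == "=" and not key:
            key, buf = "".join(buf).strip(), []
        elif ch == ";":
            finish_pair()
        elif ch == ",":
            finish_pair()                       # next certificate in the list
            if current:
                certs.append(current)
                current = {}
        else:
            buf.append(ch)
        i += 1
    finish_pair()
    if current:
        certs.append(current)
    return certs


def subject_cn(subject: str) -> str:
    """CN from an OpenSSL-style '/C=US/.../CN=name' subject string ('' if absent)."""
    for part in subject.split("/"):
        if part.startswith("CN="):
            return part[3:]
    return ""
```

The origin should only act on these values when the request arrived from the load balancer, since any client that can reach the origin directly can set the header itself.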
- From the Server Response Header drop-down menu, select an option for the server response header. The following options are supported:
  - Default: Specifies that the response header name is server and the value is volt-adc.
  - Modify header value: Specifies that a custom value be added to the existing server header. This overwrites existing values, if any, in the server header.
  - Append header value: Specifies that a custom value be added to the server header if no value is present. If there is an existing server header value, this option does not overwrite it. Enter a header value in the Append header value field.
  - Do not modify: Specifies that the existing server header is passed as is. If no server header is present, a new header is not appended.
- From the Path Normalization menu, select an option.
Step 3: Configure origin pools.
- In the Origins section, click Add Item to create an origin pool.
- From the Select Origin Pool Method menu, select an option for a simple origin pool or a custom cluster:
  - Origin Pool: From the Origin Pool drop-down menu, select an origin pool. To create a new origin pool, click Add Item. Follow the instructions at Origin Pools.
  - Custom Cluster: From the Custom Cluster menu, select the cluster to use.
- In the Weight field, set the numeric value.
- In the Priority field, set the numeric value.
- Click Apply.
Step 4: Optionally, configure routes.
- In the Routes section, click Configure.
- Click Add Item.
- From the Select Type of Route menu, select an option:
  - Simple Route: matches a path and/or HTTP methods and forwards the matching traffic to the configured origin pools:
    - Select a method for HTTP Method.
    - Select the type of path match for the Path Match field.
    - Add a path prefix in the Prefix field. You can also configure specific origin pools and/or headers for this route using the Add Item options in the Origin Pools and Headers sections.
    - From the Select Host Rewrite Method menu, select an option to specify how the host header can be modified during forwarding.
    - In the Advanced Options field, click Configure to configure advanced settings for each route.
  - Redirect Route: matches a path and/or HTTP methods and redirects the matching traffic to another URL:
    - Select a method for HTTP Method and a path for the Path Match field.
    - Add a path prefix in the Prefix field.
    - Configure the Redirect Parameters: Protocol, Host, Redirect Path (for the redirect URL), and Response Code.
    - Select an option from the Query Parameters drop-down menu.
  - Direct Response Route: matches a path and/or HTTP methods and sends a response directly to the matching traffic:
    - Select a method for HTTP Method and a path for the Path Match field.
    - Add a path prefix in the Prefix field.
    - Click the Configure option in the Direct Response field. Enter a response code, enter a response body, and then click Apply.
  - Custom Route Object: uses an existing custom route object. Select a route object in the Reference to Custom Route drop-down menu. For information on how to create a custom route, see How to setup path-based routing or application load balancing.
- Click Apply to add the route.

Note: You can click Add Item to add more routes per your requirements.
Step 5: Optionally, set security configuration.
Step 5.1: Configure WAF and corresponding security features.
You can leave the WAF disabled (the default setting), or you can select a WAF that was previously created and configured and apply it in your load balancer security settings. In addition, you can create and enable a new WAF and configure your load balancer to exclude specific WAF rules from processing certain requests.
- Go to the Web Application Firewall section.
- From the Web Application Firewall (WAF) drop-down menu, select whether to enable the WAF for this HTTP load balancer. Disable is the default value.
- If you select Enable, use the Enable drop-down menu to select the WAF to apply to this load balancer.

Note: You can also add an App Firewall per route. In the route configuration for a Simple Route, go to the advanced options configuration, go to the security section, and select App Firewall for the Web Application Firewall (WAF) field. Select an App Firewall object. By default, the route inherits the App Firewall configured for the load balancer.

- To add exclusion rules for the WAF, follow the instructions at Create WAF Exclusion Rules.
- Select Configure in the Data Guard Rules section and follow the instructions in Configure Data Guard to set data guard rules.
- Select Configure for the Cross-Site Request Forgery Protection option. Specify allowed domains in the Allowed Domains (Source Origin) field on the CSRF protection page, and select Apply. You can either allow all load balancer domains or add specific domains to the allow list.

Note: You can verify the CSRF mitigation on the load balancer security monitoring page. The CSRF mitigation event is displayed as a Service Policy event. Expand the security event's JSON view. The sec_event_name field with the value CSRF Policy Violation indicates that CSRF mitigation is active. For more information on load balancer monitoring, see Monitor HTTP Load Balancer.
- To configure the settings for GraphQL inspection, perform the following:
  - Under the GraphQL Inspection section, click Configure.
  - Click Add Item.
  - In the Name field, enter a name for this rule.
  - From the Domain drop-down menu, select an option that corresponds to your domain setting. The default value is Any Domain. You can choose to match by Exact Value or Suffix Value.
  - From the Path drop-down menu, select an option for the location of your GraphQL server endpoint. The default value is /graphql.
  - From the HTTP Method drop-down menu, select an option that specifies the method used to access the GraphQL endpoint server.
  - In the GraphQL Settings section, perform the following:
    - In the Maximum Total Length field, enter a value to specify the maximum total length in bytes for a query.
    - In the Maximum Structure Depth field, enter a value to specify the maximum depth for a query.
    - In the Maximum Batched Queries field, enter a value to specify the maximum number of queries in a single batch.
    - From the Introspection Queries menu, select whether to enable introspection of the GraphQL schema.
  - Click Apply to save the settings.
  - Click Apply to apply the settings to the load balancer configuration.
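The following is an added example, not F5 code, of the checks the four GraphQL Settings above express (Maximum Total Length, Maximum Structure Depth, Maximum Batched Queries and Introspection Queries) applied to a request body. The sample bodies are constructed, and the depth measure (nesting of selection-set braces) and the introspection test (a __schema or __type field) are assumptions about how the product counts.

```python
import json
import re

# Constructed request bodies in the shape a GraphQL Inspection rule sees:
# one single query and one batched (JSON array) request. Not real traffic.
SINGLE_QUERY = json.dumps(
    {"query": "{ user(id: 7) { name friends { name posts { title } } } }"})
BATCHED_QUERIES = json.dumps([
    {"query": "{ user(id: 1) { name } }"},
    {"query": "{ user(id: 2) { name } }"},
    {"query": "{ __schema { types { name } } }"},
])

# Introspection reaches the schema through the reserved __schema / __type fields.
INTROSPECTION = re.compile(r"\b__(schema|type)\b")


def query_depth(query: str) -> int:
    """Maximum nesting of selection-set braces, ignoring braces in strings and comments."""
    depth = max_depth = 0
    in_string = False
    i = 0
    while i < len(query):
        ch = query[i]
        if in_string:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "#":                     # comment runs to end of line
            while i < len(query) and query[i] != "\n":
                i += 1
        elif ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
        i += 1
    return max_depth


def inspect_graphql(body: str, max_length: int, max_depth: int,
                    max_batch: int, allow_introspection: bool) -> list:
    """Return the rule violations for one request body; an empty list means it passes."""
    violations = []
    size = len(body.encode("utf-8"))
    if size > max_length:                   # Maximum Total Length, in bytes
        violations.append(f"total length {size} > {max_length}")
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return violations + ["body is not valid JSON"]
    queries = parsed if isinstance(parsed, list) else [parsed]
    if len(queries) > max_batch:            # Maximum Batched Queries
        violations.append(f"batched queries {len(queries)} > {max_batch}")
    for n, item in enumerate(queries):
        query = item.get("query", "") if isinstance(item, dict) else ""
        depth = query_depth(query)
        if depth > max_depth:               # Maximum Structure Depth
            violations.append(f"query {n}: depth {depth} > {max_depth}")
        if not allow_introspection and INTROSPECTION.search(query):
            violations.append(f"query {n}: introspection query not allowed")
    return violations
```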
Optionally, in the
Cookie Protection
field, clickConfigure
to add attributes to an HTTP Response cookie that is sent to the client:-
Click
Add Item
. -
In the
Cookie Name
field, enter a name for this cookie. -
From the
SameSite
menu, select if or how the new cookie is sent with same-site and cross-site requests. You can select from the following:Ignore
Strict
Lax
None
-
From the
Secure
menu, select whether this new cookie is sent only over an HTTPS encrypted connection to the server. Default option isIgnore
. -
From the
HttpOnly
menu, select whether this new cookie is inaccessible to JavaScript Document.cookie API. Default option isIgnore
. SelectAdd
to ensure the cookie is inaccessible. -
Select
Enable
for theCookie Tampering Protection
field to enable cookie tampering protection. This prevents attackers from modifying the values of session cookies. -
Click
Apply
to save settings. -
Click
Apply
to apply settings to load balancer configuration.
-
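To show what the Cookie Protection settings above do to a response, the following added example (not F5 code) applies one rule to a Set-Cookie header value and checks the result. The rule fields mirror the UI choices; how attributes the origin already set are treated under Ignore, and the checks in cookie_warnings, are assumptions.

```python
from dataclasses import dataclass


@dataclass
class CookieProtectionRule:
    """One Cookie Protection item; the field values are the choices shown in the UI."""
    cookie_name: str
    samesite: str = "Ignore"   # Ignore | Strict | Lax | None
    secure: str = "Ignore"     # Ignore | Add
    httponly: str = "Ignore"   # Ignore | Add


# Attributes the rule manages; anything else the origin sent is passed through.
MANAGED = {"samesite", "secure", "httponly"}


def _split_attrs(set_cookie: str):
    """'name=value; A=1; B' -> ('name=value', ['A=1', 'B'])"""
    parts = [p.strip() for p in set_cookie.split(";")]
    return parts[0], [p for p in parts[1:] if p]


def apply_cookie_protection(set_cookie: str, rule: CookieProtectionRule) -> str:
    """Rewrite one Set-Cookie header value the way the rule would; other cookies pass through."""
    pair, attrs = _split_attrs(set_cookie)
    if pair.split("=", 1)[0].strip() != rule.cookie_name:
        return set_cookie
    existing = {a.split("=", 1)[0].lower(): a for a in attrs}
    kept = [a for a in attrs if a.split("=", 1)[0].lower() not in MANAGED]
    if rule.samesite != "Ignore":
        kept.append(f"SameSite={rule.samesite}")   # rule overrides what the origin sent
    elif "samesite" in existing:
        kept.append(existing["samesite"])          # Ignore: keep the origin's choice (assumed)
    if rule.secure == "Add" or "secure" in existing:
        kept.append("Secure")
    if rule.httponly == "Add" or "httponly" in existing:
        kept.append("HttpOnly")
    return "; ".join([pair] + kept)


def cookie_warnings(set_cookie: str) -> list:
    """Checks worth running on the rewritten header before trusting the rule."""
    _, attrs = _split_attrs(set_cookie)
    names = {a.split("=", 1)[0].lower(): a.split("=", 1)[-1].lower() for a in attrs}
    warnings = []
    if names.get("samesite") == "none" and "secure" not in names:
        warnings.append("SameSite=None without Secure: browsers reject this cookie")
    if "httponly" not in names:
        warnings.append("HttpOnly missing: cookie readable from document.cookie")
    return warnings
```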
Step 5.2: Configure bot defense.
Note: You need to have bot defense enabled in your tenant as a service prior to configuring it for your load balancer.
- Go to the Bot Defense section. From the Bot Defense menu, select an option to configure bot defense. The following options are available:
  - Disable: No bot defense configuration is applied to the load balancer.
  - Enable: Specifies a bot defense configuration to apply to the load balancer. Follow the instructions in the Configure Bot Defense guide to set bot defense protection for your load balancer.
Step 5.3: Configure API protection.
Go to the API Protection section and do the following:
- From the API Definition menu, select whether to use an API definition. The default value is Disable, meaning an API definition is not used for this load balancer.
- If you select Enable:
  - From the API Definition menu, select the API definition.
  - To create a new definition, click Add item.
- From the Validation menu, select an option to perform OpenAPI specification validation. The options are:
  - Disabled: Default option. No validation is performed.
  - All Endpoints: Validate all endpoints listed in the OpenAPI specification file. Any other endpoints not listed act according to the Fall Through Mode.
  - Custom List: Define API groups, base paths, or API endpoints and their validation modes. Any other endpoints not listed act according to the Fall Through Mode.

Note: OpenAPI Validation ensures that API traffic complies with the specified schema and can block or report non-compliant traffic. Validation can be configured on a per-endpoint, per-group, or per-base-path basis. The Fall Through Mode allows identifying and handling shadow APIs by blocking, reporting, or allowing them. An allowed IPs list can be created so that requests from specific IP addresses pass OpenAPI Validation.

- From the OpenAPI Validation Processing Mode menu, select whether to Validate or Skip.
- From the Validation Enforcement Type menu, select an option to specify the type of enforcement.
- From the Request Validation Properties menu, select one or more of the following options:
  - Query Parameters: Incoming requests are validated against the query parameters specified in the API definition.
  - Path Parameters: Incoming requests are validated against the path parameters specified in the API definition.
  - Content-type: Incoming requests are validated against the content types specified in the API definition.
  - Cookie Parameters: Incoming requests are validated against the cookie parameters specified in the API definition.
  - HTTP Headers: Incoming requests are validated against the HTTP headers specified in the API definition.
  - HTTP Body: Incoming requests are validated against the HTTP body specified in the API definition.
- From the Fall Through Mode menu, select an action for every request that targets an endpoint which is not in the validation list.
- Select Configure in the API Protection Rules field. See the Configure API Protection Rules guide for more instructions.
- From the API Discovery menu, select Enable to enable API discovery.

Note: For more information, see Import Swagger to Define and Control API Groups.
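To make the Validation, Fall Through Mode and allowed IPs options above concrete, the following is an added example (not F5 code) of the per-request decision an OpenAPI-validating proxy makes: documented method and path pairs are validated, anything else is a shadow endpoint handled by the fall-through mode, and sources on the allowed IPs list skip validation. The path table, the requests, and the treatment of an undocumented method on a documented path as fall-through are assumptions.

```python
import ipaddress
import re

# Constructed mini OpenAPI path table (allowed methods per path template); a real
# deployment takes this from the API Definition object selected above.
SPEC_PATHS = {
    "/api/v1/users": ["GET", "POST"],
    "/api/v1/users/{id}": ["GET", "DELETE"],
    "/api/v1/orders/{orderId}/items": ["GET"],
}

# The three actions the Fall Through Mode note lists for undocumented endpoints.
FALL_THROUGH_MODES = ("allow", "report", "block")


def _template_regex(template: str):
    """'/users/{id}' -> regex that matches exactly one path segment per placeholder."""
    parts = re.split(r"(\{[^/}]+\})", template)
    pattern = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + pattern + "$")


def classify_request(spec_paths: dict, method: str, path: str, fall_through_mode: str,
                     source_ip: str = "", allowed_prefixes: list = ()) -> tuple:
    """Decide what the validator does with one request.

    Returns ("skip", None) for sources on the allowed IPs list, ("validate", template)
    for an endpoint documented in the spec, otherwise (fall_through_mode, None).
    """
    if fall_through_mode not in FALL_THROUGH_MODES:
        raise ValueError(f"fall_through_mode must be one of {FALL_THROUGH_MODES}")
    if source_ip:
        addr = ipaddress.ip_address(source_ip)
        if any(addr in ipaddress.ip_network(p, strict=False) for p in allowed_prefixes):
            return ("skip", None)
    # The query string and a trailing slash do not change which endpoint is targeted.
    path = path.split("?", 1)[0].rstrip("/") or "/"
    matched = [t for t in spec_paths if _template_regex(t).match(path)]
    for template in matched:
        if method.upper() in spec_paths[template]:
            return ("validate", template)
    # No template, or a documented path with an undocumented method (assumed shadow endpoint).
    return (fall_through_mode, None)
```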
Step 5.4: Configure DDoS protection.
Go to the DoS Protection section and do the following:
- Select Enable from the DDoS Detection menu.
- Optionally, select Enable from the Auto Mitigation menu. With this option set, a DDoS mitigation rule is created whenever a DDoS attack is detected. The mitigation rule blocks the malicious IP(s) and automatically expires after 10 minutes; however, the rule is recreated if the IP continues the DDoS attack. You can use the DDoS Mitigation Rules described below to create a more permanent blocking rule, if necessary.
- Optionally, select Configure for the DDoS Mitigation Rules to open the rules list page. Use Add Item to add a rule:
  - In the DDoS Mitigation Rule page, set a name for the rule.
  - Select a choice for the Mitigation Action and Mitigation Choice. The mitigation choice can be either a list of IP addresses or a combination of ASN, Region, and TLS Fingerprinting.
  - Click Apply to add the rule to the list of rules.
  - Click Apply to add the rules list to the DDoS protection configuration.

Note: The DDoS rules define the malicious clients (in other words, the clients attempting L7 DDoS attacks on your applications) that should be blocked. You can choose match condition rules, such as IP source and DDoS client source.

- Enter Request Timeout and Request Header Timeout values in Slow DDoS.

Note: See the Explore Security Monitoring > DDoS section in Monitor HTTP Load Balancer to learn more about observing and reacting to an active DDoS attack.
Step 5.5: Configure Client-Side Defense.
Ensure that this service is enabled for your tenant. See Client-Side Defense for more information and configuration instructions.
Step 5.6: Configure service policies.
Go to the Common Security Controls section and perform the following:
- From the Service Policies menu, select an option to apply the service policy. The following options are available:
  - Apply Namespace Service Policies: This option applies the service policy to an entire namespace.
  - Do Not Apply Service Policies: This option does not apply any service policy.
  - Apply Specified Service Policies: This option applies a service policy to a specified load balancer, not the entire namespace.
- To apply a specific service policy, select Apply Specified Service Policies, and perform the following:
  - Click Configure.
  - From the Policies menu, select a service policy, and then click Apply.
Step 5.7: Configure IP Reputation service.
For more information, see Deny Malicious IPs Using IP Threat Categories.
Step 5.8: Configure the user identification.
- From the User Identifier drop-down menu, select the method for user identification:
  - Select Client IP Address to use the user's IP address.
  - Select User Identification Policy to use the object to evaluate the identity. To create a new user ID, click Add item from the User Identification Policy menu.

Note: For more information, see Configure Rate Limiting per User.
Step 5.9: Configure malicious user detection.
From the Malicious User Detection drop-down menu, select Enable.
Step 5.10: Configure rate limiting.
- To configure rate limiting, select an option from the list:
  - Disable: Default option. No rate limiting is enabled for this load balancer.
  - API Rate Limit: Set rate limiting for specific API endpoints.
  - Custom Rate Limiting Parameters: Allows you to set custom parameters for rate limiting.

Note: For detailed instructions to set up rate limiting, see Configure API Rate Limiting.
Step 5.11: Configure challenge parameters.
- From the Challenge Type drop-down menu, select a challenge for all traffic served from the load balancer. The options include:
  - None: This is the default option. No challenge is enabled for this load balancer.
  - Javascript Challenge: This option enables you to configure a JavaScript challenge for this load balancer.
  - Captcha Challenge: This option enables you to configure a Captcha challenge for this load balancer.
  - Policy Based Challenge: This option enables you to set specific challenge policy rules for this load balancer.
- If you select Javascript Challenge, click View Configuration. Enter a delay value in milliseconds, and enter a cookie expiration value in seconds. Enter a custom message in ASCII or Base64 format. Click Apply. For more information, see Configure JavaScript Challenge.
- If you select Captcha Challenge, click View Configuration. Enter a cookie expiration value in seconds. Enter a custom message in ASCII or Base64 format. Click Apply.
- If you select Policy Based Challenge, click View Configuration:
  - From the Javascript Challenge Parameters menu, select the parameters to use. The options include:
    - Use Default Parameters: This option takes the default settings and applies them.
    - Javascript Challenge Parameters: This option enables you to define the challenge parameters.
  - From the Captcha Challenge Parameters menu, select the parameters to use. The options include:
    - Use Default Parameters: This option takes the default settings and applies them.
    - Captcha Challenge Parameters: This option enables you to define the challenge parameters.
  - From the Malicious User Mitigation Settings menu, select an option for malicious users at different threat levels:
    - Default: Applies low, medium, and high levels.
    - Custom: Defines different levels and actions to take. Click Create new Malicious User Mitigation to create a custom option.
  - From the Challenge type menu, select the default challenge type for all requests. The options include:
    - No Challenge: Default value.
    - Always enable JS Challenge: Enables JavaScript challenges for all requests.
    - Always enable Captcha Challenge: Enables Captcha challenges for all requests.
  - In the Rules section:
    - Click Configure.
    - Click Add Item.
    - Enter a Name value and an optional description.
    - In the Challenge Rule Specification field, select View Configuration.
    - From the Select Challenge Action Type drop-down menu, select the challenge action to take. Disable challenge is the default setting. The two other options are Enable javascript challenge and Enable captcha challenge.
    - From the Source IPv4 Match drop-down menu, select the source IP to match the requests. The options include:
      - Any Source IP: This option matches requests from any source IP.
      - IPv4 Prefix List: This option provides a list of prefix values. You must provide a list of IP prefixes.
      - IP Prefix Sets: This option provides a list of references to IP prefix set objects. You must create the prefix set.
    - From the Source ASN Match drop-down menu, select an option for the origin Autonomous System Number (ASN) to match requests:
      - Any Source ASN: This option matches any source ASN.
      - ASN List: This option provides a list of ASN values to match requests. You must enter the ASN values.
      - BGP ASN Sets: This option provides a list of references to Border Gateway Protocol (BGP) ASN set objects to match requests. You must create the ASN set.
    - From the Client Selection drop-down menu, select how clients match the challenge rules. The options include:
      - Any Client: This option matches all clients against the challenge rules.
      - Group of Clients by Label Selector: This option provides a label selector for the set of clients. You must select the expression from the list.
    - To configure the TLS fingerprint matcher, select Configure:
      - From the TLS fingerprint classes drop-down menu, select a class.
      - Optionally, you can add an exact value or exclude a value with Add item.
      - Click Apply.
    - Optionally, you can set the parameters for request matching in the Request Match section, and you can set an optional Expiration Timestamp in the Advanced Match section.
    - Click Apply.
  - Click Apply.
  - Click Apply.
- Click Apply.
Step 5.12: Configure trusted client rules.
These rules define specific clients for which WAF processing and Bot Defense are skipped. Add rules to allow trusted clients based on the configured match conditions. You can skip WAF, skip bot processing, or both. The match conditions include IP prefix, AS number, and HTTP headers to identify specific clients.
- To configure the Trusted Client Rules option:
  - Click Configure, and then click Add Item.
  - Complete the configuration process to add rules that allow trusted clients and prevent the WAF from applying the block rules you previously configured.
  - Click Apply.
  - Select the newly created rules option, and then click Apply.
Step 5.13: Configure client blocking rules.
You can choose match condition rules, such as IP prefix, AS number, and HTTP headers, to identify specific clients to block from accessing your applications.
- To configure the Client Blocking Rules option:
  - Click Configure, and then click Add Item.
  - Complete the configuration process to add rules that block specific clients from making requests.
  - Click Apply.
  - Select the newly created rules option, and then click Apply.
Step 5.14: Configure Cross-Origin Resource Sharing (CORS) policy.
- In the CORS Policy field, click Configure.
- To enable a specific origin server, click Add item under the Allow Origin field.
- To enable origin servers by regex, click Add item under the Allow Origin Regex field.
- Use the numbers to order the list of policies. You can drag and drop the rules up and down.
- After you finish, click Apply.
Step 6: Optionally, set other settings.
In the Other Settings section, perform additional configuration.
Step 6.1: Configure VIP advertisement.
- From the VIP Advertisement drop-down menu, select one of the available options:
  - Select Internet to advertise the default VIP on the public network.
  - Select Internet (Specified VIP) and enter an IP address in the Public IP field to advertise that IP as the VIP on a public network.
  - Select Custom. Click Configure in the Advertise Custom field, and then perform the configuration per the following guidelines:
    - Select Add Item.
    - From the Select Where to Advertise menu, select Site or Virtual Site.
    - From the Site Network menu, select an option.
    - From the Site Reference menu, select an option. In case of a site, you can also optionally set an IP address as the VIP.
    - Enable the Show Advanced Fields option.
    - Configure a TCP listener port or select a default option for the TCP Listen Port Choice field. The default option sets port 80 for the HTTP load balancer and 443 for the HTTPS load balancer.
    - Click Apply.
  - Click Apply.
  - Select Do Not Advertise to disable VIP advertisement.

Note: If you have enabled Internet VIP on the AWS cloud site to allow clients to access the load balancer VIP directly from the internet, set the VIP Advertisement selection to Custom, and then configure the custom VIP advertisement to advertise on a Site or Virtual Site with Site Network set to either Outside Network with internet VIP or Inside and Outside Network with internet VIP. For more information, see Create AWS Site.
Note: The following ports are not supported for advertising on a Distributed Cloud Services site:
- K8s node port range 28000-32767
- Distributed Cloud Services port range 65000-65535
- 10249
- 10250
- 10251
- 10252
- 10256
- 10257
- 10259
- 1067
- 18091
- 18092
- 18093
- 18095
- 22
- 22222
- 2379
- 23790
- 23791
- 2380
- 23801
- 23802
- 323
- 4500
- 500
- 53
- 5355
- 6443
- 68
- 8005
- 8007
- 8087
- 8443
- 8444
- 8505
- 8507
- 9007
- 9090
- 9153
- 9999
Step 6.2: Configure load balancer control and requests.
- From the Load Balancing Algorithm menu, set how the HTTP/HTTPS requests are load balanced. The options include:
  - Round Robin: This option sends requests to all eligible servers in a round-robin fashion.
  - Least Active Request: This option sends requests to the origin server that has the fewest active requests.
  - Random: This option sends requests to all origin servers randomly.
  - Source IP Stickiness: This option sends requests to origin servers using the hash value of the source IP.
  - Cookie Based Stickiness: This option sends requests to all origin servers using the hash value of the source IP. Requires you to further configure the parameters.
  - Ring Hash Policy: This option sends requests to origin servers using the hash value of the request. Requires you to further configure the parameters.
- If you select Cookie Based Stickiness:
  - In the Name field, enter a name for the cookie.
  - Optionally, set a TTL value in milliseconds and set a path name value.
- If you select Ring Hash Policy:
  - Click Configure to specify a list of hash policies to use.
  - Click Add Item.
  - From the Hash Policy Specifier drop-down menu, select what to apply the hash policy to. The options include:
    - Cookie: Hash policies are applied to a cookie.
    - Header Name: Hash policies are applied to the request header with the given name, which is used to obtain the hash key.
    - Source IP: Hash policies are applied to the source IP address.
  - In the Name field, enter a name for the cookie that is used to obtain the hash key.
  - To apply the hash policy as a terminal policy, select the Terminal option.
  - Click Apply.
  - Select the newly created hash policy, and then click Apply.
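The Ring Hash Policy options above (the Hash Policy Specifier, the Name, and the Terminal option) describe a consistent-hash ring fed by one or more per-request keys. The following is an added example, not F5 product code, that implements that model in Python; the hash function, the way the keys of several policies are combined, and the terminal semantics (later policies are skipped once a terminal policy has produced a key) are assumptions, and the origins and requests are constructed.

```python
import bisect
import hashlib
from dataclasses import dataclass, field
from typing import Optional


def _h(data: str) -> int:
    """64-bit hash for ring points and request keys (SHA-256 prefix; assumed, not the product's)."""
    return int.from_bytes(hashlib.sha256(data.encode()).digest()[:8], "big")


@dataclass
class HashPolicy:
    specifier: str          # "Cookie", "Header Name" or "Source IP", as in the Hash Policy Specifier menu
    name: str = ""          # cookie or header name; ignored for Source IP
    terminal: bool = False  # the Terminal option: stop after this policy if it produced a key


@dataclass
class Request:
    source_ip: str
    headers: dict = field(default_factory=dict)   # lower-case header names
    cookies: dict = field(default_factory=dict)


def request_hash(req: Request, policies: list) -> Optional[int]:
    """Fold the keys produced by each policy into one hash; None if no policy found a key."""
    combined = None
    for p in policies:
        if p.specifier == "Cookie":
            key = req.cookies.get(p.name)
        elif p.specifier == "Header Name":
            key = req.headers.get(p.name.lower())
        elif p.specifier == "Source IP":
            key = req.source_ip
        else:
            raise ValueError(f"unknown hash policy specifier: {p.specifier}")
        if key is None:
            continue                      # this policy does not match the request
        part = _h(f"{p.specifier}:{p.name}:{key}")
        combined = part if combined is None else _h(f"{combined}:{part}")
        if p.terminal:
            break                         # terminal policy: later policies are not evaluated
    return combined


class Ring:
    """Consistent-hash ring; each origin owns `replicas` virtual points."""

    def __init__(self, origins: list, replicas: int = 128):
        self.points = sorted((_h(f"{o}#{i}"), o) for o in origins for i in range(replicas))
        self.keys = [pt for pt, _ in self.points]

    def pick(self, h: int) -> str:
        """First point clockwise from h, wrapping around the ring."""
        idx = bisect.bisect_left(self.keys, h) % len(self.keys)
        return self.points[idx][1]


def route(req: Request, policies: list, ring: Ring) -> Optional[str]:
    """Origin for the request, or None when no policy produced a key (caller falls back)."""
    h = request_hash(req, policies)
    return None if h is None else ring.pick(h)


def moved_keys(policies: list, before: list, after: list, n: int = 500) -> int:
    """Count constructed requests whose origin changed between two origin sets although
    their original origin is still present; consistent hashing keeps this at 0."""
    ring_before, ring_after = Ring(before), Ring(after)
    moved = 0
    for i in range(n):
        req = Request(f"203.0.113.{i % 200}", cookies={"session": f"s{i}"})
        old, new = route(req, policies, ring_before), route(req, policies, ring_after)
        if old in after and old != new:
            moved += 1
    return moved
```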
Step 6.3: Configure trusted client IP headers.
- Select Enable from the Trusted Client IP Headers drop-down menu.
- Use the Add Item button to add one or more headers. The headers are processed in the numerical order they are added, as shown on the page.

Note: When trusted client IP headers are enabled, the system uses the real client IP address as the source IP, instead of the proxy's IP address.
Step 6.4: Configure additional settings.
- Select the Add Location checkbox to specify the regional edge (RE) site name in the response headers.
- Click Configure in the More Options field and perform the configuration per the following guidelines:
  - In the Header Options section, click Add Item and add details in each of the request header and response header fields to specify the headers to add and remove.
  - In the Configure Error Response Options section, click Configure to customize error responses.
  - In the Miscellaneous Options section, click Configure. Complete the configuration options.
- Click Apply.
Step 7: Complete creating the load balancer.
Click Save and Exit.
Step 8: Verify the load balancer status.
Note: If the load balancer is of type HTTP, then it is reachable by the configured domains as well as by the automatically generated CNAME.
Delegated Domain:
- Wait for the DNS Info and Certificate status fields to display the VIRTUAL_HOST_READY and Certificate status Valid values.
- Verify that requests to your virtual host domain are processed and load balanced between the configured origin servers.

Note: The Certificate expiration date column displays the expiration date for the certificates. Certificates managed by F5 Distributed Cloud Services are issued for 90 days and auto-renewed 75 days after the date of issuance.

Non-Delegated Domain:
- Verify that the Certificate status field shows Domain Challenge Pending.
- Click > to view the load balancer information in JSON format.
- Verify that an ACME challenge record exists under the get_spec > auto_cert_info > dns_records field in the JSON. The record name starts with _acme-challenge and the value is the name of the TXT record created by Distributed Cloud Services.
- Create a CNAME record with the obtained ACME challenge name and value in your DNS server.
- Verify that the Certificate status field value changes to Certificate Valid.
- Verify that the Certificate expiration date field value displays the expiration date for the certificates.
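The following added example (not F5 code) pulls the _acme-challenge records out of the JSON view described in the non-delegated domain steps, renders the CNAME lines to create, and compares a resolver's answer with the expected value. The item keys name, value and type, the placeholder record values and the constructed JSON are assumptions about the shape of that view.

```python
import json

# Constructed sample of the JSON view (get_spec > auto_cert_info > dns_records);
# the item keys and the record values are placeholders, not real Distributed Cloud output.
SAMPLE_LB_JSON = json.dumps({
    "get_spec": {
        "auto_cert_info": {
            "dns_records": [
                {"name": "_acme-challenge.www.example.com", "type": "CNAME",
                 "value": "_acme-challenge.www.example.com.PLACEHOLDER-ID.acme-host.example."},
                {"name": "_acme-challenge.api.example.com", "type": "CNAME",
                 "value": "_acme-challenge.api.example.com.PLACEHOLDER-ID.acme-host.example."},
                {"name": "www.example.com", "type": "CNAME",
                 "value": "PLACEHOLDER-LB-CNAME.example."},
            ]
        }
    }
})


def acme_challenge_records(lb_json: str) -> list:
    """(name, value) for every dns_records entry whose name starts with _acme-challenge."""
    spec = json.loads(lb_json)
    records = spec.get("get_spec", {}).get("auto_cert_info", {}).get("dns_records") or []
    found = []
    for rec in records:
        name, value = rec.get("name", ""), rec.get("value", "")
        if name.startswith("_acme-challenge") and value:
            found.append((name, value))
    return found


def _fqdn(name: str) -> str:
    """Normalise a DNS name for comparison: lower-case, no trailing dot."""
    return name.strip().lower().rstrip(".")


def cname_zone_lines(lb_json: str, ttl: int = 300) -> list:
    """BIND-style CNAME lines for your DNS server, one per challenge record."""
    return [f"{_fqdn(name)}. {ttl} IN CNAME {_fqdn(value)}."
            for name, value in acme_challenge_records(lb_json)]


def cname_matches(observed_target: str, expected_value: str) -> bool:
    """True if the CNAME target your resolver returns is the value Console showed."""
    return _fqdn(observed_target) == _fqdn(expected_value)
```

Once the CNAME is published, query it from an external resolver and feed the returned target to cname_matches before waiting on the Certificate status field.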
Note: Some client browsers can employ a performance optimization known as "connection coalescing." In this optimization, if two host names resolve to the same IP address and are present in the same TLS certificate, the HTTP/2 connection is reused between them. This can land the HTTP request in the wrong load balancer and result in a 404 error. See the HTTP/2 RFC for more information.