HTTP Load Balancer

Objective

This guide provides instructions on how to create an HTTP load balancer in F5® Distributed Cloud Console (Console) using guided configuration, which walks you through the steps from metadata to advanced configuration. This includes configuring the required objects for the virtual host. To know more about virtual host concepts, see Virtual Host.

Using guided creation for HTTP load balancer, you can create the following types of load balancers:

  • HTTP load balancer
  • HTTPS load balancer with your own TLS certificate
  • HTTPS load balancer with automatic TLS certificate (minted by F5® Distributed Cloud Services)

Using the instructions provided in this guide, you can perform the following:

  • Create and advertise an HTTP load balancer
  • Create and advertise an HTTPS load balancer with your TLS certificate or with the certificate minted by Distributed Cloud Services

Note: Distributed Cloud Services supports automatic certificate generation and management. You can either delegate your domain to Distributed Cloud Services or add the CNAME record to your DNS records in case you do not delegate the domain to Distributed Cloud Services. See Automatic Certificate Generation for certificates managed by Distributed Cloud Services. See Delegate Domain for more information on how to delegate your domains to Distributed Cloud Services.


Prerequisites

The following prerequisites apply:

  • A Distributed Cloud Services Account. If you do not have an account, see Create an Account.

  • A valid DNS domain delegated to Distributed Cloud Services in case you want Distributed Cloud Services to act as domain name server. For instructions on how to delegate your domain to Distributed Cloud Services, see Delegate Domain.

  • A Distributed Cloud Services Customer Edge (CE) site in case of deploying your applications on CE sites. If you do not have a site, create a site using the instructions included in the Site Management guides. See the vK8s Deployment guide for deploying your applications on the Distributed Cloud Services network cloud or edge cloud.


Configuration

The following video shows a tutorial for HTTP load balancer creation:

The configuration option to create the HTTP load balancer guides you through the steps for required configuration. This document covers each guided step and explains the required actions to be performed for each step.

Step 1: Log into Console.
  • Log into Console.

  • Click Load Balancers.

Figure: Console Homepage

  • Select Manage > Load Balancers > HTTP Load Balancers.

Figure: Load Balancers

  • Click Add HTTP Load Balancer.
Step 2: Start load balancer creation process.

Open the load balancer creation form and perform the following steps:

Step 2.1: Configure metadata, domains, and load balancer type.
  • In the Name field, enter a name for the new load balancer.

  • Optionally, select a label and enter a description.

  • In the List of Domain field, enter a domain name. You can use wildcards to catch prefixes and suffixes.

  • Click Add item to add more domains.

  • Select an option for the Select Type of Load Balancer. The following options are supported:

    • Select HTTP to create the HTTP load balancer.

    • Select HTTPS with Automatic Certificate to create the HTTPS load balancer with an automatic TLS certificate.

    • Select HTTPS with Custom Certificate to create the HTTPS load balancer with your custom TLS certificate.

  • If you select HTTP, select whether to have Distributed Cloud Services manage your DNS records with Automatically Manage DNS Records. This option requires you to have delegated your domain to Distributed Cloud Services.

  • Optionally, select HTTP Redirect to HTTPS and Add HSTS Header checkboxes for HTTPS with Automatic Certificate or HTTPS with Custom Certificate options.

This example configures an HTTPS load balancer with an automatic TLS certificate:

Figure: Metadata and Basic Configuration

  • From the Select TLS security drop-down menu, select the security level for TLS configuration.

  • If you are using the HTTPS with Custom Certificate option:

    • Set the TLS configuration using the Configure option under the HTTP Loadbalancer TLS Parameters field.

    • From the Select TLS security drop-down menu, confirm the TLS security level.

    • In the TLS Certificates section, click Add Item.

    • For the certificate URL encoding, select PEM or base64(binary), and then enter the certificate URL.

    • To configure the private key, click Configure.

    • Under the Secret section, configure the settings for the private key, and then click Apply.

    • From the OCSP Stapling choice drop-down menu, select the OCSP stapling choice.

    • Click Add Item.

    • In the TLS Certificates section, click Apply.

  • If you are using the HTTPS with Automatic Certificate option:

    • From the mTLS choice with clients drop-down menu, select an option for mutual TLS encryption.

    • From the Server Header value to be used in response drop-down menu, select a value for the server header. The following options are supported:

      • Default value for Server header: Specifies that a value of volt-adc be added to the server header.

      • Server Name: Specifies that a custom value be added to existing server headers. Requires you to enter a custom value in the Server Name field.

      • Append Server Name if absent: Specifies that a value be added if no existing server header is present. If there is an existing server header, this option does not overwrite its value. Requires you to enter a custom value in the Append Server Name if absent field.

      • Pass existing Server header: Specifies that no value is appended if there is no existing value.

    • From the Path normalize drop-down menu, select whether to enable path normalization.

Step 2.2: Configure default origin pool.
  • In the Default Origin Servers section, click Add Item.

  • Click Show Advanced Fields.

  • From the Origin Pool drop-down menu, select an origin pool. To create a new origin pool, click Create new origin pool. Follow the instructions at Origin Pools.

Figure: Origin Pool Configuration

  • In the Weight field, set the numeric value.

  • In the Priority field, set the numeric value.

  • Click Add Item.

Step 3: Optionally, configure routes.
  • Click Show Advanced Fields.

  • Click Configure.

  • Click Add item.

  • From the Select Type of Route menu, select an option.

  • For Simple Route:

    • Select Simple Route to match a path and/or HTTP methods and forward the matching traffic to the configured origin pools.

    • Select a method for HTTP Method and a path for the Path Match field.

    • Add a path prefix in the Prefix field. You can also configure specific origin pools for this route using the Add Item option in the Origin Pools section.

    • From the Select Host Rewrite Method menu, select an option to specify how the host header is rewritten when the request is forwarded.

    • In the Advanced Options field, click Configure to configure advanced settings for each route.

  • For Redirect Route:

    • Select Redirect Route to match a path and/or HTTP methods and redirect the matching traffic to another URL.

    • Select a method for HTTP Method and a path for the Path Match field.

    • Add a path prefix in the Prefix field.

    • Configure the Redirect Parameters for Protocol, Host, Path for redirect URL, and Response Code.

    • Select an option from the Query Parameters drop-down menu.

  • For Direct Response Route:

    • Select Direct Response Route to match a path and/or HTTP methods and send a response directly to the matching traffic.

    • Select a method for HTTP Method and a path for the Path Match field.

    • Add a path prefix in the Prefix field.

    • Click the Configure option in the Direct Response field, enter a response code, enter response text, and then click Apply.

  • Click Apply to add the route.

Note: You can click Add Item to add more routes per your requirements.

Step 4: Configure VIP advertisement.
  • From the Where to Advertise the VIP drop-down menu, select one of the options:

    • Select Advertise on Internet to advertise the default VIP on the public network.

    • Select Advertise on Internet (Specified VIP) and enter an IP address in the Public IP field to advertise that IP as the VIP on the public network.

    • Select Advertise Custom, click Configure in the Advertise Custom field, and perform the configuration per the following guidelines:

      • Click Show Advanced Fields.

      • Click Add Item.

      • From the Select Where to Advertise menu, select Site or Virtual Site.

      • From the Site Network menu, select an option.

      • From the Site Reference menu, select an option. In case of a site, you can also optionally set an IP address as the VIP.

      • Click Add Item.

      • Configure a TCP listener port or select a default option for the TCP Listen Port Choice field. The default option sets port 80 for the HTTP load balancer and 443 for the HTTPS load balancer.

      • Click Apply to add the custom VIP advertisement configuration.

    • Select Do Not Advertise to disable VIP advertisement.

Note: The default option is Advertise On Internet. To set the other options, enable the Show Advanced Fields option.

Note: The following ports are not supported for advertising on a Distributed Cloud Services site:

  • K8s node port range 28000-32767
  • Distributed Cloud Services port range 65000-65535
  • 10249
  • 10250
  • 10251
  • 10252
  • 10256
  • 10257
  • 10259
  • 1067
  • 18091
  • 18092
  • 18093
  • 18095
  • 22
  • 22222
  • 2379
  • 23790
  • 23791
  • 2380
  • 23801
  • 23802
  • 323
  • 4500
  • 500
  • 53
  • 5355
  • 6443
  • 68
  • 8005
  • 8007
  • 8087
  • 8443
  • 8444
  • 8505
  • 8507
  • 9007
  • 9090
  • 9153
  • 9999
Step 5: Optionally, set security configuration.
Step 5.1: Configure service policy.
  • In the Security Configuration section, enable the Show Advanced Fields options.

  • From the Service Policies menu, select an option to apply the service policy. The following options are available:

    • Apply Namespace Service Policies: This option applies the service policy to an entire namespace.

    • Do Not Apply Service Policies: This option does not apply any service policy.

    • Apply Specified Service Policies: This option applies a service policy to a specified load balancer, not the entire namespace.

Step 5.2: Configure bot defense and CORS policy.

Note: You need to have bot defense enabled in your tenant as a service prior to configuring it for your load balancer.

  • From the Bot Defense Config menu, select an option to configure bot defense. The following options are available:

    • Disable Bot Defense: No bot defense configuration is applied to the load balancer.

    • Specify Bot Defense Configuration: Specifies a bot defense configuration for you to apply to the load balancer. For this option, click Configure to set the configuration.

  • In the CORS Policy field, click Configure and set the CORS policy configuration.

  • Click Apply to associate the CORS policy to the load balancer.

Step 5.3: Configure challenge parameters.
  • From the Select Type of Challenge drop-down menu, select a challenge for all traffic served from the load balancer. The options include:

    • No Challenge: This is the default option. No challenge is enabled for this load balancer.

    • Javascript Challenge: This option enables you to configure a JavaScript challenge for this load balancer.

    • Captcha Challenge: This option enables you to configure a Captcha challenge for this load balancer.

    • Policy Based Challenge: This option enables you to set specific challenge policy rules for this load balancer.

    • If you select the JavaScript challenge, click Configure. Enter a delay value in milliseconds, and enter a cookie expiration value in seconds. Enter a custom message in either ASCII or Base64 format. Click Apply. For more information, see Configure JavaScript Challenge.

    • If you select the Captcha challenge, click Configure. Enter a cookie expiration value in seconds. Enter a custom message in either ASCII or Base64 format. Click Apply.

    • If you select Policy Based Challenge, click Configure.

      • In the Javascript Challenge Parameters section, select the parameters to use. The options include:

        • Use Default Parameters: This option takes the default settings and applies them.

        • Javascript Challenge Parameters: This option enables you to define the challenge parameters.

      • In the Captcha Challenge Parameters section, select the parameters to use. The options include:

        • Use Default Parameters: This option takes the default settings and applies them.

        • Captcha Challenge Parameters: This option enables you to define the challenge parameters.

      • From the Select Type of Challenge drop-down menu, select the default challenge type for all requests. The options include:

        • No Challenge: Default value.

        • Always enable JS Challenge: Enables JavaScript challenges for all requests.

        • Always enable Captcha Challenge: Enables Captcha challenges for all requests.

      • In the Challenge rule list section:

        • Click Configure.

        • Click Add Item.

        • Enter a Name value and an optional description.

        • In the Challenge Rule Specification field, click Configure.

        • From the Select Challenge Action Type drop-down menu, select the challenge action to take. Disable challenge is the default setting. The two options include Enable javascript challenge and Enable captcha challenge.

        • Under the Clients section, click Show Advanced Fields.

          • From the Source IPv4 Match drop-down menu, select the source IP to match the requests. The options include:

            • Any Source IP: This option enables any source IP to match requests.

            • IPv4 Prefix List: This option provides a list of prefix values. You must provide a list of IP prefixes.

            • IP Prefix Sets: This option provides a list of references to IP prefix set objects. You must create the prefix set.

          • From the Source ASN Match drop-down menu, select an option for the origin Autonomous System Number (ASN) to match requests:

            • Any Source ASN: This option matches any source ASN.

            • ASN List: This option provides a list of ASN values to match requests. You must enter the ASN values.

            • BGP ASN Sets: This option provides a list of references for Border Gateway Protocol (BGP) ASN objects to match requests. You must create the ASN set.

          • From the Client Selection drop-down menu, select how the clients will match the challenge rules. The options include:

            • Any Client: This option is for all clients to match the challenge rules.

            • Group of Clients by Label Selector: This option provides a label selector for the set of clients. You must select the expression from the list.

          • To configure the TLS fingerprint matcher, click Configure.

          • Click Show Advanced Fields.

          • From the TLS fingerprint classes drop-down menu, select a class.

          • Optionally, you can add an exact value or exclude a value with Exact Values and Excluded Values, respectively.

          • Click Apply.

          • Optionally, you can set the parameters for the request matching from the Request Match section, and you can set an optional Expiration Timestamp from the Advanced Match section.

          • Click Apply.

        • Click Add Item.

        • Click Apply.

      • Click Apply.

Step 5.4: Configure the user ID policy.
  • From the User Identifier drop-down menu, select the method for user identification:

    • Select Client IP Address to use the user's IP address.

    • Select User Identification Policy to use the object to evaluate the identity. To create a new user ID, click Create new user identification from the User Identification Policy menu.

Step 5.5: Configure rate limiting.
  • To configure rate limiting, select an option from the list:

    • Disable Rate Limiting: Default option. No rate limiting is applied.

    • Rate Limiting Parameters: Enables you to set specific parameters to rate limit.

      • Click Configure.

      • Click Show Advanced Fields.

      • Under the Rate Limit Configuration section, configure the options marked with an asterisk (*) symbol.

      • Click Apply.

Step 5.6: Configure client blocking rules.
  • To configure the Client Blocking Rules option:

    • Click Configure, and then click Add Item.

    • Complete the configuration process to add rules to block specific clients from making requests.

    • Click Add Item.

    • Select the newly created rules option and then click Apply.

Step 5.7: Configure trusted client rules.
  • To configure the Trusted Client Rules option:

    • Click Configure, and then click Add Item.

    • Complete the configuration process to add rules to allow trusted clients and to prevent the WAF from applying the block rules you previously configured.

    • Click Add Item.

    • Select the newly created rules option and then click Apply.

Step 5.8: Configure DDoS rules.
  • To configure the DDoS Mitigation Rules option:

    • Click Add Item.

    • Click Configure, and then click Add Item.

    • Complete the configuration process to add rules to mitigate potential DDoS attacks and block them.

    • Click Add Item.

    • Select the newly created rules option and then click Apply.

Step 5.9: Configure machine learning (ML) option.
  • To configure the ML Config option:

    • Select Single Load Balancer Application to apply the ML settings to this load balancer only. Complete the configuration process by selecting options from the API Discovery, Learn From Traffic With Redirect Response, DDoS Detection, and Malicious User Detection menus.

    • Select Multi Load Balancer Application to apply the ML settings to multiple load balancers.

Step 6: Configure load balancer control and requests.
  • Under the Load Balancing Control section, set how the HTTP/HTTPS requests are load balanced. The options include:

    • Round Robin: This option sends requests to all eligible servers in a round robin fashion.

    • Least Active Request: This option sends requests to the origin server that has the fewest active requests.

    • Random: This option sends requests to all origin servers randomly.

    • Source IP Stickiness: This option sends requests to all origin servers using the hash value of the source IP.

    • Cookie Based Stickiness: This option sends requests to all origin servers using the hash value of the source IP. Requires you to further configure the parameters.

    • Ring Hash Policy: This option sends requests to all origin servers using the hash value of the request. Requires you to further configure the parameters.

  • If you select Cookie Based Stickiness:

    • In the Name field, enter a name for the cookie.

    • Optionally, set a TTL value in milliseconds and set a path name value.

  • If you select Ring Hash Policy:

    • Click Configure to specify a list of hash policies to use.

    • Click Add Item.

    • From the Hash Policy Specifier drop-down list, select what to apply the hash policy to. The options include:

      • Cookie: Hash policies are applied to a cookie.

      • Header Name: The hash policy is applied to the request header with the specified name; that header's value is used to obtain the hash key.

      • Source IP: Hash policies are applied to the source IP address.

    • In the Name field, enter a name for the cookie that is used to obtain the hash key.

    • To apply the hash policy as a terminal policy, select the option Terminal.

    • Click Add Item.

    • Select the newly created hash policy and then click Apply.

Step 7: Optionally, set advanced configuration.
  • In the Advanced Configuration section, click Show Advanced Fields.

  • Select the Add Location checkbox to specify the RE site name in the header responses.

  • Click Configure in the More Options field and perform the configuration per the following guidelines:

    • In the Header Options section, click Show Advanced Fields and fill in the request headers and response headers fields to specify which headers to add and which to remove.

    • In the Configure Error Response Options section, click Show Advanced Fields and then click Configure to customize error responses.

    • In the Miscellaneous Options section, click Show Advanced Fields and then click Configure. Complete the configuration options.

  • Click Apply.

Step 8: Complete creating the load balancer.

Click Save and Exit.

Step 9: Verify the load balancer status.
Delegated Domain:
  • Wait for the DNS Info and Certificate status to display the VIRTUAL_HOST_READY and Certificate Valid values.

Figure: Load Balancer Created

  • Verify that the requests to your virtual host domain are processed and load balanced between the configured origin servers.

Note: The Certificate expiration date column displays the expiration date for the certificates. Certificates managed by F5 Distributed Cloud Services are issued for 90 days and auto-renewed after 75 days from the date of issuance.

Non-Delegated Domain:
  • Verify that the Certificate status field shows Domain Challenge Pending.

  • Click > to view the load balancer information in JSON format.

  • Verify that an ACME challenge record exists under the get_spec > auto_cert_info > dns_records field in the JSON. The record name starts with _acme-challenge and the value is the name of the TXT record created by Distributed Cloud Services.

  • Create a CNAME record with the obtained ACME challenge string in your DNS server.

  • Verify that the Certificate status field value changes to Certificate Valid.

  • The Certificate expiration date column displays the expiration date for the certificates.
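The check in the Non-Delegated Domain steps above can be scripted. The following is an added example, not code from F5 or this guide: it pulls the _acme-challenge records out of the load balancer JSON and compares each with what DNS actually returns for the CNAME. The sample JSON, the per-record keys name/type/value and the target hostname are assumptions for the example.

```python
import json
from typing import Callable, Dict, Optional

# Constructed sample of the load balancer JSON shown in Console (click ">" on
# the load balancer row). Only the path the guide names is modelled:
# get_spec > auto_cert_info > dns_records. The per-record keys "name", "type"
# and "value", and the target hostname, are assumptions for this example.
SAMPLE_LB_JSON = json.dumps({
    "metadata": {"name": "example-lb", "namespace": "example-ns"},
    "get_spec": {
        "domains": ["www.example.com"],
        "auto_cert_info": {
            "dns_records": [
                {
                    "name": "_acme-challenge.www.example.com",
                    "type": "CNAME",
                    "value": "REPLACE-WITH-VALUE-FROM-CONSOLE.example.net",
                }
            ],
        },
    },
})


def extract_acme_records(lb_json: str) -> Dict[str, str]:
    """Return {record_name: expected_cname_target} for every _acme-challenge record."""
    spec = json.loads(lb_json).get("get_spec", {})
    records = spec.get("auto_cert_info", {}).get("dns_records", [])
    expected = {}
    for rec in records:
        name = rec.get("name", "")
        if name.startswith("_acme-challenge"):
            expected[name.rstrip(".").lower()] = rec.get("value", "").rstrip(".").lower()
    return expected


def verify_acme_cnames(expected: Dict[str, str],
                       resolve_cname: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Compare each expected CNAME against what DNS returns.

    resolve_cname(name) returns the CNAME target, or None when no record exists.
    Result values per record: "ok", "missing" or "mismatch:<actual target>".
    """
    report = {}
    for name, target in expected.items():
        actual = resolve_cname(name)
        if actual is None:
            report[name] = "missing"
        elif actual.rstrip(".").lower() == target:
            report[name] = "ok"
        else:
            report[name] = f"mismatch:{actual.rstrip('.').lower()}"
    return report


def live_resolver(name: str) -> Optional[str]:
    """Real lookup with dnspython (pip install dnspython); not used by the offline demo."""
    import dns.resolver  # assumed to be installed when this resolver is used
    try:
        answer = dns.resolver.resolve(name, "CNAME")
        return str(answer[0].target)
    except Exception:
        return None


if __name__ == "__main__":
    expected = extract_acme_records(SAMPLE_LB_JSON)
    # Stand-in resolver so the demo runs offline; pass live_resolver for a real check.
    fake_dns = {"_acme-challenge.www.example.com": "replace-with-value-from-console.example.net."}
    print(verify_acme_cnames(expected, fake_dns.get))
```

A record reported as "missing" or "mismatch" is the reason the Certificate status stays at Domain Challenge Pending.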

Note: If the load balancer is of type HTTP, then it is reachable by configured domains as well as automatically generated CNAME.

Note: Some client browsers can employ a performance optimization known as "connection coalescing". In this optimization, if two host names resolve to the same IP address and are present in the same TLS certificate, the HTTP/2 connection will be reused between them. This can land the HTTP request in the wrong load balancer and result in a 404 error. See the HTTP/2 RFC for more information.
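To find domain pairs that the coalescing note describes before they produce 404s, the following added example (not part of this guide or of F5's code) takes the load balancer domains, the addresses each resolves to and the SAN names in the certificate served for each, and reports pairs that share an address and are covered by one certificate. The sample domains, addresses and certificates are constructed for the demo; the resolve and cert_sans callables are assumptions you replace with real lookups.

```python
from itertools import combinations
from typing import Callable, FrozenSet, List, Set, Tuple


def san_matches(san: str, host: str) -> bool:
    """Exact-name match, or a '*.' wildcard covering exactly one leftmost label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return False


def coalescing_risk(hosts: List[str],
                    resolve: Callable[[str], Set[str]],
                    cert_sans: Callable[[str], FrozenSet[str]]) -> List[Tuple[str, str]]:
    """Return host pairs a browser may coalesce onto one HTTP/2 connection.

    resolve(host)   -> set of IP addresses the host resolves to.
    cert_sans(host) -> SAN names of the certificate served for that host.
    A pair is at risk when both share an address and the certificate presented
    for either host also covers the other (the two conditions in the note above).
    """
    addrs = {h: resolve(h) for h in hosts}
    sans = {h: cert_sans(h) for h in hosts}
    risky = []
    for a, b in combinations(hosts, 2):
        if not (addrs[a] & addrs[b]):
            continue
        a_covers_b = any(san_matches(s, b) for s in sans[a])
        b_covers_a = any(san_matches(s, a) for s in sans[b])
        if a_covers_b or b_covers_a:
            risky.append((a, b))
    return risky


# Constructed demo data: two load balancers advertised on the same VIP, the first
# serving a wildcard certificate that also covers the second domain; a third
# load balancer sits on a different VIP and is therefore not at risk.
DEMO_ADDRS = {
    "www.example.com": {"192.0.2.10"},
    "api.example.com": {"192.0.2.10"},
    "shop.example.com": {"192.0.2.20"},
}
DEMO_SANS = {
    "www.example.com": frozenset({"www.example.com", "*.example.com"}),
    "api.example.com": frozenset({"api.example.com"}),
    "shop.example.com": frozenset({"*.example.com"}),
}

if __name__ == "__main__":
    print(coalescing_risk(list(DEMO_ADDRS), DEMO_ADDRS.get, DEMO_SANS.get))
```

Pairs it reports can be separated with Advertise on Internet (Specified VIP) so they no longer share an address, or by issuing certificates whose names do not overlap.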

