A10 Thunder VIP – well…

Time to lay down a basic VIP. Sure, this is easy stuff for experts; for some, it will be very new. Let’s talk about the User Acceptance to Production dilemma first, shall we?

Often we have a test environment, and (very) often we are not the application developers. Always set up a test VIP with HTTPS (only) and never concede to also having port 80 in that environment. HTTPS is a pain – I know. Here’s why you never open an HTTP port for a test environment: suppose the app is somehow dependent upon HTTP. If you set up an HTTP path to the same resources on the test environment – the dependency is invisible to the developers. This is your fault.

If you create a direct HTTP path to the application in parallel to the HTTPS path, all sorts of bad things could happen.

You say: OK, I hear that. What about a redirection?

Um yeah – is this a “hard” redirect or are you also propagating the path and full URI like so many examples might provide?

It does not matter how careful you are when providing HTTP access to the test environment. Developers are very creative (bless them). Something will go wrong. The solution to all future issues in the production environment is to create hard errors the developers see. Functionality fails and QA does not pass. Only this provides the feedback necessary to prevent deployment issues that hide behind an HTTP dependency.

When you go to production you will force a port 80 HTTP redirection to the home page of the application (with NO path or query strings) with the confidence this will not disrupt the application functionality. You know this because port 80 HTTP was never available in the test environment.
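A check for the rule above, as an added example that is not from the original post: it classifies what a port 80 listener does with a request that carries a path and query string, so test can be asserted closed and production asserted to be a hard redirect. The verdict names, the probe path and the EXPECTED table are assumptions made for illustration; example.mcyork.com is the host name from the config in this post.

```python
import http.client
from urllib.parse import urlsplit

# Assumed policy table: what port 80 should look like per environment.
EXPECTED = {"test": "closed", "production": "hard-redirect"}

def classify_port80(status, location, app_host):
    """Classify a port-80 answer to a deep-link request.
    status is None when nothing answered (refused or timed out)."""
    if status is None:
        return "closed"                # no HTTP path at all
    if status not in (301, 302, 303, 307, 308):
        return "serves-http"           # parallel HTTP path to the app
    u = urlsplit(location or "")
    if u.scheme != "https" or u.hostname != app_host.lower():
        return "bad-redirect"          # not an HTTPS redirect to this app
    if u.path not in ("", "/") or u.query or u.fragment:
        return "propagating-redirect"  # path/query carried over to HTTPS
    return "hard-redirect"             # home page only

def audit(env, status, location, app_host):
    """Return (passes_policy, verdict) for the given environment."""
    verdict = classify_port80(status, location, app_host)
    return verdict == EXPECTED[env], verdict

def probe(vip, app_host, timeout=5):
    """Send one deep-link request to vip:80 and classify the answer."""
    conn = http.client.HTTPConnection(vip, 80, timeout=timeout)
    try:
        conn.request("GET", "/probe/path?check=1", headers={"Host": app_host})
        resp = conn.getresponse()
        return classify_port80(resp.status, resp.getheader("Location"), app_host)
    except OSError:
        return "closed"
    finally:
        conn.close()

if __name__ == "__main__":
    host = "example.mcyork.com"
    # Constructed sample answers: (environment, status, Location header)
    samples = [
        ("test", None, None),
        ("test", 200, None),
        ("production", 302, "https://example.mcyork.com/"),
        ("production", 301, "https://example.mcyork.com/probe/path?check=1"),
    ]
    for env, status, location in samples:
        print(env, status, location, audit(env, status, location, host))
```
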

Did I promise a VIP config? Yikes. You need to define some servers – these run the app. You need to clump these into a group to get that redundancy and scale. Next, you apply a service group to a port of a VIP to then get the whole picture. Here is a minimum VIP configuration – and against my own advice, it is on port 80 HTTP. HTTPS has some moving parts we will get to post-haste.

slb server mcyork1
 port 80 tcp

slb server mcyork2
 port 80 tcp

slb service-group example-mcyork tcp
 member mcyork1
 member mcyork2

slb virtual-server example.mcyork.com
 port 80 http
  service-group example-mcyork

Was that too much? Don’t say yes. Stick with me.

This is the simplest VIP on the planet in any ADC / load balancer. VIP in this case is the virtual-server: the IP address where you will direct traffic for this application. Do I need to also do a DNS primer? Whatever: you go to this IP and the result should be a response from either or .51, where we expect the developers are hosting the website/application or API they promised.

Promise delivered – config for the absolute minimum possible VIP. Along with the sage advice of what not to do just because you think it is easy and/or the developers are asking for it – no HTTP in pre-production – ever.