Applying F5 iRules To Manage Network Traffic

In the previous blog, we looked at the different elements that make up an LTM (Local Traffic Manager); now, let us understand how to put those LTM objects to use with iRules.

F5 iRules is a versatile, programmatic interface that allows you to extend and adapt the BIG-IP system’s functionality. It enables you to design application delivery solutions that increase the security, reliability, and scale of your data center applications. iRules give you unprecedented power over IP application traffic manipulation and management. They let you define how you intercept, inspect, manipulate, and direct inbound or outbound application traffic using an easy-to-learn scripting syntax.

In this blog, we’ll try to answer the following questions to give a general overview of iRules as a technology:

  • What is an iRule?
  • How does an iRule work?
  • When am I going to use an iRule?
  • When am I NOT going to use an iRule?
  • How can ADC+ be used to automate the execution of iRules?

What is an iRule?

In its most basic form, an iRule is a script that runs in response to network traffic passing through an F5 device. That is a broad definition, so let us be more precise about what happens inside an iRule. The concept is simple: iRules let you build small, network-aware pieces of code that can affect your network traffic in various ways. Whether you need custom persistence or rate limiting that isn't available in the product's built-in settings, or you want to tailor the user experience by granularly controlling the flow or even the contents of a specific session or packet, iRules is the tool for the job.

iRules can route, re-route, redirect, examine, modify, delay, discard, reject or log network traffic passing through a BIG-IP, or do almost anything else with it. The goal of iRules is to make the F5 BIG-IP as flexible as possible. iRules allow network operators to use their F5 devices in ways that go beyond the standard BIG-IP collection of checkboxes and dropdowns, so they can accomplish precisely what they need when they need it. At the end of the day, iRules is a network-aware, customizable language that lets users apply business and application logic at the network layer.

How does an iRule work?

To begin, in F5 terms, an iRule is first and foremost a configuration object. This means it is stored in your BIG-IP configuration alongside your pools, virtual servers, monitors and other items. It is generally entered into the system using either the GUI or the CLI. Unlike most configuration objects, an iRule is entirely user-written and customizable. Once you have added an iRule to your configuration, it is compiled as soon as you save it.

After the iRule has been saved and pre-compiled, it must be applied to a virtual server before it can affect any traffic; an iRule that is not applied to a virtual server is, for all intents and purposes, disabled. Once you apply an iRule, it is technically applied to all traffic through that virtual server. That does not mean all traffic through that virtual server will be affected, however: iRules are usually quite selective about which traffic they modify, reroute or otherwise act on. This selectivity comes from the events the iRule responds to and from the logical structures written inside those event handlers.

When am I going to use an iRule?

When you want to add network-layer functionality to your application deployment, and that functionality isn't already available through your BIG-IP's built-in configuration options, an iRule is the way to go. iRules can add valuable business logic or application functionality to your deployment, whether that is performing a custom redirect, logging specific information about users' sessions, or any of a wide range of other possibilities. Instead of being distributed to every server hosting whichever application you are trying to modify, iRules have a single point of management: your BIG-IP. This can save significant administration time and shorten time to launch, because an iRule is quicker to deploy and modify than a quick fix to the application itself.
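The following iRule is an added example written for this post; it is not code from the original article, from AppViewX or from F5. It ties together the two previous sections: it responds to two events (one per connection, one per HTTP request), uses conditionals so that only a small subset of requests is touched, performs a custom redirect, restricts an administrative path to an allowlist, and logs a one-line session record for everything else. The data group name admin_allowed_nets (an address-type data group) and the pool name pool_admin_app are assumptions; both objects must exist in the BIG-IP configuration before the rule will save.

```tcl
# Added example iRule (not from the original post). Assumed objects:
#   - address data group "admin_allowed_nets" listing client networks allowed to reach /admin
#   - pool "pool_admin_app" hosting the administrative application
# Everything not matched below falls through to the virtual server's default pool untouched.

when CLIENT_ACCEPTED {
    # Runs once per TCP connection. Variables set here persist for the
    # life of the connection, so later events can reuse the client address.
    set client_ip [IP::client_addr]
}

when HTTP_REQUEST {
    # Runs once per HTTP request on that connection.
    set path [string tolower [HTTP::path]]

    # 1. Custom redirect: move a retired path to its new location.
    if { $path starts_with "/old-portal" } {
        HTTP::redirect "https://[HTTP::host]/portal"
        return
    }

    # 2. Least privilege at the network layer: only allowlisted client
    #    networks may reach the admin area; everyone else gets a 403 and
    #    a log entry that an analyst can alert on.
    if { $path starts_with "/admin" } {
        if { [class match $client_ip equals admin_allowed_nets] } {
            pool pool_admin_app
        } else {
            log local0.warn "Blocked /admin request from $client_ip for [HTTP::host]$path"
            HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
        }
        return
    }

    # 3. Session logging for all other requests; traffic is otherwise unchanged.
    log local0.info "client=$client_ip host=[HTTP::host] method=[HTTP::method] path=$path"
}
```

Save the rule as a configuration object (GUI, or `tmsh create ltm rule` from the CLI), then attach it to the virtual server whose traffic it should see, for example with `tmsh modify ltm virtual VS_NAME rules { RULE_NAME }` where both names are placeholders for your own objects. Until it is attached, the rule compiles but affects nothing. Note that only the `/old-portal` and `/admin` branches change the traffic; the default branch logs and lets the request continue to the default pool, which is the selectivity the section above describes.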

When am I NOT going to use an iRule?

If you can do something through the regular configuration options, profiles, GUI or CLI, do it there first. When you need to perform a task that can't be completed using the built-in configuration methods, that is the right moment to use iRules to broaden your options.

As a rule, and if written properly, iRules are extremely fast. Still, there is always a small performance advantage in running functionality from built-in core features rather than from a custom script, even an iRule. It is also easier to maintain a feature that is part of the product and carried forward through upgrades than to re-test and monitor an iRule that could have been replaced with a few configuration choices.

How can ADC+ be used to automate the execution of iRules?

F5 engineers can use the AppViewX ADC+ interface to attach F5 iRules to a set of virtual servers. The advantage of ADC+ here is that a given iRule can be applied to multiple devices and hosted applications at once through a centralized, GUI-based management console, which makes applying iRules simpler than using script-based tools or the existing BIG-IP interface.

Applying an iRule using ADC+ is a relatively simple process:

  1. Select the devices and their associated VIPs that need to be modified or provide a URL
  2. Choose the F5 iRule that needs to be applied
  3. To create a new F5 iRule, simply type the iRule code to be executed in the New iRule option.
  4. On submit, the new F5 iRule will be implemented.

The entire upgrade process only takes 2 to 5 minutes. Moreover, if an F5 engineer performs a manual F5 iRule update through the F5 interface, they cannot save the F5 iRule that is being overwritten, whereas ADC+ has the option to keep a backup of the old rule as well.

Use Case: How to use iRule automation for Log4J mitigation?

AppViewX ADC+ makes application delivery super easy.

AppViewX and F5 have a common goal: to provide enterprises with the most dependable application delivery platforms possible. The BIG-IP® platform, comprising BIG-IP LTM, DNS, AFM, and ASM modules, as well as VIPRION hardware and the cloud-ready BIG-IP iSeries hardware, can be seamlessly integrated with AppViewX ADC+. Using ADC+, F5 network operators can create a modernized application delivery network for data center agility.

ADC+ provides an application-centric view and centralized management over the F5 application delivery network, bridging the gap between application owners, network administrators, and security teams. Its powerful GUI-based automation workflows add to the management capabilities of F5 BIG-IQ®, making life easier for network teams.
