I want the GTM to balance on a pool of servers that are behind a firewall at a remote data center:
Server A has private IP 192.168.1.1, translated IP 198.19.1.1
Server B has private IP 192.168.1.2, translated IP 22.214.171.124
Server C has private IP 192.168.1.3, translated IP 126.96.36.199
The GTM needs to monitor the servers using the private IP, as there are two healthchecks. The first is a basic check of port 443. The second is to check Tomcat on port 8080, which is not reachable via the public IP.
I've added the servers (being sure to fill out the translated IP address), created the pool, then created the WideIP. However, I always get back the private IP of the server.
It seems like in the server, pool, or wideIP configuration, there should be a checkbox to hand out the public IP addresses. What am I missing?
If I understand your description then the addresses are backwards. The address field in GTM is the public IP and the translation field is the private IP. GTM resolves using the address field and the monitors also test the IP in the address field so in your case GTM would not be able to check port 8080 on the pub IP.
I have not tested this (pretty sure it will work) but you might be able to work around this by creating two servers/virtual servers, one for the public IP and the other for the private. Then in the public virtual server properties set the virtual server dependency so it depends on the private addr virtual server. Assign your monitors so that if the private VS is unavailable then the public VS will be marked down also.
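An illustrative tmsh-style configuration of the two-virtual-server dependency workaround described in the answer above. This is an added example, not part of the original post: the object names (srv_a, dc_remote, pool_app, the vs_* names) are made up, the IPs are the ones from the question, and the keywords are the gtm server stanza as I recall it, so check them against the tmsh reference for your TMOS version.

```tmsh
# Added example (assumed tmsh syntax, verify on your version).
# Server A as a generic host. The address is the public/mapped IP,
# which is what GTM resolves to and what its monitors normally probe;
# translation is the private IP, used only for GTM-side communication.
gtm server /Common/srv_a {
    datacenter /Common/dc_remote
    product generic-host
    addresses {
        198.19.1.1 {
            device-name srv_a
            translation 192.168.1.1
        }
    }
    virtual-servers {
        vs_a_tomcat_private {
            destination 192.168.1.1:8080
            monitor /Common/http
        }
        vs_a_https_public {
            destination 198.19.1.1:443
            monitor /Common/https
            depends-on {
                /Common/srv_a:vs_a_tomcat_private
            }
        }
    }
}

# Only the public-facing virtual server is a pool member, so the wide IP
# hands out 198.19.1.1. Because of depends-on, that member goes down when
# the private Tomcat check on 192.168.1.1:8080 fails.
gtm pool a /Common/pool_app {
    members {
        /Common/srv_a:vs_a_https_public {
            member-order 0
        }
    }
}
```

Servers B and C would get the same pattern with their own address/translation pair and a second pool member each.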
The translation in GTM is for GTM communications only. Not for affecting the addresses that GTM hands out. It's a small distinction, but important... You only use them if there's a NAT between the GTM and the LTM (Or other device) that's serving the VS's.
If you want to translate the addresses that GTM gives you, you need to do that externally, OR with an iRule (There's an LTM iRule that translates GTM addresses in the DNS response on codeshare... Which I'd provide a link to, but some kind soul has re-organised it, and I can't seem to find my way around any more...).
Ahh... Here's the iRule... GTM Translate...
And a discussion about it (Extra info on where I managed to confuse others -> https://devcentral.f5.com/questions/gtm-irule-split-dns)
You're right; I had it backwards. Translation is the internal/private/real IP, whereas address is the external/public/mapped IP.
So the good news is the GTM now hands out the public IPs.
The bad news is I need the Tomcat healthcheck to use the internal IP, since Tomcat is not exposed to the public. I can't find any way to force this. Going to ask F5 support.
Thanks for the response. It sounds like using Dependencies for the server is what I want.
For the second method, I would have to create a separate monitor for each server, correct? Monitor_1: Alias address 192.168.1.1, Monitor_2: Alias address 192.168.1.2, etc.
If you have https on the front end and 8080 on the back end servers, that implies that you are load balancing with what? F5 LTM?
If so then the LTM is the one who is doing the health checks against the back end servers on 8080, and via iQuery will communicate to the GTM if any of them are down.
Unless I am missing something.
If you wanted the GTM to directly query the back end servers, does it have a route to their private IPs?
In this case the servers were in a remote data center managed through a partner, and there was no LTM. The servers ran Apache Proxy on port 443 and were being accessed via NAT translations on a Cisco ASA firewall. 8080 was the app port, and was not exposed to the internet. The GTM had access to the server private IPs via VPN.
But all moot now since the data center got an LTM in 2016 and then was retired in 2017.