Creating a process for changing irule applied to a virtual server

Question

Hi All,&nbsp;
&nbsp;Here's my situation...&nbsp;
&nbsp;I'm in the process of eliminating several IIS proxies by rolling the proxy function to LTM.  In IIS this application used 2 different mod_rewrite scripts, one during normal operation and a different one during maintenance mode to redirect client connections to different servers / pages etc.&nbsp;
&nbsp;As part of the migration I have created 2 different irules to perform the same function the mod_rewrite scripts were doing when IIS was in use.  Everything works great.&nbsp;
&nbsp;The situation I am trying to overcome is that the owners of this site used to have an automated process to switch between the IIS  mod-rewrite scripts (using MOVEit) when they wanted to change from prod to maintenance mode.  I would like to come up with a way to automate the change between the prod irule and the maintenance irule.  I'm trying to avoid giving application owners accounts on the LTM's and training them how to change the irules applied to virtual servers.  I'm also trying to avoid them having to call the F5 admin team to make the change for them.&nbsp;
&nbsp;I'm curious if any of you have been faced with a similar situation and / or have any input on how I could automate this via a script of some sort etc.&nbsp;
&nbsp;I appreciate all input!&nbsp;
&nbsp;Thanks,&nbsp;
&nbsp;Rich&nbsp;

gavinw_29074 · Answer

Rich 
&nbsp;  
&nbsp; I've done something very similar for our services to cover maintenance mode functionality.  
&nbsp;  
&nbsp; I came up with the following iRule, which allows an authorized user to hit a defined URI and enable/disable a maintenance window.  
&nbsp; https://devcentral.f5.com/wiki/irules.LTM-Dynamic-Maintenance-using-Session-Table.ashx 
&nbsp;  
&nbsp; The above iRule is light on security, however I've updated our local copy to include both a Client IP filter and a HTTP Basic Authentication check...  
&nbsp; Therefore if you've got multiple customers you could tweak the rule by having a different set of datagroups for each VS...  
&nbsp;  
&nbsp; Let me know if you want a copy of the iRule including the above security features.  
&nbsp;  
&nbsp; Regards 
&nbsp; Gavin

rdessert_76127 · Answer

Thanks for the input Gavin!  I'll look into it. 
&nbsp;  
&nbsp; Rich

michael_yates · Answer

Hi RDessert, 
&nbsp;  
&nbsp; You may also want to look at creating a Custom Health Check that would do what you are trying to accomplish as well.   
&nbsp;  
&nbsp; Example: 
&nbsp; You create a monitor for an Windows Service that you don't normally use (like TCP Print Services on Windows which runs on Port 515).  Apply the monitor to the server pool and allow your Application Support Teams to control which servers are available in the pool by Enabling/Starting and Disabling/Stopping the Windows Service directly on the servers. 
&nbsp;  
&nbsp; This would require that they have access to start and stop Windows Services, but it is a simpler solution (less administrative overhead) than an iRule solution which would require on going collaboration with the Application Teams. 
&nbsp;  
&nbsp; Just another option. 
&nbsp;  
&nbsp; Hope this helps.

Forum Discussion

Creating a process for changing irule applied to a virtual server

3 Replies

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

qkview process stuck

F5 Distributed Cloud - Service Policy - Header Matching Logic & Processing

Create a DevCentral account

iRule Processing query

Create F5 BIG-IP Next Instance on Proxmox Virtual Environment