Virtual Server Pool versus ASM Class Pool

Question

I'm struggling trying to understand the difference between using a pool applied to a Virtual Server versus a pool applied to an ASM class, and when I might want to use one versus the other.   
      
   Is there anything wrong with not defining an ASM pool, and allowing the Default Pool or iRules applied to the Virtual Server determine where to route the traffic?    
      
   For example say I have an HTTP VS, with no default pool, and an iRule which checks the URI to determine where to route traffic, i.e.:

when HTTP_REQUEST {   
     if {[HTTP::uri starts_with "/navigation"]} {   
       pool navigation_pool   
     } else {   
       pool browse_pool   
     }   
   }

I've also got an ASM Class applied to this VS which has no default Pool. Can you see anything wrong with simply allowing ASM to scan the incoming requests and afterwards hand them back off to the VS for routing? I fail to see how one could make any type of dynamic routing decision like an iRule can when specifying an ASM pool.

chris_paulraj_1 · Answer

We are also using it the way you described, iRule is too valuable to give up in our environment.It seems to be working fine, iRules get processed after ASM.

hooleylist · Answer

Here is a diagram which illustrates the logical flow for requests: 
&nbsp;  
&nbsp;  
&nbsp; SOL6754 - Traffic flow for ASM-enabled virtual servers (Click here) 
&nbsp;  
&nbsp; And SOL8018 (Click here) gives a similar overview of this in text and includes some common configuration options.   
&nbsp;  
&nbsp; The typical suggestion has been to use a pool on each HTTP class and not configure a default pool on the VIP.  This ensures that all traffic must explicitly match a class in order to get through the BIG-IP.  It makes it more difficult to accidentally allow traffic to slip through the classes and go to the default pool without being validated by ASM.   
&nbsp;  
&nbsp; A common exception to this configuration would be if you wanted to use the same HTTP class and ASM web app + policy on multiple VIPs.  If you wanted to reuse the same class/web app/policy, you could not configure the pool on the class, but instead use a default pool on the VIP.  If you want to use any filters on the HTTP class, you should add a default class to the VIP(s) with no filters to ensure no traffic bypasses ASM. 
&nbsp;  
&nbsp; Aaron

smp_86112 · Answer

Thank you cpaulraj for the sanity check, and hoolio for the references. I am much more comfortable knowing now that I am not planning to do anything extrordinary.

Forum Discussion

Virtual Server Pool versus ASM Class Pool

3 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

WILS: Virtual Server versus Virtual IP Address

Check a Virtual Server's SSL Status

Server Virtualization versus Server Virtualization

Virtual Server graphical App for F5 LTM

Reviewing vulnerability scanner results for an Access Policy Manager (APM) protected Virtual Server