dragonflymr
Nov 02, 2015

ASM VE performance scaling

Hi,

 

I wonder if there is any good article about sizing a VM for an ASM/AFM deployment. Or maybe someone already did such a deployment and can share some figures. What number of vCPU/RAM/other resources to assign?

Let's say there will be no SSL Offload involved and we are talking about 50k+ concurrent TCP connections per second creating HTTP transactions.

Is it at all possible to use VE?

 

Piotr

 

6 Replies

  • I do not have an exact answer for your environment, I'm just giving you the base configuration. Use these values to make adjustments according to your own needs:

     

    ASM+AFM+LTM Setup

     

    • 16GB memory, 4 vCPU, VE with 1Gbps license

    You can use the VE BigIP. It's actually the most cost efficient BigIP deployment option in no-SSL TPS environments. Another good thing with VE is that if you run short of available bandwidth (1Gbps initial license limit), it takes very little effort to upgrade the license to 3Gbps.

     

  • Hi,

     

    Thanks for the hints. If I am not wrong, the limit for VE ends at 10Gb throughput? I am asking because right now, under attack, the customer is reporting the hardware BIG-IP as the bottleneck (I don't know yet what the HW is). I wonder if an alternative could be some LB pointing to an ASM VE pool to create LB at the attack time in a cost-effective manner.

    As far as I know, ASM is the most resource-intensive module on BIG-IP.

     

    Piotr

     

    • Hannes_Rapp
      10Gbps is indeed the current maximum supported by VE. Your next question is tougher. It's for sure that you can deploy ASM on a separate BigIP, and route requests to it from another AFM/LTM box. What I do not know is if you can implement some sort of balancing from a single AFM/LTM appliance/cluster to multiple ASM boxes. Not even sure if it will help you remedy the effects of a DOS attack significantly. Personally, I would leave out the balancing to multiple ASM appliances since the ASM module is quite costly and the desired solution is not guaranteed, but instead look into possibilities to take down the attack on the AFM/LTM box, and if the attack is huge (i.e. the on-site appliance couldn't cope), manually activate the cloud-based DOS attack mitigation (i.e. pay to subscribe to a service from F5 Silverline or Prolexic). Just some ideas.
    • dragonflymr
      OK, but we are not really talking about a volumetric attack saturating the Internet pipe. We are talking about exhausting the current ASM device's resources. Sure, the simplest solution is to buy a bigger BIG-IP box, but that might not be possible here. The customer, however, has quite substantial VMware-based resources, so spinning up a few ASM VEs could be an option. Piotr
    • Hannes_Rapp
      Give it a go then :). I cannot confirm for sure, but I think that even if the 1st line of appliances are configured as active-standby, you should be able to deploy the 2nd line of appliances (VE ASM) in active-active mode to really widen the existing bottleneck.