A journey into lesser known (but still really, really cool) Avi features
The most commonly deployed F5 iRules offer basic functionality, such as HTTP redirects, content switching, or logging. With Avi, that’s table stakes—it’s all point and click functionality. Thankfully, that’s not what this blog post is about. Today, we’re going to explore some of the cool, advanced iRules functions that are all native with Avi Networks.
Now for the fun. In my career, I've seen thousands of iRules. Every once in a while I've come across or written a few really cool rules (ex-F5 employee here). But with modern application delivery platforms, you’ll see that most of these iRules are completely unnecessary. That's not to say there aren't legitimate use cases for custom dataplane scripting. At Avi, we've found that more than 75% of all iRule conversions are accommodated by native Avi features. That still leaves room for advanced and custom use cases that require Avi's DataScript. DataScripts are similar to iRules except they use Lua instead of TCL. Lua is similar to TCL but is 20 years newer and doesn’t have so many squiggly brackets.
Without further ado, here are 10 iRules that are all native to the Avi Vantage Platform.
1. HTTP to HTTPS
Redirect clients to HTTPS, rewrite server redirects, insert HSTS headers, secure cookies, etc. Click the SSL Everywhere checkbox and stuff just works. No scripting necessary. If your virtual service only has port 80, Avi is smart enough to not redirect clients into a 443 black hole.
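To confirm these behaviours on a deployed virtual service, the following added example (not from the original post or from Avi) audits a port-80 response and a port-443 response for the four items listed above. The function name, host name and sample responses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}

def values(resp, name):
    """All values of one header, matched case-insensitively."""
    return [v for k, v in resp["headers"] if k.lower() == name.lower()]

def audit_https_enforcement(http_resp, https_resp, host):
    """Return a list of findings; an empty list means all four checks passed."""
    findings = []
    # 1. The port-80 response must redirect to https:// on the same host.
    loc = values(http_resp, "Location")
    target = urlsplit(loc[0]) if loc else None
    if (http_resp["status"] not in REDIRECT_CODES or target is None
            or target.scheme != "https" or target.hostname != host):
        findings.append("port 80 does not redirect to https://" + host)
    # 2. The HTTPS response must carry HSTS with a non-zero max-age.
    hsts = values(https_resp, "Strict-Transport-Security")
    m = re.search(r'max-age\s*=\s*"?(\d+)', hsts[0], re.I) if hsts else None
    if m is None or int(m.group(1)) == 0:
        findings.append("HSTS header missing or max-age=0")
    # 3. Every cookie set over HTTPS must have the Secure attribute.
    for cookie in values(https_resp, "Set-Cookie"):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append("cookie without Secure: " + cookie.split("=", 1)[0])
    # 4. Redirects issued by the server must not point back to http://.
    for loc in values(https_resp, "Location"):
        if urlsplit(loc).scheme == "http":
            findings.append("server redirect still http: " + loc)
    return findings

# Constructed sample responses (not captured from a real deployment).
HOST = "app.example.test"
HTTP_OK = {"status": 301, "headers": [("Location", "https://app.example.test/")]}
HTTPS_OK = {"status": 302, "headers": [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly"),
    ("Location", "https://app.example.test/login")]}
HTTPS_BAD = {"status": 302, "headers": [
    ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly"),
    ("Location", "http://app.example.test/login")]}

if __name__ == "__main__":
    print(audit_https_enforcement(HTTP_OK, HTTPS_OK, HOST))
    for finding in audit_https_enforcement(HTTP_OK, HTTPS_BAD, HOST):
        print(finding)
```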
2. Request Throttling a Client Based on SessionID
Connection and request throttling can be applied on a number of vectors, including a client's sessionID. This could be within a header or a cookie. In addition to standard request throttling actions, Avi can return a custom page, response code, or redirect to an alternate location.
3. Load Balance Based on SessionID
Sticking with the sessionID theme, clients can be load balanced or hashed based on their sessionID. Select the hash load balancing algorithm, choose custom content to hash (persist) against, and fill in the session ID name.
4. Persistence Based on SessionID
If the server is already embedding a sessionID, persist on it instead of inserting new cookies. Simply pick the app-cookie persist method and type in the name of the sessionID. This will check both the headers and cookies in case clients support one or the other.
5. Trace a User Session
Avi can log every connection or request. If the client logs into the site, Avi populates an internal "user ID" field. If the client is not authenticating, the field can be populated with a sessionID. In the logs, type in the user's name in the search bar to monitor their complete interaction with the site.
6. Insert Client SSL Certificate into Server Header
Avi authenticates clients via their client SSL certificates and inserts the entire client cert (or any components) into a custom HTTP header sent to the server.
7. Proxypass
Rewrite client requests, including their URI and hostnames to something the server is expecting. Then reverse the process with the response traffic. Avi can automatically rewrite server redirects to the name used by the client. Throw in a policy or two for more robust cookie name or embedded content manipulation.
8. HTTP Server Reselect
If a server sends out an error, such as 503 “server busy”, Avi automatically retries the same server or tries other servers in the pool a specified number of times.
9. Maintenance Page
Upload a maintenance response web page within the HTTP policies. The page can be enabled or disabled for maintenance windows by simply enabling or disabling the policy rule.
10. A/B Pool Distribution
Using a pool group, distribute traffic across multiple pools with an adjustable ratio. If all servers are running version 1, move some traffic over to a few servers running version 2. Compare the end user experience between the two pools prior to fully shifting traffic to the new servers.
There are many great use cases for custom scripting. But it's a crutch to use scripting when native functionality is available. Native functionality is more computationally efficient and much easier to maintain. Yes, scripting may still be required, but only when you've got a really good rule like my Sudoku game. Still working on converting that one over from iRules to DataScript.
To learn a bit more about DataScript, check out Avi's knowledge base site > Guides > DataScript. Browse through the functions and explore the included examples.