Ever wondered how you can avoid the pain of F5 iRules?

Ever wondered how you can avoid the pain of F5 iRules?

How-Tos Published on 4 mins Last updated

Many things in tech are over-complicated for no reason, and iRules are a prime example of that. I think F5 consultants come in and deliberately make complicated iRules that you don't actually need, so you have to keep calling them back to do more paid work to fix the iRules you didn't need in the first place. You'll also find, that the complex iRules won't be covered by your standard F5 support contract. But hey, this is a great opportunity for the consultant to also sell you their own support top-up as well!

Hang on, why don't F5 just make iRules easier to use?

I think it helps F5 to make things complex because that increases lock-in.
Complexity increases the cost for customers to leave the F5 product range.
After all, you'd need to pay a consultant to move you to another vendor. And why would they help you do that when they make so much money from complex iRules?

Amusingly, iRules are so hard to understand, F5 have to run extensive and ongoing Field Service Agent challenges to try and incentivize their own specialists to get their heads around it all. The other win for F5 is when other vendors try to 'help you convert iRules'. They may result in something even more complex — that not even paid consultants understand...

Here at Loadbalancer.org, we like to think 'outside the box'. What is the ACTUAL problem we are trying to solve here? And how can we make it easier?

What have we learned about migrating iRules to HAProxy ACLs?

We pride ourselves on our support, but something we don't sing about enough is our ability to simplify things. We have never come across an iRule that we haven't been able to convert during an F5 migration. However, in a shockingly large number of cases, we can just remove the iRules. Yes, really.

How is that possible?

Because we come across iRules that have been written and even the network admin doesn't know what the rule was doing in the first place! We also find hugely complex rules that don't have any effect on traffic. Many iRules that are leftover from applications that don't even exist - iRules that someone wrote just to learn iRules.

In general, we find 'ghost iRules' and 'ghost applications' account for 60% of the config file! And then another 30% of the iRules are simply unnecessary.

This is because the majority of iRules are trying to achieve basic features, such as HTTP to HTTPS redirection, persistence based on session ID, custom health checks, or even a simple maintenance page. All of which can be easily done through our WebUI, with no need to write a rule. I have hyperlinked each option to the relevant page in our administration manual so you can take a look.

SSL re-encryption also needs an iRule, but again, it's something we have directly built into our appliance (this includes termination on the load balancer and SSL offloading). Again, we have an extremely in-depth guide on how to do this here.

However, sometimes only custom rules will do

Sometimes, you need to write rules, we get it. Sometimes you want to send users to a specific server based on a header or their IP address. Sometimes, you want to relocate those connections completely. Well, using HAProxy's ACL rules, which are much easier to configure than iRules, you can. We even have a graphical interface to write the ACL rules to assist with the ease of configuration. Best of all they're all supported within your support contract.

In the above image, you can see based on anything that comes from that IP address, we can choose to drop or deny that traffic, set a flag for 'if' statements - which will also allow you to add, set, and replace headers, redirect the URL location, or prefix said URL. And last but not least, we can tell that traffic to use a specific virtual service (Use Backend) or direct all the traffic that matches the rule to a specific real server (Use Server).

It's not just IP addresses we can base the rules off, here is the full list:

Notice the flags I mentioned earlier. This is how we can create 'if' statements for your traffic, to give almost endless capability. Speaking of which, the list is made up of the most popular ACL rules. But if there's anything you know HAProxy can do that's not on the list, the option of "Free Type" will allow you to use any HAProxy ACL rule.

An example of a rule to redirect internal and external users could look like this:

Notice, we also add the header, X-My-Internal-Use-Hdr. More detail can be found in my previous blog on our ACL rules.

If you are looking to move away from F5 and need help converting or even understanding your iRules, get in contact with us and we will be happy to assist. You might also be pleasantly surprised how few rules you really need!

Need help?

Our experts are always here