F5 iRule Setup and Notes for VMware vCloud Director Accessibility

Recently, I’ve had several providers that have had to manage and/or update their F5 iRules for secure accessibility for vCD tenants and providers. F5 has a nice deployment guide here.

F5 provides a solid solution for VIPs and Load Balancer capabilities which I see often between many of our global VMware Cloud Providers.

With the new vCD HTML5 User Interface (UI), there have been several changes that require these iRule modifications to provide direct access.

Typically, when utilizing an F5 appliance, some providers and tenants saw errors after a vCD upgrade.

Some saw the H5 interface become inaccessible, receiving a message such as:

An error was encountered during initialization. This can be caused by issues such as accessing the application via an unsupported public URL or poor connectivity.

Similarly, data was not displayed properly, as shown below –

This is going to be a quick post, but I felt it was worth sharing what I’ve found so far to help others ensure proper interoperability with F5.

Modifications to F5 iRules

First up, after speaking to one of my Public Sector providers, I learned they had to append these new URL paths to their iRule allow-list for H5 accessibility:

  • /tenant
  • /network
  • /tenant-networking
  • /cloudapi
  • /api/sessions

Overall, they had the following in their access-list:

  • /tenant/*
  • /api/sessions/*
  • /network/*
  • /tenant-networking/*
  • /cloudapi/*
  • /cloud/org/*
  • /cloud/vmrcconsole.html
  • /cloud/customtheme*
  • /cloud/webmksconsole.html
  • /cloud/support/
  • /cloud/amf/*

Sample iRule Set for Secure vCD Access

Disclaimer – First, I am not an F5 expert by any means. However, another provider shared their iRule set for accessibility with me. From my understanding, this blocks system user access for API calls from external networks.

Furthermore, I suggest working with your F5 counterpart to verify what might need to be changed and/or implemented to verify full functionality.

when HTTP_REQUEST {
    set http_path [string tolower [HTTP::path]]
    set client_ip [IP::client_addr]

    if { $http_path starts_with "/cloud/org/"
        or $http_path starts_with "/favicon.ico"
        or $http_path starts_with "/cloud/customtheme"
        or $http_path starts_with "/cloud/amf"
        or $http_path starts_with "/cloud/support"
        or $http_path starts_with "/cloud/webmksconsole.html"
        or $http_path starts_with "/transfer/"
        or $http_path starts_with "/tenant/"
        or $http_path starts_with "/network/"
        or $http_path starts_with "/api/session"
        or $http_path starts_with "/cloudapi"
        or $http_path starts_with "/cloud/vmrcconsole.html" } then {
        # UI, console, session and cloudapi paths: forward without further checks
        pool <provider>-vcloud-https
    }
    elseif { $http_path starts_with "/api/" } then {
        # Remaining /api/ requests: keep system-org credentials to the admin networks
        if { [HTTP::header exists Authorization] } {
            # HTTP::username returns the user part of HTTP Basic credentials (user@org)
            set creds [HTTP::username]
            if { $creds ne "" } {
                set fields [split $creds "@"]
                set api_user [lindex $fields 0]
                set api_org [string tolower [lindex $fields 1]]
                if { $api_org ne "" } {
                    if { $api_org eq "system" } {
                        if { (![matchclass [IP::remote_addr] eq vcloudadmins]) } then {
                            SSL::disable serverside
                            log local0. "vcloud_api_auth: unauthorized system api access (user: $api_user, ip: $client_ip)"
                            HTTP::respond 403 content {
                                <html><head><title>Forbidden</title></head>
                                <body><h1>Access Denied</h1></body></html>
                            }
                        }
                        else {
                            #log local0. "vcloud_api_auth: authorized system api access (user: $api_user, ip: $client_ip)"
                            pool <provider>-vcloud-https
                        }
                    }
                    else {
                        log local0. "vcloud_api_auth: org api access (user: $api_user, org: $api_org, ip: $client_ip)"
                        pool <provider>-vcloud-https
                    }
                }
                else {
                    log local0. "vcloud_api_auth: missing org (credentials: $creds, ip: $client_ip)"
                    HTTP::respond 403 content {
                        <html><head><title>Forbidden</title></head>
                        <body><h1>Access Denied</h1></body></html>
                    }
                }
            }
            else {
                log local0. "vcloud_api_auth: missing credentials (ip: $client_ip)"
                HTTP::respond 403 content {
                    <html><head><title>Forbidden</title></head>
                    <body><h1>Access Denied</h1></body></html>
                }
            }
        }
        else {
            # No Authorization header: passed through to vCD
            #log local0. "DEBUG vcloud_api_access: api request (ip: $client_ip, path: $http_path)"
            pool <provider>-vcloud-https
        }
    }
    else {
        # Everything else (e.g. the provider /cloud/ UI): admin networks only, others get the sorry page
        if { (![matchclass [IP::remote_addr] eq vcloudadmins]) } then {
            SSL::disable serverside
            if { ! ($http_path starts_with "/sorry-static/") } then {
                log local0. "vcloud_web: unauthorized access (ip: $client_ip, path: $http_path)"
            }
            pool <provider>_sorry_server_pool
        }
        else {
            #log local0. "DEBUG vcloud_web: request (ip: $client_ip, path: $http_path)"
            pool <provider>-vcloud-https
        }
    }
}
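To sanity-check the decision table encoded by the path list above and by the iRule before it goes on a production VIP, here is a small Python model of the same branches. This is an added example, not code from the post or from F5: the 10.0.0.0/8 admin network and the pool names are placeholders, and the assumption that only Basic credentials yield a username follows how HTTP::username behaves. One thing the model makes visible is that /api/sessions is matched by the first branch, so the system-org check in the /api/ branch never applies to it; confirm with your F5 counterpart whether that is intended.

```python
import base64
import ipaddress
from typing import Optional

# Path prefixes forwarded unconditionally, as in the iRule's first branch (the post's list).
UI_PATHS = ("/cloud/org/", "/favicon.ico", "/cloud/customtheme", "/cloud/amf",
            "/cloud/support", "/cloud/webmksconsole.html", "/transfer/",
            "/tenant/", "/network/", "/api/session", "/cloudapi",
            "/cloud/vmrcconsole.html")
# Placeholder for the F5 'vcloudadmins' address class (constructed for this model).
VCLOUDADMINS = [ipaddress.ip_network("10.0.0.0/8")]


def is_admin(client_ip: str) -> bool:
    """Stand-in for: matchclass [IP::remote_addr] eq vcloudadmins."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in VCLOUDADMINS)


def basic_username(authorization: Optional[str]) -> str:
    """Stand-in for HTTP::username: assumed to yield a name only for Basic credentials."""
    if not authorization or not authorization.startswith("Basic "):
        return ""
    try:
        decoded = base64.b64decode(authorization[len("Basic "):]).decode()
    except (ValueError, UnicodeDecodeError):
        return ""
    return decoded.split(":", 1)[0]


def basic_auth(user: str, password: str = "x") -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decide(path: str, client_ip: str, authorization: Optional[str] = None) -> str:
    """Return the pool the iRule would select, or '403' where it responds with Forbidden."""
    p = path.lower()
    if any(p.startswith(prefix) for prefix in UI_PATHS):
        return "vcloud-https"                      # first branch: no further checks
    if p.startswith("/api/"):
        if authorization is None:
            return "vcloud-https"                  # no Authorization header: passed through
        creds = basic_username(authorization)
        if creds == "":
            return "403"                           # "missing credentials"
        fields = creds.split("@")                  # vCD Basic logins are user@org
        api_org = fields[1].lower() if len(fields) > 1 else ""
        if api_org == "":
            return "403"                           # "missing org"
        if api_org == "system" and not is_admin(client_ip):
            return "403"                           # "unauthorized system api access"
        return "vcloud-https"
    return "vcloud-https" if is_admin(client_ip) else "sorry_server_pool"
```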

Finally, I hope this helps others who use vCD and F5 to ensure proper UI and API access. If you have any other tips, please do let me know.

Thank you Piyush and shankarsingh on VMTN for the sample iRule code!

-Daniel
