L7 Routing

Version notice:

Introduced in F5 Agent v9.2.0 (Mitaka) and 10.0.0 (Newton)

L7 routing takes its name from layer 7 of the OSI Model, also called the application layer. [1] The F5 Agent for OpenStack Neutron passes L7 content switching policies and rules from OpenStack Neutron to a BIG-IP device. The BIG-IP device then processes the application data of request traffic as it passes through a virtual server and applies corresponding Local Traffic Manager (LTM) policies and rules to make routing decisions. You can use the OpenStack API to define the content conditions and the actions that they should trigger.

Important

See the OpenStack Neutron LBaaS Layer 7 rules documentation for a full explanation of the L7 rules and L7 policies.

It is essential to understand these concepts before proceeding with this document.

Neutron LBaaSv2 API L7 Policies and Rules

In Neutron, an L7 Policy is a collection of L7 rules associated with a Listener; it may also have an association to a back-end pool. Policies describe actions that the load balancing software should take if all of the rules in the policy return “true” (or, in other words, they match).

OpenStack Policy/Rules versus BIG-IP Local Traffic Manager Policy/Rules

The Neutron L7 terminology does not directly align with the common vocabulary of BIG-IP Local Traffic Manager (LTM). Keep the following key differences in mind:

• BIG-IP LTM policies also have a set of rules; in LTM, it is the rules, not the policies, that specify what action to take.
• BIG-IP devices evaluate policies attached to a virtual server regardless of whether the associated rules are true.
• BIG-IP LTM rules, not policies, have an ordinal.

The table below shows how the terms from each software domain correspond.

L7 policies/rules in OpenStack Neutron and BIG-IP LTM

Neutron LBaaS L7 term	BIG-IP LTM equivalent
Policy	Policy Rules (wrapper_policy)
Policy Action	Rule Action
Policy Position	Rule Ordinal
Rule	Rule Conditions

The BIG-IP LTM policy has a name, description, set of rules, and a strategy defining how to evaluate the rules. OpenStack L7 policies in are similar to a collection BIG-IP LTM policy rules evaluated using the ‘First match’ strategy.

BIG-IP LTM rules have conditions, actions, and an ordinal. The F5 Agent creates the LTM rules based on the OpenStack L7 policy and rule attributes.

Neutron LBaaSv2 API L7 rules to BIG-IP LTM policy mapping

The F5 Agent maps a combination of L7Policy and L7Rule elements to TMOS traffic policies (and, in the case of specific L7Rule compare_types, iRules).

All L7 Rule types map directly to TMOS traffic policy match conditions:

L7 Rule Type	TMOS Traffic Policy Match Condition
Hostname	HTTP Host
Path	HTTP URI + path
FileType	HTTP URI + extension
Header	HTTP Header
Cookie	HTTP Cookie

The LBaaS L7 Rules requirement to “execute the first L7Policy that returns a match” directly maps to the TMOS “first-match” traffic policy execution strategy.

Four of the five L7Rule compare_type values map directly to TMOS traffic policy rule conditions:.

L7 Rule Compare Type	L7 ‘–invert’ Specified	TMOS Traffic Policy Rule Match Condition
STARTS_WITH	No	Begins with
STARTS_WITH	Yes	Does not begin with
ENDS_WITH	No	Ends with
ENDS_WITH	Yes	Does not end with
EQUAL_TO	No	Is
EQUAL_TO	Yes	Is not
CONTAINS	No	Contains
CONTAINS	Yes	Does not contain
REGEX	X	No direct mapping

All L7Policy actions map directly to TMOS traffic policy rule actions:

L7 Policy Action	TMOS Traffic Policy Rule Action
Reject	Reset traffic
RedirectToUrl	Redirect
RedirectToPool	Forward traffic to pool

Caveats

• The REGEX comparison type is not supported in this release.

Usage

L7 Routing doesn’t require any F5 Agent configuration changes. Rather, you define L7 switching policies and rules when creating or updating a Neutron LBaaS listener.

The CLI example below from the OpenStack Neutron Wiki demonstrates how to define rules and policies using the OpenStack CLI. [2]

# Create a listener
neutron lbaas-create-listener listener1
# Create a pool
neutron lbaas-create-pool pool1
# Create a policy
neutron --policy policy1 lbaas-create-l7policy --name "policy1" --listener "listener1" --action redirect_to_pool --pool "pool1" --position 1
# Create a rule for this policy
# Once the below operation has completed, a new policy will exist on the device called 'wrapper_policy'.
# It will have a single rule called redirect_to_pool_1.
# A single condition and a single action will exist.
neutron lbaas-create-l7rule rule1 --rule-type path --compare-type contains --value "i_t" --policy policy1
# Create a second rule for the above policy
neutron lbaas-create-l7rule rule2 --rule-type cookie --compare-type ends_with --key "cky" --value "i" --invert --policy policy1

The F5 Agent implements the above Neutron LBaaS policies and rules on the BIG-IP device as follows.

ltm policy wrapper_policy {
   controls { forwarding }
   last-modified 2016-12-05:09:19:05
   partition Project_9065d69e806a4b4894a47fed7484a006
   requires { http }
   rules {
       reject_1 {
           actions {
               0 {
                   forward
                   reset
               }
           }
           conditions {
               0 {
                   http-uri
                   path
                   contains
                   values { i_t }
               }
               1 {
                   http-cookie
                   name cky
                   ends-with
                   values { i }
               }
           }
           ordinal 1
       }
   }
   status legacy
   strategy /Common/first-match
}

Learn more

• OpenStack Neutron LBaaS Layer 7 rules documentation
• OpenStack Neutron LBaaSv2 l7 Wiki
• BIG-IP Local Traffic Management – Getting Started with Policies

Footnotes

[1]	https://wiki.openstack.org/wiki/Neutron/LBaaS/l7

[2]	OpenStack Foundation