This article explains how to configure an F5 Load Balancer running GTM to load balance connections to Umbrella Virtual Appliances. The solution uses priority groups and a health check that monitors DNS connectivity to the Virtual Appliances and redirects traffic based on Virtual Appliance availability.
More information about F5 Load Balancers can be found here: https://f5.com/glossary/load-balancer
F5 has the notion of priority groups. When setting up a pool, you can make all the Virtual Appliances have a higher priority than your normal local DNS resolvers.
- Assign a Priority group to every member of your Umbrella pool. The VAs should all have the same, higher priority number; your backup local resolvers should have a lower priority.
- Create a health check that does a DNS lookup. This step ensures that each DNS server is working and disables a server in the pool if it isn’t.
For this, we are using the “dnsmonitor” external health check available here: https://devcentral.f5.com/codeshare?sid=390.
Download the code from the link above and save it as a local file, “dnsmonitor”.
Import “dnsmonitor” under System > File Management > External Monitor Program File List.
- Create a new health check monitor under Local Traffic > Monitors > New Monitor. Here we are doing a DNS A record lookup for a.rootservers.net, which will hopefully always be 18.104.22.168. In the arguments we specify what we are looking up, “a.rootservers.net”; what type of record, “A”; what we expect it to be, “22.214.171.124”; and how long it should take, “2” seconds. Feel free to change the lookup address to something that fits your environment, or add more health checks if needed.
Now we add this health check to our pool. Under Local Traffic > Pools > “umbrella” (or whichever pool you created in Step 1) > Properties, change the Health Monitor to our new dns-monitor-a.rootservers.net. You can select multiple health monitors as suggested above. You’ll need to go to the advanced tab to select the availability requirement, too. For now, we’ll just keep it basic with a single health monitor.
- Create a Virtual Server and Port for the F5 to listen on. This is the BigIP or Virtual IP that your clients will query. It uses the “umbrella” pool.
You can verify you are hitting a Virtual Appliance by doing a TXT query for debug.opendns.com.
OSX/Linux - dig txt debug.opendns.com @<VIP IP>
Windows - nslookup -type=txt debug.opendns.com <VIP IP>
This will output information about your Umbrella account. Look for a field called "appliance id". The number following this is unique to each Virtual Appliance. To verify that load balancing is working, run the TXT lookup and copy down the appliance id, then disconnect the first VA in the pool and run the command again. You will get an ID from one of the other VAs in your pool.
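
The verification step above can be scripted. The following is an added example, not part of the original article or of F5/Umbrella tooling: it repeats the TXT lookup against the VIP and tallies which appliance ids answered. The function names and the sample records are constructed, and the exact layout of the "appliance id" line (field name followed by the number) is an assumption based on the description above.

```shell
#!/bin/sh
# Added example: tally which Virtual Appliances answer behind the F5 VIP.
# Assumption: the TXT answer contains a line of the form `appliance id <number>`.

# Constructed sample answers (not real account data), shaped like `dig +short` output.
SAMPLE_VA1='"server example1"
"appliance id 1001"
"source 192.0.2.50:53000"'
SAMPLE_VA2='"server example1"
"Appliance ID: 1002"
"source 192.0.2.50:53001"'

# Read a TXT answer on stdin and print the value that follows "appliance id".
# Prints nothing when the field is absent (query did not traverse a VA).
extract_appliance_id() {
    # dig +short wraps each TXT string in double quotes; strip them first.
    tr -d '"' | awk '
        { line = tolower($0) }
        !found && match(line, /appliance id[ :=]*/) {
            rest = substr($0, RSTART + RLENGTH)   # same offsets as the lowercased copy
            split(rest, f, /[ \t]+/)
            print f[1]
            found = 1
        }'
}

# Read one appliance id per line and print how many distinct ids were seen.
count_distinct_ids() {
    awk 'NF && !($1 in seen) { seen[$1]; n++ } END { print n + 0 }'
}

# Query the VIP N times (default 10) and print a count per appliance id.
# Lookups that time out or bypass a VA contribute no id to the tally.
check_vip() {
    vip=$1
    n=${2:-10}
    i=0
    while [ "$i" -lt "$n" ]; do
        dig +short +time=2 +tries=1 txt debug.opendns.com "@$vip" | extract_appliance_id
        i=$((i + 1))
    done | sort | uniq -c
}
```

Run `check_vip <VIP IP> 10` before and after disconnecting a VA: the disconnected appliance's id should drop out of the tally while the remaining ids keep answering.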