For a typical F5 BIG-IP LTM setup, the components are connected roughly like this:
- Virtual Server
- iRules
- Profiles, including SSL profiles
- Pool
- Pool Members
- Nodes
- SSL certificate/key inside the SSL profile
A clean way to think about it is:
- Traffic flow hierarchy
Client
-> Virtual Server
-> iRules / Profiles / policies applied on the Virtual Server
-> Pool
-> Pool Member
-> Node
And for TLS:
Client
-> Virtual Server
-> Client SSL Profile
-> SSL Certificate + Private Key
Optionally on server-side TLS:
Virtual Server
-> Server SSL Profile
-> trusted CA / client cert settings / server-side TLS behavior
-> Pool Member / Node
- Main component relationships
Here is the direct relationship map for one Virtual Server.
A. Virtual Server
The Virtual Server is the main entry point.
It is connected to:
- destination IP and port
- one or more iRules
- one default Pool
- one or more Profiles
- optionally SSL profiles
- optionally persistence profiles
- optionally SNAT settings
- VLAN restrictions, source restrictions, etc.
So:
Virtual Server
- has a destination
- references a Pool
- references zero or more iRules
- references zero or more Profiles
- may reference a Client SSL Profile
- may reference a Server SSL Profile
B. iRules
iRules are attached directly to the Virtual Server.
They can:
- inspect incoming requests
- change pool selection
- redirect requests
- manipulate headers
- reject/drop traffic
- select a specific node or pool member
- use data groups
- influence SSL behavior indirectly
So:
iRule
- is attached to a Virtual Server
- may override the default Pool
- may select a different Pool
- may select a Node directly
- may depend on data groups or other objects
Important:
A Virtual Server can have multiple iRules.
The order of iRules can matter.
C. Pool
The Pool is the backend group the Virtual Server sends traffic to.
It is connected to:
- the Virtual Server as default target
- health monitors
- pool members
- load-balancing method
So:
Pool
- is referenced by a Virtual Server
- contains Pool Members
- may have one or more health Monitors
- defines load-balancing behavior
D. Pool Member
A Pool Member is usually:
node + service port
Example:
- Node:
10.1.1.10 - Pool member:
10.1.1.10:443
So:
Pool Member
- belongs to a Pool
- references a Node
- defines the service port for that Node within that Pool
Important:
The same Node can appear in multiple pools with different ports.
E. Node
A Node is just the backend server IP or hostname object.
So:
Node
- is referenced by one or more Pool Members
- represents the actual backend host address
Relationship:
Node
- does not directly belong to the Virtual Server
- is reached through Pool Member association
- may be selected directly by iRule in some designs
F. SSL Certificate
The certificate is not normally attached directly to the Virtual Server.
It is usually attached through an SSL profile.
Relationship:
Virtual Server
-> Client SSL Profile
-> Certificate
-> Private Key
So:
SSL Certificate
- belongs to a Client SSL Profile
- that profile is attached to the Virtual Server
For server-side TLS:
Virtual Server
-> Server SSL Profile
-> trust / validation / client cert settings
- Full connection chain
For one standard HTTPS VIP:
- Virtual Server
/Common/vs_app_https - iRule
/Common/irule_redirect_logic - Pool
/Common/pool_app_https -
Pool members:
/Common/10.10.20.11:443/Common/10.10.20.12:443
-
Nodes:
/Common/10.10.20.11/Common/10.10.20.12
- Client SSL Profile
/Common/clientssl_app - Certificate
/Common/app.example.com.crt - Key
/Common/app.example.com.key
Connections:
-
Virtual Server
/Common/vs_app_https- uses iRule
/Common/irule_redirect_logic - uses Pool
/Common/pool_app_https - uses Client SSL Profile
/Common/clientssl_app
- uses iRule
-
Client SSL Profile
/Common/clientssl_app- uses certificate
/Common/app.example.com.crt - uses private key
/Common/app.example.com.key
- uses certificate
-
Pool
/Common/pool_app_https- contains pool member
/Common/10.10.20.11:443 - contains pool member
/Common/10.10.20.12:443
- contains pool member
-
Pool member
/Common/10.10.20.11:443- references Node
/Common/10.10.20.11
- references Node
-
Pool member
/Common/10.10.20.12:443- references Node
/Common/10.10.20.12
- references Node
- In graph form
You can represent it like this:
Virtual Server
├─ iRule 1
├─ iRule 2
├─ Client SSL Profile
│ ├─ Certificate
│ └─ Private Key
├─ Server SSL Profile (optional)
└─ Default Pool
├─ Pool Member 1
│ └─ Node 1
├─ Pool Member 2
│ └─ Node 2
└─ Pool Member 3
└─ Node 3
- Important F5-specific nuances
A. Virtual Server to Pool is usually one default reference
A Virtual Server usually has:
- one default pool
But:
- an iRule can send traffic to a different pool
- a policy can do the same
So the true runtime path can be:
Virtual Server
-> default Pool
or
Virtual Server
-> iRule logic
-> alternate Pool
B. Pool Member is not the same as Node
This is a very important distinction.
- Node = backend host identity
- Pool Member = node plus service port in a specific pool
Example:
- Node:
10.10.20.11 - Pool member A:
10.10.20.11:80 - Pool member B:
10.10.20.11:443
Same node, different members.
C. SSL cert is usually indirect
Usually:
- Virtual Server does not point directly to cert
- Virtual Server points to SSL profile
- SSL profile points to cert/key
D. iRules can alter the topology
Even if a Virtual Server is configured with Pool A, an iRule may:
- choose Pool B
- choose a specific member
- reject the request
- redirect client elsewhere
So from a config dependency perspective:
Virtual Server
-> iRules
-> potential Pools or Nodes referenced inside iRule code
That means if you are mapping dependencies, parsing only the Virtual Server object is not enough. You may also need to inspect iRule text.
- Dependency list for one Virtual Server
If you want a concise dependency list, use this model:
Primary object:
- Virtual Server
Direct dependencies:
- iRules attached to the Virtual Server
- default Pool referenced by the Virtual Server
- SSL profiles attached to the Virtual Server
- other LTM profiles attached to the Virtual Server
Indirect dependencies:
- certificate and key referenced by the Client SSL Profile
- pool members contained in the Pool
- nodes referenced by the Pool Members
- health monitors referenced by the Pool
- additional pools/nodes referenced inside iRules
- Example dependency table
Component Type Component Name Connected To
Virtual Server /Common/vs_app_https Pool, iRules, SSL Profile
iRule /Common/irule_redirect_logic Virtual Server
Pool /Common/pool_app_https Virtual Server, Pool Members
Pool Member /Common/10.10.20.11:443 Pool, Node
Pool Member /Common/10.10.20.12:443 Pool, Node
Node /Common/10.10.20.11 Pool Member
Node /Common/10.10.20.12 Pool Member
Client SSL Profile /Common/clientssl_app Virtual Server, Cert, Key
Certificate /Common/app.example.com.crt Client SSL Profile
Private Key /Common/app.example.com.key Client SSL Profile
- If you want to model it in C#
A useful object model would be:
VirtualServerDependencyGraph
- VirtualServer
- List<iRule>
- Pool
- List<PoolMember>
- List<Node>
- List<SslProfile>
- List<SslCertificate>
- List<SslKey>
- Practical F5 REST endpoints for these connections
To build this mapping from REST, you typically inspect:
-
Virtual server:
/mgmt/tm/ltm/virtual/<name>
-
Pool:
/mgmt/tm/ltm/pool/<name>
-
Pool members:
/mgmt/tm/ltm/pool/<pool>/members
-
Nodes:
/mgmt/tm/ltm/node
-
iRules:
/mgmt/tm/ltm/rule
-
SSL profiles:
/mgmt/tm/ltm/profile/client-ssl/mgmt/tm/ltm/profile/server-ssl
-
SSL certs/keys:
/mgmt/tm/sys/file/ssl-cert/mgmt/tm/sys/file/ssl-key
- Short answer
The core connections are:
- Virtual Server -> iRules
- Virtual Server -> Pool
- Pool -> Pool Members
- Pool Member -> Node
- Virtual Server -> SSL Profile
- SSL Profile -> SSL Certificate + Private Key
And optionally:
- iRule -> alternate Pool or Node
- Pool -> Monitor
- Virtual Server -> persistence / HTTP / TCP / SSL profiles
If you want, I can next create:
- a dependency diagram in Mermaid format
- C# classes representing this relationship graph
- code that reads BIG-IP REST JSON and builds the graph automatically