I’ve been trying to find any guidance on setting up an external load balancer for API GW to avoid too much trial and error.
Planning to use F5 BigIP LTM to do the load balancing, and am not sure how well the API GW would work with HTTPS offloading/acceleration.
If it were HTTPS offloading, it would do the following: the external connection would terminate on the load balancer, which then re-encrypts to the real server on a different port, with a source NAT set to push the traffic back to the load balancer.
This would allow more intelligence for session persistence on the load balancer.
The other option is to just pass the traffic straight through and do no termination of the sessions.
Any help on the best/supported way of setting this up would be great.
Thanks
Terminating SSL at API Gateway tunneling through the LB:
SSL certs need to be added to all the upstream API Gateway instances.
For mSSL, the client certificate needs to be added to all the API Gateway instances.
Less latency, as there is only one SSL termination.
Terminating SSL at LB:
SSL certs & client certs have to be configured at the LB, common to all API Gateway instances.
Upstream can be HTTP and HTTPS; if it is HTTPS there is additional latency: a second SSL handshake to API Gateway.
Path-based routing to a port is possible (some of the HTTPS traffic can be terminated and sent to the HTTP port; external ports can be used for runtime to employ the threat protection feature).
Latest SSL version support will be available in the LB.
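To make the two options above concrete, here is an added F5 tmsh-style configuration sketch (not from the original post or from the API Gateway documentation): option A terminates TLS and the client-certificate check at the LB, re-encrypts to the gateways on a different port and uses SNAT automap so replies return through the LB; option B is a plain TCP pass-through. All object names, addresses and the backend port are assumed placeholders, and the `#` lines are annotations for the reader, not tmsh syntax.

```tmsh
# Option A: TLS offload at the LB, re-encrypt to API Gateway, SNAT automap.
ltm profile client-ssl apigw_clientssl {
    defaults-from clientssl
    cert-key-chain {
        apigw { cert apigw.crt key apigw.key chain apigw-chain.crt }
    }
    # mSSL handled once, at the LB: require and verify the client cert here
    peer-cert-mode require
    ca-file trusted-clients-ca.crt
}
ltm pool apigw_https_pool {
    monitor https
    members {
        10.0.0.11:5543 { address 10.0.0.11 }
        10.0.0.12:5543 { address 10.0.0.12 }
    }
}
ltm virtual apigw_vs_offload {
    destination 192.0.2.10:443
    ip-protocol tcp
    profiles {
        tcp { }
        http { }
        apigw_clientssl { context clientside }
        # serverssl = the second TLS handshake towards the gateway
        serverssl { context serverside }
    }
    pool apigw_https_pool
    source-address-translation { type automap }
    # cookie persistence is possible only because the LB sees plaintext HTTP
    persist { cookie { default yes } }
}

# Option B: pass-through; each API Gateway terminates TLS, the LB sees only TCP.
ltm pool apigw_passthru_pool {
    monitor tcp
    members {
        10.0.0.11:5543 { address 10.0.0.11 }
        10.0.0.12:5543 { address 10.0.0.12 }
    }
}
ltm virtual apigw_vs_passthru {
    destination 192.0.2.11:443
    ip-protocol tcp
    profiles { fastL4 { } }
    pool apigw_passthru_pool
    source-address-translation { type automap }
    # no HTTP visibility, so only source-address persistence is available
    persist { source_addr { default yes } }
}
```

With option A the gateway only ever sees the LB's SNAT address as the client, so forwarding the original client IP (for example via an X-Forwarded-For insert on the HTTP profile) is worth considering if the gateway's logging or threat-protection rules depend on it.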