External Loadbalancer setup - good practice config

I've been trying to find any guidance on setting up an external load balancer for API GW to avoid too much trial and error.

Planning to use F5 BigIP LTM to do the load balancing and am not sure how well the API GW would work with HTTPS offloading/acceleration.

If it was HTTPS offloading, it would do the following: the external connection would terminate on the load balancer, which then re-encrypts to the real server on a different port, with a source NAT set to push the traffic back to the load balancer.
This would allow more intelligence for session persistence on the load balancer.

The other option is to just pass the traffic straight through and do no termination of the sessions.

Any help on the best/supported way of setting this up would be great.
Thanks

Hi Chris,
Both options are possible.

Terminating SSL at API Gateway tunneling through the LB:

  1. SSL certs need to be added to all the upstream API Gateway instances

  2. For mSSL, the client certificate needs to be added to all the API Gateway instances

  3. Less latency, as in there is only one SSL termination

Terminating SSL at LB:

  1. SSL certs & client certs have to be configured once at the LB, common to all API Gateways

  2. Upstream can be HTTP or HTTPS; if it is HTTPS there is additional latency – a second SSL handshake to API Gateway

  3. Path-based routing to a port is possible – (some of the HTTPS traffic can be terminated and sent to the HTTP port; external ports can be used for runtime to employ the threat protection feature).

  4. Latest SSL version support will be available in the LB.

Hope this helps.

Regards.
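As an added illustration of the two options described in the reply above (not part of the original thread, and not a vendor-published configuration), here is how they look as F5 BIG-IP LTM tmsh objects. Virtual server and pool addresses, object names, the 8443 upstream port and the certificate/key file names are placeholders, and validating the gateway's certificate on the server-side SSL profile is an assumption, not something the thread specifies.

```tmsh
# Option A: passthrough, TLS (and any mTLS) terminates on the API Gateway
ltm pool apigw_https_pool {
    members { 10.0.0.11:443 { address 10.0.0.11 } 10.0.0.12:443 { address 10.0.0.12 } }
    monitor tcp
}
ltm virtual apigw_passthrough_vs {
    destination 192.0.2.10:443
    ip-protocol tcp
    profiles { tcp { } }
    pool apigw_https_pool
    # no SSL profiles: L7 is opaque to the LB, so persistence is by source address
    persist { source_addr { default yes } }
    source-address-translation { type automap }
}

# Option B: terminate TLS at the LB, re-encrypt to the gateway on another port
ltm profile client-ssl apigw_clientssl {
    defaults-from clientssl
    cert-key-chain { apigw { cert apigw.crt key apigw.key } }
}
ltm profile server-ssl apigw_serverssl {
    defaults-from serverssl
    # assumption: the gateway certificate is validated against an uploaded CA bundle
    peer-cert-mode require
    ca-file apigw-ca.crt
}
ltm pool apigw_reencrypt_pool {
    members { 10.0.0.11:8443 { address 10.0.0.11 } 10.0.0.12:8443 { address 10.0.0.12 } }
    monitor https
}
ltm virtual apigw_offload_vs {
    destination 192.0.2.11:443
    ip-protocol tcp
    profiles {
        tcp { }
        http { }
        apigw_clientssl { context clientside }
        apigw_serverssl { context serverside }
    }
    pool apigw_reencrypt_pool
    # LB sees HTTP now, so cookie persistence is possible
    persist { cookie { default yes } }
    source-address-translation { type automap }
}
```

The `#` lines are annotations for reading and should be removed before loading the objects. Because both options use source NAT, the gateway sees the LB's address as the client; in option B the http profile can insert an X-Forwarded-For header (`insert-xforwarded-for enabled`) if the gateway's threat-protection rules need the original client IP.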