Application delivery controllers carry per-instance and throughput-tier licensing, premium appliance hardware, and per-module fees (WAF, GSLB). Open-source proxies (HAProxy, NGINX, Traefik) deliver L4/L7 load balancing and TLS termination on commodity hardware, removing the license tax for many use cases.
Choosing a target
- HAProxy — high-performance L4/L7, rich ACLs; the closest open analog to a hardware ADC.
- NGINX — versatile reverse proxy/LB, huge ecosystem.
- Traefik — dynamic, cloud-native ingress, ideal for Kubernetes.
Translate config carefully
Inventory virtual servers (VIPs), pools/members, health checks, and persistence, then export rules/policies (F5 iRules, NetScaler content-switching) and TLS certificates. The translation work is mapping each virtual server to a frontend/backend pair, and each rule or iRule to ACLs and http-request logic. Migrate certs into the proxy’s store and replicate health checks and session persistence.
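One way to script the mapping described above, as an added example rather than code from this page or from any vendor. The inventory schema, names, addresses and certificate path are constructed assumptions; the emitted HAProxy directives are standard ones.

```python
# Added example. The inventory schema is constructed and vendor-neutral
# (an assumption), not an F5 or NetScaler export format.
POOLS = {
    "web": {"members": [("web1", "10.0.0.11", 8080), ("web2", "10.0.0.12", 8080)],
            "monitor": ("/healthz", 200), "persistence": "cookie"},
    "api": {"members": [("api1", "10.0.0.21", 9000)],
            "monitor": ("/ping", 200), "persistence": "source_ip"},
}
VSERVERS = [{"name": "shop", "vip": "192.0.2.10", "port": 443,
             "cert": "/etc/haproxy/certs/shop.pem",   # hypothetical path
             "default_pool": "web", "rules": [("/api", "api")]}]

def frontend(vs, pools):
    """Virtual server -> frontend; content-switching rules -> ACLs."""
    out = [f"frontend fe_{vs['name']}", "    mode http",
           f"    bind {vs['vip']}:{vs['port']} ssl crt {vs['cert']}"]
    for i, (prefix, pool) in enumerate(vs["rules"]):
        if pool not in pools:  # fail loudly instead of emitting a dangling rule
            raise KeyError(f"{vs['name']}: rule targets unknown pool {pool!r}")
        out += [f"    acl rule{i} path_beg {prefix}",
                f"    use_backend be_{pool} if rule{i}"]
    return out + [f"    default_backend be_{vs['default_pool']}"]

def backend(name, pool):
    """Pool -> backend, carrying over health check and persistence."""
    path, status = pool["monitor"]
    out = [f"backend be_{name}", "    mode http", "    balance roundrobin",
           f"    option httpchk GET {path}",
           f"    http-check expect status {status}"]
    mode = pool["persistence"]
    if mode == "cookie":
        out.append("    cookie SRV insert indirect nocache")
    elif mode == "source_ip":  # table size and expiry are assumed values
        out += ["    stick-table type ip size 100k expire 30m", "    stick on src"]
    elif mode is not None:
        raise ValueError(f"{name}: unmapped persistence mode {mode!r}")
    for srv, ip, port in pool["members"]:
        suffix = f" cookie {srv}" if mode == "cookie" else ""
        out.append(f"    server {srv} {ip}:{port} check{suffix}")
    return out

def render(vservers, pools):
    """Emit one frontend per virtual server and one backend per pool."""
    blocks = [frontend(vs, pools) for vs in vservers]
    blocks += [backend(n, p) for n, p in pools.items()]
    return "\n\n".join("\n".join(b) for b in blocks) + "\n"

if __name__ == "__main__":
    print(render(VSERVERS, POOLS))
```

Run the generated file through `haproxy -c -f <file>` before staging it. A persistence mode or rule target with no mapping raises an error instead of being silently dropped from the translated config.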
Sizing & the right tier
Size for L7 throughput and SSL/TLS TPS — and remember that TLS termination/inspection is CPU-intensive. Deploy active/standby (e.g. with keepalived/CARP) for HA, matching the resilience you had.
Cutover by swinging traffic
Stage the new proxy and warm it with test traffic, validate routing/persistence/TLS live (curl/SNI checks), then swing the VIP or DNS per service to the new proxy — keeping the old ADC configured as immediate fallback through hypercare. Roll back by swinging DNS back.
Validation
Validate L4/L7 routing and persistence, TLS/SNI and certificate validation, and health-check and failover behavior, then run a load/throughput test versus baseline.