Recently I have implemented automation for F5 operations. We can achieve more operation efficiency and savings through this, just sharing some overview and sample tasks using Ansible
What Is BIG-IP?
BIG-IP is a collection of hardware platforms and software solutions providing services focused on security, reliability, and performance.
BIG-IP software products are licensed modules that run on top of F5’s Traffic Management Operation System® (TMOS). This custom operating system is an event driven operating system designed specifically to inspect network and application traffic and make real-time decisions based on the configurations you provide. The BIG-IP software can run on hardware or can run in virtualized environments. Virtualized systems provide BIG-IP software functionality where hardware implementations are unavailable, including public clouds and various managed infrastructures where rack space is a critical commodity.
BIG-IP Primary Software Modules
BIG-IP Local Traffic Manager (LTM) — Central to F5’s full traffic proxy functionality, LTM provides the platform for creating virtual servers, performance, service, protocol, authentication, and security profiles to define and shape your application traffic. Most other modules in the BIG-IP family use LTM as a foundation for enhanced services.
BIG-IP DNS — Formerly Global Traffic Manager, BIG-IP DNS provides similar security and load balancing features that LTM offers but at a global/multi-site scale. BIG-IP DNS offers services to distribute and secure DNS traffic advertising your application namespaces.
BIG-IP Access Policy Manager (APM) — Provides federation, SSO, application access policies, and secure web tunneling. Allow granular access to your various applications, virtualized desktop environments, or just go full VPN tunnel.
Secure Web Gateway Services (SWG) — Paired with APM, SWG enables access policy control for internet usage. You can allow, block, verify and log traffic with APM’s access policies allowing flexibility around your acceptable internet and public
BIG-IP Application Security Manager (ASM) — This is F5’s web application firewall (WAF) solution. Traditional firewalls and layer 3 protection don’t understand the complexities of many web applications. ASM allows you to tailor acceptable and expected application behavior on a per application basis
BIG-IP Advanced Firewall Manager (AFM) — AFM is designed to reduce the hardware and extra hops required when ADC’s are paired with traditional firewalls. Operating at L3/L4, AFM helps protect traffic destined for your data center. Paired with ASM, you can implement protection services at L3 — L7 for a full ADC and Security solution in one box or virtual environment.
Creating Ansible Playbook for BIG-IP operations - name: Create a VIP, pool and pool members hosts: bigip.local connection: local Connection: local
First, connection: local applies to all hosts in the playbook. If you find yourself mixing and matching BIG-IP hosts with things like web servers, it would cause your legitimate ssh connections to fail.
This is because when you specify connection: local, every host is now considered to have 127.0.0.1 as their IP address.
The above play set the connection parameters to connect big_ip load balanacer,”provider” called in each operations of big ip like create pool, modify pool & etc and the provider can also define in separate yaml file and called using include_vars:
Add a pool A pool represents a collection of resources. These resources typically deliver a service that is identical. By assigning them to a pool, the BIG-IP is able to distribute requests among them.
Below sample to create a pool called web:
Add two pool members
Now you want to create the pool members in your BIG-IP configuration. Members represent where the traffic coming through a virtual server will eventually land. They could be physical gear, VMs, or other devices.
Add a virtual server
Now that you created your pool and the nodes are members of that pool, you want to create a virtual IP address so that external requests go to the pool members. Create VIP, below is the sample play
Recently I have written play book for change pool member status with several conditions and conditions are below
Pool Member change action provided in variable like –extra-vars ‘action=disable’
Credentials details from another var file
Check the pool member already exists in the pool
Log the details in log file
Defined Big_IP credentials in another var file
Creating a log file for everyday ( /tmp/F5_date.log)
Registering date in a variable using linux shell module
Create log file if does not exists — used file module
Collect the pool member details using bigip_device_facts with subset ltm-pools and assigning to variable
bigip_device_facts displays all the pool members in the LB. The requested pool member can be filtered using name ( example : host:80) or full path
Output of — ltm-pools subset
Pool member name and State filtered using Json query
Display the status of the pool member
Change the status of the pool member when action = ‘disable’ or action=’enable or action=’force’
Updating the result into log file