Forum Discussion
iControl vs AS3
I just started looking into F5 REST APIs. I've been told that iControl will be deprecated in favor of AS3. But, some reading about AS3 makes it look like it is used to configure F5 devices. I didn't find a way to just query device properties, for example, using the iControl /mgmt/tm/cm/device URI. Does AS3 provide this?
Hey cbarlock - let me help you answer your question about AS3 vs Rest, i believe that the aim is more of AS3 should be considered the gold standard to delivering applications, for things like what you are talking about (querying and gathering data) to fill in blanks i think those will be around for a very long time, either that or will be adapated to something that will be more in-line with our Automation toolchain.
The automation toolchains are really aimed at deploying configurations in their endstate so in theory you wouldnt need to query an object as it would be configured to however the templates are designed, and any modifications would be done to the templates never within the GUI or CLI so the templates become the single source of truth.
There are 3 major parts of our Automation Tool Chain as per (https://www.f5.com/products/automation-and-orchestration). Ill try to explain to you how i define them.
- Declarative Onboarding (DO) - This is where you are setting up the F5 think of Day 1 type operations, setting up the BIG-IP (IPs/DNS/NTP/Self IPs/VLANS/Modules deployed/Sync Groups/etc.). DO is really about configuring the device(s) if you would like to see a example declaration i do with ansible and vSphere deployments.
https://github.com/VDI-Tech-Guy/f5-bd-bigip-vmware-vSphere/blob/main/roles/F5-Roles/do_configure/templates/do_configure.j2 - Applications Services 3 (AS3) - this is all about delivering applications within tenants, the idea of AS3 is to have 1 single declaration to deliver the "End State" of your deployment (for that tenant (partition)). Think of it as deploying all your vips/pools/nodes in their final configured state for the entire tenant (if thats 100s of vips or 10 vips) and the declaration contains the entire deployment for that tenant. The biggest thing to note here is that AS3 NEVER writes to the common partition and this is by design. the reason it wont write to common is becuase if think of common as ROOT and wrote its end state it would have to track every tenant within it or you could wipe out the entire root and partition set... so this is why its not allowed. AS3 is all about the Apps tho so when you think about delivering apps AS3 is what you aim for.
Here is an example of AS3 deployments that i do for deploying apps via our Ansible 101/201 courses where you are filling in variables in a template to deploy out tenants.
https://github.com/f5devcentral/f5-bd-ansible-labs/blob/main/201-F5-Advanced/AS3/01-Deploy-SSL-Enabled-App_Services-AS3/j2/https.j2 - Telemetry Streaming (TS) - is all about monitoring applications delivered, and setting up that monitoring with either BIG-IQ or other montioring services like Prometheus, Elastic/Kibana, Splunk etc. If you want to start doing things like Event-Driven Automation setting up some sort of telemetry is going to be key to delivering that level of automation.
Here is an example of TS with Elastic -
https://github.com/F5Networks/f5-telemetry-streaming/blob/master/examples/declarations/elasticsearch.json
Hopefully this helps answer your questions (sorry if long winded), and if not please let me know
- Declarative Onboarding (DO) - This is where you are setting up the F5 think of Day 1 type operations, setting up the BIG-IP (IPs/DNS/NTP/Self IPs/VLANS/Modules deployed/Sync Groups/etc.). DO is really about configuring the device(s) if you would like to see a example declaration i do with ansible and vSphere deployments.
- Matt_MabisEmployee
Hey cbarlock - let me help you answer your question about AS3 vs Rest, i believe that the aim is more of AS3 should be considered the gold standard to delivering applications, for things like what you are talking about (querying and gathering data) to fill in blanks i think those will be around for a very long time, either that or will be adapated to something that will be more in-line with our Automation toolchain.
The automation toolchains are really aimed at deploying configurations in their endstate so in theory you wouldnt need to query an object as it would be configured to however the templates are designed, and any modifications would be done to the templates never within the GUI or CLI so the templates become the single source of truth.
There are 3 major parts of our Automation Tool Chain as per (https://www.f5.com/products/automation-and-orchestration). Ill try to explain to you how i define them.
- Declarative Onboarding (DO) - This is where you are setting up the F5 think of Day 1 type operations, setting up the BIG-IP (IPs/DNS/NTP/Self IPs/VLANS/Modules deployed/Sync Groups/etc.). DO is really about configuring the device(s) if you would like to see a example declaration i do with ansible and vSphere deployments.
https://github.com/VDI-Tech-Guy/f5-bd-bigip-vmware-vSphere/blob/main/roles/F5-Roles/do_configure/templates/do_configure.j2 - Applications Services 3 (AS3) - this is all about delivering applications within tenants, the idea of AS3 is to have 1 single declaration to deliver the "End State" of your deployment (for that tenant (partition)). Think of it as deploying all your vips/pools/nodes in their final configured state for the entire tenant (if thats 100s of vips or 10 vips) and the declaration contains the entire deployment for that tenant. The biggest thing to note here is that AS3 NEVER writes to the common partition and this is by design. the reason it wont write to common is becuase if think of common as ROOT and wrote its end state it would have to track every tenant within it or you could wipe out the entire root and partition set... so this is why its not allowed. AS3 is all about the Apps tho so when you think about delivering apps AS3 is what you aim for.
Here is an example of AS3 deployments that i do for deploying apps via our Ansible 101/201 courses where you are filling in variables in a template to deploy out tenants.
https://github.com/f5devcentral/f5-bd-ansible-labs/blob/main/201-F5-Advanced/AS3/01-Deploy-SSL-Enabled-App_Services-AS3/j2/https.j2 - Telemetry Streaming (TS) - is all about monitoring applications delivered, and setting up that monitoring with either BIG-IQ or other montioring services like Prometheus, Elastic/Kibana, Splunk etc. If you want to start doing things like Event-Driven Automation setting up some sort of telemetry is going to be key to delivering that level of automation.
Here is an example of TS with Elastic -
https://github.com/F5Networks/f5-telemetry-streaming/blob/master/examples/declarations/elasticsearch.json
Hopefully this helps answer your questions (sorry if long winded), and if not please let me know
- Leslie_HubertusRet. Employee
Hey Matt_Mabis - apologies, your reply somehow got caught up in our automated spam filter. I've released it now, so everyone can see it!
cbarlock - if this answered your question, can you please hit the Accept as Solution button on Matt's post so that future users can easily find the answer they're looking for?
- cbarlockAltocumulus
Thank you Matt! Very thorough explanation.
- Declarative Onboarding (DO) - This is where you are setting up the F5 think of Day 1 type operations, setting up the BIG-IP (IPs/DNS/NTP/Self IPs/VLANS/Modules deployed/Sync Groups/etc.). DO is really about configuring the device(s) if you would like to see a example declaration i do with ansible and vSphere deployments.
- Leslie_HubertusRet. Employee
Hi cbarlock - did you see this AS3 Best Practice article?
- cbarlockAltocumulus
Thank you, no. I will read it!
- cbarlockAltocumulus
That best practices article didn't address my question.
- Leslie_HubertusRet. Employee
OK, I'll ask one of my colleagues to swing by this thread.
- cbarlockAltocumulus
In the AS3 documentation, it says:
If you attempt to use GET, but you do not currently have any AS3-produced configuration on the target device, the system responds with a 204 HTTP status (“The server successfully processed the request and is not returning any content”).This makes me think that you can't use AS3 to query F5 device configuration (say virtual servers or network config) like you can with iControl REST.
- ZdenekCirrostratus
Hello, I see quite some answers in this topic, but no-one confirmed or denied this "iControl will be deprecated in favor of AS3."
We have built quite a massive automation using F5 Rest API (iControl Rest) where we directly go to F5 without any iWorkflow, BigIQ, AS3. I believe the RestAPI is going to be available for long time and no changes to that are planned, right?- Matt_MabisEmployee
iControl will be utilized in BIG-IP Classic until its full end of life as far as i know, moving forward into our future product scopes i.e. (Next, XC) Product lines will heavily focus on our declaritive delivery so it is the recommendation of F5 to eventually migrate over to an AS3 format for your code so that you can have a proper migration strategy when the full end-of-life for BIG-IP Classic happens you have a path forward into our next generation of products.
in our public documentation it refers to in our NEXT Platform how iControl is transitioned to Declarative API.
https://www.f5.com/pdf/products/an-introduction-to-big-ip-next-f5s-next-generation-big-ip-software.pdfBIG-IP Next completes the transition away from imperative APIs (iControl REST)—where individual commands must be arduously sequenced together to automate simple tasks—to a more powerful, flexible, and entirely declarative model where desired end-state declarations centered around use cases are all that is required to automatically configure instances. This shift makes deploying and configuring applications faster and also replaces the need for extensive domain knowledge—making it easier for administrators to automate tasks. F5’s Declarative API, Application Services 3 (AS3), is carried forward from BIG-IP and continues to be the primary API for L4-L7 app services configuration, automating configurations required for all application services in a single declarative API call. All the benefits of a declarative configuration model can also be realized on BIG-IP Next through F5 App Services Templates (FAST), which provide a fast and easy way to deploy applications with minor inputs and minimal system knowledge. AS3 declarations and FAST templates used to configure BIG-IP TMOS devices can be modified by the Journeys Migration Service to be compatible with BIGIP Next, allowing reuse of existing declarations and templates when migrating applications to BIG-IP Next. Both AS3 and FAST templates are fully integrated within BIG-IP Next software so that extension installation is no longer required. Compatibility with leading automation and orchestration tools, such as Ansible and Terraform is also maintained, allowing DevOps or developer teams to integrate app services deployments as part of their CI/CD pipelines. Additionally, F5’s declarative API supports multi-threading which enables tasks from multiple orchestrators to be processed concurrently, benefiting multi-tenant deployments
Hopefully this answer helps.
- ZdenekCirrostratus
Thanks for taking time to answer, appreciate it. Regarding "almost sacred" declarative model, well not sure how about others, but in our case it's not just about deploying stuff, but also about visibility. Over the years we built complex database where we keep VIPs<>irule/policy/pools/sslprofiles/sslcert/key/csr in the database and visualise it in our portal. We are able to show all mapped objects in well readable format and connect it with our automation etc. This is not about declarative vs imperative model, but about getting to the low-level data, if F5 decides to drop direct API access then it would loose one of its biggest benefits it brings us at the moment, simply said versatility and maturity of F5 API was a key factor for us when deciding about ADC vendor.
Another case is, for example, SSL certificate automation with ACME we built above the data we have, so it's fairly easy to onboard new service to the SSL cert order, we can map it easily and proceed with CSR signing and installing it to any LB/SSL profile where it's needed. Again, I cannot imagine what would be the approach with declartive model here.
I understand F5 needs to keep API attractive to non F5 "guru" users who need to publish service with minimal effort, then declarative model is perfectly fine, we do that as well with our declarative model 🙂 But imperative model has strong position and I think I am not alone here.
Sorry for longer post..
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com