Forum Discussion

cbarlock's avatar
cbarlock
Icon for Altocumulus rankAltocumulus
Mar 02, 2023

iControl vs AS3

I just started looking into F5 REST APIs.  I've been told that iControl will be deprecated in favor of AS3.  But, some reading about AS3 makes it look like it is used to configure F5 devices.  I didn...
cloud
  • Matt_Mabis's avatar
    Matt_Mabis
    Mar 08, 2023

    Hey cbarlock - let me help you answer your question about AS3 vs Rest, i believe that the aim is more of AS3 should be considered the gold standard to delivering applications, for things like what you are talking about (querying and gathering data) to fill in blanks i think those will be around for a very long time, either that or will be adapated to something that will be more in-line with our Automation toolchain.   

    The automation toolchains are really aimed at deploying configurations in their endstate so in theory you wouldnt need to query an object as it would be configured to however the templates are designed, and any modifications would be done to the templates never within the GUI or CLI so the templates become the single source of truth. 

    There are 3 major parts of our Automation Tool Chain as per (https://www.f5.com/products/automation-and-orchestration).  Ill try to explain to you how i define them.

    • Declarative Onboarding (DO) - This is where you are setting up the F5 think of Day 1 type operations, setting up the BIG-IP (IPs/DNS/NTP/Self IPs/VLANS/Modules deployed/Sync Groups/etc.).  DO is really about configuring the device(s) if you would like to see a example declaration i do with ansible and vSphere deployments.
      https://github.com/VDI-Tech-Guy/f5-bd-bigip-vmware-vSphere/blob/main/roles/F5-Roles/do_configure/templates/do_configure.j2

    • Applications Services 3 (AS3) - this is all about delivering applications within tenants, the idea of AS3 is to have 1 single declaration to deliver the "End State" of your deployment (for that tenant (partition)).  Think of it as deploying all your vips/pools/nodes in their final configured state for the entire tenant (if thats 100s of vips or 10 vips) and the declaration contains the entire deployment for that tenant. The biggest thing to note here is that AS3 NEVER writes to the common partition and this is by design.  the reason it wont write to common is becuase if think of common as ROOT and wrote its end state it would have to track every tenant within it or you could wipe out the entire root and partition set... so this is why its not allowed.  AS3 is all about the Apps tho so when you think about delivering apps AS3 is what you aim for.
      Here is an example of AS3 deployments that i do for deploying apps via our Ansible 101/201 courses where you are filling in variables in a template to deploy out tenants.
      https://github.com/f5devcentral/f5-bd-ansible-labs/blob/main/201-F5-Advanced/AS3/01-Deploy-SSL-Enabled-App_Services-AS3/j2/https.j2

    • Telemetry Streaming (TS) - is all about monitoring applications delivered, and setting up that monitoring with either BIG-IQ or other montioring services like Prometheus, Elastic/Kibana, Splunk etc.  If you want to start doing things like Event-Driven Automation setting up some sort of telemetry is going to be key to delivering that level of automation.
      Here is an example of TS with Elastic - 
      https://github.com/F5Networks/f5-telemetry-streaming/blob/master/examples/declarations/elasticsearch.json

    Hopefully this helps answer your questions (sorry if long winded), and if not please let me know

Zdenek's avatar
Zdenek
Icon for Cirrostratus rankCirrostratus
Dec 14, 2023

Hello, I see quite some answers in this topic, but no-one confirmed or denied this "iControl will be deprecated in favor of AS3."

We have built quite a massive automation using F5 Rest API (iControl Rest) where we directly go to F5 without any iWorkflow, BigIQ, AS3. I believe the RestAPI is going to be available for long time and no changes to that are planned, right?

  • Matt_Mabis's avatar
    Matt_Mabis
    Icon for Employee rankEmployee
    Dec 19, 2023

    iControl will be utilized in BIG-IP Classic until its full end of life as far as i know, moving forward into our future product scopes i.e. (Next, XC) Product lines will heavily focus on our declaritive delivery so it is the recommendation of F5 to eventually migrate over to an AS3 format for your code so that you can have a proper migration strategy when the full end-of-life for BIG-IP Classic happens you have a path forward into our next generation of products. 

    in our public documentation it refers to in our NEXT Platform how iControl is transitioned to Declarative API.
    https://www.f5.com/pdf/products/an-introduction-to-big-ip-next-f5s-next-generation-big-ip-software.pdf

    BIG-IP Next completes the transition away from imperative APIs (iControl REST)—where
individual commands must be arduously sequenced together to automate simple tasks—to a
more powerful, flexible, and entirely declarative model where desired end-state declarations
centered around use cases are all that is required to automatically configure instances. This
shift makes deploying and configuring applications faster and also replaces the need for
extensive domain knowledge—making it easier for administrators to automate tasks. F5’s
Declarative API, Application Services 3 (AS3), is carried forward from BIG-IP and continues to
be the primary API for L4-L7 app services configuration, automating configurations required
for all application services in a single declarative API call. All the benefits of a declarative
configuration model can also be realized on BIG-IP Next through F5 App Services Templates
(FAST), which provide a fast and easy way to deploy applications with minor inputs and
minimal system knowledge. AS3 declarations and FAST templates used to configure BIG-IP
TMOS devices can be modified by the Journeys Migration Service to be compatible with BIGIP Next, allowing reuse of existing declarations and templates when migrating applications
to BIG-IP Next.
Both AS3 and FAST templates are fully integrated within BIG-IP Next software so that
extension installation is no longer required. Compatibility with leading automation and
orchestration tools, such as Ansible and Terraform is also maintained, allowing DevOps or
developer teams to integrate app services deployments as part of their CI/CD pipelines.
Additionally, F5’s declarative API supports multi-threading which enables tasks from multiple
orchestrators to be processed concurrently, benefiting multi-tenant deployments

    Hopefully this answer helps. 

    • Zdenek's avatar
      Zdenek
      Icon for Cirrostratus rankCirrostratus
      Dec 19, 2023

      Thanks for taking time to answer, appreciate it. Regarding "almost sacred" declarative model, well not sure how about others, but in our case it's not just about deploying stuff, but also about visibility. Over the years we built complex database where we keep VIPs<>irule/policy/pools/sslprofiles/sslcert/key/csr in the database and visualise it in our portal. We are able to show all mapped objects in well readable format and connect it with our automation etc. This is not about declarative vs imperative model, but about getting to the low-level data, if F5 decides to drop direct API access then it would loose one of its biggest benefits it brings us at the moment, simply said versatility and maturity of F5 API was a key factor for us when deciding about ADC vendor.

      Another case is, for example, SSL certificate automation with ACME we built above the data we have, so it's fairly easy to onboard new service to the SSL cert order, we can map it easily and proceed with CSR signing and installing it to any LB/SSL profile where it's needed. Again, I cannot imagine what would be the approach with declartive model here.

      I understand F5 needs to keep API attractive to non F5 "guru" users who need to publish service with minimal effort, then declarative model is perfectly fine, we do that as well with our declarative model 🙂 But imperative model has strong position and I think I am not alone here.

      Sorry for longer post..

      • Anesh's avatar
        Anesh
        Icon for Cirrostratus rankCirrostratus
        Feb 15, 2024

        I am in agreement with Zdenek The iControl REST API gives you a lower level control of all the individual properties of the TMOS, unlike AS3 ,  also to fact that we have to figure out how to manage state, if you are not using something like Terraform...etc so it looks like more of a forced decision from f5, rather than a community driven decision to transition away from imperative to declarative model..

    • cbarlock's avatar
      cbarlock
      Icon for Altocumulus rankAltocumulus
      Dec 19, 2023

      The declarative model is fine for configuring the F5, but one of the things we do with iControl is query the F5 for information like its IP address, virtual servers, serial number, yada, yada.  I haven't seen anything that addresses this in BIG-IP Next.