Forum Discussion

cbarlock's avatar
cbarlock
Icon for Altocumulus rankAltocumulus
Mar 02, 2023
Solved

iControl vs AS3

I just started looking into F5 REST APIs.  I've been told that iControl will be deprecated in favor of AS3.  But, some reading about AS3 makes it look like it is used to configure F5 devices.  I didn...
cloud
  • Matt_Mabis's avatar
    Matt_Mabis
    Mar 07, 2023

    Hey cbarlock - let me help you answer your question about AS3 vs Rest, i believe that the aim is more of AS3 should be considered the gold standard to delivering applications, for things like what you are talking about (querying and gathering data) to fill in blanks i think those will be around for a very long time, either that or will be adapated to something that will be more in-line with our Automation toolchain.   

    The automation toolchains are really aimed at deploying configurations in their endstate so in theory you wouldnt need to query an object as it would be configured to however the templates are designed, and any modifications would be done to the templates never within the GUI or CLI so the templates become the single source of truth. 

    There are 3 major parts of our Automation Tool Chain as per (https://www.f5.com/products/automation-and-orchestration).  Ill try to explain to you how i define them.

    • Declarative Onboarding (DO) - This is where you are setting up the F5 think of Day 1 type operations, setting up the BIG-IP (IPs/DNS/NTP/Self IPs/VLANS/Modules deployed/Sync Groups/etc.).  DO is really about configuring the device(s) if you would like to see a example declaration i do with ansible and vSphere deployments.
      https://github.com/VDI-Tech-Guy/f5-bd-bigip-vmware-vSphere/blob/main/roles/F5-Roles/do_configure/templates/do_configure.j2

    • Applications Services 3 (AS3) - this is all about delivering applications within tenants, the idea of AS3 is to have 1 single declaration to deliver the "End State" of your deployment (for that tenant (partition)).  Think of it as deploying all your vips/pools/nodes in their final configured state for the entire tenant (if thats 100s of vips or 10 vips) and the declaration contains the entire deployment for that tenant. The biggest thing to note here is that AS3 NEVER writes to the common partition and this is by design.  the reason it wont write to common is becuase if think of common as ROOT and wrote its end state it would have to track every tenant within it or you could wipe out the entire root and partition set... so this is why its not allowed.  AS3 is all about the Apps tho so when you think about delivering apps AS3 is what you aim for.
      Here is an example of AS3 deployments that i do for deploying apps via our Ansible 101/201 courses where you are filling in variables in a template to deploy out tenants.
      https://github.com/f5devcentral/f5-bd-ansible-labs/blob/main/201-F5-Advanced/AS3/01-Deploy-SSL-Enabled-App_Services-AS3/j2/https.j2

    • Telemetry Streaming (TS) - is all about monitoring applications delivered, and setting up that monitoring with either BIG-IQ or other montioring services like Prometheus, Elastic/Kibana, Splunk etc.  If you want to start doing things like Event-Driven Automation setting up some sort of telemetry is going to be key to delivering that level of automation.
      Here is an example of TS with Elastic - 
      https://github.com/F5Networks/f5-telemetry-streaming/blob/master/examples/declarations/elasticsearch.json

    Hopefully this helps answer your questions (sorry if long winded), and if not please let me know

JRahm's avatar
JRahm
Icon for Admin rankAdmin
Dec 19, 2023

Hi Zdenek , ACME cert management will have no problem integrating into the BIG-IP Next way of doing things. Unclear to me if it's 100% today, but definitely on the roadmap if not. Even if not fully integrated today, you can manage your certificates for applications off-instance, and then send them in declarations as documents to CM, and then from CM those documents can be deployed as application services to instances and go from draft->active workload. It's a new way of thinking about things from a management perspective, but at the end of the workflow, it's still a configuration on an instance doing a job. That configuration is just going to be AS3 instead of a config file. It's just json, so that information can be grokked just as well from that format as the big-ip configuration file format. It's definitely going to take some work for customers who already have a lot of automation in place, we're sensitive to that and acknowledge the work ahead, it's why we're talking about it now to give everyone a few years to plan.

Even though control plane access is shifting mostly (there will be some laggers, like cert management) to Central Manager, the APIs will not be problematic to pull the information you need, most of the logs/metrics will be retrievable directly from CM, and if you need that data elsewhere, you can set up otel directives on the instances to stream logs and/or metrics directly to 3rd party servers. 

I'm going to to a generic home labs office hours next week 9am-noon pacific on Dec 28th, happy to chat about that stuff live and understand your pain points so I can communicate them back to the team!

Zdenek's avatar
Zdenek
Icon for Cirrostratus rankCirrostratus
Dec 19, 2023

We already are in production with our ACME solution, all the logic is at our end, only we need from F5 are iRules (for domain validation) and then few API calls to import and install certs, that's it. We are not in need to use any robust product because we made it "home-made" tailored to our needs.

Anyway, I work for managed service provider, we are not some small/medium/large company focused to just our products, but we serve multiple different customers and customer environments are different, some are very special - historically. Standarization is ongoing but it's long run and we cannot make any hard cuts, because it means, in some cases, to loose a sales case. Trust me, I faced it already and had to sacrifice level of the standardization (and thus automation) to be able to adapt to the situation and have a deal.

You mentioned:

I'm going to to a generic home labs office hours next week 9am-noon pacific on Dec 28th, happy to chat about that stuff live and understand your pain points so I can communicate them back to the team!

I would be happy if we can talk, 20 mins and you get an idea, of course, if you are interested. We are bit advanced, about 20 thousands line of code related to F5 orchestration, we started to use API since F5 leaved SOAP model. Please leave me a message if you'd like to meet up. Thanks

  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Dec 26, 2023

    Sure thing, Zdenek! Shoot me a direct message with some times (PST please) and dates that work for you in the first couple of weeks in January.