May 01, 2023

Need to merge two access policies established through the visual policy editor.

Using F5 BIG-IP Virtual Edition Version: Build 0.0.14

According to my technical lead, F5 recommends that people move away from using F5 iRules and place everything in an access policy using the F5 visual policy editor. The technical lead has commanded me to merge two access policies which are similar but not identical.

1. Can anyone recommend a strategy for merging these two complex access policies?
2. Is there a tool for merging these two complex access policies?

We have enterprise support, but the technical lead elects to not grant me access.

  • To be clear, we don't recommend people move away from iRules. 

    We recommend people make excellent access policies with all the options and choose where to apply them (on what vip). A single vip should not have to go that deep (iRules) most of the time, when an access policy can include all scenarios.

    I would recommend you break your policies into macros as much as possible to make them easier to manage.. and migrate. So for this.. make macros for your smaller policies and have them branch off the main policy.

  • Thanks for the reply Aubrey. As a user, I find orienting on best practices before getting in too deep helps.

    Though I am currently being directed to discard infrastructure as code (IaC), I favor an IaC approach over the visual policy editor. So I have been examining the tooling around setting up the F5 BIG-IP. There are a lot of solutions using Ansible to set up the load balancer. Then there is the current discussion of using a declarative model vs using an imperative model. It's my understanding that F5 is creating a movement toward the declarative model through tooling such as the Application Services 3 (AS3) extension, whereas historically it has been an imperative model. If you have time, I would love to hear your opinion on this.

      I think F5 is definitely moving to declarative. You see that with AS3, for sure, but you also see it with our more modern software in the Distributed Cloud (F5 XC) with more open standards than AS3. Unfortunately, there has not been enough APM added to the Distributed Cloud yet, but I'm sure it'll get there.. and it'll be Declarative all the way.

      One thing people may not have largely realized is that last year, F5 became the first sizable tech company - ever - to transition successfully from a hardware to a software company. According to our annual shareholders call at the end of last fiscal year, >50% of our revenue was software. Some might think, "well.. that's all specialized software for your hardware, right?" No. We have already ported our WAF engine to all platforms in the portfolio - VIPRION, BIG-IP, VE, NGINX+ and F5 XC. Rest assured we will be looking to port all of our software across all of our platforms.

      To do this, we need to be 100% Declarative. That's my take, as an F5 fan.