Build a Simple F5 Application Services Evaluation Lab on AWS Part 1 The Plan and Plumbing
Introduction
In my ongoing attempts to both help our customers, and potential customers understand and test all the cool things you can do with a BIG-IP, I thought it was time we built a simple and easy to deploy demo environment.
The aim is to help you create a sandbox with some application servers, a BIG-IP, and some test tools, along with some examples and guidance on how to explore the more advanced traffic management and security services like blue-green deployments and bot detection.
There are plenty of more advanced deployment scenarios and production-ready deployment examples, but this is supposed to be simple deployment that can be run in a limited number of places, and is all about the application services, not about the plumbing.
This guide will take you through some of the very basics of the tools we will be using as we build the lab. If you’re familiar with building cloud infrastructure templates, tools to launch and monitor cloud configs and infrastructure-as-code, then you will probably want to wait for the later parts of this series, because ware starting very simply
So, what are we going to need?
- Some simple applications
- A BIG-IP
- Somewhere to run and manage tests
- Some documentation
I’m aiming to build an environment that looks a bit like this:
The most obvious thing to build is some kind of Cloud Infrastructure-as-a-Service (Iaas) infrastructure as Code (IaC) template solution and the most obvious place to pilot that is AWS as it’s the most-used cloud IaaS platform with a mature IaC system: CloudFormation.
AWS CloudFormation lets you build and configure a Virtual Private Cloud and populate it with networking and compute infrastructure, all based on a (relatively) simple YAML or JSON file called a Cloud Formation Template (CFT). SDK’s and CLI tools for things like PowerShell and Linux make launching, monitoring and deleting ‘stacks’ created with CFTs fast and mainly intuitive. Deleting a stack deletes all the resources created by it – which is really handy since there is going to be a lot of trial and even more error during the development of this lab.
What tools am I going to use?
- A text editor – personally I like SublimeText – but whatever floats your boat.
- The AWS tools for PowerShell – while from a server perspective I’m Unix/Linux all the way, purely due to familiarity, like many, my workstation is Windows and I really want to be able to develop and test the CFT’s without added complexity. Despite a sub-101 knowledge of PowerShell, it’s turning out to be easy to use.
- An AWS account. Obviously.
- The F5 CloudFormation Templates collection - these large, full featured, and supported templates will serve as a useful guide to building our simplified, more comprehensible template.
- Google, just so much google to find out what I’ve done wrong, and to hunt for clues to get it right.
Prerequisites
- An AWS account and IAM user – take a look at my recent article for more information on that.
- Install the AWS CLI tools for PowerShell – you *may* run into PowerShell Constrained Language Mode issues depending on your IT policy, so it might be worth testing you language mode early by using the PS C:\> $ExecutionContext.SessionState.LanguageMode command – you want to be getting FullLanguage as the response. If you are in constrained language mode then you should talk nicely to your IT security team to get that addressed.
- Next, configure credentials for your IAM user within PowerShell
Getting to “hello world”
Test your PowerShell Setup:
PS C:\> Get-EC2ImageByName WINDOWS_2016_BASE WINDOWS_2016_NANO WINDOWS_2016_CORE WINDOWS_2016_CONTAINER
….
Create an S3 Bucket to keep your CFT’s in
PS C:\> New-S3Bucket -BucketName f5cft101 -Region us-west-1 CreationDate BucketName ------------ ---------- 5/3/2019 9:08:15 PM f5cft101
Deploying infrastructure with CFT – a ‘Hello World’ CFT deployment
So first let’s make the world’s simplest CFT:
Resources: HelloBucket: Type: AWS::S3::Bucket
We now need to get it into our S3 bucket – use whatever you feel like but I’ve been using a PowerShell command that looks like this:
PS C:\> Write-S3Object -BucketName as3bkt -File .\HelloWorld.templ
Now we can launch a stack based on our template:
PS C:\>New-CFNStack -StackName HelloWorld -TemplateURL https://s3-us-west-1.amazonaws.com/as3bkt/HelloWorld.tmpl arn:aws:cloudformation:us-west-1:512883148924:stack/HelloWorld/b838b5d0-736b-11e9-b7af-500cf8ee6099
Calling Get-CFNStack shows:
StackName CreationTime LastUpdatedTime Capabilities StackStatus DisableRollback --------- ------------ --------------- ------------ ----------- --------------- HelloWorld 5/10/2019 2:36:50 PM 1/1/0001 12:00:00 AM {} CREATE_COMPLETE False
Check we have actually created the bucket from the CloudFormation template:
PS C:\> Get-S3Bucket | findstr -i hellobucket 5/10/2019 2:36:56 PM helloworld-hellobucket-apbufnqznzo3
And then delete the bucket by deleting the stack:
Remove-CFNStack -StackName HelloWorld –force
And confirm that Get-S3Bucket | findstr -i hellobucket shows that our bucket is gone
Building the Base VPC infrastructure:
The Resources Section of the CFT is where all our components are defined. We’ll start with the VPC, Intnernet gateway, subnet and other networking infrastructure:
AWSTemplateFormatVersion: 2010-09-09 # This CloudFormation template deploys a basic F5 Demo Environment in a VPC # It is not production ready and is intended for test use only # No warraty explicit or implied is granted # # Plumbing # Resources: VPC: Type: AWS::EC2::VPC Properties: CidrBlock: 10.1.0.0/16 EnableDnsSupport: true EnableDnsHostnames: true Tags: - Key: Name Value: !Join ['', [!Ref "AWS::StackName", "-VPC" ]] # Our VPC will need internet access: InternetGateway: Type: AWS::EC2::InternetGateway DependsOn: VPC Properties: Tags: - Key: Name Value: !Join ['', [!Ref "AWS::StackName", "-IGW" ]] AttachGateway: Type: AWS::EC2::VPCGatewayAttachment Properties: VpcId: !Ref VPC InternetGatewayId: !Ref InternetGateway PublicSubnet: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: 10.1.10.0/24 AvailabilityZone: !Select [ 0, !GetAZs ] # Get the first AZ in the list Tags: - Key: Name Value: !Sub ${AWS::StackName}-Public-SN # Route table for subnet: PublicRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: !Sub ${AWS::StackName}-Public-RT PublicRoute1: # Public route table has direct routing to IGW: Type: AWS::EC2::Route DependsOn: AttachGateway Properties: RouteTableId: !Ref PublicRouteTable DestinationCidrBlock: 0.0.0.0/0 GatewayId: !Ref InternetGateway # A NAT Gateway: NATGateway: Type: AWS::EC2::NatGateway Properties: AllocationId: !GetAtt NgElasticIPAddress.AllocationId SubnetId: !Ref PublicSubnet Tags: - Key: Name Value: !Sub NAT-${AWS::StackName} NgElasticIPAddress: Type: AWS::EC2::EIP Properties: Domain: VPC UsElasticIPAddress: Type: AWS::EC2::EIP Properties: Domain: VPC # Associate A the public Subnet with the Route Table PublicSubnetARouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref PublicSubnet RouteTableId: !Ref PublicRouteTable
Most of the entries are pretty self-explanatory – but notice the !<command> entries that perform some functions in cloud formation. These are known as Intrinsic Functions and we’ll be using them frequently to make our CFT do ‘stuff’. Notice also there are some Pseudo Parameters like AWS::StackName that are predefined by AWS CloudFormation.
Adding this to our S3 bucket would look something like this:
New-CFNStack -StackName justPlumbing -TemplateURL https://<your bucket>JustPlumbing.tmpl
Running the CFT
PS C:\ New-CFNStack -StackName justPlumbing -TemplateURL https://s3-us-west-1.amazonaws.com/as3bkt/JustPlumbing.tmpl
Checking the status should (eventually) show us that our stack is created:
PS C:\ Get-CFNStack StackName CreationTime LastUpdatedTime Capabilities StackStatus DisableRollback --------- ------------ --------------- ------------ ----------- --------------- justPlumbing 5/14/2019 9:29:11 AM 1/1/0001 12:00:00 AM {} CREATE_COMPLETE False
So there we have a basic empty VPC with a subnet, routing and a gateway.
In part II, we will install some servers, provision them with Docker and then download and run some containers.