Deploy Quickstart BIG-IP with Existing Stack in Google Cloud using v2 Templates

The BIG-IP Public Cloud team has developed many solutions over the years to enable customers to easily deploy BIG-IP with a few steps. In the first article of this series, I discussed the differences between the v1 and v2 BIG-IP Cloud Solution Templates for public cloud. I plan to cover how-to deploy BIG-IP services into a Google Cloud existing network stack.

How-to v2 Quickstart Example: BIG-IP on Google Cloud with Existing Network Stack

The following section will be a walkthrough with steps to deploy BIG-IP in GCP using the Quickstart example with an existing network stack. You can use the same techniques in order to copy the templates, modify as needed, and deploy in your environment. Make sure to review the README for prerequisites.

I will deploy BIG-IP with an existing network stack in GCP. I customize the example Runtime Init YAML file from GitHub and then copy it to my GCP Bucket with public access. This allows the BIG-IP to retrieve it during onboard. The result will be the following:

Using my existing network stack with 3x VPCs: mgmt, external, internal
BIG-IP instance, version=16.1.3.2
4x CPU, 3-NICs
Using my customized runtime-init-conf-3nic-payg-jeff.yaml from my GCP Bucket
BIG-IP system and network settings only

Clone GitHub Repository

1. Open a terminal (ex. Visual Studio Code) and clone the repository

git clone https://github.com/F5Networks/f5-google-gdm-templates-v2.git

Modify Parameters - Existing Stack

1. From your terminal, set DEPLOYMENT_NAME, set CONFIG_FILE, and change folders

DEPLOYMENT_NAME="giroux-bigip-existing"
CONFIG_FILE="sample_quickstart_existing_network.yaml"

cd f5-google-gdm-templates-v2/examples/quickstart
git checkout tags/v2.6.0.0

2. Edit the file sample_quickstart_existing_network.yaml

---
# sample_quickstart_existing_network.yaml - BIG-IP with existing stack
# Note: Commented and some Optional lines were removed from
#       the yaml below. This keeps the code block small
#       for easier illustration purposes.

imports:
  - path: quickstart-existing-network.py
  - path: ../modules/bigip-standalone/bigip_standalone.py
  - path: ../modules/dag/dag.py
resources:
  - name: quickstart-existing-network-py
    properties:
      bigIpImageName: f5-bigip-16-1-3-2-0-0-4-payg-best-plus-1gbps-220914234533
      bigIpRuntimeInitConfig: >-
        https://storage.googleapis.com/giroux-public/runtime-init-conf-3nic-payg-jeff.yaml
      numNics: 3
      networks:
        mgmtNetworkName: jgiroux-net-mgmt
        externalNetworkName: jgiroux-net-ext
        internalNetworkName: jgiroux-net-int
      subnets:
        mgmtSubnetName: jgiroux-subnet-mgmt
        appSubnetName: jgiroux-subnet-ext
        internalSubnetName: jgiroux-subnet-int
      owner: giroux
      provisionPublicIp: true
      region: us-west1
      restrictedSrcAddressApp: [0.0.0.0/0]
      restrictedSrcAddressMgmt: [0.0.0.0/0]
      uniqueString: giroux321
      zone: us-west1-a
    type: quickstart-existing-network.py

3. Edit the runtime-init-conf-3nic-payg.yaml file according to your existing network stack

4. Save file and upload to a location accessible by BIG-IP during onboard

# runtime-init-conf-3nic-payg.yaml - sourced from GitHub examples
# My example change...
          app_route:
            class: Route
            gw: '10.1.20.1'
            network: '10.1.0.0/16'
            mtu: 1500

Deploy the BIG-IP - Existing Stack

1. From your terminal, launch the GDM template

gcloud deployment-manager deployments create ${DEPLOYMENT_NAME} --config ${CONFIG_FILE}

# Sample Output
The fingerprint of the deployment is b'A3qm7z5mY6q5APP9sEhbJA=='
Waiting for create [operation-1651006616110-5dd94eee003ec-389d2a10-388bd686]...done.              
Create operation operation-1651006616110-5dd94eee003ec-389d2a10-388bd686 completed successfully.

NAME                         TYPE                       STATE      ERRORS  INTENT
giroux321-app-int-fw         compute.v1.firewall        COMPLETED  []
giroux321-app-vip-fw         compute.v1.firewall        COMPLETED  []
giroux321-bigip-vm-01-ti     compute.v1.targetInstance  COMPLETED  []
giroux321-bigip-vm-01        compute.v1.instance        COMPLETED  []
giroux321-fr-01              compute.v1.forwardingRule  COMPLETED  []
giroux321-http-hc            compute.v1.healthCheck     COMPLETED  []
giroux321-https-hc           compute.v1.healthCheck     COMPLETED  []
giroux321-mgmt-fw            compute.v1.firewall        COMPLETED  []
giroux321-public-ip-01       compute.v1.address         COMPLETED  []
giroux321-tcp-hc             compute.v1.healthCheck     COMPLETED  []

Validating the Deployment

See the "Validating the Deployment" section or the "Further Exploring" section in the Quickstart README file for more validation commands.

1. Retrieve the values for bigIpManagementPublicIp and vip1PublicIp

gcloud deployment-manager manifests describe --deployment=${DEPLOYMENT_NAME} --format="value(layout)" | yq '.resources[0].outputs[] | select(.name | contains("bigIpManagementPublicIp")).finalValue'

# Sample Output "bigIpManagementPublicIp"
35.227.161.180

gcloud deployment-manager manifests describe --deployment=${DEPLOYMENT_NAME} --format="value(layout)" | yq '.resources[0].outputs[] | select(.name | contains("vip1PublicIp")).finalValue'

# Sample Output "vip1PublicIp"
35.197.57.26

SSH to BIG-IP and Review Logs

1. Access BIG-IP and enter bash mode (value from bigIpManagementPublicIp)

ssh admin@35.227.161.180 -i ~/.ssh/id_rsa

admin@(giroux123-bigip1)(Standalone)(Active)(/Common)(tmos)# bash
[admin@giroux123-bigip1:Active:Standalone] ~ #

2. Review BIG-IP Runtime Init onboard logs

[admin@giroux123-bigip1:Active:Standalone] ~ # cat /var/log/cloud/bigIpRuntimeInit.log

# Sample Output
...snippet...
2022-11-04T00:03:12.178Z [5528]: info: Executing inline shell command: tmsh save sys config
2022-11-04T00:03:18.579Z [5528]: info: Shell command: tmsh save sys config execution completed; response: Saving running configuration...
...snippet...
 - saving ...done

2022-11-04T00:03:18.580Z [5528]: info: Initializing telemetryClient
2022-11-04T00:03:19.425Z [5528]: info:         ...snippet...
2022-11-04T00:03:19.524Z [5528]: info: Sending f5-teem report
2022-11-04T00:03:19.529Z [5528]: info: All operations finished successfully

Testing the Application and WAF

The following tests will work if you deploy the BIG-IP with Layer 4-7 settings. For my demo settings, the "existing stack" does not create BIG-IP application objects nor does it create an application server. Fear not! You can still POST an AS3 declaration to the BIG-IP, or you can login manually and create a pool and listener. Check out the F5 AS3 Docs for more example declarations!

1. From your local machine, curl the demo application (value from vip1PublicIp)

curl http://35.197.57.26 -I

# Sample Output
HTTP/1.1 200 OK
...snippet...
Set-Cookie: BIGipServer~Tenant_1~Shared~Shared_Pool=xxxx; path=/; Httponly
Set-Cookie: TS01aa0884=xxxx; Path=/

2. Perform a security violation by sending a disallowed 'method' of DELETE

curl http://35.197.57.26 -sk -X DELETE

# Sample Output
<html><head><title>Request Rejected</title></head><body>The requested URL was rejected. Please consult with your administrator.<br><br>Your support ID is: 9487250596978229314<br><br><a href='javascript:history.back();'>[Go Back]</a></body></html>

Delete and Clean Up

1. Delete the deployment

gcloud deployment-manager deployments delete ${DEPLOYMENT_NAME} -q

Summary

This article shows you how to use the BIG-IP Cloud Solution Templates to easily deploy services and BIG-IP in Google Cloud. I use sample configurations in this article to deploy a BIG-IP device with an existing network stack. I then show you how to validate the deployment and review onboard logs. This Quickstart example is an easy way to have your applications protected by BIG-IP and running on Google Cloud. Make sure to check out the other examples in the GitHub repository for scenarios like active/standby or autoscale.