The Case of the Missing F5 AMI : F5 BIG-IP AMI Lifecycle Events

Today, many F5 customers use AWS, and use the AWS Marketplace to procure F5 BIG-IP software. Customers that follow this route receive multiple benefits, such as a simplified procurement process and the ability to apply their Enterprise Discount Program (EDP) committed spend to AWS and non-AWS software, such as F5, that can be consumed in the marketplace. When a customer uses AWS hourly billing for F5 software, they will use the F5-provided prebuilt Amazon Machine Images (AMIs). Other customers may procure a license key for BIG-IP via other means and use the AMIs we provide in AWS for such scenarios. When using AMIs that are created by a third party (any organization other than yours), there are lifecycle events that may make it seem like the AMI has simply vanished. The AMI is still there; you just need to use the right tools and workflows to continue to see and use it.

Lifecycle Event Simplified

A lifecycle event is where an organization moves a version of its software from one state to another. For example, an AMI can move from a public state to a restricted or archived state. The event that causes this change could be an end-of-sale, or the release of a patch for a CVE, after which F5 restricts the older version of the software from being sold to new customers. New customers will only be able to access the BIG-IP builds that are listed as public. Customers that have already subscribed to an offer will still be able to access the previous versions.

Let's review what AWS has to say about a deprecated AMI.

After an AMI is deprecated:

  • For AMI users, the deprecated AMI does not appear in DescribeImages API calls unless you specify its ID or specify that deprecated AMIs must appear. AMI owners continue to see deprecated AMIs in DescribeImages API calls.

  • For AMI users, the deprecated AMI is not available to select via the EC2 console. For example, a deprecated AMI does not appear in the AMI catalog in the launch instance wizard. AMI owners continue to see deprecated AMIs in the EC2 console.

  • For AMI users, if you know the ID of a deprecated AMI, you can continue to launch instances using the deprecated AMI by using the API, CLI, or the SDKs.

  • Launch services, such as launch templates and Auto Scaling groups, can continue to reference deprecated AMIs.

  • EC2 instances that were launched using an AMI that is subsequently deprecated are not affected, and can be stopped, started, and rebooted.

Accessing the Software

Once an image has been deprecated, the user experience for locating the software can vary based on how you normally interact with AWS. In our example, we will look for a version of software that we recently had to deprecate: 15.1.5.1-0.0.14. Below you can see I am running a deprecated version; it could also be something you previously used.

Please note that F5 recommends that customers always move to patch releases when there is a security fix. With that in mind, if you cannot move to a new version yet, what are the options to continue using this software?

Marketplace Wizard

This path works without any changes to the normal workflow.

Locate the software in the marketplace and click through the subscribe (you must have already done this prior to the deprecation) and configuration steps.

Select your version and continue to launch.

Complete the form and launch the instance.

My Subscriptions

This path works with moderate changes to the normal workflow.

If you are looking at the My Subscriptions page, you will only see the most recently published version of the AMI. If you are an F5 user, this could be a major version that you do not use, since the display filter is based on publication date. Let's navigate to the Better 200 Mbps subscription.

Clicking in, we can see the subscription information and can launch another instance of it.

However, only the latest version by publication date is shown.

Just below the software version drop-down, you can see a link to use other versions.

This takes you to a screen where you can select a different version of the software.

Select the version you want to deploy.

EC2 Launch Instance Wizard

This path does not work.

In this path, if we search for the AMI ID of the previous version, we will find the listing.

Following the launch wizard, it only takes us to the latest version (not even all public versions), and we cannot access the AMI version we want.

AWS CLI

This path works with changes to the CLI flags.

By default, the AWS CLI will not show an AMI version that has been deprecated.

[cloudshell-user@ip-10-136-48-97 ~]$ aws ec2 describe-images --owners 679593333241 --filters 'Name=name,Values=F5 BIGIP-15.1.5.1-0.0.14*' --query 'Images[*].[ImageId,Name]' --output yaml
[]

To locate the AMI, you will need to add the --include-deprecated flag.

[cloudshell-user@ip-10-136-48-97 ~]$ aws ec2 describe-images --owners 679593333241 --filters 'Name=name,Values=F5 BIGIP-15.1.5.1-0.0.14*' --query 'Images[*].[ImageId,Name]' --include-deprecated --output yaml
- - ami-0a25c6b80ecaf6b81
  - F5 BIGIP-15.1.5.1-0.0.14 BYOL-LTM 1Boot Loc-220328012805-8f2ed1fb-93bb-4f06-a8f5-eb84757d5fab
- - ami-08b9e9627f579bee6
  - F5 BIGIP-15.1.5.1-0.0.14 PAYG-Good 1Gbps-220328013426-7fb2f9db-2a12-4915-9abb-045b6388cccd
- - ami-0a3aa4f2b6a3cdeb2
  - F5 BIGIP-15.1.5.1-0.0.14 PAYG-Best 25Mbps-220328014320-3e567b08-20a9-444f-a72a-7e8da3c2cbdf
- - ami-0de86f325238540d8
  - F5 BIGIP-15.1.5.1-0.0.14 PAYG-Better 200Mbps-220328014315-bfe1c762-fc65-48ef-a205-29e2770cb15b
- - ami-07dc37ae1b50682ac
  - F5 BIGIP-15.1.5.1-0.0.14 PAYG-Adv WAF Plus 3Gbps-220328014327-fd904f36-3781-4002-8075-a1ce0da76185

Once you have the AMI ID, you can launch from the CLI (or a CloudFormation template). In this example we use the PAYG-Better 200Mbps image:

- - ami-0de86f325238540d8
  - F5 BIGIP-15.1.5.1-0.0.14 PAYG-Better 200Mbps-220328014315-bfe1c762-fc65-48ef-a205-29e2770cb15b
[cloudshell-user@ip-10-132-62-194 ~]$ aws ec2 run-instances --image-id ami-0de86f325238540d8 --instance-type m5.2xlarge --subnet-id subnet-0a9daa849fb5f1075
{
    "Groups": [],
    "Instances": [
        {
            "AmiLaunchIndex": 0,
            "ImageId": "ami-0de86f325238540d8",
            "InstanceId": "i-0a7e6854fdce7c850",
            "InstanceType": "m5.2xlarge",

F5 CloudFormation Templates

This path works, but you will need to provide an AMI ID.

F5 provides example CloudFormation templates that customers can use. In our templates, customers can specify an AMI ID via the custom image ID parameter (bigIpCustomImageId):

bigIpCustomImageId (required: No, type: string): Provide a custom BIG-IP AMI ID you wish to deploy. Otherwise, can leave empty.

If we specify our AMI, the templates will launch as expected.

F5 BIG-IP Terraform Module

This path works, but you will need to customize your Terraform files.

By default, the F5 BIG-IP Terraform module uses a variable and an aws_ami data source to find an AMI. You will need to make whatever changes make sense for your own Terraform tooling. Let's take a look at the main.tf file that deploys BIG-IP in AWS.

resource "aws_instance" "f5_bigip" {
  instance_type = var.ec2_instance_type
  ami           = data.aws_ami.f5_ami.id
  key_name      = var.ec2_key_name

  root_block_device {
    delete_on_termination = true
    encrypted             = var.ebs_volume_encryption
    kms_key_id            = var.ebs_volume_kms_key_arn
    volume_size           = var.ebs_volume_size
    volume_type           = var.ebs_volume_type
  }
}

Let's trace the logic. We have a variable in the variables.tf file that holds the name we want to search for:

variable "f5_ami_search_name" {
  description = "BIG-IP AMI name to search for"
  type        = string
  default     = "F5 BIGIP-15.1.5* PAYG-Better*"
}

This variable feeds the aws_ami data source in the data.tf file:

data "aws_ami" "f5_ami" {
  most_recent = true
  // owners      = ["679593333241"]
  owners = ["aws-marketplace"]

  filter {
    name   = "description"
    values = [var.f5_ami_search_name]
  }
}

In the Terraform module, the aws_ami data source arguments mirror the CLI flags: you need to add include_deprecated if you are not using an explicit AMI ID reference in your Terraform files.

  • include_deprecated - (Optional) If true, all deprecated AMIs are included in the response. If false, no deprecated AMIs are included in the response. If no value is specified, the default value is false.

Your terraform data.tf file will need to be updated to include deprecated images.

data "aws_ami" "f5_ami" {
  most_recent = true
  owners      = ["679593333241"]
  include_deprecated = true

  filter {
    name   = "description"
    values = [var.f5_ami_search_name]
  }
}

Proper Planning Required

Many customers are able to use the latest version, but if you need to use a specific version, you need a plan. Lifecycle events will happen, and they may happen quickly, for example in response to a CVE with a high CVSS score. If you cannot automatically move to the patched build, then you need to plan and document the workflows you will use to ensure you can continue operations until you can move to the new AMI. To stay two steps ahead:

  • CLI, API, and automated solutions that search for AMIs: include deprecated AMIs in the search.
  • GUI use cases: make sure that your users know how to find different versions in the web portal.
  • Always document the AMI ID that you use in each region.
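As an added example (not code from the article or from F5), here is the check a launch pipeline can run over describe-images output so that a deprecation event is caught before a launch template or Auto Scaling group fails to find its image. The sample records are constructed in describe-images shape from the article's CLI output; the DeprecationTime and CreationDate values and the newer placeholder image are invented for the example.

```python
import fnmatch
from datetime import datetime, timezone


def is_deprecated(image, now):
    """For AMI users an image drops out of describe-images once DeprecationTime has passed."""
    t = image.get("DeprecationTime")
    return t is not None and datetime.fromisoformat(t.replace("Z", "+00:00")) <= now


def latest_matching(images, name_pattern, now, include_deprecated=False):
    """Mimic most_recent=true under the CLI's default and --include-deprecated views:
    newest CreationDate among images whose Name matches the AWS-style glob."""
    cands = [i for i in images if fnmatch.fnmatchcase(i["Name"], name_pattern)
             and (include_deprecated or not is_deprecated(i, now))]
    return max(cands, key=lambda i: i["CreationDate"], default=None)


def audit_pinned(pinned, images, now):
    """pinned = {region: ami-id}. Classify each documented AMI so a deprecation
    is caught before a launch template or Auto Scaling group fails to find it."""
    by_id = {i["ImageId"]: i for i in images}
    report = {}
    for region, ami in pinned.items():
        img = by_id.get(ami)
        if img is None:
            report[region] = "missing"      # absent even with include_deprecated
        elif is_deprecated(img, now):
            report[region] = "deprecated"   # still launchable by ID; plan the move
        else:
            report[region] = "ok"
    return report


# Constructed sample in describe-images shape: the two 15.1.5.1 IDs and names are
# from the article's CLI output; the dates and the newer placeholder image are invented.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0de86f325238540d8", "CreationDate": "2022-03-28T01:43:15.000Z",
     "DeprecationTime": "2023-06-01T00:00:00.000Z",
     "Name": "F5 BIGIP-15.1.5.1-0.0.14 PAYG-Better 200Mbps-220328014315-bfe1c762-fc65-48ef-a205-29e2770cb15b"},
    {"ImageId": "ami-0a25c6b80ecaf6b81", "CreationDate": "2022-03-28T01:28:05.000Z",
     "DeprecationTime": "2023-06-01T00:00:00.000Z",
     "Name": "F5 BIGIP-15.1.5.1-0.0.14 BYOL-LTM 1Boot Loc-220328012805-8f2ed1fb-93bb-4f06-a8f5-eb84757d5fab"},
    {"ImageId": "ami-example0000000001", "CreationDate": "2023-09-01T00:00:00.000Z",
     "Name": "F5 BIGIP-PLACEHOLDER PAYG-Better 200Mbps-EXAMPLE"},
]
NOW = datetime(2023, 12, 1, tzinfo=timezone.utc)
```

Feed it real records from aws ec2 describe-images --include-deprecated --output json and a pinned {region: ami-id} map from your runbook; a "deprecated" result means the image is still launchable by ID but the migration clock is running, and "missing" means the ID is not in the owner's catalog at all.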
Updated Dec 01, 2023
Version 3.0
  • A customer asked me if we had anything like an Image name that would reference the most recent AMI Image.  After a whole lot of digging the short answer right now is no.

    A WHOLE lot more digging around and I found a way to write a query that would return the most recent AMI Image.

    aws ec2 describe-images --owners 679593333241 --filters 'Name=name,Values=*BYOL-All Modules 2Boot*' --query 'reverse(sort_by(Images, &CreationDate))[:1].{name:Name,id:ImageId}' --output yaml


    In this example it only returns a single AMI ID for the LATEST BYOL image that supports All Modules with Two Boot locations allowing you to do in place upgrades.  The [:1] specifies that only a single record should be returned. 

    aws ec2 describe-images --owners 679593333241 --filters 'Name=name,Values=*BYOL-All Modules 2Boot*' --query 'reverse(sort_by(Images, &CreationDate))[:3].{name:Name,id:ImageId}' --output yaml

    In this example, we expanded the results to [:3] so it will return the latest AMI images for the three major versions available right now.  

    You can get more specific with the strings in the Values filter if you need a different set of results.

    HTH,

    Carl B