The Case of the Missing F5 AMI : F5 BIG-IP AMI Lifecycle Events
Lifecycle Event Simplified
A lifecycle event is where an organization moves a version of its software from one state to another. For example, an AMI can move from a public state to a restricted or archived state. The event that causes this change could be an end-of-sale, or a patch released for a CVE, after which F5 restricts the older version of the software from being sold to new customers. New customers will only be able to access the BIG-IP builds that are listed as public. Customers that have already subscribed to an offer will still be able to access the previous versions.
Let's review what AWS has to say about a deprecated AMI.
After an AMI is deprecated:
- For AMI users, the deprecated AMI does not appear in DescribeImages API calls unless you specify its ID or specify that deprecated AMIs must appear. AMI owners continue to see deprecated AMIs in DescribeImages API calls.
- For AMI users, the deprecated AMI is not available to select via the EC2 console. For example, a deprecated AMI does not appear in the AMI catalog in the launch instance wizard. AMI owners continue to see deprecated AMIs in the EC2 console.
- For AMI users, if you know the ID of a deprecated AMI, you can continue to launch instances using the deprecated AMI by using the API, CLI, or the SDKs.
- Launch services, such as launch templates and Auto Scaling groups, can continue to reference deprecated AMIs.
- EC2 instances that were launched using an AMI that is subsequently deprecated are not affected, and can be stopped, started, and rebooted.
Accessing the Software
Once an image has been deprecated, the user experience to locate the software can vary based on how you are normally interacting with AWS. In our example, we will look for a version of software that we had to recently deprecate: 15.1.5.1-0.0.14. Below you can see I am running a deprecated version; it could also be something you previously used.
Please note that F5 recommends that customers always move to patch releases when there is a security fix. With that in mind, and if you cannot move to a new version yet, what are the options to continue to use this software?
Marketplace Wizard
This path works without any changes to the normal workflow.
Locate the software in Marketplace and click through the subscribe (you must have already done this prior to the deprecation) and configuration steps.
Select your version and continue to launch.
Complete the form and launch the instance.
My Subscriptions
This path works with moderate changes to the normal workflow.
If you are looking at the My Subscriptions page, you will only see the most recently published version of the AMI. If you are an F5 user, this could be a major version that you do not use, since the display filter is based on publication date. Let's navigate to the Better 200 Mbps subscription.
Clicking in, we can see the subscription information and can launch another instance of it.
But when we click in, we can only see the latest version by publication date.
Just below the software version drop down, you can see a link to use other versions.
Which takes you to a screen where you can select a different version of the software.
Select the version you want to deploy.
EC2 Launch Instance Wizard
This path does not work.
In this path, if we search for the AMI ID of the previous version, we will find the listing.
Following the launch wizard, it only takes us to the latest version (not even all public versions) and we cannot access the AMI version we want.
AWS CLI
This path works with changes to the CLI flags.
By default, the AWS CLI will not show an AMI version that has been deprecated.
[cloudshell-user@ip-10-136-48-97 ~]$ aws ec2 describe-images --owners 679593333241 --filters 'Name=name,Values=F5 BIGIP-15.1.5.1-0.0.14*' --query 'Images[*].[ImageId,Name]' --output yaml
[]
To locate the AMI, you will need to add the --include-deprecated flag.
[cloudshell-user@ip-10-136-48-97 ~]$ aws ec2 describe-images --owners 679593333241 --filters 'Name=name,Values=F5 BIGIP-15.1.5.1-0.0.14*' --query 'Images[*].[ImageId,Name]' --include-deprecated --output yaml
- - ami-0a25c6b80ecaf6b81
- F5 BIGIP-15.1.5.1-0.0.14 BYOL-LTM 1Boot Loc-220328012805-8f2ed1fb-93bb-4f06-a8f5-eb84757d5fab
- - ami-08b9e9627f579bee6
- F5 BIGIP-15.1.5.1-0.0.14 PAYG-Good 1Gbps-220328013426-7fb2f9db-2a12-4915-9abb-045b6388cccd
- - ami-0a3aa4f2b6a3cdeb2
- F5 BIGIP-15.1.5.1-0.0.14 PAYG-Best 25Mbps-220328014320-3e567b08-20a9-444f-a72a-7e8da3c2cbdf
- - ami-0de86f325238540d8
- F5 BIGIP-15.1.5.1-0.0.14 PAYG-Better 200Mbps-220328014315-bfe1c762-fc65-48ef-a205-29e2770cb15b
- - ami-07dc37ae1b50682ac
- F5 BIGIP-15.1.5.1-0.0.14 PAYG-Adv WAF Plus 3Gbps-220328014327-fd904f36-3781-4002-8075-a1ce0da76185
Once you have the AMI ID, you can launch from the CLI (or CFT).
- - ami-0de86f325238540d8
- F5 BIGIP-15.1.5.1-0.0.14 PAYG-Better 200Mbps-220328014315-bfe1c762-fc65-48ef-a205-29e2770cb15b
[cloudshell-user@ip-10-132-62-194 ~]$ aws ec2 run-instances --image-id ami-0de86f325238540d8 --instance-type m5.2xlarge --subnet-id subnet-0a9daa849fb5f1075
{
"Groups": [],
"Instances": [
{
"AmiLaunchIndex": 0,
"ImageId": "ami-0de86f325238540d8",
"InstanceId": "i-0a7e6854fdce7c850",
"InstanceType": "m5.2xlarge",
F5 CloudFormation Templates
This path works, but you will need to provide an AMI ID.
F5 provides example CloudFormation templates that customers can use. In our templates, we allow customers to specify an AMI ID via the customImageID field:
Parameter | Required | Type | Description
--- | --- | --- | ---
bigIpCustomImageId | No | string | Provide a custom BIG-IP AMI ID you wish to deploy. Otherwise, can leave empty.
If we specify our AMI, the templates will launch as expected.
F5 BIG-IP Terraform Module
This path works, but you will need to customize your Terraform files.
By default, the F5 BIG-IP Terraform module uses a variable and a data source lookup to find an AMI. You will need to make changes that make sense in your Terraform tooling. Let's take a look at the main.tf file that deploys BIG-IP in AWS.
resource "aws_instance" "f5_bigip" {
  instance_type = var.ec2_instance_type
  ami           = data.aws_ami.f5_ami.id
  key_name      = var.ec2_key_name
  root_block_device {
    delete_on_termination = true
    encrypted             = var.ebs_volume_encryption
    kms_key_id            = var.ebs_volume_kms_key_arn
    volume_size           = var.ebs_volume_size
    volume_type           = var.ebs_volume_type
  }
}
Let's trace the logic. We have a variable in variables.tf that holds the name we want to search for.
variable "f5_ami_search_name" {
  description = "BIG-IP AMI name to search for"
  type        = string
  default     = "F5 BIGIP-15.1.5* PAYG-Better*"
}
This variable goes into a data source in the data.tf file.
data "aws_ami" "f5_ami" {
  most_recent = true
  // owners = ["679593333241"]
  owners = ["aws-marketplace"]
  filter {
    name   = "description"
    values = [var.f5_ami_search_name]
  }
}
In reviewing how the Terraform module locates an AMI, the options are similar to the CLI: you need to add include_deprecated if you are not referencing an AMI ID explicitly in your Terraform files.
Your terraform data.tf file will need to be updated to include deprecated images.
data "aws_ami" "f5_ami" {
  most_recent        = true
  owners             = ["679593333241"]
  include_deprecated = true
  filter {
    name   = "description"
    values = [var.f5_ami_search_name]
  }
}
Proper Planning Required
Many customers are able to use the latest version, but if you need to use a specific version, you need a plan. Lifecycle events will happen, and they may happen quickly, such as for a CVE with a high CVSS score. If you cannot automatically move to the patched build, then you need to plan and document the workflows you will use to ensure you can continue operations until such time as you can move to the new AMI. To stay two steps ahead:
- CLI, API, and automated solutions that search for AMIs will need to include deprecated AMIs.
- For GUI use cases, make sure that your users know how to find different versions in the web portal.
- Always document the AMI ID that you use in each region.
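As an added example (not code from the article or from F5), the check a pinned-AMI plan needs: given a describe-images response in the shape returned with --include-deprecated, it verifies that the documented AMI ID for a region still resolves, flags it once its DeprecationTime has passed, and picks the newest non-deprecated image matching a Name wildcard. The response data, the second AMI ID, the region pairing and all timestamps are constructed; only ami-0de86f325238540d8 and its Name come from the article.

```python
"""Pin-and-verify check for BIG-IP AMI IDs on the JSON shape returned by
`aws ec2 describe-images --include-deprecated` (ImageId, Name, CreationDate,
DeprecationTime). Sample data is constructed: only ami-0de86f325238540d8 and
its Name come from the article; the other ID and all timestamps are made up."""
from datetime import datetime, timezone
import fnmatch

# Constructed stand-in for a describe-images response from the F5 owner
# account 679593333241 queried with --include-deprecated.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0de86f325238540d8",
     "Name": "F5 BIGIP-15.1.5.1-0.0.14 PAYG-Better 200Mbps-220328014315-bfe1c762-fc65-48ef-a205-29e2770cb15b",
     "CreationDate": "2022-03-28T01:43:15.000Z",
     "DeprecationTime": "2022-09-01T00:00:00.000Z"},  # invented deprecation date
    {"ImageId": "ami-0123456789abcdef0",  # placeholder ID, not a real F5 AMI
     "Name": "F5 BIGIP-15.1.9.9-0.0.0 PAYG-Better 200Mbps-constructed",
     "CreationDate": "2022-06-01T00:00:00.000Z"},
]
# The per-region record the article says to keep; the pairing is constructed.
PINNED = {"us-east-1": "ami-0de86f325238540d8"}
# Fixed evaluation time so the results are reproducible.
AS_OF = datetime(2023, 1, 1, tzinfo=timezone.utc)


def _ts(s):
    """Parse the ISO 8601 timestamps EC2 emits (millisecond precision, UTC)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def is_deprecated(image, now):
    """True once DeprecationTime has passed; images without the field are live."""
    dep = image.get("DeprecationTime")
    return dep is not None and _ts(dep) <= now


def check_pin(images, region, now):
    """Classify the documented AMI for a region: 'unpinned', 'missing', 'deprecated' or 'current'."""
    ami_id = PINNED.get(region)
    if ami_id is None:
        return "unpinned"
    match = next((i for i in images if i["ImageId"] == ami_id), None)
    if match is None:
        return "missing"  # absent from the response: likely queried without include-deprecated
    return "deprecated" if is_deprecated(match, now) else "current"


def newest_matching(images, pattern, now, allow_deprecated=False):
    """Newest image whose Name matches the wildcard (like the CLI Name filter),
    skipping deprecated images unless allow_deprecated is set. Returns an ImageId or None."""
    cands = [i for i in images if fnmatch.fnmatchcase(i["Name"], pattern)
             and (allow_deprecated or not is_deprecated(i, now))]
    return max(cands, key=lambda i: _ts(i["CreationDate"]))["ImageId"] if cands else None
```

Feeding it the real response is a matter of loading the CLI's JSON output (or boto3's describe_images with IncludeDeprecated=True) in place of SAMPLE_IMAGES.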
Carl_Brothers (Employee):
A customer asked me if we had anything like an Image name that would reference the most recent AMI Image. After a whole lot of digging, the short answer right now is no.
A WHOLE lot more digging around and I found a way to write a query that would return the most recent AMI Image.
aws ec2 describe-images --owners 679593333241 --filters 'Name=name,Values=*BYOL-All Modules 2Boot*' --query 'reverse(sort_by(Images, &CreationDate))[:1].{name:Name,id:ImageId}' --output yaml
In this example it only returns a single AMI ID for the LATEST BYOL image that supports All Modules with Two Boot locations, allowing you to do in-place upgrades. The [:1] specifies that only a single record should be returned.
aws ec2 describe-images --owners 679593333241 --filters 'Name=name,Values=*BYOL-All Modules 2Boot*' --query 'reverse(sort_by(Images, &CreationDate))[:3].{name:Name,id:ImageId}' --output yaml
In this example, we expanded the results to [:3] so it will return the latest AMI images for the three major versions available right now.
You can get more specific with the strings in the Values filter if you need a different set of results.
HTH,
Carl B