Introducing the F5 Application Study Tool (AST)
In the ever-evolving world of application delivery and security, gaining actionable insights into your infrastructure and applications has become more critical than ever. The Application Study Tool (AST) is designed to help technical teams and administrators leverage the power of open-source telemetry and visualization tools to enhance their monitoring, diagnostics, and analysis workflows.AST and Telemetry Streaming
Hi! I am quite please with the Application Study Tool, but there is one thing that I keep wondering about. The OpenTelemetry component (otel-collector) currently pulls data from the F5 using the iControl REST API, however: there is also Telemetry Streaming available. Is it possible to use Telemetry Streaming for getting the data into Prometheus?How Do I Install the Application Study Tool in an Air-Gapped Environment?
The Application Study Tool (AST) from F5 is a powerful tool to help you with monitoring and observability of your BIG-IP ecosystem. It provides valuable insights into the performance of your BIG-IP, the applications it delivers, potential threats, and traffic patterns. AST runs as a set of containers, and most deployments simply use "docker pull" to download the required container images from the Internet and run them locally (on “the AST host”). However, some customer environments have firewall restrictions that block most Internet destinations and only whitelist specific sites. For these environments, whitelisting github.com, docker.io, and ghcr.io (all on port 443) will allow you to download the configuration and container images you need to run the Application Study Tool. However, other environments are completely "air-gapped" with no connectivity to the outside world whatsoever. To run the tool in an environment like these, you'll need another way to get the container images onto the AST host. The following steps will guide you through this process. This guide assumes Docker (or another compatible container engine, such as Podman) is already installed on the AST host, and it requires access to another machine that does have connectivity to the Internet, at least to github.com, docker.io, and ghcr.io. You will also need a way to get files from this Internet-connected machine to the air-gapped AST host. This could be a local network connection, a shared network file system, or even a USB drive that can plug into both systems with read and write permissions. Note: this guide includes several Docker commands as examples. All assume you have permission to run Docker directly. If your access requires “sudo” before the command, add this to the beginning of all Docker commands when running the command examples below. Determining Whether Your Environment is Air-Gapped You may already know what Internet connectivity you have in place from your environment, but if you need to confirm access to the specific container registries used by the Application Study Tool, you can test by running the following commands: $ curl https://docker.io This will determine basic connectivity to Docker Hub, the container repository used for the Grafana and Prometheus images. $ docker pull grafana:latest This tests your environment’s ability to download (or "pull") a container image from Docker Hub. Certain firewall configurations permit the prior step (curl) but block this one since it is attempting to download binary content. $ docker pull ghcr.io/f5devcentral/application-study-tool/otel_custom_collector:latest This tests your environment’s ability to download a container image from the GitHub Container Registry. This is a different registry from Docker Hub and is where the AST Otel Collector container image is hosted. If all the above commands succeed, you already have the Internet connectivity you need and, most likely, do not need the guidance in this article. Simply running "docker compose up" should download the needed images from their respective Internet-based repositories and run them on your target system. If one of more of the above commands fail, you must either establish the required connectivity so the above commands succeed (which, depending on your network configuration, organizational policies, level of effort required, personal preferences, etc. might be unfeasible) or use the steps outlined below to run AST in an air-gapped environment. What is a Container Image? Before we go any further, let's quickly cover what a container image is. It is not simply a self-contained file that can be moved around with simple copy commands; it is a multi-part collection of data with assets stored in various places on the host’s storage system. A container requires a container engine, such as Docker, Podman, Containerd, etc., to list it in a container CLI (i.e., Docker) and run it. For a more in-depth understanding of this concept, see Where Are Docker Images Stored? For a more general explanation of container images, their contents, advantages, etc., see What is an image? Step 1: Clone the Git Repo from an Internet-Connected System Now that we've covered some basic concepts and established your need to run the Application Study Study Tool in an air-gapped environment, you’ll need a local copy of the Git repository. This contains all the configuration files and text-based assets required to run the tool. You can retrieve this using the Internet-connected system and then move it over to the air-gapped machine. From the web browser, go to the Application Study Tool repo page, click on the green “<> Code” button and select “Download ZIP” to download repo as a .zip file. If a web browser is not available and you only have command line access from the Internet-connected system, you can clone the repo from the command line by running the following command: $ git clone https://github.com/f5devcentral/application-study-tool.git Next, use tar or zip to compress it into a single file. There are several ways to do this, including the steps found in this guide: https://www.redhat.com/en/blog/taming-tar-command Step 2: Download the Required Container Images from the Internet-Connected System If Docker is not already installed on this system, first perform the following steps to install it: https://docs.docker.com/engine/install/ Now, run the following commands to download the required images to this machine: $ docker pull prom/prometheus:v2.54.1 $ docker pull grafana/grafana:11.2.0 $ docker pull ghcr.io/f5devcentral/application-study-tool/otel_custom_collector:v0.9.4 $ docker pull python:3.12.6-slim-bookworm (The above instructions specify current versions of the Prometheus, Grafana, Otel Collector , and Python containers as of the writing of this article. Your deployment may use different versions of these packages.) Step 3: Export the Container Images as TAR Files Export the container images as tar files using the below commands: $ docker save prom/prometheus > prometheus.tar $ docker save grafana/grafana > grafana.tar $ docker save ghcr.io/f5devcentral/application-study-tool/otel_custom_collector > application-study-tool_otel-collector_1.tar $ docker save python > python.tar Step 4: Move the ZIP and TAR Files to the AST Host All of these files (the Git repository zip file and the three container image tar files) now need to be moved to the machine that will run the Application Study Tool. As discussed earlier, this could be accomplished by network file transfer, shared storage, a USB drive, or any other method of moving files from the Internet-connected host to the AST host. The Git repo zip file should be copied to your preferred location on the AST host. This will be the directory containing the application's configuration files and will be your working directory for launching the tool. The three container tar files can be copied to any directory on the AST host where you have write access, but be sure to note their new location. Step 5: Import the TAR Files as Container Images on the AST Host Import the tar files to Docker by running the following commands: $ docker load -i /path/to/tarfile/grafana.tar $ docker load -i /path/to/tarfile/prometheus.tar $ docker load -i /path/to/tarfile/application-study-tool_otel-collector_1.tar $ docker load -i /path/to/tarfile/python.tar You are now ready to run these container images on your AST host. Navigate to the Application Study Tool directory and follow the Application Study Tool installation instructions to configure and run the Application Study Tool.Application Study Tool: Make Grafana Listen on HTTPS
The Application Study Tool (AST) from F5 is a powerful utility for monitoring and observing your BIG-IP ecosystem. Its primary interface is the Grafana dashboard, which provides valuable insights into the performance of your BIG-IPs, the applications delivered, traffic patterns, and potential threats. The default installation instructions are quick and easy to set up, enabling you to achieve observability quickly. However, the Grafana dashboard, by default, can only be accessed via HTTP (unencrypted), not HTTPS. This means that any data sent to the dashboard, including passwords, can potentially be intercepted by anyone sniffing traffic between you and the AST host. (Note that connections between AST and BIG-IPs are always encrypted over HTTPS, so your BIG-IP credentials are secure.) This guide will walk you through configuring Grafana to serve HTTPS, thereby encrypting traffic between your web browser and the AST Grafana dashboard. Apply or Generate the Certificate Before encrypting traffic, you’ll need a certificate and key. This can either be a CA-signed certificate or a self-signed certificate. Both encrypt traffic in transit, but only CA-signed certificates establish the authenticity of the server endpoint (in this case, Grafana). Many organizations opt for self-signed certificates for internal-only connections where man-in-the-middle attacks are unlikely. However, CA-signed certificates remain the more secure option. Using a CA-Signed Certificate If you have a CA-signed certificate available, copy the cert and key files to the ./services/grafana/ directory within the AST installation directory. Make note of the certificate and key file names. (This guide was tested with .crt and .pem extensions, but Grafana also supports other formats.) If you need to generate a CA-signed certificate, you can follow the instructions on the Grafana website for creating a CA certificate using Let’s Encrypt: https://grafana.com/docs/grafana/latest/setup-grafana/set-up-https/#obtain-a-signed-certificate-from-letsencrypt . Using a Self-Signed Certificate If you prefer to use a self-signed certificate, you can generate one using the following commands: $ sudo openssl genrsa -out services/grafana/grafana.key 2048 $ sudo openssl req -new -key services/grafana/grafana.key -out services/grafana/grafana.csr (Answer the questions about location, organization, name, email address, etc., as prompted.) $ sudo openssl x509 -req -days 365 -in services/grafana/grafana.csr -signkey services/grafana/grafana.key -out services/grafana/grafana.crt Set the correct file permissions after generating the files: $ sudo chmod 440 services/grafana/grafana.key services/grafana/grafana.crt Additional documentation on this process is available on Grafana’s website: https://grafana.com/docs/grafana/latest/setup-grafana/set-up-https/#generate-a-self-signed-certificate . Configure Grafana to Listen on HTTPS The next step is to create a configuration file for Grafana, named grafana.ini. Create this file under the ./services/grafana directory (e.g., ~/application-study-tool/services/grafana/grafana.ini). The following is an example configuration. Update the values to fit your environment. If your key and certificate files have names other than grafana.key and grafana.crt, modify the cert_key and cert_file paths accordingly. Note that /etc/grafana/ in the example below is the path within the container. This example uses port 3000. You can configure Grafana to listen on port 443 (the default HTTPS port), but elevated permissions are required in most environments. [server] http_addr = http_port = 3000 domain = mysite.com root_url = https://subdomain.mysite.com:3000 cert_key = /etc/grafana/grafana.key cert_file = /etc/grafana/grafana.crt enforce_domain = False protocol = https Find more details on each variable here: https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#server . Configure AST to Point to grafana.ini To enable the Application Study Tool to recognize the new grafana.ini file, you need to update the Docker Compose configuration. Locate the "grafana" service section in docker-compose.yaml. Comment out the existing provisioning mount line: # - ./services/grafana/provisioning/:/etc/grafana/provisioning Then add the following line to mount the updated directory: - ./services/grafana/:/etc/grafana/ Your updated Grafana service configuration should look like this: grafana: image: grafana/grafana:11.2.0 container_name: grafana restart: unless-stopped ports: - 3000:3000 volumes: - grafana:/var/lib/grafana # - ./services/grafana/provisioning/:/etc/grafana/provisioning - ./services/grafana/:/etc/grafana/ env_file: ".env" networks: - 7lc_network Restart AST and Access Grafana via HTTPS Restart Docker Compose with the following commands: $ sudo docker compose down $ sudo docker compose up That's it! Once restarted, the Grafana dashboard will be available over https. Browse to https://localhost:3000/ (be sure to include https) to try it out. If you used a self-signed certificate, your browser may display a warning message such as “This site is unsafe” or “This Connection Is Not Private.” This is expected behavior for self-signed certificates. Now, all web traffic to your Grafana dashboard will be securely encrypted.
Can I deploy the application study tool on Kubernetes?(AST)
Hi, everyone. I followed the AST guide to ensure that AST works on Docker. But, I want to deploy this on Kubernetes, is there a how-to or guide for that? If you have any suggestions on availability, or any alternative links or instructions I can refer to, I would really appreciate it. Thank you for your help.
Inquiry About the "ast-api-discovery" Repository
Hello everyone, I've been exploring the AST tool (application-study-tool) and noticed there’s a related repository at ast-api-discovery that caught my attention. Unfortunately, when I try accessing it, I receive a 404 error. I was really looking forward to diving into that tool as well. Could anyone let me know if the repository has been moved or if there are any updates on its availability? Any guidance or alternative links would be greatly appreciated. Thanks in advance for your help!Displaying Application Study Tool (AST) Dashboards in Your Own Grafana Instance
The Application Study Tool (AST) has its own Prometheus and Grafana instances. These instances run as containers and are designed to coexist with other Prometheus and Grafana instances in your environment, even on the same host. However, during demos and discussions with customers, many have expressed the desire to use their existing Grafana instance to display AST dashboards. Although it may not be obvious to new Grafana users, this process is straightforward. This blog will walk you through launching a second generic Grafana container instance, connecting it to the AST instance of Prometheus (the data source), importing a dashboard from the AST instance of Grafana, and displaying it in the new Grafana instance. If you already have a non-AST instance of Grafana running in your environment, the steps to launch a second Grafana container are optional. However, you may want to run it in order to test the import functionality and make your own customizations before importing it again into your “production” Grafana instance. Here is an example of a dashboard folder in a non-AST Grafana instance after importing three dashboards from AST: Launch a Second (Generic) Grafana Container If you already have a Grafana instance, you may skip this step. However, if you don’t, or you would like to use a “sandbox” for testing customizations before importing the dashboard into your “production“ Grafana instance, you can use the following steps to launch a new Grafana container. The following assumptions are made for the steps that follow: You are using Docker as your container runtime. (If you are using Podman, simply substitute “podman” for “docker” in each of the following commands. Other container runtimes may also work for this exercise, but I have not tested them.) You have sufficient privileges to run containers. If you don’t, you may need to run these commands with “sudo”. If that fails due to permissions errors, you will need to request the necessary privileges from your Linux administrator. We want to run Grafana version 11.5.2. Any recent version should work. However, this is the latest version as of the writing of this blog. The IP address of the host where you are running these containers is 192.168.0.15. Yours will likely be different. Use your own host’s IP when you run “curl” inside the grafana2 container. In my testing, I used MacOS. This will also work on any current Linux distribution and should work on Windows. First, launch the Grafana container. I set this new instance of Grafana to listen on port 3002 (the default for Grafana is 3000) to avoid conflicts with the AST instance, if they are running on the same host. $ docker run -d --name=grafana2 -p 3002:3000 grafana/grafana:11.5.2 Next, exec into the container to ensure it can connect to the AST instance of Prometheus. You can instead check connectivity from the Grafana UI, but the below method is a good way to troubleshoot any connectivity errors you may encounter. $ docker exec -it grafana2 bash You are now running a Bash shell inside the new Grafana container. Run a curl command to confirm the new Grafana container can reach the Prometheus application, which listens on port 9090, by default. (The IP address, 192.168.0.15, is used as an example. Use your own host's IP address here.) 5d3e8256af3d:/usr/share/grafana$ curl 192.168.0.15:9090 <a href="/graph">Found</a>. Now, it is time to test the new Grafana instance. Open a web browser and navigate to the host where this new Grafana container is running, at port 3002. If you are running on your local machine, it will be http://localhost:3002/. The default credentials are admin/admin. When first logging in, Grafana will prompt you to change the password. You may choose to change it now or click “skip” to leave it as is. Now you can export one of the dashboards from AST and import it into this instance. Export a Dashboard from AST Now that you have launched a second instance of Grafana (or you are running your own non-AST instance), it is time to import a dashboard from AST. You can import just one dashboard of your choosing (i.e., BigIP - Device Device >> Virtual Servers), or several (or even all) dashboards from AST. For this example, we will only import one dashboard, BigIP - Device Device >> Virtual Servers. If you wish to import other dashboards, the steps are the same. Navigate to the dashboard you would like to import into your Grafana instance. For the example used here, navigate to Dashboards >> BigIP – Device >> Device Virtual Servers. Click the blue "Share" button near the upper-right corner. In the pop-up box, click the Export tab. Click the blue "Save to file" button to download the JSON file representing the dashboard. Two notes: If you wish to use your own non-AST instance of Prometheus, you will need to move the slider for “Export for sharing externally” (available in the Share pop-up box, under the Export tab) to the right to enable it. This will allow you to select your own Prometheus instance as the data source when importing the dashboard into the alternate Grafana instance. The default JSON for these dashboards is also available in “dashboards” folder of the repo: https://github.com/f5devcentral/application-study-tool/tree/main/services/grafana/provisioning/dashboards. This version has the “Export for sharing externally” option enabled, so you will need to select the desired Prometheus data source – either your own or the AST instance – when importing the dashboard into the alternate Grafana instance. Import the Dashboard into the New (or Existing) Grafana Instance If you have just launched a new, generic Grafana container using the instructions in the above section, Launch a Second (Generic) Grafana Container, you can now launch the UI from a web browser by navigating to http://localhost:3002/ (assuming you are running on your local machine). The default login credentials are admin/admin. If this is just a temporary test instance, you may click “skip” when prompted to “Update your password”. (For a production instance or any instance that will be used more than just briefly, we recommend changing this to a stronger password.) If you are using an existing Grafana instance, navigate to it and log in. Connect the New Grafana Instance to the AST Prometheus Instance From this non-AST Grafana instance, verify the Prometheus data source is reachable from Grafana, and then connect to it by following these steps: In the menu bar on the left, click Connections >> Data sources. If this is a new instance of Grafana, the “Add data source” button will appear in the middle of the screen. If this is an existing instance with pre-existing data sources, the button will be in the upper-right corner of the screen and will say “Add new data source”. Click on it. Select Prometheus from the list of data sources. You may have to scroll down or enter “prometheus” in the search bar. Fill in a name (for example, “ast-prometheus”), and the URL to connect to the Prometheus instance. In my case, it was my host's private IP address, 192.168.0.15, and the port Prometheus is listening on (9090 by default): http://192.168.0.15:9090. Set the “Interval behaviour >> Scrape interval” to be the same as the value used for the collection_interval setting in your AST configuration. If you did not explicitly change it when configuring AST, it will be the default value of 60s. Click the blue "Save & test" button and ensure you get the message, “Successfully queried the Prometheus API” at the bottom of the screen. Import the Dashboard into the New Grafana Instance Click on “Dashboards” in the menu on the left. Click the blue “New” button in the upper-right and, from the drop-down, select "Import". Click on "Upload dashboard JSON file" and upload the JSON file you previously exported from the original AST dashboard. Give it a name (under Name). Under the Prometheus drop-down, select your Prometheus data source. (In the example above, it is called "ast-prometheus". If you accept the default name, it will just be “prometheus”.) Click Import. Voilà! You are now taken to the newly imported Grafana dashboard. Conclusion The Application Study Tool offers excellent observability for F5 BIG-IP systems and the traffic they handle. If you have your own Grafana instance with your own set of dashboards, there is no need to manage two separate instances. You can combine the two so you have all your dashboards in one place. The flexibility of Grafana also allows it to be highly customizable, so you can modify any of the out-of-the-box dashboards AST provides and even create your own. If you have gotten value from customizing some of the default AST dashboards, feel free to post what you did below, as many of our readers will find this valuable.
