Skies Never Looked So Good With BIG-IP Cloud Edition
Don't let the title fool you. Yes, I know BIG-IP is already available in AWS, Azure, Google Cloud, and your various private cloud flavors. But there's something BIG-IP hasn't done yet in cloud environments. We've had auto-scaling for a while but we've added a new twist. BIG-IP Cloud Edition gives administrators the ability to automatically scale on a per-app basis with lower cost licensing. Combine autoscaling features with role-based access to applications, analytics, and security policies and you're finally providing BIG-IP's ADC and Advanced WAF features where your teams need them. Application owners now have a seat at the infrastructure table without compromising other systems. An FAQ about BIG-IP Cloud Edition including Per App VE is available here.

The BIG-IP Cloud Edition Pie

There are three slices to this solution: the BIG-IQ Configuration Management slice, the Per App VE slice, and your preferred cloud provider slice. As the FAQ stated, at launch BIG-IP Cloud Edition will support AWS and VMware. Azure, Google and others will follow in subsequent BIG-IQ releases. Let's discuss the BIG-IQ slice.

A slice of BIG-IQ 6.0

BIG-IQ is your portal into auto-scaling, role-based access controls, API application access, and reporting. Administrators will create a series of templates that application owners can use in a service catalog environment (or use the REST API to manage through an external service catalog). Security teams can have WAF and traffic policies built in and monitor security reports as they happen from RBAC-customized dashboards. Dashboards give everyone visibility into the application configuration and health. Application owners can drill down to the individual application nodes to identify slow response times. Security admins can drill down to find out why one application keeps denying password changes. It's all customizable to meet your unique team's role requirements.

A slice of BIG-IP Per App VE

Building off this week's earlier discussion, when paired with BIG-IQ 6.0, Per App VEs can be deployed in service scaling groups defined in BIG-IQ, which expand and contract when customizable thresholds are triggered. The Per App VE lower cost license options offer the LTM and Advanced WAF BIG-IP modules at 25 and 200 Mbps traffic rates. Using BIG-IQ as the license manager or using utility billing (where applicable), BIG-IP Per App VE provides the lightweight footprint and quicker deployment times needed to meet application elasticity needs.

A slice of Cloud

As previously stated, BIG-IP Cloud Edition will initially launch with support for AWS and VMware, with other cloud providers soon to follow. Cloud Edition accesses the Per App VE scaling groups by using a cloud-provider-specific L4 traffic manager. For VMware this is a special lower cost BIG-IP HA license. For AWS, we use ELB Classic to provide basic L4 traffic forwarding. As Per App VEs are scaled out, the service scaler is notified of additional nodes and configured as needed.

Scaling groups give you several benefits beyond just auto-scaling. You can deploy BIG-IP in environments where you previously relied on monolithic devices. Auto-scaling may not be beneficial for VMware, but allowing smaller one-off deployments for development teams is. For AWS, you can create regional service scaling groups and distribute BIG-IP to different locations and VPCs as needed. RBAC and flexible device templates offer exponential possibilities. Heck, just offer 1 Per App VE to development teams and scale up to 2 for throughput testing. For production apps, offer more. It's up to you.

What's Next?

BIG-IP already has success in private and public clouds for those critical applications that require robust and reliable ADC and security features. On the flip side, it's still a Royal Rumble when different Ops groups need to make changes.
NetOps doesn't want SecOps to break traffic, while DevOps just wants REST access to their apps so they can automate deployments and changes. BIG-IP Cloud Edition turns that no-holds-barred cage match into a family-style potluck where everyone brings their best dishes, everyone shares, and everyone leaves happy. Best. Analogy. Ever.

If you have questions, we've started a discussion board in our Q&A. Please feel free to ask questions, leave comments or just say hi. Happy admining.

Updating an Auto-Scaled BIG-IP VE WAF in AWS
Update servers while continuing to process application traffic.

Recently we've been showing how to deploy BIG-IP (and F5 WAF) in various clouds like Azure and AWS. Today, we’ll take a look at how to update an AWS auto-scaled BIG-IP VE web application firewall (WAF) that was initially created by using this F5 GitHub template. This solution implements auto-scaling of BIG-IP Virtual Edition (VE) Web Application Firewall (WAF) systems in Amazon Web Services. The BIG-IP VEs have the Local Traffic Manager (LTM) and Application Security Manager (ASM) modules enabled to provide advanced traffic management and web application security functionality. As traffic increases or decreases, the number of BIG-IP VE WAF instances automatically increases or decreases accordingly.

Prerequisites:
- BIG-IP VE version 13.0
- You created your WAF using the F5 CloudFormation Template (CFT) from GitHub.

So, let’s assume you used the CFT to create a BIG-IP WAF in front of your application servers…and your business is so successful that you need to be able to process more traffic. You do not need to tear down your deployment and start over – you can make changes to your current deployment while the WAF is still running and protecting your environment.

For this article, a few examples of things you can change include increasing the throughput limit. For instance, when you first configured the WAF, you chose a specific throughput limit for BIG-IP. You can update that. You may also have selected a smaller AWS instance size and now want to choose a larger AWS instance type and add more CPU. Or, you may have set up your auto-scaling group to launch a maximum of two instances and now you want to be able to update the auto-scaling group attributes and add three. This is all possible, so let’s check it out.

The first thing we want to do is connect to one of the BIG-IP VE instances and save the latest configuration.
We open PuTTY, log in and run the TMSH command (save /sys ucs /var/tmp/original.ucs) to save the UCS config file. Then we use WinSCP to copy the UCS file to the desktop. You can use whatever application you like and copy the file wherever you like, as this is just a temporary location.

Once that’s done, open the AWS Management Console and go to S3. Locate your bucket; it was created when you first deployed the CFT. When you find yours, click it and then click the Backup folder. Once there, upload the UCS file into that folder. The UCS is now in the folder.

The last step is to redeploy the CFT and change the selected options. From the main AWS Management Console, click CloudFormation, select your Stack and under Actions, click Update Stack. Next, you can see the template we originally deployed; to update, click Next. Scroll down the page to Instance Configuration to change the instance type size. Right under that is Maximum Throughput, where you update the throughput limit. And a little further down, under Auto Scaling Configuration, is where you can update the max number of instances. When done, click Next at the bottom of the page. It’ll ask you to review and confirm the changes. Click Update.

You can watch the progress, and if your current BIG-IP VE instance is actively processing traffic, it will remain active until the new instance is ready. Give it a little time to ensure the new instance is up and added to the auto-scaling group before we terminate the other instance.

When it is done, we’ll confirm a few things. Go to the EC2 Dashboard and check the running instances. We can see the old instance is terminated and the new instance is now available. You can also check the instance size, and within the auto-scaling group you can see the new maximum number of instances. And we’re deployed.

You can follow this same workflow to update other attributes of your F5 WAF. This allows you to update your servers while continuing to process traffic.
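
The console steps above can also be driven from the AWS CLI. This added example (not from the original article or F5's template) uploads the saved UCS and updates the stack, keeping every parameter you do not override at its previous value; the stack name, bucket name and parameter keys you pass in are assumptions to replace with the ones from your own deployment.

```bash
#!/usr/bin/env bash
# Added example, not F5's code. Parameter keys, stack and bucket names are
# placeholders; read the real keys from your own stack.
set -eu
UCS_PREFIX="${UCS_PREFIX:-Backup}"   # folder name as the article gives it

# Emit one update-stack parameter per existing key: overridden keys get the
# new value, all others UsePreviousValue=true. Unknown override keys fail,
# so a typo cannot silently leave the old limit in place.
# $1 = existing keys (whitespace separated); remaining args = KEY=VALUE.
build_params() {
  local keys key ov val
  keys=$(echo $1); shift               # collapse tabs/newlines to spaces
  for ov in "$@"; do
    case " $keys " in
      *" ${ov%%=*} "*) ;;
      *) echo "unknown parameter: ${ov%%=*}" >&2; return 1 ;;
    esac
  done
  for key in $keys; do
    val=""
    for ov in "$@"; do
      if [ "${ov%%=*}" = "$key" ]; then val="${ov#*=}"; fi
    done
    if [ -n "$val" ]; then
      echo "ParameterKey=$key,ParameterValue=$val"
    else
      echo "ParameterKey=$key,UsePreviousValue=true"
    fi
  done
}

# args: stack bucket ucs-file [KEY=VALUE ...]
update_waf_stack() {
  local stack="$1" bucket="$2" ucs="$3" keys out line; shift 3
  # A UCS archive holds keys and certificates: encrypt it at rest in S3.
  aws s3 cp "$ucs" "s3://$bucket/$UCS_PREFIX/" --sse AES256
  keys=$(aws cloudformation describe-stacks --stack-name "$stack" \
    --query 'Stacks[0].Parameters[].ParameterKey' --output text)
  out=$(build_params "$keys" "$@")
  set --
  while IFS= read -r line; do set -- "$@" "$line"; done <<EOF
$out
EOF
  # CAPABILITY_IAM is assumed to be required by the template's IAM resources.
  aws cloudformation update-stack --stack-name "$stack" \
    --use-previous-template --capabilities CAPABILITY_IAM --parameters "$@"
  aws cloudformation wait stack-update-complete --stack-name "$stack"
}

if [ "${1:-}" = "--run" ]; then shift; update_waf_stack "$@"; fi
```

Invoke it with `--run <stack> <bucket> original.ucs KEY=VALUE ...` after saving the UCS as described above; delete the local copy of the UCS once the upload succeeds.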

Thanks to our TechPubs group, you can also watch the video demo.

ps

Related:
- Deploy BIG-IP VE in AWS
- Deploy BIG-IP VE in Microsoft Azure Using an ARM Template
- Deploying F5’s Web Application Firewall in Microsoft Azure Security Center