big-ip cloud edition
5 Topics

BIG-IP Cloud Edition FAQ
BIG-IP Cloud Edition is designed to enable easy-to-use, fast self-serve deployments of application services in private and public clouds. BIG-IP Cloud Edition is a solution composed of BIG-IP Per-App VEs and BIG-IQ CM 6.0. It's designed to deliver the same consistent, industry-leading intelligent traffic management (F5 Local Traffic Manager – LTM) and advanced web application firewall (Advanced WAF) services. For more information on BIG-IP Cloud Edition components, please read K3341282 on AskF5.

In this FAQ you'll find a growing list of frequently asked questions about BIG-IP Cloud Edition. Please provide feedback in this discussion thread.

BIG-IP Cloud Edition Questions

What is BIG-IP Cloud Edition?
BIG-IP Cloud Edition is a solution composed of the BIG-IP Per-App Virtual Editions for app service auto-scaling plus BIG-IQ 6.0 per-app management and analytics capabilities.

What are the minimum versions needed for BIG-IP Cloud Edition?
The minimum versions required to support the full Cloud Edition solution are BIG-IP version 13.1.0.5 or later and BIG-IQ version 6.0.

What are the supported cloud environments for BIG-IP Cloud Edition?
At release, VMware and AWS environments will be supported. Support for Azure and other cloud providers is planned.

Can BIG-IP Cloud Edition be deployed into private or public cloud?
Yes, BIG-IP Cloud Edition can be deployed in the same clouds as BIG-IP VE and managed as any BIG-IP normally would be, but we are delivering lifecycle management functionality (e.g. spin-up/spin-down, autoscaling, and rolling upgrades) using BIG-IQ for VMware vSphere and AWS cloud environments.

Can I upgrade existing BIG-IQ 5.x to 6.0?
Initially, no. Upgrades to 6.0 for existing BIG-IQ customers will be supported in 6.0.1, released later this year, along with support for BIG-IP 12.1.x versions. The initial release of BIG-IQ 6.0 will be limited to new installations of BIG-IQ.

Is the BIG-IP AVR module required for BIG-IQ analytics?
Are BIG-IQ Data Collection Devices (DCDs) required for analytics?
Yes, AVR will be required to be provisioned on the BIG-IPs used in the Cloud Edition use cases. Many of the advanced analytics use cases require AVR to collect more detailed HTTP-layer and performance stats to trigger autoscale. When setting up the Device Templates, the admin will need to enable AVR. The AVR overhead on BIG-IP is lighter, as all the processing/aggregation is done on BIG-IQ instead of BIG-IP. Data Collection Devices (DCDs) are required to receive the advanced analytics from BIG-IP and are available with a free license.

What is an App Template?
BIG-IQ 6.0 Application Templates are a way of standardizing the application and security services deployment and policies required by an application in a service catalog, as defined by the BIG-IP admin or domain expert. BIG-IQ 6.0 will include pre-defined templates for the common web application configurations. An App owner given the appropriate role-based access can then select a template that matches their desired deployment, fill out the required fields, and then automatically deploy the application service for his/her application in the UI, or can use the published and documented APIs.

What is a Device Template?
BIG-IQ Device Templates are used to on-board BIG-IP Virtual Editions by enabling device instantiation, licensing, provisioning, and networking, and are used along with application templates to support autoscaling. This allows complete automation of the environment, with no human involvement required to scale out VE services.

Where can I give general feedback on the BIG-IP Cloud Edition?
Please provide feedback through the DevCentral Q&A discussion for BIG-IP Cloud Edition.

BIG-IP Per App VE Questions

What is BIG-IP Per App VE?
BIG-IP Per-App VE is a virtual edition designed and priced for dedicated per-app services, with licensed features for 1 VIP, 3 Virtual Servers, support of LTM and Advanced WAF, and 2 throughput options: 25Mbps and 200Mbps.

What is the '1 virtual IP, 3 virtual servers' limit?
Per-App VE is designed to support one application, therefore it was licensed to support a single virtual IP address. However, within the 1 virtual IP address, administrators can also define 3 virtual servers using different port numbers for the virtual IP. Within the allowed 3 virtual servers, one wildcard virtual server is allowed, primarily to support outbound traffic from backend servers.

| | BIG-IP Per App VE | BIG-IP VE (Standard) |
|---|---|---|
| # of Applications Supported | 1 Virtual IP & 3 Virtual Servers | Sky's the Limit |
| BIG-IP Services Available | LTM, Advanced WAF | All Application Services |
| Throughput Per Instance | 25Mbps, 200Mbps | 25Mbps, 200Mbps, 1GB, 3GB, 5GB, 10GB, High Performance |
| Licensing Models | Subscription, Enterprise License Agreement, Perpetual | Subscription, Enterprise License Agreement, Perpetual, Pay-As-You-Go |

Is there a BIG-IP version requirement for Per-App VE?
Yes. Per App VE is available in BIG-IP version 13.1.0.2, but for full Cloud Edition functionality we require version 13.1.0.5 or later.

I hear there are smaller images for VE, are these only for the Per-App VE?
No, the smaller images are available in the BIG-IP v13.1.0.2 and later releases and are not restricted to Per-App VE. F5 is reducing the disk size for all virtual editions.

Are there different images for the Per App VE and the standard BIG-IP VE?
No. The images are the same between the Per-App VE and the standard VE. Software licensing determines Per App VE or standard BIG-IP VE functionality.

What is the relevance of single slot images and Per-App VE?
Slot = Boot Partition. Per-App VE increases the scale of deployments, so cost savings on footprint become even more relevant.
Per-App VE will typically be targeted for 'wipe/deploy' instead of in-place upgrades of BIG-IP. The 1 slot images provide further storage savings by removing the 2nd slot, which has been used for version upgrades. 1 slot images are available for Per App VE and standard BIG-IP virtual editions.

With the new Single Slot VE images, how do we perform upgrades?
There is no capability to upgrade software to a new version or even a HF or point release, as we now call them. Instead, they need to be deployed in an environment that supports wipe/deploy type workflows. Wipe/deploy basically means that a new instance with the new version of software is provisioned, and it will replace the older version VE either through automation or some sort of auto-scale type workflow where traffic is directed from the older instance to the newer one.

Can I upgrade from Per-App VE to a standard VE by adding/changing the license?
Nope. You can manage licenses for Per App VE alongside standard virtual editions through BIG-IQ, but they are not interchangeable.

Application Auto Scaling Through BIG-IP Cloud Edition
Peanut butter is good and jelly is good. What happens when you bring those two together? BIG-IQ 6 is the peanut butter, Per App VE is the jelly. Put them together and you get per application auto scaling. BIG-IP has supported auto scaling for a while now, but the use cases for dynamically deploying multiple instances of BIG-IP were few (based on individual application requirements). By deploying the BIG-IP Per App VE instead, you get a (marketing speak alert) lower cost deployment for customized ADC and security on a per application basis.

Our training team put together a great walk-through article for deploying auto scaling features with BIG-IP Cloud Edition. In our two videos we're deploying auto scaling functionality into VMware and AWS infrastructures. For comparison, go back and check out Skies Never Looked So Good With BIG-IP Cloud Edition, where we show the differences between AWS and VMware tier 1 traffic distributors. But enough talk... Enjoy the walk-through. A discussion in Q&A for BIG-IP Cloud Edition is available if you have questions.

Further Reading
ASKF5 BIG-IP Cloud Edition Knowledge Center
BIG-IP Cloud Edition - Deploy and Secure an Application
BIG-IP Cloud Edition & Per App VE FAQ
Getting In Shape For Summer With BIG-IP Per App Virtual Edition
ASKF5 K33431282: Overview of BIG-IP Cloud Edition Components

Building Applications For The Rest Of Us With BIG-IQ 6
If you enjoy hoarding vast depths of knowledge from your business partners, this article is not for you. If you want to provide a scalable and simplified deployment model to empower and enable your teams, then read on my friend. One of the two pieces of the BIG-IP Cloud Edition ecosystem, BIG-IQ 6.0 provides a streamlined way to deploy applications for the rest of us. Tying simplified application deployment to BIG-IP Per App Virtual Edition's auto-scaling functionality within AWS or VMware, Cloud Edition provides the scalable deployment models you've been looking for from F5. Quick application compliance is a button click away for any team wanting the complete ADC and Advanced WAF features provided by BIG-IQ and BIG-IP. Using role-based access controls (RBAC), our example below will deploy an application with the assistance of a BIG-IP admin, a Security Manager, and an Application Owner.

A Template for You and A Template For You; Templates for Everyone!

Our BIG-IP admin provides a service catalog of application templates to users who have roles allowing app creation/deployment. Predefining a service catalog gives them the ability to create traffic profiles and tune networking requirements without complicating the deployment process for his application owners. This keeps our BIG-IP admin in control of the network and the application traffic profiles running on it without slowing down deployments. In our example, they'll clone a BIG-IQ default template so the rest of the team can deploy a web application firewall (WAF) enabled application. Our security engineer will create his security policies based on corporate compliance requirements, and Dwayne will apply Mick's security policies to the service catalog offerings. Mary, our App Manager, will choose the new WAF enabled catalog item to deploy a new application in front of her web servers.

tl;dr - check out the pretty picture.

BIG-IQ 6 comes with several prebuilt templates.
They're quite useful for new BIG-IQ administrators to review so they'll see how service catalog items are built from preexisting BIG-IP profiles and configurations. The prebuilt templates, similar to default BIG-IP profiles, are not modified by administrators but cloned or used as references for new service catalog offerings.

Note: Templates that do not define an HTTP profile cannot be deployed to a service-scaling group (used for auto-scaling in AWS and VMware).

Security Policies

Our Security Manager needs to build a new WAF template for the upcoming application. They've been granted the Security Manager role within BIG-IQ to create and manage security policies, relying on the BIG-IP admin to apply them to service catalog items. In this particular case our Security Manager will edit the policy viol_subviol, change the learning mode to manual, and make it available to application templates for use.

To apply the new security policy, the BIG-IP admin will clone the default f5-HTTPS-WAF-lb-template; in this case we're calling it f5-HTTPS-WAF-lb-custom1 (not too creative, I know). The admin can now select the updated ASM policy viol_subviol and the logging profile templates-default for the virtual servers.

Deploying A Service Catalog As An Application

With our creation complete, our Application Owner can log into BIG-IQ and start deploying. The Application Manager role was granted and will permit them to deploy, edit, and monitor applications (within allowances set by our admin's service catalog template). When our App Manager logs in, they'll see an Application Manager-specific dashboard; RBAC limits the Application Manager role's view and prevents access to device, security, or global configurations. They'll create a new application named site18.example.com (she's not very creative either) based on our predefined f5-HTTPS-WAF-lb-custom1 template.
The only information our Application Manager needs to provide to the service catalog is the IP address of the virtual server, the IP address and ports open for the application servers, and the FQDN of her application. The Application Manager fills out the application template and clicks Create. BIG-IQ is off to the races to deploy the application, and within minutes we'll see a healthy status on the new site18.example.com application.

NOTE: If there was a configuration issue or deployment failure, Dwayne, our admin, can tail the BIG-IQ logs at /var/log/restjavad.0.log to determine the cause.

If the Application Manager noticed an issue, they can click through the application dashboard to find out further details. In this case, the application is fine, but they'll update the application health alert rules to coincide with the application's SLA. We can also request access for other people in the application team to monitor this application specifically without viewing others. Our BIG-IP admin has no problem achieving this with RBAC.

Reviewing Application Statistics

Application deployment is complete and the App team has completed traffic and application testing. Our security manager will log back in, check the viol_subviol ASM policy, and then accept the learning completed from the testing. After that they'll change the enforcement mode to blocking. When our Application Manager logs back in, they can click on Security within the traffic diagram under Application Services. This will give them security-specific analytics and configurations. "Start Blocking" is available for our manager to enable now that traffic learning was accepted and applied to the system. Sooner or later some cranky people start sending us some malicious traffic, and we can view the changes in traffic behavior.

Automating Your Deployments

BIG-IQ can also assist with automation. BIG-IQ's use of RBAC allows administrators to create automation-centric service accounts for deployment and management needs.
Administrators can segregate service accounts based on unique requirements and further control your application lifecycles as you and your team see fit. Should the Application Manager have decided to deploy the application via Ansible, they could have clicked View Sample API Request, and BIG-IQ would provide the JSON snippet along with the entered data to populate the playbook. Of course this is a one-off example, but it provides the template needed to deploy further applications should Ansible authenticate with the appropriate credentials.

BIG-IQ 6 is a significant step forward to provide ADC and Security functions in front of ALL of your applications, not just the mission critical. We just scratched the surface with application deployment in what BIG-IQ 6 can do for you. In our next article we'll cover auto-scaling applications using service scaling groups with BIG-IP Per App VE. Together BIG-IQ and Per App VE form BIG-IP Cloud Edition and a new way to protect and maintain all of your applications, no matter how big or small. As always, if you have questions or feedback, please go to our BIG-IP Cloud Edition Discussion in Q&A. Happy Admining.

Skies Never Looked So Good With BIG-IP Cloud Edition
Don't let the title fool you. Yes, I know BIG-IP is already available in AWS, Azure, Google Cloud, and your various private cloud flavors. But there's something BIG-IP hasn't done yet in cloud environments. We've had auto-scaling for a while, but we've added a new twist. BIG-IP Cloud Edition gives administrators the ability to automatically scale on a per App basis with lower cost licensing. Combine autoscaling features with role-based access to applications, analytics, and security policies, and you're finally providing BIG-IP's ADC and Advanced WAF features where your teams need them. Application owners now have a seat at the infrastructure table without compromising other systems. An FAQ about BIG-IP Cloud Edition including Per App VE is available here.

The BIG-IP Cloud Edition Pie

There are three slices to this solution: the BIG-IQ Configuration Management slice, the Per App VE slice, and your preferred cloud provider slice. As the FAQ stated, at launch BIG-IP Cloud Edition will support AWS and VMware. Azure, Google and others will follow in subsequent BIG-IQ releases. Let's discuss the BIG-IQ slice.

A slice of BIG-IQ 6.0

BIG-IQ is your portal into auto-scaling, role-based access controls, API application access, and reporting. Administrators will create a series of templates that application owners can use in a service catalog environment (or use the REST API to manage through an external service catalog). Security teams can have WAF and traffic policies built in and monitor security reports as they happen from RBAC customized dashboards. Dashboards give everyone visibility into the application configuration and health. Application owners can drill down to the individual application nodes to identify slow response times. Security admins can drill down to find out why one application keeps denying password changes. It's all customizable to meet your unique team's role requirements.

A slice of BIG-IP Per App VE

Building off this week's earlier discussion, when paired with BIG-IQ 6.0, Per App VEs can be deployed in service scaling groups defined in BIG-IQ that expand and contract when triggered by customizable thresholds. The Per App VE lower cost license options offer LTM and Advanced WAF BIG-IP modules in 25 and 200Mbps traffic rates. Using BIG-IQ as the license manager or using utility billing (where applicable), BIG-IP Per App VE provides the lightweight and quicker deployment times needed to meet application elasticity needs.

A slice of Cloud

As previously stated, BIG-IP Cloud Edition will initially launch with support for AWS and VMware, with other cloud providers soon to follow. Cloud Edition accesses the Per App VE scaling groups by using a cloud provider specific L4 traffic manager. For VMware this is a special lower cost BIG-IP HA license. For AWS, we use ELB Classic to provide basic L4 traffic forwarding. As Per App VEs are scaled out, the service scaler is notified of additional nodes and configured as needed.

Scaling groups give you several benefits beyond just auto-scaling. You can deploy BIG-IP in environments where you previously relied on monolithic devices. Auto-scaling may not be beneficial for VMware, but allowing smaller one-off deployments for development teams is. For AWS, you can create regional service scaling groups and distribute BIG-IP out to different locations and VPCs as needed. RBAC and flexible device templates offer exponential possibilities. Heck, just offer 1 Per App VE to development teams and scale up to 2 for throughput testing. For production apps, offer more. It's up to you.

What's Next?

BIG-IP already has success in private and public clouds for those critical applications that require robust and reliable ADC and Security features. On the flip side, it's still a Royal Rumble when different Ops groups need to make changes.
NetOps doesn't want SecOps to break traffic, while DevOps just wants REST access to their apps so they can automate deployments and changes. BIG-IP Cloud Edition turns that no holds barred cage match into a family style pot luck where everyone brings their best dishes, everyone shares, and everyone leaves happy. Best. Analogy. Ever.

If you have questions, we've started a discussion board in our Q&A. Please feel free to ask questions, leave comments or just say hi. Happy admining.

Lightboard Lessons: BIG-IP Cloud Edition Overview
In this lightboard lesson, Jason covers the upcoming release of BIG-IP Cloud Edition, a BIG-IQ and Per App VE solution to support auto-scaling in your cloud environments.

Resources
Getting In Shape For Summer With BIG-IP Per App Virtual Edition
Skies Never Looked So Good With BIG-IP Cloud Edition