AS3 Deployments (shared objects)
BIG-IP LTM: 17.1.1
AS3 Plugin: 3.49.0

We are migrating from older hardware to newer r5900 series hardware. In that process we are moving to configuration as code, using AS3. Working through all the hiccups and hurdles, came across a "need" that I was wondering if possible?! Can you have a "global" (or "shared") partition with configurations within that all partitions can reference? I inherited the previous configurations from a colleague, and everything is located within the Common partition, which has kinda worked out nicely, as we can share "objects" (iRules, profiles, etc.) between most configurations. This also has been beneficial when we need to make a global change (certificate chain change, for example) that allowed us to fix all configurations quickly by changing just the one object that was shared. Is this possible across partitions, or is that a hard silo division, and nothing can be shared between them?

34 Views, 0 likes, 4 Comments

AS3 Monitoring multiple ports selectively
Hi, I have nodes listening on ports 80, 81, 82 and 83. Port 80 is mandatory, and at least one of the other 3 ports is mandatory. With manual configuration, I put the port 80 monitor at the node level and the other 3 ports at the pool member level. With AS3, node-level monitoring does not exist. What are the other options, given that all my deployments are based on AS3? Thanks. OM

15 Views, 0 likes, 0 Comments

AS3 ACC Conversion
Hi, I have a qkview extracted from a BIG-IP r5600 running version 17.1.1. I have imported the qkview into VS Code and converted it to AS3 using ACC. When I try to post the declaration, I get errors about the SSL certificate not being found even though the certificates are in place. The fact is, when the configuration was created in the first place on the F5 via the GUI, there was no concept of PATH under the domain partition, and now with AS3 I have this Shared App that has been added to the configuration. What exactly is the right process for converting to AS3 via ACC when the original configuration qkview file does not have any Application subfolder, just the Admin partition (i.e. Tenant)? Here is the error I am getting right now:

{
  "id": "82530133-0b46-46c3-97a5-68766a5a663f",
  "results": [
    {
      "code": 422,
      "message": "declaration failed",
      "response": "01070277:3: The requested key (/TENANT1/Mycert-2024) was not found.",
      "host": "localhost",
      "tenant": "TENANT1",
      "runTime": 2739,
      "declarationId": "urn:uuid:bdc310a7-31ad-4f07-bf96-2566912cd989"
    }
  ],
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.37.0",
    "id": "urn:uuid:bdc310a7-31ad-4f07-bf96-2566912cd989",
    "label": "Converted Declaration",
    "remark": "Generated by Automation Config Converter",
    "controls": {
      "class": "Controls",
      "userAgent": "vscode-f5/3.16.1",
      "archiveTimestamp": "2024-03-06T15:36:02.267Z"
    },
    "updateMode": "selective"
  }
}

Thanks.

31 Views, 0 likes, 0 Comments

Enabling Package Management in v12 Removed iApps AWS Item
So I'm working in an old lab environment (v12) that isn't currently being used, and under the iApps menu, there was an AWS option listed but Package Management was missing. From the AS3 documentation, I ran the following command to enable Package Management from the CLI:

touch /var/config/rest/iapps/enable

and rebooted the BIG-IP. The Package Management option now shows up but the AWS option is gone. Any idea why? The lab environment was set up years ago, so no one knows what the AWS option was used for or who added/enabled it, so it's not really a loss that it's now gone. However, that it's missing after enabling Package Management is weird. Any thoughts on what happened would be great to hear. Thanks!

Solved, 250 Views, 0 likes, 2 Comments

F5 AS3 set ProfileHTTP=None
Hello, I'm trying to set my profileHTTP in virtual-server to None. I tried different methods, with a "use" or "bigip", with a none, /common/none, false, but impossible. How do I set my profileHTTP to None via AS3? Thank you for your help. Best regards

Solved, 468 Views, 0 likes, 2 Comments

AS3 add another VS to existing tenant
I have deployed the sample AS3 script to create a VS with pool and pool members from here:

{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "urn:uuid:33045210-3ab8-4636-9b2a-c98d22ab915d",
    "label": "Sample 1",
    "remark": "Simple HTTP Service with Round-Robin Load Balancing",
    "AS1": {
      "class": "Tenant",
      "A1": {
        "class": "Application",
        "template": "generic",
        "MyVS1": {
          "class": "Service_HTTP",
          "virtualAddresses": ["10.0.1.11"],
          "pool": "web_pool_1"
        },
        "web_pool_1": {
          "class": "Pool",
          "monitors": ["http"],
          "members": [
            {
              "servicePort": 80,
              "serverAddresses": ["192.0.1.10", "192.0.1.11"]
            }
          ]
        }
      }
    }
  }
}

Now I want to add another VS to the same tenant (same partition) but when I edit the above script and deploy this:

{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "urn:uuid:33045210-3ab8-4636-9b2a-c98d22ab915d",
    "label": "Sample 1",
    "remark": "Simple HTTP Service with Round-Robin Load Balancing",
    "AS1": {
      "class": "Tenant",
      "A1": {
        "class": "Application",
        "template": "generic",
        "MyVS2": {
          "class": "Service_HTTP",
          "virtualAddresses": ["10.0.1.12"],
          "pool": "web_pool_2"
        },
        "web_pool_2": {
          "class": "Pool",
          "monitors": ["http"],
          "members": [
            {
              "servicePort": 80,
              "serverAddresses": ["192.0.1.12", "192.0.1.13"]
            }
          ]
        }
      }
    }
  }
}

It replaces the old configuration and I only have MyVS2. How can I add MyVS2 to the current configuration without losing MyVS1?

366 Views, 0 likes, 1 Comment

DELETE method with AS3 is too powerful!
Am I the only one totally freaking out about the fact that with AS3, you just have to send a DELETE method to mgmt/shared/appsvcs/declare and everything is gone?? All your production system could be wiped off that easily... From my understanding it's mandatory to have the administrator privilege to use AS3, and administrators can access all the partitions; so you cannot even create users that would be allowed to manage only specific partitions... It's all or nothing. In my opinion the least you should do is to get rid of this dangerous default behavior, and instead use the keyword "ALL" to remove all tenants...

==========================
Extract from the doc:

Use DELETE to remove configurations for one or more declared Tenants from the target ADC. If you do not specify any Tenants, DELETE removes all of them, which is to say, it removes the entire declared configuration. Indicate the target device and Tenants to remove by appending elements to the main AS3 URL path (/mgmt/shared/appsvcs/declare). By default (just main URL) DELETE removes all Tenants from target localhost.

DELETE examples:

DELETE https://192.0.2.10/mgmt/shared/appsvcs/declare removes all tenants
DELETE https://192.0.2.10/mgmt/shared/appsvcs/declare/T1,T2,T5 removes Tenants T1, T2, and T5 leaving the rest of the most recent declared configuration for localhost in place
==========================

Does anyone agree, or have a suggestion to add some security?

965 Views, 0 likes, 4 Comments

AS3 Shared Objects and Virtual Service Address Lists
Below is a declaration that will create a virtual service that has a host 1.1.1.50/32 as the allowed source host. How in AS3 do you create a shared object address list, if that is possible, or if that is not possible, how do I reference an existing address list in the declaration so I can specify multiple source hosts rather than a subnet?

{
  "class": "AS3",
  "action": "patch",
  "patchBody": [
    {
      "op": "add",
      "path": "/{{tenant}}/testvip",
      "value": {
        "class": "Application",
        "template": "generic",
        "testvip_http_8080": {
          "class": "Service_HTTP",
          "snat": "auto",
          "virtualPort": 8080,
          "virtualAddresses": [
            ["10.10.10.10", "1.1.1.50/32"]
          ],
          "iRules": [],
          "pool": "testvip_tcp_8080_pool",
          "persistenceMethods": []
        },
        "testvip_tcp_8080_pool": {
          "class": "Pool",
          "monitors": [
            { "use": "testvip_http_8080_monitor" }
          ],
          "loadBalancingMode": "least-connections-member",
          "members": [
            {
              "adminState": "enable",
              "shareNodes": false,
              "servicePort": 8080,
              "serverAddresses": ["2.2.2.2"],
              "hostname": "server1"
            },
            {
              "adminState": "enable",
              "shareNodes": false,
              "servicePort": 8080,
              "serverAddresses": ["3.3.3.3"],
              "hostname": "server2"
            },
            {
              "adminState": "enable",
              "shareNodes": false,
              "servicePort": 8080,
              "serverAddresses": ["4.4.4.4"],
              "hostname": "server3"
            }
          ]
        },
        "testvip_http_8080_monitor": {
          "class": "Monitor",
          "monitorType": "http",
          "send": "GET /keepalive.txt HTTP/1.0",
          "receive": "200"
        }
      }
    }
  ]
}

916 Views, 0 likes, 3 Comments

An example of an AS3 Rest API call to create a GSLB configuration on BIG-IP.
Hi everyone,

Below you can find an example of an AS3 Rest API call that creates a simple GSLB configuration on BIG-IP devices. The main purpose of this article is to share this configuration with others. Of course, on different sites (GitHub, etc.) you can find different bits of data, but I think this example will be useful, because it contains all the necessary information about how to create different GSLB objects at the same time, such as: Data Centers (DCs), Servers, Virtual Servers (VSs), Wide IPs, pools and more.

{
  "class": "AS3",
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.21.0",
    "id": "GSLB_test",
    "Common": {
      "class": "Tenant",
      "Shared": {
        "class": "Application",
        "template": "shared",
        "DC1": {
          "class": "GSLB_Data_Center"
        },
        "DC2": {
          "class": "GSLB_Data_Center"
        },
        "device01": {
          "class": "GSLB_Server",
          "dataCenter": { "use": "DC1" },
          "virtualServers": [
            {
              "name": "/ocp/Shared/ingress_vs_1_443",
              "address": "A.B.C.D",
              "port": 443,
              "monitors": [
                { "bigip": "/Common/custom_icmp_2" }
              ]
            }
          ],
          "devices": [
            { "address": "A.B.C.D" }
          ]
        },
        "device02": {
          "class": "GSLB_Server",
          "dataCenter": { "use": "DC2" },
          "virtualServers": [
            {
              "name": "/ocp2/Shared/ingress_vs_2_443",
              "address": "A.B.C.D",
              "port": 443,
              "monitors": [
                { "bigip": "/Common/custom_icmp_2" }
              ]
            }
          ],
          "devices": [
            { "address": "A.B.C.D" }
          ]
        },
        "dns_listener": {
          "class": "Service_UDP",
          "virtualPort": 53,
          "virtualAddresses": ["A.B.C.D"],
          "profileUDP": { "use": "custom_udp" },
          "profileDNS": { "use": "custom_dns" }
        },
        "custom_dns": {
          "class": "DNS_Profile",
          "remark": "DNS Profile test",
          "parentProfile": { "bigip": "/Common/dns" }
        },
        "custom_udp": {
          "class": "UDP_Profile",
          "datagramLoadBalancing": true
        },
        "testpage_local": {
          "class": "GSLB_Domain",
          "domainName": "testpage.local",
          "resourceRecordType": "A",
          "pools": [
            { "use": "testpage_pool" }
          ]
        },
        "testpage_pool": {
          "class": "GSLB_Pool",
          "resourceRecordType": "A",
          "members": [
            {
              "server": { "use": "/Common/Shared/device01" },
              "virtualServer": "/ocp/Shared/ingress_vs_1_443"
            },
            {
              "server": { "use": "/Common/Shared/device02" },
              "virtualServer": "/ocp2/Shared/ingress_vs_2_443"
            }
          ]
        }
      }
    }
  }
}

P.S. The AS3 schema guide was very helpful: https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/refguide/schema-reference.html

629 Views, 1 like, 2 Comments

Patching additional TLS certificate to the existing virtual server
Hi, I am new to AS3. I tried the following JSON file to patch the new TLS certificate to the existing virtual server, however it's not working. Can you let me know what the correct procedure is?

{
  "class":"AS3",
  "action":"patch",
  "patchBody":[
    {
      "op":"add",
      "path":"/tenanat/Application/private-vip/front-cert",
      "value":{
        "class":"TLS_Server",
        "certificates":[
          {
            "certificate":"frontend-cert"
          }
        ],
        "ciphers":"DEFAULT",
        "frontend-cert":{
          "class":"Certificate",
          "certificate":"-----BEGINCERTIFICATE-----fsdfsdfdshfd-----ENDCERTIFICATE-----\n",
          "privateKey":"-----BEGINPRIVATEKEY-----edfddsfdsfds-----ENDPRIVATEKEY-----\n"
        },
        "private-vip":{
          "layer4":"tcp",
          "class":"Service_HTTPS",
          "ServerTLS":"front-cert",
          "redirect80":false,
          "shareAddresses":true,
          "virtualAddresses":[
            "192.168.1.x"
          ]
        }
      }
    }
  ]
}

419 Views, 0 likes, 1 Comment