F5 Agility Labs - Index

Welcome

Welcome to the PC101 - Deploying F5 Solutions to AWS with Terraform and CloudFormation Templates lab at F5 Agility 2020

The content contained here leverages a full DevOps CI/CD pipeline and is sourced from the GitHub repository at https://github.com/TonyMarfil/f5agility2020-pc101-readthedocs. Bugs and requests for enhancements can be made by opening an Issue within the repository.

PC 101 - Deploying F5 Solutions to AWS with CloudFormation Templates

This is a self-guided introductory lab that covers:

  • Deploying F5 solutions to AWS with Terraform and CloudFormation Templates
  • Service Discovery iApp - Dynamically populate pool members with the AutoDiscovery iApp.
  • Cross Availability Zone HA with F5
  • Application Services Extension - Automate the creation of virtual servers and associated services using a declarative model.

Prerequisites

In this lab we’ll prepare our AWS environment with the prerequisites required to launch F5 CloudFormation templates.

  • Create AWS account and login to the AWS console.
  • Accept the F5 license subscription from the AWS Marketplace.
  • Create and upload SSH keys to AWS.
  • Create the infrastructure prerequisites necessary to launch an F5 CloudFormation template.
Login to F5’s lab platform (Unified Demo Framework) and launch a remote desktop session

Follow the link in your email invite and login to the lab environment.

Your Deployment => Systems => win2019 => DETAILS. Copy the Administrator password to your clipboard. The password starts immediately after Administrator:

_images/00_admin_pass.png

Click [Done] in the lower right-hand corner.

Under win2019, from the ACCESS drop-down, select RDP and a resolution. The lab looks best in FHD (1920 x 1080). This downloads an .rdp file to your computer. Launch the RDP file and log in using the Administrator credentials, pasting the password from your clipboard.

_images/01_rdp.png

When prompted with the blue “Networks” message click “Yes”.

_images/02_networks.png

Attention

Before proceeding, wait 30 seconds for the Visual Studio Code and Postman applications to start automatically.

You can run the entire lab from within the Windows jump host.

Visual Studio Code => View => Terminal

You will see:
  • AWS Console URL
  • AWS Console Username
  • AWS Console Password
_images/1_vscode_terminal.png

Maximize the Terminal Window by clicking on the ^ in the upper-right-hand corner of the Terminal.

_images/2_vscode_terminal.png
Login to AWS Console

A URL shortcut, “Amazon Web Services Sign-In”, has been auto-generated on the Windows desktop.

Launch Firefox from the taskbar first, then click the “Amazon Web Services Sign-In” shortcut on the Desktop. (Opening the shortcut before Firefox is running can render parts of the page off-screen at some RDP resolutions.)

Alternatively, CTRL+click the “AWS Console URL:” https link in the Visual Studio Code terminal.

_images/3_aws_console_desktop_shortcut.png

Login to the AWS web console with the credentials shown in your terminal.

_images/4_signin_aws_console.png

In the upper-right-hand corner, choose US-West (Oregon) us-west-2 region.

_images/5_aws_console_confirm_region.png

“Services” => type “marketplace” in the search box and select “AWS Marketplace Subscriptions” from the results. Right-click “Manage subscriptions” and open it in a new tab => “Discover products” => type “f5 advanced 25mbps” in the search box => “F5 Advanced WAF (PAYG, 25Mbps)” => “Continue to Subscribe” => “Accept Terms”.

_images/6_aws_marketplace_accept_terms_f5.png

Track the “Effective date” and “Expiration date” columns. When they no longer read “Pending” you can proceed.

_images/7_aws_marketplace_subscribe_to_f5.png
Create an AWS VPC with Terraform

From the Visual Studio Code Terminal, clone the GitHub repository for this lab and change into the working directory.

Attention

For a smooth ride, always invoke commands from inside the cloned git repository (f5agility2020-pc101). To check you’re in the right place, you can run the command pwd and the output should read /home/f5admin/f5agility2020-pc101

git clone https://github.com/TonyMarfil/f5agility2020-pc101.git
cd f5agility2020-pc101/
_images/8_git_clone_and_cd.png

Source the start.sh script. It sets the environment variables the rest of the lab relies on and makes the helper scripts in ./scripts executable; it must be sourced rather than executed so that the variables it exports persist in your current shell.

source ./start.sh
_images/9_source_start.png

Create an SSH key pair and upload the public key to your AWS account. We will use this key later to connect to the F5 instances.

create-ssh-keys.sh
_images/9a_create_ssh_keys.png

From the AWS Console => Services => EC2 => Key pairs. Confirm your ssh key was created.

_images/14_confirm_ssh_keys.png

Initialize Terraform modules.

terraform init
_images/10_terraform_init.png

Validate Terraform files and create a terraform dependency graph.

terraform validate
create-terraform-dependency-graph.sh
_images/11_terraform_validate_and_dependency_graph.png

From the Windows desktop, click on the “terraform_dependancy_graph” URL shortcut and review the graph in your browser. Terraform builds a dependency graph of every object in your environment and uses it to order creation and destruction. This is one of the major advantages of using a declarative tool for building infrastructure and services.

_images/12_terraform_dependency_graph_desktop_shortcut.png _images/13_terraform_dependency_graph_svg.png

From the Visual Studio Code Terminal, plan and then apply.

Attention

The lab passes the BIG-IP admin password on the command line for convenience. Anything given with -var ends up in your shell history and is visible to other users on the host through the process list. Outside a throwaway lab, set it in the TF_VAR_bigip_admin_password environment variable or in a .tfvars file that stays out of version control.

terraform plan -var 'bigip_admin_password=f5letme1n'
terraform apply -var 'bigip_admin_password=f5letme1n' -auto-approve
_images/15_terraform_plan.png _images/16_terraform_apply.png _images/17_terraform_apply_complete.png

Review the terraform output when complete. You can always get the terraform output details again by invoking from the terminal:

terraform output
_images/18_terraform_output.png

Deploying an F5 CloudFormation Template to AWS

Deploy an F5 CloudFormation template to AWS using the supporting AWS infrastructure and services created in the previous lab.

F5 CloudFormation templates on GitHub

Open a new tab in the web browser. Click on the “PC101 AS3 Template” URL bookmark in the bookmark toolbar. An AS3 declaration is a single JSON-formatted document that defines your virtual server(s) and all accompanying configuration objects. Some interesting configuration objects are highlighted in the screenshot below:

  • AWS tags are used to look up the application pool members dynamically; the pool members’ IP addresses are not hard-coded.
  • An HTTP/2 profile is enabled.
  • The virtual server address is a “catch-all” wildcard: 0.0.0.0/0.
class1/module2/./images/4a_f5_aws_cloudformation_as3_declaration
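The declaration the bullets above describe, built in Python as an added example for this page (it is not the lab's pc101_as3_template and not F5 code). The tenant, application, pool and certificate object names, the 3.20.0 schema version and the reuse of the BIG-IP's bundled default.crt/default.key are assumptions; the findme=web tag is the one the lab puts on its web servers. The second function is the check worth running on any declaration before publishing it, as this lab does, at a public S3 URL: it walks the document for static AWS credentials, which tag-based discovery does not need when the instance has an IAM role.

```python
"""Build an AS3 declaration with the three features this lab calls out for its
template: tag-driven service discovery for the pool, an HTTP/2 profile and a
catch-all virtual address. Added example for this page, not the lab's
pc101_as3_template. Assumptions: tenant/application/pool/certificate names,
the 3.20.0 schema version, and the BIG-IP's bundled default.crt/default.key as
a lab-only TLS certificate."""
import json


def build_declaration(tenant="PC101", app="web_app", region="us-west-2",
                      tag_key="findme", tag_value="web"):
    """Return a complete AS3 POST body (class AS3 wrapping a class ADC declaration)."""
    pool_member = {
        # BIG-IP itself polls the EC2 API; no member addresses are hard-coded.
        "addressDiscovery": "aws",
        "region": region,
        "updateInterval": 60,          # seconds between EC2 lookups
        "tagKey": tag_key,
        "tagValue": tag_value,
        "addressRealm": "private",     # reach members on their VPC-private IPs
        "servicePort": 80,
        # False: use the instance's IAM role rather than embedding AWS keys.
        "credentialUpdate": False,
    }
    application = {
        "class": "Application",
        "template": "generic",
        "web_vs": {
            "class": "Service_HTTPS",
            # Catch-all listener. The Elastic IP is mapped to a secondary
            # private IP that is re-associated on failover, so the virtual
            # server must not be pinned to one specific address.
            "virtualAddresses": ["0.0.0.0/0"],
            "virtualPort": 443,
            "pool": "web_pool",
            "profileHTTP2": {"bigip": "/Common/http2"},
            "serverTLS": "web_tls",
        },
        "web_pool": {"class": "Pool", "monitors": ["http"], "members": [pool_member]},
        "web_tls": {"class": "TLS_Server", "certificates": [{"certificate": "web_cert"}]},
        "web_cert": {
            "class": "Certificate",
            # Assumption: lab shortcut reusing the device's self-signed cert.
            "certificate": {"bigip": "/Common/default.crt"},
            "privateKey": {"bigip": "/Common/default.key"},
        },
    }
    return {
        "class": "AS3",
        "action": "deploy",
        "persist": True,
        "declaration": {
            "class": "ADC",
            "schemaVersion": "3.20.0",
            "id": "pc101-example",
            tenant: {"class": "Tenant", app: application},
        },
    }


CREDENTIAL_KEYS = {"accessKeyId", "secretAccessKey"}


def find_embedded_secrets(node, path=""):
    """Return JSON-pointer style paths of any static AWS credentials in a declaration.
    Declarations end up in git and in S3, so discovery should run on the
    instance role, never on keys pasted into the document."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if key in CREDENTIAL_KEYS:
                hits.append(here)
            hits.extend(find_embedded_secrets(value, here))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_embedded_secrets(item, f"{path}/{index}"))
    return hits


def catch_all_services(declaration):
    """Return names of services listening on 0.0.0.0/0. Expected in this lab, but
    worth knowing about: such a listener answers on every address the unit owns."""
    names = []
    for tenant in declaration["declaration"].values():
        if not isinstance(tenant, dict) or tenant.get("class") != "Tenant":
            continue
        for app in tenant.values():
            if not isinstance(app, dict) or app.get("class") != "Application":
                continue
            for name, obj in app.items():
                if isinstance(obj, dict) and "0.0.0.0/0" in obj.get("virtualAddresses", []):
                    names.append(name)
    return names


if __name__ == "__main__":
    decl = build_declaration()
    print(json.dumps(decl, indent=2))
    print("catch-all services:", catch_all_services(decl))
    print("embedded credentials:", find_embedded_secrets(decl) or "none")
```

Run it to print the declaration; the two checks at the end are the ones to wire into whatever pipeline publishes declarations to the URL the CloudFormation template consumes.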

Open another new tab in the web browser. Click on the “f5-aws-cloudformation” URL bookmark in the bookmark toolbar. Supported F5 CloudFormation templates are hosted in the official F5Networks GitHub organization: https://github.com/F5Networks/.

Scroll down and click on “Next”

_images/4_f5_aws_cloudformation_confirm_region2.png

Fill in the CloudFormation template parameters. Leave defaults where not explicitly called out below.

Parameter                                              Value
------------------------------------------------------ -----------------------------------------------------------
NETWORKING CONFIGURATION
VPC                                                    (10.0.0.0/16)(terraform_student@f5lab.dev)
Management Subnet AZ1                                  (10.0.101.0/24)(management)
Management Subnet AZ2                                  (10.0.102.0/24)(management)
Subnet1 in AZ1                                         (10.0.1.0/24)(public)
Subnet1 in AZ2                                         (10.0.2.0/24)(public)
INSTANCE CONFIGURATION
BIG-IP Image Name                                      AdvancedWaf25Mbps
SSH Key                                                MyKeyPair-student@f5lab.dev
Source Address(es) for Management Access               0.0.0.0/0
Source Address(es) for Web Application Access (80/443) 0.0.0.0/0
NTP Server                                             0.pool.ntp.org
Timezone (Olson)                                       UTC
BIG-IP Modules                                         ltm:nominal,avr:nominal
VIRTUAL SERVICE CONFIGURATION
AS3 Declaration URL                                    https://f5-public-cloud.s3.amazonaws.com/pc101_as3_template

Attention

0.0.0.0/0 for “Source Address(es) for Management Access” opens SSH and the Configuration Utility of both BIG-IPs to the entire Internet. That is tolerable only in this short-lived lab, where the instances are destroyed at the end. In any real deployment restrict this parameter to the CIDR of your jump host or VPN egress (your own public address as a /32 at minimum); the web application ports are the only ones meant to be public.
_images/5_f5_aws_cloudformation_stack_details1.png _images/5_f5_aws_cloudformation_stack_details2.png

Scroll to the bottom of the CloudFormation template and click [Next].

_images/5_f5_aws_cloudformation_stack_details3.png

Click on “Estimate cost”.

_images/7_f5_aws_cloudformation_estimate_cost1.png

You can estimate the cost of running this CloudFormation stack with the AWS Simple Monthly Calculator. Review and close this screen.

_images/8_f5_aws_cloudformation_estimate_cost2.png

Scroll to the bottom of the CloudFormation template. Acknowledge that AWS CloudFormation might create IAM resources and [Create stack].

_images/9_f5_aws_cloudformation_create_stack.png

Watch as your resources are built in AWS by refreshing the CloudFormation Events screen.

_images/9_f5_aws_cloudformation_events.png

Explore the AWS Virtual Private Cloud

The F5 environment will be ready to protect our web applications shortly. In the meantime, let’s explore the AWS Virtual Private Cloud we’ve created to familiarize ourselves with some basic AWS networking concepts.

Explore AWS Environment

Services => VPC => Your VPCs. A VPC (Virtual Private Cloud) was created by Terraform. All of our supporting infrastructure will run inside this VPC.

_images/1_aws_console_explore_vpc.png

Services => VPC => Internet Gateways. An Internet Gateway was created to allow instances in our VPC to connect to the Internet.

_images/3_aws_console_explore_internet_gateway.png

Services => VPC => Subnets. Terraform created management and traffic subnets (both public and private) across two Availability Zones: us-west-2a and us-west-2b.

_images/4_aws_console_explore_subnets.png

Services => VPC => Elastic IPs. Elastic IPs are public IP addresses assigned to the management and traffic interfaces of the F5 Virtual Editions deployed.

_images/5_aws_console_explore_elastic_ips.png

Services => VPC => Security Groups. Security Groups are stateful port filters attached to network interfaces (and so to the instances that own them); return traffic for an allowed connection is permitted automatically.

_images/6_aws_console_explore_security_groups_external.png _images/6_aws_console_explore_security_groups_mgmt.png
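The management access parameter a few screens back was set to 0.0.0.0/0, which is exactly what a security group review is for. The following is an added Python example for this page (not part of the lab repository) that audits the JSON returned by aws ec2 describe-security-groups for management ports open to the world and prints the AWS CLI commands that narrow such a rule to a single source CIDR. SAMPLE is constructed data: the group IDs, group names and the 203.0.113.7 jump-host address are made up.

```python
"""Audit EC2 security groups for management ports reachable from the whole
Internet, the situation the lab's "Source Address(es) for Management Access
= 0.0.0.0/0" parameter produces. Added example for this page, not part of the
lab repository. Input is the JSON shape returned by
`aws ec2 describe-security-groups`; SAMPLE is constructed (group IDs, names
and the 203.0.113.7 jump-host address are made up)."""
from ipaddress import ip_network

MANAGEMENT_PORTS = frozenset({22, 443, 8443})  # SSH, Configuration Utility, alternate GUI port
ANY_V4 = ip_network("0.0.0.0/0")
ANY_V6 = ip_network("::/0")


def _rule_covers(perm, port):
    """True if an IpPermissions entry applies to the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                  # "all traffic" rule
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _world_open(perm):
    """True if the rule's source includes the entire Internet (IPv4 or IPv6)."""
    v4 = any(ip_network(r["CidrIp"]) == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(ip_network(r["CidrIpv6"]) == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def audit_security_groups(response, ports=MANAGEMENT_PORTS, allow=frozenset()):
    """Return (group_id, group_name, port) for each port in `ports` open to the
    world, skipping (group_name, port) pairs listed in `allow` because they are
    meant to be public (the data-plane group's 80/443 in this lab)."""
    findings = []
    for sg in response["SecurityGroups"]:
        for port in sorted(ports):
            if (sg["GroupName"], port) in allow:
                continue
            if any(_rule_covers(p, port) and _world_open(p) for p in sg["IpPermissions"]):
                findings.append((sg["GroupId"], sg["GroupName"], port))
    return findings


def remediation(finding, my_cidr):
    """AWS CLI commands that swap a world-open single-port rule (as in the lab's
    management group) for one limited to my_cidr."""
    group_id, _name, port = finding
    base = f"--group-id {group_id} --protocol tcp --port {port}"
    return [
        f"aws ec2 revoke-security-group-ingress {base} --cidr 0.0.0.0/0",
        f"aws ec2 authorize-security-group-ingress {base} --cidr {my_cidr}",
    ]


# Constructed sample shaped like the lab's management and external groups.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "bigip-mgmt",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "bigip-external",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "bigip-mgmt-restricted",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.7/32"}], "Ipv6Ranges": []}]},
]}

# The data-plane group is supposed to be public on 443 (and 80); do not flag it.
PUBLIC_BY_DESIGN = frozenset({("bigip-external", 443)})

if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE, allow=PUBLIC_BY_DESIGN):
        print("world-open management port:", finding)
        for cmd in remediation(finding, "203.0.113.7/32"):
            print("   ", cmd)
```

Against a live account, feed it the output of aws ec2 describe-security-groups (parsed with json.load) instead of SAMPLE; the allowlist is what separates a deliberate public listener from an exposed management plane.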

Services => CloudFormation. The CloudFormation Stack “BIGIP-Across-Az-Cluster-2nic-PAYG” will quickly show status of “CREATE_COMPLETE”

_images/7_aws_console_explore_cft_stack_create_complete.png

Services => EC2 => Instances. Two example NGINX web servers were deployed: web-az1 and web-az2. The “findme : web” tag will be used later in the lab so that our F5 Virtual Edition can auto-discover its pool members.

_images/7_aws_console_explore_ec2_web_server.png

The “Big-IP1” and “Big-IP2” F5 instances are still “Initializing” and will come online shortly.

_images/8_aws_console_explore_ec2_bigip_initializing.png

Services => CloudFormation => Stacks => “BIGIP-Across-Az-Cluster-2nic-PAYG” => Events. When you deploy via CloudFormation template, all of the steps to build the F5 in AWS environment are recorded as CloudFormation Events.

_images/9_aws_console_explore_cft_stack_events.png

The CloudFormation template created a pair of F5 Virtual Edition instances and many other supporting resources. All of the resources created by CloudFormation are recorded here.

_images/10_aws_console_explore_cft_stack_resources.png

The CloudFormation stack computes output attributes and reports them here. What is the public management URL for Big-IP1? What is the virtual server’s Elastic IP address? Questions like these are answered by querying the stack outputs, and a later section of this lab does exactly that from Terraform.

_images/11_aws_console_explore_cft_stack_outputs.png

CloudFormation parameters will report on the values fed into the CloudFormation template. Look here to confirm a value or when you suspect an error/typo and want to confirm.

_images/12_aws_console_explore_cft_stack_parameters.png

The CloudFormation template can be customized when you need to deviate from the default behavior.

_images/13_aws_console_explore_cft_stack_template.png

F5 Admin SSH and Configuration Utility (WebUI) Access

Configure admin SSH and Configuration Utility (WebUI) access to the F5 Virtual Editions. Retrieve information about our deployment using CloudFormation outputs.

Check status of F5 instances before proceeding.

From the AWS Web Console => Services => EC2 => INSTANCES => Instances. Select the Big-IP1 instance, then the “Status Check” tab below.

_images/1_aws_console_ec2_bigip_status_check.png

From the AWS Web Console => Services => EC2 => INSTANCES => Instances. Select the Big-IP2 instance, then the “Status Check” tab below.

_images/2_aws_console_ec2_bigip_status_check2.png

Attention

Ensure both the System Status Checks and the Instance Status Checks have passed (green font) before proceeding.

Create a Terraform data source that reads the CloudFormation stack outputs.

From the Visual Studio Code Terminal, enable the f5-cft-outputs.tf Terraform file by renaming it. Terraform only loads files with the .tf extension, which is why the file was parked with a .zzz suffix until now.

mv f5-cft-outputs.tf.zzz f5-cft-outputs.tf
_images/3_vscode_mv_f5_cft_outputs_zzz_to_tf.png

Run terraform init again so that any provider the new file references is installed (nothing new is expected here; the step is harmless).

terraform init

Validate the configuration.

terraform validate
_images/5_vscode_terraform_validate.png

Plan, passing the same admin password as before.

terraform plan -var 'bigip_admin_password=f5letme1n'
_images/6_vscode_terraform_plan.png

Apply.

terraform apply -var 'bigip_admin_password=f5letme1n' -auto-approve
_images/7_vscode_terraform_apply.png

terraform apply completed.

_images/8_vscode_terraform_apply_complete.png
SSH to Big-IP1 and Big-IP2

Source the create-ssh-to-bigip-alias.sh shell script to create convenient command aliases for bigip1 and bigip2. It has to be sourced: aliases are shell state and would be lost if the script ran in a subshell.

source create-ssh-to-bigip-alias.sh
_images/9_create_ssh_to_bigip_alias.png

Confirm the bigip1 and bigip2 aliases were created.

type bigip1
type bigip2
_images/10_type_bigip_alias.png

SSH to Big-IP1 to confirm its state and change the admin password.

Attention

Ensure the system status prompt is either Active or Standby before proceeding. All other status prompts indicate the system is not ready. Use the screenshots as a guide.

bigip1

This is the first connection to this host, so ssh asks “Are you sure you want to continue connecting (yes/no)?”; answer yes to accept the host key. Then, at the tmsh prompt:

yes
modify auth user admin password f5letme1n
modify /sys global-settings gui-setup disabled
save /sys config
quit

The second command disables the Setup Utility wizard that the Configuration Utility would otherwise show on first login. f5letme1n is a lab password; in a real deployment choose a strong one, and prefer modify auth user admin prompt-for-password, which asks for the password interactively instead of leaving it in the tmsh command history.
_images/11_bigip1_confirm_state.png _images/12_bigip1_modify_auth.png

Repeat on Big-IP2: SSH in, confirm the status prompt reads Active or Standby (anything else means the system is not ready; use the screenshots as a guide), then change the admin password and disable the setup wizard.

bigip2

Acknowledge the ssh remote host when prompted “Are you sure you want to continue connecting (yes/no)?”

yes
modify auth user admin password f5letme1n
modify /sys global-settings gui-setup disabled
save /sys config
quit
_images/13_bigip2_modify_auth.png
Configuration Utility (WebUI) HTTPS access to Big-IP1 and Big-IP2

We need the management address to connect to the Configuration utility (WebUI). Invoke terraform output and look for:

Bigip1Url

Bigip2Url

terraform output
_images/14_terraform_output_cft.png

From the Visual Studio Code Terminal, Ctrl + click the URL in the Bigip1Url = output line.

_images/16_bigip1_url.png

The BIG-IP management interface ships with a self-signed certificate, so the browser warns. In the lab, bypass the TLS warning: “Accept the Risk and Continue”. In production, install a certificate from your own CA on the management interface so that a warning here is once again a signal worth stopping for.

_images/17_bigip1_bypass_tls_warning.png

Login to the Big-IP1 Configuration Utility (WebUI):

Username: admin

Password: f5letme1n

_images/18_bigip1_login.png

Look in the upper-left-hand corner. Note whether this is the active or standby unit.

_images/18a_bigip1_login_active.png

From the Visual Studio Code Terminal, Ctrl + click the URL in the Bigip2Url = output line.

_images/19_bigip2_url.png

We are using self-signed certificates in the lab. Bypass the TLS warnings. “Accept the Risk and Continue”.

_images/20_bigip2_bypass_tls_warning.png

Login to the Big-IP2 Configuration Utility (WebUI):

Username: admin

Password: f5letme1n

_images/21_bigip2_login.png

Look in the upper-left-hand corner. Note whether this is the active or standby unit.

_images/21a_bigip2_login_active.png

Attention

Make sure Big-IP1 is active and Big-IP2 is standby before proceeding. To force Big-IP2 to standby, in the Big-IP2 Configuration Utility: “Device Management” => “Devices” => bigip2.f5lab.dev (Self) => [Force to Standby].

Creating High Availability Virtual Servers in AWS

The F5 Virtual Edition can discover instances in AWS dynamically using tags.
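What that discovery amounts to, as an added Python example for this page (not F5's implementation): given the JSON that aws ec2 describe-instances returns, select the running instances carrying the lab's findme=web tag and hand back their private addresses, then diff two passes to see what the BIG-IP would add to or remove from the pool. SAMPLE is constructed data; the instance IDs and addresses are made up.

```python
"""Reproduce the lookup that F5's AWS service discovery performs for a pool:
select members by EC2 tag rather than by hard-coded address. Added example for
this page, not F5's implementation. Input is the JSON shape returned by
`aws ec2 describe-instances`; SAMPLE is constructed (instance IDs and
addresses are made up) around the lab's findme=web tag."""


def discover_pool_members(response, tag_key="findme", tag_value="web", realm="private"):
    """Return the sorted addresses of running instances tagged tag_key=tag_value.

    realm "private" picks the VPC address, which is what a BIG-IP in the same
    VPC uses; "public" picks the public IP, which an instance may not have.
    Non-running instances are skipped: a stopped or terminated instance keeps
    its tags but must not stay in the pool."""
    field = "PrivateIpAddress" if realm == "private" else "PublicIpAddress"
    members = []
    for reservation in response["Reservations"]:
        for instance in reservation["Instances"]:
            if instance["State"]["Name"] != "running":
                continue
            tags = {t["Key"]: t["Value"] for t in instance.get("Tags", [])}
            if tags.get(tag_key) != tag_value:
                continue
            if instance.get(field):
                members.append(instance[field])
    return sorted(members)


def member_changes(previous, current):
    """(added, removed) between two discovery passes: the update the BIG-IP
    applies to the pool on each updateInterval."""
    return sorted(set(current) - set(previous)), sorted(set(previous) - set(current))


def _instance(instance_id, state, private_ip, public_ip=None, **tags):
    """Build one describe-instances entry (constructed test data)."""
    entry = {"InstanceId": instance_id, "State": {"Name": state},
             "PrivateIpAddress": private_ip,
             "Tags": [{"Key": k, "Value": v} for k, v in tags.items()]}
    if public_ip:
        entry["PublicIpAddress"] = public_ip
    return entry


SAMPLE = {"Reservations": [
    {"Instances": [_instance("i-0web1", "running", "10.0.1.10", "198.51.100.10",
                             Name="web-az1", findme="web")]},
    {"Instances": [_instance("i-0web2", "running", "10.0.2.10", Name="web-az2", findme="web"),
                   # Terminated but still tagged: must not be discovered.
                   _instance("i-0old", "terminated", "10.0.1.99", Name="web-old", findme="web")]},
    {"Instances": [_instance("i-0f5", "running", "10.0.101.10", "198.51.100.50",
                             Name="Big-IP1", findme="bigip")]},
]}

if __name__ == "__main__":
    now = discover_pool_members(SAMPLE)
    print("pool members:", now)
    print("changes since last pass (added, removed):", member_changes(["10.0.1.10", "10.0.1.99"], now))
```

Note the two filters that matter operationally: instance state, so a retired server drops out of the pool instead of failing health checks forever, and the tag value, since the BIG-IPs themselves carry tags in the same account and must never become their own pool members.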

Check example application is running

From the Visual Studio Code Terminal, invoke terraform output and filter for the virtual server’s Elastic IP.

terraform output | grep Bigip1VipEipAddress

Ctrl + click the address in the Bigip1VipEipAddress = line. This is the same Elastic IP we just reviewed in the AWS Console.

_images/11_f5_aws_console_virtual_server.png

We are using self-signed certificates in the lab. Bypass the TLS warnings. “Accept the Risk and Continue”. You will see the example app.

_images/12_f5_example_app.png
Survive a fail-over event across Availability Zones

From the AWS Console, Services => EC2 => NETWORK & SECURITY => Elastic IPs. Note which private IP the virtual server’s Elastic IP (public IPv4 address) is currently associated with: the secondary private IP of the active Big-IP1, in the 10.0.1.x subnet.

_images/13_f5_aws_console_elastic_ip_before_failover.png

Big-IP1 => Device Management => Devices => Self => [Force to Standby]. Click [OK] to confirm.

_images/14_f5_bigip1_force_to_standby.png

Big-IP2 is now active.

_images/15_f5_bigip2_confirm_now_active.png

From the AWS Console, Services => EC2 => NETWORK & SECURITY => Elastic IPs. The same Elastic IP is now associated with the secondary private IP of the newly active Big-IP2, in the 10.0.2.x subnet. Hit the refresh icon in the upper-right-hand side a few times until you see the change; the BIG-IP re-associates the address through the EC2 API, so it takes a moment.

_images/16_f5_bigip2_confirm_elastic_ip_moved.png

Back to the example app screen. We are using self-signed certificates in the lab. Bypass the TLS warnings. “Accept the Risk and Continue”. You will see the example app now behind the new active Big-IP2.

_images/17_f5_bigip2_confirm_example_app.png

Attention

The example application reports which Availability Zone is serving up the content (pool member), not which Availability Zone is hosting the active Big-IP.
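The check just performed by eye in the Elastic IPs screen, as an added Python example for this page (not part of the lab): given the JSON from aws ec2 describe-addresses before and after the failover, confirm that the virtual server's Elastic IP moved to a different instance in the other Availability Zone, and treat an address that never moved, or lost its association entirely, as a failed failover. BEFORE, AFTER and STUCK are constructed data (IDs and addresses are made up; the subnet-to-AZ map follows the lab's 10.0.1.0/24 and 10.0.2.0/24 traffic subnets).

```python
"""Confirm an across-AZ failover from the AWS side: after "Force to Standby"
the virtual server's Elastic IP must be associated with the secondary private
IP of the newly active unit, which sits in the other AZ's subnet. Added example
for this page, not part of the lab. Input is the JSON shape returned by
`aws ec2 describe-addresses`; BEFORE/AFTER/STUCK are constructed (IDs and
addresses are made up)."""
from ipaddress import ip_address, ip_network

# Traffic subnets from the Terraform step, used to map a private IP to its AZ.
SUBNET_AZ = {"10.0.1.0/24": "us-west-2a", "10.0.2.0/24": "us-west-2b"}


def vip_owner(response, public_ip):
    """Return {instance, private_ip, interface} for the EIP, or None if it is
    allocated but not associated with anything. Raises KeyError if unknown."""
    for addr in response["Addresses"]:
        if addr["PublicIp"] == public_ip:
            if "AssociationId" not in addr:
                return None
            return {"instance": addr["InstanceId"],
                    "private_ip": addr["PrivateIpAddress"],
                    "interface": addr["NetworkInterfaceId"]}
    raise KeyError(f"EIP {public_ip} not found in this account/region")


def az_of(private_ip, subnet_az=SUBNET_AZ):
    """Availability Zone hosting a private IP, or None if outside known subnets."""
    for cidr, az in subnet_az.items():
        if ip_address(private_ip) in ip_network(cidr):
            return az
    return None


def failover_succeeded(before, after, public_ip, subnet_az=SUBNET_AZ):
    """True only if the EIP moved to a different instance in a different AZ.
    An unassociated EIP (None) after failover means clients have no path at
    all, which is the case to alarm on, not merely a slow move."""
    old, new = vip_owner(before, public_ip), vip_owner(after, public_ip)
    if old is None or new is None:
        return False
    new_az = az_of(new["private_ip"], subnet_az)
    return (new["instance"] != old["instance"]
            and new_az is not None
            and new_az != az_of(old["private_ip"], subnet_az))


def _eip(public_ip, instance, private_ip, eni):
    """One describe-addresses entry (constructed test data)."""
    return {"PublicIp": public_ip, "AllocationId": "eipalloc-0vip", "Domain": "vpc",
            "AssociationId": f"eipassoc-{instance}", "InstanceId": instance,
            "PrivateIpAddress": private_ip, "NetworkInterfaceId": eni}


VIP = "198.51.100.20"
BEFORE = {"Addresses": [_eip(VIP, "i-0bigip1", "10.0.1.20", "eni-0bigip1ext")]}
AFTER = {"Addresses": [_eip(VIP, "i-0bigip2", "10.0.2.20", "eni-0bigip2ext")]}
# Association never moved, e.g. the instance role lacks ec2:AssociateAddress.
STUCK = {"Addresses": [_eip(VIP, "i-0bigip1", "10.0.1.20", "eni-0bigip1ext")]}

if __name__ == "__main__":
    print("before:", vip_owner(BEFORE, VIP))
    print("after: ", vip_owner(AFTER, VIP))
    print("failover succeeded:", failover_succeeded(BEFORE, AFTER, VIP))
    print("failover succeeded (stuck):", failover_succeeded(BEFORE, STUCK, VIP))
```

In a real environment, capture describe-addresses once before forcing standby and poll it afterwards; the move happens through the EC2 API, so allow a few seconds before declaring the failover stuck.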

Delete the Environment in a Few Fell Swoops

The promise of declarative automation tools is that we can both quickly stand up and tear down environments.

Cleanup

Delete the S3 bucket that the deployment created. Do this before deleting the stack: CloudFormation cannot delete a bucket that still contains objects, and the stack deletion would otherwise end in DELETE_FAILED.

AWS => Services => S3 => select the bucket => empty it, then delete it.

_images/1_delete_s3_bucket.png

Delete the CloudFormation Stack.

_images/2_delete_cloudformation_stack.png
Terraform destroy

From the Visual Studio Code Terminal, invoke terraform destroy. Terraform’s older -force flag is a deprecated alias for -auto-approve; use -auto-approve, as in the apply step.

terraform destroy -auto-approve -var 'bigip_admin_password=f5letme1n'
_images/3_terraform_destroy.png _images/4_terraform_destroy_complete.png

Confirm it’s all gone. Review AWS => Services => EC2 => Instances; every instance from this lab should show as terminated.

Fin