UPDATE (08/26/2016): Now that we have cloud-init on BIG-IP starting v12.0.0, this project has been de-emphasized in favor of CloudFormation approach. Please see https://github.com/F5Networks/f5-aws-cloudformation instead. If interested in Ansible integration, please see https://github.com/f5networks/f5-ansible
f5aws is a tool for deploying F5 BIG-IP in various possible architectures within an AWS EC2 Virtual Private Cloud.
As of now, these deployment models are:
-single-standalone (single big-ip and application server in one availability zone)
-single-cluster (cluster of big-ips and application server in one availability zone)
-standalone-per-zone (big-ips in multiple availability zones, fronted by a gtm in each AZ, application hosts in each AZ, and a host in the external subnet for traffic generation)
-cluster-per-zone (big-ip clusters in multiple availability zones, fronted by gtm in each AZ, application hosts in each AZ, and a host in the external subnet for traffic generation)
For more information, see the PDF in /docs.
This code is provided as is and should be used as a reference only. It is not provided as a production-ready tool and F5 support will not field requests for this work.
- Install Virtual Box and Vagrant
Install virtual box (tested using 4.3.26)
https://www.virtualbox.org/wiki/Downloads
Install vagrant (tested using 1.7.2)
http://docs.vagrantup.com/v2/installation/
-
Clone this code to your desktop:
git clone https://github.com/F5Networks/aws-deployments.git
-
Setup the virtualbox host with vagrant:
cd aws-deployments/vagrant
vagrant up
-
When prompted by the vagrant, choose network interface attached to the internet.
-
Once the virtual box has started, login to the machine:
vagrant ssh
-
Edit/Copy (manually with VIM/Nano or SCP) your credentials and environment variables over to your vagrant guest:
- ~/.ssh/<your_aws_ssh_key>
- ~/.aws/credentials
- ~/.f5aws
An example of copying your your AWS SSH private key over to vagrant guest:
user1@desktop:demo $scp -P 2222 /.ssh/AWS-SSH-KEY.pem [email protected]:/.ssh/AWS-SSH-KEY.pem
Warning: Permanently added '[127.0.0.1]:2222' (RSA) to the list of known hosts.
[email protected]'s password:
AWS-SSH-KEY.pem 100% 1696 1.7KB/s 00:00
IMPORTANT: Make sure the ssh key has correct permissions after creation or upload [chmod 400 your-key].
- Depending on the deployment, you will need to go to the AWS Console and accept the EULAs for each of the AMIs in use.
-
F5 BIG-IP Virtual Edition 25 Mbps - Better: https://aws.amazon.com/marketplace/pp/B00JL3Q2VI
-
Client: Ubuntu 14.04 LTS: https://aws.amazon.com/marketplace/pp/B00JV9JBDS
- To create a new environment, use the 'init' command. This will initialize the set of ansible variables necessary for deployment (known as an 'inventory'. After execution of this playbook, inspect '~/vars/f5aws/env/env_name'.
./bin/f5aws init <your env> --extra-vars '{"deployment_model": "single-standalone", "region": "us-east-1", "zone": "us-east-1b"}'
./bin/f5aws init <your env> --extra-vars '{"deployment_model": "single-cluster", "region": "us-east-1", "zone": "us-east-1b" }'
You can also try out a more complex deployment ( complete with GTMs (up to 2 - one in each AZ) and a jmeter client to generate traffic) that can leverage multiple AZs. You must choose the availability zones in which you want to deploy.
./bin/f5aws init <your env> --extra-vars '{"deployment_model": "standalone-per-zone", "region": "us-east-1", "zones": ["us-east-1b"]}'
./bin/f5aws init <your env> --extra-vars '{"deployment_model": "standalone-per-zone", "region": "us-east-1", "zones": ["us-east-1b","us-east-1c"]}'
./bin/f5aws init <your env> --extra-vars '{"deployment_model": "standalone-per-zone", "region": "us-east-1", "zones": ["us-east-1b","us-east-1c","us-east-1d"]}'
or using clusters:
./bin/f5aws init <your env> --extra-vars '{"deployment_model": "cluster-per-zone", "region": "us-east-1", "zones": ["us-east-1b","us-east-1c"]}'
You can add splunk to any deployment model by using the "deploy_analytics" flag:
./bin/f5aws init <your env> --extra-vars '{"deployment_model": "standalone-per-zone", "deploy_analytics": "true", "region": "us-east-1", "zones": ["us-east-1b"] }'
Finally, to deploy an ASM profile to protect your application (i.e. web application FW), set the deployment_type to "lb_and_waf". This deploys a generic linux, mysql, pache, FW policy for basic injections and vulnerabilities.
./bin/f5aws init <your env> --extra-vars '{"deployment_model": "standalone-per-zone", "deployment_type": "lb_and_waf", "region": "us-east-1", "zones": ["us-east-1b"] }'
- Deploy and manage the environment you instantiated in step 1. This creates all the resources associated with environment, including AWS EC2 hosts, a VPC, configuration objects on BIG-IP and GTM, and docker containers.
./bin/f5aws deploy <your env>
- When you are done, just teardown the environment:
./bin/f5aws teardown <your env>
- At any time, you can list all the deployments which are under management:
./bin/f5aws list
- List additional details about an environment via the info command, which has three subcommands:
-
display login information for hosts deployed in ec2
./bin/f5aws info login <your env>
-
print the ansible inventory (dynamic inventory groups like bigips, apphosts, gtms, etc are not printed)
./bin/f5aws info inventory <your env>
-
print the status of deployed infrastructure and output from cloudformation stacks
./bin/f5aws info resources <your env>
Please be aware of the following conditions:
-
The more complex deployment models require additional account resources (EIPs + CFTs) so you may need to increase your limits ahead of time by working with AWS support. For more information, see the PDF in /docs.
-
Due to AMI availability, currently working regions are:
-
us-east-1 , us-west-1, us-west-2, eu-west-1, ap-southeast-2, ap-northeast-1
See PDF in /docs for more details.