Automating F5 AFM Using vCO Dynamic Types and vCAC – Part 1

So recently I have been working on automating F5 BIG-IP for PaaS using vCloud Automation Center and vCloud Application Director. I must admit it has been really interesting work, as automating the industry-leading load balancer with vCAC for PaaS deployment really shows how the SDDC can come together. So I thought I would post on some of the major options that are available for F5 automation with vCAC 6.x (because there are quite a few), as well as a demo of what I have done with F5 and vCO Dynamic Types.


F5 Automation Options for vCAC Integration->

So before I go into demonstrating the awesomeness of vCO Dynamic Types and vCAC, I thought I would go through the various options when integrating with F5. There are quite a few options and I have highlighted the major ones below.

vCO Plugin:

The F5 vCO Plugin is a free, full vCO plugin available from the VMware Solutions Exchange. This plugin uses either REST or SOAP when connecting to a BIG-IP device and exposes common operations around LTM and GTM.
The advantage of this plugin is that it is ready to use and comes with some great OOTB example workflows. It also populates an inventory of vCO objects based on LTM Virtual Servers, Pools and Nodes. For many standard LTM and GTM use cases this plugin is probably the quickest and easiest way to get automating.

The disadvantage of the plugin is that it is relatively limited in terms of functionality and really is focused on common LTM and GTM operations. There are at least another 8 F5 modules that can be leveraged outside of LTM and GTM; in my case, for this post, I was required to automate the Advanced Firewall Module (AFM). As a result the plugin was not suitable for my use case, and this would probably be the case for people who wish to automate a large amount of the F5 BIG-IP platform.


PowerShell Snapin:

F5 also provides a PowerShell Snapin for BIG-IP, which is great for PowerShell fans such as myself. This can be leveraged with the vCO PowerShell plugin; however, its drawbacks are similar to those of the vCO Plugin. Not all modules (AFM for example) are exposed via PowerShell cmdlets. Mainly for this reason it was not my method of choice for vCAC/vCO.


tmsh:

For those who don’t know, the Traffic Management Shell (tmsh) is the BIG-IP CLI. To say that it is a fully featured CLI would be an understatement, as this reference document is over 2,390 pages.
This solves the problem of the previous two solutions, where you can’t automate part of the solution because the method or cmdlet simply doesn’t exist. This solution is also not very hard to implement, as you can leverage the SSH plugin within vCO to run the commands directly on the BIG-IP platform.

The disadvantage of both the tmsh and PowerShell methods is that unfortunately you have no vCO inventory to leverage. This results in users entering information as strings rather than picking from objects in a list, which in turn requires more error handling in the code and requires the requester to know exactly what they want or need to change.


SOAP API:

The SOAP API is the traditional API that has always been available for BIG-IP. The SOAP API is available via HTTPS and returns content in XML.
I’m not going to go too much into REST vs SOAP; however, it seems that although F5 is still supporting the SOAP API, the REST API is the future.

I have had issues adding an F5 BIG-IP as a SOAP host to vCO, which are described in this communities post. If anyone knows if this has been solved I would be grateful.

UPDATE: So I have been advised that F5 BIG-IP is using WSDL in an older RPC/encoded format, and it is not compliant with what vCO is after, which is RPC/literal or document/literal format.
Thanks to Simon Lynch for this information.


REST API:

As just stated above, the REST API, which is fully supported from BIG-IP version 11.5 onwards, seems to be the future of the F5 API. Although REST is not self-declarative like SOAP, it does have some advantages.

  • Easy to set up and use in vCO
  • Easy to test and debug in a web browser with a REST client plugin
  • Provided in JSON, which is easy to work with in a JavaScript-based vCO
  • Works with Christophe Decanini’s Dynamic Types plugin generator, which provides a vCO Inventory 🙂

You can also save yourself a lot of effort in setting up all the various REST operations by leveraging Simon Sparks’ vCO Workflow Script to Add REST Operations to a REST Host for F5 BIG-IP LTM – Part 1 and Part 2.



Using vCO Dynamic Types with the F5 REST API (AFM use case)->

So, time to show off using vCAC, vCO Dynamic Types and the BIG-IP REST API together. Although this is quite a simple use case, it shows the concept off quite well.

As mentioned earlier, my use case was AFM, so what specifically in AFM was I needing to automate? Simply, I was required to add Virtual Machines to specific Firewall Server Address Lists; these address lists were then already mapped to approved Firewall rules for multi-tiered applications. Now in my case the IP addresses were coming from vCloud Application Director as part of PaaS deployments; however, this example is based on vCAC Custom Actions.

So before I get started I would like to give thanks to Christophe Decanini and Marc Chisinevski. I will be going through how to set up the Dynamic Types plugin generator for F5 in Part 2.


First things first, here is the before shot. Simply, as I stated above, I have an F5 AFM Address List I want to add a VM to.

The user finds the VM in the vCAC inventory and simply selects the Custom Action “F5 – Add Virtual Machine to AFM Address List”.


The requester provides a description and reason for the request.


The requester then selects from a tree list which Address List to add the VM IP to. This is a dynamic list that is checked via the Dynamic Types plugin; if I were to add or remove an Address List before this workflow, the list would be updated appropriately. The magic of Dynamic Types 🙂


After submitting the request we can see the VM’s IP has now been added to the address list and associated Firewall rules.


This screenshot shows the underlying vCO workflow used to add the VM IP from vCAC to the BIG-IP using the REST API.
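
The REST step of such a workflow, sketched as an added example (not the author's workflow or F5's code): it validates the requested IP and list name, which matters most when they arrive as free-text strings rather than inventory objects, then merges the IP into the list's current members and builds the PATCH. It assumes the iControl REST path `/mgmt/tm/security/firewall/address-list`, `~partition~name` addressing, and that a PATCH replaces the whole `addresses` array; the list name and IPs are constructed.

```javascript
// Added example; ES5 syntax so it also suits vCO's JavaScript scripting engine.
// Assumed iControl REST resource for AFM address lists (not shown on the page).
var AFM_ADDRESS_LIST_PATH = "/mgmt/tm/security/firewall/address-list/";

// Strict dotted-quad check: four decimal octets 0-255, no leading zeros.
function isValidIPv4(ip) {
  if (typeof ip !== "string") { return false; }
  var parts = ip.split(".");
  if (parts.length !== 4) { return false; }
  for (var i = 0; i < parts.length; i++) {
    if (!/^(0|[1-9][0-9]{0,2})$/.test(parts[i]) || Number(parts[i]) > 255) {
      return false;
    }
  }
  return true;
}

// Object names end up in the URL, so allow only a conservative character set.
function isValidObjectName(name) {
  return typeof name === "string" && /^[A-Za-z0-9_.-]{1,64}$/.test(name);
}

// current: parsed JSON body of a GET on the address list.
// Returns the PATCH to send, or null when the IP is already a member.
function buildAddAddressRequest(partition, listName, current, vmIp) {
  if (!isValidObjectName(partition) || !isValidObjectName(listName)) {
    throw new Error("Invalid partition or address list name");
  }
  if (!isValidIPv4(vmIp)) {
    throw new Error("Invalid IPv4 address: " + String(vmIp));
  }
  var existing = (current && current.addresses) || [];
  var merged = [];
  for (var i = 0; i < existing.length; i++) {
    if (existing[i].name === vmIp) { return null; } // idempotent: nothing to do
    merged.push({ name: existing[i].name });
  }
  merged.push({ name: vmIp });
  return {
    method: "PATCH",
    path: AFM_ADDRESS_LIST_PATH + "~" + partition + "~" + listName,
    body: JSON.stringify({ addresses: merged })
  };
}

// Constructed sample of what a GET on the list might return.
var sampleList = { name: "web_tier_servers", addresses: [{ name: "10.20.0.11" }] };
var req = buildAddAddressRequest("Common", "web_tier_servers", sampleList, "10.20.0.12");
```

Sending only the new address would drop the existing members under the assumed replace semantics, which is why the current list is read and merged first.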


We can also see the Dynamic Types Plugin Inventory for the F5 Address Lists as used earlier in the vCAC Custom Action.

F5 Dynamic Types Examples


Continued in Part 2 with how to set up Dynamic Types with AFM in vCO based on this example… Chris Slater out.
