
Go Smarter Hands-on Lab Guide

Automating and Orchestrating Application Services
Version 1.0

Table of Contents
1. Getting Started
    1.1 Prerequisites
    1.2 Lab Topology
    1.3 F5 Automation and Orchestration Toolchain
2. Configure extra services (Optional)
3. Configure Postman
    3.1 Postman Workflows (Optional)
    3.2 Postman Collection and Environment
    3.3 Configure BIG-IP (Optional)
4. Lab #1 – Authentication and Initial Settings using REST.
5. Lab #2 – Declarative Onboarding (DO).
6. Lab #3 – Application Services 3 (AS3).
7. Lab #4 – Telemetry Streaming (TS).
8. Lab #5 – Ansible and AS3.

1. Getting Started
1.1 Prerequisites
- Exercises in these labs require a functional working knowledge of F5 security products and
familiarity with the Ravello environment.
- Basic Postman knowledge. (https://www.getpostman.com)
- Basic Ansible Knowledge (https://www.ansible.com)

1.2 Lab Topology

- 1 x Windows JumpHost with a public IP to access the lab content (Via RDP).
- 1 x BIG-IP v13.1.0.5, no configuration.
- 1 x LAMP Server, that will be our Application Server for most of the exercises.
- 1 x Ubuntu 16.04 Server, with Docker, Kafka (for Telemetry Streaming) and Ansible

Lab Components:

Component       IP Address                            Credentials
Jumphost        Public: Check your Ravello portal     RDP: external_user / f5DEMOs4u#
                Private: 10.1.10.199
                Mgmt: 10.1.1.199
LAMP Server     Private: 10.1.20.252                  SSH: root / default
                Mgmt: 10.1.1.252
Ubuntu Server   Private: 10.1.10.80                   SSH: ubuntu / ubuntu
                Mgmt: 10.1.1.80
BIG-IP          Private (external): 10.1.10.240       SSH: root / default
                Private (internal): 10.1.20.240       Web: admin / admin
                Mgmt: 10.1.0.240

1.3 F5 Automation and Orchestration Toolchain
The F5 Automation Toolchain is a product family that brings together our Automation & Orchestration
components under one umbrella.

The F5 Automation Toolchain is made up of composable components that allow customers and partners
to easily integrate F5 platforms into automation pipelines using modern automation patterns.

These components include the following:

• Application Services 3 Extension (AS3): Declarative L4-L7 BIG-IP Application Services
• Declarative Onboarding Extension (DO): Declarative L1-L3 BIG-IP Onboarding
• Telemetry Streaming Extension (TS): Automated BIG-IP Telemetry Streaming to Analytics Systems

2. Configure extra services (Optional)


If you are running this lab from Ravello, skip to step 3.

The LAMP server is already built with all the services needed for the lab and is included in case you want to
build the lab on your own machine. The Ubuntu Server is also ready to use, but follow these
instructions if you want to build a lab of your own:

- Download and Install Ansible:


sudo apt update
sudo apt install software-properties-common
sudo apt-add-repository --yes --update ppa:ansible/ansible
sudo apt install ansible

Details here: https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html

- Install Docker:

sudo apt-get install curl apt-transport-https ca-certificates software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt-get update
sudo apt-get install docker-ce
sudo systemctl status docker

- Install Docker Compose:

sudo curl -L "https://github.com/docker/compose/releases/download/1.24.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

- Kafka Docker Configuration

git clone https://github.com/wurstmeister/kafka-docker


cd kafka-docker/

Edit kafka-docker/docker-compose.yml to look like this:

version: '2'
services:
  zookeeper:
    image: wurstmeister/zookeeper
    restart: always
    ports:
      - "2181:2181"
  kafka:
    build: .
    ports:
      - "9092:9092"
    environment:
      # Address advertised to Kafka clients (the Ubuntu server's private IP)
      KAFKA_ADVERTISED_HOST_NAME: 10.1.10.80
      KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
      # Format is topic:partitions:replicas
      KAFKA_CREATE_TOPICS: "f5-telemetry:1:1"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

Run the following commands:


sudo docker-compose up -d
sudo ./start-kafka-shell.sh 10.1.10.80 10.1.10.80:2181

After the last command, we should be placed in the Container’s shell, not in the Ubuntu server
shell.

Lastly, run this command inside Kafka’s container shell and leave this window open and running
for the duration of the lab:

kafka-console-consumer.sh --bootstrap-server 10.1.10.80:9092 --topic f5-telemetry --from-beginning

3. Configure Postman
3.1 Postman Workflows (Optional)
To complete this lab a Postman extension is needed. If you are using Ravello Lab skip this part and
move to the next step.

https://github.com/0xHiteshPatel/f5-postman-workflows

To install the framework:

1. Open Postman
2. Click the 'Import' button
3. Select 'Import from Link'
4. Enter https://raw.githubusercontent.com/0xHiteshPatel/f5-postman-workflows/master/F5_Postman_Workflows.postman_collection.json
5. Click the 'Import' button
6. Navigate to your Postman Collections
7. Expand the 'F5_Postman_Workflows' collection
8. Expand the 'Install' folder
9. Click the 'Install/Upgrade f5-postman-workflows' items
10. Click the 'Send' button
11. Verify the installation was successful by:
    1. Examine the response tests and ensure the 'Install Successful' test passed
    2. Examine your Postman Global Environment and look for a _f5_workflow_functions item populated with JavaScript code

3.2 Postman Collection and Environment


Postman Environment and Collection are in a GitHub repository.

Environment: AO_Latam_environment.json
https://raw.githubusercontent.com/cavalen/as3gosmarter/master/resources/AO_Latam_environment.json

Collection: AO_Latam_collection.json
https://raw.githubusercontent.com/cavalen/as3gosmarter/master/resources/AO_Latam_collection.json

Postman: Import Environment and Collection

Click on the Import button on the top-left of the screen, and in the new screen select “Import from
Link”, paste the Environment URL and “Import”. Repeat with the Collection URL.

Make sure the “A&O Latam – Gosmarter” Environment is selected in the upper-right section of Postman
before proceeding.

3.3 Configure BIG-IP (Optional)


If you are using Ravello Lab skip this part and move to the next step.

For BIG-IP version 13.x run the following command on the CLI:

touch /var/config/rest/iapps/enable

This command enables the “iApps > Package Management LX” screen in the GUI.

4. Lab #1 – Authentication and Initial Settings using REST.

Make sure the “A&O Latam – Gosmarter” Environment is selected in the upper-right section of
Postman before proceeding.

This lab will explore the basics of setting BIG-IP parameters and configuration using REST API calls. These
are standard API calls, no AS3 declarations.

- Step 1a: This step shows Basic Auth on the BIG-IP. There is nothing to modify here; validate
the URL and the Authorization tab.
- Step 1b and Step 1c: These two steps provide token-based authentication. Check the URL and
Body tabs. The Username and Password variables are configured in the Postman Environment, and the
Token is set during the “Tests” phase.
- Step 2 to Step 8 demonstrate a couple of REST endpoints used to configure general BIG-IP
settings. Examine the REST endpoints, and the “Body” and “Tests” tabs.

Note: Any time you need to interact with the BIG-IP using REST API calls during this lab, make sure
that first you run steps 1b and 1c to obtain the authentication Token.
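
The token flow behind Steps 1b and 1c can also be scripted. This is an added example, not part of the lab's Postman collection; it assumes the standard iControl REST login endpoint (/mgmt/shared/authn/login) and the X-F5-Auth-Token header, and the host name and credentials are placeholders.

```python
import json
import urllib.request


def get_token(host, username, password, opener=urllib.request.urlopen):
    """Send the credentials once and return the session token from the reply."""
    body = json.dumps({"username": username, "password": password,
                       "loginProviderName": "tmos"}).encode()
    req = urllib.request.Request(f"https://{host}/mgmt/shared/authn/login",
                                 data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with opener(req) as resp:
        return json.load(resp)["token"]["token"]


def token_request(host, path, token, payload=None, method="GET"):
    """Build a follow-up call that carries only the token, never the password."""
    data = json.dumps(payload).encode() if payload is not None else None
    return urllib.request.Request(f"https://{host}{path}", data=data,
                                  method=method,
                                  headers={"X-F5-Auth-Token": token,
                                           "Content-Type": "application/json"})


if __name__ == "__main__":
    # Placeholder host and credentials; replace with your lab values.
    token = get_token("bigip.example.test", "admin", "changeme")
    req = token_request("bigip.example.test", "/mgmt/tm/sys/global-settings", token)
    print(req.get_method(), req.full_url)
```

The opener parameter exists so the flow can be exercised without a BIG-IP by passing a stub that returns a canned response.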

5. Lab #2 – Declarative Onboarding (DO).


Here, we will use a Declaration to configure a BIG-IP that has only Management access.

Again, validate the URL endpoint, the “Body” and “Tests” parts of each step.

- Step 1: Get a list of the current iControl LX Extensions installed on the BIG-IP. The list should be
empty.

- Step 2: Upload the DO RPM to the BIG-IP.


Select the “Body” Tab and click the “Select File” button. Browse for the DO RPM in the
Downloads folder in the Jumphost (f5-declarative-onboarding-1.4.0-1.noarch.rpm)

- Step 3: Create an installation task
This will instruct the BIG-IP to install the RPM sent in the previous step. The response should be
a 202 Accepted

Validate the Test tab and view the variable that Postman will populate to use in the next step.

- Step 4: Validate installation


Postman populated a variable with the install ID in Step 3; now we will query the status of that
Task ID.

- Step 5: Check DO is installed. The answer should be only a 200 OK


- Step 6: Send a DO Declaration to the BIG-IP. The declaration will configure the Hostname,
timezone, DNS, NTP, users, VLANs, Internal and External Self IPs, Default Route and Provisioning.
It is possible to license the Appliance using a DO Declaration, but in this lab the appliance is
already licensed.
Click Send and validate the Output.

This is an “async” task, so the answer from BIG-IP should be a “202 Accepted”, and it takes a
moment to apply the configuration. Validate once it is back online.

6. Lab #3 – Application Services 3 (AS3).


- Step 1 to Step 4: Same as in previous lab, we need to upload and install AS3 rpm into the BIG-IP.
AS3 RPM -> f5-appsvcs-3.11.0-3.noarch.rpm
We do this task via REST, providing the necessary payload variables for the installation.

- Step 5: If AS3 installation was successful, you should see something like this:

{
"version": "3.11.0",
"release": "3",
"schemaCurrent": "3.11.0",
"schemaMinimum": "3.0.0"
}
- Step 6: In this step we create a Simple HTTP Application in a Tenant “ACME_cloud_01” using an
“http” template. This will lead to the creation of a serviceMain Virtual Server along with some
defaults for the service.

In Step 6b we use a PATCH method to modify the declaration sent in step 6a and add a pool
member.
You can test the Application using a Browser pointing to http://10.1.10.111

- Step 7: In this step we send an AS3 declaration using a Generic template to create two apps
(HTTP and TCP) in a Tenant “ACME_cloud_02”
The difference in this generic Template is the Virtual Server can have any name but will not use
some defaults that are used with the Service_HTTP or Service_HTTPS templates.

- Step 8: This step creates an HTTPS application with ClientSSL and ServerSSL profiles, using
an SSL certificate embedded in the AS3 Declaration.
In the declaration, review the “webcert” line to see how to send a Certificate definition inside
the declaration itself.
This should result in a 200 OK status and a new Tenant “ACME_cloud_03”. Test the app using
the browser.

- Step 9: This step creates an HTTPS Application using an SSL certificate and a WAF policy from a
remote repository (e.g., GitHub).
Validate the BIG-IP configuration, the Virtual Server and the ASM Policies.

You can also go to https://10.1.10.115/user/login and try a SQL injection in the username
field.

Then review the security logs in the BIG-IP.

- Step 10: Here we will update the Declaration in Step 9 adding two iRules, one defined inside the
Declaration and another from a remote repository.

- Step 10 to 12 show how AS3 stores information about the different declarations
we have been using so far, how to delete individual Tenants, and how to delete all of the
Declarations.
Run through each of the steps and review the Body and the Result for each one.
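
Steps 8 to 10 put key material inside the declaration and pull the WAF policy and an iRule from remote repositories, so the declaration is worth checking before it is committed or sent. The following is an added example, not part of the lab collection or of AS3: a small linter that flags unencrypted private keys and remote references that are not fetched over HTTPS or not pinned to a commit. The tenant, object names and URLs in the sample are constructed placeholders.

```python
import re
from urllib.parse import urlparse
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")

def check_url(url):
    """Findings for one remote reference (WAF policy, iRule, certificate...)."""
    issues, parts = [], urlparse(url)
    if parts.scheme != "https":
        issues.append("remote object fetched without TLS")
    if parts.hostname == "raw.githubusercontent.com":
        # Path layout is /<owner>/<repo>/<ref>/<file>; a branch ref can change later.
        segments = parts.path.strip("/").split("/")
        if len(segments) < 3 or not COMMIT_SHA.match(segments[2]):
            issues.append("GitHub raw URL not pinned to a commit hash")
    return issues

def lint(node, path="declaration"):
    """Walk a parsed AS3 declaration and return (json_path, finding) pairs."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key == "url" and isinstance(value, str):
                findings += [(here, issue) for issue in check_url(value)]
            else:
                findings += lint(value, here)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings += lint(item, f"{path}[{index}]")
    elif isinstance(node, str):
        if "PRIVATE KEY-----" in node and "ENCRYPTED" not in node:
            findings.append((path, "plaintext private key embedded"))
    return findings

# Constructed sample: tenant, object names, hosts and URLs are placeholders.
SAMPLE = {
    "class": "ADC", "schemaVersion": "3.11.0",
    "Example_Tenant": {"class": "Tenant", "app": {
        "class": "Application", "template": "https",
        "webcert": {"class": "Certificate",
                    "privateKey": "-----BEGIN PRIVATE KEY-----\n(placeholder)"},
        "waf": {"class": "WAF_Policy", "url": "http://git.example.test/waf.xml"},
        "rule": {"class": "iRule", "iRule": {"url":
            "https://raw.githubusercontent.com/example-org/repo/master/rule.tcl"}},
    }},
}

if __name__ == "__main__":
    print("\n".join(f"{p}: {f}" for p, f in lint(SAMPLE)))
```

Run it against the “declaration” object of the request body exported from Postman; an empty result means none of the three conditions was found.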

7. Lab #4 – Telemetry Streaming (TS).


- Step 1 to Step 4: Same as in previous labs, we need to upload and install TS rpm into the BIG-IP.
TS RPM -> f5-telemetry-1.3.0-0.noarch.rpm
We do this task via REST, providing the necessary payload variables for the installation.
- Step 5: After the installation, we need to validate if the TS service is running.
This can take a minute to complete, and you should see something like this:

- Step 6:

Before running this step, do the following:

• Open an SSH window to the Ubuntu Server (10.1.1.80) (ubuntu/ubuntu):

cd kafka-docker
sudo docker-compose up -d
sudo ./start-kafka-shell.sh 10.1.10.80 10.1.10.80:2181
kafka-console-consumer.sh --bootstrap-server 10.1.10.80:9092 --topic f5-telemetry --from-beginning

** The last command runs inside the Kafka container

• Leave this window open to review after we generate some traffic to a Web application.

This is the actual TS declaration, and it is composed of several parts:

A System Poller: The system poller collects and normalizes statistics from a system, such as
BIG-IP, on a configurable interval.

A Listener: The listener is configured on our BIG-IP on the port specified. It is not a Virtual Server.

A Consumer: This is the third party consuming our telemetry. In our case we will be using Kafka.
There are several consumers, such as S3, Splunk, CloudWatch, Azure Log Analytics, ElasticSearch and
others.

- Step 7: Here we will deploy a Web Application with a “Traffic Log” profile, using an HSL pool
whose destination is the BIG-IP listener created in the previous step.
Browse to http://10.1.10.120, generate some traffic and look at the logs in the SSH Kafka
console.

8. Lab #5 – Ansible and AS3.


The last lab is a short introduction to Ansible Playbooks using AS3.

We will work with 4 different playbooks:

- The first one is called “playbook1.yaml”. This is a simple playbook that creates an HTTP application
using an imperative model. First you define a pool, then you add members to the pool and
finally you create a Virtual Server. In this scenario you are automating a configuration, but you
need to know how to do each step, and in which specific order.
- There is also an “undo-playbook1.yaml” that will destroy everything created with the previous
playbook.
- With the third Ansible playbook (playbook-as3.yaml) we include an AS3 declaration. Here you
will see how simple a Playbook can be when it uses a Declarative interface such as AS3 to populate a
service on a BIG-IP.
- The final playbook (undo-playbook-as3.yaml) destroys the configuration created with AS3.
Run the labs in strict order. The steps for these labs are:

First, SSH into the Ubuntu Server (10.1.1.80) and run:

cd as3gosmarter/resources/ansible
ansible-playbook -i inventory/hosts playbook1.yaml

This command creates a simple HTTP application using an Imperative model.

Take a look at the playbook and validate the BIG-IP configuration.

Then destroy the previous configuration using an “undo” playbook:


ansible-playbook -i inventory/hosts undo-playbook1.yaml

Same as before, validate the BIG-IP configuration.

Finally, run the AS3 playbook to deploy an application in a declarative way:


ansible-playbook -i inventory/hosts playbook-as3.yaml

These commands will create a service on the BIG-IP, using a very simple and short playbook.

Take a look at the AS3 declaration used and the playbook. The file referenced from the playbook is
“ansible-as3.json”.

There is also an “undo” playbook, to remove the Tenant "ACME_cloud_ANSIBLE" created in the previous
step.

ansible-playbook -i inventory/hosts undo-playbook-as3.yaml

The end.
