
Network automation of BIG-IP F5 using Ansible Tower


Ansible adoption at Lockheed Martin
Raj Ganeshan
Infrastructure architect – Lockheed-Martin Enterprise IT
My automation story

1. How did you get started with Ansible?


I am an Infrastructure Architect at Lockheed Martin. I got started with Ansible
to provision Infrastructure (Compute, Storage, Network, SSL/TLS Certificates,
Containers etc.)

2. How long have you been using it?


3 years

3. What's your favorite thing to do when you Ansible?


BIG-IP F5 automation, Infrastructure-as-Code
Agenda

• Why automate network infrastructure?
• Infrastructure-as-Code (IaC) defined
• Ansible adoption at Lockheed Martin
• BIG-IP F5 - Ansible modules, AS3, DO, Jinja2 templates
• Ansible Tower concepts and workflows
• Simple GitLab lifecycle
• Deep dive - IaC with GitLab, Ansible Tower and BIG-IP F5
• The Ansible approach to network automation
• Ansible with 2FA/MFA
Why automate?

There are really 3 main reasons

• Speed – Spin up an entire infrastructure architecture by running a script/playbook
• Consistency – Standardize setup of infrastructure to reduce errors and deviations
• Efficiency – All code and version control processes can be applied to infrastructure

Enablers

• Virtualization and Cloud computing


• Software-defined-everything (Compute, storage, networking, security etc.) a.k.a.
Infrastructure-as-Code
IaC defined

Managing and provisioning computer data centers through machine-readable definition files

[Diagram: a commit to the repository triggers the build system, which calls the automation tools through a deployment API to provision the managed infrastructure (compute, storage, network, security)]
Before there was an IaC process …

Difficult to have a repeatable process with varying interfaces

iControlREST example to create an application pool –

curl -k -u <user:password> -H "Content-Type: application/json" -X POST -d '{"name":"some-pool","members":[ {"name":"10.10.0.64:80","description":"first member"} ] }' https://10.10.0.1/mgmt/tm/ltm/pool

CISCO API example –

curl -v -X POST https://10.10.0.64/api/v1/auth/token-services -H "Accept:application/json" -u "user:password" -d "" --insecure -3

Use token to do something –


curl -v -H "Accept:application/json" -H "X-Auth-Token: <token>" -H "content-type: application/json" -X POST https://10.10.0.64/api/v1/nat-svc/pool -d '{"nat-pool-id": "test4-nat-pool", "start-ip-address": "10.10.0.1", "end-ip-address": "10.10.0.63", "prefix-length": 32}' --insecure -3

Documentation - https://clouddocs.f5.com/api/
Ansible adoption at Lockheed Martin

• Ansible is the foundation of our IaC approach

• Ansible is being used for provisioning and configuring infrastructure (compute, storage, network, security) for on-prem environments, public cloud, and hybrid cloud environments

• Ansible Tower is being used for managing orgs, users, templates, workflows etc. and is an important part of the automation tool-chain

• We are using Red Hat provided training and complementing it with internal training

• Ansible Engine and Ansible Tower software are licensed through Red Hat


BIG-IP F5
Application traffic routing and management
• Load balancing
• HTTP/HTTPS
• Health monitors

Secures applications using SSL/TLS


• SSL termination and pass-thru
• Different ciphers and algorithms

Monitoring, analytics and metrics

Automation
• API
• Application Services 3 Extension (AS3)
• Declarative onboarding (DO)

Integration
• Ansible templates and modules
Ansible modules for BIG-IP F5

• Automating initial configuration on the BIG-IP

• Automation to network the BIG-IP (VLANS, Self-Ips)

• Automated deployment of HTTP and HTTPS applications

• Managing Virtual-Servers, Pools, Monitors and other configuration objects

• Documentation –
https://clouddocs.f5.com/products/orchestration/ansible/devel/#
https://docs.ansible.com/ansible/latest/modules/list_of_network_modules.html#f5

• Open source –
https://github.com/F5Networks/f5-ansible
BIG-IP Application Services 3 (AS3) Extension

• Declarative model for managing BIG-IP configuration


• Defined by a JSON schema
• Layer 4-7 application and security services
• Atomic and idempotent
• BIG-IP version 12.1.x or higher

• POST to https://<BIG-IP>:<port>/mgmt/shared/appsvcs/declare

• Documentation –
https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/
BIG-IP Declarative Onboarding (DO)

• A declarative model to initially configure a BIG-IP device

• BIG-IP version 13.1.0 or higher

• Layer 1-3 configuration

• POST and GET to https://<BIG-IP>:<port>/mgmt/shared/declarative-onboarding

• Documentation
https://clouddocs.f5.com/products/extensions/f5-declarative-onboarding/latest/
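The POST-then-GET pattern of this slide as an added example (not from the presentation or its repositories): a playbook that sends a Layer 1-3 DO declaration and polls the same endpoint until DO reports a final status. The inventory variables bigip_host, bigip_user and bigip_pass, and the VLAN, interface and self-IP values, are assumptions for the example.

```yaml
# Added example (not the presentation's code): onboard a BIG-IP with DO and
# poll for completion. Assumed inventory vars: bigip_host, bigip_user,
# bigip_pass. VLAN tag, interface and self-IP values are constructed samples.
- name: Onboard a BIG-IP with Declarative Onboarding
  hosts: bigip
  connection: local        # Ansible runs locally and talks to the REST API
  gather_facts: no
  vars:
    do_declaration:
      schemaVersion: 1.0.0
      class: Device
      async: true          # BIG-IP answers 202 at once; status is polled below
      Common:
        class: Tenant
        external:
          class: VLAN
          tag: 4093
          interfaces:
            - name: "1.1"
              tagged: false
        external-self:
          class: SelfIp
          address: 10.10.1.10/24
          vlan: external
          allowService: none   # nothing listens on the self IP itself
  tasks:
    - name: POST the DO declaration
      uri:
        url: "https://{{ bigip_host }}/mgmt/shared/declarative-onboarding"
        method: POST
        user: "{{ bigip_user }}"
        password: "{{ bigip_pass }}"
        force_basic_auth: yes
        validate_certs: yes
        body_format: json
        body: "{{ do_declaration }}"
        status_code: [200, 202]

    - name: GET the status until DO finishes (a service restart may drop a poll)
      uri:
        url: "https://{{ bigip_host }}/mgmt/shared/declarative-onboarding"
        method: GET
        user: "{{ bigip_user }}"
        password: "{{ bigip_pass }}"
        force_basic_auth: yes
        validate_certs: yes
        status_code: [200, 202]
      register: do_status
      until: do_status.json.result.status | default('RUNNING') in ['OK', 'ERROR']
      retries: 30
      delay: 10
```

The `default('RUNNING')` keeps the loop going when a poll fails while the device restarts its REST services; the task only fails once the retries are exhausted.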
Ansible approach – Imperative vs. Declarative

• Declarative (Functional) – What
You define the desired state and the system executes what needs to happen

• Imperative (Procedural) – How
You define specific commands to be executed in the appropriate order to reach the desired state

• Intelligent (Environment aware) – Why
The system determines the desired state before it executes what needs to happen to achieve that desired state

• Ansible uses a push-type, declarative and imperative approach.
Jinja2 templates for network configuration

- Jinja2 templates are used for templating a file to a remote device
- Write the contents of a file to a remote location
Jinja2 templates for network configuration

[Diagram: Ansible renders local YAML vars and global YAML vars through Jinja2 templates into device configs]
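The AS3 declaration from the earlier slide and the YAML-vars-through-Jinja2 flow of this one, as an added example (not from the presentation or its repositories): the declaration is kept as a vars structure with Jinja2 expressions, so local vars pick the VIP and pool members, and it is POSTed to /mgmt/shared/appsvcs/declare. The inventory variables bigip_host, bigip_user and bigip_pass, the VIP and the second pool member are assumptions; 10.10.0.64:80 is the member from the iControl REST slide.

```yaml
# Added example (not the presentation's code): AS3 declaration built from
# YAML vars with Jinja2 expressions. Assumed inventory vars: bigip_host,
# bigip_user, bigip_pass. The VIP and 10.10.0.65 are constructed values.
- name: Deploy an HTTP application to BIG-IP with AS3
  hosts: bigip
  connection: local          # Ansible runs locally and calls the REST API
  gather_facts: no
  vars:
    vip: 10.10.0.100
    pool_members: [10.10.0.64, 10.10.0.65]
    as3_declaration:
      class: AS3
      action: deploy
      persist: true
      declaration:
        class: ADC
        schemaVersion: 3.0.0
        id: web-app-v1
        Sample_Tenant:
          class: Tenant
          web_app:
            class: Application
            template: http
            serviceMain:
              class: Service_HTTP
              virtualAddresses: ["{{ vip }}"]
              pool: web_pool
            web_pool:
              class: Pool
              monitors: [http]
              members:
                - servicePort: 80
                  serverAddresses: "{{ pool_members }}"
  tasks:
    - name: POST the declaration (AS3 is idempotent, so re-running is safe)
      uri:
        url: "https://{{ bigip_host }}/mgmt/shared/appsvcs/declare"
        method: POST
        user: "{{ bigip_user }}"
        password: "{{ bigip_pass }}"
        force_basic_auth: yes
        validate_certs: yes    # unlike the curl -k examples, verify the cert
        body_format: json
        body: "{{ as3_declaration }}"
        status_code: [200, 202]
      register: as3_result
      # AS3 answers "no change" for a matching declaration; report changed only then
      changed_when: "'success' in as3_result.json.results | map(attribute='message') | list"
```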
Ansible Tower

• Ansible Tower is the easy-to-use UI, dashboard, and REST API for Ansible
• Role-based access control – Teams, users in various roles, integration with
LDAP/AD
• Job and workflow templates for automation, workflows and much more !
• Job scheduling - schedule your jobs and set repetition options
• Fully documented REST API

• User guide –
https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html
Ansible Tower – Workflow Templates

• A combination of job templates, project syncs, and inventory syncs linked together to execute them as a single unit.
• Extra vars and prompt-on-launch –
Overrides other vars specified elsewhere
Provide an inventory or extra variables when the workflow template is launched

• Assign Permissions
• Create Notifications
• Create Schedules
• Create Surveys (Dialogs)
• Use Workflow Visualizer to build a workflow
• Launch the template
Ansible Tower – End to end flow

[Diagram: a developer/engineer commits to the repository; the commit triggers change-control approval; the approval makes an API call to Ansible Tower, which pulls the repository (SCM update) and runs the template automation through the BIG-IP modules; end users request changes through a self-service portal, and validation/integration checks the returned status_code]

- Declarative onboarding used to initially configure a BIG-IP device (Layer 1-3)
- AS3 used for applications and security (Layer 4-7)
Simple GitLab lifecycle

• Clone the repo to get a working copy


• Modify working copy by editing/adding files
• Fetch changes made by other developers
• To see commits added to the upstream master –
git log --oneline master..origin/master

• Merge the commits into your local master


git checkout master
git merge origin/master

• Commit your changes


• Push to master
Deep dive notional architecture

• Multi-AZ deployment for HA and DR with network load-balancer

• Public and private subnets for network isolation and security

• Security groups for ingress/egress rules

• BIG-IP and computes in private subnet
Deep dive environment

• EC2 instances with NICs and elastic IPs

• Security group with ingress/egress rules

• A role for the BIG-IP EC2 instance

https://github.com/ansible/workshops/tree/master/exercises/ansible_f5/3.0-as3-intro
https://github.com/f5devcentral/f5-big-iq-lab
https://github.com/rajganeshan/ansiblefest2019
AWS Marketplace

https://aws.amazon.com/marketplace/
Ansible network modules

• Automate repetitive tasks

• Configure, test and validate network state

• Separate data model from the execution layer (Ansible engine)

• Simple, agentless automation

• Can communicate over SSH or HTTPS

• Documentation –
https://docs.ansible.com/ansible/latest/modules/list_of_network_modules.html
Ansible modules – Local vs. Remote execution

Local vs. remote execution


Ansible network modules – Local execution

• Network devices do not typically have Python installed on them
• So, Ansible cannot execute tasks directly on the host
• As a workaround, Ansible uses itself as a proxy for the tasks to be executed against the device
• Tasks are eventually executed on the remote network device by calling the REST API

[Diagram: the inventory (a list of hosts) and the playbook (a file describing the actions to take) feed the Ansible engine, which executes the playbook for each host in the inventory by calling the device API]
Git concepts

• Git repo – A virtual storage to save versions of your code


• Tags - A meaningful name for a version. Tags are immutable and meant for product releases
• Branches – A line of development created to work on a new feature. When completed it is
merged back with the master branch
• HEAD – A pointer that always points to the latest commit in the branch. HEAD is updated with
the latest commit
Gitflow lifecycle

• A strict branching model designed around project releases


- Dev and Master branches
- Master stores official release history (with tags) and Dev used for
integrating features

• Feature branches
- Use Dev as their parent branch
- When complete gets merged back into Dev

• Release branches
- Forked off Dev and meant for a release candidate
- No feature branches till it is merged into Master and back into Dev
MFA/2FA for BIG-IP F5

Remote user account management –

• BIG-IP system requires one or more administrative user accounts

• Store BIG-IP user accounts on a remote authentication server (not locally)


- LDAP
- Active Directory
- RADIUS
- TACACS+

• Remote server performs all authentication of user accounts

• Configure BIG-IP system to use the remote server to authenticate system accounts

• Documentation –
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-user-account-administration-12-0-0/6.html
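The remote-account approach of this slide as an added example (not from the presentation or its repositories): a playbook that points BIG-IP system authentication at two TACACS+ servers and maps one remote group to a read-only role, so day-to-day logins never need a local account. The inventory variables bigip_host, bigip_user, bigip_pass and tacacs_secret, the server addresses and the group name are assumptions; the modules used are the F5 bigip_device_auth and bigip_remote_role modules.

```yaml
# Added example (not the presentation's code): remote authentication for
# BIG-IP admin logins. Assumed inventory vars: bigip_host, bigip_user,
# bigip_pass, tacacs_secret. Server addresses and group name are constructed.
- name: Remote authentication for BIG-IP administrative accounts
  hosts: bigip
  connection: local
  gather_facts: no
  vars:
    provider:
      server: "{{ bigip_host }}"
      user: "{{ bigip_user }}"
      password: "{{ bigip_pass }}"
      validate_certs: yes
  tasks:
    - name: Authenticate system accounts against TACACS+ (two servers for HA)
      bigip_device_auth:
        type: tacacs
        servers:
          - 10.10.0.21
          - 10.10.0.22
        secret: "{{ tacacs_secret }}"   # keep in Ansible Vault or a Tower credential
        service_name: ppp
        protocol_name: ip
        authentication: use-all-servers
        use_for_auth: yes
        state: present
        provider: "{{ provider }}"

    - name: Map the remote "netops-ro" group to the auditor role (least privilege)
      bigip_remote_role:
        name: netops-ro
        line_order: 1000
        attribute_string: "F5-LTM-User-Info-1=netops-ro"
        remote_access: yes
        assigned_role: auditor
        partition_access: all
        state: present
        provider: "{{ provider }}"
```

The built-in local admin account stays available as a break-glass login if every TACACS+ server is unreachable; keep its password in the same vault as tacacs_secret rather than in the playbook.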
