BIG-IQ Cloud API: Implementations. Version 4.0

Transcription

1 BIG-IQ Cloud API: Implementations Version 4.0

2

3 Table of Contents Table of Contents Legal Notices...5 Acknowledgments...7 Chapter 1: BIG-IQ Cloud Overview...9 Overview: BIG-IQ system...10 BIG-IQ Cloud definitions...10 Chapter 2: Confirm Your API Configuration...13 About installing cloud components on the BIG-IP system...14 Installing cloud components on the BIG-IP system...14 Testing the API installation...14 About using Python scripts to make API calls...15 Making test API calls...15 Chapter 3: Create Tenant...17 About creating a cloud tenant...18 Creating a tenant...18 Chapter 4: Create Custom Application Catalog...21 About providing tenants access to resources and services...22 Creating a custom application catalog...22 Chapter 5: VMware vshield Cloud Integration...25 About VMware vshield Manager integration...26 Integrating vshield Manager with your cloud applications...26 How vshield Manager processes tenant-editable values...26 Chapter 6: vcloud Director Integration...29 About vcloud Director integration...30 Before you begin vcloud Director integration...30 Task summary...30 Determining an organization's globally unique identifier...30 Creating BIG-IQ Cloud integration objects...31 Integrating vcloud Director with your cloud applications...31 Chapter 7: Amazon EC2 Cloud Integration

4 Table of Contents About Amazon EC2 integration...34 Integrating with EC2 cloud applications...34 Chapter 8: Deploy Application Services...35 About cloud tenant self-service application deployment...36 Deploying application catalogs...36 Chapter 9: Revise Application Deployment...37 About expanding cloud resources...38 Creating a cloud resource...38 Creating a cloud resource that can flex to match demand...39 Chapter 10: License Status...41 About license management...42 Managing BIG-IQ licenses...42 Chapter 11: Monitor Application Health...43 About application monitoring...44 Monitoring application health

5 Legal Notices Publication Date This document was published on April 24, Publication Number PUB Copyright Copyright , F5 Networks, Inc. All rights reserved. F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice. Trademarks Access Policy Manager, Advanced Client Authentication, Advanced Routing, APM, Application Security Manager, ARX, AskF5, ASM, BIG-IP, BIG-IQ, Cloud Extender, CloudFucious, Cloud Manager, Clustered Multiprocessing, CMP, COHESION, Data Manager, DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client, Edge Gateway, Edge Portal, ELEVATE, EM, Enterprise Manager, ENGAGE, F5, F5 [DESIGN], F5 Management Pack, F5 Networks, F5 World, Fast Application Proxy, Fast Cache, FirePass, Global Traffic Manager, GTM, GUARDIAN, IBR, Intelligent Browser Referencing, Intelligent Compression, IPv6 Gateway, iapps, icontrol, ihealth, iquery, irules, irules OnDemand, isession, L7 Rate Shaping, LC, Link Controller, Local Traffic Manager, LTM, Message Security Manager, MSM, OneConnect, OpenBloX, OpenBloX [DESIGN], Packet Velocity, Policy Enforcement Manager, PEM, Protocol Security Manager, PSM, Real Traffic Policy Builder, Rosetta Diameter Gateway, Scale N, Signaling Delivery Controller, SDC, SSL Acceleration, StrongBox, SuperVIP, SYN Check, TCP Express, TDR, TMOS, Traffic Management Operating System, Traffix Diameter Load Balancer, Traffix Systems, Traffix Systems (DESIGN), Transparent Data Reduction, UNITY, VAULT, VIPRION, vcmp, virtual Clustered Multiprocessing, WA, WAN Optimization Manager, WebAccelerator, WOM, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent. All other product and company names herein may be trademarks of their respective owners. Export Regulation Notice This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States. RF Interference Warning This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

6 Legal Notices FCC Compliance This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference. Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules. Canadian Regulatory Compliance This Class A digital apparatus complies with Canadian ICES-003. Standards Compliance This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture. 6

7 Acknowledgments This product includes software developed by Bill Paul. This product includes software developed by Jonathan Stone. This product includes software developed by Manuel Bouyer. This product includes software developed by Paul Richards. This product includes software developed by the NetBSD Foundation, Inc. and its contributors. This product includes software developed by the Politecnico di Torino, and its contributors. This product includes software developed by the Swedish Institute of Computer Science and its contributors. This product includes software developed by the University of California, Berkeley and its contributors. This product includes software developed by the Computer Systems Engineering Group at the Lawrence Berkeley Laboratory. This product includes software developed by Christopher G. Demetriou for the NetBSD Project. This product includes software developed by Adam Glass. This product includes software developed by Christian E. Hopps. This product includes software developed by Dean Huxley. This product includes software developed by John Kohl. This product includes software developed by Paul Kranenburg. This product includes software developed by Terrence R. Lambert. This product includes software developed by Philip A. Nelson. This product includes software developed by Herb Peyerl. This product includes software developed by Jochen Pohl for the NetBSD Project. This product includes software developed by Chris Provenzano. This product includes software developed by Theo de Raadt. This product includes software developed by David Muir Sharnoff. This product includes software developed by SigmaSoft, Th. Lockert. This product includes software developed for the NetBSD Project by Jason R. Thorpe. This product includes software developed by Jason R. Thorpe for And Communications, This product includes software developed for the NetBSD Project by Frank Van der Linden. This product includes software developed for the NetBSD Project by John M. Vinopal. This product includes software developed by Christos Zoulas. This product includes software developed by the University of Vermont and State Agricultural College and Garrett A. Wollman. This product includes software developed by Balazs Scheidler which is protected under the GNU Public License.

8 Acknowledgments This product includes software developed by Niels Mueller which is protected under the GNU Public License. In the following statement, This software refers to the Mitsumi CD-ROM driver: This software was developed by Holger Veit and Brian Moore for use with 386BSD and similar operating systems. Similar operating systems includes mainly non-profit oriented systems for research and education, including but not restricted to NetBSD, FreeBSD, Mach (by CMU). This product includes software developed by the Apache Group for use in the Apache HTTP server project ( This product includes software licensed from Richard H. Porter under the GNU Library General Public License ( 1998, Red Hat Software), This product includes the standard version of Perl software licensed under the Perl Artistic License ( 1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current standard version of Perl at This product includes software developed by Jared Minch. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product contains software based on oprofile, which is protected under the GNU Public License. This product includes RRDtool software developed by Tobi Oetiker ( and licensed under the GNU General Public License. This product contains software licensed from Dr. Brian Gladman under the GNU General Public License. This product includes software developed by the Apache Software Foundation ( This product includes Hypersonic SQL. This product contains software developed by the Regents of the University of California, Sun Microsystems, Inc., Scriptics Corporation, and others. This product includes software developed by the Internet Software Consortium. This product includes software developed by Nominum, Inc. ( This product contains software developed by Broadcom Corporation, which is protected under the GNU Public License. This product contains software developed by MaxMind LLC, and is protected under the GNU Lesser General Public License, as published by the Free Software Foundation. 8

9 Chapter 1 BIG-IQ Cloud Overview Topics: Overview: BIG-IQ system BIG-IQ Cloud definitions

10 BIG-IQ Cloud Overview Overview: BIG-IQ system The BIG-IQ system is a centralized tool that streamlines the management of devices in your network. The functionality offered is dependent on your software license. Administrators use BIG-IQ Cloud to provide cloud tenants self-service access to shared computing resources such as networks, servers, storage, applications, and services. Cloud resources can be private or public, depending on the customer's requirements. Each tenant has restricted and dedicated access to cloud resources based on a specific user account or tenant role, ensuring that tenants have access only to their own resources. Cloud resources are easily expanded and reallocated as needed, providing flexible resource balancing. Firewall managers use BIG-IQ Security to manage security firewalls for multiple devices from one central location. Firewall management includes discovering, editing, and deploying firewall configurations, as well as consolidating shared firewall objects. Once a firewall device is designated for central management, it is no longer managed locally unless there is an exceptional need. BIG-IQ Cloud definitions Common terms are defined within the context of the F5 BIG-IQ Cloud service. Term application templates BIG-IQ Cloud bursting cloud service provider Definition An application template is a collection of parameters that a cloud service provider uses to create a customized configuration for a tenant. Cloud server providers add the configured application to a catalog. Tenants deploy the application template from the catalog A centralized tool that streamlines the management of BIG-IP systems in your network. It provides a management function that allows our customers (cloud service providers) to offer their customers (tenants) web based application services. These services are made available through the Internet, and access cloud-based servers that host the applications. Cloud bursting is a seamless way for cloud providers to manage an anticipated increase in application traffic by directing some traffic to a another cloud resource. When demand falls back into normal parameters, traffic can be directed back to the original cloud resource. This elasticity allows efficient management of resources during periods of increased or decreased traffic to applications. BIG-IP Cloud administrators own access to their cloud based servers. They perform a management function to their customers (tenants), and control access to the servers that host the application services that the tenants want to use. 10

11 BIG-IQ Cloud API: Implementations Term cloud connector provider template tenant user Definition Identifies the resources necessary to deploy your applications; and when necessary, adds parameters required by third party cloud providers. Provider templates contain a list of applications. Provider templates are also referred to as application catalogs. The cloud service provider s customer; the tenant is a consumer of web based applications that are delivered and managed by the service provider. Employees of the tenant, who are given access to the web based applications provided to the tenant by the cloud service provider. 11

12 BIG-IQ Cloud Overview 12

13 Chapter 2 Confirm Your API Configuration Topics: About installing cloud components on the BIG-IP system Testing the API installation About using Python scripts to make API calls

14 Confirm Your API Configuration About installing cloud components on the BIG-IP system This release of BIG-IQ Cloud includes both an application delivery controller (ADC) component and an enterprise management component. The ADC component includes support for cloud management and is installed by running a script. Installing cloud components on the BIG-IP system You can perform this task only after you have installed both BIG-IQ Cloud and a BIG-IP system running, at minimum, version 11.3 software. This task updates the BIG-IP system with three services that BIG-IQ Cloud requires: a REST-based RPM endpoint that simplifies deployment of the updates managed by BIG-IQ product a REST framework that supports Java-based management services required by BIG-IQ system a REST framework that supports C++-based management services required by BIG-IQ system Important: When you run the script that updates the BIG-IP systems, the traffic management interface (TMM) on each BIG-IP device restarts. It is important that, before you run this script, you verify that no critical network traffic is targeted to the BIG-IP devices. 1. Log in to the BIG-IQ Cloud. ssh root@<big-iq IP Address> 2. Navigate to the folder in which the files reside. cd /usr/lib/dco/packages/upd-adc 3. Run the install script../update_bigip.sh a admin p password <BIG-IP MGMT IP Address> Note: You will be prompted multiple times for the BIG-IP root password, because the script uses SSH to connect. Testing the API installation With the software installed and the licensing task completed, you can test that the APIs respond to a basic command before proceeding. 1. Use SSH to connect to the management port IP address. 2. From the command line, type bigstart status msgbusd. 3. Verify that the Cloud Services host is running. 4. From the command line, type bigstart status restjavad. 5. Verify that the Cloud Services host is running. 6. From a different Linux system in your network, run the following command to test that the API is working: curl k u admin:admin A response to this request confirms that the APIs are properly installed and licensed. 14

15 BIG-IQ Cloud API: Implementations About using Python scripts to make API calls There is a file included in the download package named restapi.py. This Python file serves as a shim or wrapper that you can use to run API calls. Important: The file is compatible with Python version 2.7 or later. Consider updating your Python version if necessary. Making test API calls To confirm that your installation was successful, you can run a test script that is included in the download package named cloud_test.py. Running this Python script makes a test call to each of the REST APIs that is part of the BIG-IQ Cloud system. Important: The file is written to be compatible with Python version 2.7 or later. Consider updating your Python version if necessary. 1. Open a browser session and navigate to the F5 Downloads site, downloads.f5.com. 2. Log in, and navigate to the BIG-IQ area. 3. In the list, locate and download the restapi_bundle.zip file. Important: F5 recommends downloading the ZIP file to a Linux client because you need to run the included scripts from that environment. Six files extract to the location you specify: restapi.py, cloud_test.py, and four.json files. 4. From the Linux client command prompt, navigate to the location to which you extracted the REST API bundle, and type:./cloud_test.py --bigiq-address <IP address> --bigip-version <version> --bigiq-user admin --bigiq-password <password> Important: Where appropriate, substitute the BIG-IQ Cloud system's IP address, the user's password, and the BIG-IP system version (in the format X.Y). The cloud test script runs, using restapi.py as a wrapper. As each API is called, the appropriate.json files are used as sample payload. You should see a success response for each API that is called. 15

16 Confirm Your API Configuration 16

17 Chapter 3 Create Tenant Topics: About creating a cloud tenant

18 Create Tenant About creating a cloud tenant As a cloud provider, you use BIG-IQ Cloud to give cloud tenants access to restricted and dedicated cloud resources and application services. This access is based on a tenant's user role. In this way, tenants are restricted to only those resources that you assign to them. Creating a tenant Creating a tenant allows your cloud service providers to provide access to cloud resources for application services. When you create a tenant, you associate it with a specific user account or custom tenant role, which ensures that the tenant has access only to its own resources. Creation is also a handy opportunity to define the cloud resources to which that tenant will have access, and then specify access to those resources to that tenant. Tip: Refer to the BIG-IQ Cloud Service API Reference Guide for details about using APIs referenced in this task. 1. Authenticate with the F5 Cloud REST API. Every API request needs to be authenticated. You can use HTTP Basic Authentication. After your initial authentication, the F5 Cloud REST API endpoint provides a session cookie-based authentication mechanism based on an authorization cookie header. This cookie-based authentication assumes that the client has support for cookies enabled. This mechanism means you do not have to provide HTTP Authorization header with each F5 Cloud REST API request. The authorization cookie (in addition to the regular authentication) also helps prevent user session hijacking. 2. To verify that the tenant you want to add does not already exist, view the tenants using the Get all tenants API. /mgmt/cm/cloud/tenants GET Tip: To get additional information for a specific tenant, use the Get one tenant information API (/mgmt/cm/cloud/tenant/tenant-id GET). 3. Discover at least one BIG-IP system using the Add a managed device API. /mgmt/cm/cloud/managed-devices POST 4. Use one of the connector APIs to create a connector that defines the cloud resources to which you will give the new tenant access. Choose the connector type appropriate for your cloud resource: Local, (for BIG-IP clouds) EC2 for Amazon clouds) or VMware for (VMware or vcloud clouds). /mgmt/cm/cloud/connectors/local POST or /mgmt/cm/cloud/connectors/ec2 POST or /mgmt/cm/cloud/connectors/vmware POST 5. Create a new tenant using the Create tenant API. /mgmt/cm/cloud/tenants POST You will likely want to edit the specifications for the tenant. You can edit everything except the name and ID for the tenant. Now is a good opportunity to specify the connector to which this tenant has access. Tip: To delete a tenant, use the Delete tenant API (/mgmt/cm/cloud/tenant/tenant-id DELETE). 18

19 BIG-IQ Cloud API: Implementations The newly created tenant is associated with a user name and a custom role. The custom role is then granted access to only that tenant's REST APIs and templates. 19

20 Create Tenant 20

21 Chapter 4 Create Custom Application Catalog Topics: About providing tenants access to resources and services

22 Create Custom Application Catalog About providing tenants access to resources and services An iapps application template contains a collection of parameters required to provide a tenant access to customized applications, configurations, and cloud resources on devices running TMOS and later. When you add a device to the BIG-IQ system, all iapps templates that exist for that managed device are imported to the BIG-IQ system. You can then customize the template for a tenant by specifying details, such as the virtual IP address, application server IP addresses, and so forth. In this way, you can offer customized network resources and application services on several devices, saving time while ensuring the accuracy of complex traffic management configurations. Once saved to the application catalog, these customized applications are available to tenants for self-service deployment of resources without requiring them to perform complicated networking procedures. Creating a custom application catalog Before you can submit the API calls required to complete this task, you must assemble the customization parameters (for example, SSL offload, acceleration, cookie-persistence, or DNS settings) that you wish to specify. The catalog of applications that you create gives your cloud service providers the ability to choose the applications to make available to their tenants. The provider customizes the application, specifying which attributes are visible to the tenant and which attributes the tenant's users can specify. The result is referred to as an application template. The tenant template shows the applications that the provider made available to tenants, and presents only the tenant-editable attributes. Tip: Refer to the BIG-IQ Cloud Service API Reference Guide for details about using the APIs required for this task. 1. Authenticate with the F5 Cloud REST API. 2. Discover at least one BIG-IP system using the Add a managed device API. /mgmt/cm/cloud/managed-devices POST 3. Choose a base template to customize. To see the list of available templates, use the Get templates API. (/mgmt/cm/cloud/templates/iapp GET). 4. View the parameter details for the selected template using the Get provider iapp templates and Get customized provider template parameters APIs (/mgmt/cm/cloud/provider/templates/iapp GET and /mgmt/cm/cloud/provider/templates/iapp/template-id GET). a) Determine whether you want to use the default server tiers for this template, or specify one or more tiers of your own. For each tier you specify (or allow the tenant to specify), you need details such as the virtual IP address, pool name, and pool members. b) Identify the template parameters that you want the tenant to be able to customize for the template. c) Identify any pre-set values that you want to set in the template. 5. Revise the parameters that you identified; use the Create provider iapp template API (/mgmt/cm/cloud/provider/templates/iapp POST). Tip: When you save the customized template, use a meaningful name that will help to identify it. 22

23 BIG-IQ Cloud API: Implementations The catalog you created is now available for providers to deploy to tenants. 23

24 Create Custom Application Catalog 24

25 Chapter 5 VMware vshield Cloud Integration Topics: About VMware vshield Manager integration

26 VMware vshield Cloud Integration About VMware vshield Manager integration After you integrate VMware vshield Manager with BIG-IQ Cloud, you can deploy your tenant application environment using the service insertion portion of the vshield interface. A tenant application on BIG-IQ Cloud corresponds to a service profile in the vshield Manager. The tenants see a catalog of application templates that they can deploy and delete as needed to deploy their own new vapps. Using the vshield Manager interface, you can manage the virtual machines necessary for application deployments, add or remove a virtual machine, and start or stop virtual machines. You can use your cloud vendor's user interface to duplicate changes. Important: To integrate with BIG-IQ Cloud, you must use vshield Manager version or later. Integrating vshield Manager with your cloud applications Integrating vshield Manager (VSM) with your cloud applications makes it possible for you to use the VSM interface to manage your F5 cloud applications. Tip: Refer to the BIG-IQ Cloud Service API Reference Guide for details about using the APIs required for this task. 1. Authenticate with the F5 Cloud REST API. 2. Discover at least one BIG-IP system using the Add a managed device API. /mgmt/cm/cloud/managed-devices POST 3. Create a catalog of BIG-IQ Cloud applications to publish into the vshield Manager vendor template using the Create provider iapp template API. /mgmt/cm/cloud/provider/templates/iapp POST 4. Create new tenants for VSM using the Create tenant API. /mgmt/cm/cloud/tenant POS 5. Create a VSM cloud connector using the Create VMware connection API, specifying the IP address and appropriate credentials. /mgmt/cm/cloud/connectors/vmware POST The applications you included when you created the VSM vendor template are published to the VSM interface. The tenants that you created and connected to VSM can now use the VSM interface to create applications. Fields that are tenant-editable are displayed in the VSM user interface. How vshield Manager processes tenant-editable values There are a few complexities to be aware of when you create a service profile in the vshield interface to access the applications in your template. 26

27 BIG-IQ Cloud API: Implementations Tenant Editable Field Tenant Name Pool members Virtual IP addresses Tabular data Action Make a note of the tenant name you created. You need to enter it in the vshield interface. If you choose an incorrect tenant name or leave the tenant name blank, the VSM create service profile task fails. Enter values in the Service Attributes portion of the VSM interface. Enter values in the Service Attributes portion of the VSM interface. There is additional complexity for API values represented in a table. Editable table columns appear in the VSM interface as an entry in the list of Vendor Attributes. To specify multiple values for an entry, you enter them in a comma-delimited list. Consider the following example. { "name": "pool members", "columns": [ { "name": "addr", "isrequired": false, "providertype": "NODE"}, { "name": "port", "isrequired": true, }, { "name": "port_secure", "isrequired": true, }, { "name": "connection_limit", "isrequired": true, "provider": "10000" }, { "name": "ratio", "isrequired": true, "provider": "1" }, { "name": "priority", "isrequired": true, "provider": "0" } ], "servertier": "default" } For the table represented, there are two editable columns, port and port_secure. In the VSM interface there are Vendor Attributes rows to represent these values. The port appears as pool members.port and the secure port entry appears as pool members.port_secure. Enter values for these in a comma-delimited list (for example, pool members.port_secure 443, 444). 27

28 VMware vshield Cloud Integration 28

29 Chapter 6 vcloud Director Integration Topics: About vcloud Director integration Before you begin vcloud Director integration Task summary

30 vcloud Director Integration About vcloud Director integration Integrating vcloud Director (VCD) with your cloud applications makes it possible for you to use the VCD interface to manage the F5 cloud applications. The integration process involves tasks using the user interface in both the F5 BIG-IQ Cloud and the VMware VCD. After you integrate vcloud Director (VCD) with BIG-IQ Cloud, you can use VCD to manage your cloud applications. After integration, a catalog of BIG-IP Cloud applications appears in the VCD user interface. BIG-IQ Cloud refers to a service provider's customers as tenants. The VCD equivalent to a tenant is referred to as an organization. BIG-IQ Cloud identifies tenants using a tenant ID. One key to successfully integrating VCD with BIG-IQ Cloud is associating the tenant ID assigned to that catalog with a VCD organization. To deploy an F5 application catalog in vshield Manager (VSM), you deploy a VSM service profile. While VSM service profiles do not currently recognize F5 tenants, they do recognize VCD organizations. So when your tenant s ID is associated with a VCD organization, you can use VSM and VCD to administer and deploy the tenant s application catalog. When you create a tenant for VCD integration, make a note of the tenant ID so you can connect it to a VCD organization. Before you begin vcloud Director integration Before you integrate BIG-IQ Cloud with your vcloud Director applications, make sure that you have completed the following prerequisites. Customize and store at least one provider template in the catalog. Create at least one tenant. Task summary When you are integrating vcloud Director (VCD) and BIG-IQ Cloud, you must configure VCD, then BIG-IQ, then VCD again. Determining an organization's globally unique identifier The globally unique identifier (GUID) is the figurative glue that binds the BIG-IQ Cloud connector to your vcloud Director (VCD) applications. You use the GUID when you create a tenant for a VCD connector. 1. Log in to your VCD system and complete the initial setup. Setup must include creating at least one VMware organization virtual data center (VDC). 2. In VCD, navigate to the list of organization VDCs. 3. In VCD, select the organization VDC that you are going to use to manage BIG-IQ applications. When you select the VDC, an alphanumeric string, known as the GUID appends to the end of the displayed URL. In the following illustration, the GUID is highlighted. 30

31 BIG-IQ Cloud API: Implementations Make a note of the GUID; you will need it when you create a tenant for this connector. Creating BIG-IQ Cloud integration objects The BIG-IQ Cloud integration objects you create in this task are available in your VMware vcloud Director (VCD) applications, so you can manage these objects using the VCD user interface. Important: Refer to the BIG-IQ Cloud Service API Reference Guide for details about using the APIs required for this task. 1. Authenticate with the F5 Cloud REST API. 2. Discover at least one BIG-IP system using the Add a managed device API. /mgmt/cm/cloud/managed-devices POST 3. Create a catalog of BIG-IQ Cloud applications to publish into the vshield Manager vendor template using the Create provider iapp template API. /mgmt/cm/cloud/provider/templates/iapp POST 4. Using the BIG-IQ Cloud APIs, create a VMware vshield Manager connector using the Create VMware connection API (/mgmt/cm/cloud/connectors/vmware POST), specifying the IP address and appropriate credentials. 5. Using the BIG-IQ Cloud APIs, create a new tenant, using the Create tenant API. /mgmt/cm/cloud/tenants POST Important: You must use the organization's vcloud Director GUID for the new tenant's name. Integrating vcloud Director with your cloud applications You must create a VMware connector in BIG-IQ Cloud before you can perform this task. Connecting BIG-IQ integration objects to your vcloud Director (VCD) applications makes it possible for you to manage BIG-IQ applications using the VCD user interface. 1. In VCD, enable the cloud connector you just created for the Organization VDC that corresponds to the tenant you created for VCD. 2. In VCD, create an edge gateway for the organization VDC that corresponds to the tenant. 3. In VCD, create an edge gateway service for the edge gateway you just created. As part of creating the service, you need to first specify a pool, and then a virtual machine. The tenants that you created and connected to VCD can now use the VCD interfaces to create and manage applications. The VCD user interface displays the fields that are tenant-editable. 31

32 vcloud Director Integration 32

33 Chapter 7 Amazon EC2 Cloud Integration Topics: About Amazon EC2 integration

34 Amazon EC2 Cloud Integration About Amazon EC2 integration The built-in EC2 Cloud Connector supports connection between the BIG-IQ Cloud and an Amazon Web Services (AWS) account. The connector gives you the management capability for your EC2 AWS cloud based applications. The EC2 Cloud Connector provides two key features: The EC2 cloud connector can discover BIG-IP Amazon machine images running in the account. The EC2 cloud connector can discover application servers running in the account. You can combine these two features to coordinate management-plane changes to a private, public, or hybrid cloud environment. For example, to accommodate traffic fluctuations, you might need to periodically add or subtract BIG-IP devices or application servers to an application. Discovering the necessary resources on the fly makes this bursting support possible. Integrating with EC2 cloud applications Creating an EC2 connector provides you with the ability to manage your EC2 AWS cloud based applications. 1. Authenticate with the F5 Cloud REST API. 2. Create a new EC2 connector using the Create a cloud connector API. /mgmt/cm/cloud/connectors/ec2 POST The new connector triggers a discovery process that retrieves all currently running BIG-IP devices in the EC2 account, and discovers all currently running application servers. 3. To get your EC2 connector's current health use the Get health of an EC2 connector API. /mgmt/cm/cloud/connectors/ec2/id/stats GET 4. You can define the set of connectors accessible to a tenant when you create the tenant; use the Create tenant API. /mgmt/cm/cloud/tenants/{tenant-id} POST 5. You can edit the set of connectors accessible to an existing tenant using the Update tenant information API. /mgmt/cm/cloud/tenants/{tenant-id} PUT 6. To retrieve a list of the current EC2 connectors, use the Get all cloud connectors of a given type API. /mgmt/cm/cloud/connectors/ec2/ GET 7. To view a tenant's current connectors, use the Get all tenant cloud connectors API. 34

35 Chapter 8 Deploy Application Services Topics: About cloud tenant self-service application deployment

36 Deploy Application Services About cloud tenant self-service application deployment Cloud service providers customize iapps application templates based on your needs as a cloud tenant. For example, they specify such things as an IP address for a virtual server, identify hosts and server pools, set connection limits, and so forth. This customization eliminates the need for you to perform complicated networking tasks, and ensures that your settings are optimized. BIG-IQ Cloud provides these customized applications as catalog items to you. When these applications are associated with you as a tenant, you have the option to further modify the application as required, and deploy it as needed. Deploying application catalogs Before you can submit the API calls required to complete this task, you must: Customize and store at least one application template in the catalog. Create at least one tenant. By modifying and deploying the configuration of a tenant service, you can give specific tenants the ability to deploy cloud applications. Tip: Refer to the BIG-IQ Cloud Service API Reference Guide for details about using the APIs required for this task. 1. Authenticate with the F5 Cloud REST API. 2. Discover at least one BIG-IP system using the Add a managed device API. /mgmt/cm/cloud/managed-devices POST 3. From the tenant service template list, select a template that provides most or all of the application services required, using the Get service instances API. /mgmt/cm/cloud/tenant/tenant-id/services GET 4. Examine the current configuration of the tenant service template that you selected using the Get service instance configuration API. /mgmt/cm/cloud/tenant/tenant-id/services/service-id GET 5. Modify the tenant service template so that it meets your needs and then deploy it, using the Create service instance API. /mgmt/cm/cloud/tenant/tenant-id/services POST If you decide to delete a tenant service template after you deploy it, you can use the Delete service instances API (/mgmt/cm/cloud/tenant/tenant-id/services/service-id DELETE). To view the current health of a deployed tenant, use the Get service health API (/mgmt/cm/cloud/tenant/tenant-id/services/iapp/service-id/health GET). 36

37 Chapter 9 Revise Application Deployment Topics: About expanding cloud resources

38 Revise Application Deployment About expanding cloud resources The BIG-IQ Cloud provides you, as a cloud provider, a seamless way to manage an anticipated increase in application traffic by directing some of your local traffic to another cloud resource. This is referred to as cloud bursting. The cloud resource can be located on your private local network, or in a VMware vshield network, or an Amazon EC2 network. When demand falls back into normal parameters, you can redirect all traffic back to your original cloud resource. The elasticity of this process allows you to efficiently manage your resources during periods of increased or decreased traffic to your applications. Creating a cloud resource Expanding application traffic to an additional cloud resource, or cloud bursting, is an effective way to obtain additional resources that are required only for a set period of time. For example, if you are hosting an application that has a significant increase of traffic only during certain seasons, you can rent public cloud space, and direct some of your extra traffic there. When the season is over, you can discontinue use of the public cloud space and move all of your traffic back to your local network. This decreases the seasonal load on your local resources, without requiring you to invest in additional equipment. 1. Authenticate with the F5 Cloud REST API, specifying a user role of Provider. 2. Create two new cloud connectors (a primary and a secondary) using the Create a new cloud connector API. /mgmt/cm/cloud/connectors/ec2 POST or /mgmt/cm/cloud/connectors/vmware POST 3. Grant the tenant access to the two new cloud resources using the Update tenant information API to revise the connectorreference variable. /mgmt/cm/cloud/tenants/<tenant-id>/ PUT 4. Create a custom application catalog that defines the necessary applications and cloud resources that you want the tenant to access using the Create provider iapp template API. /mgmt/cm/cloud/provider/templates/iapp POST Important: You need to create two catalogs, one for the primary local cloud that uses the f5.cloud_tunnel_local application type and a second for the remote cloud that uses the f5.cloud_tunnel_remote application type. When you name the catalogs, it is a good idea to use the words local and remote so that users can identify which is which. 5. Authenticate with the F5 Cloud REST API, specifying a user role of Tenant. 6. Identify the server addresses on the newly deployed cloud resources using the Query for all tenant nodes API. (/mgmt/cm/cloud/tenants/{tenant}/nodes GET) Examine the API return and make note of the servers to be used in application deployment for the primary cloud. 7. Modify the tenant service template to include the cloud resources identified in step 6 and then deploy it, using the Create service instance API. (/mgmt/cm/cloud/tenant/tenant-id/services/iapp POST) The cloud resource is now ready to begin processing traffic levels at normal volume. 38

39 BIG-IQ Cloud API: Implementations Creating a cloud resource that can flex to match demand When traffic volume requires additional cloud computing resources, you can reconfigure and redeploy BIG-IQ Cloud services to suit your needs. 1. Provision the required computing resources in Amazon EC2 Cloud. a) Login to AWS Management console as Tenant. b) Provision a F5 BIG-IP instance with three elastic IP addresses. Associate these elastic IPs with the proper network interfaces. Assign the management interface elastic IP to (eth0). Assign the primary and secondary external interface elastic IPs to (eth1). c) Provision application servers with private interfaces on the internal subnet used by the BIG-IP devices. Tip: For details on configuring an EC2 cloud, refer to the BIG-IP Virtual Edition Setup Guide for Amazon EC2 on the AskF5 Knowledge Base located at 2. Authenticate with the F5 Cloud REST API, specifying a user role of Tenant. 3. Connect primary and secondary clouds by deploying a cloud tunnel using the Create service instance API. /mgmt/cm/cloud/tenant/tenant-id/services/iapp POST a) For the new secondary cloud gateway (f5.cloud_tunnel_remote) use these settings: For the iapp variable basic.womendpointaddress use EC2 secondary external interface private address (for example, ). Important: Elastic IP must be associated with this secondary private address and EC2 VPC NAT must allow bidirectional HTTPS traffic on port 443 to this interface. For the iapp variable basic.womremoteendpointaddress use an unused public virtual server IP address in primary cloud address space. For the iapp variable basic.womadvertisedroute use an EC2 internal subnet (for example, ). b) For the existing primary cloud gateway (f5.cloud_tunnel_local) use these settings: For the iapp variable basic.womendpointaddress use the same public virtual server IP address in primary cloud address space that you specified for the basic.womremoteendpointaddress variable. Important: This Public IP address must allow bidirectional HTTPS traffic on port 443. For the iapp variable basic.womremoteendpointaddress use an elastic IP address associated with the EC2 secondary external interface address. For the iapp variable basic.womadvertisedroute use the primary cloud internal subnet (for example, ). 4. Redeploy the BIG-IQ Cloud services using the Update service instance API. /mgmt/cm/cloud/tenant/tenant-id/services/iapp PUT When your traffic levels return to normal and you no longer need the additional cloud resources, use the same API to remove the secondary cloud from service. 39

40 Revise Application Deployment 40

41 Chapter 10 License Status Topics: About license management

42 License Status About license management The number of active nodes currently being served by application services is the metric that BIG-IQ Cloud uses to determine the extent of your license consumption. Licensing management capability allows you to track your node count. You can track the node count using the BIG-IQ Cloud Servers panel, or using the BIG-IQ Cloud REST APIs. Important: BIG-IQ Cloud licensing information is available when you log in with an Admin user role. Tenants who log in with a Cloud Tenant user role are not given access to license status information. Once the node limit is exceeded: You cannot create new or update existing applications. You can delete applications to get your node limit back within licensing limits. Managing BIG-IQ licenses 1. Authenticate with the F5 Cloud REST API. 2. Get the current status of your license using the Get license API. /mgmt/cm/shared/license GET The response provides a complete breakdown of the current license, including the current node count. 42

43 Chapter 11 Monitor Application Health Topics: About application monitoring

44 Monitor Application Health About application monitoring A tenant can use BIG-IQ Cloud to monitor the health and performance of your applications. Health for each application is influenced by multiple factors including the health of these elements: Connectors Devices that host the application BIG-IQ Cloud placement service (which handles load distribution and elasticity) The application itself You can monitor application health at these times: When a tenant deploys a new application, its health is based on whether it deploys successfully. If placement fails, the health state is Unhealthy and BIG-IQ Cloud displays error messages to indicate the cause. After a new application is deployed successfully, the health state that BIG-IQ Cloud provides is from the services used in the application. Monitoring application health You can perform application monitoring when a new application is being deployed and after it deploys successfully. Tip: Refer to the BIG-IQ Cloud Service API Reference Guide for details about using APIs referenced in this task. 1. Authenticate with the F5 Cloud REST API. 2. Get the health of an application using the Get service health API. /mgmt/cm/cloud/tenant/<tenant-id>/services/iapp/<service-id>/stats GET 44

45 Index Index A Amazon EC2 34 Amazon elastic cloud computing 34 API installation testing 15 application catalog 22 application catalogs about deploying 36 application integration with EC2 34 with vcloud Director 30, 31 with vshield Manager 26 application services about deploying 36 deploying 22 deploying catalogs 36 publishing 22 application templates 22 about 22 and vapps 26 attributes editing by tenant 22 B BIG-IP system installing cloud components 14 BIG-IP version 11.3 ensuring compatibility 14 BIG-IQ Cloud about 10 BIG-IQ Security about 10 BIG-IQ system about 10 BigSwitch testing API 14 bursting to cloud defined 38 C cloud components and restarting TMM 14 installing 14 cloud resources providing for tenants 22 using 38 cloud tenants about creating 18 E EC2 about integration 42 EC2 integration 34 about 34 G glossary 10 H health about monitoring 44 monitoring 44 I iapps customizing for tenants 22 defined 22 See also application templates integration of BIG-IQ Cloud with VCD 30 L license managing 42 license management about 42 M management entity creating 18 N network configurations customizing for tenants 22 P package endpoint installing 14 prerequisites for vcloud integration 30 provider templates 22 Python using for API calls 15 45

46 Index R resources managing demand 38 RPM endpoint installing 14 S scripts ensuring BIG-IP version 11.3 compatibility 14 self-service deployment 36 statistics about monitoring 44 monitoring 44 T tenant creating 18 tenant-editable attributes 22 tenant-editable values for vshield Manager 26 tenants about creating 18 terminology 10 TMM and installing cloud components 14 V vapps and application templates 26 deploying 26 vcloud Director integration 30 about 30 prerequisites 30 with applications 30 vshield Manager about integration 26 supported version 26 46