8.3.1. Introduction to F5 Orchestration with Ansible

In this lab we will start a docker container running ansible and use a playbook created in advance to create an environment in Azure. The specific components which will be created are a virtual network in Azure, spin up BIG-IP, configure the BIG-IP, and spin up a few Linux hosts do serve as pool members. The configuration will all be done from a Linux host in the Ravello Cloud. The location of the Linux host used for configuration does not need to be in Azure. It can be in your data center, in a docker container environment on a laptop, or in any cloud of your choice. The Linux host running the docker container for this lab will be accessed through Ravello and is actually running in AWS.

The Linux host in the Ravello cloud is preloaded with Ansible, Python and Docker.

Automation makes this a repeatable process as demonstrated by the entire class performing this same operation using the same ansible playbook. The selection of Ansible is arbitrary. Ansible uses the REST implementation to configure the BIG-IP and the other components in the environment. Many other tools can be used for orchestration including, but not limited to python, terraform, Puppet, and Chef.

Log on to the Ravello jumphost using the FQDN assigned by the instructor. All work in this lab will be done from the jumphost using the Browser and Terminal functions.

image3

8.3.1.1. Accessing Ravello Jump Host and deploy BIG-IP

  1. When prompted for credentials
    • Username: Ubuntu
    • Password: supernetops
    • Open the terminal window
    • Adjust the font size using the Zoom In
    • Size the window

8.3.1.2. Build and run a docker container with ansible playbook

In the following steps you will build and run a Docker container called agility2018 which will have Ansible installed. From the Docker container, you will provide the required configuration and authentication credentials to deploy an application into the Azure environment in a fully automated way.

  1. Clone the github repository to the Linux Host

    Note

    This part is optional for Agility lab

    • git clone https://github.com/ajgerace/azure-f5
    • View the contents of the directory. Note the addition of a subdirectory called azure-f5
    • ls
    • Change directory to the azure-f5
    • cd azure-f5

  2. Build Docker container (hint: note the period at the end of the command.

    Note

    Optional for Agility lab

    • sudo docker build -t agility2018 .

      Note

      A space is required after the period for this command to work

    • Verify that the agility2018 container exists and look at the other docker containers currently on the system

    • sudo docker images

  3. Run the Docker container

    • sudo docker run -it --rm agility2018

      Note

      Note the change at the prompt. You are now working inside the Docker container

    • Prompt is now /home/ansible

  4. Clone the github repository to the Docker container (we use different components of the repository inside the container) and build a system using the existing Ansible playbook

    • git clone https://github.com/ajgerace/azure-f5

    • Create environment variables utilizing the student ID and password provided by the instructor

    • export AZURE_USERNAME=student#@f5custlabs.onmicrosoft.com

      Note

      Insert the correct values in the username

    • export AZURE_PW=ChangeMeNow123

    • Run bash script to create the Azure Service Principal and Secret

    • cd azure-f5

    • ./spCreate.sh

    • Output will look something like…..

    image201

  5. Troubleshooting tip—If all the values do not populate, the service principal was not created correctly or already exists. If this happens, access the Azure portal to delete the Service Principal for your student ID

    • Login to Azure Portal
    • https://portal.azure.com
    • USERNAME: student#@f5custlabs.onmicrosoft.com
    • Password: ChangeMeNow123
    • Click on Azure Active Directory
    • Click App registration
    • Click on your app (studentX-app)
    • Click delete
    • rerun ./shCreate.sh and verify that all values in the Service
      Principal field are populated

  6. Create the group_vars/all/vault.yml file with the variables in the black section and verify the contents

    • vi group_vars/all/vault.yml
    • Paste the azure variables created in step 5 in and save the file
    • Save - Write access the Azure portal to delete the Service
      Principal for your student IDthe vault.yml file
    • <esc>:wq
    • cat group_vars/all/vault.yml

  7. Create the vault password file. This file will hold the vault password so that you will not have to input the password on the command line or be prompted for the password when running the playbook.

    • echo "@g!l!+y2018" > .vault-pass.txt
    • Encrypt the vault.yml file
    • ansible-vault encrypt group_vars/all/vault.yml
    • View the encrypted vault.yml file
    • cat group_vars/all/vault.yml
    • View the contents of the encrypted vault.yml file
    • ansible-vault view group_vars/all/vault.yml

  8. View the contents of group_vars/azure-f5.yml. Note the prefix variable and the various IP addresses. This is the variable input file to the ansible playbook.

  9. Run Ansible playbook with deploy_state=present to create deployment

    • ansible-playbook -i notahost, f5agility.yml -e deploy_state=present
    • This step will take about 20 minutes
    • Once complete review the comments on the screen.
      • Note the URI for BIG-IP management
      • Note the URI for the VIP which was created

    image202

8.3.1.3. Inspect the objects created in the Azure environment

Let’s take a look at what was built by the process in Azure. This section will focus on the IP address and ACL implementation. By default, Azure provides restrictive ACLs and NAT functionality to secure the deployment. Review any other objects of interest. No changes to the configuration will be required.

  • Access the Azure portal
  • https://portal.azure.com
    • Username: student#@f5custlabs.onmicrosoft.com
    • Password: ChangeMeNow123
  • Gather information about the Management port on the BIG-IP
  • Resource Groups
  • Inspect the BIG-IP virtual machine object
    • f5vm01
  • Inspect the object which contains the BIG-IP management address
    • student#-mgmt-pip
    • Note the Public IP Address
    • student#-mgmt-nsg
    • Notice that 443 and 22 are permitted
    • Notice that only one source IP address is allowed to connect. The allowed IP address is the IP of the Ravello Jump Host used to build the environment
  • Inspect the object which contains the external IP mapping
    • student#-ext
    • Select IP configurations from the panel on the left
    • Note the Public IP Address and Private IP address associated with student#_rg-ext-ipconfig0
    • You will browse to the VIP associated with Public IP address to connect to the application VIP
    • The Private IP address will be configured as a VIP on the BIG-IP
    • student#-ext-nsg
    • Notice that ports 443 and 22 are permitted
    • Notice that only one source IP address is allowed to connect. In a typical environment this would be less restrictive, possibly any.
  • Inspect the network address assignments on the 2 Linux servers created by the orchestration script
    • vm_bodgeit01_inf - Network interface
    • vm_bodgeit02_inf - Network interface
    • Select IP configurations from the panel on the left
  • You could browse to the Public IP address
  • The Private IP address will be configured as a pool member on the BIG-IP
  • Inspect the object which contains the Linux Server access list
    • vm_bodgeit01_inf - Network security group
    • vm_bodgeit02_inf - Network security group
    • Notice that only port 22 is permitted
    • Notice that any source IP address is allowed to connect. Typically those would be much more restrictive

8.3.1.4. Inspect the BIG-IP Configuration

  • https://<BIG-IP-MGMT-IP-ADDRESS> (from the ansible output or look at the management interface in the Azure portal)

    • Username: student#
    • Password: ChangeMeNow123

  • Inspect the VIP on the BIG-IP

    image203

  • Inspect the pool on the BIG-IP

    image204

8.3.1.5. Verify that you can connect to the application through the BIG-IP

  1. Access the application
    • http://<Public-IP mapped to the VIP address> (from the ansible output or look at the management interface in the Azure portal)

8.3.1.6. Inspect the Ansible Playbook

  • Return to the Terminal window
  • Prompt is now /home/ansible
  • If you closed the terminal window, restart the ansible container
    • sudo docker ps -a (this will allow you to see the CONTAINER ID)
    • sudo docker exec -it <CONTAINER ID> /bin/sh
  • View the variable assignments in the group_vars/azure-f5.yml
    • cat group_vars/azure-f5.yml
  • View the f5agility.yml file. This is the Ansible code which controls the execution of the individual playbooks. Playbooks are referred to as roles in this file.
    • cd azure-f5
    • cat f5agility.yml | more
  • View the directories where the playbooks are stored
    • cd roles
    • ls
  • Inspect a few of the playbooks
    • cd <subdirectory>/tasks
    • cat main.yml | more

8.3.1.7. Add a VIP to the existing Application environment

  1. In the following steps we will use Ansible to add a Public to Private IP mapping and create an additional VIP on the BIG-IP
    • Return to the Terminal window
    • Navigate to /home/ansible/azure-f5
    • To add secondary IP to the Azure environment you will run another playbook
    • ansible-playbook -i notahost, f5agility_add_ip.yml -e deploy_state=present
    • To create second vip on the existing BIG-IP you will run another playbook
    • ansible-playbook -i notahost, f5agility_create_vs2.yml -e deploy_state=present
  2. Let’s take a look at the Ansible Playbooks used to create the objects (Public IP in Azure and a VIP on the BIG-IP)
    • Inspect the following files from the /home/ansible/azure-f5 directory. The first 4 are used to create the Azure components and the last 3 are used to create the VIP on the BIG-IP
      • f5agility_add_ip.yml
      • group_vars/azure-f5.yml
      • group_vars/ipconfigs.yml
      • roles/add_priv_ip/tasks/main.yml
      • f5agility_create_vs2.yml
      • group_vars/azure-f5.yml
      • roles/create_vs2/tasks/main.yml
  3. Let’s take a look at the configuration changes on ther BIG-IP and the Azure environmet
    • Access BIG-IP Management interface
      • Username: student#
      • Password: ChangeMeNow123
    • Local Traffic ‣ Virtual Servers ‣ Virtual Server List
    • Note that bodgedit_vs2 is present. IP address
      10.0.10.247
    • Access the Azure portal
    • https://portal.azure.com
      • Username: student#@f5custlabs.onmicrosoft.com
      • Password: ChangeMeNow123
      • Inspect the external network interface in Azure
      • Resource Groups
      • Select your Resource Group <student#_rg>
      • Inspect the BIG-IP virtual machine Network Interface object
      • student#-ext
      • IP Configurations from the tool list on the left of the screen
      • Note the Public IP associated with 10.0.10.247

8.3.1.8. Test the newly created VIP

  • Open a new browser window
  • http://<public_IP associated with 10.0.10.247>

8.3.1.9. Destroy the environment and verify that the objects were deleted

  • Run the ansible playbook with deploy_state=absent
  • ansible-playbook f5agility.yml -e deploy_state=absent
  • This step takes about 15 minutes
  • Access the Azure portal
  • https://portal.azure.com
  • Username: student#@f5custlabs.onmicrosoft.com
  • Password: ChangeMeNow123
  • Verify that the Resource group and associated objects is removed