F5 Public Cloud Solutions > 8. F5 Azure Automation > 8.3. Introduction to F5 Orchestration with Ansible Source | Edit on
8.3.1. Introduction to F5 Orchestration with Ansible¶
In this lab we will start a docker container running ansible and use a playbook created in advance to create an environment in Azure. The specific components which will be created are a virtual network in Azure, spin up BIG-IP, configure the BIG-IP, and spin up a few Linux hosts do serve as pool members. The configuration will all be done from a Linux host in the Ravello Cloud. The location of the Linux host used for configuration does not need to be in Azure. It can be in your data center, in a docker container environment on a laptop, or in any cloud of your choice. The Linux host running the docker container for this lab will be accessed through Ravello and is actually running in AWS.
The Linux host in the Ravello cloud is preloaded with Ansible, Python and Docker.
Automation makes this a repeatable process as demonstrated by the entire class performing this same operation using the same ansible playbook. The selection of Ansible is arbitrary. Ansible uses the REST implementation to configure the BIG-IP and the other components in the environment. Many other tools can be used for orchestration including, but not limited to python, terraform, Puppet, and Chef.
Log on to the Ravello jumphost using the FQDN assigned by the instructor. All work in this lab will be done from the jumphost using the Browser and Terminal functions.
8.3.1.1. Accessing Ravello Jump Host and deploy BIG-IP¶
- When prompted for credentials
- Username:
Ubuntu
- Password:
supernetops
- Open the terminal window
- Adjust the font size using the Zoom In
- Size the window
- Username:
8.3.1.2. Build and run a docker container with ansible playbook¶
In the following steps you will build and run a Docker container called agility2018 which will have Ansible installed. From the Docker container, you will provide the required configuration and authentication credentials to deploy an application into the Azure environment in a fully automated way.
Clone the github repository to the Linux Host
Note
This part is optional for Agility lab
git clone https://github.com/ajgerace/azure-f5
- View the contents of the directory. Note the addition of a subdirectory called azure-f5
ls
- Change directory to the azure-f5
cd azure-f5
Build Docker container (hint: note the period at the end of the command.
Note
Optional for Agility lab
sudo docker build -t agility2018 .
Note
A space is required after the period for this command to work
Verify that the agility2018 container exists and look at the other docker containers currently on the system
sudo docker images
Run the Docker container
sudo docker run -it --rm agility2018
Note
Note the change at the prompt. You are now working inside the Docker container
Prompt is now
/home/ansible
Clone the github repository to the Docker container (we use different components of the repository inside the container) and build a system using the existing Ansible playbook
git clone https://github.com/ajgerace/azure-f5
Create environment variables utilizing the student ID and password provided by the instructor
export AZURE_USERNAME=student#@f5custlabs.onmicrosoft.com
Note
Insert the correct values in the username
export AZURE_PW=ChangeMeNow123
Run bash script to create the Azure Service Principal and Secret
cd azure-f5
./spCreate.sh
Output will look something like…..
Troubleshooting tip—If all the values do not populate, the service principal was not created correctly or already exists. If this happens, access the Azure portal to delete the Service Principal for your student ID
- Login to Azure Portal
- https://portal.azure.com
- USERNAME:
student#@f5custlabs.onmicrosoft.com
- Password:
ChangeMeNow123
- Click on Azure Active Directory
- Click App registration
- Click on your app (studentX-app)
- Click delete
- rerun
./shCreate.sh
and verify that all values in the Service - Principal field are populated
- rerun
Create the group_vars/all/vault.yml file with the variables in the black section and verify the contents
vi group_vars/all/vault.yml
- Paste the azure variables created in step 5 in and save the file
- Save - Write access the Azure portal to delete the Service
- Principal for your student IDthe vault.yml file
<esc>:wq
cat group_vars/all/vault.yml
Create the vault password file. This file will hold the vault password so that you will not have to input the password on the command line or be prompted for the password when running the playbook.
echo "@g!l!+y2018" > .vault-pass.txt
- Encrypt the vault.yml file
ansible-vault encrypt group_vars/all/vault.yml
- View the encrypted vault.yml file
cat group_vars/all/vault.yml
- View the contents of the encrypted vault.yml file
ansible-vault view group_vars/all/vault.yml
View the contents of group_vars/azure-f5.yml. Note the prefix variable and the various IP addresses. This is the variable input file to the ansible playbook.
Run Ansible playbook with
deploy_state=present
to create deploymentansible-playbook -i notahost, f5agility.yml -e deploy_state=present
- This step will take about 20 minutes
- Once complete review the comments on the screen.
- Note the URI for BIG-IP management
- Note the URI for the VIP which was created
8.3.1.3. Inspect the objects created in the Azure environment¶
Let’s take a look at what was built by the process in Azure. This section will focus on the IP address and ACL implementation. By default, Azure provides restrictive ACLs and NAT functionality to secure the deployment. Review any other objects of interest. No changes to the configuration will be required.
- Access the Azure portal
- https://portal.azure.com
- Username:
student#@f5custlabs.onmicrosoft.com
- Password:
ChangeMeNow123
- Username:
- Gather information about the Management port on the BIG-IP
- Resource Groups
- Inspect the BIG-IP virtual machine object
- f5vm01
- Inspect the object which contains the BIG-IP management address
- student#-mgmt-pip
- Note the Public IP Address
- student#-mgmt-nsg
- Notice that 443 and 22 are permitted
- Notice that only one source IP address is allowed to connect. The allowed IP address is the IP of the Ravello Jump Host used to build the environment
- Inspect the object which contains the external IP mapping
- student#-ext
- Select IP configurations from the panel on the left
- Note the Public IP Address and Private IP address associated with student#_rg-ext-ipconfig0
- You will browse to the VIP associated with Public IP address to connect to the application VIP
- The Private IP address will be configured as a VIP on the BIG-IP
- student#-ext-nsg
- Notice that ports 443 and 22 are permitted
- Notice that only one source IP address is allowed to connect. In a typical environment this would be less restrictive, possibly any.
- Inspect the network address assignments on the 2 Linux servers
created by the orchestration script
- vm_bodgeit01_inf - Network interface
- vm_bodgeit02_inf - Network interface
- Select IP configurations from the panel on the left
- You could browse to the Public IP address
- The Private IP address will be configured as a pool member on the BIG-IP
- Inspect the object which contains the Linux Server access list
- vm_bodgeit01_inf - Network security group
- vm_bodgeit02_inf - Network security group
- Notice that only port 22 is permitted
- Notice that any source IP address is allowed to connect. Typically those would be much more restrictive
8.3.1.4. Inspect the BIG-IP Configuration¶
8.3.1.5. Verify that you can connect to the application through the BIG-IP¶
- Access the application
http://<Public-IP mapped to the VIP address>
(from the ansible output or look at the management interface in the Azure portal)
8.3.1.6. Inspect the Ansible Playbook¶
- Return to the Terminal window
- Prompt is now
/home/ansible
- If you closed the terminal window, restart the ansible
container
sudo docker ps -a
(this will allow you to see the CONTAINER ID)sudo docker exec -it <CONTAINER ID> /bin/sh
- View the variable assignments in the group_vars/azure-f5.yml
cat group_vars/azure-f5.yml
- View the f5agility.yml file. This is the Ansible code
which controls the execution of the individual playbooks. Playbooks are
referred to as roles in this file.
cd azure-f5
cat f5agility.yml | more
- View the directories where the playbooks are stored
cd roles
ls
- Inspect a few of the playbooks
cd <subdirectory>/tasks
cat main.yml | more
8.3.1.7. Add a VIP to the existing Application environment¶
- In the following steps we will use Ansible to add a Public to
Private IP mapping and create an additional VIP on the BIG-IP
- Return to the Terminal window
- Navigate to /home/ansible/azure-f5
- To add secondary IP to the Azure environment you will run another playbook
ansible-playbook -i notahost, f5agility_add_ip.yml -e deploy_state=present
- To create second vip on the existing BIG-IP you will run another playbook
ansible-playbook -i notahost, f5agility_create_vs2.yml -e deploy_state=present
- Let’s take a look at the Ansible Playbooks used to create the objects
(Public IP in Azure and a VIP on the BIG-IP)
- Inspect the following files from the
/home/ansible/azure-f5 directory. The first 4 are used
to create the Azure components and the last 3 are used to create
the VIP on the BIG-IP
- f5agility_add_ip.yml
- group_vars/azure-f5.yml
- group_vars/ipconfigs.yml
- roles/add_priv_ip/tasks/main.yml
- f5agility_create_vs2.yml
- group_vars/azure-f5.yml
- roles/create_vs2/tasks/main.yml
- Inspect the following files from the
/home/ansible/azure-f5 directory. The first 4 are used
to create the Azure components and the last 3 are used to create
the VIP on the BIG-IP
- Let’s take a look at the configuration changes on ther BIG-IP and
the Azure environmet
- Access BIG-IP Management interface
- Username:
student#
- Password:
ChangeMeNow123
- Username:
- Local
- Note that bodgedit_vs2 is present. IP address
- 10.0.10.247
- Access the Azure portal
- https://portal.azure.com
- Username:
student#@f5custlabs.onmicrosoft.com
- Password:
ChangeMeNow123
- Inspect the external network interface in Azure
- Resource Groups
- Select your Resource Group <student#_rg>
- Inspect the BIG-IP virtual machine Network Interface object
- student#-ext
- IP Configurations from the tool list on the left of the screen
- Note the Public IP associated with 10.0.10.247
- Username:
- Access BIG-IP Management interface
8.3.1.8. Test the newly created VIP¶
- Open a new browser window
- http://<public_IP associated with 10.0.10.247>
8.3.1.9. Destroy the environment and verify that the objects were deleted¶
- Run the ansible playbook with
deploy_state=absent
ansible-playbook f5agility.yml -e deploy_state=absent
- This step takes about 15 minutes
- Access the Azure portal
https://portal.azure.com
- Username:
student#@f5custlabs.onmicrosoft.com
- Password:
ChangeMeNow123
- Verify that the Resource group and associated objects is removed