Deploy the BIG-IP Controller for Cloud Foundry with per-Route Virtual Servers

Follow the instructions provided here to run the BIG-IP Controller for Cloud Foundry in broker_mode. In broker_mode, the BIG-IP Controller acts as a Service Broker to let you deploy per-Route BIG-IP virtual servers.

Task Summary

  • Define the Virtual Server Settings in the Application Manifest
    • Apply BIG-IP policies and profiles (OPTIONAL)
    • Add BIG-IP Health Monitors (OPTIONAL)
  • Push the BIG-IP Controller app to Cloud Foundry
  • Register the BIG-IP Controller as a Service Broker
  • Bind the f5servicebroker Service to a Route
  • Edit or Remove BIG-IP Objects for Cloud Foundry Routes

Define the Virtual Server Settings in the Application Manifest

Define the desired BIG-IP virtual server settings as a Service Plan in the BIG-IP Controller Application Manifest. You can add the Service Plan section to the Application Manifest for an existing BIG-IP Controller instance, or when deploying the Controller for the first time.

You can use as many Service Plans as you need to define the BIG-IP services your Apps require. When you Register the BIG-IP Controller as a Service Broker, the f5servicebroker Service discovers Service Plan(s) associated with the BIG-IP Controller automatically.

Warning

Cloud Foundry supports one Route Service Binding per Route. While you can define multiple Service Plans in a single BIG-IP Controller Application Manifest, you cannot apply multiple plans to the same Application.

  1. Deploy or update the BIG-IP Controller Application with the following settings:

    Warning

    It’s important to use the proper CIDR format when allocating IP addresses or networks for the tier2_ip_range config parameter (for example, 172.0.0.0/24 for IPv4). Failure to use the proper format may result in errors when the BIG-IP Controller configures BIG-IP objects.

    When allocating networks, the network prefixes must align with CIDR block boundaries. For example:

    • 10.105.175.245/30 causes failures because it doesn’t reference an address at the CIDR boundary.
    • 10.105.175.244/30, which correctly references an address at the CIDR boundary, succeeds.

    See Overview of the Standard Virtual Server on AskF5 for more information.

    Tip

    You can also Apply BIG-IP policies and profiles and/or Add BIG-IP Health Monitors in the Service Plan.

    Example App Manifest for cf-bigip-ctlr Service Broker
    applications:
      - name: cf-bigip-ctlr
        health-check-type: http
        health-check-http-endpoint: /health
        env:
          # Provide the desired BIG-IP configurations including partition, load
          # balancing algorithm, and Self IP address to assign to the virtual server
          # THE SETTINGS IN THIS SECTION ARE GLOBAL
          # Set "broker_mode" to "true" to run the BIG-IP Controller as a
          # Service Broker
          BIGIP_CTLR_CFG: |
                          bigip:
                            url: https://bigip.example.com
                            user: myBigipUsername
                            pass: myBigipPassword
                            partition:
                              - cf
                            balance: least-connections-node
                            verify_interval: 30
                            external_addr: 10.100.100.101
                            # Required if running the Controller in broker mode;
                            # must be in CIDR format and aligned to the CIDR boundary
                            tier2_ip_range: 172.0.0.0/24
                            ssl_profiles:
                              - /Common/my-ssl-policy
                            policies:
                              - /Common/example-ltm-policy
                            profiles:
                              - /Common/example-profile
                            health_monitors:
                              - /Common/tcp_half_open
    
                          # Required to run the BIG-IP Controller as a Service
                          # Broker (introduced in v1.1.0)
                          broker_mode: true
    
                          logging:
                            level: info
    
                          route_mode: all
    
                          # Required for HTTP routing
                          nats:
                            - host: 192.168.10.1
                              port: 4222
                              user: myNatsUser
                              pass: myNatsPassword
    
                          # Required for TCP routing
                          oauth:
                            token_endpoint: uaa.system.cf.local
                            client_name: uaa-client
                            client_secret: uaa-secret
                            port: 443
                            # true disables TLS certificate validation for the
                            # UAA token endpoint
                            skip_ssl_validation: true
                            ca-certs:
    
                          routing_api:
                            uri: http://api.system.cf.local
                            port: 80
                            auth_disabled: false
    
                          # User account for authentication to the Service Broker API
                          status:
                            user: user
                            pass: pass
    
          # Include the section below to use the cf-bigip-ctlr as a Service Broker
          # THE SETTINGS IN THIS SECTION ARE ROUTE-SPECIFIC
          # See http://clouddocs.f5.com/containers/latest/cloudfoundry/cf-per-route-virtuals.html for more information
          SERVICE_BROKER_CONFIG: |
                                 {
                                   "plans": [
                                     {
                                       "description": "plan for sb test example",
                                       "name": "sbtest",
                                       "virtualServer": {
                                         "policies": [
                                           "/Common/PreventSpoofOfXFF"
                                         ],
                                         "profiles": [
                                           "/Common/x-forwarded-for"
                                         ],
                                         "sslProfiles": [
                                           "/Common/server-ssl"
                                         ]
                                       },
                                       "pool": {
                                         "balance": "ratio-member",
                                         "healthMonitors": [
                                           {
                                             "name": "/Common/my-healthMonitor"
                                           },
                                           {
                                             "name": "hm-test",
                                             "type": "http",
                                             "interval": 5,
                                             "timeout": 12,
                                             "send": "hello"
                                           }
                                         ]
                                       }
                                     }
                                   ]
                                 }
    

    Download the example manifest

  2. To add a Service Plan for a Controller that’s already registered as a Service Broker:

    • Edit the cf-bigip-ctlr Application Manifest.
    • Add the desired Service Plan.
    • Restart the App to make the new settings take effect.
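
The CIDR-boundary rule for tier2_ip_range from step 1, as a pre-push check. This is an added example, not F5's code; the function names and the line-scan of the BIGIP_CTLR_CFG text are assumptions made for illustration.

```python
import ipaddress
import re

def check_tier2_ip_range(value):
    """Return (ok, detail) for a tier2_ip_range value."""
    if "/" not in value:
        # A bare address or a netmask such as 255.255.255.0 is not CIDR notation.
        return False, "missing /prefix: use CIDR notation, e.g. 172.0.0.0/24"
    try:
        net = ipaddress.ip_network(value, strict=True)
    except ValueError:
        try:
            # strict=False masks off the host bits, giving the enclosing block.
            aligned = ipaddress.ip_network(value, strict=False)
        except ValueError as exc:
            return False, f"not a valid network: {exc}"
        return False, f"host bits set; aligned block is {aligned}"
    return True, str(net)

def lint_ctlr_cfg(cfg_text):
    """Scan BIGIP_CTLR_CFG text and list problems with the broker-mode settings."""
    problems = []
    broker = re.search(r"^\s*broker_mode:\s*true\s*$", cfg_text, re.M)
    match = re.search(r"^\s*tier2_ip_range:\s*(\S+)", cfg_text, re.M)
    if broker and not match:
        problems.append("broker_mode is true but tier2_ip_range is not set")
    if match:
        ok, detail = check_tier2_ip_range(match.group(1))
        if not ok:
            problems.append(f"tier2_ip_range {match.group(1)}: {detail}")
    return problems

# Constructed sample, shaped like the manifest's BIGIP_CTLR_CFG value and
# using the misaligned network from the warning above.
SAMPLE_CFG = """\
bigip:
  external_addr: 10.100.100.101
  tier2_ip_range: 10.105.175.245/30
broker_mode: true
"""

if __name__ == "__main__":
    for problem in lint_ctlr_cfg(SAMPLE_CFG):
        print(problem)
```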

Apply BIG-IP policies and profiles

Include any of the following BIG-IP objects in the Service Plan to attach them to the Route’s virtual server:

  • policies (BIG-IP Application Security Manager, L7 forwarding, compression, etc.),
  • profiles (tcp optimizations, x-forwarded-for, OneConnect, etc.),
  • pool settings (including health monitors and load balancing algorithm), and
  • server ssl profiles.

Warning

The BIG-IP Controller cannot create or manage policies or profiles on the BIG-IP system. All of the BIG-IP objects that you want to apply to the virtual server, with the exception of health monitors, must already exist on the BIG-IP device.

Add BIG-IP Health Monitors

You can attach an existing health monitor, create a new one, or both:

  • use any health monitor that exists in the /Common partition on the BIG-IP system
  • create a new health monitor in the partition the BIG-IP Controller manages (in this case, “cf”)

Example health monitor configuration for cf-bigip-ctlr Service Broker
      # See http://clouddocs.f5.com/containers/latest/cloudfoundry/cf-per-route-virtuals.html for more information
      SERVICE_BROKER_CONFIG: |
                             {
                               "plans": [
                                 {
                                   "description": "plan for sb test example",
                                   "name": "sbtest",
                                   "virtualServer": {
                                     "policies": [
                                       "/Common/PreventSpoofOfXFF"
                                     ],
                                     "profiles": [
                                       "/Common/x-forwarded-for"
                                     ],
                                     "sslProfiles": [
                                       "/Common/server-ssl"
                                     ]
                                   },
                                   "pool": {
                                     "balance": "ratio-member",
                                     "healthMonitors": [
                                       {
                                         "name": "/Common/my-healthMonitor"
                                       },
                                       {
                                         "name": "hm-test",
                                         "type": "http",
                                         "interval": 5,
                                         "timeout": 12,
                                         "send": "hello"
                                       }
                                     ]
                                   }
                                 }
                               ]
                             }

Download the example manifest
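
The two preceding sections split a plan's objects into those that must already exist on the BIG-IP device and health monitors the Controller creates. The added example below (not F5's code) lists both groups for a named plan so you can confirm the prerequisites before restarting the App. The function name is hypothetical, and treating a monitor whose name starts with /Common/ as a reference to an existing object is an assumption drawn from the example plan.

```python
import json

# The "sbtest" plan from the example manifest on this page, compacted.
SAMPLE_BROKER_CONFIG = """
{"plans": [{"name": "sbtest", "description": "plan for sb test example",
  "virtualServer": {"policies": ["/Common/PreventSpoofOfXFF"],
                    "profiles": ["/Common/x-forwarded-for"],
                    "sslProfiles": ["/Common/server-ssl"]},
  "pool": {"balance": "ratio-member", "healthMonitors": [
    {"name": "/Common/my-healthMonitor"},
    {"name": "hm-test", "type": "http", "interval": 5, "timeout": 12,
     "send": "hello"}]}}]}
"""

def plan_prerequisites(broker_config_json, plan_name):
    """Split a plan's BIG-IP objects into (must_exist, created_by_controller)."""
    plans = json.loads(broker_config_json).get("plans", [])
    names = [p.get("name") for p in plans]
    dupes = sorted({n for n in names if names.count(n) > 1})
    if dupes:
        raise ValueError(f"duplicate plan names: {dupes}")
    if plan_name not in names:
        # The name passed to `cf create-service` must match a defined plan.
        raise ValueError(f"plan {plan_name!r} not defined; available: {names}")
    plan = plans[names.index(plan_name)]

    # Policies and profiles are never created by the Controller.
    virtual_server = plan.get("virtualServer", {})
    must_exist = []
    for key in ("policies", "profiles", "sslProfiles"):
        must_exist.extend(virtual_server.get(key, []))

    created = []
    for monitor in plan.get("pool", {}).get("healthMonitors", []):
        # Assumption: a /Common/ path references an existing monitor;
        # any other name is a new monitor in the managed partition.
        if monitor["name"].startswith("/Common/"):
            must_exist.append(monitor["name"])
        else:
            created.append(monitor["name"])
    return must_exist, created

if __name__ == "__main__":
    must_exist, created = plan_prerequisites(SAMPLE_BROKER_CONFIG, "sbtest")
    print("must already exist on the BIG-IP:", must_exist)
    print("created by the Controller:", created)
```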

Push the BIG-IP Controller app to Cloud Foundry

Deploy the cf-bigip-ctlr App using the cf push command.

Be sure to use the -o flag to specify the Docker image and version you want to use.

cf push cf-bigip-ctlr -o f5networks/cf-bigip-ctlr:1.1.0 -f manifest.yaml

Register the BIG-IP Controller as a Service Broker

Attention

The tasks in this section require a Cloud Foundry user account with administrator permissions.

  1. Map a Route for the BIG-IP Controller.

    Hint

    Mapping a new Route creates a unique endpoint to use for calls to the Service Broker. This allows you to differentiate between calls to the Controller (such as Cloud Foundry health checks) and calls to the Service Broker API.

    cf map-route cf-bigip-ctlr example.com --hostname sbtest
    
  2. Register the Controller as a Service Broker.

    Follow the instructions provided in Register a Broker as appropriate for your environment. You’ll need to provide the following information:

    • a name for the Service Broker;
    • the username and password provided in the bigip.status section of the Application Manifest (lets the Cloud Controller authenticate to the BIG-IP Controller Service Broker API);
    • the Route created in the previous step.

    cf create-service-broker cfbigip-sb someUser somePass https://sbtest.example.com
    
  3. Enable Service Access for the f5servicebroker Service.

    cf enable-service-access f5servicebroker
    
  4. Create a Service instance for your users.

    Tip

    The plan name you provide here – “sbtest” in the example below – must match the name of a plan defined in your cf-bigip-ctlr Application Manifest.

    cf create-service f5servicebroker sbtest myAppSbTest
    
  5. Verify availability of the Service in the Cloud Foundry Marketplace.

    cf marketplace -s f5servicebroker
    

Bind the f5servicebroker Service to a Route

Once an administrator has completed the section above, developers can use the f5servicebroker Service for their Apps. To do so, bind the f5servicebroker Service to the App’s Route.

Important

Cloud Foundry supports one Route Service Binding per Route.

cf bind-route-service example.com myAppSbTest --hostname myApp

When you bind a Route to the Service, the BIG-IP Controller creates a virtual server, pool(s), and pool member(s) on the BIG-IP device with the requested policy(ies) and profile(s) attached.

Edit or Remove BIG-IP Objects for Cloud Foundry Routes

Note

  • If you remove all bound Routes before you delete the associated Service Plan, the Controller cleans up the BIG-IP objects and removes the Plan from the data group before restarting.
  • If you remove a Plan without unbinding the associated Routes, the Controller logs will show a diff of the data group vs any incoming Plans. It will remove all BIG-IP objects associated with the deleted plan. If you try to unbind a Route after removing its associated Plan, the Controller takes no action on the BIG-IP.
  • Altering Plans that are already in effect may cause interruptions in traffic, depending on what settings have changed.

Edit or Remove a Service Plan

When you remove a Service Plan from the Application Manifest, the Controller removes all of the BIG-IP objects associated with the Plan. This is the case regardless of whether any Routes are still bound to the Service when you delete the plan.

  1. To edit or remove a Service Plan for a Controller that’s already registered as a Service Broker:
    • Edit the Application Manifest to edit or remove the desired Service Plan.
    • Restart the App to make the new settings take effect.

Stop using the f5servicebroker Service

If you no longer want to use the F5 Service Broker for an App, unbind the Service from the Route.

cf unbind-route-service example.com myAppSbTest --hostname myApp