Migration from Application Services iApp AS2 to AS3

The purpose of this page is to provide guide migrating from the Application Services iApp AS2 using iWorkflow service catalog to Application Services 3 Extension (referred to as AS3 extension or more often simply AS3). This migration will focus on the the following feature collections commonly used with iWorkflow 2.3.0 service catalog and Application Services iApp AS2.

  • f5-https-offload_v2.0.004
  • f5-http-lb_v2.0.004
  • f5-fastl4-tcp-lb_v2.0.004
  • f5-fastl4-udp-lb_v2.0.004
  • f5-fasthttp-lb_v2.0.004
  • f5-http-url-routing-lb_v2.0.004 - Work in progress
  • f5-https-waf-lb_v2.0.004

Getting Started

The Application Services 3 Extension uses a declarative model that is different than Application Services iApp AS2. To get started with AS3, see About AS3.

Migrating from Application Services iApp AS2 should be simplified by AS3 due to the JSON schema and declaration the use of ADC defaults. An AS3 declaration doesn’t require index columns used by various APL Tables in Application Services iApp AS2. Also no advanced options and create string syntax is required. AS3 also doesn’t need various fields to expose functionality specific entry for the field/table/column in question in the Presentation Layer Reference.

f5-https-offload_v2.0.004

A migration AS3 declaration for following feature collection f5-https-offload_v2.0.004 could look like:

{
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "f5-https-offload_v2.0.004",
    "label": "Sample 1",
    "remark": "f5-https-offload",
    "Sample_01": {
        "class": "Tenant",
        "A1": {
            "class": "Application",
            "template": "https",
            "serviceMain": {
                "class": "Service_HTTPS",
                "virtualAddresses": [
                    "192.168.100.61"
                ],
                "pool": "web_pool",
                "serverTLS": "webtls"
            },
                "web_pool": {
                "class": "Pool",
                "monitors": [
                    "http"
                ],
                "members": [
                    {
                        "servicePort": 8080,
                        "serverAddresses": [
                            "10.128.0.214",
                            "10.128.0.215",
                            "10.128.0.216",
                            "10.128.0.217",
                            "10.128.0.218"
                        ]
                    }
                ]
            },
            "webtls": {
                "class": "TLS_Server",
                "certificates": [
                    {
                        "certificate": "webcert"
                    }
                ]
            },
            "webcert": {
                "class": "Certificate",
                "certificate": "-----BEGIN CERTIFICATE-----\nMIICnDCCAgWgAwIBAgIJAJ5n2b0OCEjwMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRQwEgYDVQQKDAtmNV9OZXR3b3JrczEbMBkGA1UEAwwSc2FtcGxlLmV4YW1wbGUubmV0MB4XDTE3MTEyNjE5NTAyNFoXDTE4MDIyNTE5NTAyNFowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFDASBgNVBAoMC2Y1X05ldHdvcmtzMRswGQYDVQQDDBJzYW1wbGUuZXhhbXBsZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALEsuXmSXVQpYjrZPW+WiTBjn491mwZYT7Q92V1HlSBtM6WdWlK1aZN5sovfKtOX7Yrm8xa+e4o/zJ2QYLyyv5O+t2EGN/4qUEjEAPY9mwJdfzRQy6Hyzm84J0QkTuUJ/EjNuPji3D0QJRALUTzu1UqqDCEtiN9OGyXEkh7uvb7BAgMBAAGjUDBOMB0GA1UdDgQWBBSVHPNrGWrjWyZvckQxFYWO59FRFjAfBgNVHSMEGDAWgBSVHPNrGWrjWyZvckQxFYWO59FRFjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAJeJ9SEckEwPhkXOm+IuqfbUS/RcziifBCTmVyE+Fa/j9pKSYTgiEBNdbJeBEa+gPMlQtbV7Y2dy8TKx/8axVBHiXC5geDML7caxOrAyHYBpnx690xJTh5OIORBBM/a/NvaR+P3CoVebr/NPRh9oRNxnntnqvqD7SW0U3ZPe3tJc\n-----END CERTIFICATE-----",
                "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,D8FFCE6B255601587CB54EC29B737D31\n\nkv4Fc3Jn0Ujkj0yRjt+gQQfBLSNF2aRLUENXnlr7Xpzqu0Ahr3jS1bAAnd8IWnsR\nyILqVmKsYF2DoHh0tWiEAQ7/y/fe5DTFhK7N4Wml6kp2yVMkP6KC4ssyYPw27kjK\nDBwBZ5O8Ioej08A5sgsLCmglbmtSPHJUn14pQnMTmLOpEtOsu6S+2ibPgSNpdg0b\nCAJNG/KHe+Vkx59qNDyDeKb7FZOlsX30+y67zUq9GQqJEDuysPJ2BUNP0IJXAjst\nFIt1qNoZew+5KDYs7u/lPxcMGTirUhgI84Jy4WcDvSOsP/tKlxj04TbIE3epmSKy\n+TihHkwY7ngIGtcm3Sfqk5jz2RXoj1/Ac3SW8kVTYaOUogBhn7zAq4Wju6Et4hQG\nRGapsJp1aCeZ/a4RCDTxspcKoMaRa97/URQb0hBRGx3DGUhzpmX9zl7JI2Xa5D3R\nmdBXtjLKYJTdIMdd27prBEKhMUpae2rz5Mw4J907wZeBq/wu+zp8LAnecfTe2nGY\nE32x1U7gSEdYOGqnwxsOexb1jKgCa67Nw9TmcMPV8zmH7R9qdvgxAbAtwBl1F9OS\nfcGaC7epf1AjJLtaX7krWmzgASHl28Ynh9lmGMdv+5QYMZvKG0LOg/n3m8uJ6sKy\nIzzvaJswwn0j5P5+czyoV5CvvdCfKnNb+3jUEN8I0PPwjBGKr4B1ojwhogTM248V\nHR69D6TxFVMfGpyJhCPkbGEGbpEpcffpgKuC/mEtMqyDQXJNaV5HO6HgAJ9F1P6v\n5ehHHTMRvzCCFiwndHdlMXUjqSNjww6me6dr6LiAPbejdzhL2vWx1YqebOcwQx3G\n-----END RSA PRIVATE KEY-----",
                "passphrase": {
                    "ciphertext": "ZjVmNQ==",
                    "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
                }
            }
        }
    }
}

f5-http-lb_v2.0.004

A migration AS3 declaration for following feature collection f5-http-lb_v2.0.004 could look like:

{
    "class": "AS3",
    "action": "deploy",
    "persist": true,
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.0.0",
        "id": "f5-http-lb_v2.0.004",
        "label": "Sample 2",
        "remark": "f5-http-lb",
        "Sample_02": {
            "class": "Tenant",
            "A1": {
                "class": "Application",
                "template": "http",
                "serviceMain": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                    "192.168.100.62"
                ],
                "pool": "web_pool"
                },
                "web_pool": {
                    "class": "Pool",
                    "monitors": [
                        "http"
                    ],
                    "members": [
                            {
                            "servicePort": 8080,
                            "serverAddresses": [
                                "10.128.0.209",
                                "10.128.0.210",
                                "10.128.0.211",
                                "10.128.0.212",
                                "10.128.0.213"
                            ]
                            }
                    ]
                }
            }
        }
    }
}

f5-fastl4-tcp-lb_v2.0.004

A migration AS3 declaration for following feature collection f5-fastl4-tcp-lb_v2.0.004 could look like:

{
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "f5-fastl4-tcp-lb_v2.0.004",
    "label": "Sample 3",
    "remark": "f5-fastl4-tcp-lb",
    "Sample_03": {
        "class": "Tenant",
        "A1": {
            "class": "Application",
            "template": "l4",
            "serviceMain": {
                "class": "Service_L4",
                "virtualAddresses": [
                    "192.168.100.62"
                ],
                "profileL4": "basic",
                "virtualPort": 81,
                "pool": "svc_pool"
            },
            "svc_pool": {
                "class": "Pool",
                "monitors": [
                    {
                        "use": "tcp_monitor"
                    }
                ],
                "members": [
                    {
                        "servicePort": 8080,
                        "serverAddresses": [
                                "10.128.0.209",
                            "10.128.0.210",
                            "10.128.0.211",
                            "10.128.0.212",
                            "10.128.0.213"
                        ]
                    }
                ]
            },
            "tcp_monitor": {
                "class": "Monitor",
                "monitorType": "tcp",
                "targetPort": 8080,
                "send": "",
                "receive": ""
            }
        }
    }
}

f5-fastl4-udp-lb_v2.0.004

A migration AS3 declaration for following feature collection f5-fastl4-udp-lb_v2.0.004 could look like:

{
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "f5-fastl4-udp-lb_v2.0.004",
    "label": "Sample 4",
    "remark": "f5-fastl4-udp-lb",
    "Sample_04": {
        "class": "Tenant",
        "A1": {
            "class": "Application",
            "template": "l4",
            "serviceMain": {
                "class": "Service_L4",
                "layer4":"udp",
                "virtualAddresses": [
                    "192.168.100.63"
                ],
                "profileL4": "basic",
                "virtualPort": 53,
                "pool": "svc_pool"
            },
            "svc_pool": {
                "class": "Pool",
                "monitors": [
                    {
                        "use": "udp_monitor"
                    }
                ],
                "members": [
                    {
                        "servicePort": 53,
                        "serverAddresses": [
                                "10.128.0.209",
                            "10.128.0.210",
                            "10.128.0.211",
                            "10.128.0.212",
                        "10.128.0.213"
                        ]
                    }
                ]
            },
            "udp_monitor": {
                "class": "Monitor",
                "monitorType": "udp",
                "targetPort": 53,
                "send": "",
                "receive": ""
            }
        }
    }
}

f5-fasthttp-lb_v2.0.004

AS3 doesn’t currently have support for Performance (HTTP) and Protocol Profile (Client) FastHTTP.

f5-https-waf-lb_v2.0.004

When using AS3 to reference a security policy the policy must already exist on the BIG-IP. A migration AS3 declaration for following feature collection f5-https-waf-lb_v2.0.004 could look like:

{
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "f5-https-waf-lb_v2.0.004",
    "label": "Sample 6",
    "remark": "f5-https-waf-lb",
    "updateMode": "selective",
    "Sample_06": {
        "class": "Tenant",
        "A1": {
            "class": "Application",
            "template": "https",
            "serviceMain": {
                "class": "Service_HTTPS",
                "virtualAddresses": [
                    "192.168.100.66"
                ],
                "pool": "web_pool",
                "serverTLS": "webtls",
                "policyWAF": {
                        "bigip": "/Common/linux-high"
                                }
            },
            "web_pool": {
                "class": "Pool",
                "loadBalancingMode": "predictive-node",
                "monitors": [
                    "http"
                ],
                "members": [
                    {
                        "servicePort": 8080,
                        "serverAddresses": [
                            "10.128.0.209",
                             "10.128.0.210",
                             "10.128.0.211",
                             "10.128.0.212",
                             "10.128.0.213"
                        ]
                    }
                ]
            },
            "webtls": {
                "class": "TLS_Server",
                "certificates": [
                    {
                        "certificate": "webcert"
                    }
                ]
            },
            "webcert": {
                "class": "Certificate",
                "certificate": "-----BEGIN CERTIFICATE-----\nMIICnDCCAgWgAwIBAgIJAJ5n2b0OCEjwMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRQwEgYDVQQKDAtmNV9OZXR3b3JrczEbMBkGA1UEAwwSc2FtcGxlLmV4YW1wbGUubmV0MB4XDTE3MTEyNjE5NTAyNFoXDTE4MDIyNTE5NTAyNFowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFDASBgNVBAoMC2Y1X05ldHdvcmtzMRswGQYDVQQDDBJzYW1wbGUuZXhhbXBsZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALEsuXmSXVQpYjrZPW+WiTBjn491mwZYT7Q92V1HlSBtM6WdWlK1aZN5sovfKtOX7Yrm8xa+e4o/zJ2QYLyyv5O+t2EGN/4qUEjEAPY9mwJdfzRQy6Hyzm84J0QkTuUJ/EjNuPji3D0QJRALUTzu1UqqDCEtiN9OGyXEkh7uvb7BAgMBAAGjUDBOMB0GA1UdDgQWBBSVHPNrGWrjWyZvckQxFYWO59FRFjAfBgNVHSMEGDAWgBSVHPNrGWrjWyZvckQxFYWO59FRFjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAJeJ9SEckEwPhkXOm+IuqfbUS/RcziifBCTmVyE+Fa/j9pKSYTgiEBNdbJeBEa+gPMlQtbV7Y2dy8TKx/8axVBHiXC5geDML7caxOrAyHYBpnx690xJTh5OIORBBM/a/NvaR+P3CoVebr/NPRh9oRNxnntnqvqD7SW0U3ZPe3tJc\n-----END CERTIFICATE-----",
                "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,D8FFCE6B255601587CB54EC29B737D31\n\nkv4Fc3Jn0Ujkj0yRjt+gQQfBLSNF2aRLUENXnlr7Xpzqu0Ahr3jS1bAAnd8IWnsR\nyILqVmKsYF2DoHh0tWiEAQ7/y/fe5DTFhK7N4Wml6kp2yVMkP6KC4ssyYPw27kjK\nDBwBZ5O8Ioej08A5sgsLCmglbmtSPHJUn14pQnMTmLOpEtOsu6S+2ibPgSNpdg0b\nCAJNG/KHe+Vkx59qNDyDeKb7FZOlsX30+y67zUq9GQqJEDuysPJ2BUNP0IJXAjst\nFIt1qNoZew+5KDYs7u/lPxcMGTirUhgI84Jy4WcDvSOsP/tKlxj04TbIE3epmSKy\n+TihHkwY7ngIGtcm3Sfqk5jz2RXoj1/Ac3SW8kVTYaOUogBhn7zAq4Wju6Et4hQG\nRGapsJp1aCeZ/a4RCDTxspcKoMaRa97/URQb0hBRGx3DGUhzpmX9zl7JI2Xa5D3R\nmdBXtjLKYJTdIMdd27prBEKhMUpae2rz5Mw4J907wZeBq/wu+zp8LAnecfTe2nGY\nE32x1U7gSEdYOGqnwxsOexb1jKgCa67Nw9TmcMPV8zmH7R9qdvgxAbAtwBl1F9OS\nfcGaC7epf1AjJLtaX7krWmzgASHl28Ynh9lmGMdv+5QYMZvKG0LOg/n3m8uJ6sKy\nIzzvaJswwn0j5P5+czyoV5CvvdCfKnNb+3jUEN8I0PPwjBGKr4B1ojwhogTM248V\nHR69D6TxFVMfGpyJhCPkbGEGbpEpcffpgKuC/mEtMqyDQXJNaV5HO6HgAJ9F1P6v\n5ehHHTMRvzCCFiwndHdlMXUjqSNjww6me6dr6LiAPbejdzhL2vWx1YqebOcwQx3G\n-----END RSA PRIVATE KEY-----",
                "passphrase": {
                    "ciphertext": "ZjVmNQ==",
                    "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
                }
            }
        }
    }
}

Example migration from AS 2.0 to AS 3.0

This sections provides an example migration. Also covers some features that cannot be migrated using AS 3.0. Things that are not in AS 3.0, but they can workaround outside of AS 3.0:

  • Ability to disable arp/icmp on a virtual-address

Example features that are used in AS 2.0 that can be leverage in AS 3.0

  • Tier-1
    • http/https virtual server
    • attach custom Local Traffic Policy
    • attach custom iRule
    • attach custom tcp profile
    • attach custom http profile (xff headers)
    • enable snat automap
  • Tier-2
    • http/https virtual server
    • attach custom Local Traffic Policy
    • attach custom iRule
    • attach custom tcp profile
    • attach custom http profile (xff headers)
    • enable snat automap
    • attach custom http compression profile
    • attach custom web acceleration profile
  • fastl4
    • create custom fastl4 profile
    • disable destination address/port translation (DSR)