Migration from Application Services iApp AS2 to AS3

The purpose of this page is to provide guide migrating from the Application Services iApp AS2 using iWorkflow service catalog to Application Services 3 Extension (referred to as AS3 extension or more often simply AS3). This migration will focus on the following feature collections commonly used with iWorkflow 2.3.0 service catalog and Application Services iApp AS2.

  • f5-https-offload_v2.0.004
  • f5-http-lb_v2.0.004
  • f5-fastl4-tcp-lb_v2.0.004
  • f5-fastl4-udp-lb_v2.0.004
  • f5-fasthttp-lb_v2.0.004
  • f5-http-url-routing-lb_v2.0.004 - Work in progress
  • f5-https-waf-lb_v2.0.004

Getting Started

The Application Services 3 Extension uses a declarative model that is different than Application Services iApp AS2. To get started with AS3, see About AS3.

AS3 simplifies migrating from the Application Services iApp AS2 due to the JSON schema and declaration the use of ADC defaults. An AS3 declaration doesn’t require index columns used by certain APL Tables in Application Services iApp AS2. Also AS3 does not require advanced options or create string syntax. Additionally, AS3 doesn’t need certain fields to expose functionality specific entry for the field/table/column in question in the Presentation Layer Reference.

f5-https-offload_v2.0.004

A migration AS3 declaration for following feature collection f5-https-offload_v2.0.004 could look like:

{
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "f5-https-offload_v2.0.004",
    "label": "Sample 1",
    "remark": "f5-https-offload",
    "Sample_01": {
        "class": "Tenant",
        "A1": {
            "class": "Application",
            "template": "https",
            "serviceMain": {
                "class": "Service_HTTPS",
                "virtualAddresses": [
                    "192.168.100.61"
                ],
                "pool": "web_pool",
                "serverTLS": "webtls"
            },
                "web_pool": {
                "class": "Pool",
                "monitors": [
                    "http"
                ],
                "members": [
                    {
                        "servicePort": 8080,
                        "serverAddresses": [
                            "10.128.0.214",
                            "10.128.0.215",
                            "10.128.0.216",
                            "10.128.0.217",
                            "10.128.0.218"
                        ]
                    }
                ]
            },
            "webtls": {
                "class": "TLS_Server",
                "certificates": [
                    {
                        "certificate": "webcert"
                    }
                ]
            },
            "webcert": {
                "class": "Certificate",
                "certificate": "-----BEGIN CERTIFICATE-----\nMIICnDCCAgWgAwIBAgIJAJ5n2b0OCEjwMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRQwEgYDVQQKDAtmNV9OZXR3b3JrczEbMBkGA1UEAwwSc2FtcGxlLmV4YW1wbGUubmV0MB4XDTE3MTEyNjE5NTAyNFoXDTE4MDIyNTE5NTAyNFowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFDASBgNVBAoMC2Y1X05ldHdvcmtzMRswGQYDVQQDDBJzYW1wbGUuZXhhbXBsZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALEsuXmSXVQpYjrZPW+WiTBjn491mwZYT7Q92V1HlSBtM6WdWlK1aZN5sovfKtOX7Yrm8xa+e4o/zJ2QYLyyv5O+t2EGN/4qUEjEAPY9mwJdfzRQy6Hyzm84J0QkTuUJ/EjNuPji3D0QJRALUTzu1UqqDCEtiN9OGyXEkh7uvb7BAgMBAAGjUDBOMB0GA1UdDgQWBBSVHPNrGWrjWyZvckQxFYWO59FRFjAfBgNVHSMEGDAWgBSVHPNrGWrjWyZvckQxFYWO59FRFjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAJeJ9SEckEwPhkXOm+IuqfbUS/RcziifBCTmVyE+Fa/j9pKSYTgiEBNdbJeBEa+gPMlQtbV7Y2dy8TKx/8axVBHiXC5geDML7caxOrAyHYBpnx690xJTh5OIORBBM/a/NvaR+P3CoVebr/NPRh9oRNxnntnqvqD7SW0U3ZPe3tJc\n-----END CERTIFICATE-----",
                "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,D8FFCE6B255601587CB54EC29B737D31\n\nkv4Fc3Jn0Ujkj0yRjt+gQQfBLSNF2aRLUENXnlr7Xpzqu0Ahr3jS1bAAnd8IWnsR\nyILqVmKsYF2DoHh0tWiEAQ7/y/fe5DTFhK7N4Wml6kp2yVMkP6KC4ssyYPw27kjK\nDBwBZ5O8Ioej08A5sgsLCmglbmtSPHJUn14pQnMTmLOpEtOsu6S+2ibPgSNpdg0b\nCAJNG/KHe+Vkx59qNDyDeKb7FZOlsX30+y67zUq9GQqJEDuysPJ2BUNP0IJXAjst\nFIt1qNoZew+5KDYs7u/lPxcMGTirUhgI84Jy4WcDvSOsP/tKlxj04TbIE3epmSKy\n+TihHkwY7ngIGtcm3Sfqk5jz2RXoj1/Ac3SW8kVTYaOUogBhn7zAq4Wju6Et4hQG\nRGapsJp1aCeZ/a4RCDTxspcKoMaRa97/URQb0hBRGx3DGUhzpmX9zl7JI2Xa5D3R\nmdBXtjLKYJTdIMdd27prBEKhMUpae2rz5Mw4J907wZeBq/wu+zp8LAnecfTe2nGY\nE32x1U7gSEdYOGqnwxsOexb1jKgCa67Nw9TmcMPV8zmH7R9qdvgxAbAtwBl1F9OS\nfcGaC7epf1AjJLtaX7krWmzgASHl28Ynh9lmGMdv+5QYMZvKG0LOg/n3m8uJ6sKy\nIzzvaJswwn0j5P5+czyoV5CvvdCfKnNb+3jUEN8I0PPwjBGKr4B1ojwhogTM248V\nHR69D6TxFVMfGpyJhCPkbGEGbpEpcffpgKuC/mEtMqyDQXJNaV5HO6HgAJ9F1P6v\n5ehHHTMRvzCCFiwndHdlMXUjqSNjww6me6dr6LiAPbejdzhL2vWx1YqebOcwQx3G\n-----END RSA PRIVATE KEY-----",
                "passphrase": {
                    "ciphertext": "ZjVmNQ==",
                    "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
                }
            }
        }
    }
}

f5-http-lb_v2.0.004

A migration AS3 declaration for following feature collection f5-http-lb_v2.0.004 could look like:

{
    "class": "AS3",
    "action": "deploy",
    "persist": true,
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.0.0",
        "id": "f5-http-lb_v2.0.004",
        "label": "Sample 2",
        "remark": "f5-http-lb",
        "Sample_02": {
            "class": "Tenant",
            "A1": {
                "class": "Application",
                "template": "http",
                "serviceMain": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                    "192.168.100.62"
                ],
                "pool": "web_pool"
                },
                "web_pool": {
                    "class": "Pool",
                    "monitors": [
                        "http"
                    ],
                    "members": [
                            {
                            "servicePort": 8080,
                            "serverAddresses": [
                                "10.128.0.209",
                                "10.128.0.210",
                                "10.128.0.211",
                                "10.128.0.212",
                                "10.128.0.213"
                            ]
                            }
                    ]
                }
            }
        }
    }
}

f5-fastl4-tcp-lb_v2.0.004

A migration AS3 declaration for following feature collection f5-fastl4-tcp-lb_v2.0.004 could look like:

{
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "f5-fastl4-tcp-lb_v2.0.004",
    "label": "Sample 3",
    "remark": "f5-fastl4-tcp-lb",
    "Sample_03": {
        "class": "Tenant",
        "A1": {
            "class": "Application",
            "template": "l4",
            "serviceMain": {
                "class": "Service_L4",
                "virtualAddresses": [
                    "192.168.100.62"
                ],
                "profileL4": "basic",
                "virtualPort": 81,
                "pool": "svc_pool"
            },
            "svc_pool": {
                "class": "Pool",
                "monitors": [
                    {
                        "use": "tcp_monitor"
                    }
                ],
                "members": [
                    {
                        "servicePort": 8080,
                        "serverAddresses": [
                                "10.128.0.209",
                            "10.128.0.210",
                            "10.128.0.211",
                            "10.128.0.212",
                            "10.128.0.213"
                        ]
                    }
                ]
            },
            "tcp_monitor": {
                "class": "Monitor",
                "monitorType": "tcp",
                "targetPort": 8080,
                "send": "",
                "receive": ""
            }
        }
    }
}

f5-fastl4-udp-lb_v2.0.004

A migration AS3 declaration for following feature collection f5-fastl4-udp-lb_v2.0.004 could look like:

{
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "f5-fastl4-udp-lb_v2.0.004",
    "label": "Sample 4",
    "remark": "f5-fastl4-udp-lb",
    "Sample_04": {
        "class": "Tenant",
        "A1": {
            "class": "Application",
            "template": "l4",
            "serviceMain": {
                "class": "Service_L4",
                "layer4":"udp",
                "virtualAddresses": [
                    "192.168.100.63"
                ],
                "profileL4": "basic",
                "virtualPort": 53,
                "pool": "svc_pool"
            },
            "svc_pool": {
                "class": "Pool",
                "monitors": [
                    {
                        "use": "udp_monitor"
                    }
                ],
                "members": [
                    {
                        "servicePort": 53,
                        "serverAddresses": [
                                "10.128.0.209",
                            "10.128.0.210",
                            "10.128.0.211",
                            "10.128.0.212",
                        "10.128.0.213"
                        ]
                    }
                ]
            },
            "udp_monitor": {
                "class": "Monitor",
                "monitorType": "udp",
                "targetPort": 53,
                "send": "",
                "receive": ""
            }
        }
    }
}

f5-fasthttp-lb_v2.0.004

AS3 doesn’t currently have support for Performance (HTTP) and Protocol Profile (Client) FastHTTP.

f5-https-waf-lb_v2.0.004

When using AS3 to reference a security policy the policy must already exist on the BIG-IP. A migration AS3 declaration for following feature collection f5-https-waf-lb_v2.0.004 could look like:

{
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "f5-https-waf-lb_v2.0.004",
    "label": "Sample 6",
    "remark": "f5-https-waf-lb",
    "updateMode": "selective",
    "Sample_06": {
        "class": "Tenant",
        "A1": {
            "class": "Application",
            "template": "https",
            "serviceMain": {
                "class": "Service_HTTPS",
                "virtualAddresses": [
                    "192.168.100.66"
                ],
                "pool": "web_pool",
                "serverTLS": "webtls",
                "policyWAF": {
                        "bigip": "/Common/linux-high"
                                }
            },
            "web_pool": {
                "class": "Pool",
                "loadBalancingMode": "predictive-node",
                "monitors": [
                    "http"
                ],
                "members": [
                    {
                        "servicePort": 8080,
                        "serverAddresses": [
                            "10.128.0.209",
                             "10.128.0.210",
                             "10.128.0.211",
                             "10.128.0.212",
                             "10.128.0.213"
                        ]
                    }
                ]
            },
            "webtls": {
                "class": "TLS_Server",
                "certificates": [
                    {
                        "certificate": "webcert"
                    }
                ]
            },
            "webcert": {
                "class": "Certificate",
                "certificate": "-----BEGIN CERTIFICATE-----\nMIICnDCCAgWgAwIBAgIJAJ5n2b0OCEjwMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRQwEgYDVQQKDAtmNV9OZXR3b3JrczEbMBkGA1UEAwwSc2FtcGxlLmV4YW1wbGUubmV0MB4XDTE3MTEyNjE5NTAyNFoXDTE4MDIyNTE5NTAyNFowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFDASBgNVBAoMC2Y1X05ldHdvcmtzMRswGQYDVQQDDBJzYW1wbGUuZXhhbXBsZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALEsuXmSXVQpYjrZPW+WiTBjn491mwZYT7Q92V1HlSBtM6WdWlK1aZN5sovfKtOX7Yrm8xa+e4o/zJ2QYLyyv5O+t2EGN/4qUEjEAPY9mwJdfzRQy6Hyzm84J0QkTuUJ/EjNuPji3D0QJRALUTzu1UqqDCEtiN9OGyXEkh7uvb7BAgMBAAGjUDBOMB0GA1UdDgQWBBSVHPNrGWrjWyZvckQxFYWO59FRFjAfBgNVHSMEGDAWgBSVHPNrGWrjWyZvckQxFYWO59FRFjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAJeJ9SEckEwPhkXOm+IuqfbUS/RcziifBCTmVyE+Fa/j9pKSYTgiEBNdbJeBEa+gPMlQtbV7Y2dy8TKx/8axVBHiXC5geDML7caxOrAyHYBpnx690xJTh5OIORBBM/a/NvaR+P3CoVebr/NPRh9oRNxnntnqvqD7SW0U3ZPe3tJc\n-----END CERTIFICATE-----",
                "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,D8FFCE6B255601587CB54EC29B737D31\n\nkv4Fc3Jn0Ujkj0yRjt+gQQfBLSNF2aRLUENXnlr7Xpzqu0Ahr3jS1bAAnd8IWnsR\nyILqVmKsYF2DoHh0tWiEAQ7/y/fe5DTFhK7N4Wml6kp2yVMkP6KC4ssyYPw27kjK\nDBwBZ5O8Ioej08A5sgsLCmglbmtSPHJUn14pQnMTmLOpEtOsu6S+2ibPgSNpdg0b\nCAJNG/KHe+Vkx59qNDyDeKb7FZOlsX30+y67zUq9GQqJEDuysPJ2BUNP0IJXAjst\nFIt1qNoZew+5KDYs7u/lPxcMGTirUhgI84Jy4WcDvSOsP/tKlxj04TbIE3epmSKy\n+TihHkwY7ngIGtcm3Sfqk5jz2RXoj1/Ac3SW8kVTYaOUogBhn7zAq4Wju6Et4hQG\nRGapsJp1aCeZ/a4RCDTxspcKoMaRa97/URQb0hBRGx3DGUhzpmX9zl7JI2Xa5D3R\nmdBXtjLKYJTdIMdd27prBEKhMUpae2rz5Mw4J907wZeBq/wu+zp8LAnecfTe2nGY\nE32x1U7gSEdYOGqnwxsOexb1jKgCa67Nw9TmcMPV8zmH7R9qdvgxAbAtwBl1F9OS\nfcGaC7epf1AjJLtaX7krWmzgASHl28Ynh9lmGMdv+5QYMZvKG0LOg/n3m8uJ6sKy\nIzzvaJswwn0j5P5+czyoV5CvvdCfKnNb+3jUEN8I0PPwjBGKr4B1ojwhogTM248V\nHR69D6TxFVMfGpyJhCPkbGEGbpEpcffpgKuC/mEtMqyDQXJNaV5HO6HgAJ9F1P6v\n5ehHHTMRvzCCFiwndHdlMXUjqSNjww6me6dr6LiAPbejdzhL2vWx1YqebOcwQx3G\n-----END RSA PRIVATE KEY-----",
                "passphrase": {
                    "ciphertext": "ZjVmNQ==",
                    "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
                }
            }
        }
    }
}

Example migration from AS 2.0 to AS 3.0

This sections provides an example migration, and also covers some features that you cannot migrate using AS 3.0 (things that are not in AS 3.0, but you can workaround outside of AS 3.0):

  • Ability to disable arp/icmp on a virtual-address

Example features that AS 2.0 uses that you can leverage in AS 3.0:

  • Tier-1
    • http/https virtual server
    • attach custom Local Traffic Policy
    • attach custom iRule
    • attach custom tcp profile
    • attach custom http profile (xff headers)
    • enable snat automap
  • Tier-2
    • http/https virtual server
    • attach custom Local Traffic Policy
    • attach custom iRule
    • attach custom tcp profile
    • attach custom http profile (xff headers)
    • enable snat automap
    • attach custom http compression profile
    • attach custom web acceleration profile
  • fastl4
    • create custom fastl4 profile
    • disable destination address/port translation (DSR)