Onboard and deploy Application Services to a Tenant using BIG-IQ


Now you have created a tenant, you can use Declarative Onboarding (DO) with BIG-IQ to initially configure the BIG-IP with all of the required settings to get up and running.

Once the BIG-IP is ready to accept configure, use Application Services 3 Extension (AS3) to deploy Layer 4-7 Application and Security Services.


Before you can onboard the tenant and deploy application services, refer to the Chassis Partition - Tenant Lifecycle workflow.

Get Authentication Token

F5 disables basic authentication for HTTP/HTTPS requests to the BIG-IQ API by default for security enhancement. You can make HTTP/HTTPS requests to the BIG-IQ API while keeping basic authentication disabled by sending the requests to the BIG-IQ and by including a valid BIG-IQ authentication token in the X-Auth-Token header.

Whenever you perform an authenticated login to the BIG-IQ, and request a token using the Auth Token, you receive both an access token and refresh token. You can use the access token to send HTTP/HTTPS requests to BIG-IQ.

Request a new token from the BIG-IQ using an authenticated login. Using your username and password, log into the BIG-IQ.

POST: https://<cbigiq-ip>/mgmt/shared/authn/login
    "username": "admin",
    "password": "secret",
    "loginProviderName": "tmos"

The value set in the X-Auth-Token in the response Headers is the access token value to use in subsequent requests header along with the application/yang-data+json Content-Type.

  • Content-Type: application/yang-data+json
  • X-Auth-Token: {{ X-Auth-Token }}

Onboard Tenant with Declarative Onboarding

Below example will onboard the tenant and provision LTM, AVR, ASM and APM along with NTP, DNS, Self-IPs & Vlans, users & passwords, hostname. More examples and details on how to use DO _here <https://clouddocs.f5.com/products/extensions/f5-declarative-onboarding/latest/>.

Note that once the tenant is successfully onboarded, it will be added as a manage device on BIG-IQ.

POST: https://<bigiq-ip>/mgmt/shared/declarative-onboarding
    "class": "DO",
    "declaration": {
        "schemaVersion": "1.18.0",
        "class": "Device",
        "async": true,
        "Common": {
            "class": "Tenant",
            "myProvision": {
                "class": "Provision",
                "avr": "nominal",
                "ltm": "nominal",
                "asm": "nominal",
                "apm": "nominal"
            "myDns": {
                "class": "DNS",
                "nameServers": [
            "myNtp": {
                "class": "NTP",
                "servers": [
                "timezone": "UTC"
            "internal-self": {
                "class": "SelfIp",
                "address": "",
                "vlan": "vlan-444",
                "allowService": "all",
                "trafficGroup": "traffic-group-local-only"
            "external-self": {
                "class": "SelfIp",
                "address": "",
                "vlan": "vlan-555",
                "trafficGroup": "traffic-group-local-only",
                "allowService": "default"
            "myDbVariables": {
                "class": "DbVariables",
                "ui.advisory.enabled": "true",
                "ui.advisory.color": "red",
                "ui.advisory.text": "Configuration deployed with AS3. Do not make any change directly on the BIG-IP or those changes may be lost."
            "admin": {
                "class": "User",
                "userType": "regular",
                "shell": "bash",
                "partitionAccess": {
                    "all-partitions": {
                        "role": "admin"
                "password": "secret-admin"
            "root": {
                "class": "User",
                "userType": "root",
                "newPassword": "secret-root",
                "oldPassword": "secret-admin"
            "hostname": "tenant1-velos.example.com"
    "targetHost": "<chassis-tenant1-ip>",
    "targetUsername": "admin",
    "targetPassphrase": "admin",
    "bigIqSettings": {
        "failImportOnConflict": false,
        "conflictPolicy": "USE_BIGIQ",
        "deviceConflictPolicy": "USE_BIGIP",
        "versionedConflictPolicy": "KEEP_VERSION",
        "statsConfig": {
            "enabled": true,
            "zone": "default"
        "accessModuleProperties": {
            "cm:access:access-group-name": "tenant1-apm-group",
            "cm:access:import-shared": true
        "snapshotWorkingConfig": false

Deploy Layer 4-7 Application and Security Services using AS3

Below example will create a simple HTTP application service using AS3. More examples and details on how to use AS3 _here <https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/>.

POST: https://<bigiq-ip>/mgmt/shared/appsvcs/declare
    "class": "AS3",
    "action": "deploy",
    "persist": true,
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.0.0",
        "id": "urn:uuid:33045210-3ab8-4636-9b2a-c98d22ab915d",
        "label": "Sample 1",
        "remark": "Simple HTTP application with RR pool",
        "target": {
            "address": "<chassis-tenant1-ip>"
        "Sample_01": {
            "class": "Tenant",
            "A1": {
                "class": "Application",
                "service": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                "pool": "web_pool"
                "web_pool": {
                "class": "Pool",
                "monitors": [
                "members": [{
                    "servicePort": 80,
                    "serverAddresses": [