How to: Create an Application with an Inbound Application Mode Policy

Overview

An Inbound Application is the entry point mode where the client targets an address and port hosted on the BIG-IP. The primary attributes of the inbound application are an IP address and port-specific listener, pool assignment, and address and port translation (NAT and PAT). The SSL Orchestrator inbound application deployment essentially binds a policy to a typical “default” application template.

Note: When an application includes both SSL Orchestrator policy and static service chain, the dynamic service chain included in the policy is implemented before the static service chain.

Procedure

Use this procedure to deploy a new application service with an Inbound Application Mode Policy to a managed BIG-IP Next instance from the UI.

  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon next to the F5 logo, and click Applications.

  2. If this is the first application service you are adding to BIG-IP Next Central Manager, click Start Adding Apps. Otherwise, at the top of the screen, click Add Application.

  3. For Application Service Name, specify a name for the application service and click Start Creating.
    The Application Service Properties screen opens.

    Note: For Application Mode, you need to create a Standard Application which is selected by default.

  4. For the Description, specify a description of the application service and click Start Creating.
    The Virtual Servers tab of the Application Service Properties screen opens.

  5. Click the Pools tab. The Pools tab opens so you can specify the pools the application service will use.

  6. For the Name of pool, specify a name for the pool.

  7. Specify the Service Port to use for this pool.

  8. Select a Load-Balancing Mode for the pool.

  9. Select a Monitor Type for the pool.

  10. Click the Virtual Servers tab. The Virtual Servers tab opens.

  11. For the Virtual Server  Name, specify a name for the virtual server.

  12. For Pool, select the pool that you want this virtual server to use.

  13. For the Virtual Port, specify the port number to use to access the virtual server.

  14. To specify Protocols or Profiles, click the edit icon under Protocols & Profiles.
    The Protocols screen opens.

    a. Select the protocols you want to enable.

    b. If the protocol you selected requires a certificate, a field displays so you can choose one.

    c. When you have specified the protocols and profiles needed, click Save to return to the Application Service Properties screen.

  15. To specify security policies, click the edit icon under Security Policies.
    The Security Policies screen opens.

    a. To specify an SSL Orchestrator policy:

    i. Click Use an SSL Orchestrator Policy.

    ii. Select the SSLO Policy for the application service.

    Note: Only Inbound Application type policies will be listed when you are creating a standard application.

    b. To specify an SSL Orchestrator service chain:

    i. Click Use an SSL Orchestrator Static Service Chain.

    ii. Click Start Adding to add an inspection service or Click + Add Row if you already selected an inspection service and want to add more inspection services to the service chain.

  16. When you have specified the policies and/or service chains needed, click Save to return to the Application Service Properties screen.

  17. To specify iRules, click the edit icon under iRules.
    The iRules screen opens.

    a. To Enable iRules, click Use iRules.

    b. To specify iRules for this application service, click Add.

    c. Use the controls to specify the iRules (and version) for this application service and arrange the order in which they run.

    d. When the iRules are correctly specified, click Save to return to the Application Service Properties screen.

  18. Repeat steps 11-16 to specify settings for additional virtual servers as needed.

  19. When you finish specifying settings for the application service, click Review & Deploy.
    The Instance/Locations page opens.

  20. Click Start Adding and select the instances to which you want to deploy the application service, click Add to List.
    The Deploy screen opens.

  21. For each instance/location you added in the previous step, under Virtual Address, specify the IP address(es) of the virtual server(s).

  22. Add Pool Members for each pool.

    a. For the first pool, click the down arrow under Members, click the + Pool Members button.
    The Pool Members (endpoints) screen opens.

    b. Click Add Row and then specify a Name and IP Address for the first pool member.

    c. To add additional members, click Add Row again.

    d. When you finish adding pool members, click Save.

    e. Repeat sub-steps 1 - 4 to add pool members for each pool.

  23. Select the edit icon in the Configure column.

  24. Click Enable VLAN to listen on.

  25. From the VLANS drop-down list, select the VLAN that you want your application to listen on.
    Note: You must create VLANs using /L1 Networks endpoint on BIG-IP Next Instance, before adding the VLANS to Central Manager.

  26. Click Deploy Changes.
    The Deploy Application Service screen displays a summary of the changes to be deployed.

  27. Click Yes, Deploy to complete the deployment.

The basic implementation of SSL Orchestrator in BIG-IP Next is to attach a policy to an application AS3 declaration.

"policySslOrchestrator": {
   "cm": "my-sslo-gw-policy"
}

The application deployments require two steps:

  • Create the application in Central Manager.

  • Deploy that application to a BIG-IP Next instance.

The below example provides a simple inbound application declaration.

Basic: Create Application

POST /api/v1/spaces/default/appsvcs/documents
{
  "class": "ADC",
  "id": "adc-canonical",
  "schemaVersion": "3.43.0",
  "my_tenant": {
    "class": "Tenant",
    "my_app": {
      "class": "Application",
      "my_server_tls": {
        "class": "TLS_Server",
        "certificates": [
          {
            "certificate": "webcert"
          }
        ],
        "ciphers": "DEFAULT",
        "tls1_1Enabled": true,
        "tls1_2Enabled": true,
        "tls1_3Enabled": false
      },
      "my_client_tls": {
        "class": "TLS_Client",
        "ciphers": "DEFAULT",
        "tls1_1Enabled": true,
        "tls1_2Enabled": true,
        "tls1_3Enabled": false
      },
      "my_pool": {
        "class": "Pool",
        "loadBalancingMode": "round-robin",
        "members": [
          {
            "serverAddresses": [
              "192.168.100.11",
              "192.168.100.12",
              "192.168.100.13"
            ],
            "servicePort": 443
          }
        ],
        "monitors": [
          "https"
        ]
      },
      "my_pool_service": {
        "class": "Service_Pool",
        "pool": "my_pool"
      },
      "my_service": {
        "class": "Service_HTTPS",
         "allowNetworks": [
          {
            "bigip": "Default L3-Network"
          }
        ],
        "persistenceMethods": [],
        "policySslOrchestrator": {
          "cm": "my-api-policy"
        },
        "clientTLS": "my_client_tls",
        "serverTLS": "my_server_tls",
        "pool": "my_pool",
        "snat": "auto",
        "virtualAddresses": [
          "10.1.10.22"
        ],
        "virtualPort": 443
      },
      "webcert": {
        "class": "Certificate",
        "certificate": {
          "cm": "wildcard.f5labs.com.crt"
        },
        "privateKey": {
          "cm": "wildcard.f5labs.com.pem"
        }
      }
    }
  }
}

The response to successful creation will contain a JSON payload including an ID value. That ID value is then used in the following request to deploy the application to a BIG-IP Next instance, where {{Next-Instance-IP-Address}} is the IP address of the target instance.

Basic: Deploy Application

POST /api/v1/spaces/default/appsvcs/documents/{{application_id}}/deployments
{
  "target": "{{Next-Instance-IP-Address}}"
}

Curl: Create Application

APP=$(cat <<EOF
{
  "class": "ADC",
  "id": "adc-canonical",
  "schemaVersion": "3.43.0",
  "my_tenant": {
    "class": "Tenant",
    "my_app": {
      "class": "Application",
      "my_server_tls": {
        "class": "TLS_Server",
        "certificates": [
          {
            "certificate": "webcert"
          }
        ],
        "ciphers": "DEFAULT",
        "tls1_1Enabled": true,
        "tls1_2Enabled": true,
        "tls1_3Enabled": false
      },
      "my_client_tls": {
        "class": "TLS_Client",
        "ciphers": "DEFAULT",
        "tls1_1Enabled": true,
        "tls1_2Enabled": true,
        "tls1_3Enabled": false
      },
      "my_pool": {
        "class": "Pool",
        "loadBalancingMode": "round-robin",
        "members": [
          {
            "serverAddresses": [
              "192.168.100.11",
              "192.168.100.12",
              "192.168.100.13"
            ],
            "servicePort": 443
          }
        ],
        "monitors": [
          "https"
        ]
      },
      "my_pool_service": {
        "class": "Service_Pool",
        "pool": "my_pool"
      },
      "my_service": {
        "class": "Service_HTTPS",
         "allowNetworks": [
          {
            "bigip": "Default L3-Network"
          }
        ],
        "persistenceMethods": [],
        "policySslOrchestrator": {
          "cm": "my-api-policy"
        },
        "clientTLS": "my_client_tls",
        "serverTLS": "my_server_tls",
        "pool": "my_pool",
        "snat": "auto",
        "virtualAddresses": [
          "10.1.10.22"
        ],
        "virtualPort": 443
      },
      "webcert": {
        "class": "Certificate",
        "certificate": {
          "cm": "wildcard.f5labs.com.crt"
        },
        "privateKey": {
          "cm": "wildcard.f5labs.com.pem"
        }
      }
    }
  }
}
EOF
)
app_id=$(curl -sk -H "Authorization: Bearer ${token}" -H "Content-Type: application/json" "https://${CM}/api/v1/spaces/default/appsvcs/documents" -d "${APP}")

Curl: Deploy Application

DEPLOY=$(cat <<EOF
{
  "target": "${Next-Instance-IP-Address}"
}
EOF
)
curl -sk -H "Authorization: Bearer ${token}" -H "Content-Type: application/json" "https://${CM}/api/v1/spaces/default/appsvcs/documents/${app_id}/deployments" -d "${DEPLOY}"

Ansible

Execute with:

bigip_next_cm_mgmt_ip="10.1.1.6"
bigip_next_password="my_password"
ansible-playbook -i notahost, sslo-inbound-application.yaml --extra-vars "bigip_next_cm_mgmt_ip=$bigip_next_cm_mgmt_ip bigip_next_password=$bigip_next_password"
---
- hosts: all
  connection: local

  tasks:
    - name: Check if BIG-IP Next Central Manager instance is available (HTTPS responding 405 on /api/login)
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/login
        method: GET
        status_code: 405
        validate_certs: false
      until: json_response.status == 405
      retries: 50
      delay: 30
      register: json_response


    - name: Authenticate to BIG-IP Next CM API
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/login
        method: POST
        headers:
          Content-Type: application/json
        body: |
          {
              "username": "admin",
              "password": "{{ bigip_next_password }}"
          }
        body_format: json
        timeout: 60
        status_code: 200
        validate_certs: false
      register: bigip_next_cm_token
      retries: 30
      delay: 30


    - name: Set the BIG-IP Next CM token
      set_fact:
        bigip_next_cm_token: "{{ bigip_next_cm_token.json.access_token }}"
    
    
    - name: Create SSLO Inbound Application
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/v1/spaces/default/appsvcs/documents
        method: POST
        headers:
          Authorization: "Bearer {{ bigip_next_cm_token }}"
          Content-Type: application/json
        body: |
          {
            "class": "ADC",
            "id": "adc-canonical",
            "schemaVersion": "3.43.0",
            "my_tenant": {
              "class": "Tenant",
              "my_app": {
                "class": "Application",
                "my_server_tls": {
                  "class": "TLS_Server",
                  "certificates": [
                    {
                      "certificate": "webcert"
                    }
                  ],
                  "ciphers": "DEFAULT",
                  "tls1_1Enabled": true,
                  "tls1_2Enabled": true,
                  "tls1_3Enabled": false
                },
                "my_client_tls": {
                  "class": "TLS_Client",
                  "ciphers": "DEFAULT",
                  "tls1_1Enabled": true,
                  "tls1_2Enabled": true,
                  "tls1_3Enabled": false
                },
                "my_pool": {
                  "class": "Pool",
                  "loadBalancingMode": "round-robin",
                  "members": [
                    {
                      "serverAddresses": [
                        "192.168.100.11",
                        "192.168.100.12",
                        "192.168.100.13"
                      ],
                      "servicePort": 443
                    }
                  ],
                  "monitors": [
                    "https"
                  ]
                },
                "my_pool_service": {
                  "class": "Service_Pool",
                  "pool": "my_pool"
                },
                "my_service": {
                  "class": "Service_HTTPS",
                  "allowNetworks": [
                    {
                      "bigip": "Default L3-Network"
                    }
                  ],
                  "persistenceMethods": [],
                  "policySslOrchestrator": {
                    "cm": "my-api-policy"
                  },
                  "clientTLS": "my_client_tls",
                  "serverTLS": "my_server_tls",
                  "pool": "my_pool",
                  "snat": "auto",
                  "virtualAddresses": [
                    "10.1.10.22"
                  ],
                  "virtualPort": 443
                },
                "webcert": {
                  "class": "Certificate",
                  "certificate": {
                    "cm": "wildcard.f5labs.com.crt"
                  },
                  "privateKey": {
                    "cm": "wildcard.f5labs.com.pem"
                  }
                }
              }
            }
          }
        body_format: json
        timeout: 60
        status_code: 200
        validate_certs: false
      register: json_response


    - name: Set application ID
      set_fact:
        app_id: "{{ json_response.json.id}}"


    - name: Deploy Inbound Application to BIG-IP Instance
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/v1/spaces/default/appsvcs/documents/{{ app_id }}/deployments
        method: POST
        headers:
          Authorization: "Bearer {{ bigip_next_cm_token }}"
          Content-Type: application/json
        body: |
          {
            "target": "10.1.1.7"
          }
        body_format: json
        timeout: 60
        status_code: 202
        validate_certs: false
      register: json_response


    - debug:
        var: json_response