How to: Create an Application with an Inbound Gateway Mode Policy

Overview

An Inbound Gateway is the entry point mode where the client targets an address and port hosted behind the BIG-IP, where the BIG-IP is a routed next-hop in that path. The primary attributes of the inbound gateway are a wildcard IP (and optional wildcard port) listener, no pool assignment, and address and port translation (NAT and PAT) disabled. The SSL Orchestrator inbound gateway deployment essentially binds a policy to a specialized application template.

Note: When an application includes both SSL Orchestrator policy and static service chain, the dynamic service chain included in the policy is implemented before the static service chain.

Procedure

To create an inbound gateway policy application from the Central Manager UI:

  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon next to the F5 logo, and click Applications.

  2. If this is the first application service you are adding to BIG-IP Next Central Manager, click Start Adding Apps. Otherwise, at the top of the screen, click Add Application.

  3. Select From Template.

  4. Select sslo-inbound-gateway-topology from the Application Template drop-down list.

  5. For Application Service Name, specify a name for the application service and click Start Creating.
    The Application Service Properties screen opens.

  6. For the Description, specify a description of the application service.

  7. Click the Virtual Servers tab.
    The Virtual Servers tab opens.

  8. For the Virtual Server Name, specify a name for the virtual server.

  9. For the Virtual Port, specify the port number to use to access the virtual server.

  10. To specify Protocols or Profiles, click the edit icon under Protocols & Profiles.
    The Protocols screen opens.

    a. Select the protocols you want to enable.

    b. If the protocol you selected requires a certificate, a field displays so you can choose one.

    c. When you have specified the protocols and profiles needed, click Save to return to the Application Service Properties screen.

  11. To specify security policies, click the edit icon under Security Policies.
    The Security Policies screen opens.

    a. To specify an SSL Orchestrator policy:

    i. Click Use an SSL Orchestrator Policy.

    ii. Select the SSLO Policy for the application service.

    Note: Only Inbound Gateway type policies will be listed when you are creating an application from the template.

    b. To specify an SSL Orchestrator static service chain:

    i. Click Use an SSL Orchestrator Static Service Chain.

    ii. Click Start Adding to add an inspection service, or click + Add Row if you already selected an inspection service and want to add more inspection services to the service chain.

  12. When you have specified the policies and/or service chains needed, click Save to return to the Application Service Properties screen.

  13. To specify iRules, click the edit icon under iRules.
    The iRules screen opens.

    a. To Enable iRules, click Use iRules.

    b. To specify iRules for this application service, click Add.

    c. Use the controls to specify the iRules (and version) for this application service and arrange the order in which they run.

    d. When the iRules are correctly specified, click Save to return to the Application Service Properties screen.

  14. Repeat steps 8 through 13 to specify settings for additional virtual servers as needed.

  15. When you finish specifying settings for the application service, click Review & Deploy.
    The Instance/Locations page opens.

  16. Click Start Adding and then select the instances to which you want to deploy the application service, then click Add to List.
    The Deploy screen opens.

  17. For each instance/location you added in the previous step, under Virtual Address, specify the IP address(es) of the virtual server(s). Typically, you enter the wildcard 0.0.0.0/0 for Inbound Gateway Mode; the VLAN you select in the following steps is what limits where that wildcard listener accepts traffic.

  18. Select the edit icon in the Configure column.

  19. Click Enable VLAN to listen on.

  20. From the VLANS drop-down list, select the VLAN that you want your application to listen on.

  21. Click Deploy Changes.
    The Deploy Application Service screen displays a summary of the changes to be deployed.

  22. Click Yes Deploy to complete the deployment.

To create an inbound gateway policy application using the Central Manager API:

The basic implementation of SSL Orchestrator in Next is to attach a policy to an application AS3 declaration. The Inbound Gateway requires a few additional options compared to an Inbound Application: a wildcard virtual address, no pool, and server address translation disabled. The policy itself is attached with the policySslOrchestrator property, which references the Central Manager policy by name:

"policySslOrchestrator": {
   "cm": "my-sslo-gw-policy"
}

All application deployments require two steps:

  • Create the application in Central Manager

  • Deploy that application to a BIG-IP Next instance.

The following example is a minimal inbound gateway declaration.

Basic: Create Application

POST /api/v1/spaces/default/appsvcs/documents
{
  "class": "ADC",
  "id": "http-canonical-cm-example-template",
  "label": "Central Manager Example Template",
  "schemaVersion": "3.43.0",
  "my_tenant": {
    "class": "Tenant",
    "my_app": {
      "class": "Application",
      "my_server_tls": {
        "class": "TLS_Server",
        "certificates": [
          {
           "certificate": "webcert",
           "sniDefault": true
          }
        ],
        "ciphers": "DEFAULT",
        "tls1_1Enabled": false,
        "tls1_2Enabled": true,
        "tls1_3Enabled": true
      },
      "my_client_tls": {
        "class": "TLS_Client",
        "ciphers": "DEFAULT",
        "tls1_1Enabled": false,
        "tls1_2Enabled": true,
        "tls1_3Enabled": true
      },
      "my_service": {
        "class": "Service_HTTPS",
        "allowNetworks": [
          {
            "bigip": "Default L3-Network"
          }
        ],
        "persistenceMethods": [],
        "policySslOrchestrator": {
          "cm": "my-sslo-gw-policy"
        },
        "clientTLS": "my_client_tls",
        "serverTLS": "my_server_tls",
        "snat": "auto",
        "translateServerAddress": false,
        "virtualAddresses": [
          "0.0.0.0"
        ],
        "virtualPort": 443
      },
      "webcert": {
        "class": "Certificate",
        "certificate": {
          "cm": "wildcard.f5labs.com.crt"
        },
        "privateKey": {
          "cm": "wildcard.f5labs.com.pem"
        }
      }
    }
  }
}

Notice that there is no pool defined in this declaration, and that "translateServerAddress" is false, so the BIG-IP forwards to the client's original destination rather than to a pool member. The virtualAddress is a wildcard listener (0.0.0.0), and in this case the virtualPort is 443 to specifically intercept HTTPS traffic. Because the listener is a wildcard, allowNetworks is what confines it to the intended ingress network (here "Default L3-Network"); this corresponds to the VLAN selection in the UI procedure, and a gateway listener should not be left reachable from every network on the instance. The response to successful creation will contain a JSON payload including an ID value. That ID value is then used in the following request to deploy the application to a BIG-IP Next instance, where {{Next-Instance-IP-Address}} is the IP address of the target instance.

Basic: Deploy Application

POST /api/v1/spaces/default/appsvcs/documents/{{application_id}}/deployments
{
  "target": "{{Next-Instance-IP-Address}}"
}
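The two-step flow above (create the document, then deploy it by ID) is easy to get subtly wrong: a declaration that carries a pool or leaves translateServerAddress at its default deploys without complaint, but it is no longer an inbound gateway. The following is an added example, not code from this page or from F5: it turns the Inbound Gateway attributes stated in the Overview into a preflight check, then performs the login, create and deploy calls against the endpoints documented here. The function names, the set of accepted wildcard spellings (including the IPv6 forms) and the rule that a port-0 listener also needs translateServerPort set to false are this example's own assumptions.

```python
"""Preflight and submission helper for an SSL Orchestrator Inbound Gateway AS3 declaration.

Added example, not from this page or from F5's code. It turns the Inbound Gateway attributes
stated in the Overview (wildcard listener, no pool, server address/port translation off, an
SSLO policy attached) into checks run before the declaration is POSTed. Endpoint paths and
the login/access_token shape follow this page; function names, the IPv6 wildcard forms and
the translateServerPort rule for a port-0 listener are this example's assumptions.
"""
import json
import ssl
import urllib.request

WILDCARD_ADDRESSES = {"0.0.0.0", "0.0.0.0/0", "::", "::/0"}  # assumed wildcard spellings

# Constructed sample: the declaration shown on this page, compacted into a dict.
GATEWAY_DECL = {
    "class": "ADC", "id": "http-canonical-cm-example-template",
    "label": "Central Manager Example Template", "schemaVersion": "3.43.0",
    "my_tenant": {"class": "Tenant", "my_app": {
        "class": "Application",
        "my_server_tls": {"class": "TLS_Server", "ciphers": "DEFAULT",
                          "certificates": [{"certificate": "webcert", "sniDefault": True}],
                          "tls1_1Enabled": False, "tls1_2Enabled": True, "tls1_3Enabled": True},
        "my_client_tls": {"class": "TLS_Client", "ciphers": "DEFAULT",
                          "tls1_1Enabled": False, "tls1_2Enabled": True, "tls1_3Enabled": True},
        "my_service": {"class": "Service_HTTPS",
                       "allowNetworks": [{"bigip": "Default L3-Network"}],
                       "persistenceMethods": [],
                       "policySslOrchestrator": {"cm": "my-sslo-gw-policy"},
                       "clientTLS": "my_client_tls", "serverTLS": "my_server_tls",
                       "snat": "auto", "translateServerAddress": False,
                       "virtualAddresses": ["0.0.0.0"], "virtualPort": 443},
        "webcert": {"class": "Certificate",
                    "certificate": {"cm": "wildcard.f5labs.com.crt"},
                    "privateKey": {"cm": "wildcard.f5labs.com.pem"}},
    }},
}


def find_services(decl):
    """Yield (path, object) for every Service_* object under every Tenant/Application."""
    for tname, tenant in decl.items():
        if isinstance(tenant, dict) and tenant.get("class") == "Tenant":
            for aname, app in tenant.items():
                if isinstance(app, dict) and app.get("class") == "Application":
                    for sname, obj in app.items():
                        if isinstance(obj, dict) and str(obj.get("class", "")).startswith("Service_"):
                            yield f"{tname}/{aname}/{sname}", obj


def check_inbound_gateway(decl):
    """Return findings that disqualify the declaration as an Inbound Gateway; [] means it passes."""
    findings = []
    services = list(find_services(decl))
    if not services:
        return ["declaration contains no Service_* object"]
    for path, svc in services:
        if "policySslOrchestrator" not in svc:
            findings.append(f"{path}: no policySslOrchestrator attached")
        if "pool" in svc:
            findings.append(f"{path}: gateway mode takes no pool assignment")
        # AS3 defaults both translate* properties to true; gateway mode needs them off.
        if svc.get("translateServerAddress", True):
            findings.append(f"{path}: translateServerAddress must be false")
        if svc.get("virtualPort") == 0 and svc.get("translateServerPort", True):
            findings.append(f"{path}: wildcard port 0 also needs translateServerPort false")
        addrs = svc.get("virtualAddresses", [])
        if not addrs or any(not (isinstance(a, str) and a in WILDCARD_ADDRESSES) for a in addrs):
            findings.append(f"{path}: virtualAddresses should be a wildcard such as 0.0.0.0")
    return findings


def submit(cm, username, password, decl, target, verify_tls=True):
    """Log in, create the application document, and deploy it to one instance.

    verify_tls=False mirrors curl -k and belongs only in a lab where the Central Manager
    certificate is not yet trusted; the default verifies the server certificate.
    """
    problems = check_inbound_gateway(decl)
    if problems:
        raise ValueError("declaration is not an Inbound Gateway: " + "; ".join(problems))
    ctx = None if verify_tls else ssl._create_unverified_context()

    def post(path, body, token=None):
        req = urllib.request.Request(f"https://{cm}{path}", data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json"}, method="POST")
        if token:
            req.add_header("Authorization", f"Bearer {token}")
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            return json.loads(resp.read() or b"{}")

    token = post("/api/login", {"username": username, "password": password})["access_token"]
    app_id = post("/api/v1/spaces/default/appsvcs/documents", decl, token)["id"]
    return post(f"/api/v1/spaces/default/appsvcs/documents/{app_id}/deployments",
                {"target": target}, token)


if __name__ == "__main__":
    print(check_inbound_gateway(GATEWAY_DECL) or "declaration passes the Inbound Gateway checks")
```

Run the module as-is to check the page's declaration offline; call submit("10.1.1.6", "admin", "my_password", GATEWAY_DECL, "10.1.1.7") to push it through Central Manager. submit refuses a declaration that fails the preflight, so a stray "pool" or a default translateServerAddress is caught before anything reaches the instance.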

Curl: Create Application

# Central Manager address, and an API token obtained from /api/login (same login shape as the Ansible playbook below).
CM="10.1.1.6"
token=$(curl -sk -H "Content-Type: application/json" "https://${CM}/api/login" \
  -d '{"username":"admin","password":"my_password"}' | jq -r '.access_token')

APP=$(cat <<EOF
{
  "class": "ADC",
  "id": "http-canonical-cm-example-template",
  "label": "Central Manager Example Template",
  "schemaVersion": "3.43.0",
  "my_tenant": {
    "class": "Tenant",
    "my_app": {
      "class": "Application",
      "my_server_tls": {
        "class": "TLS_Server",
        "certificates": [
          {
           "certificate": "webcert",
           "sniDefault": true
          }
        ],
        "ciphers": "DEFAULT",
        "tls1_1Enabled": false,
        "tls1_2Enabled": true,
        "tls1_3Enabled": true
      },
      "my_client_tls": {
        "class": "TLS_Client",
        "ciphers": "DEFAULT",
        "tls1_1Enabled": false,
        "tls1_2Enabled": true,
        "tls1_3Enabled": true
      },
      "my_service": {
        "class": "Service_HTTPS",
        "allowNetworks": [
          {
            "bigip": "Default L3-Network"
          }
        ],
        "persistenceMethods": [],
        "policySslOrchestrator": {
          "cm": "my-sslo-gw-policy"
        },
        "clientTLS": "my_client_tls",
        "serverTLS": "my_server_tls",
        "snat": "auto",
        "translateServerAddress": false,
        "virtualAddresses": [
          "0.0.0.0"
        ],
        "virtualPort": 443
      },
      "webcert": {
        "class": "Certificate",
        "certificate": {
          "cm": "wildcard.f5labs.com.crt"
        },
        "privateKey": {
          "cm": "wildcard.f5labs.com.pem"
        }
      }
    }
  }
}
EOF
)
# The create response is a JSON document; keep only its id for the deployment request.
app_id=$(curl -sk -H "Authorization: Bearer ${token}" -H "Content-Type: application/json" "https://${CM}/api/v1/spaces/default/appsvcs/documents" -d "${APP}" | jq -r '.id')

Curl: Deploy Application

# Management address of the target BIG-IP Next instance (hyphens are not valid in shell variable names).
NEXT_INSTANCE_IP="10.1.1.7"
DEPLOY=$(cat <<EOF
{
  "target": "${NEXT_INSTANCE_IP}"
}
EOF
)
curl -sk -H "Authorization: Bearer ${token}" -H "Content-Type: application/json" "https://${CM}/api/v1/spaces/default/appsvcs/documents/${app_id}/deployments" -d "${DEPLOY}"


Ansible Reference

Execute with:

bigip_next_cm_mgmt_ip="10.1.1.6"
bigip_next_password="my_password"
ansible-playbook -i notahost, sslo-inbound-gateway.yaml --extra-vars "bigip_next_cm_mgmt_ip=$bigip_next_cm_mgmt_ip bigip_next_password=$bigip_next_password"

sslo-inbound-gateway.yaml:

---
- hosts: all
  connection: local

  tasks:
    - name: Check if BIG-IP Next Central Manager instance is available (HTTPS responding 405 on /api/login)
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/login
        method: GET
        status_code: 405
        validate_certs: false
      until: json_response.status == 405
      retries: 50
      delay: 30
      register: json_response


    - name: Authenticate to BIG-IP Next CM API
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/login
        method: POST
        headers:
          Content-Type: application/json
        body: |
          {
              "username": "admin",
              "password": "{{ bigip_next_password }}"
          }
        body_format: json
        timeout: 60
        status_code: 200
        validate_certs: false
      register: bigip_next_cm_token
      retries: 30
      delay: 30


    - name: Set the BIG-IP Next CM token
      set_fact:
        bigip_next_cm_token: "{{ bigip_next_cm_token.json.access_token }}"
    
    
    - name: Create SSLO Inbound Gateway
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/v1/spaces/default/appsvcs/documents
        method: POST
        headers:
          Authorization: "Bearer {{ bigip_next_cm_token }}"
          Content-Type: application/json
        body: |
          {
             "class": "ADC",
             "id": "http-canonical-cm-example-template",
             "label": "Central Manager Example Template",
             "schemaVersion": "3.43.0",
             "my_tenant": {
               "class": "Tenant",
               "my_app": {
                 "class": "Application",
                 "my_server_tls": {
                   "class": "TLS_Server",
                   "certificates": [
                     {
                       "certificate": "webcert",
                       "sniDefault": true
                     }
                   ],
                   "ciphers": "DEFAULT",
                   "tls1_1Enabled": false,
                   "tls1_2Enabled": true,
                   "tls1_3Enabled": true
                 },
                 "my_client_tls": {
                   "class": "TLS_Client",
                   "ciphers": "DEFAULT",
                   "tls1_1Enabled": false,
                   "tls1_2Enabled": true,
                   "tls1_3Enabled": true
                 },
                 "my_service": {
                   "class": "Service_HTTPS",
                   "allowNetworks": [
                     {
                       "bigip": "Default L3-Network"
                     }
                   ],
                   "persistenceMethods": [],
                   "policySslOrchestrator": {
                     "cm": "my-sslo-gw-policy"
                   },
                   "clientTLS": "my_client_tls",
                   "serverTLS": "my_server_tls",
                   "snat": "auto",
                   "translateServerAddress": false,
                   "virtualAddresses": [
                     "0.0.0.0"
                   ],
                   "virtualPort": 443
                 },
                 "webcert": {
                   "class": "Certificate",
                   "certificate": {
                     "cm": "wildcard.f5labs.com.crt"
                   },
                   "privateKey": {
                     "cm": "wildcard.f5labs.com.pem"
                   }
                 }
               }
             }
           }
        body_format: json
        timeout: 60
        status_code: 200
        validate_certs: false
      register: json_response


    - name: Set application ID
      set_fact:
        app_id: "{{ json_response.json.id }}"


    - name: Deploy Inbound Gateway to BIG-IP Instance
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/v1/spaces/default/appsvcs/documents/{{ app_id }}/deployments
        method: POST
        headers:
          Authorization: "Bearer {{ bigip_next_cm_token }}"
          Content-Type: application/json
        body: |
          {
            "target": "10.1.1.7"
          }
        body_format: json
        timeout: 60
        status_code: 202
        validate_certs: false
      register: json_response


    - debug:
        var: json_response