Overview: Migrate BIG-IP application configurations onto BIG-IP Next Central Manager

This module assists with migrating Local Traffic Manager (LTM), Access, and Web Application Firewall (WAF) application services from existing BIG-IP devices to BIG-IP Next. The process provides end-to-end automation of application migration with minimal disruption to ongoing operations. Application migration into BIG-IP Next Central Manager provides feature compatibility checks and application validation to ensure the application is properly migrated and deployed to your BIG-IP Next instances. In addition, because some features are not yet supported on BIG-IP Next, the migration tool ensures that only supported features are migrated.

About application service migration

The application service migration tool allows you to select virtual servers currently running on your BIG-IP devices, convert them into Application Services (AS3 declarations), and deploy them to BIG-IP Next instances. This version of BIG-IP Next Central Manager supports migration from a UCS archive for application delivery and control services for HTTP and HTTPS application services.

The migrated application services are added to BIG-IP Next Central Manager and you can edit the AS3 declaration later.

In addition, when you select the application service to migrate as draft, you can import shared objects, such as SSL certificates and WAF or Access policies, to BIG-IP Next Central Manager. Once included, these objects can be attached to application services and modified in BIG-IP Next Central Manager. Modifications to objects (except iRules) are automatically applied to the attached application services.

Overview of application migration at a glance

  • Supports migration of individual application services and their dependencies from BIG-IP to BIG-IP Next (per-app only).

  • Supports migration of applications with LTM services on BIG-IP version 12.1.0 or later to AS3 declarations onto BIG-IP Next.

    Note: The migration process from the UCS archive to BIG-IP Next Central Manager translates bigip.conf to AS3. The application services are then migrated as drafts that use the AS3 API.

  • Supports migration of HTTP and HTTPS applications.

  • Supports migration of applications with WAF services on BIG-IP version 12.1.0 or later.

  • Supports migration of applications with Access services on BIG-IP version 12.1.0 or later.

  • Supports migration of iRules found on migrated applications.

  • Supports platform destination of Virtual Edition (VE), VELOS, and rSeries.

  • Supports application service migration of the following default objects within the declaration: monitors, profiles, and iRules.

  • Supports iApps translation, but it is limited to virtual server configuration.

Application migration and deployment process

You can migrate and deploy your application services to a BIG-IP Next instance in three steps:

  • Upload the UCS archive from your BIG-IP device and select how to group the virtual servers in their application services.

  • View application services and manage their virtual server configuration. When you select application services to Migrate as Draft, the Include Shared Objects checkbox is selected by default to import the shared objects, including certificates, iRules, WAF, and Access policies.

  • View the AS3 declaration, make changes if required, and select the BIG-IP Next instance to deploy to.

    Note: When you save an application service as a draft, you can make changes to the AS3 declaration. In some cases, the configuration of the application service or virtual server is not supported by BIG-IP Next. You can make these changes and later deploy the application service with the supported changes.

For more information, see How to: Migrate BIG-IP application configurations onto BIG-IP Next Central Manager.

Application Objects

The migration module might discover objects in virtual servers that BIG-IP Next does not support. BIG-IP Next Central Manager provides a conversion status when you select applications for migration. During the application selection process you can review and verify the objects that will be automatically removed or converted. These application services can then be saved to BIG-IP Next Central Manager as a draft for manual changes before you deploy to an instance.

For more information about migration statuses, see Reference: Application migration status.

For more information about selecting application services for migration, see How to: Migrate BIG-IP application configurations onto BIG-IP Next Central Manager.

Default object conversion

The migration module recognizes default objects in the UCS archives, but only migrates iRules. These iRules import into BIG-IP Next Central Manager as shared objects during the migration process. Other default objects, like profiles or monitors, will use the default settings specific to the selected destination system.
However, if you manually modify a default shared object (for example, a default iRule), the migration process discards those changes. The migration module does not copy default shared object definitions from the UCS. Instead, it uses hardcoded definitions based on the source BIG-IP version.

Entries within objects that are not supported on BIG-IP Next are removed during conversion to an AS3 declaration.

Supported default objects include iRules, monitors, and profiles.

Supported Certificates

Unsupported SSL certificate and key pairs report a security warning status. BIG-IP Next supports cipher suites that use the following algorithms:

  • RSA (2048/3072/4096)

  • ECDSA (prime256v1/secp384r1)

Unsupported certificate and key pairs will be marked and can be replaced in the AS3 declaration after you save the migrated application service as a draft.

Note: Mutual Transport Layer Security (mTLS) is not supported during the migration. A certificate and key pair from a Server SSL profile with this service can be imported, but it is not attached to the application service.

If multiple SSL profiles of the same type (for example, both client SSL or server SSL) are found on the same virtual server, you will need to select only one of the profiles to ensure proper deployment to an instance.

PKCS type certificates

BIG-IP Next supports PKCS #12 and PKCS #8 certificates. If you created an application with a PKCS #1 certificate and encrypted key, the migration process will automatically convert the certificate to PKCS #8. Following the migration and import of the certificate to BIG-IP Next Central Manager, you will be able to access the certificate and private key.
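To find the keys in a UCS archive that fall under the PKCS #1 conversion case before you upload it, the following added example (not part of the migration tool or of F5's code) classifies private-key PEM blocks by their encoding. It assumes the keys are PEM text; the sample bundle is constructed and its base64 bodies are placeholders, not real key material.

```python
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# PEM label -> key container format (RFC 7468 labels plus OpenSSL's traditional ones)
LABELS = {
    "RSA PRIVATE KEY": "PKCS #1",
    "PRIVATE KEY": "PKCS #8",
    "ENCRYPTED PRIVATE KEY": "PKCS #8",
    "EC PRIVATE KEY": "SEC1",
}

# Constructed sample bundle; the bodies decode to placeholder text, not keys.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END RSA PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END PRIVATE KEY-----
"""

def classify_keys(pem_text):
    """Return one (format, encrypted) tuple per private-key block in pem_text."""
    out = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if label not in LABELS:
            continue  # certificates, CSRs and other non-key blocks
        # An encrypted traditional key keeps its label and adds RFC 1421 headers,
        # so the label alone does not reveal that it is encrypted.
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or "Proc-Type: 4,ENCRYPTED" in body)
        out.append((LABELS[label], encrypted))
    return out

def will_be_converted(pem_text):
    """True if a key matches the case described above: PKCS #1 with an encrypted key."""
    return ("PKCS #1", True) in classify_keys(pem_text)

if __name__ == "__main__":
    print(classify_keys(SAMPLE_BUNDLE), will_be_converted(SAMPLE_BUNDLE))
```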

Unsupported virtual servers

Certain types of virtual servers are not supported on BIG-IP Next. If these virtual server types are found in your application services, ensure they are removed from the application service during the application migration selection process.

The following virtual servers are not supported on BIG-IP Next and cannot be deployed to a BIG-IP Next instance:

  • Internal virtual servers: Before migration, if you have configured internal virtual server for HTTP request and response adaptation to your BIG-IP device.

  • Forwarding IP type virtual servers.

  • Wildcard virtual servers (0.0.0.0/0): Deploying more than one wildcard virtual server to a single instance can cause unexpected instance behavior.
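A pre-migration check for the three unsupported types listed above can be run against the bigip.conf file inside the UCS archive. This is an added example, not part of the migration tool; it assumes the tmsh stanza syntax used in bigip.conf (the `internal` and `ip-forward` keywords and a `destination` line), and the sample configuration, names, and addresses are constructed.

```python
import re
# Constructed sample in bigip.conf (tmsh) syntax; names and addresses are made up.
SAMPLE_CONF = """\
ltm virtual /Common/vs_web {
    destination /Common/10.1.10.20:443
    profiles {
        /Common/clientssl {
            context clientside
        }
    }
}
ltm virtual /Common/vs_fwd {
    destination /Common/0.0.0.0:0
    ip-forward
}
ltm virtual /Common/vs_icap {
    destination /Common/0.0.0.0:0
    internal
}
"""

def classify(props):
    """Map a stanza's top-level property lines to the unsupported types listed above."""
    reasons = [label for kw, label in (("internal", "internal"),
                                       ("ip-forward", "forwarding-ip")) if kw in props]
    dest = next((p.split()[1] for p in props if p.startswith("destination ")), "")
    # Strip the partition path; accept an optional %route-domain suffix.
    if re.fullmatch(r"0\.0\.0\.0(%\d+)?:\S+", dest.rsplit("/", 1)[-1]):
        reasons.append("wildcard")
    return reasons

def unsupported_virtuals(conf_text):
    """Return {virtual server name: [reasons]} for every flagged ltm virtual stanza."""
    findings, name, props, depth = {}, None, [], 0
    for line in map(str.strip, conf_text.splitlines()):
        if depth == 0:  # a new top-level stanza may start here
            m = re.match(r"ltm virtual (\S+) \{$", line)
            name, props = (m.group(1) if m else None), []
        elif depth == 1 and name:  # nested blocks such as profiles are skipped
            props.append(line)
        # Assumption: braces balance inside every stanza, iRule bodies included.
        depth += line.count("{") - line.count("}")
        if depth == 0 and name and classify(props):
            findings[name] = classify(props)
    return findings

if __name__ == "__main__":
    for vs, why in unsupported_virtuals(SAMPLE_CONF).items():
        print(vs, ", ".join(why))
```

An internal virtual server can also carry a 0.0.0.0 destination, so one stanza may be reported with more than one reason.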