Last updated on: 2023-08-29 10:06:08.

F5 Virtual Network Functions Manager (VNFM)

F5 utilizes an orchestration framework to bring you the F5 Virtual Network Functions Manager (VNFM). This cloud orchestration tool uses OASIS TOSCA-compliant blueprints and plugins to manage the processing resources between your packet gateway and the Internet (Gi-LAN), in the following private cloud environments:

  • OpenStack v13 and Redhat OpenStack v16,
  • VMware ESXi v6.5 - 7.0.3,

auto-scaling your BIG-IP VE virtual machines, during high-volume periods. VNFM relies on the following F5 images:

  • BIG-IQ v6.0.1 and v8.2.0.1
  • BIG-IP and

to provide services such as, scaling services and scaling VNF resources, as well as load-balancing.

F5 VNFM solutions

F5 offers the following VNFM blueprint solutions with built-in services that your system can utilize:

Solution Description

An F5 blueprint and inputs file that instantiates a BIG-IQ HA pair that other VNFM solution blueprints use as a highly available license manager. This blueprint is responsible for creating and configuring the BIG-IQ instances automatically, as well as licensing and activating the host and pool ELA license automatically by way of the configuration node. The deployment outputs return the required license name and BIG-IQ address information to the other main, F5 solution blueprints (consult the following solutions). You can manually create and configure a BIG-IQ license manager; however, using this blueprint automates that process for you. The BIG-IQ blueprint solution supports the following additional configurations:

  • VMware ESXi
  • OpenStack

NOTE: Due to a limitation of BIG-IQ Virtual Edition, deploying BIG-IQ blueprint solution without DHCP requires L2 connectivity between VNFM and BIG-IQ machines. BIG-IQ REQUIRES a policy-compliant password. See knowledge article K49507549 for complete details.


VNFM is comprised of an F5 blueprint with specific parameters plus an inputs YAML file that defines those parameters with your system requirements. These components use plugins, enabling you to automatically deploy all the necessary pieces to create a highly-available set of services, deployed in service layers. These layers auto-scale virtual machines and services to provide a complete and fully configured set of lifecycle management workflows:

  1. Install (push button)
  2. Auto-Scale (out and in)
  3. Auto-Heal (with quarantine of instances for troubleshooting)
  4. Update (push button)
  5. Upgrade (push button)
  6. Delete (push button)

Use the Gi LAN blueprint for implementing policy enforcement, subscriber-awareness, application-classification, and other similar features.

You can also enable CGNAT with a provisioned address pool, using a CGNAT-enabled F5® BIG-IP® Application Services 3 Extension (AS3) and by defining CGNAT inputs.

Gi Firewall

VNFM is comprised of an F5 blueprint with specific parameters plus this solution also uses a similar inputs YAML file as the previous solution, which defines those parameters with your system requirements. These components use plugins enabling you to utilize firewall protection services like DDoS mitigation, and intrusion protection only.

You can also enable CGNAT with a provisioned address pool, using a CGNAT-enabled AS3 declaration and by defining CGNAT inputs.

Base The base F5 blueprint and an inputs YAML file enables you to deploy BIG-IP VEs in an open configuration model. No auto-scale and auto-heal functionality exists, but you can run scale and heal workflows, manually.
DNS The standalone F5 DNS solution for VNFM 1.3.1 and later ensures top-application performance by providing queries and name translation for client requests. This DNS solution translates top-level Internet domains, such as .com, .net, .gov, .edu, and .org. This solution blueprint will deploy into the same space as the Gi LAN solution; such as, between the packet gateway and the Internet. Scaling and usage-billing is based on queries translated/second, so once you reach the internally defined threshold, VNFM will auto-scale an additional layer to meet your system demands.
DNS Security VNF Service A single-purpose DNS+security blueprint for VNFM 1.4 and later, specifically designed to protect against DNS volumetric attacks. This security solution also includes a Standalone DNS security service layer. Scaling and usage-billing is based on queries cleaned/second, so once you reach the internally defined threshold, VNFM will auto-scale an additional layer to meet your system demands.
CGNAT-Offering A blueprint solution for VNFM 2.0 and later used to implement CGNAT VNFs on environments with VNFs homed on different networks, not connected to DAG layers, but instead connected to the packet gateway and the provider network.
PostgreSQL database For more control over your database and related processes, you can use your own external PostgreSQL hosted on a Centos VM. This feature is PREVIEW ONLY and may not work as expected.

VNFM orchestration framework

F5 uses an open source orchestration framework to create the VNFM. You can use the console manager to deploy the orchestration elements, or the VNFM CLI in the F5 VNF Manager ONLY. Each VFM solution deploys elements like a blueprint responsible for executing and managing the following orchestration components and processs:

  • Nodes—-all components in your network are listed in the nodes section (YAML list) in the blueprint YAML file, which defines the application topology of those components and the relationship between them.

  • Workflows—-the different automation processes for the application are defined in the workflow section of the blueprint YAML file. Workflows are orchestration algorithms written in an executable language (for example, Python) using dedicated, APIs. VNFM workflows are delivered by way of plugins.

  • Plugins-—communicate with external services, such as: cloud services like OpenStack or VMware, container-management systems like Kubernetes, configuration management tools like Ansible, and other communication protocols like HTTP and SSH. Plugins are Python Wheels (compiled modules) packaged together using Wagon. Plugins provide an abstraction for using a certain tool or API by providing TOSCA types and matching implementation code that you can use in your blueprints:

    Plugin Description
    f5-gilan-plugin Used to deploy F5 Service Layer infrastructure of BIG-IPs. This plugin contains all the logic for operating the VNFM solution deployed by all F5 blueprints.
    f5-ric-plugin F5 Resource Information Collector plugin used to collect Gi LAN Service Layer information and generate reports. Installation includes, uploading a wagon file (wagons/centos/f5_ric_plugin-0.4-py27-none-any-none-none.wgn) and ./plugin.yaml to your VNFM.
    vnfm-openstack-plugin Enables you to use an OpenStack-based cloud infrastructure for deploying services and applications, and provisioning resources in VNFM. For more information about OpenStack, consult
    vnfm-utilities-plugin Contains utilities for extending the use of F5 VNFM. Requires Python version 2.7.x and Pip version 9.0.1.
    vnfm–vsphere-plugin Contains built-in types and plugin definitions supporting VMware vSphere.
    vnfm-managed-nagios-plugin Used to install and configure Nagios on the Centos machine.
    vnfm-nagiosrest-plugin Used to interface the VNFM Nagios REST service and activate the system monitoring in Nagios.
    f5-bigiq-plugin Used to interface the VNFM with the BIG-IQ, so you can use the F5 VNF BIG-IQ blueprint to auto-configure the BIG-IQ license manager.


    Each plugin zip file consists of YAML TOSCA definition file and wagon implementation file.

    To view plugins in the VNF Manager, in the left-side menu click the Resources blade, and then click the Plugins tab.

F5 blueprint

A blueprint is a model (graph) of your application’s topology and its operations implementation written in a YAML Domain Specific Language (DSL). The F5 blueprint defines all node types and the relationship between each node, for example:

 - gilan_vnfd.yaml

   type: integer
   default: 1
 type: integer
 default: 1000

 type: integer
 default: 1
 type: integer
 default: 1000

 type: integer
 default: 1
 type: integer
 default: 1000


 type: f5.gilan.nodes.Configuration
   port: 443
   ssl: true
   verify: false
         template_file: templates/check-all-services.yaml
           username: { get_secret: bigip_username }
           password: { get_secret: bigip_admin_password }
           host: { get_attribute: [ SELF, target_host_ip ] }
   - type: relationships.contained_in
     target: pgw_lbs_ve
           implementation: gilan.gilan_plugin.relationship_lifecycle.copy_runtime_properties
               - value: {get_attribute: [TARGET, ip]}
                 name: target_host_ip
   - type: relationships.depends_on
     target: pgw_lbs_ve_revoke_license

F5 recommendations

F5 recommends the following guidelines when implementing VNFM for your organization:

  • Deploy the VNFM solution in a test environment first, to determine the scaling parameters and workflows required for your network traffic.

What’s Next?

Release notes