F5 Virtual Network Functions Manager (VNFM)

F5 utilizes an orchestration framework to bring you the F5 Virtual Network Functions Manager (VNFM). This cloud orchestration tool uses OASIS TOSCA-compliant blueprints and plugins to manage the processing resources between your packet gateway and the Internet (Gi-LAN) in a private cloud environment (such as OpenStack or VMware), auto-scaling your BIG-IP VE virtual machines during high-volume periods. VNFM relies on BIG-IQ 6.0.1 and BIG-IP or BIG-IP 14.1.X images to provide services such as scaling services and resources, load-balancing, and high availability (HA).

F5 VNFM solutions

F5 offers the following VNFM solutions with built-in services that your system can utilize:

Solution Description

An F5 blueprint and inputs file that instantiates a BIG-IQ HA pair that other VNFM solution blueprints use as a highly available license manager. This blueprint is responsible for creating and configuring the BIG-IQ instances automatically, as well as licensing and activating the host and pool ELA license automatically by way of the configuration node. The deployment outputs return the required license name and BIG-IQ address information to the other main F5 solution blueprints (see below). You can manually create and configure a BIG-IQ license manager; however, using this blueprint automates that process for you. The BIG-IQ blueprint solution supports the following additional configurations:

  • A VMware Integrated OpenStack (VIO) environment
  • Due to a limitation of BIG-IQ Version 6.0.1, deploying the BIG-IQ blueprint solution without DHCP requires L2 connectivity between the VNFM and BIG-IQ machines.

VNFM is comprised of an F5 blueprint with specific parameters plus an inputs YAML file that defines those parameters with your system requirements. These components use plugins, enabling you to automatically deploy all the necessary pieces to create a highly-available set of services, deployed in service layers. These layers auto-scale virtual machines and services to provide a complete and fully configured set of lifecycle management workflows:

  1. Install (push button)
  2. Auto-Scale (out and in)
  3. Auto-Heal (with quarantine of instances for troubleshooting)
  4. Update (push button)
  5. Upgrade (push button)
  6. Delete (push button)

Use the Gi LAN blueprint for implementing policy enforcement, subscriber-awareness, application-classification, and other similar features.

You can also enable CGNAT with a provisioned address pool, using a CGNAT-enabled AS3 declaration and by defining CGNAT inputs.

Gi Firewall

VNFM is comprised of an F5 blueprint with specific parameters. This solution also uses an inputs YAML file similar to that of the previous solution, which defines those parameters with your system requirements. These components use plugins, enabling you to utilize firewall protection services only, such as DDoS mitigation and intrusion protection.

You can also enable CGNAT with a provisioned address pool, using a CGNAT-enabled AS3 declaration and by defining CGNAT inputs.

Base

The base F5 blueprint and an inputs YAML file enable you to deploy BIG-IP VEs in an open configuration model. No auto-scale and auto-heal functionality exists, but you can run scale and heal workflows manually.

DNS

The standalone F5 DNS solution for VNFM 1.3.1 and later ensures top application performance by providing queries and name translation for client requests. This DNS solution translates top-level Internet domains, such as .com, .net, .gov, .edu, and .org. This solution blueprint deploys into the same space as the Gi LAN solution; that is, between the packet gateway and the Internet. Scaling and usage-billing is based on queries translated/second, so once you reach the internally defined threshold, VNFM auto-scales an additional layer to meet your system demands.

DNS Security VNF Service

A single-purpose DNS+security blueprint for VNFM 1.4 and later, specifically designed to protect against DNS volumetric attacks. This security solution also includes a standalone DNS security service layer. Scaling and usage-billing is based on queries cleaned/second, so once you reach the internally defined threshold, VNFM auto-scales an additional layer to meet your system demands.

CGNAT-Offering

A blueprint solution for VNFM 2.0 and later used to implement CGNAT VNFs on environments with VNFs homed on different networks, not connected to DAG layers, but instead connected to the packet gateway and the provider network.

VNFM orchestration framework

F5 uses an open source orchestration framework to create the VNFM. You can use the console manager to deploy the orchestration elements, or the VNFM CLI in the F5 VNF Manager only. Each VNFM solution deploys elements such as a blueprint responsible for executing and managing the following orchestration components and processes:

  • Nodes: all components in your network are listed in the nodes section (YAML list) in the blueprint YAML file, which defines the application topology of those components and the relationship between them.

  • Workflows: the different automation processes for the application are defined in the workflow section of the blueprint YAML file. Workflows are orchestration algorithms written in an executable language (for example, Python) using dedicated APIs. VNFM workflows are delivered by way of plugins.

  • Plugins: communicate with external services, such as cloud services like OpenStack or VMware, container-management systems like Kubernetes, configuration management tools like Ansible, and other communication protocols like HTTP and SSH. Plugins are Python Wheels (compiled modules) packaged together using Wagon. Plugins provide an abstraction for using a certain tool or API by providing TOSCA types and matching implementation code that you can use in your blueprints:

    - f5-gilan-plugin: Used to deploy the F5 Service Layer infrastructure of BIG-IPs. This plugin contains all the logic for operating the VNFM solution deployed by all F5 blueprints.
    - f5-ric-plugin: F5 Resource Information Collector plugin used to collect Gi LAN Service Layer information and generate reports. Installation includes uploading a wagon file (wagons/centos/f5_ric_plugin-0.4-py27-none-any-none-none.wgn) and ./plugin.yaml to your VNFM.
    - vnfm-openstack-plugin: Enables you to use an OpenStack-based cloud infrastructure for deploying services and applications, and provisioning resources in VNFM. For more information about OpenStack, see https://www.openstack.org/.
    - vnfm-utilities-plugin: Contains utilities for extending the use of F5 VNFM. Requires Python version 2.7.x and Pip version 9.0.1.
    - vnfm-vsphere-plugin: Contains built-in types and plugin definitions supporting VMware vSphere.
    - vnfm-managed-nagios-plugin: Used to install and configure Nagios on the CentOS machine.
    - vnfm-nagiosrest-plugin: Used to interface with the VNFM Nagios REST service and activate the system monitoring in Nagios.
    - f5-bigiq-plugin: Used to interface the VNFM with the BIG-IQ, so you can use the F5 VNF BIG-IQ blueprint to auto-configure the BIG-IQ license manager.


    Each plugin zip file consists of a YAML TOSCA definition file and a wagon implementation file.

F5 blueprint

A blueprint is a model (graph) of your application’s topology and its operations implementation written in a YAML Domain Specific Language (DSL). The F5 blueprint defines all node types and the relationship between each node, for example:

 - gilan_vnfd.yaml

   type: integer
   default: 1
 type: integer
 default: 1000

 type: integer
 default: 1
 type: integer
 default: 1000

 type: integer
 default: 1
 type: integer
 default: 1000


 type: f5.gilan.nodes.Configuration
   port: 443
   ssl: true
   verify: false
         template_file: templates/check-all-services.yaml
           username: { get_secret: bigip_username }
           password: { get_secret: bigip_admin_password }
           host: { get_attribute: [ SELF, target_host_ip ] }
   - type: relationships.contained_in
     target: pgw_lbs_ve
           implementation: gilan.gilan_plugin.relationship_lifecycle.copy_runtime_properties
               - value: {get_attribute: [TARGET, ip]}
                 name: target_host_ip
   - type: relationships.depends_on
     target: pgw_lbs_ve_revoke_license
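
The excerpt above sets verify: false on an ssl: true connection to port 443 and supplies credentials through get_secret references. The following check is an added example, not part of F5's blueprints or plugins: it walks an already-parsed blueprint and reports any mapping with verify: false (assumed here to mean the TLS certificate is not verified) and any username, password or token given as a literal string instead of a reference. The node names and the "properties"/"params" wrapper keys in the sample are hypothetical, because the excerpt does not show them.

```python
# Added example: lint a parsed blueprint for the two settings visible in the
# excerpt. Load a real file first with a YAML parser such as PyYAML's
# yaml.safe_load(); this block works on the resulting dicts and lists.

CRED_KEYS = ("username", "password", "token")


def audit(node, path="", findings=None):
    """Walk nested dicts/lists; return a list of (path, issue) tuples."""
    if findings is None:
        findings = []
    if isinstance(node, dict):
        # verify: false is assumed to mean the TLS certificate is not checked.
        if node.get("verify") is False:
            findings.append((path or "/", "tls-verify-disabled"))
        for key, value in node.items():
            child = f"{path}/{key}"
            # A credential should be a reference such as {get_secret: ...},
            # which parses to a dict; a plain string is a literal in the file.
            if str(key).lower() in CRED_KEYS and isinstance(value, str):
                findings.append((child, "literal-credential"))
            audit(value, child, findings)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            audit(item, f"{path}/{index}", findings)
    return findings


# Constructed sample. Node names and the "properties"/"params" wrapper keys
# are hypothetical; only the leaf settings mirror the excerpt.
SAMPLE = {
    "node_templates": {
        "example_config_node": {
            "type": "f5.gilan.nodes.Configuration",
            "properties": {"port": 443, "ssl": True, "verify": False},
            "params": {
                "username": {"get_secret": "bigip_username"},
                "password": {"get_secret": "bigip_admin_password"},
            },
        },
        "example_static_creds": {
            "type": "f5.gilan.nodes.Configuration",
            "properties": {"port": 443, "ssl": True, "verify": True},
            "params": {"username": "admin", "password": "constructed-literal"},
        },
    }
}

if __name__ == "__main__":
    for where, issue in audit(SAMPLE):
        print(f"{issue:22} {where}")
```
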

F5 recommendations

F5 recommends the following guidelines when implementing VNFM for your organization:

  • Deploy the VNFM solution in a test environment first, to determine the scaling parameters and workflows required for your network traffic.
  • If implementing High Availability, deploy three VNF Managers (see the High availability guide).
