F5BigCneSnatpool

Overview

The F5BigCneSnatpool Custom Resource (CR) configures the Traffic Management Microkernel (TMM) Proxy Pod to perform source network address translations (SNAT) on egress network traffic. When clients connect to resources through TMM, the source IP address of the egress packet is translated to one of the IP addresses in the SNAT pool. Once configured and installed, the F5BigCneSnatpool CR can be referenced by the F5BigContextSecure and F5BigDnsApp CRs to process traffic.

This document guides you through understanding, configuring and deploying a simple F5BigCneSnatpool CR.

Scaling TMM

When scaling the TMM Proxy Pod beyond a single instance in the namespace, the F5BigCneSnatpool CR must be configured to provide a SNAT pool to each TMM replica. The first SNAT pool in the list is applied to the first TMM replica, the second SNAT pool to the second TMM replica, and so on through the list.

Important: When configuring SNAT pools with multiple IP subnets, ensure all TMM replicas receive the same IP subnets.

Example CR:

 apiVersion: "k8s.f5net.com/v1"
 kind: F5BigCneSnatpool
 metadata:
   name: "egress-snatpool"
   namespace: cnf-gateway
 spec:
   name: "egress_snatpool"
   addressList:
     - - 10.244.10.1
       - 10.244.20.1
       - 2002::10:244:10:1
       - 2002::10:244:20:1
     - - 10.244.10.2
       - 10.244.20.2
       - 2002::10:244:10:2
       - 2002::10:244:20:2
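The two rules above (one pool per TMM replica, and the same subnets in every replica's pool) are easy to get wrong by hand once the list grows. The following checker is an added example, not F5 code or documentation; it validates a CR spec against the intended replica count and flags replicas whose subnets differ or addresses that appear in more than one pool. The CR does not carry prefix lengths, so the /24 and /112 used to group addresses into subnets are assumptions passed as parameters; the embedded spec is the page's example CR, copied inline so the script runs offline (in practice you would load it with a YAML parser and pass cr["spec"]).

```python
"""Validate an F5BigCneSnatpool addressList against the TMM replica count.

Added example, not part of F5's documentation or tooling.
"""
import ipaddress
from collections import Counter

# Page's example CR spec, embedded as a dict so the check runs offline.
# In practice: cr = yaml.safe_load(open("cnf-snatpool-crd.yaml")); spec = cr["spec"]
EXAMPLE_SPEC = {
    "name": "egress_snatpool",
    "addressList": [
        ["10.244.10.1", "10.244.20.1", "2002::10:244:10:1", "2002::10:244:20:1"],
        ["10.244.10.2", "10.244.20.2", "2002::10:244:10:2", "2002::10:244:20:2"],
    ],
}


def subnet_of(addr: str, v4_prefix: int = 24, v6_prefix: int = 112) -> str:
    """Subnet key for an address. The prefix lengths are assumptions: the CR
    does not state them, so the caller supplies the ones used on the VLANs."""
    ip = ipaddress.ip_address(addr)
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def check_snatpool(spec: dict, tmm_replicas: int,
                   v4_prefix: int = 24, v6_prefix: int = 112) -> list:
    """Return a list of problem strings; an empty list means the pool passes."""
    problems = []
    pools = spec.get("addressList", [])

    # Rule 1: one pool per TMM replica (extra pools are harmless, missing ones are not).
    if len(pools) < tmm_replicas:
        problems.append(f"only {len(pools)} pool(s) for {tmm_replicas} TMM replicas")

    seen = Counter()
    per_replica_subnets = []
    for idx, pool in enumerate(pools):
        subnets = set()
        for addr in pool:
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                problems.append(f"pool {idx}: invalid address {addr!r}")
                continue
            seen[addr] += 1
            subnets.add(subnet_of(addr, v4_prefix, v6_prefix))
        per_replica_subnets.append(subnets)

    # Two replicas sharing a SNAT address would both claim the return traffic.
    for addr, count in seen.items():
        if count > 1:
            problems.append(f"address {addr} appears in {count} pools")

    # Rule 2 (the Important note): every replica must receive the same subnets.
    if per_replica_subnets:
        reference = per_replica_subnets[0]
        for idx, subnets in enumerate(per_replica_subnets[1:], start=1):
            if subnets != reference:
                problems.append(
                    f"pool {idx} subnets {sorted(subnets)} differ from pool 0 {sorted(reference)}")
    return problems


if __name__ == "__main__":
    for problem in check_snatpool(EXAMPLE_SPEC, tmm_replicas=2) or ["ok"]:
        print(problem)
```

Run it before `kubectl apply` with the replica count you set for the TMM Deployment; an empty result means each replica gets its own pool and every pool spans the same IPv4 and IPv6 subnets.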

CR shortName

CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigCneSnatpool CR shortName is snatpool.

View CR instance:

kubectl get snatpool -n <namespace>

View CR configuration:

kubectl get snatpool -n <namespace> -o yaml

Example deployment: (diagram of the SNAT pool CR deployment; image not included in this text)

Note: The SNAT Pool CR supports both IPv4 and IPv6 addresses.

Advertising address lists

By default, SNAT Pool IP addresses are not advertised (redistributed) to BGP neighbors. To advertise SNAT Pool IP addresses, you must configure a prefixList and routeMaps when installing the BIG-IP Controller. For configuration assistance, refer to the BGP Overview.

Requirements

Ensure you have:

  • Created an external and internal F5BigNetVlan.
  • A Linux based workstation.

Installation

Use the following steps to install the example F5BigCneSnatpool CR.

  1. Copy the example F5BigCneSnatpool into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigCneSnatpool
    metadata:
      name: "egress-snatpool"
      namespace: cnf-gateway
    spec:
      name: "egress_snatpool"
      addressList:
        - - 10.244.10.1
          - 10.244.20.1
          - 2002::10:244:10:1
          - 2002::10:244:20:1
        - - 10.244.10.2
          - 10.244.20.2
          - 2002::10:244:10:2
          - 2002::10:244:20:2
    
  2. Install the F5BigCneSnatpool CR:

    kubectl apply -f cnf-snatpool-crd.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigCneSnatpool CR was added/updated:

    I0202 12:00:00:12350    1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext",
    F5Snatpool cnf-gateway/46_snatpool was added/updated
    
  3. To verify the SNAT pool IP address mappings on the TMMs, use any one of the following methods:

    • Method 1: For individual TMMs, log in to the debug sidecar and run the following command to view the SNAT pool members:

      tmctl -w 120 -d blade pool_member_stat -s pool_name,addr
      

      The addresses are displayed as 128-bit addresses in hexadecimal; IPv4 members appear as IPv4-mapped IPv6 addresses. For example, the 10.244.10.1 address is displayed as 00:00:00:00:00:00:00:00:00:00:FF:FF:0A.F4.0A.01:00:00:00:00.
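Reading the hexadecimal form by eye is error-prone, so the following decoder is an added example (not F5 documentation or tooling) that turns the tmctl addr field back into a printable address and compares what a TMM reports against the CR's addressList entry for that replica. It assumes the field is 20 byte values separated by ':' or '.', of which the first 16 are the address and IPv4 members are IPv4-mapped (::ffff:a.b.c.d); the page does not explain the trailing four bytes, so they are ignored. The sample rows are constructed, and their two-column layout is an assumption; only the address format is from the page.

```python
"""Decode the addr column of tmctl pool_member_stat output.

Added example, not part of F5's documentation or tooling.
"""
import ipaddress
import re

# Constructed rows in the shape of `tmctl -w 120 -d blade pool_member_stat -s pool_name,addr`.
# Column layout is an assumption; the hex address format is the one shown on the page.
SAMPLE_OUTPUT = """\
pool_name        addr
---------------- -----------------------------------------------------------
egress_snatpool  00:00:00:00:00:00:00:00:00:00:FF:FF:0A.F4.0A.01:00:00:00:00
egress_snatpool  00:00:00:00:00:00:00:00:00:00:FF:FF:0A.F4.14.01:00:00:00:00
egress_snatpool  20:02:00:00:00:00:00:00:00:10:02:44:00:10:00:01:00:00:00:00
"""

# Matches a run of hex byte pairs separated by ':' or '.', as tmctl prints them.
_HEX_FIELD = re.compile(r"[0-9A-Fa-f]{2}([:.][0-9A-Fa-f]{2})+")


def decode_tmm_addr(field: str) -> str:
    """Convert a tmctl hex address to dotted IPv4 or compressed IPv6 text."""
    octets = [int(tok, 16) for tok in re.split(r"[:.]", field.strip())]
    if len(octets) < 16:
        raise ValueError(f"expected at least 16 octets, got {len(octets)}: {field!r}")
    # First 16 bytes are the address; trailing bytes (assumed metadata) are dropped.
    ip6 = ipaddress.IPv6Address(bytes(octets[:16]))
    # IPv4 pool members come back as ::ffff:a.b.c.d; unwrap them.
    return str(ip6.ipv4_mapped or ip6)


def parse_pool_member_stat(text: str) -> dict:
    """Map pool_name -> list of decoded member addresses, skipping header/separator rows."""
    members = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not _HEX_FIELD.fullmatch(parts[1]):
            continue
        members.setdefault(parts[0], []).append(decode_tmm_addr(parts[1]))
    return members


def missing_members(observed: dict, expected: list, pool_name: str) -> list:
    """Addresses from the CR's addressList entry for this TMM that the TMM did not report."""
    seen = {ipaddress.ip_address(a) for a in observed.get(pool_name, [])}
    return [a for a in expected if ipaddress.ip_address(a) not in seen]


if __name__ == "__main__":
    observed = parse_pool_member_stat(SAMPLE_OUTPUT)
    print(observed)
    expected_first_replica = ["10.244.10.1", "10.244.20.1",
                              "2002::10:244:10:1", "2002::10:244:20:1"]
    print("missing:", missing_members(observed, expected_first_replica, "egress_snatpool"))
```

Feed it the captured tmctl output from each TMM together with that replica's entry from the CR; a non-empty missing list on any replica means the pool was not applied as written.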

    • Method 2: If dynamicRouting was enabled in the TMM section of the Helm override file at startup, the following method can be used to verify the SNAT pool membership.

      i. Execute into f5-tmm-routing container:

      kubectl exec -it f5-tmm-67d54df997-p7ntl -c f5-tmm-routing -- bash
      

      ii. Run the Integrated Management Interface Shell (IMISH) command:

      I have no name!@f5-tmm-67d54df997-p7ntl:/code$ imish
      

      iii. Run show ip route command:

      f5-tmm-67d54df997-p7ntl[0]>show ip route
      Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
          O - OSPF, IA - OSPF inter area
          N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
          E1 - OSPF external type 1, E2 - OSPF external type 2
          i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
          * - candidate default
      IP Route Table for VRF "default"
      K       10.244.10.1/32 [0/0] is directly connected, tmm
      K       10.244.20.1/32 [0/0] is directly connected, tmm
      C       10.244.99.91/32 is directly connected, eth0
      C       11.11.11.0/24 is directly connected, tmm-client
      C       22.22.22.0/24 is directly connected, tmm-server
      C       127.20.0.0/16 is directly connected, tmm_bp
      C       169.254.0.0/24 is directly connected, tmm
      Gateway of last resort is not set
      

      iv. Run show ipv6 route command:

      f5-tmm-67d54df997-p7ntl[0]>show ipv6 route
      IPv6 Routing Table
      Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
            IA - OSPF inter area, E1 - OSPF external type 1,
            E2 - OSPF external type 2, N1 - OSPF NSSA
            external type 1,
            N2 - OSPF NSSA external type 2, I - IS-IS, B - BGP
      Timers: Uptime
      
      IP Route Table for VRF "default"
      C      2002::11:11:11:0/112 via ::, tmm-client, 00:04:52
      C      2002::22:22:22:0/112 via ::, tmm-server, 00:04:52
      K      2002::10:244:10:1/128 [0/0] via ::, tmm, 00:04:50
      K      2002::10:244:20:1/128 [0/0] via ::, tmm, 00:04:50
      C      fd00:10:244:25:4aa:40cb:5dc6:8b9a/128 via ::, eth0, 00:05:20
      C      fe80::/64 via ::, tmm-server, 00:04:52
      
  4. The example F5BigContextSecure CR listens for connections destined to IP addresses in the 2002::200:200:200:0/112 subnet, and only on the subscriber-vlan interface. The CR also references the F5BigCneSnatpool profile. Copy and paste the example into a YAML file:

    apiVersion: k8s.f5net.com/v1
    kind: F5BigContextSecure
    metadata:
      name: "cnf-context"
      namespace: "cnf-gateway"
    spec:
      ipv6destinationAddress: "2002::200:200:200:0/112"
      destinationPort: 0
      ipProtocol: "tcp"
      profile: "tcp"
      snat:
        type: "snat"
        pool: "egress_snatpool"
      vlans:
        vlanList:
          - "subscriber-vlan"
    
  5. Install the F5BigContextSecure CR:

    kubectl apply -f f5-cnf-context.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:

    I0202 12:00:00:12350    1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext",
    SecureContext cnf-gateway/cnf-context was added/updated
    
  6. Continue to the Next step section to begin using the F5BigCneSnatpool.

Next step

Select and install one of the Traffic Management CNF CRs to begin processing application traffic:

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.