Deploying CIS with BIG-IP HA

When deploying F5 Container Ingress Services (CIS) with BIG-IP in a High Availability (HA) setup, the choice of Container Network Interface (CNI) and its configuration can significantly impact how CIS interacts with the HA pair (active/standby BIG-IP units).

Single CIS with Floating Self IP and Failover

In this model, CIS points to a floating self IP, and failover is automatically handled by the BIG-IP HA mechanism. This configuration simplifies deployment by requiring only one CIS instance.

Prerequisites:

  • BIG-IP HA is configured with auto sync enabled.
  • Floating IPs are assigned to the relevant traffic group.
  • BIG-IP management port is enabled on the floating self IP address.

Supported Configurations

You can use a single CIS instance in the following scenarios:

  1. NodePort mode
     • CIS operates in NodePort mode, which is CNI-agnostic, making it compatible with most CNIs.
     • Floating self IP handles the failover seamlessly.
  2. NodePortLocal mode with Antrea CNI
     • When CIS is configured in NodePortLocal mode with Antrea CNI, it supports failover with a floating self IP.
     • NodePortLocal improves performance by sending traffic directly to the local node.
  3. Static Routes

When CIS is configured with Static Route Support, the following CNIs support a single CIS instance pointing to the floating self IP, with failover handled by BIG-IP HA:

  • OVN-Kubernetes
  • Cilium
  • Calico
  • Flannel
  • Antrea
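
For the NodePort case above, the only HA-specific setting is that the BIG-IP URL is the floating self IP rather than either unit's own management address. The manifest below is an added example, not taken from the F5 documentation; the namespace, resource names, Secret and ConfigMap names, partition, image tag and the address 192.0.2.10 are placeholder assumptions.

```yaml
# Added example: single CIS instance, NodePort mode, BIG-IP HA pair.
# Names, namespace, image tag and 192.0.2.10 are placeholders (assumptions).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: k8s-bigip-ctlr
  namespace: kube-system
spec:
  replicas: 1                      # one CIS instance serves the whole HA pair
  selector:
    matchLabels:
      app: k8s-bigip-ctlr
  template:
    metadata:
      labels:
        app: k8s-bigip-ctlr
    spec:
      serviceAccountName: bigip-ctlr
      containers:
        - name: k8s-bigip-ctlr
          image: "f5networks/k8s-bigip-ctlr:<version>"
          command: ["/app/bin/k8s-bigip-ctlr"]
          args:
            # Floating self IP with the management port enabled; it follows
            # the active unit, so CIS reconnects to the new active after failover.
            - --bigip-url=192.0.2.10
            - --bigip-partition=kubernetes
            # CNI-agnostic mode: pool members are node IPs and NodePorts.
            - --pool-member-type=nodeport
            # Read BIG-IP username/password from a mounted Secret instead of
            # passing them as plain-text arguments.
            - --credentials-directory=/tmp/creds
            # Validate the BIG-IP certificate against a CA bundle in a ConfigMap.
            - --trusted-certs-cfgmap=kube-system/trusted-certs
          volumeMounts:
            - name: bigip-creds
              mountPath: /tmp/creds
              readOnly: true
      volumes:
        - name: bigip-creds
          secret:
            secretName: bigip-login   # keys: username, password
```

The configuration CIS writes to the active unit reaches the standby only through config sync, which is why auto sync is listed as a prerequisite for this model.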

Two CIS Instances (One per BIG-IP)

Certain CNIs or scenarios require two CIS instances due to limitations with tunnel-based routing or missing HA synchronisation capabilities.

Prerequisites:

  • CIS is configured in ClusterIP mode or Auto mode. Refer to Deployments Options for detailed information.
  1. VXLAN-Based CNIs

These CNIs rely on VXLAN tunnels, which are not auto-synced during a failover event, requiring one CIS per BIG-IP:

  • Cilium
  • Flannel
  • OpenShift SDN
  2. Calico with BGP Protocol
     • When Calico is configured with BGP, it requires two CIS instances because BGP handles routing independently per BIG-IP.
  3. BIG-IP HA without Auto Sync
     • If auto sync is disabled in BIG-IP HA, dual CIS instances are necessary to ensure continuous traffic handling.