Install the BIG-IP Controller: Marathon

The BIG-IP Controller for Marathon installs as a Marathon Application.

Task Summary
Step Task
Initial Setup
Set up RBAC Authentication
Launch the BIG-IP Controller for Marathon
Upload the App to the Marathon API server
Verify creation

Initial Setup

  1. If you want to use BIG-IP High Availability (HA), set up two or more F5 BIG-IPs in a Device Service Cluster (DSC).

  2. Create a new partition on your BIG-IP system.


    • The BIG-IP Controller can not manage objects in the /Common partition.
    • [Optional] The Controller can declare the IP addresses it configures on the BIG-IP with a Route Domain identifier. You may want to use route domains if you have many applications using the same IP address space that need isolation from one another. After you create the partition on your BIG-IP system, you can 1) create a route domain and 2) assign the route domain as the partition’s default. See create and set a non-zero default Route Domain for a partition for setup instructions.
    • [Optional] If you’re using a BIG-IP HA pair or cluster, sync your changes across the group.

Set up RBAC Authentication

Set up authentication to your secure DC/OS cluster.

See the Mesosphere DC/OS Security documentation for more information.

Launch the BIG-IP Controller for Marathon

Define a Marathon Application using valid JSON. See the marathon-bigip-ctlr configuration parameters reference for all supported configuration options.


The BIG-IP Controller requires Administrator permissions in order to provide full functionality.

// See marathon-bigip-ctlr docs for information about all available configuration
// options
  "id": "marathon-bigip-ctlr",
  "cpus": 0.5,
  "mem": 64.0,
  "instances": 1,
  "container": {
    "type": "DOCKER",
    "docker": {
      "image": "f5networks/marathon-bigip-ctlr:1.3.0",
      "network": "BRIDGE"
  "env": {
    "MARATHON_URL": "",
    "F5_CC_PARTITIONS": "mesos",
    "F5_CC_BIGIP_USERNAME": "admin",
    "F5_CC_BIGIP_PASSWORD": "admin",
    "F5_CC_DCOS_AUTH_CREDENTIALS": "{ \"scheme\": \"RS256\", \"uid\": \"my-dcos-account\", \"login_endpoint\": \"\", \"private_key\": \"<my-private_key-string>\" }",
    "F5_CC_DCOS_AUTH_TOKEN": "<authentication-token>"
    "F5_CC_MARATHON_CA_CERT": "<marathon_ca_cert>",


Use BIG-IP SNAT Pools and SNAT automap


By default, the BIG-IP Controller uses BIG-IP Automap SNAT for all of the virtual servers it creates. From marathon-bigip-ctlr v1.3.0 forward, you can designate a specific SNAT pool in the Controller Application instead of using SNAT automap.

See BIG-IP SNATs and SNAT automap for more information.

To use a specific SNAT pool, add the following label to the BIG-IP Controller Application file:

"F5_CC_VS_SNAT_POOL_NAME": "<name-of-snat-pool>"

Replace <snat-pool> with the name of any SNAT pool that already exists in the /Common partition on the BIG-IP device. The BIG-IP Controller cannot define a new SNAT pool for you.


Upload the App to the Marathon API server

You can use a curl command to upload the App definition to the Marathon API server.

curl -X POST -H "Content-Type: application/json" http://<marathon_uri>/v2/apps -d @marathon-bigip-ctlr.json

Verify creation

Send a GET request to the Marathon API server to verify successful creation of the BIG-IP Controller App.


You can pass the response through a pretty-print tool like jq for better readability.

curl -X GET http://<marathon_uri>/v2/apps/marathon-bigip-ctlr | jq .