Appendix B: Additional Example Declarations

This section contains a number of additional example declarations you can use. The numbering of these examples continues from the Examples section. Use the links on the left to go directly to a specific example.

If you want to see an example that uses all of the available AS3 properties, see Appendix C: Declaration using all AS3 Properties.

Example 5: HTTP with no compression, BIG-IP tcp profile, iRule for pool

In example 5, we create separate internal and external pools, and use an iRule to direct traffic based on the IP address of the client. This example creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_05.
  • Virtual server (HTTP) named serviceMain (called _A1 in the BIG-IP GUI).
  • A TCP profile using the mptcp-mobile-optimized parent. The bigip keyword used in the declaration's profileTCP property is defined in the TCP profile section of the schema and tells the system to look for the pathname of an existing TCP profile.
  • Two pools named dfl_pool and pvt_pool, each with 2 members monitored by the default HTTP health monitor.
  • An iRule which sends internal users to a private pool based on their IP address.
{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "urn:uuid:a858e55e-bbe6-42ce-a9b9-0f4ab33e3bf7",
    "label": "Sample 5",
    "remark": "HTTP with no compression, BIG-IP tcp profile, iRule for pool",
    "constants": {
      "myNotes": "F5 suggested I timestamp declarations, so...",
      "timestamp": "2017-11-27T18:26:45Z",
      "anotherProperty": "And I can put anything I want here...",
      "someUsefulNumber": 3.14159265
    },
    "Sample_05": {
      "class": "Tenant",
      "A1": {
        "class": "Application",
        "template": "http",
        "serviceMain": {
          "class": "Service_HTTP",
          "virtualAddresses": [
            "10.0.3.10"
          ],
          "pool": "dfl_pool",
          "profileHTTPCompression": "basic",
          "iRules": [
            "choose_pool"
          ],
          "profileTCP": {
            "bigip": "/Common/mptcp-mobile-optimized"
          }
        },
        "dfl_pool": {
          "class": "Pool",
          "monitors": [
            "http"
          ],
          "members": [{
            "servicePort": 80,
            "serverAddresses": [
              "192.0.3.10",
              "192.0.3.11"
            ]
          }]
        },
        "pvt_pool": {
          "class": "Pool",
          "monitors": [
            "http"
          ],
          "members": [{
            "servicePort": 80,
            "serverAddresses": [
              "192.0.3.20",
              "192.0.3.21"
            ]
          }]
        },
        "choose_pool": {
          "class": "iRule",
          "remark": "choose private pool based on IP",
          "iRule": "when CLIENT_ACCEPTED {\nif {[IP::client_addr] starts_with \"10.\"} {\n pool `*pvt_pool`\n }\n}"
        }
      }
    }
  }
}


Example 6: TCP load-balanced to ICAP with custom monitor

This example creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_06.
  • A TCP virtual server named serviceMain on port 1344 (called _A1 in the BIG-IP GUI).
  • A TCP profile using the mptcp-mobile-optimized parent.
  • A pool named svc_pool containing two members (also using port 1344).
  • A custom TCP health monitor with custom Send and Receive strings for ICAP.
{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "123456abcd",
    "label": "Sample 6",
    "remark": "TCP load-balanced to ICAP with custom monitor",
    "Sample_06": {
      "class": "Tenant",
      "A1": {
        "class": "Application",
        "template": "tcp",
        "serviceMain": {
          "class": "Service_TCP",
          "virtualAddresses": [
            "10.0.5.10"
          ],
          "virtualPort": 1344,
          "pool": "svc_pool"
        },
        "svc_pool": {
          "class": "Pool",
          "monitors": [{
            "use": "icap_monitor"
          }],
          "members": [{
            "servicePort": 1344,
            "serverAddresses": [
              "192.0.5.10",
              "192.0.5.11"
            ]
          }]
        },
        "icap_monitor": {
          "class": "Monitor",
          "monitorType": "tcp",
          "send": "OPTIONS icap://icap.example.net/ ICAP/1.0\r\nUser-Agent: f5-ADC\r\n\r\n",
          "receive": "ICAP/1.0 200 OK",
          "adaptive": false
        }
      }
    }
  }
}


Example 7: HTTP with custom persistence

This example creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_07.
  • An HTTP virtual server named serviceMain (called _A1 in the BIG-IP GUI).
  • A pool named web_pool containing two members using the HTTP health monitor.
  • A custom persistence profile based on cookie persistence for JSESSIONID.
{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "fghijkl7890",
    "label": "Sample 7",
    "remark": "HTTP with custom persistence",
    "Sample_07": {
      "class": "Tenant",
      "A1": {
        "class": "Application",
        "template": "http",
        "serviceMain": {
          "class": "Service_HTTP",
          "virtualAddresses": [
            "10.0.6.10"
          ],
          "pool": "web_pool",
          "persistenceMethods": [{
            "use": "jsessionid"
          }]
        },
        "web_pool": {
          "class": "Pool",
          "monitors": [
            "http"
          ],
          "members": [{
            "servicePort": 80,
            "serverAddresses": [
              "192.0.6.10",
              "192.0.6.11"
            ]
          }]
        },
        "jsessionid": {
          "class": "Persist",
          "persistenceMethod": "cookie",
          "cookieMethod": "hash",
          "cookieName": "JSESSIONID"
        }
      }
    }
  }
}


Example 8: HTTP with additional virtual service for corporate clients

This example creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_08.
  • Two HTTP virtual servers named serviceMain (called _A1 in the BIG-IP GUI) and pvt_vs.
  • A pool named web_pool containing two members using the HTTP health monitor. Both virtual servers reference this pool.
  • A custom persistence profile based on cookie persistence for JSESSIONID.
{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "urn:uuid:76f06c5a-b673-430d-8df4-d817cb3b9f3c",
    "label": "Sample 8",
    "remark": "HTTP with extra corp-only virtual",
    "controls": {
      "trace": true
    },
    "Sample_08": {
      "class": "Tenant",
      "A1": {
        "class": "Application",
        "template": "http",
        "serviceMain": {
          "class": "Service_HTTP",
          "virtualAddresses": [
            "10.0.7.10"
          ],
          "pool": "web_pool",
          "persistenceMethods": [{
            "use": "jsessionid"
          }]
        },
        "pvt_vs": {
          "class": "Service_HTTP",
          "remark": "Serves corporate LAN clients only",
          "virtualAddresses": [
            [
              "10.1.7.10",
              "10.0.0.0/8"
            ]
          ],
          "snatpool": "auto",
          "pool": "web_pool"
        },
        "web_pool": {
          "class": "Pool",
          "monitors": [
            "http"
          ],
          "members": [{
            "servicePort": 80,
            "serverAddresses": [
              "192.0.7.10",
              "192.0.7.11"
            ]
          }]
        },
        "jsessionid": {
          "class": "Persist",
          "persistenceMethod": "cookie",
          "cookieMethod": "hash",
          "cookieName": "JSESSIONID"
        }
      }
    }
  }
}


Example 9: HTTP and HTTPS virtual services in one declaration

This example creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_09.
  • An HTTP virtual server named serviceMain (called _A1 in the BIG-IP GUI) and an HTTPS virtual server named A2.
  • A pool named gce_pool and a pool named web_pool, each containing two members using the HTTP health monitor.
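  • TLS/SSL profile (including certificate and private key) named TLS_Server. In the BIG-IP UI, this is a Client SSL profile. The certificate, private key and passphrase shown are published sample material: the passphrase's protected header decodes to alg "dir" / enc "none", so its ciphertext is only base64-encoded, not encrypted. Never reuse this key material, and treat any declaration that embeds a private key and passphrase as sensitive.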
{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "lmnop543421",
    "label": "Sample 9",
    "remark": "An HTTP and an HTTPS application",
    "controls": {
      "trace": true
    },
    "Sample_09": {
      "class": "Tenant",
      "A1": {
        "class": "Application",
        "template": "http",
        "serviceMain": {
          "class": "Service_HTTP",
          "virtualAddresses": [
            "10.0.9.10"
          ],
          "pool": "gce_pool"
        },
        "gce_pool": {
          "class": "Pool",
          "monitors": [
            "http"
          ],
          "members": [{
            "servicePort": 80,
            "serverAddresses": [
              "192.0.7.10",
              "192.0.7.11"
            ]
          }]
        }
      },
      "A2": {
        "class": "Application",
        "template": "https",
        "serviceMain": {
          "class": "Service_HTTPS",
          "virtualAddresses": [
            "10.0.9.20"
          ],
          "pool": "web_pool",
          "serverTLS": "webtls"
        },
        "web_pool": {
          "class": "Pool",
          "monitors": [
            "http"
          ],
          "members": [{
            "servicePort": 80,
            "serverAddresses": [
              "192.0.9.10",
              "192.0.9.11"
            ]
          }]
        },
        "webtls": {
          "class": "TLS_Server",
          "certificates": [{
            "certificate": "webcert"
          }]
        },
        "webcert": {
          "class": "Certificate",
          "remark": "in practice we recommend using a passphrase",
          "certificate": "-----BEGIN CERTIFICATE-----\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\n-----END CERTIFICATE-----",
          "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,D8FFCE6B255601587CB54EC29B737D31\n\nkv4Fc3Jn0Ujkj0yRjt+gQQfBLSNF2aRLUENXnlr7Xpzqu0Ahr3jS1bAAnd8IWnsR\nyILqVmKsYF2DoHh0tWiEAQ7/y/fe5DTFhK7N4Wml6kp2yVMkP6KC4ssyYPw27kjK\nDBwBZ5O8Ioej08A5sgsLCmglbmtSPHJUn14pQnMTmLOpEtOsu6S+2ibPgSNpdg0b\nCAJNG/KHe+Vkx59qNDyDeKb7FZOlsX30+y67zUq9GQqJEDuysPJ2BUNP0IJXAjst\nFIt1qNoZew+5KDYs7u/lPxcMGTirUhgI84Jy4WcDvSOsP/tKlxj04TbIE3epmSKy\n+TihHkwY7ngIGtcm3Sfqk5jz2RXoj1/Ac3SW8kVTYaOUogBhn7zAq4Wju6Et4hQG\nRGapsJp1aCeZ/a4RCDTxspcKoMaRa97/URQb0hBRGx3DGUhzpmX9zl7JI2Xa5D3R\nmdBXtjLKYJTdIMdd27prBEKhMUpae2rz5Mw4J907wZeBq/wu+zp8LAnecfTe2nGY\nE32x1U7gSEdYOGqnwxsOexb1jKgCa67Nw9TmcMPV8zmH7R9qdvgxAbAtwBl1F9OS\nfcGaC7epf1AjJLtaX7krWmzgASHl28Ynh9lmGMdv+5QYMZvKG0LOg/n3m8uJ6sKy\nIzzvaJswwn0j5P5+czyoV5CvvdCfKnNb+3jUEN8I0PPwjBGKr4B1ojwhogTM248V\nHR69D6TxFVMfGpyJhCPkbGEGbpEpcffpgKuC/mEtMqyDQXJNaV5HO6HgAJ9F1P6v\n5ehHHTMRvzCCFiwndHdlMXUjqSNjww6me6dr6LiAPbejdzhL2vWx1YqebOcwQx3G\n-----END RSA PRIVATE KEY-----",
          "passphrase": {
            "ciphertext": "ZjVmNQ==",
            "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
          }
        }
      }
    }
  }
}


Example 10: Two applications sharing a pool

In this example, we show a declaration that creates two applications that use the same load balancing pool. In this scenario, one of our virtual servers is for HTTP (port 80) traffic and one for HTTPS (port 443) traffic.

It creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_10.
  • Three virtual servers: one HTTP, one HTTPS, and a redirect. The names are _A1, _A2, and _A2-Redirect (created by default to redirect port 80 traffic to 443).
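  • TLS/SSL profile (including certificate and private key) named TLS_Server. In the BIG-IP UI, this is a Client SSL profile. The certificate, private key and passphrase shown are published sample material: the passphrase's protected header decodes to alg "dir" / enc "none", so its ciphertext is only base64-encoded, not encrypted. Never reuse this key material, and treat any declaration that embeds a private key and passphrase as sensitive.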
  • Pool named dual_pool with 2 members monitored by the default HTTP health monitor. Both virtual servers reference this same pool.
{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "zyxwu8675309",
    "label": "Sample 10",
    "remark": "Two applications sharing a pool",
    "Sample_10": {
      "class": "Tenant",
      "Shared": {
        "class": "Application",
        "template": "shared",
        "dual_pool": {
          "class": "Pool",
          "monitors": [
            "http"
          ],
          "members": [{
            "servicePort": 80,
            "serverAddresses": [
              "192.0.10.10",
              "192.0.10.11"
            ]
          }]
        }
      },
      "A1": {
        "class": "Application",
        "template": "http",
        "serviceMain": {
          "class": "Service_HTTP",
          "virtualAddresses": [
            "10.0.10.10"
          ],
          "pool": "/Sample_10/Shared/dual_pool"
        }
      },
      "A2": {
        "class": "Application",
        "template": "https",
        "serviceMain": {
          "class": "Service_HTTPS",
          "virtualAddresses": [
            "10.0.10.20"
          ],
          "pool": "/Sample_10/Shared/dual_pool",
          "serverTLS": "webtls"
        },
        "webtls": {
          "class": "TLS_Server",
          "certificates": [{
            "certificate": "webcert"
          }]
        },
        "webcert": {
          "class": "Certificate",
          "remark": "in practice we recommend using a passphrase",
          "certificate": "-----BEGIN CERTIFICATE-----\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\n-----END CERTIFICATE-----",
          "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,D8FFCE6B255601587CB54EC29B737D31\n\nkv4Fc3Jn0Ujkj0yRjt+gQQfBLSNF2aRLUENXnlr7Xpzqu0Ahr3jS1bAAnd8IWnsR\nyILqVmKsYF2DoHh0tWiEAQ7/y/fe5DTFhK7N4Wml6kp2yVMkP6KC4ssyYPw27kjK\nDBwBZ5O8Ioej08A5sgsLCmglbmtSPHJUn14pQnMTmLOpEtOsu6S+2ibPgSNpdg0b\nCAJNG/KHe+Vkx59qNDyDeKb7FZOlsX30+y67zUq9GQqJEDuysPJ2BUNP0IJXAjst\nFIt1qNoZew+5KDYs7u/lPxcMGTirUhgI84Jy4WcDvSOsP/tKlxj04TbIE3epmSKy\n+TihHkwY7ngIGtcm3Sfqk5jz2RXoj1/Ac3SW8kVTYaOUogBhn7zAq4Wju6Et4hQG\nRGapsJp1aCeZ/a4RCDTxspcKoMaRa97/URQb0hBRGx3DGUhzpmX9zl7JI2Xa5D3R\nmdBXtjLKYJTdIMdd27prBEKhMUpae2rz5Mw4J907wZeBq/wu+zp8LAnecfTe2nGY\nE32x1U7gSEdYOGqnwxsOexb1jKgCa67Nw9TmcMPV8zmH7R9qdvgxAbAtwBl1F9OS\nfcGaC7epf1AjJLtaX7krWmzgASHl28Ynh9lmGMdv+5QYMZvKG0LOg/n3m8uJ6sKy\nIzzvaJswwn0j5P5+czyoV5CvvdCfKnNb+3jUEN8I0PPwjBGKr4B1ojwhogTM248V\nHR69D6TxFVMfGpyJhCPkbGEGbpEpcffpgKuC/mEtMqyDQXJNaV5HO6HgAJ9F1P6v\n5ehHHTMRvzCCFiwndHdlMXUjqSNjww6me6dr6LiAPbejdzhL2vWx1YqebOcwQx3G\n-----END RSA PRIVATE KEY-----",
          "passphrase": {
            "ciphertext": "ZjVmNQ==",
            "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
          }
        }
      }
    }
  }
}


Example 11: UDP virtual service

This example is for a UDP DNS load balancer service, and creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_11.
  • A UDP virtual server named serviceMain on port 53.
  • A pool named Pool1 monitored by the default ICMP health monitor.
{
  "class": "AS3",
  "action": "deploy",
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "UDP_DNS_Sample",
    "label": "UDP_DNS_Sample",
    "remark": "Sample of a UDP DNS Load Balancer Service",
    "Sample_11": {
      "class": "Tenant",
      "DNS_Service": {
        "class": "Application",
        "template": "udp",
        "serviceMain": {
          "class": "Service_UDP",
          "virtualPort": 53,
          "virtualAddresses": [
            "10.1.20.121"
          ],
          "pool": "Pool1"
        },
        "Pool1": {
          "class": "Pool",
          "monitors": [
            "icmp"
          ],
          "members": [
            {
              "servicePort": 53,
              "serverAddresses": [
                "10.1.10.100"
              ]
            },
            {
              "servicePort": 53,
              "serverAddresses": [
                "10.1.10.101"
              ]
            }
          ]
        }
      }
    }
  }
 }


Example 12: Using PATCH to add a new Application to a Tenant

This example uses the same declaration as in Example 11, but we use the PATCH method to add a new Application to the Sample_11 tenant.

This PATCH creates the following objects on the BIG-IP:

  • A new Application named NewAPP.
  • An HTTP service (virtual server) named serviceMain.
  • A pool named web_poolnew with two servers monitored by the default http health monitor.

If necessary, review the declaration in Example 11 (or first use GET https://<BIG-IP>/mgmt/shared/appsvcs/declare/Sample_11).

Then use PATCH https://<BIG-IP>/mgmt/shared/appsvcs/declare with the following body (because this is a new object, we include the new name in the path):

[
  {
    "op": "add",
    "path": "/Sample_11/NewAPP",
    "value": {
      "class": "Application",
      "template": "http",
      "serviceMain": {
        "class": "Service_HTTP",
        "virtualAddresses": [
          "10.0.1.10"
        ],
        "pool": "web_poolnew"
      },
      "web_poolnew": {
        "class": "Pool",
        "monitors": [
          "http"
        ],
        "members": [{
          "servicePort": 80,
          "serverAddresses": [
            "192.0.1.10",
            "192.0.1.11"
          ]
        }]
      }
    }
  }
]

After submitting this PATCH, the system returns the following (new application highlighted in yellow):

{
  "results": [
    {
      "message": "success",
      "lineCount": 20,
      "code": 200,
      "host": "localhost",
      "tenant": "Sample_11",
      "runTime": 1330
    }
  ],
  "declaration": {
    "Sample_11": {
      "class": "Tenant",
      "DNS_Service": {
        "class": "Application",
        "template": "udp",
        "serviceMain": {
          "class": "Service_UDP",
          "virtualPort": 53,
          "virtualAddresses": [
            "10.1.20.121"
          ],
          "pool": "Pool1"
        },
        "Pool1": {
          "class": "Pool",
          "monitors": [
            "icmp"
          ],
          "members": [
            {
              "servicePort": 53,
              "serverAddresses": [
                "10.1.10.100"
              ]
            },
            {
              "servicePort": 53,
              "serverAddresses": [
                "10.1.10.101"
              ]
            }
          ]
        }
      },
      "NewAPP": {
        "class": "Application",
        "template": "http",
        "serviceMain": {
          "class": "Service_HTTP",
          "virtualAddresses": [
            "10.0.1.10"
          ],
          "pool": "web_poolnew"
        },
        "web_poolnew": {
          "class": "Pool",
          "monitors": [
            "http"
          ],
          "members": [
            {
              "servicePort": 80,
              "serverAddresses": [
                "192.0.1.10",
                "192.0.1.11"
              ]
            }
          ]
        }
      }
    }
  },
  "class": "ADC",
  "schemaVersion": "3.0.0",
  "id": "UDP_DNS_Sample",
  "label": "UDP_DNS_Sample",
  "remark": "Sample of a UDP DNS Load Balancer Service",
  "controls": {
    "archiveTimestamp": "2018-06-04T21:54:18.255Z"
  }
}


Example 13: Virtual service referencing an existing security policy

This example creates an HTTP service, and attaches an existing Web Application Firewall (WAF) security policy created with the BIG-IP Application Security Manager (ASM) module. See the BIG-IP ASM Implementations Guide for information on configuring security policies.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_13.
  • A virtual server named serviceMain.
  • A pool named Pool1 monitored by the default http health monitor.
  • An LTM policy named _WAF__HTTP_Service which references the existing ASM policy named test-policy.
{
  "class": "ADC",
  "schemaVersion": "3.0.0",
  "id": "5489432",
  "label": "ASM_policy_existing",
  "remark": "ASM_policy_existing",
  "controls": {
    "class": "Controls",
    "trace": true,
    "logLevel": "debug"
  },
  "Sample_13": {
    "class": "Tenant",
    "HTTP_Service": {
      "class": "Application",
      "template": "http",
      "serviceMain": {
        "class": "Service_HTTP",
        "virtualAddresses": [
          "192.0.10.107"
        ],
        "snat": "auto",
        "pool": "Pool1",
        "policyWAF": {
          "bigip": "/Common/test-policy"
        }
      },
      "Pool1": {
        "class": "Pool",
        "monitors": [
          "http"
        ],
        "members": [
          {
            "servicePort": 8001,
            "serverAddresses": [
              "10.10.10.143"
            ]
          },
          {
            "servicePort": 8002,
            "serverAddresses": [
              "10.10.10.144"
            ]
          }
        ]
      }
    }
  }
 }



Example 13a: Virtual service referencing an external security policy

This example creates an HTTP service, and attaches a Web Application Firewall (WAF) security policy hosted in an external location. See the BIG-IP ASM Implementations Guide for information on configuring security policies, and the Exporting ASM Policies chapter for information on exporting policies.

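Note that the URL in the following declaration does not resolve; you need to use a valid URL where you have uploaded the ASM policy you exported from a BIG-IP system. Because the BIG-IP applies whatever policy that URL serves, host the file at a location you control and serve it over HTTPS.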

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_13a.
  • A virtual server named serviceMain.
  • A pool named Pool1 monitored by the default http health monitor.
  • An LTM policy named _WAF__HTTP_Service which references the external ASM policy via URL.
{
  "class": "ADC",
  "schemaVersion": "3.2.0",
  "id": "5489432",
  "label": "ASM_policy_external_URL",
  "remark": "ASM_policy_external_URL",
  "controls": {
    "class": "Controls",
    "trace": true,
    "logLevel": "debug"
  },
  "Sample_13a": {
    "class": "Tenant",
    "HTTP_Service": {
      "class": "Application",
      "template": "http",
      "serviceMain": {
        "class": "Service_HTTP",
        "virtualAddresses": [
          "192.0.10.107"
        ],
        "snat": "auto",
        "pool": "Pool1",
        "policyWAF": {
          "use": "My_ASM_Policy"
        }
      },
      "Pool1": {
        "class": "Pool",
        "monitors": [
          "http"
        ],
        "members": [
          {
            "servicePort": 8001,
            "serverAddresses": [
              "10.10.10.143"
            ]
          },
          {
            "servicePort": 8002,
            "serverAddresses": [
              "10.10.10.144"
            ]
          }
        ]
      },
      "My_ASM_Policy": {
        "class": "WAF_Policy",
        "url": "https://example.com/asm-policy.xml",
        "ignoreChanges": true
      }
    }
  }
}



Example 14: Virtual service allowing only specific VLANs

This example uses our simple HTTP service in Example 1, but adds a feature introduced in AS3 version 3.2.0 that lets you allow or deny client traffic from specific VLANs (IMPORTANT: The VLAN objects must already exist on the BIG-IP system).

In this case, we are using allowVlans to allow traffic from specific VLANs on our BIG-IP system to access our HTTP service, and denying all other traffic to that service. If we wanted to deny traffic from specific VLANs, we would use rejectVlans instead. In the rejectVlans case, the system would deny traffic from the specified VLANs, and would allow traffic from any other VLAN on the system. If you do not use this property, the system allows all VLANs by default.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_14.
  • A virtual server named serviceMain which is only accessible from the internal-sales and internal-marketing VLANs (which already exist on the BIG-IP system).
  • A pool named web_pool monitored by the default http health monitor.
{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.2.0",
    "id": "vlan-allow",
    "label": "Sample 14",
    "remark": "Simple HTTP application VLAN restriction",
    "Sample_14": {
      "class": "Tenant",
      "A1": {
        "class": "Application",
        "template": "http",
        "serviceMain": {
          "class": "Service_HTTP",
          "virtualAddresses": [
            "10.0.1.10"
          ],
          "pool": "web_pool",
          "allowVlans": [
            { "bigip":"/Common/internal-sales" },
            { "bigip":"/Common/internal-marketing" }
          ]
        },
        "web_pool": {
          "class": "Pool",
          "monitors": [
            "http"
          ],
          "members": [{
            "servicePort": 80,
            "serverAddresses": [
              "192.0.1.10",
              "192.0.1.11"
            ]
          }]
        }
      }
    }
  }
}



Example 15: Using a Local Traffic Policy to forward HTTP Requests

This example uses a BIG-IP Local Traffic Policy with URL Routing that forwards any HTTP requests that have a path containing example.com to the pool web_pool. For more information, see Local Traffic Policy in the BIG-IP documentation. For usage, see Endpoint_Policy in Appendix A: Schema Reference.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_15.
  • A virtual server named serviceMain.
  • A pool named web_pool monitored by the default http health monitor.
  • A BIG-IP Local Traffic Policy with a rule that forwards any request for example.com to the web_pool.
{
  "class": "ADC",
  "schemaVersion": "3.2.0",
  "id": "ltm_policy",
  "label": "",
  "remark": "Simple HTTP application with LTM policy",
  "Sample_15": {
    "class": "Tenant",
    "A1": {
      "class": "Application",
      "template": "http",
      "serviceMain": {
        "class": "Service_HTTP",
        "virtualAddresses": [
          "10.0.1.10"
        ],
        "policyEndpoint": "forward_policy"
      },
      "web_pool": {
        "class": "Pool",
        "monitors": [
          "http"
        ],
        "members": [{
          "servicePort": 80,
          "serverAddresses": [
            "192.0.1.10",
            "192.0.1.11"
          ]
        }]
      },
      "forward_policy": {
        "class": "Endpoint_Policy",
        "rules": [{
          "name": "forward_to_pool",
          "conditions": [{
            "type": "httpUri",
            "path": {
              "operand": "contains",
              "values": ["example.com"]
            }
          }],
          "actions": [{
            "type": "forward",
            "event": "request",
            "select": {
              "pool": {
                "use": "web_pool"
              }
            }
          }]
        }]
      }
    }
  }
}



Example 16: Using Service Discovery to automatically populate a pool

This example uses the service discovery feature to populate a pool based on tagged resources in AWS. For information on this feature, see the Service Discovery page. In this example, the pool contains two static members on port 443, and then members in our us-west-1 region in AWS that are tagged with the key foo and the value bar.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_16.
  • A virtual server named serviceMain.
  • A pool named web_pool monitored by the default http health monitor. The pool members are autodiscovered from AWS.
{
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "urn:uuid:33045210-3ab8-4636-9b2a-c98d22ab425d",
    "controls": {
      "class": "Controls",
      "trace": true,
      "logLevel": "debug"
    },
    "label": "AWS Service Discovery",
    "remark": "Simple HTTP application with a pool using AWS service discovery",
    "Sample_16": {
      "class": "Tenant",
      "verifiers": {
        
      },
      "A1": {
        "class": "Application",
        "template": "http",
        "serviceMain": {
          "class": "Service_HTTP",
          "virtualAddresses": [
            "192.0.2.14"
          ],
          "pool": "web_pool"
        },
        "web_pool": {
          "class": "Pool",
          "monitors": [
            "http"
          ],
          "members": [
            {
              "servicePort": 80,
              "addressDiscovery": "aws",
              "updateInterval": 1,
              "tagKey": "foo",
              "tagValue": "bar",
              "addressRealm": "private",
              "region": "us-west-1"
            },
            {
              "enable": true,
              "servicePort": 443,
              "serverAddresses": [
                "192.0.2.60",
                "192.0.2.61"
              ]
            }
          ]
        }
      }
    }
  }  



Example 16a: Using remote Service Discovery to automatically populate a pool with BIG-IP VE anywhere

This example uses the remote service discovery feature introduced in v3.4.0 to populate a pool based on tagged resources in AWS, Azure, and Google. For information on this feature, see the Service Discovery page. Remote service discovery allows your BIG-IP VE to be located anywhere, not necessarily in a specific cloud or region. For this feature to work properly, you must provide credentials for your cloud provider as shown in the following example.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_16a.
  • A virtual server named serviceMain.
  • A pool named web_pool monitored by the default http health monitor. The pool members are autodiscovered from AWS, Azure, and Google clouds, each on a different port.

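Note: This example does not include actual credentials for any of the clouds, or IDs for Azure. You must supply these items from your cloud provider. Once filled in, the declaration contains live cloud credentials, so store and transmit it as a secret (keep it out of source control) and use credentials scoped to the minimum that service discovery needs.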

{
    "class": "ADC",
    "schemaVersion": "3.4.0",
    "id": "urn:uuid:33045210-3ab8-4636-9b2a-c98d22ab425d",
    "label": "AWS Azure GCP Service Discovery",
    "remark": "HTTP application with a pool using local nodes and AWS, GCP, and Azure service discovery",
    "Sample_16a": {
      "class": "Tenant",
      "verifiers": {
  
      },
      "A1": {
        "class": "Application",
        "template": "http",
        "serviceMain": {
          "class": "Service_HTTP",
          "virtualAddresses": [
            "192.0.192.3"
          ],
          "pool": "web_pool"
        },
        "web_pool": {
          "class": "Pool",
          "monitors": [
            "http"
          ],
          "members": [
            {
              "servicePort": 8080,
              "addressDiscovery": "azure",
              "updateInterval": 10,
              "tagKey": "foo",
              "tagValue": "bar",
              "addressRealm": "private",
              "resourceGroup": "test_group",
              "subscriptionId": "azure subscription ID",
              "directoryId": "azure directory ID",
              "applicationId": "your azure application ID",
              "apiAccessKey": "your api access key",
              "credentialUpdate": false
            },
            {
              "servicePort": 8081,
              "addressDiscovery": "gce",
              "updateInterval": 10,
              "tagKey": "foo",
              "tagValue": "bar",
              "addressRealm": "private",
              "region": "us-west1",
              "encodedCredentials": "base 64 encoded credentials",
              "credentialUpdate": false
            },
            {
              "servicePort": 8082,
              "addressDiscovery": "aws",
              "updateInterval": 10,
              "tagKey": "foo",
              "tagValue": "bar",
              "addressRealm": "private",
              "region": "us-west-1",
              "accessKeyId": "your key id",
              "secretAccessKey": "your secret access key",
              "credentialUpdate": false
            },
            {
              "enable": true,
              "servicePort": 80,
              "serverAddresses": [
                "10.128.0.7"
              ]
            }
          ]
        }
      }
    }
  }
    


Example 16b: Using an FQDN pool to identify pool members

This example uses an FQDN pool on the BIG-IP VE, which allows the pool member addresses to dynamically follow DNS changes. For complete information on FQDN pools, see https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-13-1-0/22.html. You must have DNS configured on your BIG-IP system before FQDN pools will function properly. Because pool membership follows whatever the configured resolvers return, those resolvers should be ones you trust. See the BIG-IP documentation for details.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_16b.
  • A virtual server named serviceMain.
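  • A pool named fqdn_pool. The pool member addresses are discovered using DNS.

Note: The declaration shown below repeats the Example 16a declaration (tenant Sample_16a, pool web_pool, cloud service discovery) and does not define the fqdn_pool described here.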
{
    "class": "ADC",
    "schemaVersion": "3.4.0",
    "id": "urn:uuid:33045210-3ab8-4636-9b2a-c98d22ab425d",
    "label": "AWS Azure GCP Service Discovery",
    "remark": "HTTP application with a pool using local nodes and AWS, GCP, and Azure service discovery",
    "Sample_16a": {
      "class": "Tenant",
      "verifiers": {
  
      },
      "A1": {
        "class": "Application",
        "template": "http",
        "serviceMain": {
          "class": "Service_HTTP",
          "virtualAddresses": [
            "192.0.192.3"
          ],
          "pool": "web_pool"
        },
        "web_pool": {
          "class": "Pool",
          "monitors": [
            "http"
          ],
          "members": [
            {
              "servicePort": 8080,
              "addressDiscovery": "azure",
              "updateInterval": 10,
              "tagKey": "foo",
              "tagValue": "bar",
              "addressRealm": "private",
              "resourceGroup": "test_group",
              "subscriptionId": "azure subscription ID",
              "directoryId": "azure directory ID",
              "applicationId": "your azure application ID",
              "apiAccessKey": "your api access key",
              "credentialUpdate": false
            },
            {
              "servicePort": 8081,
              "addressDiscovery": "gce",
              "updateInterval": 10,
              "tagKey": "foo",
              "tagValue": "bar",
              "addressRealm": "private",
              "region": "us-west1",
              "encodedCredentials": "base 64 encoded credentials",
              "credentialUpdate": false
            },
            {
              "servicePort": 8082,
              "addressDiscovery": "aws",
              "updateInterval": 10,
              "tagKey": "foo",
              "tagValue": "bar",
              "addressRealm": "private",
              "region": "us-west-1",
              "accessKeyId": "your key id",
              "secretAccessKey": "your secret access key",
              "credentialUpdate": false
            },
            {
              "enable": true,
              "servicePort": 80,
              "serverAddresses": [
                "10.128.0.7"
              ]
            }
          ]
        }
      }
    }
  }
    



Example 17: Referencing an existing SSL certificate and key in the Common partition

This example shows how to reference an SSL certificate and key that exist in the Common partition.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_17.
  • A virtual server named serviceMain.
  • A pool named pool monitored by the default http health monitor.
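  • TLS/SSL profile (which references the default BIG-IP certificate and key in the Common partition) named pTlsServer_Local. In the BIG-IP UI, this is called a Client SSL profile. The default certificate is self-signed, so it suits testing; for production, reference a certificate and key issued for the service.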
{
    "class": "ADC",
    "id": "myid",
    "schemaVersion": "3.0.0",
    "controls": {
      "class": "Controls",
      "trace": true,
      "logLevel": "debug"
    },
    "Sample_17": {
      "class": "Tenant",
      "test_https": {
        "class": "Application",
        "template": "https",
        "pool": {
          "class": "Pool",
          "members": [
            {
              "serverAddresses": [
                "192.0.2.100"
              ],
              "servicePort": 8080
            }
          ],
          "monitors": [
            "http"
          ]
        },
        "serviceMain": {
          "class": "Service_HTTPS",
          "persistenceMethods": [],
          "pool": "pool",
          "serverTLS": "pTlsServer_Local",
          "snat": "auto",
          "virtualAddresses": [
            "192.168.0.2"
          ],
          "virtualPort": 443
        },
        "pTlsServer_Local": {
          "class": "TLS_Server",
          "label": "simplest decl requires just cert",
          "certificates": [
            {
              "certificate": "tlsserver_local_cert"
            }
          ]
        },
        "tlsserver_local_cert": {
          "class": "Certificate",
          "certificate": {"bigip":"/Common/default.crt"},
          "privateKey": {"bigip":"/Common/default.key"}
        }
      }
    }
  }
  



Example 18: Using Firewall Rules, Policies, and logging

This example shows how you can use the BIG-IP Advanced Firewall Manager (AFM) module in a declaration. BIG-IP AFM defends against threats to network layers 3–4, stopping them before they reach your data center. To use these features, you must have BIG-IP AFM licensed and provisioned on your BIG-IP system.

In this example, we create firewall rules which are used in our firewall policy. We also create a security logging profile to define the events we want to log.

The AFM features we use in this declaration are well-documented in the AFM documentation and Logging documentation. See these manuals for more information on these features. Also see the Appendix A: Schema Reference for usage options for your AS3 declarations.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_18.
  • A virtual server named serviceMain.
  • A pool named ex_pool monitored by the default gateway_icmp health monitor.
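  • A firewall rule list named fwRuleList, which references lists of allowed ports (fwAllowedPortList) and addresses (fwAllowedAddressList). Its rules are tcpAllow, udpAllow, and a final defaultDeny rule that drops traffic from any source (fwDefaultDenyAddressList, 0.0.0.0/0). Note that udpAllow restricts only the source address list, not the destination ports.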
  • A firewall policy named fwPolicy which references the firewall rule lists.
  • A log publisher (fwLogPublisher), high speed logging destination (fwLogDestinationHsl) and pool (hsl_pool), and syslog destination (fwLogDestinationSyslog).
{
    "class": "AS3",
    "action": "deploy",
    "persist": true,
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.0.0",
        "id": "firewall",
        "label": "Sample 18",
        "remark": "Firewall policy, rule, and logging example",
        "controls": {
        "trace": true
        },
        "Sample_18": {
            "class": "Tenant",
            "fwFastL4": {
                "fwAllowedAddressList": {
                    "class": "Firewall_Address_List",
                    "addresses": [
                        "10.0.0.0/8",
                        "172.20.0.0/16",
                        "192.168.0.0/16"
                    ]
                },
                "fwLogDestinationSyslog": {
                    "class": "Log_Destination",
                    "type": "remote-syslog",
                    "remoteHighSpeedLog": {
                        "use": "fwLogDestinationHsl"
                    },
                    "format": "rfc5424"
                },
                "fwLogDestinationHsl": {
                    "class": "Log_Destination",
                    "type": "remote-high-speed-log",
                    "protocol": "tcp",
                    "pool": {
                        "use": "hsl_pool"
                    }
                },
                "fwRuleList": {
                "class": "Firewall_Rule_List",
                "rules": [
                        {
                            "protocol": "tcp",
                            "name": "tcpAllow",
                            "loggingEnabled": true,
                            "destination": {
                                "portLists": [
                                    {
                                        "use": "fwAllowedPortList"
                                    }
                                ]
                            },
                            "source": {
                                "addressLists": [
                                    {
                                        "use": "fwAllowedAddressList"
                                    }
                                ]
                            },
                            "action": "accept"
                        },
                        {
                            "action": "accept",
                            "loggingEnabled": true,
                            "protocol": "udp",
                            "name": "udpAllow",
                            "source": {
                                "addressLists": [
                                    {
                                        "use": "fwAllowedAddressList"
                                    }
                                ]
                            }
                        },
                        {
                            "action": "drop",
                            "loggingEnabled": true,
                            "protocol": "any",
                            "name": "defaultDeny",
                            "source": {
                                "addressLists": [
                                    {
                                        "use": "fwDefaultDenyAddressList"
                                    }
                                ]
                            }
                        }
                    ]
                },
                "hsl_pool": {
                    "class": "Pool",
                    "members": [
                        {
                            "serverAddresses": [
                                "192.168.120.6"
                            ],
                            "enable": true,
                            "servicePort": 514
                        }
                    ],
                    "monitors": [
                        {
                            "bigip": "/Common/tcp"
                        }
                    ]
                },
                "fwAllowedPortList": {
                    "class": "Firewall_Port_List",
                    "ports": [
                        22,
                        53,
                        80,
                        443,
                        "8080-8081"
                    ]
                },
                "fwSecurityLogProfile": {
                    "class": "Security_Log_Profile",
                    "network": {
                        "publisher": {
                            "use": "fwLogPublisher"
                        },
                        "storageFormat": {
                            "fields": [
                                "action",
                                "dest-ip",
                                "dest-port",
                                "src-ip",
                                "src-port"
                            ]
                        },
                        "logTranslationFields": true,
                        "logTcpEvents": true,
                        "logRuleMatchRejects": true,
                        "logTcpErrors": true,
                        "logIpErrors": true,
                        "logRuleMatchDrops": true,
                        "logRuleMatchAccepts": true
                    }
                },
                "class": "Application",
                "fwDefaultDenyAddressList": {
                    "class": "Firewall_Address_List",
                    "addresses": [
                        "0.0.0.0/0"
                    ]
                },
                "fwPolicy": {
                    "rules": [
                        {
                            "use": "fwRuleList"
                        }
                    ],
                    "class": "Firewall_Policy"
                },
                "ex_L4_Profile": {
                    "class": "L4_Profile"
                },
                "template": "l4",
                "ex_pool": {
                    "class": "Pool",
                    "members": [
                        {
                            "serverAddresses": [
                                "192.168.31.3"
                            ],
                            "enable": true,
                            "servicePort": 0
                        }
                    ],
                    "monitors": [
                        {
                            "bigip": "/Common/gateway_icmp"
                        }
                    ]
                },
                "serviceMain": {
                    "translateServerAddress": false,
                    "securityLogProfiles": [
                        {
                            "use": "fwSecurityLogProfile"
                        }
                    ],
                    "virtualAddresses": [
                        "0.0.0.0"
                    ],
                    "policyFirewallEnforced": {
                        "use": "fwPolicy"
                    },
                    "translateServerPort": false,
                    "profileL4": {
                        "use": "ex_L4_Profile"
                    },
                    "virtualPort": 0,
                    "snat": "none",
                    "class": "Service_L4",
                    "pool": "ex_pool"
                },
                "fwLogPublisher": {
                    "class": "Log_Publisher",
                    "destinations": [
                        {
                            "use": "fwLogDestinationSyslog"
                        }
                    ]
                }
            }
        }
    }
}



Example 19: Using BIG-IP PEM in a declaration

This example shows how you can use BIG-IP Policy Enforcement Manager (PEM) in your AS3 declarations. BIG-IP PEM helps you deliver high-quality customized services while optimizing your network by efficiently managing the explosion of data and traffic. For more information on BIG-IP PEM, see PEM on f5.com and PEM on AskF5. Also see the Appendix A: Schema Reference for usage options for your AS3 declarations.

Note

The following example declaration includes all of the PEM options currently available. AS3 currently does not create many of the PEM objects, so these objects MUST already be present on your BIG-IP system and be properly referenced in your declaration. The objects that must be present on the BIG-IP include: pem interception-endpoint, pem irule, pem service-chain-endpoint, pem reporting format-script, pem quota-mgmt rating-group, pem forwarding-endpoint, net bwc policy, net vlan, ltm virtual (internal). See PEM on AskF5 for information on creating these objects.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_19.
  • Because of the large number of objects created and referenced by this declaration, we do not list them all here. See the declaration and the Appendix A: Schema Reference for usage options.
{
    "class": "ADC",
    "schemaVersion": "3.2.0",
    "id": "urn:uuid:33045210-3ab8-4636-9b2a-c98d22ab915d",
    "controls": {
        "logLevel": "debug",
        "trace": true
    },
    "Sample_19": {
        "class": "Tenant",
        "testApp": {
            "class": "Application",
            "template": "generic",
            "testPemPolicy": {
                "class": "Enforcement_Policy",
                "remark": "Test Enforcement Policy",
                "enable": false,
                "allTransactions": true,
                "rules": [
                    {
                        "name": "testPolicyRule1",
                        "precedence": 1,
                        "dscpMarkingDownlink": 0,
                        "dscpMarkingUplink": 0,
                        "gateStatusEnabled": true,
                        "intercept": {
                            "bigip": "/Common/testInterceptionEndpoint"
                        },
                        "iRule": {
                            "bigip": "/Common/testPemIRule"
                        },
                        "l2MarkingDownlink": 0,
                        "l2MarkingUplink": 0,
                        "qosBandwidthControllerUplink": {
                            "policy": {
                                "bigip": "/Common/testBwcPolicy"
                            },
                            "category": "testCat1"
                        },
                        "qosBandwidthControllerDownlink": {
                            "policy": {
                                "bigip": "/Common/testBwcPolicy"
                            },
                            "category": "testCat1"
                        },
                        "serviceChain": {
                            "bigip": "/Common/testServiceChain"
                        },
                        "tclFilter": "set str \"Hello World \";for {set i 1} {$i <= 3} {incr i} {\nappend str \"\" $i; }\n return [string match $str [ concat \"Hello World\" \"123\" ]]",
                        "tcpAnalyticsEnabled": true,
                        "tcpOptimizationDownlink": {
                            "use": "testTcpProfile"
                        },
                        "tcpOptimizationUplink": {
                            "use": "testTcpProfile"
                        },
                        "classificationFilters": [
                            {
                                "name": "testClassFilter1",
                                "application": {
                                    "bigip": "/Common/acrobat"
                                },
                                "invertMatch": true
                            },
                            {
                                "name": "testClassFilter2",
                                "category": {
                                    "bigip": "/Common/Audio"
                                },
                                "invertMatch": true
                            }
                        ],
                        "flowInfoFilters": [
                            {
                                "name": "testFlowFilter",
                                "invertMatch": true,
                                "dscpMarking": 0,
                                "destinationAddress": "10.238.8.60/32",
                                "destinationPort": 8080,
                                "sourceVlan": {
                                    "bigip": "/Common/testVlan"
                                },
                                "sourceAddress": "10.238.8.61/32",
                                "sourcePort": 8081,
                                "protocol": "tcp",
                                "ipAddressType": "ipv4"
                            },
                            {
                                "name": "testFlowFilterDefault"
                            }
                        ],
                        "forwarding": {
                            "type": "icap",
                            "fallbackAction": "continue",
                            "icapType": "both",
                            "icapService": {
                                "bigip": "/Common/testServiceTcp"
                            }
                        },
                        "insertContent": {
                            "duration": 5,
                            "frequency": "once-every",
                            "position": "prepend",
                            "tagName": "testTag",
                            "valueContent": "testContent",
                            "valueType": "tcl-snippet"
                        },
                        "modifyHttpHeader": {
                            "headerName": "testHeaderName",
                            "operation": "insert",
                            "valueContent": "testContent",
                            "valueType": "tcl-snippet"
                        },
                        "qoeReporting": {
                            "highSpeedLogPublisher": {
                                "use": "testLogPublisher"
                            },
                            "formatScript": {
                                "bigip": "/Common/testFormatScript"
                            }
                        },
                        "quota": {
                            "ratingGroup": {
                                "bigip": "/Common/testRatingGroup"
                            },
                            "reportingLevel": "rating-group"
                        },
                        "ranCongestion": {
                            "threshold": 2500,
                            "reportDestinationHsl": {
                                "highSpeedLogPublisher": {
                                    "use": "testLogPublisher"
                                },
                                "formatScript": {
                                    "bigip": "/Common/testFormatScript"
                                }
                            }
                        },
                        "usageReporting": {
                            "destination": "gx",
                            "applicationReportingEnabled": true,
                            "monitoringKey": "testMonitoringKey",
                            "granularity": "session",
                            "interval": 0,
                            "volume": {
                                "downlink": 5000,
                                "total": 10000,
                                "uplink": 5000
                            }
                        },
                        "urlCategorizationFilters": [
                            {
                                "name": "testUrlFilter",
                                "category": {
                                    "bigip": "/Common/Music"
                               },
                                "invertMatch": true
                            }
                        ]
                    },
                    {
                        "name": "testPolicyRule2",
                        "precedence": 1,
                        "gateStatusEnabled": false,
                        "DTOSTethering": {
                            "detectDtos": true,
                            "detectTethering": true,
                            "reportDestinationHsl": {
                                "highSpeedLogPublisher": {
                                    "use": "testLogPublisher"
                                },
                                "formatScript": {
                                    "bigip": "/Common/testFormatScript"
                                }
                            }
                        },
                        "quota": {
                            "reportingLevel": "service-id"
                        },
                        "usageReporting": {
                            "destination": "sd",
                            "applicationReportingEnabled": true,
                            "monitoringKey": "testMonitoringKey",
                            "granularity": "session",
                            "interval": 0,
                            "volume": {
                                "downlink": 5000,
                                "total": 10000,
                                "uplink": 5000
                            }
                        }
                    },
                    {
                        "name": "testPolicyRule3",
                        "precedence": 1,
                        "qosBandwidthControllerUplink": {
                            "policy": {
                                "bigip": "/Common/testBwcPolicy"
                            }
                        },
                        "qosBandwidthControllerDownlink": {
                            "policy": {
                                "bigip": "/Common/testBwcPolicy"
                            }
                        },
                        "forwarding": {
                            "type": "endpoint",
                            "fallbackAction": "continue",
                            "endpoint": {
                                "bigip": "/Common/testForwardEndpoint"
                            }
                        },
                        "usageReporting": {
                            "destination": "hsl",
                            "publisher": {
                                "use": "testLogPublisher"
                            },
                            "formatScript": {
                                "bigip": "/Common/testFormatScript"
                            },
                            "sessionReportingFields": [
                                "3gpp-parameters",
                                "application-id",
                                "called-station-id",
                                "calling-station-id",
                                "concurrent-flows",
                                "downlink-volume",
                                "duration-seconds",
                                "last-record-sent",
                                "new-flows",
                                "observation-time-seconds",
                                "record-reason",
                                "record-type",
                                "report-id",
                                "report-version",
                                "subscriber-id",
                                "subscriber-id-type",
                                "successful-transactions",
                                "terminated-flows",
                                "timestamp-msec",
                                "total-transactions",
                                "uplink-volume"
                            ],
                            "granularity": "session",
                            "interval": 5,
                            "volume": {
                                "downlink": 5000,
                                "total": 10000,
                                "uplink": 5000
                            }
                        }
                    },
                    {
                        "name": "testPolicyRule4",
                        "precedence": 1,
                        "forwarding": {
                            "type": "route-to-network",
                            "fallbackAction": "continue"
                        },
                        "usageReporting": {
                            "destination": "hsl",
                            "publisher": {
                                "use": "testLogPublisher"
                            },
                            "formatScript": {
                                "bigip": "/Common/testFormatScript"
                            },
                           "flowReportingFields": [
                                "application-id",
                                "destination-ip",
                                "destination-transport-port",
                                "downlink-volume",
                                "flow-end-milli-seconds",
                                "flow-end-seconds",
                                "flow-start-milli-seconds",
                                "flow-start-seconds",
                                "observation-time-seconds",
                                "protocol-identifier",
                                "record-type",
                                "report-id",
                                "report-version",
                                "route-domain",
                                "source-ip",
                                "source-transport-port",
                                "subscriber-id",
                                "subscriber-id-type",
                                "timestamp-msec",
                                "total-transactions",
                                "uplink-volume",
                                "url-category-id",
                                "vlan-id"
                            ],
                            "granularity": "flow",
                            "interval": 5,
                            "volume": {
                                "downlink": 5000,
                                "total": 10000,
                                "uplink": 5000
                            }
                        }
                    },
                    {
                        "name": "testPolicyRule5",
                        "precedence": 1,
                        "forwarding": {
                            "type": "http",
                            "redirectUrl": "https://localhost",
                            "fallbackAction": "continue"
                        },
                        "usageReporting": {
                            "destination": "hsl",
                            "publisher": {
                                "use": "testLogPublisher"
                            },
                            "transactionReportingFields": [
                                "application-id",
                                "destination-ip",
                                "destination-transport-port",
                                "downlink-volume",
                                "http-hostname",
                                "http-hostname-truncated",
                                "http-response-code",
                                "http-url",
                                "http-url-truncated",
                                "http-user-agent",
                                "http-user-agent-truncated",
                                "protocol-identifier",
                                "record-type",
                                "report-id",
                                "report-version",
                                "route-domain",
                                "skipped-transactions",
                                "source-ip",
                                "source-transport-port",
                                "subscriber-id",
                                "subscriber-id-type",
                                "transaction-classification-result",
                                "transaction-end-milli-seconds",
                                "transaction-end-seconds",
                                "transaction-number",
                                "transaction-start-milli-seconds",
                                "transaction-start-seconds",
                                "uplink-volume",
                                "url-category-id",
                                "vlan-id"
                            ],
                            "granularity": "transaction",
                            "interval": 0,
                            "transaction": {
                                "hostname": 500,
                                "uri": 60,
                                "userAgent": 10
                            }
                        }
                    },
                    {
                       "name": "testPolicyRule6",
                        "precedence": 1,
                        "usageReporting": {
                            "destination": "radius-accounting",
                            "radiusAAAService": {
                                "bigip": "/Common/testServiceRadiusAAA"
                            },
                            "granularity": "session",
                            "interval": 5,
                            "volume": {
                                "downlink": 5000,
                                "total": 10000,
                                "uplink": 5000
                            }
                        }
                    }
                ]
            },
            "testPemPolicyDefault": {
                "class": "Enforcement_Policy",
                "rules": [
                    {
                        "name": "testPolicyRuleDefault",
                        "precedence": 10
                    }
                ]
            },
            "testPemPolicyDefaultNoRule": {
                "class": "Enforcement_Policy"
            },
            "testTcpProfile": {
                "class": "TCP_Profile"
            },
            "testLogPublisher": {
                "class": "Log_Publisher",
                "destinations": [
                    {
                        "use": "testLogDestination"
                    }
                ]
            },
            "testLogDestination": {
                "class": "Log_Destination",
                "type": "remote-high-speed-log",
                "pool": {
                    "use": "testPool"
                }
            },
            "testPool": {
                "class": "Pool"
            }
        }
    }
}



Example 20: One tenant with three applications

This example attempts to clarify the naming conventions used by AS3 when it comes to applications and using the name serviceMain with the required property template. When creating an application service (virtual server on the BIG-IP) in a tenant using AS3, and using one of the templates (http, https, tcp, udp, l4) that is not generic or shared, the application service name MUST be serviceMain. AS3 assigns some default profiles to the serviceMain service that match the template type you specified (such as a default HTTP profile to the service using template HTTP).

If you want to name your service something other than serviceMain, use "template": "generic" in the application service portion of your declaration. You can still use the class property in the application service to specify Service_HTTP or Service_TCP for example, but for each application service in a tenant that uses one of the templates (http, https, tcp, udp, l4), you must use the name serviceMain for your application service.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_20.
  • Virtual servers named serviceMain, AnyName, and AnotherName.
  • A pool named web_pool used by serviceMain and a pool named web_pool2 used by AnyName, both monitored by the default http health monitor.
  • A pool named web_pool3 used by AnotherName monitored by the default tcp monitor.
{
    "class": "AS3",
    "action": "deploy",
    "persist": true,
    "declaration": {
       "class": "ADC",
       "schemaVersion": "3.0.0",
       "id": "fghijkl7890",
       "label": "Sample 5",
       "remark": "HTTP two applications",
       "Sample_20": {
          "class": "Tenant",
          "A1": {
             "class": "Application",
             "template": "http",
             "serviceMain": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                   "10.0.6.100"
                ],
                "pool": "web_pool"
             },
             "web_pool": {
                "class": "Pool",
                "monitors": [
                   "http"
                ],
                "members": [{
                   "servicePort": 80,
                   "serverAddresses": [
                      "192.0.6.10",
                      "192.0.6.11"
                   ]
                }]
             }
          },
          "A2": {
             "class": "Application",
             "template": "generic",
             "AnyName": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                   "10.0.6.111"
                ],
                "pool": "web_pool2",
                "virtualPort": 80
             },
             "web_pool2": {
                "class": "Pool",
                "monitors": [
                   "http"
                ],
                "members": [{
                   "servicePort": 80,
                   "serverAddresses": [
                      "192.0.6.111",
                      "192.0.6.121"
                   ]
                }]
             }
          },
          "A3": {
            "class": "Application",
            "template": "generic",
            "AnotherName": {
               "class": "Service_TCP",
               "virtualAddresses": [
                  "10.0.6.14"
               ],
               "pool": "web_pool3",
               "virtualPort": 80
            },
            "web_pool3": {
               "class": "Pool",
               "monitors": [
                  "tcp"
               ],
               "members": [{
                  "servicePort": 21,
                  "serverAddresses": [
                     "192.0.6.141",
                     "192.0.6.142"
                  ]
               }]
            }
         }
       }
    }
}
  



Example 21: Using BIG-IP DNS features in a declaration

This example shows how you can use some BIG-IP DNS features (DNS profiles, TSIG keys, DNS Zones, Nameservers) in an AS3 declaration. The DNS features we use in this declaration are well-documented in the BIG-IP DNS Services: Implementations guide, so for specific information, see this documentation. Also see the Appendix A: Schema Reference for usage options for using these features in your AS3 declarations.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_21.
  • A virtual server named serviceMain.
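  • A DNS Zone that uses DNS Express. In this sample, NOTIFY messages are allowed from 10.1.1.1 and verifyNotifyTsig is false, so they are accepted based on source address alone; set verifyNotifyTsig to true if NOTIFY senders should be authenticated with the zone's TSIG key.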
  • A DNS Nameserver Zone.
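  • A DNS TSIG Key using the hmacmd5 algorithm. The secret in this sample is a placeholder: its protected header decodes to {"alg":"dir","enc":"none"}, so the ciphertext is only base64-encoded, not encrypted. Replace it with your own key and treat the declaration as sensitive. RFC 8945 advises against using HMAC-MD5 for TSIG and recommends HMAC-SHA256, so choose a SHA-2 based algorithm if the schema and your DNS peers support it.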
{
    "class": "ADC",
    "updateMode": "selective",
    "schemaVersion": "3.0.0",
    "id": "DNS",
    "Sample_21": {
        "class": "Tenant",
        "TEST_DNS_Zone": {
            "class": "Application",
            "template": "generic",
            "dnsZone": {
                "class": "DNS_Zone",
                "label": "dnsZone",
                "remark": "DNS Zone test",
                "dnsExpress": {
                    "enabled": true,
                    "nameserver": {
                        "use": "dnsNameserverZone"
                    },
                    "notifyAction": "consume",
                    "allowNotifyFrom": [
                        "10.1.1.1"
                    ],
                    "verifyNotifyTsig": false
                },
                "responsePolicyEnabled": true,
                "serverTsigKey": {
                    "use": "tsigKeyZone"
                },
                "transferClients": [
                    {
                        "use": "dnsNameserverZone"
                    }
                ]
            },
            "dnsNameserverZone": {
                "class": "DNS_Nameserver",
                "label": "dnsNameserverZone",
                "remark": "A DNS Nameserver",
                "address": "10.1.1.2",
                "port": 53,
                "routeDomain": {
                    "bigip": "/Common/0"
                },
                "tsigKey": {
                    "use": "tsigKeyZone"
                }
            },
            "tsigKeyZone": {
                "class": "DNS_TSIG_Key",
                "label": "tsigKeyZone",
                "remark": "TSIG Key test",
                "algorithm": "hmacmd5",
                "secret": {
                    "ciphertext": "ZjVmNQ==",
                    "miniJWE": true,
                    "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0",
                    "ignoreChanges": true,
                    "allowReuse": false
                }
            }
        }
    },
    "DNS_PROFILE_1": {
        "class": "Tenant", 
        "DNS_PROFILE_1": {
            "class": "Application",
            "template": "udp",
            "serviceMain": {
                "class": "Service_UDP",
                "virtualPort": 80,
                "virtualAddresses": [
                    "198.19.192.210"
                ],
                "profileUDP": {
                    "use": "profileUdp"
                },

                "profileDNS": {
                    "use": "profileDnsHW"
                }
            },
            "profileDnsHW": {
                "class": "DNS_Profile",
                "label": "profileDnsHW",
                "remark": "DNS Profile test",
                "parentProfile": {
                    "bigip": "/Common/dns"
                },
                "rapidResponseEnabled": false,
                "rapidResponseLastAction": "allow",
                "hardwareQueryValidationEnabled": true,
                "hardwareResponseCacheEnabled": true,
                "dnssecEnabled": false,
                "globalServerLoadBalancingEnabled": false,
                "dnsExpressEnabled": false,
                "cacheEnabled": false,
                "dns64Mode": "secondary",
                "dns64Prefix": "0:0:0:0:0:0:0:0",
                "dns64AdditionalSectionRewrite": "any",
                "unhandledQueryAction": "drop",
                "localBindServerEnabled": false,
                "zoneTransferEnabled": true,
                "recursionDesiredEnabled": false,
                "securityEnabled": false,
                "loggingEnabled": false,
                "statisticsSampleRate": 20
            },
            "profileUdp": {
                "class": "UDP_Profile",
                "datagramLoadBalancing": true
            }

        }
    }
}


 



Example 22: Using Firewall (Carrier Grade) NAT features in a declaration

This example shows how you can use some Carrier Grade NAT (CGNAT) features (NAT Policy, NAT Source Translation, Firewall lists) in an AS3 declaration. For more information on CGNAT, see Carrier Grade Nat on f5.com. Also see the Appendix A: Schema Reference for usage options for using these features in your AS3 declarations.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_22.
  • A Fast L4 virtual server named serviceMain, listening on the wildcard address 0.0.0.0 and any port (virtualPort 0).
  • A NAT Policy.
  • A NAT Source Address Translation object.
  • Port and destination address lists (Firewall Address lists).
{
    "class": "ADC",
    "id": "cgnat",
    "label": "Sample_22",
    "remark": "22",
    "schemaVersion": "3.0.0",
    "Sample_22": {
        "class": "Tenant",
        "A1": {
            "class": "Application",
            "template": "l4",
            "serviceMain": {
                "class": "Service_L4",
                "layer4": "any",
                "policyNAT": {
                    "use": "natPolicy"
                },
                "snat": "none",
                "translateServerAddress": false,
                "translateServerPort": false,
                "virtualAddresses": [
                    "0.0.0.0"
                ],
                "virtualPort": 0
            },
            "natDestinationAddressList": {
                "addresses": [
                    "0.0.0.0/0"
                ],
                "class": "Firewall_Address_List"
            },
            "natDestinationPortList": {
                "class": "Firewall_Port_List",
                "ports": [
                    "1-65535"
                ]
            },
            "natPolicy": {
                "class": "NAT_Policy",
                "rules": [
                    {
                        "destination": {
                            "addressLists": [
                                {
                                    "use": "natDestinationAddressList"
                                }
                            ],
                            "portLists": [
                                {
                                    "use": "natDestinationPortList"
                                }
                            ]
                        },
                        "name": "rule1",
                        "protocol": "tcp",
                        "source": {
                            "addressLists": [
                                {
                                    "use": "natSourceAddressList"
                                }
                            ],
                            "portLists": [
                                {
                                    "use": "natSourcePortList"
                                }
                            ]
                        },
                        "sourceTranslation": {
                            "use": "natSourceTranslation"
                        }
                    }
                ]
            },
            "natSourceAddressList": {
                "addresses": [
                    "192.168.0.0/16"
                ],
                "class": "Firewall_Address_List"
            },
            "natSourcePortList": {
                "class": "Firewall_Port_List",
                "ports": [
                    "1-65535"
                ]
            },
            "natSourceTranslation": {
                "addresses": [
                    "192.0.2.0/25"
                ],
                "class": "NAT_Source_Translation",
                "clientConnectionLimit": 0,
                "hairpinModeEnabled": false,
                "inboundMode": "explicit",
                "mapping": {
                    "mode": "address-pooling-paired",
                    "timeout": 300
                },
                "patMode": "pba",
                "portBlockAllocation": {
                    "blockIdleTimeout": 3600,
                    "blockLifetime": 0,
                    "blockSize": 64,
                    "clientBlockLimit": 1,
                    "zombieTimeout": 0
                },
                "ports": [
                    "1-65535"
                ],
                "routeAdvertisement": false,
                "type": "dynamic-pat"
            }
        }
    }
}



Example 23: Using a FIX profile and data groups in a declaration

This example shows how you can create a FIX (Financial Information eXchange) Profile which is commonly used for electronic trading. It also shows how the tag substitution mapping can be configured using data groups.

Note: Some FIX features may require appropriate licensing. For more information, see https://www.f5.com/pdf/solution-profiles/fix-solution-profile.pdf.

The external data group in this sample is loaded from a plain http:// URL, and the existing data-group file path contains a {{dataGroupFileName}} placeholder. Substitute your own values, and prefer an HTTPS URL or a local file path so the tag mapping cannot be altered in transit.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_23.
  • A standard TCP service named serviceMain with a pool named poolWeb.
  • A FIX Profile.
  • A tag substitution mapping using data groups.
  • Three types of referenced data groups: (new) internal, (new) external, and an external data group from an existing data-group file.

{
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "profileFix",
    "label": "sample 23 FIX profile",
    "remark": "Sample Application with FIX Profile",
    "Sample_23": {
        "class": "Tenant",
        "appWeb": {
            "class": "Application",
            "template": "tcp",
            "serviceMain": {
                "class": "Service_TCP",
                "virtualAddresses": [
                    "192.0.2.21"
                ],
                "virtualPort": 100,
                "pool": "poolWeb",
                "profileTCP": "normal",
                "profileFIX": {
                    "use": "profileFIXcustom"
                }
            },
            "poolWeb": {
                "class": "Pool",
                "monitors": [
                    "tcp-half-open"
                ],
                "members": [
                    {
                        "servicePort": 80,
                        "serverAddresses": [
                            "192.0.2.12",
                            "192.0.2.13"
                        ]
                    }
                ]
            },
            "profileFIXcustom": {
                "class": "FIX_Profile",
                "label": "test",
                "parentProfile": {
                    "bigip": "/Common/fix"
                },
                "errorAction": "drop-connection",
                "fullLogonParsingEnabled": false,
                "messageLogPublisher": {
                    "bigip": "/Common/local-db-publisher"
                },
                "reportLogPublisher": {
                    "bigip": "/Common/local-db-publisher"
                },
                "quickParsingEnabled": true,
                "responseParsingEnabled": true,
                "statisticsSampleInterval": 45,
                "senderTagMappingList": [
                    {
                        "senderId": "ExistingInternalDG",
                        "tagDataGroup": {
                            "bigip": "/Common/testInternalDG"
                        }
                    },
                    {
                        "senderId": "ExistingExternalDG",
                        "tagDataGroup": {
                            "bigip": "/Common/testExternalDG",
                            "isExternal": true
                        }
                    },
                    {
                        "senderId": "RefInternalDG",
                        "tagDataGroup": {
                            "use": "dataGroupRefInternal"
                        }
                    },
                    {
                        "senderId": "RefExternalDG",
                        "tagDataGroup": {
                            "use": "dataGroupRefExternal"
                        }
                    },
                    {
                        "senderId": "RefExternalDGFile",
                        "tagDataGroup": {
                            "use": "dataGroupRefExistingFileNoDG"
                        }
                    }
                ]
            },
            "dataGroupRefInternal": {
                "class": "Data_Group",
                "label": "Tag values mapping",
                "storageType": "internal",
                "name": "Internal Int",
                "keyDataType": "integer",
                "records": [
                    {
                        "key": 121212,
                        "value": "Summer"
                    },
                    {
                        "key": 3434,
                        "value": "Internal Field: \"see guide\""
                    }
                ]
            },
            "dataGroupRefExternal": {
                "class": "Data_Group",
                "label": "From URL or file path",
                "storageType": "external",
                "keyDataType": "string",
                "externalFilePath": "http://yourfile.yourdomain.com",
                "ignoreChanges": true,
                "separator": ":"
            },
            "dataGroupRefExistingFileNoDG": {
                "class": "Data_Group",
                "label": "From existing data-group file",
                "storageType": "external",
                "keyDataType": "string",
                "dataGroupFile": {
                    "bigip": "/Common/{{dataGroupFileName}}"
                }
            }
        }
    }
}
