Appendix B: Additional Example Declarations

This section contains a number of additional example declarations you can use. The numbering of these examples continues from the Examples section.

If you want to see an example that uses all of the available AS3 properties, see Appendix C: Declaration using all AS3 Properties.

Example 5: HTTP with no compression, BIG-IP tcp profile, iRule for pool

In example 5, we create separate internal and external pools, and use an iRule to direct traffic based on the IP address of the client. This example creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_05.
  • Virtual server (HTTP) named serviceMain (called _A1 in the BIG-IP GUI).
  • A TCP profile using the mptcp-mobile-optimized parent. This bigip keyword exists in the TCP profile section schema and tells the system to look for the pathname of an existing TCP profile.
  • Two pools named dfl_pool and pvt_pool, each with 2 members monitored by the default HTTP health monitor.
  • An iRule which sends internal users to a private pool based on their IP address.
{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "urn:uuid:a858e55e-bbe6-42ce-a9b9-0f4ab33e3bf7",
    "label": "Sample 5",
    "remark": "HTTP with no compression, BIG-IP tcp profile, iRule for pool",
    "constants": {
      "myNotes": "F5 suggested I timestamp declarations, so...",
      "timestamp": "2017-11-27T18:26:45Z",
      "anotherProperty": "And I can put anything I want here...",
      "someUsefulNumber": 3.14159265
    },
    "Sample_05": {
      "class": "Tenant",
      "A1": {
        "class": "Application",
        "template": "http",
        "serviceMain": {
          "class": "Service_HTTP",
          "virtualAddresses": [
            "10.0.3.10"
          ],
          "pool": "dfl_pool",
          "profileHTTPCompression": "basic",
          "iRules": [
            "choose_pool"
          ],
          "profileTCP": {
            "bigip": "/Common/mptcp-mobile-optimized"
          }
        },
        "dfl_pool": {
          "class": "Pool",
          "monitors": [
            "http"
          ],
          "members": [{
            "servicePort": 80,
            "serverAddresses": [
              "192.0.3.10",
              "192.0.3.11"
            ]
          }]
        },
        "pvt_pool": {
          "class": "Pool",
          "monitors": [
            "http"
          ],
          "members": [{
            "servicePort": 80,
            "serverAddresses": [
              "192.0.3.20",
              "192.0.3.21"
            ]
          }]
        },
        "choose_pool": {
          "class": "iRule",
          "remark": "choose private pool based on IP",
          "iRule": "when CLIENT_ACCEPTED {\nif {[IP::client_addr] starts_with \"10.\"} {\n pool `*pvt_pool`\n }\n}"
        }
      }
    }
  }
}


Example 6: TCP load-balanced to ICAP with custom monitor

This example creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_06.
  • A TCP virtual server named serviceMain on port 1344 (called _A1 in the BIG-IP GUI).
  • A TCP profile using the mptcp-mobile-optimized parent.
  • A pool named svc_pool containing two members (also using port 1344).
  • A custom TCP health monitor with custom Send and Receive strings for ICAP.
{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "123456abcd",
    "label": "Sample 6",
    "remark": "TCP load-balanced to ICAP with custom monitor",
    "Sample_06": {
      "class": "Tenant",
      "A1": {
        "class": "Application",
        "template": "tcp",
        "serviceMain": {
          "class": "Service_TCP",
          "virtualAddresses": [
            "10.0.5.10"
          ],
          "virtualPort": 1344,
          "pool": "svc_pool"
        },
        "svc_pool": {
          "class": "Pool",
          "monitors": [{
            "use": "icap_monitor"
          }],
          "members": [{
            "servicePort": 1344,
            "serverAddresses": [
              "192.0.5.10",
              "192.0.5.11"
            ]
          }]
        },
        "icap_monitor": {
          "class": "Monitor",
          "monitorType": "tcp",
          "send": "OPTIONS icap://icap.example.net/ ICAP/1.0\r\nUser-Agent: f5-ADC\r\n\r\n",
          "receive": "ICAP/1.0 200 OK",
          "adaptive": false
        }
      }
    }
  }
}


Example 7: HTTP with custom persistence

This example creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_07.
  • An HTTP virtual server named serviceMain (called _A1 in the BIG-IP GUI).
  • A pool named web_pool containing two members using the HTTP health monitor.
  • A custom persistence profile based on cookie persistence for JSESSIONID.
{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "fghijkl7890",
    "label": "Sample 7",
    "remark": "HTTP with custom persistence",
    "Sample_07": {
      "class": "Tenant",
      "A1": {
        "class": "Application",
        "template": "http",
        "serviceMain": {
          "class": "Service_HTTP",
          "virtualAddresses": [
            "10.0.6.10"
          ],
          "pool": "web_pool",
          "persistenceMethods": [{
            "use": "jsessionid"
          }]
        },
        "web_pool": {
          "class": "Pool",
          "monitors": [
            "http"
          ],
          "members": [{
            "servicePort": 80,
            "serverAddresses": [
              "192.0.6.10",
              "192.0.6.11"
            ]
          }]
        },
        "jsessionid": {
          "class": "Persist",
          "persistenceMethod": "cookie",
          "cookieMethod": "hash",
          "cookieName": "JSESSIONID"
        }
      }
    }
  }
}


Example 8: HTTP with additional virtual service for corporate clients

This example creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_08.
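  • Two HTTP virtual servers named serviceMain (called _A1 in the BIG-IP GUI) and pvt_vs. In the declaration, pvt_vs pairs its virtual address (10.1.7.10) with the source network 10.0.0.0/8, which is what limits it to corporate LAN clients.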
  • A pool named web_pool containing two members using the HTTP health monitor. Both virtual servers reference this pool.
  • A custom persistence profile based on cookie persistence for JSESSIONID.
{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "urn:uuid:76f06c5a-b673-430d-8df4-d817cb3b9f3c",
    "label": "Sample 8",
    "remark": "HTTP with extra corp-only virtual",
    "controls": {
      "trace": true
    },
    "Sample_08": {
      "class": "Tenant",
      "A1": {
        "class": "Application",
        "template": "http",
        "serviceMain": {
          "class": "Service_HTTP",
          "virtualAddresses": [
            "10.0.7.10"
          ],
          "pool": "web_pool",
          "persistenceMethods": [{
            "use": "jsessionid"
          }]
        },
        "pvt_vs": {
          "class": "Service_HTTP",
          "remark": "Serves corporate LAN clients only",
          "virtualAddresses": [
            [
              "10.1.7.10",
              "10.0.0.0/8"
            ]
          ],
          "snatpool": "auto",
          "pool": "web_pool"
        },
        "web_pool": {
          "class": "Pool",
          "monitors": [
            "http"
          ],
          "members": [{
            "servicePort": 80,
            "serverAddresses": [
              "192.0.7.10",
              "192.0.7.11"
            ]
          }]
        },
        "jsessionid": {
          "class": "Persist",
          "persistenceMethod": "cookie",
          "cookieMethod": "hash",
          "cookieName": "JSESSIONID"
        }
      }
    }
  }
}


Example 9: HTTP and HTTPS virtual services in one declaration

This example creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_09.
  • An HTTP virtual server named serviceMain (called _A1 in the BIG-IP GUI) and an HTTPS virtual server named A2.
  • A pool named gce_pool and a pool named web_pool, each containing two members using the HTTP health monitor.
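  • TLS/SSL profile (including certificate and private key) named TLS_Server. In the BIG-IP UI, this is a Client SSL profile. Note that the declaration carries the private key inline, and that the sample passphrase's protected header specifies "enc":"none", so its ciphertext is only base64-encoded, not encrypted. Store and transmit a declaration like this with the same care as the key itself.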
{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "lmnop543421",
    "label": "Sample 9",
    "remark": "An HTTP and an HTTPS application",
    "controls": {
      "trace": true
    },
    "Sample_09": {
      "class": "Tenant",
      "A1": {
        "class": "Application",
        "template": "http",
        "serviceMain": {
          "class": "Service_HTTP",
          "virtualAddresses": [
            "10.0.9.10"
          ],
          "pool": "gce_pool"
        },
        "gce_pool": {
          "class": "Pool",
          "monitors": [
            "http"
          ],
          "members": [{
            "servicePort": 80,
            "serverAddresses": [
              "192.0.7.10",
              "192.0.7.11"
            ]
          }]
        }
      },
      "A2": {
        "class": "Application",
        "template": "https",
        "serviceMain": {
          "class": "Service_HTTPS",
          "virtualAddresses": [
            "10.0.9.20"
          ],
          "pool": "web_pool",
          "serverTLS": "webtls"
        },
        "web_pool": {
          "class": "Pool",
          "monitors": [
            "http"
          ],
          "members": [{
            "servicePort": 80,
            "serverAddresses": [
              "192.0.9.10",
              "192.0.9.11"
            ]
          }]
        },
        "webtls": {
          "class": "TLS_Server",
          "certificates": [{
            "certificate": "webcert"
          }]
        },
        "webcert": {
          "class": "Certificate",
          "remark": "in practice we recommend using a passphrase",
          "certificate": "-----BEGIN CERTIFICATE-----\nMIICnDCCAgWgAwIBAgIJAJ5n2b0OCEjwMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRQwEgYDVQQKDAtmNV9OZXR3b3JrczEbMBkGA1UEAwwSc2FtcGxlLmV4YW1wbGUubmV0MB4XDTE3MTEyNjE5NTAyNFoXDTE4MDIyNTE5NTAyNFowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFDASBgNVBAoMC2Y1X05ldHdvcmtzMRswGQYDVQQDDBJzYW1wbGUuZXhhbXBsZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALEsuXmSXVQpYjrZPW+WiTBjn491mwZYT7Q92V1HlSBtM6WdWlK1aZN5sovfKtOX7Yrm8xa+e4o/zJ2QYLyyv5O+t2EGN/4qUEjEAPY9mwJdfzRQy6Hyzm84J0QkTuUJ/EjNuPji3D0QJRALUTzu1UqqDCEtiN9OGyXEkh7uvb7BAgMBAAGjUDBOMB0GA1UdDgQWBBSVHPNrGWrjWyZvckQxFYWO59FRFjAfBgNVHSMEGDAWgBSVHPNrGWrjWyZvckQxFYWO59FRFjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAJeJ9SEckEwPhkXOm+IuqfbUS/RcziifBCTmVyE+Fa/j9pKSYTgiEBNdbJeBEa+gPMlQtbV7Y2dy8TKx/8axVBHiXC5geDML7caxOrAyHYBpnx690xJTh5OIORBBM/a/NvaR+P3CoVebr/NPRh9oRNxnntnqvqD7SW0U3ZPe3tJc\n-----END CERTIFICATE-----",
          "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,D8FFCE6B255601587CB54EC29B737D31\n\nkv4Fc3Jn0Ujkj0yRjt+gQQfBLSNF2aRLUENXnlr7Xpzqu0Ahr3jS1bAAnd8IWnsR\nyILqVmKsYF2DoHh0tWiEAQ7/y/fe5DTFhK7N4Wml6kp2yVMkP6KC4ssyYPw27kjK\nDBwBZ5O8Ioej08A5sgsLCmglbmtSPHJUn14pQnMTmLOpEtOsu6S+2ibPgSNpdg0b\nCAJNG/KHe+Vkx59qNDyDeKb7FZOlsX30+y67zUq9GQqJEDuysPJ2BUNP0IJXAjst\nFIt1qNoZew+5KDYs7u/lPxcMGTirUhgI84Jy4WcDvSOsP/tKlxj04TbIE3epmSKy\n+TihHkwY7ngIGtcm3Sfqk5jz2RXoj1/Ac3SW8kVTYaOUogBhn7zAq4Wju6Et4hQG\nRGapsJp1aCeZ/a4RCDTxspcKoMaRa97/URQb0hBRGx3DGUhzpmX9zl7JI2Xa5D3R\nmdBXtjLKYJTdIMdd27prBEKhMUpae2rz5Mw4J907wZeBq/wu+zp8LAnecfTe2nGY\nE32x1U7gSEdYOGqnwxsOexb1jKgCa67Nw9TmcMPV8zmH7R9qdvgxAbAtwBl1F9OS\nfcGaC7epf1AjJLtaX7krWmzgASHl28Ynh9lmGMdv+5QYMZvKG0LOg/n3m8uJ6sKy\nIzzvaJswwn0j5P5+czyoV5CvvdCfKnNb+3jUEN8I0PPwjBGKr4B1ojwhogTM248V\nHR69D6TxFVMfGpyJhCPkbGEGbpEpcffpgKuC/mEtMqyDQXJNaV5HO6HgAJ9F1P6v\n5ehHHTMRvzCCFiwndHdlMXUjqSNjww6me6dr6LiAPbejdzhL2vWx1YqebOcwQx3G\n-----END RSA PRIVATE KEY-----",
          "passphrase": {
            "ciphertext": "ZjVmNQ==",
            "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
          }
        }
      }
    }
  }
}


Example 10: Two applications sharing a pool

In this example, we show a declaration that creates two applications that use the same load balancing pool. In this scenario, one of our virtual servers is for HTTP (port 80) traffic and one for HTTPS (port 443) traffic.

It creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_10.
  • Three virtual servers: one HTTP, one HTTPS, and one redirect. The names are _A1, _A2, and _A2-Redirect (created by default to redirect port 80 traffic to 443).
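  • TLS/SSL profile (including certificate and private key) named TLS_Server. In the BIG-IP UI, this is a Client SSL profile. Note that the declaration carries the private key inline, and that the sample passphrase's protected header specifies "enc":"none", so its ciphertext is only base64-encoded, not encrypted. Store and transmit a declaration like this with the same care as the key itself.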
  • Pool named dual_pool with 2 members monitored by the default HTTP health monitor. Both virtual servers reference this same pool.
{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "zyxwu8675309",
    "label": "Sample 10",
    "remark": "Two applications sharing a pool",
    "Sample_10": {
      "class": "Tenant",
      "Shared": {
        "class": "Application",
        "template": "shared",
        "dual_pool": {
          "class": "Pool",
          "monitors": [
            "http"
          ],
          "members": [{
            "servicePort": 80,
            "serverAddresses": [
              "192.0.10.10",
              "192.0.10.11"
            ]
          }]
        }
      },
      "A1": {
        "class": "Application",
        "template": "http",
        "serviceMain": {
          "class": "Service_HTTP",
          "virtualAddresses": [
            "10.0.10.10"
          ],
          "pool": "/Sample_10/Shared/dual_pool"
        }
      },
      "A2": {
        "class": "Application",
        "template": "https",
        "serviceMain": {
          "class": "Service_HTTPS",
          "virtualAddresses": [
            "10.0.10.20"
          ],
          "pool": "/Sample_10/Shared/dual_pool",
          "serverTLS": "webtls"
        },
        "webtls": {
          "class": "TLS_Server",
          "certificates": [{
            "certificate": "webcert"
          }]
        },
        "webcert": {
          "class": "Certificate",
          "remark": "in practice we recommend using a passphrase",
          "certificate": "-----BEGIN CERTIFICATE-----\nMIICnDCCAgWgAwIBAgIJAJ5n2b0OCEjwMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRQwEgYDVQQKDAtmNV9OZXR3b3JrczEbMBkGA1UEAwwSc2FtcGxlLmV4YW1wbGUubmV0MB4XDTE3MTEyNjE5NTAyNFoXDTE4MDIyNTE5NTAyNFowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFDASBgNVBAoMC2Y1X05ldHdvcmtzMRswGQYDVQQDDBJzYW1wbGUuZXhhbXBsZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALEsuXmSXVQpYjrZPW+WiTBjn491mwZYT7Q92V1HlSBtM6WdWlK1aZN5sovfKtOX7Yrm8xa+e4o/zJ2QYLyyv5O+t2EGN/4qUEjEAPY9mwJdfzRQy6Hyzm84J0QkTuUJ/EjNuPji3D0QJRALUTzu1UqqDCEtiN9OGyXEkh7uvb7BAgMBAAGjUDBOMB0GA1UdDgQWBBSVHPNrGWrjWyZvckQxFYWO59FRFjAfBgNVHSMEGDAWgBSVHPNrGWrjWyZvckQxFYWO59FRFjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAJeJ9SEckEwPhkXOm+IuqfbUS/RcziifBCTmVyE+Fa/j9pKSYTgiEBNdbJeBEa+gPMlQtbV7Y2dy8TKx/8axVBHiXC5geDML7caxOrAyHYBpnx690xJTh5OIORBBM/a/NvaR+P3CoVebr/NPRh9oRNxnntnqvqD7SW0U3ZPe3tJc\n-----END CERTIFICATE-----",
          "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,D8FFCE6B255601587CB54EC29B737D31\n\nkv4Fc3Jn0Ujkj0yRjt+gQQfBLSNF2aRLUENXnlr7Xpzqu0Ahr3jS1bAAnd8IWnsR\nyILqVmKsYF2DoHh0tWiEAQ7/y/fe5DTFhK7N4Wml6kp2yVMkP6KC4ssyYPw27kjK\nDBwBZ5O8Ioej08A5sgsLCmglbmtSPHJUn14pQnMTmLOpEtOsu6S+2ibPgSNpdg0b\nCAJNG/KHe+Vkx59qNDyDeKb7FZOlsX30+y67zUq9GQqJEDuysPJ2BUNP0IJXAjst\nFIt1qNoZew+5KDYs7u/lPxcMGTirUhgI84Jy4WcDvSOsP/tKlxj04TbIE3epmSKy\n+TihHkwY7ngIGtcm3Sfqk5jz2RXoj1/Ac3SW8kVTYaOUogBhn7zAq4Wju6Et4hQG\nRGapsJp1aCeZ/a4RCDTxspcKoMaRa97/URQb0hBRGx3DGUhzpmX9zl7JI2Xa5D3R\nmdBXtjLKYJTdIMdd27prBEKhMUpae2rz5Mw4J907wZeBq/wu+zp8LAnecfTe2nGY\nE32x1U7gSEdYOGqnwxsOexb1jKgCa67Nw9TmcMPV8zmH7R9qdvgxAbAtwBl1F9OS\nfcGaC7epf1AjJLtaX7krWmzgASHl28Ynh9lmGMdv+5QYMZvKG0LOg/n3m8uJ6sKy\nIzzvaJswwn0j5P5+czyoV5CvvdCfKnNb+3jUEN8I0PPwjBGKr4B1ojwhogTM248V\nHR69D6TxFVMfGpyJhCPkbGEGbpEpcffpgKuC/mEtMqyDQXJNaV5HO6HgAJ9F1P6v\n5ehHHTMRvzCCFiwndHdlMXUjqSNjww6me6dr6LiAPbejdzhL2vWx1YqebOcwQx3G\n-----END RSA PRIVATE KEY-----",
          "passphrase": {
            "ciphertext": "ZjVmNQ==",
            "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
          }
        }
      }
    }
  }
}


Example 11: UDP virtual service

This example is for a UDP DNS load balancer service, and creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_11.
  • A UDP virtual server named serviceMain on port 53.
  • A pool named Pool1 monitored by the default ICMP health monitor.
{
  "class": "AS3",
  "action": "deploy",
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "UDP_DNS_Sample",
    "label": "UDP_DNS_Sample",
    "remark": "Sample of a UDP DNS Load Balancer Service",
    "Sample_11": {
      "class": "Tenant",
      "DNS_Service": {
        "class": "Application",
        "template": "udp",
        "serviceMain": {
          "class": "Service_UDP",
          "virtualPort": 53,
          "virtualAddresses": [
            "10.1.20.121"
          ],
          "pool": "Pool1"
        },
        "Pool1": {
          "class": "Pool",
          "monitors": [
            "icmp"
          ],
          "members": [
            {
              "servicePort": 53,
              "serverAddresses": [
                "10.1.10.100"
              ]
            },
            {
              "servicePort": 53,
              "serverAddresses": [
                "10.1.10.101"
              ]
            }
          ]
        }
      }
    }
  }
 }


Example 12: Using PATCH to add a new Application to a Tenant

This example uses the same declaration as in Example 11, but we use the PATCH method to add a new Application to the Sample_11 tenant.

This PATCH creates the following objects on the BIG-IP:

  • A new Application named NewAPP.
  • An HTTP service (virtual server) named serviceMain.
  • A pool named web_poolnew with two servers monitored by the default http health monitor.

If necessary, review the declaration in Example 11 (or first use GET https://<BIG-IP>/mgmt/shared/appsvcs/declare/Sample_11).

Then use PATCH https://<BIG-IP>/mgmt/shared/appsvcs/declare with the following body (note that because this is a new object, we include the new name in the path):

[
  {
    "op": "add",
    "path": "/Sample_11/NewAPP",
    "value": {
      "class": "Application",
      "template": "http",
      "serviceMain": {
        "class": "Service_HTTP",
        "virtualAddresses": [
          "10.0.1.10"
        ],
        "pool": "web_poolnew"
      },
      "web_poolnew": {
        "class": "Pool",
        "monitors": [
          "http"
        ],
        "members": [{
          "servicePort": 80,
          "serverAddresses": [
            "192.0.1.10",
            "192.0.1.11"
          ]
        }]
      }
    }
  }
]

After submitting this PATCH, the system returns the following (new application highlighted in yellow):

{
  "results": [
    {
      "message": "success",
      "lineCount": 20,
      "code": 200,
      "host": "localhost",
      "tenant": "Sample_11",
      "runTime": 1330
    }
  ],
  "declaration": {
    "Sample_11": {
      "class": "Tenant",
      "DNS_Service": {
        "class": "Application",
        "template": "udp",
        "serviceMain": {
          "class": "Service_UDP",
          "virtualPort": 53,
          "virtualAddresses": [
            "10.1.20.121"
          ],
          "pool": "Pool1"
        },
        "Pool1": {
          "class": "Pool",
          "monitors": [
            "icmp"
          ],
          "members": [
            {
              "servicePort": 53,
              "serverAddresses": [
                "10.1.10.100"
              ]
            },
            {
              "servicePort": 53,
              "serverAddresses": [
                "10.1.10.101"
              ]
            }
          ]
        }
      },
      "NewAPP": {
        "class": "Application",
        "template": "http",
        "serviceMain": {
          "class": "Service_HTTP",
          "virtualAddresses": [
            "10.0.1.10"
          ],
          "pool": "web_poolnew"
        },
        "web_poolnew": {
          "class": "Pool",
          "monitors": [
            "http"
          ],
          "members": [
            {
              "servicePort": 80,
              "serverAddresses": [
                "192.0.1.10",
                "192.0.1.11"
              ]
            }
          ]
        }
      }
    }
  },
  "class": "ADC",
  "schemaVersion": "3.0.0",
  "id": "UDP_DNS_Sample",
  "label": "UDP_DNS_Sample",
  "remark": "Sample of a UDP DNS Load Balancer Service",
  "controls": {
    "archiveTimestamp": "2018-06-04T21:54:18.255Z"
  }
}


Example 13: Virtual service referencing an existing security policy

This example creates an HTTP service, and attaches an existing Web Application Firewall (WAF) security policy created with the BIG-IP Application Security Manager (ASM) module. See the BIG-IP ASM Implementations Guide for information on configuring security policies.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_13.
  • A virtual server named serviceMain.
  • A pool named Pool1 monitored by the default http health monitor.
  • An LTM policy named _WAF__HTTP_Service which references the existing ASM policy named test-policy.
{
  "class": "ADC",
  "schemaVersion": "3.0.0",
  "id": "5489432",
  "label": "ASM_policy_existing",
  "remark": "ASM_policy_existing",
  "controls": {
    "class": "Controls",
    "trace": true,
    "logLevel": "debug"
  },
  "Sample_13": {
    "class": "Tenant",
    "HTTP_Service": {
      "class": "Application",
      "template": "http",
      "serviceMain": {
        "class": "Service_HTTP",
        "virtualAddresses": [
          "192.0.10.107"
        ],
        "snat": "auto",
        "pool": "Pool1",
        "policyWAF": {
          "bigip": "/Common/test-policy"
        }
      },
      "Pool1": {
        "class": "Pool",
        "monitors": [
          "http"
        ],
        "members": [
          {
            "servicePort": 8001,
            "serverAddresses": [
              "10.10.10.143"
            ]
          },
          {
            "servicePort": 8002,
            "serverAddresses": [
              "10.10.10.144"
            ]
          }
        ]
      }
    }
  }
 }



Example 13a: Virtual service referencing an external security policy

This example creates an HTTP service, and attaches a Web Application Firewall (WAF) security policy hosted in an external location. See the BIG-IP ASM Implementations Guide for information on configuring security policies, and the Exporting ASM Policies chapter for information on exporting policies.

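Note that the URL in the following declaration does not resolve; you need to use a valid URL where you have uploaded the ASM policy you exported from a BIG-IP system. Because the BIG-IP loads its WAF policy from that URL, host the file at a location you control and serve it over HTTPS.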

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_13a.
  • A virtual server named serviceMain.
  • A pool named Pool1 monitored by the default http health monitor.
  • An LTM policy named _WAF__HTTP_Service which references the external ASM policy via URL.
{
  "class": "ADC",
  "schemaVersion": "3.2.0",
  "id": "5489432",
  "label": "ASM_policy_external_URL",
  "remark": "ASM_policy_external_URL",
  "controls": {
    "class": "Controls",
    "trace": true,
    "logLevel": "debug"
  },
  "Sample_13a": {
    "class": "Tenant",
    "HTTP_Service": {
      "class": "Application",
      "template": "http",
      "serviceMain": {
        "class": "Service_HTTP",
        "virtualAddresses": [
          "192.0.10.107"
        ],
        "snat": "auto",
        "pool": "Pool1",
        "policyWAF": {
          "use": "My_ASM_Policy"
        }
      },
      "Pool1": {
        "class": "Pool",
        "monitors": [
          "http"
        ],
        "members": [
          {
            "servicePort": 8001,
            "serverAddresses": [
              "10.10.10.143"
            ]
          },
          {
            "servicePort": 8002,
            "serverAddresses": [
              "10.10.10.144"
            ]
          }
        ]
      },
      "My_ASM_Policy": {
        "class": "WAF_Policy",
        "url": "https://example.com/asm-policy.xml",
        "ignoreChanges": true
      }
    }
  }
}



Example 14: Virtual service allowing only specific VLANs

This example uses our simple HTTP service in Example 1, but uses a feature introduced in AS3 version 3.2.0, which enables the ability to allow or deny client traffic from specific VLANs (IMPORTANT: The VLAN objects must already exist on the BIG-IP system).

In this case, we are using allowVlans to allow traffic from specific VLANs on our BIG-IP system to access our HTTP service, and denying all other traffic to that service. If we wanted to deny traffic from specific VLANs, we would use rejectVlans instead. In the rejectVlans case, the system would deny traffic from the specified VLANs, and would allow traffic from any other VLAN on the system. If you do not use this property, the system allows all VLANs by default.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_14.
  • A virtual server named serviceMain which is only accessible from the internal-sales and internal-marketing VLANs (which already exist on the BIG-IP system).
  • A pool named web_pool monitored by the default http health monitor.
{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.2.0",
    "id": "vlan-allow",
    "label": "Sample 14",
    "remark": "Simple HTTP application VLAN restriction",
    "Sample_14": {
      "class": "Tenant",
      "A1": {
        "class": "Application",
        "template": "http",
        "serviceMain": {
          "class": "Service_HTTP",
          "virtualAddresses": [
            "10.0.1.10"
          ],
          "pool": "web_pool",
          "allowVlans": [
            { "bigip":"/Common/internal-sales" },
            { "bigip":"/Common/internal-marketing" }
          ]
        },
        "web_pool": {
          "class": "Pool",
          "monitors": [
            "http"
          ],
          "members": [{
            "servicePort": 80,
            "serverAddresses": [
              "192.0.1.10",
              "192.0.1.11"
            ]
          }]
        }
      }
    }
  }
}



Example 15: Using a Local Traffic Policy to forward HTTP Requests

This example uses a BIG-IP Local Traffic Policy with URL Routing that forwards any HTTP requests that have a path containing example.com to the pool web_pool. For more information, see Local Traffic Policy in the BIG-IP documentation. For usage, see Endpoint_Policy in Appendix A: Schema Reference.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_15.
  • A virtual server named serviceMain.
  • A pool named web_pool monitored by the default http health monitor.
  • A BIG-IP Local Traffic Policy with a rule that forwards any request for example.com to the web_pool.
{
  "class": "ADC",
  "schemaVersion": "3.2.0",
  "id": "ltm_policy",
  "label": "",
  "remark": "Simple HTTP application with LTM policy",
  "Sample_15": {
    "class": "Tenant",
    "A1": {
      "class": "Application",
      "template": "http",
      "serviceMain": {
        "class": "Service_HTTP",
        "virtualAddresses": [
          "10.0.1.10"
        ],
        "policyEndpoint": "forward_policy"
      },
      "web_pool": {
        "class": "Pool",
        "monitors": [
          "http"
        ],
        "members": [{
          "servicePort": 80,
          "serverAddresses": [
            "192.0.1.10",
            "192.0.1.11"
          ]
        }]
      },
      "forward_policy": {
        "class": "Endpoint_Policy",
        "rules": [{
          "name": "forward_to_pool",
          "conditions": [{
            "type": "httpUri",
            "path": {
              "operand": "contains",
              "values": ["example.com"]
            }
          }],
          "actions": [{
            "type": "forward",
            "event": "request",
            "select": {
              "pool": {
                "use": "web_pool"
              }
            }
          }]
        }]
      }
    }
  }
}



Example 16: Using Service Discovery to automatically populate a pool

This example uses the Service Discovery feature to populate a pool based on tagged resources in AWS. For information on this feature, see the Service Discovery page. In this example, the pool contains two static members on port 443, and then members in our us-west-1 region in AWS that are tagged with foo and bar.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_16.
  • A virtual server named serviceMain.
  • A pool named web_pool monitored by the default http health monitor.
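  • Pool members discovered in AWS (region us-west-1, tagged foo=bar) in addition to two static members on port 443. (The declaration below does not define a Local Traffic Policy; that item appears to have been carried over from Example 15.)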
{
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "urn:uuid:33045210-3ab8-4636-9b2a-c98d22ab425d",
    "controls": {
      "class": "Controls",
      "trace": true,
      "logLevel": "debug"
    },
    "label": "AWS Service Discovery",
    "remark": "Simple HTTP application with a pool using AWS service discovery",
    "Sample_16": {
      "class": "Tenant",
      "verifiers": {
        
      },
      "A1": {
        "class": "Application",
        "template": "http",
        "serviceMain": {
          "class": "Service_HTTP",
          "virtualAddresses": [
            "192.0.2.14"
          ],
          "pool": "web_pool"
        },
        "web_pool": {
          "class": "Pool",
          "monitors": [
            "http"
          ],
          "members": [
            {
              "servicePort": 80,
              "addressDiscovery": "aws",
              "updateInterval": 1,
              "tagKey": "foo",
              "tagValue": "bar",
              "addressRealm": "private",
              "region": "us-west-1"
            },
            {
              "enable": true,
              "servicePort": 443,
              "serverAddresses": [
                "192.0.2.60",
                "192.0.2.61"
              ]
            }
          ]
        }
      }
    }
  }  



Example 17: Referencing an existing SSL certificate and key in the Common partition

This example shows how to reference an SSL certificate and key that exist in the Common partition.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_17.
  • A virtual server named serviceMain.
  • A pool named pool monitored by the default http health monitor.
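  • TLS/SSL profile (which references the default BIG-IP certificate and key in the Common partition) named pTlsServer_Local. In the BIG-IP UI, this is called a Client SSL profile. The BIG-IP default certificate is self-signed, so for production services reference a certificate and key issued for the service instead.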
{
    "class": "ADC",
    "id": "myid",
    "schemaVersion": "3.0.0",
    "controls": {
      "class": "Controls",
      "trace": true,
      "logLevel": "debug"
    },
    "Sample_17": {
      "class": "Tenant",
      "test_https": {
        "class": "Application",
        "template": "https",
        "pool": {
          "class": "Pool",
          "members": [
            {
              "serverAddresses": [
                "192.0.2.100"
              ],
              "servicePort": 8080
            }
          ],
          "monitors": [
            "http"
          ]
        },
        "serviceMain": {
          "class": "Service_HTTPS",
          "persistenceMethods": [],
          "pool": "pool",
          "serverTLS": "pTlsServer_Local",
          "snat": "auto",
          "virtualAddresses": [
            "192.168.0.2"
          ],
          "virtualPort": 443
        },
        "pTlsServer_Local": {
          "class": "TLS_Server",
          "label": "simplest decl requires just cert",
          "certificates": [
            {
              "certificate": "tlsserver_local_cert"
            }
          ]
        },
        "tlsserver_local_cert": {
          "class": "Certificate",
          "certificate": {"bigip":"/Common/default.crt"},
          "privateKey": {"bigip":"/Common/default.key"}
        }
      }
    }
  }
  



Example 18: Using Firewall Rules, Policies, and logging

This example shows how you can use the BIG-IP Advanced Firewall Manager (AFM) module in a declaration. BIG-IP AFM defends against threats to network layers 3–4, stopping them before they reach your data center. To use these features, you must have BIG-IP AFM licensed and provisioned on your BIG-IP system.

In this example, we create firewall rules which are used in our firewall policy. We also create a security logging profile to define the events we want to log.

The AFM features we use in this declaration are well-documented in the AFM documentation and Logging documentation. See these manuals for more information on these features. Also see the Appendix A: Schema Reference for usage options for your AS3 declarations.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_18.
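  • A virtual server named serviceMain. It is a wildcard L4 listener (virtual address 0.0.0.0, virtual port 0) with address and port translation disabled, and the firewall policy fwPolicy is enforced on it.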
  • A pool named ex_pool monitored by the default gateway_icmp health monitor.
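  • A firewall rule list named fwRuleList, which references lists of allowed ports (fwAllowedPortList) and addresses (fwAllowedAddressList). It contains three rules, in this order: tcpAllow accepts TCP from the allowed addresses to the allowed ports, udpAllow accepts UDP from the allowed addresses, and defaultDeny drops all other traffic by matching the address list fwDefaultDenyAddressList (0.0.0.0/0). Rules are evaluated in order, so defaultDeny must stay last. Note that udpAllow has no destination port list, so it accepts UDP to any port from the allowed addresses; add a destination port list to that rule if UDP should be restricted the same way as TCP.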
  • A firewall policy named fwPolicy which references the firewall rule lists.
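  • A log publisher (fwLogPublisher), high speed logging destination (fwLogDestinationHsl) and pool (hsl_pool), and syslog destination (fwLogDestinationSyslog). The security log profile fwSecurityLogProfile uses this publisher and is attached to serviceMain, so rule-match accepts, drops, and rejects are all logged.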
{
    "class": "AS3",
    "action": "deploy",
    "persist": true,
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.0.0",
        "id": "firewall",
        "label": "Sample 18",
        "remark": "Firewall policy, rule, and logging example",
        "controls": {
        "trace": true
        },
        "Sample_18": {
            "class": "Tenant",
            "fwFastL4": {
                "fwAllowedAddressList": {
                    "class": "Firewall_Address_List",
                    "addresses": [
                        "10.0.0.0/8",
                        "172.20.0.0/16",
                        "192.168.0.0/16"
                    ]
                },
                "fwLogDestinationSyslog": {
                    "class": "Log_Destination",
                    "type": "remote-syslog",
                    "remoteHighSpeedLog": {
                        "use": "fwLogDestinationHsl"
                    },
                    "format": "rfc5424"
                },
                "fwLogDestinationHsl": {
                    "class": "Log_Destination",
                    "type": "remote-high-speed-log",
                    "protocol": "tcp",
                    "pool": {
                        "use": "hsl_pool"
                    }
                },
                "fwRuleList": {
                "class": "Firewall_Rule_List",
                "rules": [
                        {
                            "protocol": "tcp",
                            "name": "tcpAllow",
                            "loggingEnabled": true,
                            "destination": {
                                "portLists": [
                                    {
                                        "use": "fwAllowedPortList"
                                    }
                                ]
                            },
                            "source": {
                                "addressLists": [
                                    {
                                        "use": "fwAllowedAddressList"
                                    }
                                ]
                            },
                            "action": "accept"
                        },
                        {
                            "action": "accept",
                            "loggingEnabled": true,
                            "protocol": "udp",
                            "name": "udpAllow",
                            "source": {
                                "addressLists": [
                                    {
                                        "use": "fwAllowedAddressList"
                                    }
                                ]
                            }
                        },
                        {
                            "action": "drop",
                            "loggingEnabled": true,
                            "protocol": "any",
                            "name": "defaultDeny",
                            "source": {
                                "addressLists": [
                                    {
                                        "use": "fwDefaultDenyAddressList"
                                    }
                                ]
                            }
                        }
                    ]
                },
                "hsl_pool": {
                    "class": "Pool",
                    "members": [
                        {
                            "serverAddresses": [
                                "192.168.120.6"
                            ],
                            "enable": true,
                            "servicePort": 514
                        }
                    ],
                    "monitors": [
                        {
                            "bigip": "/Common/tcp"
                        }
                    ]
                },
                "fwAllowedPortList": {
                    "class": "Firewall_Port_List",
                    "ports": [
                        22,
                        53,
                        80,
                        443,
                        "8080-8081"
                    ]
                },
                "fwSecurityLogProfile": {
                    "class": "Security_Log_Profile",
                    "network": {
                        "publisher": {
                            "use": "fwLogPublisher"
                        },
                        "storageFormat": {
                            "fields": [
                                "action",
                                "dest-ip",
                                "dest-port",
                                "src-ip",
                                "src-port"
                            ]
                        },
                        "logTranslationFields": true,
                        "logTcpEvents": true,
                        "logRuleMatchRejects": true,
                        "logTcpErrors": true,
                        "logIpErrors": true,
                        "logRuleMatchDrops": true,
                        "logRuleMatchAccepts": true
                    }
                },
                "class": "Application",
                "fwDefaultDenyAddressList": {
                    "class": "Firewall_Address_List",
                    "addresses": [
                        "0.0.0.0/0"
                    ]
                },
                "fwPolicy": {
                    "rules": [
                        {
                            "use": "fwRuleList"
                        }
                    ],
                    "class": "Firewall_Policy"
                },
                "ex_L4_Profile": {
                    "class": "L4_Profile"
                },
                "template": "l4",
                "ex_pool": {
                    "class": "Pool",
                    "members": [
                        {
                            "serverAddresses": [
                                "192.168.31.3"
                            ],
                            "enable": true,
                            "servicePort": 0
                        }
                    ],
                    "monitors": [
                        {
                            "bigip": "/Common/gateway_icmp"
                        }
                    ]
                },
                "serviceMain": {
                    "translateServerAddress": false,
                    "securityLogProfiles": [
                        {
                            "use": "fwSecurityLogProfile"
                        }
                    ],
                    "virtualAddresses": [
                        "0.0.0.0"
                    ],
                    "policyFirewallEnforced": {
                        "use": "fwPolicy"
                    },
                    "translateServerPort": false,
                    "profileL4": {
                        "use": "ex_L4_Profile"
                    },
                    "virtualPort": 0,
                    "snat": "none",
                    "class": "Service_L4",
                    "pool": "ex_pool"
                },
                "fwLogPublisher": {
                    "class": "Log_Publisher",
                    "destinations": [
                        {
                            "use": "fwLogDestinationSyslog"
                        }
                    ]
                }
            }
        }
    }
}