Example Declarations
Advanced Routing: Multiple Route Tables, Routes, Nexthops and Subscriptions
The following examples use the “routeGroupDefinitions” object (released in v1.5.0) to support advanced routing scenarios. NOTE: In AWS and Azure, routeGroupDefinitions translates to route tables. GCP does not have the concept of route tables, so it translates to groups or collections of routes. Advanced routing examples include operating in shared services and/or sandwich architectures with multiple BIG-IP clusters (which may share networks) that require per-route table granularity.
AWS Advanced Routing
{
"class":"Cloud_Failover",
"environment":"aws",
"controls":{
"class":"Controls",
"logLevel":"silly"
},
"externalStorage":{
"scopingTags":{
"f5_cloud_failover_label":"mydeployment"
}
},
"failoverAddresses":{
"enabled":true,
"scopingTags":{
"f5_cloud_failover_label":"mydeployment"
}
},
"failoverRoutes":{
"enabled":true,
"routeGroupDefinitions":[
{
"scopingName":"rtb-11111111111111111",
"scopingAddressRanges":[
{
"range":"100.100.101.0/29"
},
{
"range":"100.100.102.0/29"
}
],
"defaultNextHopAddresses":{
"discoveryType":"static",
"items":[
"10.0.12.11",
"10.0.22.11"
]
}
},
{
"scopingName":"rtb-22222222222222222",
"scopingAddressRanges":[
{
"range":"0.0.0.0/0"
}
],
"defaultNextHopAddresses":{
"discoveryType":"static",
"items":[
"10.0.13.11",
"10.0.23.11"
]
}
}
]
}
}
Azure Advanced Routing
{
"class":"Cloud_Failover",
"environment":"azure",
"controls":{
"class":"Controls",
"logLevel":"silly"
},
"externalStorage":{
"scopingTags":{
"f5_cloud_failover_label":"mydeployment"
}
},
"failoverAddresses":{
"enabled":true,
"scopingTags":{
"f5_cloud_failover_label":"mydeployment"
}
},
"failoverRoutes":{
"enabled":true,
"defaultResourceLocations":[
{
"subscriptionId":"1111"
},
{
"subscriptionId":"2222"
}
],
"routeGroupDefinitions":[
{
"scopingName":"myroutetable-1",
"scopingAddressRanges":[
{
"range":"100.100.101.0/29"
},
{
"range":"100.100.102.0/29"
}
],
"defaultNextHopAddresses":{
"discoveryType":"static",
"items":[
"10.0.12.11",
"10.0.12.12"
]
}
},
{
"scopingName":"myroutetable-2",
"scopingAddressRanges":[
{
"range":"0.0.0.0/0"
}
],
"defaultNextHopAddresses":{
"discoveryType":"static",
"items":[
"10.0.13.11",
"10.0.13.12"
]
}
}
]
}
}
GCP Advanced Routing
{
"class":"Cloud_Failover",
"environment":"gcp",
"controls":{
"class":"Controls",
"logLevel":"silly"
},
"externalStorage":{
"scopingTags":{
"f5_cloud_failover_label":"mydeployment"
}
},
"failoverAddresses":{
"enabled":true,
"scopingTags":{
"f5_cloud_failover_label":"mydeployment"
}
},
"failoverRoutes":{
"enabled":true,
"routeGroupDefinitions":[
{
"scopingName":"default-route-for-applications",
"defaultNextHopAddresses":{
"discoveryType":"static",
"items":[
"10.0.13.11",
"10.0.13.12"
]
}
},
{
"scopingName":"route-name-2",
"defaultNextHopAddresses":{
"discoveryType":"static",
"items":[
"10.0.14.11",
"10.0.14.12"
]
}
}
]
}
}
Route Failover Using Route Tags
For backwards compatibility, you can use tags on the route tables to discover them and provide nexthop Self-IP address mappings. For example, the route table will need two tags: one with the scoping tag (arbitrary key/value) and one with the special key f5_self_ips and a value that contains a comma-separated list of addresses mapping to a Self-IP address on each instance in the cluster.
"f5_cloud_failover_label": "route-table-1"
"f5_self_ips": "10.0.0.10,10.0.0.11"
Once the route table is tagged as above, the declaration below shows how to configure the solution to look for those tags and nexthop Self-IP address mappings.
Note
You do not need to add the additional tag with the nexthop Self-IP address mapping if you use the static option for discoveryType in the CFE declaration. Instead, you will list the nexthop addresses within the declaration. See the Failover Routes section for more information.
{
"class":"Cloud_Failover",
"environment":"aws",
"externalStorage":{
"scopingTags":{
"f5_cloud_failover_label":"mydeployment"
}
},
"failoverAddresses":{
"enabled":true,
"scopingTags":{
"f5_cloud_failover_label":"mydeployment"
}
},
"failoverRoutes":{
"enabled":true,
"routeGroupDefinitions":[
{
"scopingTags":{
"f5_cloud_failover_label":"DMZ-RouteTable"
},
"scopingAddressRanges":[
{
"range":"192.168.1.0/24"
},
{
"range":"192.168.1.1/24"
}
],
"defaultNextHopAddresses":{
"discoveryType":"routeTag"
}
},
{
"scopingTags":{
"f5_cloud_failover_label":"Internal-RouteTable"
},
"scopingAddressRanges":[
{
"range":"0.0.0.0/0"
}
],
"defaultNextHopAddresses":{
"discoveryType":"routeTag"
}
}
]
}
}
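A pre-flight check for the tag-based discovery described above, added here as an example and not part of the CFE documentation or code: given route-table tag sets (constructed below), it reports per routeTag group which tables the scoping tag selects and whether each carries a usable f5_self_ips value. The function names, the cluster_size parameter and the rtb-example-* IDs are assumptions.

```python
import ipaddress

def parse_self_ips(value):
    """Split an f5_self_ips tag value into address objects (ValueError if malformed)."""
    return [ipaddress.ip_address(p.strip()) for p in value.split(",") if p.strip()]

def preflight_route_tags(groups, route_tables, cluster_size=2):
    """For each routeTag group, list the tables its scopingTags select and their status."""
    report = {}
    for group in groups:
        if group.get("defaultNextHopAddresses", {}).get("discoveryType") != "routeTag":
            continue  # static groups carry their next hops in the declaration
        wanted = group.get("scopingTags", {})
        label = ",".join(f"{k}={v}" for k, v in sorted(wanted.items()))
        tables = report.setdefault(label, {})  # stays empty if nothing matches
        for table_id, tags in route_tables.items():
            if not wanted or any(tags.get(k) != v for k, v in wanted.items()):
                continue
            if "f5_self_ips" not in tags:
                tables[table_id] = "missing f5_self_ips tag"
                continue
            try:
                hops = parse_self_ips(tags["f5_self_ips"])
            except ValueError as err:
                tables[table_id] = f"unparseable f5_self_ips: {err}"
                continue
            # Assumption: one Self-IP per instance, cluster_size instances.
            if len(hops) != cluster_size:
                tables[table_id] = f"{len(hops)} address(es), expected {cluster_size}"
            else:
                tables[table_id] = "ok"
    return report

# Constructed tag sets, shaped like the tags a route-table listing returns.
ROUTE_TABLES = {
    "rtb-example-a": {"f5_cloud_failover_label": "DMZ-RouteTable",
                      "f5_self_ips": "10.0.0.10,10.0.0.11"},
    "rtb-example-b": {"f5_cloud_failover_label": "DMZ-RouteTable",
                      "f5_self_ips": "10.0.0.10;10.0.0.11"},  # wrong separator
    "rtb-example-c": {"f5_cloud_failover_label": "Internal-RouteTable"},
}
GROUPS = [  # the two routeTag groups from the declaration above, ranges omitted
    {"scopingTags": {"f5_cloud_failover_label": label},
     "defaultNextHopAddresses": {"discoveryType": "routeTag"}}
    for label in ("DMZ-RouteTable", "Internal-RouteTable")
]

for label, tables in preflight_route_tags(GROUPS, ROUTE_TABLES).items():
    print(label, tables)
```

A group whose entry in the report is empty selected no route table at all, which usually means the scoping tag on the table and the one in the declaration differ.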
Multiple Next Hop addresses
This example shows a declaration for Route Failover for Multiple Route Tables and routes pointing at different BIG-IP interfaces/Self-IP nexthops. In the example below, two route tables are tagged with the same tag ("f5_cloud_failover_label":"mydeployment") to provide scoping for the deployment (BIG-IP instance or cluster), but the different Self-IP nexthop mappings are provided explicitly in the declaration (vs. with an f5_self_ips tag).
Note
F5 recommends using the newer routeGroupDefinitions object instead. See Advanced Routing: Multiple Route Tables, Routes, Nexthops and Subscriptions.
{
"class":"Cloud_Failover",
"environment":"aws",
"externalStorage":{
"scopingTags":{
"f5_cloud_failover_label":"mydeployment"
}
},
"failoverAddresses":{
"enabled":true,
"scopingTags":{
"f5_cloud_failover_label":"mydeployment"
}
},
"failoverRoutes":{
"enabled":true,
"scopingTags":{
"f5_cloud_failover_label":"mydeployment"
},
"scopingAddressRanges":[
{
"range":"192.168.11.0/24",
"nextHopAddresses":{
"discoveryType":"static",
"items":[
"192.0.1.12",
"192.0.1.13"
]
}
},
{
"range":"192.168.12.0/24",
"nextHopAddresses":{
"discoveryType":"static",
"items":[
"192.0.2.12",
"192.0.2.13"
]
}
}
]
}
}
AWS IPv6 Route Failover
This example shows a declaration for IPv6 routes.
{
"class":"Cloud_Failover",
"environment":"aws",
"controls":{
"class":"Controls",
"logLevel":"silly"
},
"externalStorage":{
"scopingTags":{
"f5_cloud_failover_label":"mydeployment"
}
},
"failoverAddresses":{
"enabled":true,
"scopingTags":{
"f5_cloud_failover_label":"mydeployment"
}
},
"failoverRoutes":{
"enabled":true,
"routeGroupDefinitions":[
{
"scopingName":"myroutetable-1",
"scopingAddressRanges":[
{
"range":"0.0.0.0/0"
},
{
"range":"2001:db8:2:2::/64"
}
],
"defaultNextHopAddresses":{
"discoveryType":"static",
"items":[
"10.0.13.11",
"10.0.23.11",
"2600:1f13:12f:a803:5d15:e0e:1af9:8221",
"2600:1f13:12f:a804:5d15:e0e:1af9:8222"
]
}
}
]
}
}
Azure Route Tables in Multiple Subscriptions
This example shows a BIG-IP cluster managing route tables in multiple subscriptions. The identity (MSI) assigned to each BIG-IP instance must have appropriate access to the additional subscriptions; see Create and assign a Managed Service Identity (MSI) for more details.
Note
- By default, the cloud failover extension looks in the subscription in which the instances are deployed. The example below looks in three different subscriptions, the one the instances are deployed in as well as 1111 and 2222.
- Beginning with v1.14, the route table, not the individual routes, is updated.
{
"class":"Cloud_Failover",
"environment":"azure",
"externalStorage":{
"scopingTags":{
"f5_cloud_failover_label":"mydeployment"
}
},
"failoverAddresses":{
"enabled":true,
"scopingTags":{
"f5_cloud_failover_label":"mydeployment"
}
},
"failoverRoutes":{
"enabled":true,
"scopingTags":{
"f5_cloud_failover_label":"mydeployment"
},
"scopingAddressRanges":[
{
"range":"192.168.1.0/24"
}
],
"defaultNextHopAddresses":{
"discoveryType":"static",
"items":[
"192.0.2.10",
"192.0.2.11"
]
},
"defaultResourceLocations":[
{
"subscriptionId":"1111"
},
{
"subscriptionId":"2222"
}
]
}
}
AWS KMS Server-side encryption (SSE-KMS) Using Default AWS Managed Key
This example shows how to configure CFE when the S3 bucket used for failover state uses server-side KMS encryption with the default AWS managed key.
{
"class": "Cloud_Failover",
"environment": "aws",
"controls": {
"class": "Controls",
"logLevel": "silly"
},
"externalStorage": {
"scopingName": "myCloudFailoverBucket",
"encryption": {
"serverSide": {
"enabled": true,
"algorithm": "aws:kms"
}
}
},
"failoverAddresses": {
"enabled": true,
"scopingTags": {
"f5_cloud_failover_label": "mydeployment"
},
"addressGroupDefinitions": [
{
"type": "networkInterfaceAddress",
"scopingAddress": "10.0.12.101"
},
{
"type": "networkInterfaceAddress",
"scopingAddress": "10.0.12.102"
}
]
},
"failoverRoutes": {
"enabled": true,
"routeGroupDefinitions": [
{
"scopingName": "rtb-11111111111111111",
"scopingAddressRanges": [
{
"range": "0.0.0.0/0"
}
],
"defaultNextHopAddresses": {
"discoveryType": "static",
"items": [
"10.0.13.11",
"10.0.13.12"
]
}
}
]
}
}
AWS KMS Server-side encryption (SSE-KMS) Using Customer Managed Key
This example shows how to configure CFE when the S3 bucket used for failover state uses server-side KMS encryption with a customer-provided key. Note: The keyId should be the actual ID, not the ARN or alias.
{
"class": "Cloud_Failover",
"environment": "aws",
"controls": {
"class": "Controls",
"logLevel": "silly"
},
"externalStorage": {
"scopingTags": {
"f5_cloud_failover_label": "mydeployment"
},
"encryption": {
"serverSide": {
"enabled": true,
"algorithm": "aws:kms",
"keyId": "11111111-1111-1111-111-11111111111"
}
}
},
"failoverAddresses": {
"enabled": true,
"scopingTags": {
"f5_cloud_failover_label": "mydeployment"
},
"addressGroupDefinitions": [
{
"type": "networkInterfaceAddress",
"scopingAddress": "10.0.12.101"
},
{
"type": "networkInterfaceAddress",
"scopingAddress": "10.0.12.102"
}
]
},
"failoverRoutes": {
"enabled": true,
"routeGroupDefinitions": [
{
"scopingName": "rtb-11111111111111111",
"scopingAddressRanges": [
{
"range": "0.0.0.0/0"
}
],
"defaultNextHopAddresses": {
"discoveryType": "static",
"items": [
"10.0.13.11",
"10.0.13.12"
]
}
}
]
}
}
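A lint pass over declarations like the ones on this page, added here as an example and not part of CFE or its documentation: it checks routeGroupDefinitions entries (ranges and static next hops) and the SSE-KMS keyId rule stated above. The function name, the sample fragment and the two policy checks marked in the comments are assumptions.

```python
import ipaddress

def lint_declaration(decl):
    """Return a list of findings for a parsed CFE declaration (a dict)."""
    findings = []
    sse = decl.get("externalStorage", {}).get("encryption", {}).get("serverSide", {})
    key_id = sse.get("keyId", "")
    if key_id.startswith(("arn:", "alias/")):  # the page asks for the key ID itself
        findings.append(f"keyId {key_id!r} is an ARN or alias, not a key ID")
    for group in decl.get("failoverRoutes", {}).get("routeGroupDefinitions", []):
        name = group.get("scopingName", "<unnamed>")
        hops = group.get("defaultNextHopAddresses", {})
        families = set()  # IP versions seen among valid static next hops
        if hops.get("discoveryType") == "static":
            if not hops.get("items"):
                findings.append(f"{name}: static discovery but no next hops listed")
            for item in hops.get("items", []):
                try:
                    families.add(ipaddress.ip_address(item).version)
                except ValueError:
                    findings.append(f"{name}: next hop {item!r} is not an IP address")
        for entry in group.get("scopingAddressRanges", []):
            cidr = entry.get("range", "")
            try:
                iface = ipaddress.ip_interface(cidr)
            except ValueError:
                findings.append(f"{name}: range {cidr!r} is not a CIDR block")
                continue
            # Linter policy (assumption, not a documented CFE rule): ranges are
            # written as network addresses and need a same-family next hop.
            if iface.ip != iface.network.network_address:
                findings.append(f"{name}: range {cidr!r} has host bits set, network is {iface.network}")
            if families and iface.version not in families:
                findings.append(f"{name}: IPv{iface.version} range {cidr!r} has no IPv{iface.version} next hop")
    return findings

# Constructed declaration fragment containing four deliberate mistakes.
SAMPLE = {
    "externalStorage": {"encryption": {"serverSide": {
        "enabled": True, "algorithm": "aws:kms", "keyId": "alias/cfe-state"}}},
    "failoverRoutes": {"enabled": True, "routeGroupDefinitions": [{
        "scopingName": "rtb-11111111111111111",
        "scopingAddressRanges": [{"range": "100.100.101.5/29"}, {"range": "2001:db8:2:2::/64"}],
        "defaultNextHopAddresses": {"discoveryType": "static",
                                    "items": ["10.0.12.11", "10.0.22.311"]}}]},
}

print("\n".join(lint_declaration(SAMPLE)))
```

Run it against the parsed JSON before posting a declaration; an empty list means none of these checks fired, not that the declaration matches your cloud environment.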
Setting the Log Level
You set the log level in the controls class. To see more information about editing the controls class, see Logging.
{
"class":"Cloud_Failover",
"environment":"aws",
"controls":{
"class":"Controls",
"logLevel":"silly"
},
"externalStorage":{
"scopingTags":{
"f5_cloud_failover_label":"mydeployment"
}
},
"failoverAddresses":{
"enabled":true,
"scopingTags":{
"f5_cloud_failover_label":"mydeployment"
}
}
}