bigip_virtual_server – Manage LTM virtual servers on a BIG-IP

New in version 1.0.0.

Synopsis

  • Manage LTM virtual servers on a BIG-IP system.

Parameters

Parameter Choices/Defaults Configuration Comments
address_translation
boolean
    Choices:
  • no
  • yes
When enabled, specifies the system translates the address of the virtual server.
When disabled, specifies the system uses the address without translation.
This option is useful when the system is load balancing devices that have the same IP address.
When creating a new virtual server, the default is enabled.
bypass_module_checks
boolean
added in 1.3.0
    Choices:
  • no ←
  • yes
Disables all built-in module verification checks that require BIG-IP device calls. Using this option cuts down on the number of REST calls made by this module. The trade off is that most parameters are sent as is, which requires extra care when defining them.
The device is the final source of truth for such configurations, usable in cases where speed is preferred over accuracy.
If set to yes, the module ignores the value op check_profiles parameter.
This parameter can be used when creating new or updating existing resources.
check_profiles
boolean
added in 1.2.0
    Choices:
  • no
  • yes ←
Specifies whether the client and server SSL profiles specified by the user should be verified to be correct against the existing profiles. This is useful in cases where a large number of profiles are being added at once.
Not recommended for common use. In case of duplicate profiles, or erroneous profiles, the BIG-IP throws an error.
clone_pools
list / elements=dictionary
Specifies a pool or list of pools that the virtual server uses to replicate either client-side or server-side traffic.
Typically this option is used for intrusion detection.
context
string / required
    Choices:
  • clientside
  • serverside
The context option for a clone pool to replicate either client-side or server-side traffic.
pool_name
string / required
The pool name to which the server replicates the traffic.
Only pools created on the Common partition or on the same partition as the virtual server can be used.
Referencing a pool on the Common partition needs to be done in the full path format, for example, /Common/pool_name.
default_persistence_profile
string
Default profile which manages the session persistence.
If you want to remove the existing default persistence profile, specify an empty value; "". See the documentation for an example.
When type is dhcp, this parameter is ignored.
description
string
Virtual server description.
destination
string
Destination IP of the virtual server.
Required when state is present and the virtual server does not exist.
When type is internal, this parameter is ignored. For all other types, it is required.
Destination can also be specified as a name for an existing Virtual Address.

aliases: address, ip
disabled_vlans
list / elements=string
List of VLANs to be disabled. If the partition is not specified in the VLAN, the partition option of this module is used.
This parameter is mutually exclusive with the enabled_vlans parameters.
enabled_vlans
list / elements=string
List of VLANs to enable. When a VLAN named all is used, all VLANs will be allowed. VLANs can be specified with or without the leading partition. If the partition is not specified in the VLAN, the partition option of this module is used.
This parameter is mutually exclusive with the disabled_vlans parameter.
fallback_persistence_profile
string
Specifies the persistence profile you want the system to use if it cannot use the specified default persistence profile.
If you want to remove the existing fallback persistence profile, specify an empty value; "". See the documentation for an example.
When type is dhcp, this parameter is ignored.
firewall_enforced_policy
string
Applies the specified AFM policy to the virtual in an enforcing way.
When creating a new virtual, if this parameter is not specified, the enforced policy is disabled.
firewall_staged_policy
string
Applies the specified AFM policy to the virtual in an enforcing way.
A staged policy shows the results of the policy rules in the log, while not actually applying the rules to traffic.
When creating a new virtual, if this parameter is not specified, the staged policy is disabled.
insert_metadata
boolean
    Choices:
  • no
  • yes ←
When set to no, the module does not set metadata on the device.
Currently there is a limitation that non-admin users cannot set metadata on the object, despite being able to create and modify virtual server objects. Setting this option to no allows such users to use this module to manage virtual server objects on the device.
ip_intelligence_policy
string
Specifies the IP intelligence policy applied to the virtual server.
This parameter requires a valid BIG-IP security module is provisioned, such as ASM or AFM.
ip_protocol
string
    Choices:
  • ah
  • any
  • bna
  • esp
  • etherip
  • gre
  • icmp
  • ipencap
  • ipv6
  • ipv6-auth
  • ipv6-crypt
  • ipv6-icmp
  • isp-ip
  • mux
  • ospf
  • sctp
  • tcp
  • udp
  • udplite
Specifies a network protocol name you want the system to use to direct traffic on this virtual server.
When creating a new virtual server, if this parameter is not specified, the default is tcp.
The Protocol setting is not available when you select Performance (HTTP) as the Type.
The value of this argument can be specified in either its numeric value, or in a select number of named values. Refer to choices for examples.
For a list of valid IP protocol numbers, refer to https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers.
When type is dhcp, this module forces the ip_protocol parameter to 17 (UDP).
irules
list / elements=string
Specifies a list of rules to be applied in priority order.
If you want to remove existing iRules, specify a single empty value; "". See the documentation for an example.
The order in which iRules are specified does matter, so a list that contains the same list elements but in a different order in the playbook will make changes on the device.
When type is dhcp, stateless, reject, or internal, this parameter is ignored.

aliases: all_rules
mask
string
Specifies the destination address network mask. This parameter works with IPv4 and IPv6 addresses.
This is an optional parameter which can be specified when creating or updating virtual server.
If destination is set in CIDR notation format and mask is provided, the mask parameter takes precedence.
If you specify a catchall destination (for example, 0.0.0.0 for IPv4, :: for IPv6) the mask parameter is set to any or any6 respectively.
When the destination is not in CIDR notation and a mask is not specified, 255.255.255.255 or ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff is set for IPv4 and IPv6 addresses respectively.
When destination is provided in CIDR notation format and a mask is not specified, the mask parameter is inferred from destination.
When destination is provided as a virtual address name, and a mask is not specified, the mask will be None, allowing device set it with its internal defaults.
metadata
raw
Arbitrary key/value pairs you can attach to a virtual server. This is useful in situations where you want to annotate a virtual to be managed by Ansible.
Key names are stored as strings; this includes names that are numbers.
Values for all of the keys are stored as strings; this includes values that are numbers.
Data is persisted, not ephemeral.
mirror
boolean
    Choices:
  • no
  • yes
Specifies the system mirrors connections on each member of a redundant pair.
When creating a new virtual server, if this parameter is not specified, the default is disabled.
name
string / required
Virtual server name.

aliases: vs
partition
string
Default:
"Common"
Device partition to manage resources on.
policies
list / elements=string
Specifies the policies for the virtual server.
When type is dhcp, reject, or internal, this parameter is ignored.

aliases: all_policies
pool
string
Default pool for the virtual server.
If you want to remove the existing pool, specify an empty value; "". See the documentation for an example.
When creating a new virtual server, and type is stateless, this parameter is required.
If type is stateless, the pool must not have any members which define a rate_limit.
port
string
Port of the virtual server. Required when state is present and the virtual server does not exist.
If you do not want to specify a particular port, use the value 0. This means the virtual server listens on any port.
When type is dhcp, this module forces the port parameter to 67.
When type is internal, this module forces the port parameter to 0.
In addition to specifying a port number, a select number of service names may also be provided.
The string ftp may be substituted for for port 21.
The string http may be substituted for for port 80.
The string https may be substituted for for port 443.
The string telnet may be substituted for for port 23.
The string smtp may be substituted for for port 25.
The string snmp may be substituted for for port 161.
The string snmp-trap may be substituted for for port 162.
The string ssh may be substituted for for port 22.
The string tftp may be substituted for for port 69.
The string isakmp may be substituted for for port 500.
The string mqtt may be substituted for for port 1883.
The string mqtt-tls may be substituted for for port 8883.
port_translation
boolean
    Choices:
  • no
  • yes
When enabled, specifies the system translates the port of the virtual server.
When disabled, specifies the system uses the port without translation. Turning off port translation for a virtual server is useful if you want to use the virtual server to load balance connections to any service.
When creating a new virtual server, the default is enabled.
profiles
raw
List of profiles (HTTP, ClientSSL, ServerSSL, etc) to apply to both sides of the connection (client-side and server-side).
If you only want to apply a particular profile to the client-side of the connection, specify client-side for the profile's context.
If you only want to apply a particular profile to the server-side of the connection, specify server-side for the profile's context.
If context is not provided, it will default to all.
If you want to remove a profile from the list of profiles currently active on the virtual, simply remove it from the profiles list. See examples for an illustration of this.
If you want to add a profile to the list of profiles currently active on the virtual, simply add it to the profiles list. See examples for an illustration of this.
Profiles are important. This module will fail to configure a BIG-IP if you mix up your profiles, or if you attempt to set an IP protocol which your current, or new, profiles do not support. Both this module, and BIG-IP, will report an error if this is incorrect, resembling lists profiles incompatible with its protocol.
If you are unsure what the correct profile combinations are, we suggest having a BIG-IP available in which you can make changes and copy what the correct combinations are.

aliases: all_profiles
context
string
    Choices:
  • all ←
  • server-side
  • client-side
The side of the connection on which the profile should be applied.
name
string
Name of the profile.
This must be specified if a context is specified.
If this is not specified, it is assumed the profile item is only a name of a profile.
provider
dictionary
added in 1.0.0
A dict object containing connection details.
auth_provider
string
Configures the auth provider for to obtain authentication tokens from the remote device.
This option is really used when working with BIG-IQ devices.
no_f5_teem
boolean
    Choices:
  • no
  • yes
If yes, TEEM telemetry data is not sent to F5.
You may omit this option by setting the environment variable F5_TEEM.
password
string / required
The password for the user account used to connect to the BIG-IP.
You may omit this option by setting the environment variable F5_PASSWORD.

aliases: pass, pwd
server
string / required
The BIG-IP host.
You may omit this option by setting the environment variable F5_SERVER.
server_port
integer
Default:
443
The BIG-IP server port.
You may omit this option by setting the environment variable F5_SERVER_PORT.
timeout
integer
Specifies the timeout in seconds for communicating with the network device for either connecting or sending commands. If the timeout is exceeded before the operation is completed, the module will error.
transport
string
    Choices:
  • rest ←
Configures the transport connection to use when connecting to the remote device.
user
string / required
The username to connect to the BIG-IP with. This user must have administrative privileges on the device.
You may omit this option by setting the environment variable F5_USER.
validate_certs
boolean
    Choices:
  • no
  • yes ←
If no, SSL certificates are not validated. Use this only on personally controlled sites using self-signed certificates.
You may omit this option by setting the environment variable F5_VALIDATE_CERTS.
rate_limit
integer
Virtual server rate limit (connections-per-second). Setting this to 0 disables the limit.
The valid value range is 0 - 4294967295.
rate_limit_dst_mask
integer
Specifies a mask, in bits, to be applied to the destination address as part of the rate limiting.
The default value is 0, which is equivalent to using the entire address - 32 in IPv4, or 128 in IPv6.
The valid value range is 0 - 4294967295.
rate_limit_mode
string
    Choices:
  • object ←
  • object-source
  • object-destination
  • object-source-destination
  • destination
  • source
  • source-destination
Indicates whether the rate limit is applied per virtual object, per source address, per destination address, or some combination thereof.
The default value is object, which does not use the source or destination address as part of the key.
rate_limit_src_mask
integer
Specifies a mask, in bits, to be applied to the source address as part of the rate limiting.
The default value is 0, which is equivalent to using the entire address - 32 in IPv4, or 128 in IPv6.
The valid value range is 0 - 4294967295.
security_log_profiles
list / elements=string
Specifies the log profile applied to the virtual server.
To make use of this feature, the AFM module must be licensed and provisioned.
The Log all requests and Log illegal requests are mutually exclusive and therefore, this module raises an error if the two are specified together.
security_nat_policy
dictionary
Specify the Firewall NAT policies for the virtual server.
You can specify one or more NAT policies to use.
The most specific policy is used. For example, if you specify the virtual server should use the device policy and the route domain policy, the route domain policy overrides the device policy.
policy
string
Specifies the policy to apply a NAT policy directly to the virtual server.
The virtual server NAT policy is the most specific, and overrides a route domain and device policy, if specified.
To remove the policy, specify an empty string value.
use_device_policy
boolean
    Choices:
  • no
  • yes
Specifies the virtual server uses the device NAT policy, as specified in the Firewall Options.
The device policy is used if no route domain or virtual server NAT setting is specified.
use_route_domain_policy
boolean
    Choices:
  • no
  • yes
Specifies the virtual server uses the route domain policy, as specified in the Route Domain Security settings.
When specified, the route domain policy overrides the device policy, and is overridden by a virtual server policy.
snat
string
Source network address policy.
When type is dhcp, reject, or internal, this parameter is ignored.
The name of a SNAT pool (like "/Common/snat_pool_name") can be specified to enable SNAT with the specific pool.
To remove SNAT, specify the word none.
To specify automap, use the word automap.
source
string
Specifies an IP address or network from which the virtual server accepts traffic.
The virtual server accepts clients only from one of these IP addresses.
For this setting to function effectively, specify a value other than 0.0.0.0/0 or ::/0 (that is, any/0, any6/0).
In order to maximize the utility of this setting, specify the most specific address prefixes covering all customer addresses and no others.
Specify the IP address in Classless Inter-Domain Routing (CIDR) format; address/prefix, where the prefix length is in bits. For example, for IPv4, 10.0.0.1/32 or 10.0.0.0/24, and for IPv6, ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64.
source_port
string
    Choices:
  • preserve
  • preserve-strict
  • change
Specifies whether the system preserves the source port of the connection.
When creating a new virtual server, if this parameter is not specified, the default is preserve.
state
string
    Choices:
  • present ←
  • absent
  • enabled
  • disabled
The virtual server state. If absent, deletes the virtual server if it exists. If present, creates the virtual server and enables it. If enabled, enables the virtual server if it exists. If disabled, creates the virtual server if needed, and sets the state to disabled.
type
string
    Choices:
  • standard ←
  • forwarding-l2
  • forwarding-ip
  • performance-http
  • performance-l4
  • stateless
  • reject
  • dhcp
  • internal
  • message-routing
Specifies the network service provided by this virtual server.
When creating a new virtual server, if this parameter is not provided, the default is standard.
This value cannot be changed after it is set.
When standard, specifies a virtual server that directs client traffic to a load balancing pool, and is the most basic type of virtual server. When you first create the virtual server, you assign an existing default pool to it. From then on, the virtual server automatically directs traffic to that default pool.
When forwarding-l2, specifies a virtual server that shares the same IP address as a node in an associated VLAN.
When forwarding-ip, specifies a virtual server like other virtual servers, except the virtual server has no pool members to load balance. The virtual server simply forwards the packet directly to the destination IP address specified in the client request.
When performance-http, specifies a virtual server with which you associate a Fast HTTP profile. Together, the virtual server and profile increase the speed at which the virtual server processes HTTP requests.
When performance-l4, specifies a virtual server with which you associate a Fast L4 profile. Together, the virtual server and profile increase the speed at which the virtual server processes layer 4 requests.
When stateless, specifies a virtual server that accepts traffic matching the virtual server address and load balances the packet to the pool members without attempting to match the packet to a pre-existing connection in the connection table. New connections are immediately removed from the connection table. This addresses the requirement for one-way UDP traffic that needs to be processed at very high throughput levels, for example, load balancing syslog traffic to a pool of syslog servers. Stateless virtual servers are not suitable for processing traffic requiring stateful tracking, such as TCP traffic. Stateless virtual servers do not support iRules, persistence, connection mirroring, rateshaping, or SNAT automap.
When reject, specifies the BIG-IP system rejects any traffic destined for the virtual server IP address.
When dhcp, specifies a virtual server that relays Dynamic Host Control Protocol (DHCP) client requests for an IP address to one or more DHCP servers, and provides DHCP server responses with an available IP address for the client.
When internal, specifies a virtual server that supports modification of HTTP requests and responses. Internal virtual servers enable the use of ICAP (Internet Content Adaptation Protocol) servers to modify HTTP requests and responses by creating and applying an ICAP profile and adding Request Adapt or Response Adapt profiles to the virtual server.
When message-routing, specifies a virtual server that uses a SIP application protocol and functions in accordance with a SIP session profile and SIP router profile.

Notes

Note

  • For more information on using Ansible to manage F5 Networks devices see https://www.ansible.com/integrations/networks/f5.
  • Requires BIG-IP software version >= 12.
  • The F5 modules only manipulate the running configuration of the F5 product. To ensure that BIG-IP specific configuration persists to disk, be sure to include at least one task that uses the f5networks.f5_modules.bigip_config module to save the running configuration. Refer to the module’s documentation for the correct usage of the module to save your running configuration.

Examples

- name: Modify Port of the Virtual Server
  bigip_virtual_server:
    state: present
    partition: Common
    name: my-virtual-server
    port: 8080
    provider:
      server: lb.mydomain.net
      user: admin
      password: secret
  delegate_to: localhost

- name: Delete virtual server
  bigip_virtual_server:
    state: absent
    partition: Common
    name: my-virtual-server
    provider:
      server: lb.mydomain.net
      user: admin
      password: secret
  delegate_to: localhost

- name: Add virtual server
  bigip_virtual_server:
    state: present
    partition: Common
    name: my-virtual-server
    destination: 10.10.10.10
    port: 443
    pool: my-pool
    snat: Automap
    description: Test Virtual Server
    profiles:
      - http
      - fix
      - name: clientssl
        context: server-side
      - name: ilx
        context: client-side
    policies:
      - my-ltm-policy-for-asm
      - ltm-uri-policy
      - ltm-policy-2
      - ltm-policy-3
    enabled_vlans:
      - /Common/vlan2
    provider:
      server: lb.mydomain.net
      user: admin
      password: secret
  delegate_to: localhost

- name: Add FastL4 virtual server
  bigip_virtual_server:
    destination: 1.1.1.1
    name: fastl4_vs
    port: 80
    profiles:
      - fastL4
    state: present
    provider:
      server: lb.mydomain.net
      user: admin
      password: secret
  delegate_to: localhost

- name: Add iRules to the Virtual Server
  bigip_virtual_server:
    name: my-virtual-server
    irules:
      - irule1
      - irule2
    provider:
      server: lb.mydomain.net
      user: admin
      password: secret
  delegate_to: localhost

- name: Remove one iRule from the Virtual Server
  bigip_virtual_server:
    name: my-virtual-server
    irules:
      - irule2
    provider:
      server: lb.mydomain.net
      user: admin
      password: secret
  delegate_to: localhost

- name: Remove all iRules from the Virtual Server
  bigip_virtual_server:
    name: my-virtual-server
    irules: ""
    provider:
      server: lb.mydomain.net
      user: admin
      password: secret
  delegate_to: localhost

- name: Remove pool from the Virtual Server
  bigip_virtual_server:
    name: my-virtual-server
    pool: ""
    provider:
      server: lb.mydomain.net
      user: admin
      password: secret
  delegate_to: localhost

- name: Add metadata to virtual
  bigip_pool:
    state: absent
    name: my-pool
    partition: Common
    metadata:
      ansible: 2.4
      updated_at: 2017-12-20T17:50:46Z
    provider:
      server: lb.mydomain.com
      user: admin
      password: secret
  delegate_to: localhost

- name: Add virtual with two profiles
  bigip_pool:
    state: absent
    name: my-pool
    partition: Common
    profiles:
      - http
      - tcp
    provider:
      server: lb.mydomain.com
      user: admin
      password: secret
  delegate_to: localhost

- name: Remove HTTP profile from previous virtual
  bigip_pool:
    state: absent
    name: my-pool
    partition: Common
    profiles:
      - tcp
    provider:
      server: lb.mydomain.com
      user: admin
      password: secret
  delegate_to: localhost

- name: Add the HTTP profile back to the previous virtual
  bigip_pool:
    state: absent
    name: my-pool
    partition: Common
    profiles:
      - http
      - tcp
    provider:
      server: lb.mydomain.com
      user: admin
      password: secret
  delegate_to: localhost

- name: Add virtual server with rate limit
  bigip_virtual_server:
    state: present
    partition: Common
    name: my-virtual-server
    destination: 10.10.10.10
    port: 443
    pool: my-pool
    snat: Automap
    description: Test Virtual Server
    profiles:
      - http
      - fix
      - name: clientssl
        context: server-side
      - name: ilx
        context: client-side
    policies:
      - my-ltm-policy-for-asm
      - ltm-uri-policy
      - ltm-policy-2
      - ltm-policy-3
    enabled_vlans:
      - /Common/vlan2
    rate_limit: 400
    rate_limit_mode: destination
    rate_limit_dst_mask: 32
    provider:
      server: lb.mydomain.net
      user: admin
      password: secret
  delegate_to: localhost

- name: Add FastL4 virtual server with clone_pools
  bigip_virtual_server:
    destination: 1.1.1.1
    name: fastl4_vs
    port: 80
    profiles:
      - fastL4
    state: present
    clone_pools:
      - pool_name: FooPool
        context: clientside
    provider:
      server: lb.mydomain.net
      user: admin
      password: secret
  delegate_to: localhost

Return Values

The following are the fields unique to this module:

Key Returned Description
address_translation
boolean
changed
The new value specifying whether address translation is on or off.

Sample:
True
clone_pools
list
changed
Pools to which virtual server copies traffic.

Sample:
[{'pool_name': '/Common/Pool1', 'context': 'clientside'}]
default_persistence_profile
string
changed
Default persistence profile set on the virtual server.

Sample:
/Common/dest_addr
description
string
changed
New description of the virtual server.

Sample:
This is my description
destination
string
changed
Destination of the virtual server.

Sample:
1.1.1.1
disabled
boolean
changed
Whether the virtual server is disabled or not.

Sample:
True
disabled_vlans
list
changed
List of VLANs that the virtual is disabled for.

Sample:
['/Common/vlan1', '/Common/vlan2']
enabled
boolean
changed
Whether the virtual server is enabled or not.

enabled_vlans
list
changed
List of VLANs that the virtual is enabled for.

Sample:
['/Common/vlan5', '/Common/vlan6']
fallback_persistence_profile
string
changed
Fallback persistence profile set on the virtual server.

Sample:
/Common/source_addr
firewall_enforced_policy
string
changed
The new enforcing firewall policy.

Sample:
/Common/my-enforced-fw
firewall_staged_policy
string
changed
The new staging firewall policy.

Sample:
/Common/my-staged-fw
ip_intelligence_policy
string
changed
The new IP Intelligence Policy assigned to the virtual.

Sample:
/Common/ip-intelligence
ip_protocol
integer
changed
The new value of the IP protocol.

Sample:
6
irules
list
changed
iRules set on the virtual server.

Sample:
['/Common/irule1', '/Common/irule2']
metadata
dictionary
changed
The new value of the virtual.

Sample:
{'key1': 'foo', 'key2': 'bar'}
mirror
boolean
changed
Specifies the system mirrors connections on each member of a redundant pair.

Sample:
True
policies
list
changed
List of policies attached to the virtual.

Sample:
['/Common/policy1', '/Common/policy2']
pool
string
changed
Pool the virtual server is attached to.

Sample:
/Common/my-pool
port
integer
changed
Port the virtual server is configured to listen on.

Sample:
80
port_translation
boolean
changed
The new value specifying whether port translation is on or off.

Sample:
True
profiles
list
changed
List of profiles set on the virtual server.

Sample:
[{'name': 'tcp', 'context': 'server-side'}, {'name': 'tcp-legacy', 'context': 'client-side'}]
rate_limit
integer
changed
The maximum number of connections per second allowed for a virtual server.

Sample:
5000
rate_limit_dst_mask
integer
changed
Specifies a mask, in bits, to be applied to the destination address as part of the rate limiting.

Sample:
32
rate_limit_mode
string
changed
Sets the type of rate limiting to be used on the virtual server.

Sample:
object-source
rate_limit_src_mask
integer
changed
Specifies a mask, in bits, to be applied to the source address as part of the rate limiting.

Sample:
32
security_log_profiles
list
changed
The new list of security log profiles.

Sample:
['/Common/profile1', '/Common/profile2']
snat
string
changed
SNAT setting of the virtual server.

Sample:
Automap
source
string
changed
Source address set on the virtual server, in CIDR format.

Sample:
1.2.3.4/32
source_port
string
changed
Specifies whether the system preserves the source port of the connection.

Sample:
change


Status

Authors

  • Tim Rupp (@caphrim007)
  • Wojciech Wypior (@wojtek0806)
  • Nitin Khanna (@nitinthewiz)