If you enjoy hoarding vast depths of knowledge from your business partners this article is not for you.  If you want to provide a scalable and simplified deployment model to empower and enable your teams then read on my friend.  Of of the two pieces of the BIG-IP Cloud Edition ecosystem, BIG-IQ 6.0 provides a streamlined way to deploy applications for the rest of us.  Tying simplified application deployment to BIG-IP Per App Virtual Edition's auto-scaling functionality within AWS or VMWare, Cloud Edition provides scalable deployment models you've been looking for from F5. Quick application compliance is a button click away for any team wanting complete ADC and Advanced WAF features provided by BIG-IQ and BIG-IP. Using role-based access controls (RBAC) our below example will deploy an application with the assistance of a BIG-IP admin, a Security Manager, and Application Owner.

A Template for You and A Template For You; Templates for Everyone!

Our BIG-IP admin provides a service catalog of application templates to users who have roles allowing app creation/deployment. Predefining a service catalog gives them the ability to create traffic profiles and tune networking requirements without complicating the deployment process for his application owners. This keeps our BIG-IP admin in control of the network and applications traffic profiles running on it without slowing down deployments. In our example, they'll clone a BIG-IQ default template so the rest of the team can deploy a web application firewall (WAF) enabled application. Our security engineer will create his security policies based on corporate compliance requirements and Dwayne will apply Mick's security policies to the service catalog offerings. Mary our App Manager will choose the new WAF enabled catalog item to deploy a new application in front of her web servers. tl;dr - check out the pretty picture.

BIG-IQ 6 Application Deployment Workflow

BIG-IQ 6 comes with several prebuilt templates. They're quite useful for new BIG-IQ administrators to review so they'll see how service catalog items are built from preexisting BIG-IP profiles and configurations. The prebuilt templates, similar to default BIG-IP profiles, are not modified by administrators but cloned or used as references for  new service catalog offerings.

Note: Templates that do not define an HTTP profile cannot be deployed to a service-scaling group (used for auto-scaling in AWS and VMWare).

Security Policies

Our Security Manager needs to build a new WAF template for the upcoming application. They've been granted the Security Manger role within BIG-IQ to create and manage security policies, relying on the BIG-IP admin to apply them to service catalog items. In this particular case our Security Manager will edit the policy viol_subviol, change the learning mode to manual and make it available to application templates for use.

Fig 2 - WAF Policy

To apply the new security policy, the BIG-IP admin will clone the default f5-HTTPS-WAF-lb-template, in this case we're calling it f5-HTTPS-WAF-lb-custom1 (not too creative, I know). The admin can now select the updated ASM policy viol_subviol and the logging profile templates-default for the virtual servers.

Fig 3 - Applying ASM Policies

Deploying A Service Catalog As An Applications

With our  creation complete our Application Owner can log into BIG-IQ and starting deploying. The Application Manager role was granted and will permit them to deploy, edit, and monitor applications (within allowances set by our admins service catalog template). When our App Manager logs in, they'll see a Application Manager specific dashboard; RBAC limits the Application Manager role's view and prevents access to device, security, or global configurations. They'll create a new application named site18.example.com (she's not very creative either) based on our predefined f5-HTTPS-WAF-lb-custom1 template. The only information our Application Manager needs to provide to the service catalog is the IP address of the virtual server, the IP address and ports open for the application servers, and the FQDN of her application.

Fig 4 - App Creation

The Application Manager fills out the application template and clicks Create. BIG-IQ is off to the races to deploy the application and within minutes we'll sees a healthy status on the new site18.example.com application.

Fig 5 - Application Manager Dashboard

NOTE: If there was a configuration issue or deployment failure, Dwayne our admin can tail the BIG-IQ logs at /var/log/restjavad.0.log to determine the cause.

If the Applicaiton Manager noticed an issue they can click through the application dashboard to find out further details. In this case, the application is fine but they'll update the application health alert rules to coincide with the application's SLA. We can also request other people in the applicaiton team access to monitor this application specifically without viewing others. Our BIG-IP admin has no problem achieving this with RBAC.

Reviewing Application Statistics

Application deployment is complete and the App team has completed traffic and application testing. Our security manager will log back in, check the viol_subviol ASM policy and then accept the learning completed from the testing. After that they'll change the enforcement mode to blocking. When our Application Manager logs back in they can click on security within traffic diagram under Application Services. This will give them security specific analytics and configurations. "Start Blocking" is available for our manager to enable now now that traffic learning was accepted and applied to the system. Sooner or later some cranky people start sending us some malicious traffic some malice and we can view the changes in traffic behavior.

Fig 6 - Blocking Mode Enabled Fig 7 - App Security Info

Automating Your Deployments

BIG-IQ can also assist with automation. BIG-IQ's use of RBAC allows administrators to create automation-centric service accounts for deployment and management needs. Administrators can segregate service accounts based on unique requirements and further control your application lifecycles as you and your team see fit. Should Application Manager have decided to deploy the application via Ansible they could have clicked View Sample API Request and BIG-IQ will provide the JSON snippet along with entered data to populate the playbook. Of course this is a one-off example but it's providing the template needed to deploy further applications should Ansible authenticate with the appropriate credentials.

Fig 8 - Sample API Request

BIG-IQ 6 is a significant step forward to provide ADC and Security functions in front of ALL of your applications, not just the mission critical. We just scratched the surface with application deployment in what BIG-IQ 6 can do for you. In our next article we'll cover auto-scaling applications using service scaling groups with BIG-IP Per App VE. Together BIG-IQ and Per App VE form BIG-IP Cloud Edition and a new way to protect and maintain all of your applications no matter how big or small. As always, if you have questions or feedback, please go to our BIG-IP Cloud Edition Discussion in Q&A. Happy Admining.