iWorkflow is a multi-tenant platform for deploying application delivery policy onto BIG-IP devices. Only available as a virtual appliance, it accelerates the deployment of application-oriented services, simplifies architecture, and reduces exposure to operational risk. iWorkflow is an extensible platform that you can use to join together application deployment workflows. It provides the following benefits:

  • Rapid deployment of performance, high-availability, and security policy.
  • Simplification of network policy execution through the abstraction of configuration complexity.
  • Extension of continuous deployment practices to include scalability and security services.

iWorkflow 2.3.0 introduces GUI support for multi-tenant capabilities of the BIG-IP that were added to the API in version 2.2.0. The GUI offers simple workflows to manage and provision tenant networks on managed devices in multi-tenant BIG-IP clouds, displayed through a newly added “Tenant Networks” panel.

BIG-IP device discovery in a multi-tenant network

To add a BIG-IP device using the iWorkflow GUI

  1. Log in to iWorkflow with your administrator user name and password, then select the Clouds and Services component.
  2. On the Devices header, click the + icon, then click Discover Device.
  3. On the Discover Device panel, enter the BIG-IP device IP address, user name, and password. Specify whether or not this device will be used for multiple tenants. As shown in the diagram below, this setup is configured for managing tenant networks: this is a BIG-IP that will host services from multiple tenants.
  4. After the form is completed, click Save.

Associating a BIG-IP cloud connector with a device

To create a BIG-IP cloud using the iWorkflow GUI

A BIG-IP connector is a resource that identifies the local or virtual environment in which a tenant deploys applications, and, when necessary, adds parameters required by third-party cloud providers. The BIG-IP cloud connector enables multiple iWorkflow tenants to deploy services on shared BIG-IPs.

  1. Select the Clouds and Services component.
  2. On the Clouds header, click the + icon.
  3. The New Cloud screen opens.
  4. In the Name and Description fields, type a name and description. You can use the name and description to help you organize network resources into logical groups based on certain criteria, such as the location or application.
  5. From the Connector Type list, select BIG-IP.
  6. From the Devices list, select the device you want to associate with this connector. To select additional devices to associate with this connector, click the + icon at the right of the list.
  7. Select the Allows Multiple Networks checkbox, as shown below. This field enables the cloud to support multiple Tenant Networks, and must be used in combination with multi-tenant BIG-IP devices.

Creating Tenants

You can create tenants to provide access to customized cloud resources and applications.

  1. At the top of the screen, click Clouds and Services and then, on the Tenants header, click the + icon.
  2. The panel expands to display property fields for the new tenant.
  3. In the Name and Description fields, type a name and an optional description for this tenant. The name can consist of a combination of numbers and symbols, but cannot contain any spaces.
  4. From the Available Clouds list, select the cloud associated with the resources that you are going to provide to this tenant. To add another connector, click the plus (+) sign and select a connector from the additional Available Clouds list. In the example shown below, I have added two tenants.

Note: When an iWorkflow tenant places services on a multi-tenant BIG-IP that is in a BIG-IP cloud, the result is the default service isolation described below.

  • Tenant Config Boundary – A specific partition that is configured on behalf of a tenant on every BIG-IP on which the tenant may place services. This partition contains all the L4-L7 tenant configuration that may be created during service placement.
  • Network Isolation Boundary – The isolated L2-L3 network space configured on a BIG-IP to host L4-L7 services.

You can now associate a user with this tenant to provide access to applications and services. You also need to associate the user with a tenant role. Consult the iWorkflow administrator's guide on creating a cloud user and associating a user with a tenant role.

Creating a Tenant Network

You should understand the following terms before attempting to configure a multi-tenant network on a BIG-IP.

  • Multi Network Connector – A BIG-IP cloud connector that supports more than one network. This is required to provide the necessary address space isolation at the network level. A multi-network BIG-IP cloud can only contain multi-tenant BIG-IPs.
  • Multi Tenant Device – A BIG-IP that will host services from multiple tenants. The device must be brought under iWorkflow management (discovered) and marked multi-tenant compatible. If a BIG-IP already hosts L4-L7 services in single-tenant mode, it cannot be changed to multi-tenant; you will have to remove the device and re-discover it.
  • Isolated Network – The isolated tenant network on a BIG-IP cloud that supports L2-L3 isolation, IP address overlap, and routing isolation. A tenant network can only have one isolation boundary (route domain) per device.
  • Tenant Network Association – A permission given to a tenant to place services on a network in the BIG-IP cloud. A tenant can only be associated with one network in a particular cloud.

To take advantage of multi-tenancy, you'll need to understand service isolation and the data exposed by the system. iWorkflow isolates an L4-L7 service as follows.

  • iWorkflow uses, or creates if necessary, an auth-partition for the tenant on the BIG-IP that has been selected for the service placement. The partition name is taken from the tenant name, as shown in the example below. The partition name is a property of the tenant and is the same across all BIG-IPs on which the tenant may place services.

  • iWorkflow uses, or creates if necessary, a BIG-IP route-domain for the tenant network on the BIG-IP that has been selected for the service placement. The route-domain is assigned automatically by iWorkflow and is a property of the network. On a particular BIG-IP this route-domain is configured as the default-route-domain for the tenant partition.

You can create a new tenant network and partition on a BIG-IP as follows.

  1. At the top of the screen, click Clouds and Services and then, on the Tenant Networks header, click the + icon.
  2. The panel expands to display property fields for the new tenant network.
  3. In the Network Name field, type a tenant/partition name. This will be the tenant partition on the BIG-IP.
  4. From the Available Clouds list, select the cloud associated with the resources that you are going to provide to this tenant.
  5. From the Tenant list, select the tenant to associate with this network.
  6. Optionally, add the Network Address Block, entered as Self IP/Mask and Gateway. This is only a scoping validation for the tenant's subnets: it ensures that all subnets fall within the CIDR range.

Note: To enable L2-L3 tenant network isolation, you must provide unique VLANs for each tenant. For example, in this scenario both the Red and Blue tenants have the same Network Address Block, Default Gateway, and Self IPs; only the VLANs are unique. iWorkflow will enable VLAN tagging, so you will need to create a trunk port group in the vSwitch to allow the BIG-IP to tag the traffic. We tag at the BIG-IP because, as far as I recall, a BIG-IP route domain requires tagged VLANs.
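The isolation model above (a partition named after the tenant, a route domain per tenant network set as that partition's default, unique VLANs so that Red and Blue can reuse the same address block) and the address-block scoping from step 6 can be expressed as a small planner. The code below is an added example of my own, not iWorkflow or F5 code: it takes the tenant networks you would enter in the GUI, rejects the combinations the text says are not allowed (spaces in a tenant name, a gateway off the self IP subnet, a subnet outside the address block, a reused VLAN tag, a second network for the same tenant in one cloud), and emits the objects you would then expect to see on the BIG-IP, with self IPs in BIG-IP's address%route-domain notation. The object names and the sequential route-domain numbering from 1 are assumptions; iWorkflow assigns these itself.

```python
# Added example, not iWorkflow or F5 code: a model of the per-tenant isolation
# described above. Object names and sequential route-domain IDs are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress


class IsolationError(ValueError):
    """Raised when a tenant network would break the per-tenant isolation."""


@dataclass
class TenantNetwork:
    tenant: str                  # tenant name, reused as the BIG-IP partition name
    vlan_tag: int                # 802.1Q tag; must be unique per tenant on a shared BIG-IP
    self_ip: str                 # "address/prefix", e.g. "10.1.1.10/24"
    gateway: str                 # default gateway; must sit on the self IP's subnet
    address_block: Optional[str] = None  # optional CIDR that only scopes the subnet


def validate_tenant_name(name: str) -> str:
    """Partition names come from tenant names, which may not contain spaces."""
    if not name or any(ch.isspace() for ch in name):
        raise IsolationError(f"tenant name {name!r} must be non-empty and contain no spaces")
    return name


def validate_addresses(net: TenantNetwork) -> ipaddress.IPv4Interface:
    """Scoping validation from step 6: the gateway must be on the self IP's subnet
    and, when an address block is given, the subnet must lie inside that block."""
    self_if = ipaddress.ip_interface(net.self_ip)
    gateway = ipaddress.ip_address(net.gateway)
    if gateway not in self_if.network:
        raise IsolationError(f"{net.tenant}: gateway {gateway} is not on {self_if.network}")
    if net.address_block is not None:
        block = ipaddress.ip_network(net.address_block, strict=True)
        if not self_if.network.subnet_of(block):
            raise IsolationError(
                f"{net.tenant}: subnet {self_if.network} is outside address block {block}")
    return self_if


def plan_bigip_device(networks: List[TenantNetwork]) -> Dict[str, dict]:
    """Objects expected on one multi-tenant BIG-IP in one BIG-IP cloud: a partition
    and default route domain per tenant, a VLAN per tenant network, and the self IP
    in address%route-domain notation. Overlapping IP space between tenants is fine;
    a reused VLAN tag or a second network for the same tenant is rejected."""
    plan: Dict[str, dict] = {}
    vlan_owner: Dict[int, str] = {}
    next_rd = 1  # route domain 0 is the BIG-IP default; tenants get their own (assumed sequential)
    for net in networks:
        validate_tenant_name(net.tenant)
        self_if = validate_addresses(net)
        if net.tenant in plan:
            raise IsolationError(f"{net.tenant}: a tenant may have only one network per cloud")
        if net.vlan_tag in vlan_owner:
            raise IsolationError(
                f"{net.tenant}: VLAN {net.vlan_tag} is already used by {vlan_owner[net.vlan_tag]}; "
                "L2-L3 isolation needs a unique VLAN per tenant")
        vlan_owner[net.vlan_tag] = net.tenant
        rd_id, next_rd = next_rd, next_rd + 1
        vlan_name = f"/{net.tenant}/{net.tenant}-vlan"  # assumed naming convention
        plan[net.tenant] = {
            "partition": net.tenant,
            "vlan": {"name": vlan_name, "tag": net.vlan_tag},
            "route_domain": {"id": rd_id, "vlans": [vlan_name]},
            "default_route_domain": rd_id,  # set on the tenant partition
            "self_ip": f"{self_if.ip}%{rd_id}/{self_if.network.prefixlen}",
            "gateway": f"{net.gateway}%{rd_id}",
        }
    return plan


# Constructed sample matching the note above: Red and Blue share the same
# address block, self IP and gateway and are separated only by VLAN tag.
RED = TenantNetwork("Red", 101, "10.1.1.10/24", "10.1.1.1", "10.1.1.0/24")
BLUE = TenantNetwork("Blue", 102, "10.1.1.10/24", "10.1.1.1", "10.1.1.0/24")

if __name__ == "__main__":
    for tenant, objects in plan_bigip_device([RED, BLUE]).items():
        print(tenant, objects)
```

Running the sample prints Red with self IP 10.1.1.10%1/24 and Blue with 10.1.1.10%2/24: identical addresses, distinct route domains. The self IP, VLAN and route-domain entries in the plan are exactly the three things the validation steps below check on the BIG-IP after provisioning.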

Click the Provision tab to provision the new tenant network on the BIG-IP.

Validate the red tenant self IP address configuration on the BIG-IP.

Validate the red tenant VLAN configuration on the BIG-IP.

Validate the red tenant route-domain configuration on the BIG-IP.

Validate the tenant network configuration on iWorkflow after it is provisioned, using the BIG-IP Connectivity menu.