Forum Discussion

Marco_Bayarena_
Sep 11, 2015

APMs in multiple datacenters

Has anyone configured an APM in one datacenter to sync to another APM in a DR datacenter?

 

We have three APMs whose main purpose is VPN. My original thought was to have an HA pair (sync-failover group) in our main datacenter and have one of them sync (sync-only group) to another at our DR datacenter. The DR datacenter contains different IP subnets not local to the main datacenter; however, it is routable between the two.

 

APM1 --sync-failover-group--> APM2
APM1 --sync-only-group--> APM3 (DR)

 

On the main DC APM, I have two VIPs created - one on a local subnet and the other local only at the DR DC. The firewall at main DC NATs out the local VIP. When the sync-only occurs to the DR DC APM, the VIP local to DR will be NATed.

 

After configsync occurs the only thing left would be to change the assigned IP Pool for connecting clients at DR. We have GTMs that would determine which APM (Main or DR) users go to.

 

As it turns out, this doesn't seem to be a supported method. Support says configsyncs should occur between local systems.

 

Our APM has a large amount of configuration that I would hate to have to manually copy to DR (via SCF). This would be prone to errors and out-of-sync issues.

 

I am hoping someone else has VPN requirements at a DR site that need the same policies synchronized with their main site.

 

Any suggestions?

 

10 Replies

  • how does support define "local systems"? Interesting scenario
  • Do you still have a support case open with F5? Could you fetch the RFE ID (I bet something already exists) to implement that? I would be happy to open multiple cases on behalf of my customers to be linked to that ID. APM is a massive limitation to all the nice deployments marketed by F5 nowadays (automation, global deployments around the globe, etc.).
  • I do have a support case open (C1881563). They are trying to find a solution to my problem. They first recommended manually configuring the DR APM. I told them that is not practical: prone to errors, out of sync. They next said I can try to use SCF to import into the DR APM. Trying that now, but it's not very easy. Certain things need to be imported before other things.
  • I'm interested in this functionality also. I was looking at the APM-specific policy sync feature in the guide and the ability to select static resources that do not sync because of localised configuration; did this not help in your case?

     

    "Configuring static resources with access policy sync. A BIG-IP® Access Policy Manager® might exist in a different physical location from another BIG-IP in the same device group, and might use different resources that are specific to that location or local network. For example, different authentication servers might exist in each location. Configure static resources to set these static resources for devices in different locations.

     

    Click the Advanced Settings button, then click Static Resources. The list displays a name, type, and Location Specific check box for each resource. You might need to configure a location-specific resource differently on a remote system. With the Location Specific check box selected, the first time a resource is synced as part of a policy, you must resolve its configuration on the remote system. Subsequent access policy sync operations do not modify a previously synced location-specific resource."

     

    https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-implementations-11-6-0/4.html?sr=48273023

     

  • I worked with an ENE and we were not able to configure the APMs for this scenario. We were able to get a sync-only group to sync the configuration at least. However, we couldn't get a sync-failover (between two local APMs) and sync-only (on two different networks) to work together. There were a few bugs and some design issues that prevent this from working. Having most of the configuration in a different user partition instead of /Common didn't help matters. We did try creating other partitions to separate what to sync/not sync. It became really complex at that point.
  • Can't believe this isn't something that is built in. I've been trying to get this going as well, and it isn't working for me either.

     

  • Agreed. I have to manually export the local user database as well as the policy and import it to our DR instance.

     

  • Have you double-checked with support about this? We are about a year and a half further along now. Please check for any RFEs and, if they exist, report them back so others can join the request.

     

    kunjan

    LocalDB sync for Sync-only APMs still not implemented - RFE 508289
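Two of the manual-SCF pain points raised above are mechanical: the DR unit needs referenced objects (pool, access profile, lease pool) loaded before the objects that reference them, and the handful of location-specific values (the DR VIP address, the client IP lease range) have to be swapped before the load. The script below is an added example for this thread, not F5 code and not the original poster's procedure. It assumes tmsh-style SCF stanzas that start at column 0 as `<module> <type> /<partition>/<name> {` and that references to other objects appear as `/<partition>/<name>` tokens inside the braces; the sample config and the 10.1.x/10.2.x addresses are constructed for illustration. It does not touch the local user database, which the thread notes still needs separate export/import (RFE 508289).

```python
"""Order BIG-IP SCF stanzas by dependency and rewrite site-specific values
before loading the result on a DR unit.

Added example, not F5 code. Assumes tmsh-style stanzas at column 0 and
object references as /<partition>/<name> tokens. Sample config is constructed.
"""
import re

STANZA_RE = re.compile(r"^([\w-]+(?: [\w-]+)*) (/[\w.-]+/[\w.:-]+) \{$")
REF_RE = re.compile(r"/[\w.-]+/[\w.:-]+")

# Constructed sample, deliberately ordered so a naive top-to-bottom load
# would reference vpn_pool / vpn_access / vpn_leasepool before they exist.
SAMPLE_SCF = """\
ltm virtual /Common/vpn_vs {
    destination /Common/10.1.1.10:443
    pool /Common/vpn_pool
    profiles { /Common/vpn_access { } }
}
apm resource network-access /Common/vpn_na {
    leasepool-name /Common/vpn_leasepool
}
ltm pool /Common/vpn_pool {
    members { /Common/10.1.1.50:443 { address 10.1.1.50 } }
}
apm resource leasepool /Common/vpn_leasepool {
    members { 10.1.100.1-10.1.100.254 { } }
}
apm profile access /Common/vpn_access {
    accept-languages { en }
}
"""

# Hypothetical DR values: the VIP on the DR subnet and the client lease range,
# keyed by the object that carries each value.
DR_OVERRIDES = {
    "/Common/vpn_vs": {"10.1.1.10:443": "10.2.1.10:443"},
    "/Common/vpn_leasepool": {"10.1.100.1-10.1.100.254": "10.2.100.1-10.2.100.254"},
}


def parse_stanzas(text):
    """Split SCF text into {object_name: (object_type, [lines])} in file order."""
    stanzas, current, depth = {}, None, 0
    for line in text.splitlines():
        if depth == 0:
            m = STANZA_RE.match(line)
            if not m:
                continue  # blank lines or comments between stanzas
            current = m.group(2)
            stanzas[current] = (m.group(1), [])
        stanzas[current][1].append(line)
        depth += line.count("{") - line.count("}")
    if depth != 0:
        raise ValueError("unbalanced braces: truncated SCF?")
    return stanzas


def dependencies(stanzas):
    """Objects defined in this SCF that each object references.
    References to things not in the file (nodes, existing profiles) are ignored."""
    deps = {}
    for name, (_, lines) in stanzas.items():
        refs = set(REF_RE.findall("\n".join(lines[1:])))  # skip own header line
        deps[name] = {r for r in refs if r in stanzas and r != name}
    return deps


def load_order(stanzas):
    """Depth-first topological sort: referenced objects precede their referrers.
    Raises ValueError on a reference cycle instead of emitting a bad load order."""
    deps, order, state = dependencies(stanzas), [], {}

    def visit(name, chain):
        if state.get(name) == "done":
            return
        if state.get(name) == "visiting":
            raise ValueError("reference cycle: " + " -> ".join(chain + [name]))
        state[name] = "visiting"
        for dep in sorted(deps[name]):
            visit(dep, chain + [name])
        state[name] = "done"
        order.append(name)

    for name in stanzas:
        visit(name, [])
    return order


def render_for_site(text, overrides):
    """Re-emit the SCF in load order with per-object substitutions applied.
    An override whose old value is missing is an error: the primary config has
    drifted and the DR copy would otherwise silently keep the wrong address."""
    stanzas, chunks = parse_stanzas(text), []
    for name in load_order(stanzas):
        body = "\n".join(stanzas[name][1])
        for old, new in overrides.get(name, {}).items():
            if old not in body:
                raise ValueError(f"{name}: expected {old!r} not found; config drifted?")
            body = body.replace(old, new)
        chunks.append(body)
    return "\n".join(chunks) + "\n"


if __name__ == "__main__":
    print(render_for_site(SAMPLE_SCF, DR_OVERRIDES))
```

Run it against an SCF saved from the primary unit and feed the output to a merge load on the DR unit; the drift check is the part worth keeping, since a VIP or lease range changed at the main site without updating the override table is exactly the "out of sync" failure the poster is worried about.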