Now that the App Services iApp template is installed, we can deploy a new Layer 4 to 7 Service. We will start with Creating a Basic HTTP Service, demonstrate Modifying/Mutate the service by changing the node state, and finally Delete the whole service. Once we’ve demonstrated with these tasks, we’ll introduce more complex deployments options with iRules, Custom Profiles, Certificates, and an ASM Policy.
Note
This lab work will be performed from
Lab 2.3 - Create iApp Deployments using the REST API
folder in the
Postman Collection
Perform the following steps to complete this task:
Send the Step 1: Get Deployed iApp Services
request to view current iApp deployments on the BIG-IP device:
Review the JSON Response Body. The BIG-IP device does not have
any iApp deployments. As a result the items
array is empty ([]
):
Perform the following steps to complete this task:
Click Step 2: Deploy Service - HTTP
. Review the Request JSON
Body. The JSON body of the POST contains the input for the iApp
template to execute the deployment of the service.
Click the Send button to Create a Basic HTTP Service:
In this task, we will deploy our first service. Review the Response JSON Body to verify if the Service has been deployed.
Note
We’ve just progressed into a Declarative instantiation, by defining the end state and relying on the iApp templates to handle the order of operations and configuration of specific objects. By doing this, we have drastically reduced the amount of Domain Specific Knowledge required to interact with the device. In the next module, we will combine this concept with Abstraction to further simplify the interface the service consumer has to interact with.
Now that the service has been deployed, let’s review the BIG-IP configuration.
You can validate by sending the Step 1: Get Deployed iApp Services
request again. Alternatively, you can login to BIG-IP A GUI to observe the service
deployment via TMUI:
REST: Send Step 1: Get Deployed iApp Services
request:
TMUI GUI:
From the TMUI GUI, examine the Virtual Server that was created from this deployment by clicking
. The configuration is simple, but it does contain the key components for an HTTP service (Listener, HTTP Profile, Monitor, Pool, and Pool Members):The service is available and active, you can connect to the Virtual Server
using Chrome web browser at http://10.1.20.121
and examine its responses:
Note
The colors of the text, images, and borders may vary depending on the back-end server selected during the load balancing process.
In this task, we will modify the existing service. We will disable all pool members and bring the service down.
Perform the following steps to complete this task:
Click on Step 3: Modify Service - HTTP
. Review the Request URL and
JSON Body. Notice that we specified the Resource URL for our
deployment. Modifying or Redeploying a service is handled by sending
only the updated JSON to the specific Resource (our service) using a
PUT
request method. We set the state of the pool members to disabled
which forces the service to go offline.
Click the Send button to Modify the previously deployed Basic HTTP Service:
In the BIG-IP GUI click http://10.1.20.121
because all the Members in the Pool have been disabled:
The lifecycle of a service also includes the service removal. We will now delete an existing service.
Perform the following steps to complete this task:
Send the Step 4: Delete Service - HTTP
request to
Delete the previously deployed Basic HTTP Service:
Similar to modification process, the deletion of a service is performed on
the Resource URL. When we created the service, we defined a Declarative
state to the iApp template which subsequently created the configuration and
all of its associated objects. With a DELETE
request, BIG-IP will process
the removal of all objects linked to the ASO in a recursive manner. This is
crucial to Application Lifecycle Management as it provides a mechanism to
make sure all parts of the service are removed successfully.
Note
There is no JSON body to a DELETE
call, as the HTTP Method
is defining the action.
Now that the service has been deleted, let’s review the BIG-IP configuration.
You can review via REST by sending the Step 1: Get Deployed iApp Services
request again, or you can login to the BIG-IP A GUI to observe the service
deployment via TMUI:
REST: Send Step 1: Get Deployed iApp Services
request:
TMUI GUI:
Perform the following steps to complete this task:
Send the Step 5: Deploy Service - HTTP w/ iRule and
Custom Profiles
request to deploy an HTTP Service with Custom Profiles
and an iRule:
The App Services iApp can Create or Reference various objects. In this deployment we perform two actions:
Create custom profiles on the BIG-IP device with various options specified. These profiles do not exist on the BIG-IP but are created dynamically during the deployment.
Create an iRule on the BIG-IP device by using a URL Reference. The App Services iApp downloads the iRule resource from the URL and then creates a new iRule object on the system. The iRule object is then automatically linked to the Virtual Server
Warning
When using URL references, it is important to properly secure the repository which hosts the resource(s). The example in this lab uses a publicly readable repository, however, most environments should use a private repository with appropriate access control.
Review the Request JSON Body to see how the desired outcomes above were declared:
Custom Profiles:
URL Referenced iRule:
iRule linked to Virtual Server: (
)Open Chrome and connect to the Virtual Server at http://10.1.20.121
. The
iRule that was attached to the service contains an HTTP_RESPOND
event,
which responds with a simple Maintenance Page.
Perform the following steps to complete this task:
Send the Step 6: Deploy Service - HTTPS
request to deploy
an HTTPS Service using URL Resources for the SSL/TLS Key, Certificate and
Certificate Bundle.
iApps are a Declarative interface, allowing us to modify deployment without the need to delete it (this also means we can re-name objects if we needed too). For this service we will:
Use the same custom profiles
Remove the iRule
Change the Listener port to 443
(HTTPS)
Use URL Resources to obtain the SSL/TLS Key, Certificate and Certificate Bundle
Warning
When using URL references, it is important to properly secure the repository which hosts the resource(s). The example in this lab uses a publicly readable repository. However, most environments should use a private repository with appropriate access control.
Create and apply a Client SSL Profile
Review the Request JSON Body to see how the desired outcomes above were declared:
Review the configured Virtual Servers in the TMUI GUI. The App Services iApp
created a new Virtual Server to redirect TCP/80
traffic to TCP/443
and reconfigured the Virtual Server to listen on TCP/443
The configuration of the Virtual Server now uses an SSL Client profile containing our imported SSL Resources. The deployment is now providing SSL Offload for the backend compute nodes.
Open Chrome and access the service with http://10.1.20.121
. It should
redirect you to https://10.1.20.121
.
Note
We are using self signed certificates in the lab so an SSL warning will be shown.
Important
RFC2616 (HTTP/1.1) allows for a TCP session to stay open. Had we not included “noserver Cache-Control no-cache Connection Close” in the iRule the following would have happened:
When you would have refreshed the page, the maintenance page would still appear because of two reasons:
As a result, because Chrome has not closed the actual TCP connection, BIG-IP still processes traffic with the configuration that was present when the connection was originally created. That stale connection was still using the version of the configuration with the iRule attached to the Virtual Service resulting in the maintenance page being shown.
Another advantage of Service Deployment using iApp Templates is that they can deploy advanced Layer 4-7 services from various F5 modules. In this task we will deploy a service that includes a Web Application Firewall policy with the base HTTPS offload and load balancing features.
Perform the following steps to complete this task:
Send the Step 7: Deploy Service - HTTPS w/ WAF Policy
request
to deploy an HTTPS Service using URL Resources for a Web Application
Firewall policy that will be used with the Application Security Manager
(ASM) module.
This final iApp deployment will build upon our service by having the iApp load a WAF policy Resource from our repository. The App Services iApp will then create a Layer 7 Traffic Policy and apply it to the Virtual Server.
This deployment recognizes the need for Security from the beginning of the application lifecycle. It lays the groundwork for Continuous Improvement by having the policy reside in a repository. It allows us to treat resources as code leading to an Infrastructure as Code (IaC) methodology. As the policy is updated in the repository, additional automation and orchestration can be enabled to deploy the policy into the environment. The result is an ability to rapidly build, test and iterate Layer 7 security policies and guarantee deployment into the environment.
Review the Request JSON Body to see how the desired outcomes above were declared:
Layer 7 Policy Rules:
Layer 7 Policy Actions:
ASM Policy URL:
In the TMUI GUI, you will notice a Layer 7 policy has been applied to the Virtual Server. In Application Security, we will be able to observe that the policy is being dynamically fetched, applied, and set to Blocking mode.
Layer 7 Policy:
Layer 7 Policy attached to Virtual Server:
ASM WAF Policy: