CIS and ScaleN (N+1) - w/ Auto Config-Sync

Description: The ScaleN architecture allows you to create a redundant system configuration for multiple BIG-IP devices on a network. This guide focuses on tips and best practices for building such a configuration in a lab for testing. For a full installation guide, refer to the official documentation on AskF5 or F5 Cloud Docs.

Prerequisites:

  • BIG-IP licenses and basic understanding of the BIG-IP system.
  • Existing Kubernetes cluster and basic understanding of the Kubernetes platform.

Sample Diagram:


Configuration tips and caveats

  • Ensure proper disaggregation in front of BIG-IP
  • Ensure that AS3 Tenant/Partition names do not overlap between CIS instances
  • Ensure that the AS3 declaration specifies the following:
    • trafficGroup property
      • traffic-group number assignment by environment, for example TG1=prod, TG2=staging
      • details below
    • shareNodes property
      • allows NodePort IPs to be configured in /Common so that other partitions can use them
      • details below
  • Only NodePort, or potentially Calico BGP, can work
    • auto-sync and Flannel cannot be configured together
  • Multiple K8s clusters with one CIS deployment per cluster
  • BIG-IP in ScaleN A/A/S with auto config-sync (optional)
  • Ensure that no more than 3 CIS instances point to a single VE (maximum tested)
  • Configure the HA order to favor a standby before converging TGs on a single VE
  • Consider multiple regions of clusters and use GSLB (DNS) to load balance between regions
  • For IPv6 addresses, use hostAliases, as CIS currently cannot connect to an IPv6 address (known issue)

trafficGroup property: You can specify the traffic group associated with any virtual address so that all associated objects float with that traffic group in a ScaleN (N+1) configuration. See F5 Cloud Docs for more details.

You can then reference the Service_Address name for the virtualAddresses property for your virtual server.

shareNodes property: You can configure shareNodes so that multiple tenants can use the same node IP, which is created in the /Common partition. See F5 Cloud Docs for more details.

serviceMain: If you use a template with a value of http, https, tcp, udp, or l4, you MUST specify an object with the matching Service class (Service_HTTP, Service_HTTPS, Service_TCP, Service_UDP, or Service_L4) and name it serviceMain, as described in the Service Class section of the AS3 documentation. See F5 Cloud Docs for more details.

Sample Configuration:

 kind: ConfigMap
 apiVersion: v1
 metadata:
   name: stg-as3-declaration-demo
   namespace: kube-system
   labels:
     # CIS watches ConfigMaps carrying these two labels
     f5type: virtual-server
     as3: "true"
 data:
   # The template is the AS3 declaration that CIS posts to the BIG-IP.
   # stg_svc_addr pins the virtual address to traffic-group-2 (staging),
   # and shareNodes places the pool member node IPs in /Common.
   template: |
     {
       "class": "AS3",
       "action": "deploy",
       "persist": true,
       "declaration": {
         "class": "ADC",
         "schemaVersion": "3.18.0",
         "id": "demoapp",
         "label": "f5-istio",
         "remark": "An HTTP application",
         "stg_tenant": {
           "class": "Tenant",
           "stg_app": {
             "class": "Application",
             "template": "http",
             "stg_svc_addr": {
               "class": "Service_Address",
               "virtualAddress": "240b:ab11:cd22:a101::10",
               "arpEnabled": false,
               "icmpEcho": "disable",
               "routeAdvertisement": "any",
               "trafficGroup": "/Common/traffic-group-2"
             },
             "serviceMain": {
               "class": "Service_HTTP",
               "virtualAddresses": [{"use": "stg_svc_addr"}],
               "pool": "stg_nginx_pool"
             },
             "stg_nginx_pool": {
               "class": "Pool",
               "monitors": ["tcp"],
               "members": [{
                 "servicePort": 80,
                 "serverAddresses": [],
                 "shareNodes": true
               }]
             }
           }
         }
       }
     }
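As an added example (not part of this guide or of CIS itself), a small Python linter that checks a set of AS3 declarations, one per CIS instance pointing at the same VE, against the caveats above: no tenant name reused between CIS instances, a trafficGroup matching the environment, shareNodes on every pool member, and a serviceMain class matching the application template. The TG1=prod/TG2=staging mapping, the sample tenants and the addresses are constructed assumptions.

```python
# serviceMain class required for each AS3 template (from the page); the traffic-group map is
# an assumption following the TG1=prod, TG2=staging tip above.
SERVICE_CLASS_FOR_TEMPLATE = {"http": "Service_HTTP", "https": "Service_HTTPS",
                              "tcp": "Service_TCP", "udp": "Service_UDP", "l4": "Service_L4"}
TRAFFIC_GROUP_FOR_ENV = {"prod": "/Common/traffic-group-1", "staging": "/Common/traffic-group-2"}

def of_class(container, cls):
    """Child objects of an AS3 container whose "class" is cls (AS3 mixes properties and children)."""
    return {k: v for k, v in container.items() if isinstance(v, dict) and v.get("class") == cls}

def lint_declarations(decls):
    """decls: list of (env, AS3 declaration dict), one per CIS instance pointing at the same VE.
    Returns findings for tenant reuse, wrong trafficGroup, missing shareNodes, wrong serviceMain."""
    findings, owner = [], {}  # owner: tenant name -> index of the CIS that declared it first
    for idx, (env, decl) in enumerate(decls):
        for tname, tenant in of_class(decl["declaration"], "Tenant").items():
            if owner.setdefault(tname, idx) != idx:  # two CIS would fight over one partition
                findings.append(f"tenant {tname} declared by CIS #{owner[tname]} and #{idx}")
            for aname, app in of_class(tenant, "Application").items():
                want = SERVICE_CLASS_FOR_TEMPLATE.get(app.get("template"))
                if want and app.get("serviceMain", {}).get("class") != want:
                    findings.append(f"{tname}/{aname}: template {app['template']} needs serviceMain of class {want}")
                for oname, addr in of_class(app, "Service_Address").items():
                    if addr.get("trafficGroup") != TRAFFIC_GROUP_FOR_ENV[env]:
                        findings.append(f"{tname}/{aname}/{oname}: trafficGroup {addr.get('trafficGroup')!r}, "
                                        f"expected {TRAFFIC_GROUP_FOR_ENV[env]} for {env}")
                for oname, pool in of_class(app, "Pool").items():
                    for i, member in enumerate(pool.get("members", [])):
                        if not member.get("shareNodes"):  # node IP would not be created in /Common
                            findings.append(f"{tname}/{aname}/{oname}: member {i} lacks shareNodes")
    return findings

def sample_declaration(tenant, app, vip, traffic_group, share_nodes):
    """Constructed AS3 declaration shaped like the ConfigMap template above (not the page's own)."""
    return {"class": "AS3", "declaration": {"class": "ADC", "schemaVersion": "3.18.0", "id": app,
        tenant: {"class": "Tenant", app: {"class": "Application", "template": "http",
            "svc_addr": {"class": "Service_Address", "virtualAddress": vip, "trafficGroup": traffic_group},
            "serviceMain": {"class": "Service_HTTP", "virtualAddresses": [{"use": "svc_addr"}], "pool": "web_pool"},
            "web_pool": {"class": "Pool", "members": [{"servicePort": 80, "serverAddresses": [],
                                                      "shareNodes": share_nodes}]}}}}}

# Constructed input: correct staging CIS, prod CIS with two mistakes, second staging CIS reusing a tenant.
SAMPLE = [
    ("staging", sample_declaration("stg_tenant", "stg_app", "10.1.2.10", "/Common/traffic-group-2", True)),
    ("prod", sample_declaration("prod_tenant", "prod_app", "10.1.1.10", "/Common/traffic-group-2", False)),
    ("staging", sample_declaration("stg_tenant", "stg_app2", "10.1.2.11", "/Common/traffic-group-2", True)),
]

if __name__ == "__main__":
    print("\n".join(lint_declarations(SAMPLE)))
```

Running the block prints the three findings for the constructed input; an empty result means the declarations satisfy all four checks.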