F5Networks / f5-aws-cloudformation-v2

AWS Cloudformation Templates for quickly deploying BIG-IP services in AWS

The problem is that the CFT v2 code is missing the step config Device Group #52

Closed anhlegithub closed 1 month ago

anhlegithub commented 2 months ago

The problem is that the v2 code is missing the step that configures the Device Group and joins new instances to the common device group for the purpose of synchronizing the WAF policy. Please help me with advice:

  1. Recommend another option to synchronize WAF when the new autoscale code no longer has this step.
  2. In case you still join the device group to sync WAF, please provide alternative repo code or instructions to customize F5's repo code.

mikeshimkus commented 2 months ago

Hi @anhlegithub, the v2 templates use immutable instance configuration. This allows the autoscale group to scale up to the maximum number of instances allowed by EC2, while using device groups only allows a maximum of four instances. This also means that to update the config, you need to redeploy the solution, which recreates all the instances with the new configuration.

The WAF policy is configured identically on each instance using the runtime init config: https://github.com/F5Networks/f5-aws-cloudformation-v2/blob/f5de1c5849604cd8a183eb9960283f2782e8084e/examples/autoscale/bigip-configurations/runtime-init-conf-payg-with-app.yaml#L164

In order to update the WAF policy, you'll need to change the policy referenced in the runtime init config and then update the solution: https://github.com/F5Networks/f5-aws-cloudformation-v2/tree/main/examples/autoscale/payg#updating-this-solution

You will also need to customize the deployment by adding the ASM cookie protection string. That's documented under Example Customization 1 here: https://github.com/F5Networks/f5-aws-cloudformation-v2/tree/main/examples/autoscale/payg#changing-the-big-ip-deployment

Hope this helps.

anhlegithub commented 1 month ago

Thanks for your answer, I have a new question about it. If I am using two BIG-IPs with the new configuration and a 3rd BIG-IP scales out in the ASG with the Runtime Init config, how can the 3rd BIG-IP load the new configuration? Do we still get a backup config in the S3 bucket, the same as in the v1 code, or do we have another solution?

mikeshimkus commented 1 month ago

The new BIG-IP will automatically use the new configuration. The v2 templates do not use backups to restore the configuration; they use whatever was most recently provided for the runtime init configuration.

anhlegithub commented 1 month ago

I saw that in the user data when the BIG-IP scales out, but I don't see the configuration that keeps the runtime init configuration up to date. Could you show me this config, or how to set up the runtime init config so that it stays up to date?

mikeshimkus commented 1 month ago

Did you follow the steps here: https://github.com/F5Networks/f5-aws-cloudformation-v2/tree/main/examples/autoscale/payg#updating-this-solution

You need to update the bigIpRuntimeInit config parameter value with the new configuration and then redeploy the CFT. Have you done that?

anhlegithub commented 1 month ago

Yep, I understand your idea. But with this solution, we need to manually update the bigIpRuntimeInit config file with the new configuration and redeploy the CFT. We need this step to automatically get a backup config, such as a UCS file, and import it automatically when the new BIG-IP scales out. Do you understand my idea, and can you help me?

mikeshimkus commented 1 month ago

Restoring UCS is not supported by this solution. Can you share what you need from the UCS file that can't be obtained using Runtime Init?

anhlegithub commented 1 month ago

I need all configs on the currently running BIG-IP, such as certificates, certificate profiles, network settings, WAF profile, VIPs, iRules, pools, nodes, ... Please suggest and guide me. Thanks.

mikeshimkus commented 1 month ago

You should be able to include all of those resources in the Runtime Init configuration file. We have detailed usage and examples here: https://github.com/F5Networks/f5-bigip-runtime-init

This can be used to extend the default config file here: https://github.com/F5Networks/f5-aws-cloudformation-v2/blob/main/examples/autoscale/bigip-configurations/runtime-init-conf-payg-with-app.yaml

@pgouband

pgouband commented 1 month ago

Hi @anhlegithub,

Regarding your request, you should contact your F5 account team so they can work with you and check with our Professional Services organisation if they can help you.

anhlegithub commented 1 month ago

Before contacting my Professional Services organization, I need to confirm some info:

  1. The BIG-IP CFT v2 solution does not include the UCS file for importing config when autoscaling, as CFT v1 did.
  2. We cannot run the device's current configuration on the newly scaled device with this solution. If we have a daily operations team and daily configuration changes, then scaling with that running config is not feasible with this solution. Is my understanding right?
  3. If we want to combine CFT v2 and CFT v1, is it possible to solve this problem? Or does the CFT v1 solution still support current versions of BIG-IP?

pgouband commented 1 month ago

Hi @anhlegithub,

Here our answers:

  1. Yes.
  2. Yes. In CFT autoscale v2, the Runtime Init config file is the source of truth. Configuration should not be managed from the BIG-IP devices themselves.
  3. No. You cannot combine v1 and v2 CFTs as they use different models for updating configuration. Also, the v1 templates are deprecated and read-only (they will not be updated for or tested with newer versions of BIG-IP).
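As an added example (not code from the F5 repo or from anyone in this thread), the workflow mikeshimkus and pgouband describe, applied to a constructed Runtime Init config: the WAF policy URL is changed in the config (which then gets redeployed), and a BIG-IP's running AS3 declaration is diffed against that config to catch edits made on the device. The config layout and AS3 class names follow the Runtime Init and AS3 documentation; the tenant names, addresses and policy URL are placeholders.

```python
# Added example, not code from the F5 repo or this thread: the Runtime Init config is the
# source of truth; new WAF policies go into it (then redeploy), and drift is diffed against it.
import copy

# Constructed config in the Runtime Init / AS3 layout; addresses and URL are placeholders.
SOURCE_OF_TRUTH = {"extension_services": {"service_operations": [{
    "extensionType": "as3", "type": "inline",
    "value": {"class": "AS3", "action": "deploy", "declaration": {
        "class": "ADC", "schemaVersion": "3.0.0",
        "Tenant_1": {"class": "Tenant", "App_1": {
            "class": "Application",
            "serviceMain": {"class": "Service_HTTP", "virtualAddresses": ["10.0.1.10"],
                            "pool": "web_pool", "policyWAF": {"use": "waf_policy"}},
            "web_pool": {"class": "Pool", "members": [{"servicePort": 80, "serverAddresses": ["10.0.2.20"]}]},
            "waf_policy": {"class": "WAF_Policy", "ignoreChanges": True,
                           "url": "https://example.invalid/waf-v1.xml"}}}}}}]}}

def as3_declaration(cfg):
    """Return the inline AS3 'declaration' object from a Runtime Init config."""
    for op in cfg["extension_services"]["service_operations"]:
        if op.get("extensionType") == "as3" and op.get("type") == "inline":
            return op["value"]["declaration"]
    raise ValueError("no inline AS3 service operation in config")

def _dicts(obj):
    """Yield every dict nested inside obj, depth-first."""
    if isinstance(obj, dict):
        yield obj
        obj = list(obj.values())
    if isinstance(obj, list):
        for v in obj:
            yield from _dicts(v)

def with_waf_policy(cfg, new_url):
    """Copy of cfg with every WAF_Policy url set to new_url (the device itself is never edited)."""
    new_cfg = copy.deepcopy(cfg)
    for d in _dicts(as3_declaration(new_cfg)):
        if d.get("class") == "WAF_Policy":
            d["url"] = new_url
    return new_cfg

def flatten(obj, prefix=""):
    """Flatten nested dicts/lists into {'/Tenant_1/App_1/...': leaf} for comparison."""
    if not isinstance(obj, (dict, list)):
        return {prefix or "/": obj}
    items = obj.items() if isinstance(obj, dict) else enumerate(obj)
    return {k: v for i, sub in items for k, v in flatten(sub, f"{prefix}/{i}").items()}

def drift(source_decl, running_decl):
    """Sorted (path, expected, actual) tuples where the running declaration differs."""
    want, have = flatten(source_decl), flatten(running_decl)
    return sorted((p, want.get(p), have.get(p))
                  for p in set(want) | set(have) if want.get(p) != have.get(p))
```

In practice `running_decl` would be the declaration fetched from the device's AS3 endpoint; any non-empty `drift()` result means someone changed the device instead of the config, which the redeploy will overwrite.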

anhlegithub commented 1 month ago

@pgouband @mikeshimkus Thanks for your support. I will update my team and contact Professional Services support to confirm via email.