Closed anhlegithub closed 1 month ago
Hi @anhlegithub, the v2 templates use immutable instance configuration. This allows the autoscale group to scale up to the maximum number of instances allowed by EC2, whereas using device groups only allows a maximum of four instances. This also means that to update the config, you need to redeploy the solution, which recreates all the instances with the new configuration.
The WAF policy is configured identically on each instance using the runtime init config: https://github.com/F5Networks/f5-aws-cloudformation-v2/blob/f5de1c5849604cd8a183eb9960283f2782e8084e/examples/autoscale/bigip-configurations/runtime-init-conf-payg-with-app.yaml#L164
In order to update the WAF policy, you'll need to change the policy referenced in the runtime init config and then update the solution: https://github.com/F5Networks/f5-aws-cloudformation-v2/tree/main/examples/autoscale/payg#updating-this-solution
You will also need to customize the deployment by adding the ASM cookie protection string. That's documented under Example Customization 1 here: https://github.com/F5Networks/f5-aws-cloudformation-v2/tree/main/examples/autoscale/payg#changing-the-big-ip-deployment
Hope this helps.
Thanks for your answer, I have a new question about it. If I am using two BIG-IPs with a new configuration and the 3rd BIG-IP scales out in the ASG with the runtime init config, how can the 3rd BIG-IP load the new configuration? Do we still get a backup config on the S3 bucket as in the v1 code, or do we have another solution?
The new BIG-IP will automatically use the new configuration. The v2 templates do not use backups to restore the configuration; they use whatever was most recently provided for the runtime init configuration.
I saw that in the user data when BIG-IP scales out, but I don't see the runtime init configuration being up to date. Could you show me this config or how to set up the runtime init config so it is up to date?
Did you follow the steps here: https://github.com/F5Networks/f5-aws-cloudformation-v2/tree/main/examples/autoscale/payg#updating-this-solution
You need to update the bigIpRuntimeInit config parameter value with the new configuration and then redeploy the CFT. Have you done that?
Yep, I understand your idea. But with this solution, we need to manually update the bigIPRuntimeInit config file with the new configuration and redeploy the CFT. We need this step to automatically get a backup config such as a UCS file and import it automatically when the new BIG-IP scales out. Do you understand my idea, and can you help me?
Restoring UCS is not supported by this solution. Can you share what you need from the UCS file that can't be obtained using Runtime Init?
I need all the configs on the currently running BIG-IP, such as certificates, certificate profiles, network settings, WAF profiles, VIPs, iRules, pools, nodes, ... Please suggest and guide me. Thanks
You should be able to include all of those resources in the Runtime Init configuration file. We have detailed usage and examples here: https://github.com/F5Networks/f5-bigip-runtime-init
These can be used to extend the default config file here: https://github.com/F5Networks/f5-aws-cloudformation-v2/blob/main/examples/autoscale/bigip-configurations/runtime-init-conf-payg-with-app.yaml
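As an added illustration of the approach described above (this is not the repo's own config file), a trimmed runtime-init config that declares the pool, virtual server and WAF policy through AS3, so every instance the ASG launches fetches the same policy at boot. The tenant and application names, the pool member address and the policy URL are placeholders; the real repo config also pins extension versions and carries the rest of the onboarding.

```yaml
# Added example, not the F5 repo's own runtime-init config.
# Names, addresses and the WAF policy URL are placeholders.
runtime_parameters: []
extension_packages:
  install_operations:
    # extensionVersion omitted here for brevity; pin it as the
    # repo's default config does so scale-out is reproducible.
    - extensionType: do
    - extensionType: as3
extension_services:
  service_operations:
    - extensionType: as3
      type: inline
      value:
        class: AS3
        action: deploy
        persist: true
        declaration:
          class: ADC
          schemaVersion: 3.0.0
          Tenant_App:
            class: Tenant
            Shared:
              class: Application
              template: shared
              # A fresh instance fetches the policy from this URL at boot, so
              # every scaled-out BIG-IP gets the same WAF policy. Updating the
              # policy means changing this URL (or its contents) and
              # redeploying the solution, as described in the README.
              app_waf_policy:
                class: WAF_Policy
                url: https://example.invalid/placeholder/waf_policy.xml
                ignoreChanges: true
              app_pool:
                class: Pool
                monitors:
                  - http
                members:
                  - servicePort: 80
                    serverAddresses:
                      - 10.0.1.10   # placeholder backend
              app_http:
                class: Service_HTTP
                virtualAddresses:
                  - 0.0.0.0
                pool: app_pool
                policyWAF:
                  use: app_waf_policy
```

Because the instances are immutable, the policy cannot be edited in place on a running BIG-IP and expected to survive scale-out; the exported policy that this URL points to is the source of truth.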
@pgouband
Hi @anhlegithub,
Regarding your request, you should contact your F5 account team so they can work with you and check with our Professional Services organisation if they can help you.
Before contacting my Professional Services organization, I need to confirm some info:
1. The BIG-IP CFT v2 solution doesn't include the UCS file for importing config when autoscaling, unlike CFT v1.
2. We cannot run the device's current configuration on the newly scaled device with this solution. If we have a daily operations team and daily configuration changes, then scaling with that running config is not feasible with this solution. Is that what I understand right?
3. If we want to combine CFT v2 and CFT v1, is it possible to solve this problem? Or does the CFT v1 solution still support current versions of BIG-IP?
Hi @anhlegithub,
Here are our answers:
@pgouband @mikeshimkus Thanks for your support, I will update my team and contact Professional Services Support to confirm via email.
The problem is that the v2 code is missing the step of configuring a Device Group and joining new instances to the common device group for the purpose of synchronizing the WAF policy. Please help me with advice:
1. Recommend another option to synchronize the WAF policy when the new autoscale code no longer has this step.
2. In case you still join the device group to sync the WAF policy, please provide an alternative repo or instructions to customize F5's repo code.