I was introduced to F5 AS3 while doing a migration for a customer recently. For deploying new applications on an F5 LTM, this seems to be a pretty slick solution when you're considering infrastructure as code. The entire configuration can be contained in a JSON file, which simplifies checking it into some kind of repository.
One application I've been tasked with helping customers deploy is VMware Horizon. VMware has a very prescriptive F5 deployment guide which spells out the steps in great detail. I figure this is an optimal app to deploy with an AS3 template, so that's what I've done. Typically these customers deploy Horizon and AppVolumes on the same F5, so this template deploys both.
Here is a link to a GitHub repo where I've uploaded the AS3 template. There are a few variables you'll need to fill in, which I'll try to detail here.
Deployment ID
    "id": "urn:uuid:33045210-3ab8-4636-9b2a-c98d22ab915d",
This is a free-text identifier that you give the AS3 system for the deployment. It will appear in the logs and is referenced with saved configurations on the system. It is a good idea to keep these unique; since it's free text, feel free to use CHG ticket numbers or project IDs, something unique for your customer.
Certificates
    "AppVol_cert": {
        "class": "Certificate",
        "certificate": {
            "bigip": "/Common/default.crt"
        },
        "privateKey": {
            "bigip": "/Common/default.key"
        }
    },
    "Horizon_cert": {
        "class": "Certificate",
        "certificate": {
            "bigip": "/Common/default.crt"
        },
        "privateKey": {
            "bigip": "/Common/default.key"
        }
    }
You need to reference real certificates. The AS3 documentation should help you here, but you can either include certificates as BASE64-encoded strings or refer to certificates already on the F5. If you include them as BASE64-encoded strings, please ensure you have proper controls on your repository, as the private key will effectively be stored in plaintext.
Monitors
    "AppVol_Monitor": {
        "class": "Monitor",
        "monitorType": "https",
        "timeout": 15,
        "interval": 30,
        "send": "GET /health_check HTTP/1.1\r\nHost: {FQDN}\r\nConnection: Close\r\n\r\n",
        "receive": "200 OK"
    },
    "Horizon_Monitor": {
        "class": "Monitor",
        "monitorType": "https",
        "timeout": 91,
        "interval": 30,
        "send": "GET /broker/xml HTTP/1.1\r\nHost: {FQDN}\r\nConnection: Close\r\n\r\n",
        "receive": "clientlaunch-default"
    },
    "UAG_Maintenance": {
        "class": "Monitor",
        "monitorType": "https",
        "timeout": 91,
        "interval": 30,
        "send": "GET /favicon.ico HTTP/1.1\r\nHost: {FQDN}\r\nConnection: Close\r\n\r\n",
        "receive": "200",
        "receiveDown": "503"
    },
These monitors define health checks to the back-end servers. You need to replace each {FQDN} with the FQDN of a valid URL, or these checks will fail. This is Horizon-specific setup, so refer to that setup for these values.
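A pre-commit style check for the two placeholder problems described above: certificates that still point at the BIG-IP defaults or carry an inline private key, and monitors whose send string still contains {FQDN}. This is an added example, not part of the author's template or of AS3 itself; the `lint` function, the `Inline_cert` object and the sample declaration are constructed for illustration.

```python
import json

DEFAULTS = {"/Common/default.crt", "/Common/default.key"}

# Constructed sample shaped like the template fragments (not the real template).
SAMPLE = json.loads(r'''
{"Horizon": {"class": "Tenant",
  "Horizon": {"class": "Application",
    "Horizon_cert": {"class": "Certificate",
      "certificate": {"bigip": "/Common/default.crt"},
      "privateKey": {"bigip": "/Common/default.key"}},
    "Inline_cert": {"class": "Certificate",
      "certificate": "<constructed inline PEM certificate>",
      "privateKey": "<constructed inline PEM key>"},
    "Horizon_Monitor": {"class": "Monitor",
      "send": "GET /broker/xml HTTP/1.1\r\nHost: {FQDN}\r\nConnection: Close\r\n\r\n"}
}}}
''')

def lint(node, path=""):
    """Walk an AS3 declaration and return a list of (path, problem) findings."""
    findings = []
    if isinstance(node, dict):
        cls = node.get("class")
        if cls == "Certificate":
            for field in ("certificate", "privateKey"):
                value = node.get(field)
                # Reference to the self-signed default shipped on the BIG-IP.
                if isinstance(value, dict) and value.get("bigip") in DEFAULTS:
                    findings.append((path, f"{field} still points at {value['bigip']}"))
            # A string here means the key itself is embedded in the JSON file.
            if isinstance(node.get("privateKey"), str):
                findings.append((path, "privateKey is inline: key material lives in the repository"))
        elif cls == "Monitor" and "{FQDN}" in node.get("send", ""):
            findings.append((path, "send string still contains {FQDN}"))
        for name, child in node.items():
            findings.extend(lint(child, f"{path}/{name}"))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            findings.extend(lint(child, f"{path}[{i}]"))
    return findings

if __name__ == "__main__":
    for path, problem in lint(SAMPLE):
        print(f"{path}: {problem}")
```

Run against the real declaration by replacing SAMPLE with `json.load()` of the template file, and fail the commit or pipeline stage when the returned list is not empty.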
Pool Members
    "members": [
        {
            "hostname": "Server1",
            "servicePort": 443,
            "shareNodes": false,
            "servers": [
                {
                    "name": "Server1",
                    "address": "192.168.200.20"
                }
            ]
        },
        {
            "hostname": "Server2",
            "servicePort": 443,
            "shareNodes": false,
            "servers": [
                {
                    "name": "Server2",
                    "address": "192.168.200.21"
                }
            ]
        }
    ]
The pool members are dummy values in every Pool in the configuration, so you need to replace these with valid names and IP addresses. We are not using shareNodes, as that puts the members in the /Common partition on the F5. If you change this, you need to change it everywhere that member is referenced.
Partition Name and App Name
    "Horizon": {
        "class": "Tenant",
        "AppVolume": {
            "class": "Application",
            ...
        },
        "Horizon": {
            "class": "Application",
            ...
        }
    }
These translate directly to the names the F5 will deploy. Horizon will be the partition, as that is the topmost class (Tenant) of the configuration. Rename this to whatever your customer wants the partition called. Underneath this tenant we have two applications, AppVolume and Horizon. Again, rename those to whatever your client wants to name them.
General Notes
Most of the rest of the configuration is pretty straightforward and could stand as written. Naming is such a sensitive topic for companies that anything can be renamed: Pools, VIPs, Monitors, etc. are all available. One customer wanted their VIPs named after the FQDN of the URL they would present to users, so we did that for all references to the Horizon VIP.