Network automation of BIG-IP F5 using Ansible Tower ATL Slide... · Ansible adoption at Lockheed...
Network automation of BIG-IP F5 using Ansible Tower
Ansible adoption at Lockheed Martin
Raj Ganeshan
Infrastructure architect – Lockheed-Martin Enterprise IT
My automation story
1. How did you get started with Ansible?
I am an Infrastructure Architect at Lockheed Martin. I got started with Ansible to provision Infrastructure (Compute, Storage, Network, SSL/TLS Certificates, Containers etc.)
2. How long have you been using it?
3 years
3. What's your favorite thing to do when you Ansible?
BIG-IP F5 automation, Infrastructure-as-Code
Agenda
• Why automate network Infrastructure?
• Infrastructure-as-Code (IaC) defined
• Ansible adoption at Lockheed Martin
• BIG-IP F5 - Ansible modules, AS3, DO, Jinja2 templates
• Ansible Tower concepts and workflows
• Simple Gitlabs lifecycle
• Deep dive - IaC with Gitlabs, Ansible Tower and BIG-IP F5
• The Ansible approach to network automation
• Ansible with 2FA/MFA
Why automate?
There are really 3 main reasons
• Speed – Spin up an entire infrastructure architecture by running a script/playbook
• Consistency – Standardize setup of infrastructure to reduce errors and deviations
• Efficiency – All code and version control processes can be applied to infrastructure
Enablers
• Virtualization and Cloud computing
• Software-defined-everything (Compute, storage, networking, security etc.) a.k.a. Infrastructure-as-Code
IaC defined
Managing and provisioning computer data centers through machine-readable definition files
IaC flow diagram (labels): Repository, Commit Trigger, Build System, Deployment API, Automation Tools, Managed Infrastructure (Compute, Storage, Network, Security)
Before there was an IaC process …
Difficult to have a repeatable process with varying interfaces
iControlREST example to create an application pool –
curl -k -u <user:password> -H "Content-Type: application/json" -X POST -d '{"name":"some-pool","members":[ {"name":"10.10.0.64:80","description":"first member"} ] }' https://10.10.0.1/mgmt/tm/ltm/pool
CISCO API example –
curl -v -X POST https://10.10.0.64/api/v1/auth/token-services -H "Accept:application/json" -u "user:password" -d "" --insecure -3
Use token to do something –
curl -v -H "Accept:application/json" -H "X-Auth-Token: <token>" -H "content-type: application/json" -X POST https://10.10.0.64/api/v1/nat-svc/pool -d '{"nat-pool-id": "test4-nat-pool", "start-ip-address": "10.10.0.1", "end-ip-address": "10.10.0.63", "prefix-length": 32}' --insecure -3
Documentation - https://clouddocs.f5.com/api/
Ansible adoption at Lockheed Martin
• Ansible is the foundation of our IaC approach
• Ansible is being used for provisioning and configuring infrastructure (compute, storage, network, security) for on-prem environments, public cloud, and hybrid cloud environments
• Ansible Tower is being used for managing orgs, users, templates, workflows etc. and is an important part of the automation tool-chain
• We are using Red Hat provided training and complementing it with internal training
• Ansible Engine and Ansible Tower software are licensed through Red Hat
BIG-IP F5
Application traffic routing and management
• Load balancing
• HTTP/HTTPS
• Health monitors
Secures applications using SSL/TLS
• SSL termination and pass-thru
• Different ciphers and algorithms
Monitoring, analytics and metrics
Automation
• API
• Application Services 3 Extension (AS3)
• Declarative onboarding (DO)
Integration
• Ansible templates and modules
Ansible modules for BIG-IP F5
• Automating initial configuration on the BIG-IP
• Automation to network the BIG-IP (VLANs, Self IPs)
• Automated deployment of HTTP and HTTPS applications
• Managing Virtual-Servers, Pools, Monitors and other configuration objects
• Documentation –
https://clouddocs.f5.com/products/orchestration/ansible/devel/
https://docs.ansible.com/ansible/latest/modules/list_of_network_modules.html#f5
• Open source – https://github.com/F5Networks/f5-ansible
BIG-IP Application Services 3 (AS3) Extension
• Declarative model for managing BIG-IP configuration
• Defined by a JSON schema
• Layer 4-7 application and security services
• Atomic and idempotent
• BIG-IP version 12.1.x or higher
• POST to https://<BIG-IP>:<port>/mgmt/shared/appsvcs/declare
• Documentation – https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/
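As an added example (not from the talk or the linked repositories): a playbook that POSTs a minimal AS3 declaration to the endpoint above with Ansible's uri module and checks the per-tenant result codes. The bigip inventory group, bigip_user and bigip_pass (from a Tower credential or Ansible Vault) and all addresses are assumptions.

```yaml
- name: Deploy an HTTP application on BIG-IP with an AS3 declaration
  hosts: bigip            # assumed inventory group; ansible_host is the mgmt address
  connection: local       # runs on the control node, talks to BIG-IP over HTTPS
  gather_facts: false
  tasks:
    - name: POST the AS3 declaration
      uri:
        url: "https://{{ ansible_host }}:443/mgmt/shared/appsvcs/declare"
        method: POST
        url_username: "{{ bigip_user }}"   # Tower credential or Ansible Vault
        url_password: "{{ bigip_pass }}"
        force_basic_auth: true
        validate_certs: true               # keep TLS verification on in playbooks
        body_format: json
        body:
          class: AS3
          action: deploy
          persist: true
          declaration:
            class: ADC
            schemaVersion: "3.0.0"
            id: sample-http-app
            Sample_01:                     # tenant = partition on the BIG-IP
              class: Tenant
              A1:
                class: Application
                template: http
                serviceMain:               # the virtual server
                  class: Service_HTTP
                  virtualAddresses: ["10.0.1.10"]        # constructed VIP
                  pool: web_pool
                web_pool:
                  class: Pool
                  monitors: [http]
                  members:
                    - servicePort: 80
                      serverAddresses: ["192.0.2.10", "192.0.2.11"]  # constructed
        status_code: 200
      register: as3_result

    - name: Fail if any tenant in the response did not report success
      assert:
        that:
          - "as3_result.json.results | selectattr('code', 'ne', 200) | list | length == 0"
        fail_msg: "AS3 returned: {{ as3_result.json.results }}"
```

Re-running the play with the same declaration returns code 200 with "no change", which is the idempotency the slide refers to.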
BIG-IP Declarative Onboarding (DO)
• A declarative model to initially configure a BIG-IP device
• BIG-IP version 13.1.0 or higher
• Layer 1-3 configuration
• POST and GET to https://<BIG-IP>:<port>/mgmt/shared/declarative-onboarding
• Documentation – https://clouddocs.f5.com/products/extensions/f5-declarative-onboarding/latest/
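As an added example (not from the talk): the POST-then-GET exchange with the DO endpoint above for a Layer 1-3 bring-up. DO answers the POST with 202 and a task id and applies the declaration asynchronously, so the play polls the task until it leaves RUNNING and then asserts on the final status. Group name, credentials, hostname and addresses are assumptions.

```yaml
- name: Initial BIG-IP onboarding (hostname, NTP, VLAN, self IP) with DO
  hosts: bigip            # assumed inventory group; ansible_host is the mgmt address
  connection: local
  gather_facts: false
  tasks:
    - name: POST the declaration (202 + task id; DO applies it asynchronously)
      uri:
        url: "https://{{ ansible_host }}:443/mgmt/shared/declarative-onboarding"
        method: POST
        url_username: "{{ bigip_user }}"    # Tower credential or Ansible Vault
        url_password: "{{ bigip_pass }}"
        force_basic_auth: true
        validate_certs: true
        body_format: json
        body:
          schemaVersion: "1.0.0"
          class: Device
          async: true
          Common:
            class: Tenant
            hostname: bigip1.example.internal           # constructed
            myNtp: {class: NTP, servers: ["10.1.0.5"], timezone: UTC}   # constructed
            external:
              class: VLAN
              tag: 4093
              interfaces: [{name: "1.1", tagged: true}]
            external-self:
              class: SelfIp
              address: 10.1.10.5/24                      # constructed
              vlan: external
              allowService: none                          # expose no services on the self IP
        status_code: 202
      register: do_post

    - name: Poll the task until it leaves RUNNING (retries cover restnoded restarts)
      uri:
        url: "https://{{ ansible_host }}:443/mgmt/shared/declarative-onboarding/task/{{ do_post.json.id }}"
        url_username: "{{ bigip_user }}"
        url_password: "{{ bigip_pass }}"
        force_basic_auth: true
        validate_certs: true
        status_code: [200, 202]
      register: do_task
      until: do_task is succeeded and do_task.json.result.status != 'RUNNING'
      retries: 30
      delay: 10

    - name: Fail unless the final status is OK (DO rolls the device back on error)
      assert:
        that: do_task.json.result.status == 'OK'
```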
Ansible approach – Imperative vs. Declarative
• Declarative (Functional) – What
You define the desired state and the system executes what needs to happen
• Imperative (Procedural) – How
You define specific commands to be executed in the appropriate order to reach the desired state
• Intelligent (Environment aware) – Why
System determines the desired state before it executes what needs to happen to achieve the desired state
• Ansible uses a push-type, declarative and imperative approach.
Jinja2 templates for network configuration
- Jinja2 templates used for templating a file to a remote device
- Write the contents of a file to a remote location
Diagram labels: Global YAML vars, Local YAML vars, Jinja2 Templates, Configs, Ansible
Ansible Tower
• Ansible Tower is the easy-to-use UI, dashboard, and REST API for Ansible
• Role-based access control – Teams, users in various roles, integration with LDAP/AD
• Job and workflow templates for automation, workflows and much more!
• Job scheduling - schedule your jobs and set repetition options
• Fully documented REST API
• User guide – https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html
Ansible Tower – Workflow Templates
• A combination of job templates, project syncs, and inventory syncs linked together to execute them as a single unit.
• Extra vars and prompt-on-launch –
Overrides other vars specified elsewhere
Provide an inventory or extra variables when the workflow template is launched
• Assign Permissions
• Create Notifications
• Create Schedules
• Create Surveys (Dialogs)
• Use Workflow Visualizer to build a workflow
• Launch the template
Ansible Tower – End to end flow
Diagram labels (Tower end-to-end flow): Developer/Engineer, Repository, Commit Trigger, Change control approval, SCM update, Template automation, Modules, API call, Pull, Validation/Integration, End users, Self-service portal, Ansible Tower
- Declarative onboarding used to initially configure a BIG-IP device (Layer 1-3)
- AS3 used for applications and security (Layer 4-7)
Simple Gitlabs lifecycle
• Clone the repo to get a working copy
• Modify working copy by editing/adding files
• Fetch changes made by other developers
• To see commits added to the upstream master –
git log --oneline master..origin/master
• Merge the commits into your local master
git checkout master
git merge origin/master
• Commit your changes
• Push to master
Deep dive notional architecture
• Multi-AZ deployment for HA and DR with network load-balancer
• Public and private subnets for network isolation and security
• Security groups for ingress/egress rules
• BIG-IP and computes in private subnet
Deep dive environment
• EC2 instances with NICs and elastic IPs
• Security group with ingress/egress rules
• A role for the BIG-IP EC2 instance
https://github.com/ansible/workshops/tree/master/exercises/ansible_f5/3.0-as3-intro
https://github.com/f5devcentral/f5-big-iq-lab
https://github.com/rajganeshan/ansiblefest2019
Ansible network modules
• Automate repetitive tasks
• Configure, test and validate network state
• Separate data model from the execution layer (Ansible engine)
• Simple, agentless automation
• Can communicate over SSH or HTTPS
• Documentation – https://docs.ansible.com/ansible/latest/modules/list_of_network_modules.html
Ansible network modules – Local execution
• Network devices do not typically have Python installed on them
• So, Ansible can not execute tasks directly on the host
• As a work around Ansible uses itself as a proxy for the tasks to be executed against
• Tasks are eventually executed on the remote network device by calling the REST API
Inventory – a list of hosts
Playbook – a file describing actions to take
Ansible engine – executes the playbook for each host in the inventory, reaching the device through its API
Git concepts
• Git repo – A virtual storage to save versions of your code
• Tags - A meaningful name for a version. Tags are immutable and meant for product releases
• Branches – A line of development created to work on a new feature. When completed it is merged back with the master branch
• HEAD – A pointer that always points to the latest commit in the branch. HEAD is updated with the latest commit
Gitflow lifecycle
• A strict branching model designed around project releases
- Dev and Master branches
- Master stores official release history (with tags) and Dev used for integrating features
• Feature branches
- Use Dev as their parent branch
- When complete gets merged back into Dev
• Release branches
- Forked off Dev and meant for a release candidate
- No feature branches till it is merged into Master and back into Dev
MFA/2FA for BIG-IP F5
Remote user account management –
• BIG-IP system requires one or more administrative user accounts
• Store BIG-IP user accounts on a remote authentication server (not locally)
- LDAP
- Active Directory
- RADIUS
- TACACS+
• Remote server performs all authentication of user accounts
• Configure BIG-IP system to use the remote server to authenticate system accounts
• Documentation – https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-user-account-administration-12-0-0/6.html
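As an added example (not from the talk): pointing BIG-IP system authentication at remote TACACS+ servers with the bigip_device_auth module from the F5 Ansible modules linked earlier, so that logins are validated by the remote server (where the second factor is enforced) rather than against local accounts. Parameter names are from my reading of that module's documentation and should be checked against the version in use; server addresses, the bigip group and the credential variables are assumptions.

```yaml
- name: Point BIG-IP system authentication at remote TACACS+ servers
  hosts: bigip            # assumed inventory group; ansible_host is the mgmt address
  connection: local
  gather_facts: false
  tasks:
    - name: Configure TACACS+ as the system auth source
      bigip_device_auth:
        type: tacacs
        servers:
          - address: 10.1.0.20         # constructed: primary TACACS+ server
            port: 49
          - address: 10.1.0.21         # constructed: secondary
            port: 49
        secret: "{{ tacacs_secret }}"  # from Vault / a Tower credential, never in the repo
        update_secret: on_create       # do not rotate the shared secret on every run
        service_name: ppp
        protocol_name: ip
        authentication: use-first-server
        use_for_auth: true             # switch system accounts to the remote source
        state: present
        provider:
          server: "{{ ansible_host }}"
          user: "{{ bigip_user }}"     # local admin used only for this bootstrap step
          password: "{{ bigip_pass }}"
          validate_certs: true
```

Keep at least one local emergency admin account and test a remote login before relying on this, since a misconfigured server list locks administrators out of the management interface.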