Managing Policies with BIG-IQ 5.0

Published June 13, 2016

The latest version of BIG-IQ is now shipping. The introduction of BIG-IQ Centralized Management 5.0 marks a substantial advance in F5’s Management and Orchestration story. The release is the most important BIG-IQ release since the product was launched 3 years ago. While the list of what’s new is long, I want to focus today on a philosophical change that is key to understanding BIG-IQ 5.0.

BIG-IQ has always been open-ended. By that, I mean that when asked “what do you use it for?”, the answer was always, “whatever you want.” BIG-IQ presented the user with a lot of information, some levers and buttons – and users were expected to go figure out what to do with it. Even BIG-IQ’s UI was open-ended – a series of vertical panels that could be added or removed or re-ordered to suit whim and task.

BIG-IQ 5.0, however, is a different kind of beast. One of the fundamental concepts behind this release is the idea of workflows. Now, BIG-IQ’s new sister product, iWorkflow, is also about workflows. iWorkflow was built to provide tools to enable automatic deployment of BIG-IP services in support of new app deployments or changes. BIG-IQ 5.0’s goal is more straightforward – we just want to make it easy to manage BIG-IP devices and deploy policies to BIG-IPs or groups of BIG-IPs without introducing errors. The UI has been revamped to make it simpler, more like TMOS, and to help guide users through common workflows.

All of BIG-IQ now has a consistent workflow that looks something like this:

[Figure: Policy Workflow in BIG-IQ]

Each stage is managed by a user with a specified role. Roles are overlapping and specific to the module (i.e., there is an Access Editor distinct from the ADC Editor) – there are also roles for viewing and auditing specific modules. Roles can be stacked so that a user has all the rights he or she requires.

The Discover & Establish Trust stage is where trust is established between BIG-IQ and the BIG-IP: certs are exchanged and, if necessary, the REST framework on the BIG-IP is upgraded.

The Import Settings stage is where the user selects which module’s configs are to be imported. LTM must be imported for configuration of anything beyond basic device management. The user is given the option of creating a snapshot of the config for later comparison and potential rollback. Discrepancies between the existing config and the config being imported are highlighted and must be resolved before completing the import stage.

Editors, Managers, and Administrators can make changes to configuration settings. Those changes are not immediately deployed. Instead, the new config is “staged” as part of the BIG-IQ working configuration.

During the Evaluation stage, BIG-IQ retrieves the current BIG-IP config (in case it changed since it was last imported into BIG-IQ) and generates a graphical comparison of the two configs. Differences are highlighted and the user is given a chance to select which changes to keep.

Finally, a deployment job is created and the changes can be pushed out immediately or scheduled for later. An audit log is maintained and configurations can be rolled back if necessary.

A common workflow for policy management is just one of the many enhancements in BIG-IQ 5.0. More information on this release can be found on the BIG-IQ product page. Contact your sales representative for more information and for a free trial.