F5 AS3 and Red Hat Ansible Automation

If you have already started automating F5 application services, you are likely familiar with using automation tools such as Ansible. There are 115 Ansible modules for F5 today that allow you to automate and manage a variety of F5 activities and configurations, such as licensing, load balancing, global availability, traffic and security policies, and more. Based on customer requests, these Ansible modules are built and supported by F5. To support more use cases and make application service deployment easier, F5 is releasing Application Services 3 (AS3) as part of the F5 Automation Toolchain (refer to the AS3 User Guide for additional background information).

In conversations with customers about automating F5 with Ansible, it has become evident that some of automation veterans are on the lookout for making existing automation more sustainable, robust, and portable. One of the questions often heard goes something like this: “I use Ansible to automate most of my application infrastructure, now I am hearing about AS3. It appears that AS3, just like Ansible, can configure application services on F5 BIG-IP. Do these solutions accomplish the same thing? Is there a recommended approach that I should take?”

Without getting into picking one over the other, the right approach for you really depends on the problems you are trying to solve and, in some cases, your corporate policies. The goal here is to try and answer this question with some surrounding context and to present ideas on how these two tools are very complimentary. Interested? Keep reading…

AS3 is a BIG-IP API extension that uses a JSON document to configure Layer 4-7 Application Services on a BIG-IP using a single declarative interface. AS3 is intended to be delivered with a monthly cadence, typically at the beginning of every month and is already supported by F5 for TMOS 12.1.x and above.

When to use AS3, when to use Ansible modules, and when to use both

At its simplest, the decision between AS3 and Ansible depends on your preference for imperative and declarative configuration approaches. AS3 allows you to approach F5 configuration in a declarative way versus an imperative way. Using AS3 with Ansible can abstract and templatize your configuration using industry-standard terms in its declaration (e.g., WAF). Furthermore, as AS3 gets equipped with new features, it should be easier for you to add these features to your application configuration. This is because, as you are evolving your AS3 declaration, you do not have to sequence the tasks in a specific order; AS3 will figure out the steps and order of operations for you.

Overall AS3 is a good choice when you want to use a declarative interface to templatize entire BIG-IP configurations using JSON. Ansible modules are a good choice when you want to continue using an imperative approach or lead with ad hoc operations and tasks. There is no right or wrong approach. It all depends on your requirements, needs, and constraints in your automation strategy.

Enterprise F5 Automation with Red Hat Ansible Tower

If you are already using Ansible across your data center and are leveraging Ansible’s ecosystem, you will now have 2 options:

1. Use Ansible to configure L4-L7 services via F5 Ansible modules
2. Use Ansible to configure L4-L7 service via AS3

This means you have additional flexibility if you want to automate with the open source Ansible project: The method of automating tasks using discrete BIG-IP modules, and now a templated method using AS3.

To configure F5 Application Services using Ansible and AS3, you can use the F5 built bigip_appsvcs_extension module or the Ansible’s URI module.

To configure F5 App Services using Ansible modules, you can use the built-in modules that are distributed as part of the Ansible open source distribution.

So now how do you operationalize your automated F5 environments? How do you enable your automation solution to be supported by both F5 and Red Hat? Do you have a distributed team that requires advanced automation features such as RBAC, scheduled automation runs, or a RESTful API to integrate into other larger workflows? Answers can be found with Red Hat Ansible Tower. F5 customers can enhance the power of Red Hat Ansible Tower in driving more efficient CI/CD pipelines.

Red Hat Ansible Tower leverages the freedom for Ansible Playbook development but adds safeguard features network operators may need, particularly if they aren’t automation experts. With Red Hat Ansible Tower, teams can now have the flexibility to automate their F5 environments (via AS3 or F5 Ansible modules) but in a way that configurations can be applied and validated on an ongoing basis.

Getting Started

To get you started, here is a 2 min video overview on AS3 and a sandbox Ansible environment that highlights the benefits of abstraction when utilizing automation tools. Once you familiarize yourself with the concept, give the F5 Ansible roles on galaxy a try as well.