Manual Chapter : Managing BIG-IQ Global Applications

Applies To:

BIG-IQ Centralized Management

  • 7.0.0

What is an application and how do I create one?

An application is just a container that houses multiple application services in the BIG-IQ user interface. There are a number of different application types you can create depending on what you plan to do with it. The work flow for creating each type varies a little.
  • An application is a collection of application services that all work to support a common business process. By combining these into one container, you can manage all of the services required to operate that process from one place in the BIG-IQ user interface.
  • A multi-cloud, or multi-site application distributes multiple versions of a common application service across different physical locations or cloud platforms. With versions hosted on different platforms or locations, your availability improves, and the overall application health is more robust. If one data center or cloud platform goes down, application traffic just flows to the other one. Or, you might just want the performance benefits that can come from processing traffic locally.

Standard Application

The basic work flow for creating a standard application is to:
  1. Create a new application. This creates the 'container' along with a single application service.
  2. Add each of the application services needed to perform the business process you need to support.
Once all of the services are live, you can track their aggregate health and performance; or, you can drill down to track the performance of each application service.

Multi-Cloud Application

The basic work flow for creating a multi-cloud application is to:
  1. Create or modify an AS3 or service template that defines the objects you need in your application service.
  2. Create the application that will house your application services.
  3. Use the template to deploy an application service to one cloud provider or data center.
  4. Use the template to deploy the same application service to a second cloud provider or data center.
  5. Use a template to create a DNS application service that load balances the traffic between the two application services.
If one cloud platform or data center experiences performance issues, traffic automatically routes to the other platform, so your application continues to perform.

How do I create an application service using BIG-IQ?

There are a number of ways you can create an application service using the BIG-IQ user interface. The work flow you use mostly depends on what you plan to do with it.
  • If you are creating an application service that deploys to a service scaling group (SSG), use a service catalog template that defines the objects in that application.
  • If you are creating an application service that deploys to a managed BIG-IP device, you can still use a service catalog template, but you can also use an AS3 template.
The workflow for creating an application service depends on a number of factors. Use the process appropriate for your needs. The following workflows are documented on support.f5.com.

| What are you trying to do? | AS3 Template | Service Catalog Template | Then use this workflow |
| --- | --- | --- | --- |
| Create an application service for an AWS SSG. | Not supported. | OK. | BIG-IQ Centralized Management: Managing Applications in an Auto-Scaled AWS Cloud. |
| Create an application service for an Azure SSG. | Not supported. | OK. | BIG-IQ Centralized Management: Managing Applications in an Auto-Scaled Azure Cloud. |
| Create an application service for a VMware SSG. | Not supported. | OK. | F5 BIG-IQ Centralized Management: Managing Applications in an Auto-Scaled VMware Cloud. |
| Create an application service for a managed device. | No. | Yes. | Create an application service using a service catalog template. |
| Create an application service for a managed device. | Yes. | No. | Create an application service using an AS3 template. |

Create an application service using a service catalog template

Before you can create and deploy an application, you must have configured a service catalog template.
Creating a new application from a template allows you to start from the set of objects defined in the template, modify or add objects, and then deploy the application to your BIG-IP devices. As you create the application, you define which of the template objects you want to include and revise the settings that need to be customized.
Your service catalog template must have an HTTP profile associated with its virtual server, or you will not be able to deploy it.
  1. At the top of the screen, click Applications then, on the left, click APPLICATIONS.
    The screen lists the applications currently defined on this device.
  2. Click Create.
    The Create Application Service screen opens.
  3. Decide whether you want to add a service to an existing application or to a new application.
    To add a service to a new application:
    1. For Grouping, select New Application.
    2. For Application Name, type a name for the new application.
    3. You can type a Description to identify the new application.
    To add a service to an existing application:
    1. For Grouping, select Part of an Existing Application.
    2. From Application Name, select the name of the application to which you want to add this application service.
    3. You can type a Description to identify the application.
  4. For the Template Type, select the service catalog template you want to use to create this application from.
  5. For Name, type a unique name for the application service.
  6. For the Environment field, identify where you want the application to deploy:
    • Service Scaling Group: From the Service Scaling Group field, select the name of the service scaling group to which you want to deploy this application.
    • BIG-IP:
      1. From the BIG-IP field, select the name of the device to which you want to deploy this application.
      2. To gather statistical data about the performance of this application on the device you deploy it to, select Collect HTTP Statistics.
        This option only supports applications managed by BIG-IP version 13.1.0.5 or later. If your template is intended for applications from multiple versions of BIG-IP, you can manually enable HTTP statistic collection from the Application Properties configuration (Applications > APPLICATIONS > <Application Name> : Properties : CONFIGURATION).
  7. Determine the objects that you want to deploy in this application.
    Required fields for the selected template are marked with a yellow border.
    1. To omit any of the objects defined in this template, click the (X) icon that corresponds to that object.
    2. To create additional copies of any of the objects defined in this template, click the (+) icon that corresponds to that object.
    3. For each object you decide to include in the application, revise the settings that you need to change.
      You can select a value for an object that you are creating in this application that is also created as part of this application. That is, if your service catalog template contains a pool member and a node, in most cases you want to use the node you are creating in the application for that pool member in the application. For example, a template could define a pool MyPool1 and a node 45.54.45.54. To specify the application-created object, you select the value that is prefixed with a pound sign (#) when you select the value for that node. (That option would appear as #45.54.45.54 in the example cited here.)
    4. If you have parameters for the servers required for this application saved in a comma separated values (CSV) file, click Load from CSV file, then navigate to the file, and click Open.
      The CSV file must list an IP address and a port for each server, and each server must be on its own line. For example:
      1.1.1.1, 80
      2.2.2.2, 443
      3.3.3.3, 668
      4.4.4.4, 22
  8. If this application includes a client-SSL profile, and the Ciphers are editable, there are three potential cipher settings you can configure. You can inherit the settings from the parent profile, you can specify a cipher of your own, or you can select a cipher group.
    • To inherit the cipher settings from the parent profile:
      1. For Ciphers, select Inherit.
      2. For Cipher Group Override as None, select Inherit.
      3. For Cipher Group, select Inherit.
    • To specify a cipher for this application:
      1. For Ciphers, select Other, and then type the cipher text in the adjacent field.
      2. For Cipher Group Override as None, select Other and None.
      3. For Cipher Group, select Inherit.
    • To specify a cipher group for this application:
      1. For Ciphers, select Other, and then leave the adjacent field blank.
      2. For Cipher Group Override as None, select Inherit.
      3. For Cipher Group, select Other, and then select the group from the adjacent list.
  9. When you have configured the objects that you want to include in this application, click Create.
    BIG-IQ creates the application service and deploys it to the target you specified.
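
The server CSV file described in step 7 can be checked before you load it. The following is an added example, not part of the F5 documentation or product: it validates the one-server-per-line "IP address, port" format and rejects a file whose entries have run together on one line. The function name, the 1-65535 port range, and the acceptance of IPv6 addresses are assumptions of this example.

```python
import csv
import io
import ipaddress
import re

PORT_RE = re.compile(r"[0-9]{1,5}")


def validate_server_csv(text):
    """Check CSV text that should hold one 'IP address, port' pair per line.

    Returns (servers, errors): servers is a list of (ip, port) tuples that
    passed every check; errors is a list of human-readable problems.
    """
    servers, errors, seen = [], [], set()
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for row in reader:
        lineno = reader.line_num
        fields = [field.strip() for field in row]
        if not any(fields):
            continue  # blank line
        if len(fields) != 2:
            # Typical cause: several servers run together on a single line.
            errors.append(
                f"line {lineno}: expected 2 fields (IP, port), found {len(fields)}"
            )
            continue
        ip_text, port_text = fields
        try:
            # Assumption: both IPv4 and IPv6 literals are acceptable.
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            errors.append(f"line {lineno}: {ip_text!r} is not a valid IP address")
            continue
        # Assumption: a usable port is a decimal number from 1 to 65535.
        if not PORT_RE.fullmatch(port_text) or not 1 <= int(port_text) <= 65535:
            errors.append(f"line {lineno}: {port_text!r} is not a valid port")
            continue
        server = (str(ip), int(port_text))
        if server in seen:
            errors.append(f"line {lineno}: duplicate entry {server[0]}:{server[1]}")
            continue
        seen.add(server)
        servers.append(server)
    return servers, errors


# Constructed sample inputs: the layout the manual asks for, and the same
# entries run together on one line.
GOOD = "1.1.1.1, 80\n2.2.2.2, 443\n3.3.3.3, 668\n4.4.4.4, 22\n"
FLATTENED = "1.1.1.1, 80 2.2.2.2, 443 3.3.3.3, 668 4.4.4.4, 22\n"

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("flattened", FLATTENED)):
        servers, errors = validate_server_csv(sample)
        print(label, servers, errors)
```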

Create an application service using an AS3 template

Before you can create and deploy an AS3 application, you must have configured an AS3 template.
Creating a new application from a template allows you to start from the set of objects defined in the template, modify or add objects, and then deploy the application to your BIG-IP devices. As you create the application, you define which of the template objects you want to include and revise the settings that need to be customized.
  1. At the top of the screen, click Applications then, on the left, click APPLICATIONS.
    The screen lists the applications currently defined on this device.
  2. Click Create.
    The Create Application Service screen opens.
  3. Decide whether you want to add a service to an existing application or to a new application.
    To add a service to a new application:
    1. For Grouping, select New Application.
    2. For Application Name, type a name for the new application.
    3. You can type a Description to identify the new application.
    To add a service to an existing application:
    1. For Grouping, select Part of an Existing Application.
    2. From Application Name, select the name of the application to which you want to add this application service.
    3. You can type a Description to identify the application.
  4. For the Template Type, select the AS3 template you want to use to create this application from.
  5. Use the Application Service Name and Description fields to identify this application service.
  6. For the Target field, identify the BIG-IP device to which you want the application to deploy.
    When you choose a target device, bear in mind that when AS3 deploys an application service, it deploys to the tenant partition specified in the AS3 template you are using. As part of the deployment process AS3 removes any objects previously existing in that target partition. For example, if you had manually deployed a number of virtual servers to a partition named my-app-servers on a BIG-IP named my.server.com and then use AS3 to deploy an application service to that same partition and device, AS3 would remove all of the virtual servers and then deploy the application service.
  7. If the template you are using to deploy this application service specifies that the Tenant is editable, specify where you want to deploy this application service.
    When the application service deploys, the BIG-IQ creates a partition on the target device using the name you specify here.
    If you have deployed configuration objects to BIG-IP devices and you plan to use this template to deploy application services to those same devices, do not choose a Tenant name that might match the name of partitions on which your previously deployed configuration objects reside. For more detail on how AS3 uses the tenant name and guidelines for using this control effectively, see AS3 tenant name details.
  8. Determine the objects that you want to deploy in this application.
    Required fields for the selected template are marked with a yellow border.
    1. To omit any of the objects defined in this template, click the (X) icon that corresponds to that object.
    2. To create additional copies of any of the objects defined in this template, click the (+) icon that corresponds to that object.
    3. For each object you decide to include in the application, revise the settings that you need to change.
      If you are deploying an application service to a device that resides in an Amazon or Azure cloud, you must type 0.0.0.0/0 for the Virtual Address. For both of these cloud environments, F5 recommends that you use an AWS or Azure load balancer in front of the device. The applications you plan to deploy on this device determine the required load balancer listener settings. Use the protocol and port appropriate for the template used to create this application.
      Use care when you configure a template to create objects that are used by other objects that are created in the same template. (For example, a template might create a service and a pool that the service uses.) If you name an object (you could name the pool Pool1 for example), and allow it to be edited, then when the application deploys, BIG-IQ looks for the name specified in the template; but, the person deploying the application service can edit that name to something else. Continuing the example, if the application deployer edits the pool name to something like MyPool1, the deployment would fail. It fails because the template creates a pool named Pool1, but the deployment ‘looks for’ a pool named MyPool1. To ensure successful application deployment, best practice is to leave editable objects in the template un-named so that the application deployer can use the name that best suits their need at the time.
  9. When you have configured the objects that you want to include in this application, click Create.
    BIG-IQ creates the application and deploys it to the target you specified.
When you deploy an AS3 application service, BIG-IQ creates or updates the configuration objects defined by that service on the managed device you targeted. You can view these objects, as they perform their function as part of an application service, on the application services dashboard.
Before you can view these newly-deployed objects on the Configuration tab, you must rediscover and re-import services for each service impacted by the deployment. Keep in mind that objects deployed with AS3 are view-only on the Configuration tab. To make changes to these objects, you make changes to the AS3 application.
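
Because AS3 removes objects that already exist in the tenant partition (steps 6 and 7 above), it is worth comparing the tenant names in a declaration with the partitions already populated on the target before you deploy. The following is an added example, not code from F5: it assumes the usual AS3 layout in which each tenant is a top-level property of the declaration with "class": "Tenant", and it assumes you have separately collected the full paths of objects that exist on the target device. The function names, the sample declaration, and the object paths are constructed for illustration.

```python
import json
from collections import defaultdict


def tenants_in_declaration(request):
    """Return the names of all Tenant-class objects in an AS3 declaration.

    Accepts either the AS3 request wrapper ({"class": "AS3", "declaration": ...})
    or a bare ADC declaration.
    """
    adc = request.get("declaration", request)
    return sorted(
        name for name, value in adc.items()
        if isinstance(value, dict) and value.get("class") == "Tenant"
    )


def group_by_partition(full_paths):
    """Group object paths such as '/my-app-servers/vs_legacy_1' by partition."""
    by_partition = defaultdict(list)
    for path in full_paths:
        parts = path.strip("/").split("/")
        if len(parts) >= 2 and parts[0]:
            by_partition[parts[0]].append(path)
    return dict(by_partition)


def objects_at_risk(request, existing_full_paths):
    """Map each tenant whose name matches an already populated partition to the
    objects in that partition, which the deployment would remove."""
    existing = group_by_partition(existing_full_paths)
    return {
        tenant: sorted(existing[tenant])
        for tenant in tenants_in_declaration(request)
        if tenant in existing
    }


# Constructed sample declaration: one tenant reuses the partition name from the
# manual's example (my-app-servers), the other is a new name.
SAMPLE_DECLARATION = json.loads("""
{
  "class": "AS3",
  "action": "deploy",
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.7.0",
    "my-app-servers": {
      "class": "Tenant",
      "web": {
        "class": "Application",
        "template": "http",
        "serviceMain": {
          "class": "Service_HTTP",
          "virtualAddresses": ["10.0.1.10"],
          "pool": "web_pool"
        },
        "web_pool": {
          "class": "Pool",
          "members": [{"servicePort": 80, "serverAddresses": ["10.0.2.11"]}]
        }
      }
    },
    "new-tenant": {"class": "Tenant"}
  }
}
""")

# Constructed inventory of objects already on the target device.
EXISTING_OBJECTS = [
    "/Common/shared_monitor",
    "/my-app-servers/vs_legacy_1",
    "/my-app-servers/vs_legacy_2",
    "/other-team/app1/vs_api",
]

if __name__ == "__main__":
    for tenant, paths in objects_at_risk(SAMPLE_DECLARATION, EXISTING_OBJECTS).items():
        print(f"Tenant {tenant!r} matches an existing partition; objects at risk:")
        for path in paths:
            print("  ", path)
```

An empty result means no tenant name in the declaration matches a partition that already holds objects in the supplied inventory.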

Assign a new user access to an application

If you want to authenticate users with an LDAP, RADIUS, or TACACS+ server, you must first configure that before adding a user.
When you create an application or an application service, BIG-IQ creates custom roles for them. To provide access to an application or application service, you assign users to these roles. Each application or application service has both a manager and a viewer role. The manager role is read-write; the viewer role is read only.
Since some roles have access only to certain areas or screens in the BIG-IQ user interface, it's important to communicate that to the user. When you assign a role to a user, be sure you outline the responsibilities and restrictions for their role. Clarifying this helps avoid any potential confusion. Also note, these roles do not have access to the global search functionality: Network Security Manager, Network Security Edit, Network Security View, and Trust Discovery Import.
  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT > Users.
  3. Click the Add button.
  4. From the Auth Provider list, select the authentication method you want to use for this user.
    A user must belong to an LDAP group or have an assigned BIG-IQ role, or authentication will fail.
  5. In the User Name field, type the name for this user.
  6. In the Password and Confirm Password fields, type the password for this new user.
    You can change the password any time.
  7. To associate this user with an existing user group, select the group from the User Groups list.
    You aren't required to associate a user group at this point; you can do that later if you want. If you want to associate another user group with this user, click +.
  8. For the Roles setting, from the Available list, select the roles to which you want to grant access, and move them to the Selected list.
    You can find the custom roles that BIG-IQ created for the new application by looking for the application, tenant name, and application service names in the list of roles.
    • The application role names use the syntax: <application-name> Manager/Viewer.
    • The application service role names use the syntax: <tenant-name_application-service-name> Manager/Viewer.
    For example, if you created an application named MyAwesomeApp and defined an application service for it named MyAwesomeService that uses a tenant named MyTennant, BIG-IQ would create four new custom roles.

    | Role Name | Access Permissions |
    | --- | --- |
    | MyAwesomeApp Manager | Read-write permissions for the application and "all" of its application services. |
    | MyAwesomeApp Viewer | Read-only permissions for the application and "all" of its application services. |
    | MyTennant_MyAwesomeService Manager | Read-write permissions for the application and "all" of its application services. |
    | MyTennant_MyAwesomeApp Viewer | Read-only permissions for the application and "all" of its application services. |

    Be sure to let your users know that their access to certain parts of the BIG-IQ user interface depends on which role they are assigned.
  9. Click the Save & Close button.
This user now has the privileges associated with the role(s) you selected and BIG-IQ will authenticate this user using the authentication method you have configured.
You can now tell this user how their BIG-IQ access aligns with their responsibilities. Make sure they understand they might not see every screen you or one of their peers does. Also let them know that if they try to log in more than 5 times in 5 minutes with the wrong user name and/or password, they might get the following error:
Maximum number of login attempts exceeded.
If that happens, the user must wait 5 minutes before trying to log back in.
If your BIG-IQ is in an HA pair, you must synchronize this change by refreshing the secondary BIG-IQ.

Assign an existing user access to an application

If you want to authenticate users with an LDAP, RADIUS, or TACACS+ server, you must first configure that before adding a user.
When you create an application or an application service, BIG-IQ creates custom roles for them. To provide access to an application or application service, you assign users to these roles. Each application or application service has both a manager and a viewer role. The manager role is read-write; the viewer role is read only.
Since some roles have access only to certain areas or screens in the BIG-IQ user interface, it's important to communicate that to the user. When you assign a role to a user, be sure you outline the responsibilities and restrictions for their role. Clarifying this helps avoid any potential confusion. Also note, these roles do not have access to the global search functionality: Network Security Manager, Network Security Edit, Network Security View, and Trust Discovery Import.
  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT > Users.
  3. For the Roles setting, from the Available list, select the roles to which you want to grant access, and move them to the Selected list.
    You can find the custom roles that BIG-IQ created for the new application by looking for the application, tenant name, and application service names in the list of roles.
    • The application role names use the syntax: <application-name> Manager/Viewer.
    • The application service role names use the syntax: <tenant-name_application-service-name> Manager/Viewer.
    For example, if you created an application named MyAwesomeApp and defined an application service for it named MyAwesomeService that uses a tenant named MyTennant, BIG-IQ would create four new custom roles.

    | Role Name | Access Permissions |
    | --- | --- |
    | MyAwesomeApp Manager | Read-write permissions for the application and "all" of its application services. |
    | MyAwesomeApp Viewer | Read-only permissions for the application and "all" of its application services. |
    | MyTennant_MyAwesomeService Manager | Read-write permissions for the application and "all" of its application services. |
    | MyTennant_MyAwesomeApp Viewer | Read-only permissions for the application and "all" of its application services. |

    Be sure to let your users know that their access to certain parts of the BIG-IQ user interface depends on which role they are assigned.
  4. Click the Save & Close button.
This user now has the privileges associated with the role(s) you selected and BIG-IQ will authenticate this user locally.
You can now tell this user how their BIG-IQ access aligns with their responsibilities. Make sure they understand they might not see every screen you or one of their peers does. Also let them know that if they try to log in more than 5 times in 5 minutes with the wrong user name and/or password, they might get the following error:
Maximum number of login attempts exceeded.
If that happens, the user must wait 5 minutes before trying to log back in.
If your BIG-IQ is in an HA pair, you must synchronize this change by refreshing the secondary BIG-IQ.

Review and edit an application service's Traffic Management services

Before you can review or revise an application, you must have created an application using a template with traffic management services.
An application service specifies a set of objects that can be deployed to a BIG-IP device or to the devices in a service scaling group. It's a good idea to review an application after you deploy it to make sure that the application's traffic management services have precisely the right objects and parameter settings. If you find issues with the application service that you want to resolve, there are two ways to make changes:
  • If you discover minor issues (for example, you might decide you want to change the value for some of the existing objects in the application service, or maybe you want to change the state of a pool member), you can make direct edits to the application service as described here.
  • For more substantive changes (for example, if you find that there are objects you need to add or remove), you should make your changes by revising the template upon which the application service is based. For details, refer to Modify an application service on support.f5.com.
  1. At the top of the screen, click Applications then, on the left, click APPLICATIONS.
    The screen lists the applications currently defined on this device.
  2. Click the name of the application that you want to edit.
    BIG-IQ displays the Application dashboard for the selected application and lists the application services that comprise it.
  3. In the Application Configuration Map, under APPLICATION SERVICES, click Traffic Management.
  4. Click CONFIGURATION near the middle of the screen.
    The objects defined for this application for the service type you selected are listed.
  5. Click each of the object types (Virtual Server or Pool) defined in this application to review the settings.
    The right side of the configuration area displays an application map portraying the selected object type.
  6. To change a setting for a selected object, click Quick Edit and, if the object is defined as editable in the service catalog template, revise the parameters that you want to change.
    If you have administrative access, you can make additional changes to the application template's settings. You can see the application template title when you click APPLICATION Properties at the center left of the screen (make sure you select the CONFIGURATION area). For more information about template configuration, see the section Managing Service Catalog Templates.
  7. When your edits are complete, click Save & Close.
    The system updates the application with the settings you specified.
You must deploy this application to the BIG-IP device before these objects and settings are created on the device.

Modify an application service

Modifying an application service changes the configuration objects deployed to your devices or service scaling group.
  1. At the top of the screen, click Applications then, on the left, click APPLICATIONS.
    The screen lists the applications currently defined on this device.
  2. Select the name of the application that you want to modify.
    BIG-IQ lists the application services defined for the selected application.
  3. Select the name of the application service that you want to modify.
  4. On the lower part of the screen, select the Configuration tab and make a note of the template listed next to Created from Template.
  5. Click Cancel then click Applications > APPLICATION TEMPLATES to list the templates defined on this BIG-IQ system so you can select the check box for the template identified in the last step.
  6. Click More > Clone, then type a name for the cloned template and click Clone again. The system creates a clone of the service template and then opens the new template so you can make changes.
  7. Determine the objects that you want to revise for this application, and then specify values for those objects.
  8. When you have configured the objects that you want to revise for this application, click Publish.
    BIG-IQ creates the new template and assigns it the read-only status of published, which makes it available to use to create an application.
  9. Click Applications then, on the left, click APPLICATIONS and select the name of the application you want to revise.
    BIG-IQ lists the application services defined for the selected application.
  10. Select the name of the application service that you want to modify.
  11. Click Switch to template; then select the name of the template clone you just created.
    Objects that you did not revise when you created the clone are left unchanged and the list of editable objects for the cloned template is displayed.
  12. Revise the settings for the editable objects, and then click Save.
    The application service deploys with the changes you wanted.

Move an application service

You can move an application service from one application to another so you can get your services organized the way you want them.
One potentially common scenario that requires moving or merging application services occurs when you use an API to create an AS3 application service. The AS3 API creates these services as components of an application named Unknown Applications. You can use the Move or Merge button to organize these API-created services into the application that works best for you.
  1. At the top of the screen, click Applications then, on the left, click APPLICATIONS.
    The screen lists the applications currently defined on this device.
  2. Select the name of the application that contains the application service(s) you want to move.
    BIG-IQ lists the application services defined for the selected application.
  3. Select the check box for the application service(s) that you want to move.
  4. Click Move.
    BIG-IQ displays the Move Application Services popup.
  5. For Grouping, decide where you want to move the application service.
    • To create a new application and move the application service into it:
      1. Click New Application.
      2. Type the Application Name for the new application.
    • To move the application service to another application:
      1. Click Part of an Existing Application.
      2. Type the Application Name to which you want it to move.
  6. If you are moving all of the application services from this application and you want to delete the empty application, click Remove applications without services.
  7. Click OK to move the application service(s).
    BIG-IQ moves the application services and (if you asked it to) deletes the empty application.

Merge applications

You can merge application services from multiple applications. You can either merge them into an existing application, or create a new application depending on what works best for you.
One potentially common scenario that requires moving or merging application services occurs when you use an API to create an AS3 application service. The AS3 API creates these services as components of an application named Unknown Applications. You can use the Move or Merge button to organize these API-created services into the application that works best for you.
  1. At the top of the screen, click Applications then, on the left, click APPLICATIONS.
    The screen lists the applications currently defined on this device.
  2. Select the names of the applications that you want to merge.
    BIG-IQ lists the application services defined for the selected application.
  3. Select the check box for the application service(s) that you want to move.
  4. Click Merge.
    BIG-IQ displays the Merge Applications popup.
  5. For Grouping, decide how you want to merge the applications.
    • To merge all of the application services into a new application:
      1. Click New Application.
      2. Type the Application Name for the new application.
    • To merge all of the application services into another application:
      1. Click Part of an Existing Application.
      2. Type the Application Name into which you want the application services to merge.
  6. If you want to delete the empty applications that result from the merge, click Remove applications without services.
  7. Click OK to merge the application service(s).
    BIG-IQ merges the applications and (if you asked it to) deletes the empty applications.