Manual Chapter : Managing BIG-IQ Global Applications

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 7.1.0
Manual Chapter

Managing BIG-IQ Global Applications

What is an application and how do I create one?

An application is just a container that houses multiple application services in the BIG-IQ user interface. There are a number of different application types you can create depending on what you plan to do with it. The work flow for creating each type varies a little.
Regardless of what kind of application you create, once all of the services are live, you can track their aggregate health and performance; or, you can drill down to track the performance of each application service.
As with every other task you can perform using BIG-IQ, creating applications requires permissions that are set up by the BIG-IQ admin. At a minimum (unless you are the Admin), your user ID must be assigned a custom Application Creator role and that role must be assigned access to the resources you need.
  • An application is a collection of application services that all work to support a common business process. By combining these into one container, you can manage all of the services required to operate that process from one place in the BIG-IQ user interface.
  • A multi-cloud, or multi-site application distributes multiple versions of a common application service across different physical locations or cloud platforms. With versions hosted on different platforms or locations, your availability improves, and the overall application health is more robust. If one data center or cloud platform goes down, application traffic just flows to the other one. Or, you might just want the performance benefits that can come from processing traffic locally.

Template Applications

The basic work flow for creating a standard application is to:
  1. Create or modify an AS3 or service catalog template that defines the objects you need in your application service.
  2. Create a new application. This creates the 'container' along with a single application service.
  3. Add additional application services needed to perform the business process you need to support.

Multi-Cloud Application

A multi-cloud application is a type of template application. It gets it's name from the location and type of application services it deploys. The basic work flow for creating a multi-cloud application is to:
  1. Create or modify an AS3 or service template that defines the objects you need in your application services.
  2. Create the application that will house your application services.
  3. Use the template to deploy an application service to one cloud provider or data center.
  4. Use the template to deploy the same application service to a second cloud provider or data center.
  5. Use a template to create a DNS application service that load balances the traffic between the two application services.
If one cloud platform or data center experiences performance issues, traffic automatically routes to the other platform, so your application continues to perform.

Legacy Application

A legacy application uses virtual servers that you have already deployed to your managed devices. Pools, pool members, nodes, and certain HTTP and TCP profiles associated with the deployed virtual servers are also included in a legacy application. With a legacy application, you can use the application dashboard to view statistics and analytic metrics without having to redeploy everything. Although you can still make changes to these objects using the Configuration tab, there are limitations on the type of edits you can make to the application itself using the application dashboard. These limits depend (in part) on the role to which your user name is assigned. For example, if you are assigned the application manager role for a specific application service, you can use the dashboard to enable, disable, or force offline virtual servers, pools, and pool members. If you need to make substantive changes to these objects, F5 recommends you redeploy the services using an AS3 template.

Add a new BIG-IQ user for a custom role

If you want to authenticate users with an LDAP, RADIUS, or TACACS+ server, you must first configure that before adding a user.
Using a template to create an application and deploy it to a BIG-IP device, requires a set of permissions. These permissions attach to a user ID. For a custom role like application creator, it's easiest to create the user ID before you create the role.
When logged in as a user with a custom role, you cannot create an application that uses virtual servers that have been deployed to your managed devices. To create these legacy applications, you need to log in as admin.
Since custom roles have access only to certain areas or screens in the BIG-IQ user interface, it's important to communicate that to the user. When you assign a custom role to a user, be sure you outline the responsibilities and restrictions for their role. Clarifying this helps avoid any potential confusion. Also note,these roles do not have access to the global search functionality: Network Security Manager, Network Security Edit, Network Security View, and Trust Discovery Import.
  1. At the top of the screen, click
    System
    .
  2. On the left, click
    USER MANAGEMENT
    Users
    .
  3. Click the
    Add
    button.
  4. From the
    Auth Provider
    list, select the authentication method you want to use for this user.
    A user must belong to an LDAP group or have an assigned BIG-IQ role, or authentication will fail.
  5. In the
    User Name
    field, type the name for this user.
  6. In the
    Password
    and
    Confirm Password
    fields, type the password for this new user.
    You can change the password any time.
    At this point, you could add this user to user groups or assign one or more existing roles to this user. But you don't need to do that if you are creating a user just so you can assign that user a custom role. For instructions on assigning groups and roles refer to the
    Role-Based User Access
    chapter of the
    Managing Authentication, Roles, and Users from BIG-IQ
    guide on
    support.f5.com
    .
  7. Click the
    Save & Close
    button.
BIG-IQ creates a new user ID, but at this point, there are no privileges and no with the roles associated with it. BIG-IQ will authenticate this user using the authentication method you have configured.
Before you tell the user about the new ID, you need to create the custom role and assign it to this user.
If your BIG-IQ is in an HA pair, you must synchronize this change by refreshing the secondary BIG-IQ.

Define an application creator role

Before you can define an application creator role, you must have completed the following tasks:
  • Define the resources (templates, service scaling groups (SSGs), devices, or device groups that you want to assign to this role.
  • Define the user ID that you want to assign to this role.
When you assign a user the application creator role, you specify the permissions necessary for creating an application and which templates that user can be use. You can also control which resources the user can use when deploying application services. By controlling access to these resources, you reduce the number of decisions the user needs to make to deploy applications and application services.
Assume for example, that you want a user named Sam to use a specific set of templates to deploy applications to a particular set of BIG-IP devices. You create an application creator role for Sam and then assign her access to only the templates and devices you want her to use when she deploys applications.
If an application has been deployed to the tenant to which you want this Application Creator assignee to deploy applications, then you must also assign that user an Application Manager role for one of the applications that deployed to that tenant. For details about how to assign that role, refer to
Assign an existing user access to an application
of
support.f5.com
.
When logged in as a user with a custom role, you cannot create an application that uses virtual servers that have been deployed to your managed devices. To create these legacy applications, you need to log in as admin.
  1. At the top of the screen, click
    System
    .
  2. On the left, click
    ROLE MANAGEMENT
    Roles
    CUSTOM ROLES
    Application Roles
    .
  3. Near the top of the screen, click the
    Add
    button.
  4. Give this Application Creator role a
    Name
    and an optional
    Description
    .
    The name and description can make it clear what this role is for.
    You could use a name like
    Sam-Create-HTTP-Apps
    and a description like
    Deploy HTTP services to Seattle devices
    to indicate that this role is for Sam to use to create applications that deploy HTTP services to devices located in Seattle.
  5. From the
    Active Users and Groups
    list, select the check box next to
    Sam
    , and click the select arrow.
  6. Scroll down to the Resources area and specify the resources you want this role to access.
    You can identify the templates, devices, or service scaling groups that you want users with this role to use when deploying applications or application services. When Sam logs in with this role to create applications, she will be able to see only the resources you specified for her. This gives you peace of mind, and Sam can be confident she is using the correct templates and deploying to the correct target.
    To give access to
    Do this
    Service Catalog Templates
    Scroll to the
    Service Catalog Templates
    list, select the check box next to the templates that you want Sam to use when deploying applications, and then click the select arrow.
    AS3 Templates
    Scroll to the
    AS3 Templates
    list, select the check box next to the templates that you want Sam to use when deploying applications, and then click the select arrow.
    AS3 APIs
    Scroll to the
    AS3 Templates
    list, and select
    Allow using AS3 without Template
    .
    Service Scaling Groups
    Scroll to the
    Service Scaling Groups
    list, and select the check box next to the SSGs that you want Sam to deploy applications to, and then click the select arrow.
    Devices
    Scroll to either the
    Devices
    or
    Device Groups
    list, and select the check box next to the devices or device groups that you want Sam to deploy applications to, and then click the select arrow.
    If you do not identify any devices or device groups, Sam will be able to deploy applications to any managed device.
  7. Click the
    Save & Close
    button.
When Sam logs in with the Application Creator role you created, she will be able to use only the resources you specified to create applications and application services. This limitation can be quite helpful in reducing errors due to miscommunication or misunderstanding.

How do I create an application using BIG-IQ?

There are two ways you can use a template to create an application and the configuration objects it needs. If you have deployed legacy applications that you want to manage, you can also import those. The work flow you use mostly depends on what you plan to do with it.
  • Using an AS3 template to create your applications provides the greatest control and flexibility.
  • If you are creating an application service that deploys to a service scaling group (SSG), use a service catalog template that defines the objects in that application.
  • If you have deployed virtual servers that are performing as applications, you can import those servers to create a legacy application. Once you create this legacy application, you can monitor application performance just as you would for an application created using a template.
The work flow for creating an application service depends on a number of factors. Use the process appropriate for your needs. The following work flows are documented on
support.f5.com
.
What are you trying to create?
AS3 Template
Service Catalog Template
Legacy application
Then use this work flow
A new application for an AWS SSG.
Not supported.
Yes.
Not supported.
Managing Applications in an Auto-Scaled AWS Cloud from BIG-IQ
A new application for an Azure SSG.
Not supported.
Yes.
Not supported.
Managing Applications in an Auto-Scaled Azure Cloud from BIG-IQ
.
A new application for an VMware SSG.
Not supported.
Yes.
Not supported.
Managing Applications in an Auto-Scaled VMware Cloud from BIG-IQ
.
A new application on a managed device.
Yes, (recommended).
Yes
Not supported.
Create an application using an AS3 template
; or
Create an application using a service catalog template
.
An application that uses virtual servers already deployed to a managed device.
No.
No.
Yes.
Create an application using deployed virtual servers
.

Create an application service using an AS3 template

Before you can create and deploy an AS3 application service, you must be must be assigned a custom Application Creator role, or have user permissions to access the resources (templates, devices, etc.) needed to deploy the application.
If other application services have been deployed to the same tenant, then you must be assigned a user role that has access permissions for every template that has been used to deploy application services to that tenant before you can deploy an application to that tenant.
Creating a new application service from a template allows you to start from the set of objects defined in the template, modify or add objects, and then deploy the application service to your BIG-IP devices. As you create the application, you define at least one application service. The application services specify which of the template objects you want to include and revise the settings that need to be customized.
  1. At the top of the screen, click
    Applications
    then, on the left, click
    APPLICATIONS
    .
    The screen lists the applications currently defined on this device.
  2. Click
    Create
    .
    The Create Application Service screen opens.
  3. Decide whether you want to add a service to an existing application or to create a new application and application service.
    To add a service to a new application:
    1. For Grouping, select
      New Application
      .
    2. For
      Application Name
      , type a name for the new application.
    3. You can type a
      Description
      to identify the new application.
    To add a service to an existing application:
    1. For Grouping, select
      Part of an Existing Application
      .
    2. From
      Application Name
      , select the name of the application to which you want to add this application service.
    3. You can type a
      Description
      to identify the application.
  4. For Application Service Method, select
    Using Templates
    .
    The screen displays additional controls.
  5. For the
    Template Type
    , select the AS3 template you want to use to create this application from.
  6. Use the
    Application Service Name
    and
    Description
    fields to identify this application service.
  7. For the
    Target
    field, identify the BIG-IP device to which you want the application to deploy.
    When you choose a target device, bear in mind that when AS3 deploys an application service, it deploys to the tenant partition specified in the AS3 template you are using. As part of the deployment process AS3 removes any objects previously existing in that target partition. For example, if you had manually deployed a number of virtual servers to a partition named
    my-app-servers
    on a BIG-IP named
    my.server.com
    and then use AS3 to deploy an application service to that same partition and device, AS3 would remove all of the virtual servers and then deploy the application service.
  8. Determine the objects that you want to deploy in this application.
    Required fields for the selected template are marked with a yellow border.
    1. To omit any of the objects defined in this template, click the (
      X
      ) icon that corresponds to that object.
    2. To create additional copies of any of the objects defined in this template, click the (
      +
      ) icon that corresponds to that object.
    3. For each object you decide to include in the application, revise the settings that you need to change.
      If you are deploying an application service to a device that resides in an Amazon or Azure cloud, you must type
      0.0.0.0/0
      for the
      Virtual Address
      . For both of these cloud environments, F5 recommends that you use an AWS or Azure load balancer in front of the device. The applications you plan to deploy on this device determine the required load balancer listener settings. Use the protocol and port appropriate for the template used to create this application.
      Use care when you configure a template to create objects that are used by other objects that are created in the same template. (For example, a template might create a service and a pool that the service uses.) If you name an object (you could name the pool Pool1 for example), and allow it to be edited, then when the application deploys, BIG-IQ looks for the name specified in the template; but, the person deploying the application service can edit that name to something else. Continuing the example, if the application deployer edits the pool name to something like
      MyPool1
      , the deployment would fail. It fails because the template creates a pool named
      Pool1
      , but the deployment ‘looks for’ a pool named
      MyPool1
      . To ensure successful application deployment, best practice is to leave editable objects in the template un-named so that the application deployer can use the name that best suits their need at the time.
  9. When you have configured the objects that you want to include in this application, click
    Create
    .
    BIG-IQ creates the application and deploys the application service to the target you specified.
When you to deploy an AS3 application service, BIG-IQ creates or updates the configuration objects defined by that service on the managed device you targeted. You can view these objects, as they perform their function as part of an application service, on the application services dashboard.
Before you can view these newly-deployed objects on the Configuration tab, you must rediscover and re-import services for each service impacted by the deployment. Keep in mind that objects deployed with AS3 are view-only on the Configuration tab. To make changes to these objects, you make changes to the AS3 application.

Create an application using a service catalog template

Before you can create and deploy an application service, you must have configured a service catalog template.
Creating a new application from a template allows you to start from the set of objects defined in the template, modify or add objects, and then deploy the application to your BIG-IP devices. As you create the application, you define at least one application service. The application services specify which of the template objects you want to include and revise the settings that need to be customized.
Your service catalog template must have an HTTP profile associated with its virtual server, or you will not be able to deploy it.
  1. At the top of the screen, click
    Applications
    then, on the left, click
    APPLICATIONS
    .
    The screen lists the applications currently defined on this device.
  2. Click
    Create
    .
    The Create Application Service screen opens.
  3. Decide whether you want to add a service to an existing application or to create a new application and application service.
    To add a service to a new application:
    1. For Grouping, select
      New Application
      .
    2. For
      Application Name
      , type a name for the new application.
    3. You can type a
      Description
      to identify the new application.
    To add a service to an existing application:
    1. For Grouping, select
      Part of an Existing Application
      .
    2. From
      Application Name
      , select the name of the application to which you want to add this application service.
    3. You can type a
      Description
      to identify the application.
  4. For Application Service Method, select
    Using Templates
    .
    The screen displays additional controls.
  5. For the
    Template Type
    , select the service catalog template you want to use to create this application from.
  6. For
    Name
    type a unique name for the application service.
  7. For the
    Environment
    field, identify where you want the application to deploy:
    Option
    Description
    Service Scaling Group
    From the
    Service Scaling Group
    field select the name of the service scaling group to which you want to deploy this application.
    BIG-IP
    1. From the
      BIG-IP
      field select the name of the device to which you want to deploy this application.
    2. To gather statistical data about the performance of this application on the device you deploy it to, select
      Collect HTTP Statistics
      .
      This option only supports applications managed by BIG-IP version 13.1.0.5 or later. If your template is intended for applications from multiple version of BIG-IP, you can manually enable HTTP statistic collection from the Application Properties configuration (
      Applications
      APPLICATIONS
      <Application Name>
      :
      Properties
      :
      CONFIGURATION
      ).
  8. Determine the objects that you want to deploy in this application.
    Required fields for the selected template are marked with a yellow border.
    1. To omit any of the objects defined in this template, click the (
      X
      ) icon that corresponds to that object.
    2. To create additional copies of any of the objects defined in this template, click the (
      +
      ) icon that corresponds to that object.
    3. For each object you decide to include in the application, revise the settings that you need to change.
      You can select a value for an object that you are creating in this application that is also created as part of this application. That is, if your service catalog template contains a pool member and a node, in most cases you want to use the node you are creating in the application for that pool member in the application. For example a template could define a pool
      MyPool1
      and a node
      45.54.45.54
      . To specify the application-created object, you select the value that is prefixed with a pound sign (#) when you select the value for that node. (That option would appear as
      #45.54.45.54
      in the example cited here.)
    4. If you have parameters for the servers required for this application saved in a comma separated values (CSV) file, click
      Load from CSV file
      , then navigate to the file, and click
      Open
      .
      The CSV file must list an IP address and a port for each server, and each server must be on it's own line. For example:
      1.1.1.1, 80 2.2.2.2, 443 3.3.3.3, 668 4.4.4.4, 22
  9. If this application includes a client-SSL profile, and the
    Ciphers
    are editable, there are three potential cipher settings you can configure. You can inherit the settings from the parent profile, you can specify a cipher of your own, or you can select a cipher group.
    • To inherit the cipher settings from the parent profile:
      1. For
        Ciphers
        , select
        Inherit
        .
      2. For
        Cipher Group Override as None
        , select
        Inherit
        .
      3. For
        Cipher Group
        , select
        Inherit
        .
    • To specify a cipher for this application:
      1. For
        Ciphers
        , select
        Other
        , and then type the cipher text in the adjacent field.
      2. For
        Cipher Group Override as None
        , select
        Other
        and
        None
        .
      3. For
        Cipher Group
        , select
        Inherit
        .
    • To specify a cipher group for this application:
      1. For
        Ciphers
        , select
        Other
        , and then leave the adjacent field blank.
      2. For
        Cipher Group Override as None
        , select
        Inherit
        .
      3. For
        Cipher Group
        , select
        Other
        , and then select the group from the adjacent list.
  10. When you have configured the objects that you want to include in this application, click
    Create
    .
    BIG-IQ creates the application and deploys the application service to the target you specified.

Create a legacy application using deployed virtual servers

Before you can create a legacy application service, you must deploy the virtual servers that host your application to a managed BIG-IP device.
Just as you must log in as Admin to deploy or configure virtual servers or their associated configuration objects, you must log in as Admin to deploy a legacy application service.
If you want to view statistical and analytic data for this application, you need:
  • at least one data collection device to this BIG-IQ system.
  • an analytics profile attached to the deployed virtual server application.
  • Application Visibility & Reporting (AVR) provisioned on the BIG-IP device on which the application resides must be provisioned.
  • statistics data collection enabled on the BIG-IP device on which the application resides.
  • devices on which the virtual servers are deployed must be at BIG-IP version 13.1.0 or higher.
For the most current and complete requirements detailing the prerequisites for viewing statistical and analytic data for a legacy application refer to the F5 Knowledge Base article K02142132.
An application that uses virtual servers that have already been deployed to your managed devices is referred to as a legacy application. When you create a legacy application, you are just creating a container that BIG-IQ uses to group these objects so you can monitor their performance just like you can monitor applications created using a template. You can view statistics and analytical data about the application performance without having to reconfigure or redeploy the virtual servers and specific configuration objects (pools, pool members, nodes, and some HTTP and TCP profiles) associated with them.
If you plan to use Analytics to monitor a legacy application, it is strongly recommended to configure the host virtual server to its own pool. If a legacy application's virtual server shares a pool with other virtual servers, this may affect certain data parameters that appear in your monitoring screens.
If you create a legacy application without statistical and analytics capability, you can still use the application to manage the pool members assigned to the application's virtual servers.
  1. At the top of the screen, click
    Applications
    then, on the left, click
    APPLICATIONS
    .
    The screen lists the applications currently defined on this device.
  2. Click
    Create
    .
    The Create Application Service screen opens.
  3. Decide whether you want to add a service to an existing application or to create a new application and application service.
    To add a service to a new application:
    1. For Grouping, select
      New Application
      .
    2. For
      Application Name
      , type a name for the new application.
    3. You can type a
      Description
      to identify the new application.
    To add a service to an existing application:
    1. For Grouping, select
      Part of an Existing Application
      .
    2. From
      Application Name
      , select the name of the application to which you want to add this application service.
    3. You can type a
      Description
      to identify the application.
  4. For Application Service Method, select
    Using Existing Device Configuration
    .
    The screen displays additional controls.
  5. Use
    Application Service Name
    to identify this application service.
  6. For the
    BIG-IP
    field, identify the BIG-IP device on which the virtual servers you want to include in this application service are deployed.
    The screen lists the virtual servers that reside on the device you selected.
  7. Use
    Application Service Type
    to identify whether this is an HTTP and TCP application or just a TCP application.
  8. For Virtual Servers, double click the name of each server that you want to include in this application service.
  9. When you finish selecting the virtual servers that you want to include in this application, click
    Create
    .
BIG-IQ adds the legacy application service to the Applications dashboard. If you satisfied the analytics prerequisites, you can monitor the application performance just like applications created using a template.
If you use the BIG-IQ to make and deploy changes to the virtual servers that comprise this legacy application service, or if you import changes made on the BIG-IP to these virtual servers, BIG-IQ automatically syncs the application service with those changes.

Assign a new user access to an application

If you want to authenticate users with an LDAP, RADIUS, or TACACS+ server, you must first configure that before adding a user.
When you create an application or an application service, BIG-IQ creates custom roles for them. To provide access to an application or application service, you assign users to these roles. Each application or application service has both a manager and a viewer role. The manager role is read-write; the viewer role is read only.
One situation in which you need to assign the Application Manager role is when you delegate permissions to deploy applications to a tenant that already has applications deployed to it. If the template assigned to this Application Creator specifies a tenant that has an application already deployed to it, then before that user can deploy additional applications to the tenant, they must have the Application Manager role for one of those deployed applications.
Because some roles have access only to certain areas or screens in the BIG-IQ user interface, it's important to communicate these constraints to the user. When you assign a role to a user, be sure you outline the responsibilities and restrictions for their role. Clarifying this helps avoid any potential confusion. Also note, these roles do not have access to the global search functionality: Network Security Manager, Network Security Edit, Network Security View, and Trust Discovery Import.
  1. At the top of the screen, click
    System
    .
  2. On the left, click
    USER MANAGEMENT
    Users
    .
  3. Click the
    Add
    button.
  4. From the
    Auth Provider
    list, select the authentication method you want to use for this user.
    A user must belong to an LDAP group or have an assigned BIG-IQ role, or authentication will fail.
  5. In the
    User Name
    field, type the name for this user.
  6. In the
    Password
    and
    Confirm Password
    fields, type the password for this new user.
    You can change the password any time.
  7. To associate this user with an existing user group, select the group from the
    User Groups
    list.
    You aren't required to associate a user group at this point; you can do that later if you want. If you want to associate another user group with this user, click
    +
    .
  8. For the
    Roles
    setting, from the
    Available
    list, select the roles to which you want to grant access, and move them to the
    Selected
    list.
    You can find the custom roles that BIG-IQ created for the new application by looking for the application, tenant name, and application service names in the list of roles.
    • The application role names uses the syntax: <application-name> Manager/Viewer.
    • The application service role names uses the syntax: <tennant-name_application-service-name> Manager/Viewer.
    For example, if you created an application named
    MyAwesomeApp
    and defined an application service for it named
    MyAwesomeService
    that uses a tenant named
    MyTennant
    , BIG-IQ would create four new custom roles.
    Role Name
    Access Permissions
    MyAwesomeApp Manager
    Read-write permissions for the application and "all" of it's application services.
    MyAwesomeApp Viewer
    Read-only permissions for the application and "all" of it's application services.
    MyTennant_MyAwesomeService Manager
    Read-write permissions for the application and "all" of it's application services.
    MyTennant_MyAwesomeApp Viewer
    Read-only permissions for the application and "all" of it's application services.
    Be sure to let your users know that their access to certain parts of the BIG-IQ user interface depends on which role they are assigned.
  9. Click the
    Save & Close
    button.
This user now has the privileges associated with the role(s) you selected and BIG-IQ will authenticate this user using the authentication method you have configured.
You can now tell this user how their BIG-IQ access aligns with their responsibilities. Make sure they understand they might not see every screen you or one of their peers does. Also let them know that if they try to log in more than 5 times in 5 minutes with the wrong user name and/or password, they might get the following error:
Maximum number of login attempts exceeded.
If that happens, the user must wait 5 minutes before trying to log back in.
If your BIG-IQ is in an HA pair, you must synchronize this change by refreshing the secondary BIG-IQ.

Assign an existing user access to an application

If you want to authenticate users with an LDAP, RADIUS, or TACACS+ server, you must first configure that before adding a user.
When you create an application or an application service, BIG-IQ creates custom roles for them. To provide access to an application or application service, you assign users to these roles. Each application or application service has both a manager and a viewer role. The manager role is read-write; the viewer role is read only.
One situation in which you need to assign the Application Manager role is when you delegate permissions to deploy applications to a tenant that already has applications deployed to it. If the template assigned to this Application Creator specifies a tenant that has an application already deployed to it, then before that user can deploy additional applications to the tenant, they must have the Application Manager role for one of those deployed applications.
Because some roles have access only to certain areas or screens in the BIG-IQ user interface, it's important to communicate these constraints to the user. When you assign a role to a user, be sure you outline the responsibilities and restrictions for their role. Clarifying this helps avoid any potential confusion. Also note, these roles do not have access to the global search functionality: Network Security Manager, Network Security Edit, Network Security View, and Trust Discovery Import.
  1. At the top of the screen, click
    System
    .
  2. On the left, click
    USER MANAGEMENT
    Users
    .
  3. For the
    Roles
    setting, from the
    Available
    list, select the roles to which you want to grant access, and move them to the
    Selected
    list.
    You can find the custom roles that BIG-IQ created for the new application by looking for the application, tenant name, and application service names in the list of roles.
    • The application role names uses the syntax: <application-name> Manager/Viewer.
    • The application service role names uses the syntax: <tennant-name_application-service-name> Manager/Viewer.
    For example, if you created an application named
    MyAwesomeApp
    and defined an application service for it named
    MyAwesomeService
    that uses a tenant named
    MyTennant
    , BIG-IQ would create four new custom roles.
    Role Name
    Access Permissions
    MyAwesomeApp Manager
    Read-write permissions for the application and "all" of it's application services.
    MyAwesomeApp Viewer
    Read-only permissions for the application and "all" of it's application services.
    MyTennant_MyAwesomeService Manager
    Read-write permissions for the application and "all" of it's application services.
    MyTennant_MyAwesomeApp Viewer
    Read-only permissions for the application and "all" of it's application services.
    Be sure to let your users know that their access to certain parts of the BIG-IQ user interface depends on which role they are assigned.
  4. Click the
    Save & Close
    button.
This user now has the privileges associated with the role(s) you selected and BIG-IQ will authenticate this user locally.
You can now tell this user how their BIG-IQ access aligns with their responsibilities. Make sure they understand they might not see every screen you or one of their peers does. Also let them know that if they try to log in more than 5 times in 5 minutes with the wrong user name and/or password, they might get the following error:
Maximum number of login attempts exceeded.
If that happens, the user must wait 5 minutes before trying to log back in.
If your BIG-IQ is in an HA pair, you must synchronize this change by refreshing the secondary BIG-IQ.

Review and edit an application service's Traffic Management services

Before you can review or revise an application, you must have created an application using a template with traffic management services.
You cannot use this work flow to make substantive changes to a legacy application (one that uses virtual servers previously deployed to a managed device). Except for enabling, disabling or forcing offline virtual servers, pools, or pool members, you make changes to legacy applications by editing the virtual server settings. Refer to
Managing Virtual Servers
in the
BIG-IQ Centralized Management: Local Traffic and Network Implementations
guide on
support.f5.com
.
An application service specifies a set of objects that are deployed to a BIG-IP device or to the devices in a service scaling group. It's a good idea to review an application after you deploy it to make sure that the application's traffic management services have precisely the right objects and parameter settings. If you find issues with the application service that you want to resolve, there are two ways to make changes:
  • If you discover minor issues (for example, you might decide you want to change the value for some of the existing objects in the application service, or maybe you want to change the state of a pool member), you can make direct edits to the application service as described here.
  • For more substantive changes (for example, if you find that there are objects you need to add or remove), you should make your changes by revising the template upon which the application service is based. For details, refer to
    Modify an application service
    on
    support.f5.com
    .
  1. At the top of the screen, click
    Applications
    then, on the left, click
    APPLICATIONS
    .
    The screen lists the applications currently defined on this device.
  2. Click the name of the application that you want to edit.
    BIG-IQ displays the Application dashboard for the selected application and lists the application services that comprise it.
  3. In the Application Configuration Map, under APPLICATION SERVICES, click
    Traffic Management
    .
  4. Click
    CONFIGURATION
    near the middle of the screen.
    The objects defined for this application for the service type you selected are listed.
  5. Click each of the object types (Virtual Server or Pool) defined in this application to review the settings.
    The right side of the configuration area displays an application map portraying the selected object type.
  6. To change a setting for a selected object, click
    Quick Edit
    and the object is defined as editable in the service catalog template, then revise the parameters that you want to change.
    If you have administrative access, you can make additional changes to the application template's settings. You can see the application template title when you click APPLICATION Properties at the center left of the screen (make sure you select the CONFIGURATION area). For more information about template configuration, see the section
    Managing Service Catalog Templates
    .
  7. When your edits are complete, click
    Save & Close
    .
    The system updates the application with the settings you specified.

Modifying a template-based application service

Before you can edit an application service, you must be assigned a role that has permissions to access the template that was used to deploy the application service.
If the application service you need to modify is deployed to a tenant to which other application services have been deployed, then you must be assigned a user role that has access permissions for every template that has been used to deploy application services to that tenant before you will be able to modify this application.
Modifying an application service changes the configuration objects deployed to your devices or service scaling group.
You cannot use this work flow to make substantive changes to a legacy application (one that uses virtual servers previously deployed to a managed device). Except for enabling, disabling or forcing offline virtual servers, pools, or pool members, you make changes to legacy applications by editing the virtual server settings. Refer to
Managing Virtual Servers
in the
BIG-IQ Centralized Management: Local Traffic and Network Implementations
guide on
support.f5.com
.
  1. At the top of the screen, click
    Applications
    then, on the left, click
    APPLICATIONS
    .
    The screen lists the applications currently defined on this device.
  2. Select the name of the application that you want to modify.
    BIG-IQ lists the application services defined for the selected application.
  3. Select the name of the application service that you want to modify.
  4. On the lower part of the screen, select the Configuration tab and make a note of the template listed next to
    Created from Template
    .
  5. Click
    Cancel
    then click
    Applications
    APPLICATION TEMPLATES
    to list the templates defined on this BIG-IQ system so you can select the check box for the template identified in the last step.
  6. Click
    More
    Clone
    , then type a name for the cloned template and click
    Clone
    again. The system creates a clone of the service template and then opens the new template so you can make changes.
  7. Determine the objects that you want to revise for this application, and then specify values for those objects.
  8. When you have configured the objects that you want to revise for this application, click
    Publish
    .
    BIG-IQ creates the new template and assigns it the read-only status of published, which makes it available to use to create an application.
  9. Click
    Applications
    then, on the left, click
    APPLICATIONS
    and select the name of the application you want to revise.
    BIG-IQ lists the application services defined for the selected application.
  10. Select the name of the application service that you want to modify.
  11. Click
    Switch to template
    ; then select the name of the template clone you just created.
    Objects that you did not revise when you created the clone are left unchanged and the list of editable objects for the cloned template are displayed.
  12. Revise the settings for the editable objects, and then click
    Save
    .
    The application service deploys with the changes you specified.

Move an application service

You can move an application service from one application to another so you can get your services organized the way you want them.
One potentially common scenario that requires moving or merging application services occurs when you use an API to create an AS3 application service. The AS3 API creates these services as components of an application named
Unknown Applications
. You can organize these API-created services (using the
Move
or
Merge
button) to organize these services into the application that works best for you.
  1. At the top of the screen, click
    Applications
    then, on the left, click
    APPLICATIONS
    .
    The screen lists the applications currently defined on this device.
  2. Select the name of the application that contains the application service(s) you want to move.
    BIG-IQ lists the application services defined for the selected application.
  3. Select the check box for the application service(s) that you want to move.
  4. Click
    Move
    .
    BIG-IQ displays the Move Application Services popup.
  5. For Grouping, decide where you want to move the application service.
    • To create a new application and move the application service into it,
      1. Click
        New Application
        .
      2. Type the
        Application Name
        for the new application.
    • To move the application service to another application:
      1. Click
        Part of an Existing Application
        .
      2. Type the
        Application Name
        to which you want it to move.
  6. If you are moving all of the application services from this application and you want to delete the empty application, click
    Remove applications without services
    .
  7. Click
    OK
    to move the application service(s).
    BIG-IQ moves the application services and (if you asked it to) deletes the empty application.

Merge applications

You can merge application services from multiple applications. You can either merge them into an existing application, or create a new application depending on what works best for you.
One potentially common scenario that requires moving or merging application services occurs when you use an API to create an AS3 application service. The AS3 API creates these services as components of an application named
Unknown Applications
. You can organize these API-created services (using the
Move
or
Merge
button) to organize these services into the application that works best for you.
You cannot merge or move an application service to an application created with a different template type. That is, a service catalog application service cannot be a part of an AS3 application, and vice versa. Further, a legacy application service cannot be part of an application created with either type of template.
  1. At the top of the screen, click
    Applications
    then, on the left, click
    APPLICATIONS
    .
    The screen lists the applications currently defined on this device.
  2. Select the names of the applications that you want to merge.
    BIG-IQ lists the application services defined for the selected application.
  3. Select the check box for the application service(s) that you want to move.
  4. Click
    Merge
    .
    BIG-IQ displays the Merge Applications popup.
  5. For Grouping, decide how you want to merge the applications.
    • To merge all of the application services into a new application:
      1. Click
        New Application
        .
      2. Type the
        Application Name
        for the new application.
    • To merge all of the application services into another application:
      1. Click
        Part of an Existing Application
        .
      2. Type the
        Application Name
        into which you want the application services to merge.
  6. If you want to delete the empty applications that result from the merge, click
    Remove applications without services
    .
  7. Click
    OK
    to merge the application service(s).
    BIG-IQ merges the applications and (if you asked it to) deletes the empty applications.