EN_8_BIG IP_HA_Support

myf5 edited this page Jan 29, 2022 · 1 revision

BIG-IP high availability configuration

Contributor: Lu RuiQiang @luruiqiang

In a production environment, BIG-IP high availability must be considered, which means that CES has to connect to a multi-instance BIG-IP AFM cluster. There are two ways to connect CES to the AFM cluster:

  1. Multi-CES mode. Each CES connects to the AFM instance that it manages, and each CES can deliver policies. The policy configuration is still a single configuration; it is delivered to each instance independently and automatically.

  2. Single CES mode. One CES connects to the floating IP of the AFM cluster and relies on the cluster's own automatic configuration synchronization. CES delivers the configuration to one of the AFMs, and that AFM automatically synchronizes it to the other AFMs.

Multi-CES mode configuration

  1. Download the installation script
wget https://raw.githubusercontent.com/f5devcentral/container-egress-service/master/dist/install.sh
  2. Before installing, edit the installation script to configure each CES controller. Following the installation section, set the IP address, user name, password, gateway address, etc. of the corresponding AFM.
# IP address of Big-IP server. CES pod will connect this IP.
BIGIP_URL=${BIGIP_URL:-192.168.50.254}        
# BigIP username
BIGIP_USERNAME=${BIGIP_USERNAME:-admin}       
# BigIP password
BIGIP_PASSWORD=${BIGIP_PASSWORD:-yourpassword} 

       gwPool:          
          serverAddresses:           
             - "10.5.0.254"

At the same time, you need to modify the CES deployment name to ensure that the deployment name of each CES is different:

CES_DEPLOMENT_NAME=${CES_DEPLOMENT_NAME:-ces-controller-1}

When the installation script is executed more than once, "resource already exists" prompts appear, because the shared resource objects were created the first time the script ran. You can ignore these prompts, or create the second CES controller manually, directly from the controller's Deployment resource.

  3. After deploying the policy, you can see that each AFM instance has been configured automatically:

    AFM-1

    AFM-2

    Because the two AFMs receive their configuration from two separate CES instances, you will see a prompt that the two AFMs need to be synchronized. This prompt can be ignored.

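The multi-CES steps above, as an added example (not code from the CES project): a wrapper that runs `install.sh` once per AFM with a distinct `CES_DEPLOMENT_NAME` and passes the connection settings through the environment, so the BIG-IP password is not written into the script file. It assumes the script keeps the `VAR=${VAR:-default}` assignments shown above and runs under bash; the AFM addresses are constructed sample values, `ces_plan`, `password_ok` and `install_all` are hypothetical helper names, and the `gwPool` addresses still have to be edited in the script itself.

```shell
#!/bin/sh
# Added example (not from the CES project): run install.sh once per AFM,
# passing settings through the environment. This works only because the
# script assigns them as VAR=${VAR:-default}, as shown on this page.

# Constructed sample inventory: one AFM management address per line.
AFM_HOSTS="192.168.50.251
192.168.50.252"

# Emit "deployment-name address" pairs with a unique name per controller.
ces_plan() {
  i=0
  printf '%s\n' "$1" | while IFS= read -r host; do
    [ -n "$host" ] || continue
    i=$((i + 1))
    printf 'ces-controller-%d %s\n' "$i" "$host"
  done
}

# Reject an empty password and the script's placeholder default.
password_ok() {
  case "$1" in
    '' | yourpassword) return 1 ;;
    *) return 0 ;;
  esac
}

# Run the installer for every planned controller. The password is taken from
# the caller's environment and is never written into the script file.
install_all() {
  script=$1
  password_ok "${BIGIP_PASSWORD:-}" || { echo "BIGIP_PASSWORD not set" >&2; return 1; }
  ces_plan "$AFM_HOSTS" | while read -r name host; do
    echo "installing $name -> $host" >&2
    # </dev/null keeps the installer from consuming the plan on stdin.
    BIGIP_URL=$host BIGIP_USERNAME=${BIGIP_USERNAME:-admin} \
      BIGIP_PASSWORD=$BIGIP_PASSWORD CES_DEPLOMENT_NAME=$name \
      bash "$script" </dev/null || exit 1
  done
}

# Typical use, after setting gwPool in install.sh (it is not an env variable):
#   stty -echo; read -r BIGIP_PASSWORD; stty echo
#   install_all ./install.sh
```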

Single CES mode

First, follow the F5 management manual to configure the BIG-IP dual-machine setup correctly and enable automatic configuration synchronization. CES delivers its configuration through the floating IP.

  1. Download the installation script
wget https://raw.githubusercontent.com/f5devcentral/container-egress-service/master/dist/install.sh
  2. Before installing, edit the installation script to configure the CES controller. Following the installation section, set the floating IP address, user name, password, and gateway address of the corresponding AFM.
# IP address of Big-IP server. CES pod will connect this IP.
BIGIP_URL=${BIGIP_URL:-192.168.50.254}        
# BigIP username
BIGIP_USERNAME=${BIGIP_USERNAME:-admin}       
# BigIP password
BIGIP_PASSWORD=${BIGIP_PASSWORD:-yourpassword} 

       gwPool:          
          serverAddresses:           
             - "10.5.0.254"

At the same time, you need to modify the CES deployment name:

CES_DEPLOMENT_NAME=${CES_DEPLOMENT_NAME:-ces-controller}
  3. In this mode, the active AFM instance receives the configuration delivered by CES, and the AFM itself synchronizes it automatically. The system shows the normal "In Sync" mark.

  4. The command that clears the configuration has the same effect as above.
  5. After an active/standby switchover of the AFM, delivering and clearing the configuration again shows the same effect.

Configuration comparison

  1. Multi-CES mode:

    The CES instances do not affect one another and manage their configurations independently. Because the configuration still originates from k8s itself, there is a single source of truth.

    The AFM system will show a prompt that the configuration needs to be synchronized. This prompt can be ignored during operation and maintenance.

    This is the recommended method.

  2. Single CES mode:

    It saves k8s system resources. However, the F5 administrator must configure automatic synchronization in advance. In a large-scale elastic environment, automatic synchronization between the AFM systems may be triggered frequently.

Next step

Application Scenario: Fine-grained SNAT Control with CES