F5 Platform Modernization with Synchronized HA-Pairs

Modernizing F5 BIG-IP Hardware with Ansible Automation

Key Concepts:

• Ansible Automation Platform: An automation engine used for configuration management, application deployment, task automation, and IT orchestration.
• BIG-IP: F5’s Application Delivery Controller (ADC) hardware and software solution.
• VCMP (Virtual Cluster Multiprocessing): A clustering technology used on Viprian chassis to provide high availability and scalability.
• UCS (Unified Configuration System): F5’s configuration file format.
• F5OS: F5’s operating system for BIG-IP devices.
• Tenant OSS: A specific operating system version within F5OS, allowing for isolated environments.
• HA (High Availability): A system design to ensure continuous operation in case of failures.
• Execution Engine: A temporary environment within Ansible used to execute tasks and restore configurations.
• Provision State: The status of a device within the F5 system (e.g., deployed, provisioned).

1. Migration Overview & Environment Details

This demonstration showcases the use of Ansible to modernize F5 BIG-IP hardware, specifically migrating from a Viprian chassis-based deployment to a modern R-series chassis deployment, while simultaneously upgrading the BIG-IP operating system. The source environment consists of an HA pair of BIG-IP instances running version 15.1.10.4 on a Viprian chassis with B2250 blades. The destination environment utilizes separate R5800 chassis running F5OS 1.8.x and 17.5.1.2 tenant OSS. The migration process is platform-agnostic; it can handle source platforms including Viprian, iSeries Viprian, or even virtual instances.

2. Pre-Migration Environment Verification

Prior to automation, the demonstration verifies the state of both the source and destination environments.

• Destination (R-Series): The R-series devices have the target 17.5.1.2 tenant image pre-loaded. VLANs are pre-created and associated with interfaces, although the Ansible code can create VLANs if they are missing, but will not associate them to interfaces.
• Source (Viprian): The Viprian chassis is fully populated with blades, each hosting a BIG-IP instance. VLANs are pre-associated to the instances and trunked through the Viprian chassis using VCMP instances. Each instance runs 15.1.10.4 on a separate blade, maintaining HA synchronization with its own self IP and associated VLANs.
• Application Verification: The source environment hosts 10 tenants, each with 50 applications, all running as expected with correct self IPs and management addresses.

3. Ansible Automation Platform Setup & Playbooks

The migration is orchestrated using the Ansible Automation Platform, connected to a GitHub repository containing the automation code. Three distinct playbooks are utilized, each representing a specific stage of the migration:

• Playbook 1: Backup & Copy: Responsible for backing up the source BIG-IP configuration.
• Playbook 2: Standby Migration: Migrates the standby BIG-IP instance to the first R-series chassis.
• Playbook 3: Active Migration & Failover: Fails over to the migrated standby, then migrates the original active instance to the second R-series chassis.

Inventory within Ansible is structured with groups like “HA Pair Source” and “HA Destination Chassis” to correctly associate source and destination devices.

4. Playbook 1: Backup & Copy – Detailed Process

This playbook performs the following actions on both source BIG-IP instances:

1. Master Key Backup: Backs up the master keys required for the migration.
2. Crypto Key Setup: Sets up encrypted crypto keys.
3. UCS Backup: Creates a UCS backup of the entire BIG-IP configuration.
4. Inventory Collection: Gathers VLAN information and other relevant data.
5. Backup Storage: Stores all backed-up data (UCS files, master keys, inventory) on a designated backup server.

This playbook prepares the environment for the actual migration by securing the existing configuration and gathering necessary information. It then shuts down the standby device to initiate the migration process.

5. Playbook 2: Standby Migration – Detailed Process

This playbook focuses on migrating the standby BIG-IP instance:

1. File Fetching: Fetches the previously backed-up files from the execution engine.
2. Standby Device Validation: Validates that the source standby device is offline (achieved by setting its provision state to "provisioned" on the VCMP instance).
3. Tenant Creation: Creates a new F5OS tenant on the first R-series chassis.
4. Configuration Restoration: Restores the backed-up configuration to the new tenant, including:
   • Management IP addresses
   • Pre-associated VLANs
   • Master Key restoration
   • Crypto Key setup
   • UCS file upload and restoration using the migrate command.
5. OS Upgrade: The migrate command simultaneously upgrades the BIG-IP operating system from 15.1 to 17.5.
6. Validation & Pause: Pauses for 5 minutes to allow the new instance to spin up and then validates functionality and failover status.

The entire process for the standby migration took 15 minutes and 14 seconds. Post-migration, the instance is in a standby state, but functional with all configurations intact, despite the OS mismatch with the original device.

6. Playbook 3: Active Migration & Failover – Detailed Process

This playbook completes the migration by failing over to the migrated standby and migrating the active instance:

1. File Fetching: Fetches the backed-up files from the execution engine.
2. HA Failover: Triggers an HA failover, promoting the newly migrated standby instance on the R-series to the active role.
3. Source Standby Shutdown: Shuts down the original standby instance on the Viprian chassis.
4. Second Tenant Creation: Creates a second F5OS tenant on the remaining R-series chassis.
5. Configuration Restoration (Repeat): Repeats the configuration restoration process from Playbook 2 on the second R-series chassis, restoring the active instance’s configuration.
6. Synchronization: Initiates a synchronization process between the two R-series instances to ensure configuration consistency.

The entire process for the active migration and failover took 15 minutes and 28 seconds.

7. Post-Migration Verification & Results

Following the completion of all three playbooks, the environment is verified:

• Synchronization: Both R-series instances are fully synchronized.
• Cluster Feature Removal: The cluster feature is no longer present, indicating a standalone deployment on the R-series chassis.
• Total Automation Time: The entire migration process, including backups, migration of both instances, and failover, was completed in 35 minutes and 21 seconds.

8. Code Availability

The automation code used in this demonstration is available on a Git repository for users to fork, expand, and adapt to their own environments.

Notable Quote:

“With Ansible automation platform we have the ability to migrate from legacy hardware to modern hardware while doing upgrades at the same time.” – Demonstrator.

This demonstration highlights the power of Ansible to streamline and accelerate the modernization of F5 BIG-IP infrastructure, reducing manual effort and minimizing downtime.