Integrating with VMware NSX

Network requirements for communication with VMware cloud services

For proper communication, iWorkflow™ must have network access to the resources on which VMware software is installed. Before you can manage cloud resources, you must define a network route between the iWorkflow device’s VLAN and the management VLAN in the VMware environment.

Discovering devices located in the VMware cloud

After you license and perform the initial configuration for the iWorkflow™ system, you can discover BIG-IP® devices running supported versions.
Note: For the most current list of compatible versions, refer to the F5 iWorkflow compatibility matrix (K11198324) on support.f5.com.
For discovery to succeed, you must configure the iWorkflow system with a route to each F5 device that you want to manage. If you do not specify the required network communication route between the devices, then device discovery fails.

You must know the IP address that the iWorkflow device will use to access the BIG-IP device.

Discover a device by providing the iWorkflow™ system with the device's IP address, user name, and password.

  1. Log in to iWorkflow™ with the administrator user name and password.
  2. On the Devices header, click the + icon, and then select Discover Device.
    The Devices panel expands to show the New Device screen.
  3. In the IP Address field, type the device's IP address.
    The preferred address for discovering a BIG-IP device is its management IP address.
  4. If the iWorkflow system and the BIG-IP device are on different subnets, then you need to specify an IP route between them.
    • If the iWorkflow device and the BIG-IP device communicate using the management IP address, then use SSH to issue a route command.
      1. Use SSH to log in to the iWorkflow system's management IP address as the root user.
      2. Type the following command: route <route name> {gw <x.x.x.x> network default}
    • If the iWorkflow device and the BIG-IP device use something other than the management IP address to communicate, then use SSH to issue a tmsh route command.
      1. Use SSH to log in to the iWorkflow system's management IP address as the root user.
      2. Type the following command: tmsh create net route <route name> {gw <x.x.x.x> network default}
      Note: Where <route name> is a user-provided name to identify the new route, and <x.x.x.x> is the IP address of the default gateway for the internal network.
  5. In the User Name and Password fields, type the administrator user name and password for the managed device.
  6. For the Auto Update Framework setting, select the Update Automatically check box to direct the iWorkflow system to perform any required REST framework updates on the BIG-IP device.
    For the iWorkflow system to properly manage a BIG-IP device, the BIG-IP device must be running the most recent REST framework.
  7. Click the Add button.
The iWorkflow system populates the properties of the device that you added, displays the device in the Devices panel, and displays its configuration files in the Configuration panel.
To complete discovery of BIG-IP® devices and populate the Devices panel, provide the administrator user name and password when requested. You can then associate tenants with this resource.

About configuring the iWorkflow device for a VMware integration

The iWorkflow™ device facilitates the integration between VMware NSX and the BIG-IP® device or device cluster. The workflow for configuring this integration takes you back and forth between the two participants in this integration.

You can either integrate with a standalone BIG-IP virtual machine, or with a high availability (HA) cluster of BIG-IP virtual machines. The process for setting up the two configurations is nearly identical. Optional steps and settings to enable HA are noted where applicable.

You can ensure that the traffic management function is always available by configuring two BIG-IP systems in a high availability (HA) configuration. Any configuration change that occurs on one BIG-IP system is immediately synchronized with its peer devices. If one BIG-IP system in an HA configuration fails, a peer BIG-IP system takes over the traffic management.
Note: The maximum HA cluster size this iWorkflow release supports is two BIG-IP devices.

The BIG-IP HA cluster that you create with this process is a single failover group that uses the default traffic group and automatic sync. For a complete discussion of the significance of these details, refer to the BIG-IP® Device Service Clustering: Administration guide, which is available on http://support.f5.com/kb/en-us.html.

Task summary

Prepare the iWorkflow devices for NSX integration

To begin the process of preparing the iWorkflow™ device for integration, you set up one or more iWorkflow devices, create an NSX callback user and an NSX connector, and then create a new server image.

About activating a pool license

When you integrate with VMware NSX to create BIG-IP® VE virtual machines, you must activate a pool license to license the BIG-IP virtual machines that the iWorkflow™ software creates using the VMware NSX connector.

You can choose not to use a pool license and skip to discovering devices. If you make this choice, the iWorkflow device still creates BIG-IP VE systems, but you need to license them before they can be used.

You initiate the license activation process with a base registration key. The base registration key is a character string that the license server uses to verify the functionality that you are entitled to license. If the system has access to the internet, you select an option to automatically contact the F5 license server and activate the license. If the system is not connected to the internet, you must manually retrieve the activation key from a system that is connected to the internet, and then transfer it to the iWorkflow system.

Note: If you do not have a base registration key, contact your F5 Networks sales representative.

Automatically activating a pool license

You must have a base registration key before you can activate the license pool.
If the resources you are licensing are connected to the public internet, you can automatically activate the license pool.
  1. Log in to iWorkflow™ with the administrator user name and password.
  2. At the top of the screen, click Clouds and Services and then, on the Licenses header, click the + icon.
    The New License screen opens.
  3. In the License Name field, type the name you want to use to identify this license.
  4. In the Base Registration Key field, type or paste the iWorkflow registration key.
  5. In the Add-on Keys field, paste any additional license key you have.
  6. For the Activation Method setting, select Automatic.
    The End User Software License Agreement (EULA) displays.
  7. To accept, click the Accept button.
    The system reads your license key and adds the activated license to the License panel.

Manually activating a pool license

You must have a base registration key before you can activate the pool license.
If the iWorkflow™ Device you are licensing is not connected to the public internet, you can activate the pool license manually.
  1. Log in to iWorkflow™ with the administrator user name and password.
  2. At the top of the screen, click Clouds and Services and then, on the Licenses header, click the + icon.
    The New License screen opens.
  3. In the License Name field, type the name you want to use to identify this license.
  4. In the Base Registration Key field, type or paste the iWorkflow registration key.
  5. In the Add-on Keys field, paste any additional license key you have.
  6. For the Activation Method setting, select Manual and click the Get Dossier button.
    The iWorkflow system refreshes and displays the dossier in the Device Dossier field.
  7. Copy the text displayed in the Device Dossier field, and click the Click here to access F5 Licensing Server link.
    Alternatively, you can navigate to the F5 license activation portal at https://activate.f5.com/license/.
  8. Click Activate License.
    The Activate F5 Product page opens.
  9. Paste the dossier into the Enter your dossier field, and then click the Next button.
    After a pause, the license key text displays.
  10. Copy the license key.
  11. On the iWorkflow device, paste the license key into the License Text field.
  12. Click the Activate button.
    If the license does not display as activated in the Licenses panel after several minutes, click the arrow next to the license to contract the list, then click it again to expand. The screen should refresh and display the license as activated.

Creating an NSX callback user

You need to create a user credential that the iWorkflow™ system can use to communicate with the VMware NSX system.
  1. Log in to iWorkflow™ with the administrator user name and password.
  2. On the User header, click the + icon.
    The New User screen opens, displaying property fields for the new user.
  3. In the Username field, type the name of the user account that VMware NSX will use when it interacts with the iWorkflow system.
    The entry can contain a combination of letters, numbers, periods, and hyphens.
    Note: You need to recall this name when you configure the NSX.
  4. From the Auth Provider list, select Local.
  5. In the Full Name field, type a human-friendly name to identify the NSX account.
    The full name can contain a combination of symbols, letters, numbers and spaces.
  6. In the Password and Confirm Password fields, type the password for the callback user account.
  7. Click the Add button.

Creating a connection between iWorkflow and NSX Manager

To enable integration between a third-party cloud provider and iWorkflow™, you must configure a cloud connector. A cloud connector is a resource that identifies the local or virtual environment in which a tenant deploys applications and, when necessary, adds parameters required by third-party cloud providers.

For VMware NSX, iWorkflow also helps you manage VMware NSX load-balancing service insertion to BIG-IP® machines. Management tasks include discovering, creating, starting, and stopping VMware NSX application servers running in the private cloud. You can use this feature to accommodate seasonal traffic fluctuations by periodically adding and retracting devices and application servers as needed. Additionally, you can also provide tenants access to self-deployable iApps® through VMware integration.

Note: Only one VMware NSX connector is supported per VMware NSX environment. For information about the compatibility of iWorkflow with VMware NSX releases, see K11198324: F5 iWorkflow compatibility matrix at support.f5.com.
  1. Log in to iWorkflow™ with the administrator user name and password.
  2. On the Clouds header, click the + icon.
    The New Cloud screen opens.
  3. In the Name and Description fields, type a name and description.
    You can use the name and description to help you organize network resources into logical groups based on certain criteria, such as the location or application.
    Important: You will need to recall the name you assign to this connector so that you can select it when you are configuring the VMware user interface. The name you specify is used as the service definition name in the VMware user interface.
  4. From the Cloud Provider list, select VMware NSX.
    The screen displays additional settings specific to VMware NSX.
  5. In the VMware NSX Address field, type the IP address of the NSX server.
    The VMware IP address must be fully accessible from the iWorkflow device.
  6. For the VMware NSX Host Certificate SHA-512 Hash field, verify the SSL certificate hash of the host to avoid security threats.
    Note: Either manually enter or automatically retrieve the certificate hash. Run the command openssl x509 -noout -fingerprint -sha512 -in <path to certificate file> | tr -d ':' to verify with OpenSSL. If the iWorkflow certificate unexpectedly changes in the future, a warning displays and interactions with the host are prevented.
  7. In the VMware NSX User Name and VMware NSX Password fields, type the credentials that the iWorkflow device will use to authenticate to the NSX Manager.
  8. In the VMware vCenter Server Address field, type the IP address of the vCenter server.
  9. In the VMware vCenter Server User Name and VMware vCenter Server Password fields, type the credentials that the iWorkflow device will use to authenticate to vCenter.
  10. In the Device Provisioning area, from the Time Zone list, select your local time zone.
  11. In the NTP Servers fields, type the IP addresses of your Network Time Protocol (NTP) servers.
  12. In the DNS Servers field, type the IP address of your DNS server.
  13. In the DNS Suffix(s) field, type the name of your search domain.
    The DNS search domain list allows the iWorkflow system to resolve local host names through local domain lookups.
  14. In the Callback Settings area, from the iWorkflow Callback User Name list, select the user name that NSX Manager uses to authenticate to the iWorkflow system.
    Note: Select the user name you specified when you created an NSX callback user.
  15. In the iWorkflow Callback Password field, type the password that NSX Manager uses to authenticate to the iWorkflow REST system.
    Note: Specify the password you used when you created an NSX callback user.
  16. From the iWorkflow Callback Address list, select the IP address that this NSX Manager uses to access each iWorkflow device in the HA cluster.
    By default, the management IP address is used, but you can specify a self IP address if you choose.
  17. From the Licensing list, select the name of the license pool that you created for the NSX integration.
  18. Click the Save button.

As part of the connection creation process, the iWorkflow system takes the following actions:

  • Creates a new default tenant for the new connector.
  • Verifies connectivity to the NSX Manager and vCenter APIs, and registers the iWorkflow system as an NSX Partner Service provider.
  • Creates a callback user role that enables NSX to access the iWorkflow software resources necessary for interaction with the iWorkflow REST API.
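
The hash check in step 6, as an added example (not F5 or VMware code): the fingerprint is the SHA-512 digest of the certificate's DER encoding, so it can be computed from a certificate file obtained out of band and compared with the value shown in the VMware NSX Host Certificate SHA-512 Hash field. The function names, the optional `fetch_pem` helper, and the constructed sample bytes are assumptions of this example.

```python
import hashlib
import re
import ssl


def sha512_fingerprint(pem_text: str) -> str:
    """SHA-512 over the certificate's DER bytes, as uppercase hex with no
    separators: the form left once `openssl x509 -fingerprint -sha512`
    output has its colons removed and its 'Fingerprint=' prefix dropped."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    return hashlib.sha512(der).hexdigest().upper()


def normalize(value: str) -> str:
    """Reduce a pasted fingerprint to 128 uppercase hex digits.

    Accepts the raw openssl line, colon-separated pairs, or bare hex in
    either case, and rejects anything that is not a full SHA-512 value."""
    value = value.strip()
    if "=" in value:  # e.g. 'SHA512 Fingerprint=AB:CD:...'
        value = value.split("=", 1)[1]
    hex_only = re.sub(r"[:\s]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{128}", hex_only):
        raise ValueError("expected 128 hex digits for a SHA-512 fingerprint")
    return hex_only


def matches_pinned(pem_text: str, pinned: str) -> bool:
    """True when the certificate hashes to the pinned fingerprint."""
    return sha512_fingerprint(pem_text) == normalize(pinned)


def fetch_pem(host: str, port: int = 443) -> str:
    """Hypothetical helper: PEM of whatever certificate the host presents
    right now. No chain validation is done, so the result is only
    trustworthy once it matches a fingerprint obtained another way."""
    return ssl.get_server_certificate((host, port))


# Constructed placeholder bytes standing in for a certificate's DER
# encoding (not a parseable certificate); the hash only depends on bytes.
SAMPLE_DER = bytes(range(256)) * 2
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


if __name__ == "__main__":
    fp = sha512_fingerprint(SAMPLE_PEM)
    print("fingerprint:", fp)
    # The same value written the way openssl prints it before tr -d ':'
    colon_form = ":".join(fp[i:i + 2] for i in range(0, len(fp), 2))
    print("matches openssl-style line:",
          matches_pinned(SAMPLE_PEM, "SHA512 Fingerprint=" + colon_form))
    print("matches wrong value:", matches_pinned(SAMPLE_PEM, "0" * 128))
```

Automatic retrieval records whatever certificate answers at the NSX address at that moment; comparing it with a fingerprint computed from a certificate file you already trust confirms that the recorded value belongs to the intended host.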

Creating a new server image

Before you create a new server image, you must know the accessible location of an F5 BIG-IP® VE installation file. The accessible location must be either an HTTP URL or a vCenter datastore. These installation files use the .ovf file extension.
When VMware NSX creates a new server as part of the iWorkflow™ and VMware NSX integration, it uses the server image file you specify as the template.
  1. In the iWorkflow system Clouds panel, hover over the connector you created previously, click the gear icon, and then select Properties.
    The properties screen for that connector opens.
  2. Scroll down to Server Images, and click New.
    The New Server Image screen opens.
  3. In the Machine Image Name field, type a name for the server image.
    It is helpful if the image name identifies the version of the BIG-IP software you are using.
  4. In the OVF URL field, specify the accessible location of an F5 BIG-IP VE installation file.
  5. Click the Save button.
    This saves the settings for the new device image.
  6. Click the Save button.
    This saves the settings for the connector.

Prepare VMware NSX for integration

After you finish preparing the iWorkflow™ device for integration, there are a couple of tasks to perform in the VMware NSX environment to complete the integration. You need to create an NSX Edge Service Gateway and enable a load balancing service for it.

Creating an NSX Edge Services Gateway

The NSX Edge Service Gateway establishes the network within which network services such as firewall, NAT, and load balancing are deployed. To integrate a BIG-IP® device with NSX, you must create at least one Edge Service Gateway.

Important: You perform the following task using the vSphere Web Client user interface. At time of release, these steps accurately describe the VMware user interface. For the most current instructions for performing these steps, refer to the VMware web site http://pubs.vmware.com/.
In the vSphere web client user interface, create a new NSX Edge.
Important: When you are configuring the Edge Services Gateway, make sure to observe the following:
  • Choose to create the gateway in undeployed mode.
  • For Tenant, enter a tenant ID.
    • iWorkflow uses an existing iWorkflow tenant name matching your tenant ID. If no matching tenant exists, iWorkflow creates a new tenant from this ID.
    • If you do not enter a tenant ID, NSX Edge and iWorkflow use an existing default tenant created when you created the NSX cloud connector.
  • If you are configuring an HA cluster of BIG-IP virtual machines, select Enable High Availability, otherwise leave it cleared.
  • Choose the X-Large Appliance size.
  • Make sure that the NSX Edge you create identifies the Cluster/Resource Pool and the Datastore, but does not identify any interfaces. Otherwise, follow your standard practice for NSX Edge creation.
When you finish editing an Edge, it appears in the list under NSX Edges.

Enabling a service for the Edge

You must provision IP pools and port groups before you enable an Edge load balancer.

If you are configuring an HA cluster of BIG-IP® virtual machines for two-arm deployments, you need to configure four vNICs (1 for management, 2 for data, and 1 for HA). For one-arm deployments, you need three vNICs (management, data, and HA). If you are not using HA, you can use one less vNIC in each case.

Important: You perform the following step using the vSphere Web Client user interface. At time of release, these steps accurately describe the VMware user interface. For the most current instructions for performing these steps, refer to the VMware web site http://pubs.vmware.com/.
  1. In the vSphere web client user interface, select the NSX Edge you just created.
  2. On the Manage tab for the selected Edge, select the Load Balancer tab and click Edit.
    The Edit Load balancer global configuration screen opens.
  3. Select Enable Load Balancer and Enable Service Insertion.
    Additional options are enabled, so that you can specify additional details.
  4. For the Service Definition, select the iWorkflow connector that you created previously.
  5. For the Service Configuration, select F5 ADC-Provision dedicated BIG-IP VE(s).
  6. For the Deployment Specification, select the BIG-IP system server image you created previously.
  7. Specify the configuration details for the Runtime NICs that you expect NSX to use as load balancers.
    Note: The connectivity types you specify depend on whether you are configuring an HA cluster. For HA, you configure 1 management vNIC, 1 HA vNIC, and 1 or 2 data vNICs. For standalone, you configure 1 management vNIC and 1 - 3 data vNICs.
    1. Configure vnic0.
      • For the Connected To setting, use the management port group you created as a prerequisite.
      • For Connectivity type, use Management.
      • For the Primary IP Allocation Mode, use IP Pool.
      • For the IP Pool, use the management pool you created as a prerequisite.
    2. Configure vnic1.
      • For the Connected To setting, use the external port group you created as a prerequisite.
      • For Connectivity type, use Data.
      • For the Primary IP Allocation Mode, use IP Pool.
      • For the IP Pool, use the external pool you created as a prerequisite.
    3. Configure vnic2.
      • For the Connected To setting, use the internal port group you created as a prerequisite.
      • For the Connectivity type, use Data.
      • For the Primary IP Allocation Mode, use IP Pool.
      • For the IP Pool, use the internal pool you created as a prerequisite.
    4. Configure vnic3.
      • For the Connected To setting, use the HA port group you created as a prerequisite.
      • For Connectivity type, use HA if you are configuring an HA cluster of BIG-IP virtual machines, otherwise use Data.
      • For the Primary IP Allocation Mode, use IP Pool.
      • For the IP Pool, use the HA pool you created as a prerequisite.
  8. On the Edit Load balancer global configuration screen, select the Typed Attributes tab.
  9. For the Fully qualified host name of BIG-IP VE? value, type a host name for the BIG-IP VEs that the NSX Edge will create.

The NSX Edge creates two new runtimes. These runtimes create BIG-IP virtual machines based on the specifications you provided. These virtual machines will be managed by the iWorkflow™ system as an HA cluster.

When iWorkflow discovers the virtual machines, it adds an entry for each BIG-IP virtual machine to the iWorkflow user interface in the Activities panel under Clouds and Services.

Prepare the new BIG-IP devices for integration

After the VMware NSX integration adds the BIG-IP® virtual edition instances into the high availability cluster, there are a couple of tasks to perform on the BIG-IP device environment to complete the integration. If the devices are configured in an HA cluster, you only perform these tasks on one device, after which the configuration is replicated on the other cluster members using Config sync.

Exporting an iApps Template

Before exporting an iApps® Template, make sure to discover a BIG-IP® device or guest in your network by its IP address.
You export an iApps Template on a BIG-IP system in order to continue the discovery process before importing an iApps Template to iWorkflow™.
  1. Log in to a BIG-IP system with your username and password.
  2. On the Main tab, click iApps > Templates.
    The Templates list screen opens.
  3. In the template list Name column, click f5.http.
    The template properties screen opens.
  4. Scroll to the bottom of the screen and click Export.
  5. On the Export Templates and Scripts screen, for the Archive File setting, click Download:<file name> and save the file locally.
  6. With a text editor, open the file you just downloaded. The default file name is template.tmpl.
  7. Search for the template value within the iApps file; this is typically found toward the top of the file.
    Example of the template value for f5.http.iApp: sys application template /Common/f5.http.
  8. Update the version details in compliance with the iWorkflow requirements.
    The version numbers are arbitrary, but must increment in ascending order for iWorkflow to automatically import updates. Use this format for an iApps file: name.v#.#.# or name_v#.#.#, where name is the file name and v#.#.# is the version number. Example using f5.http: sys application template /Common/f5.http.v1.0.0.
  9. Click Save.

Importing an iApps Template

Before you can import an iApps® Template to integrate a BIG-IP® device with NSX, you must create at least one Edge Service Gateway.
You manually import an iApps Template to the iWorkflow™ system. iApps Templates create configuration-specific forms used by application services to guide authorized users through complex system configurations.
Important: If you make a modification to an iApps template, the version number in the file must change, but the file name can remain the same. A best practice is to include the version number in the file. The version numbers are arbitrary, but must increment in ascending order for iWorkflow to automatically import updates. Use this format for an iApps file: name.v#.#.# or name_v#.#.#, where name is the file name and v#.#.# is the version number.
  1. Log in to iWorkflow with your administrator user name and password.
  2. At the top of the screen, click Clouds and Services.
  3. On the iApps Templates header, click the + icon.
    The panel expands to display the New iApps Template.
  4. For the Template Source setting, either import a template from a local file, or copy and paste the template content:
    • To select a file to import, click Choose File.
    • To paste template content that you have, first, from the list select Input template contents, and then paste the contents of the template in the text box.
  5. In the Template JSON setting, either select a BIG-IP device to use, or paste JSON content.
    • Use an existing BIG-IP device:
      1. Leave the first list setting as Retrieve JSON from BIG-IP.
      2. From the second drop-down list, click Select and select a managed BIG-IP device to use to retrieve the JSON representation.
    • Provide custom JSON from a local file:
      1. From the first drop-down list, select Provide JSON.
      2. Then click Choose File to import a file.
    • Provide custom JSON directly:
      1. From the first drop-down list, select Provide JSON.
      2. Then from the second drop-down list, select Input JSON.
      3. In the text box, paste the contents of a template.
  6. Optional: In the Minimum BIG-IP Version field, type the earliest version of BIG-IP software that is supported for deployment with the iApps Template.
  7. Optional: In the Maximum BIG-IP Version field, type the latest version of BIG-IP software that is supported for deployment with the iApps Template.
  8. Optional: In the Excluded BIG-IP Versions field, click the + icon to type each individual BIG-IP version you want to exclude.
    Click the x icon to remove a version.
  9. Click Save.
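
The versioning rule from the export and import tasks above, as an added example (not part of the F5 tooling): it renames the template declaration in an exported file to the name.v#.#.# form and refuses a version that is not strictly greater than the one already in use. The function names and sample text are constructed for illustration, and comparing the three fields as integers is this example's assumption about how ascending order is judged.

```python
import re

# The declaration line of an exported template, for example:
#   sys application template /Common/f5.http
DECL_RE = re.compile(r"^(\s*sys application template\s+)(\S+)", re.MULTILINE)
# name.v#.#.# or name_v#.#.#
VERSIONED_RE = re.compile(r"^(?P<base>.+?)[._]v(?P<ver>\d+\.\d+\.\d+)$")


def template_name(tmpl_text: str) -> str:
    """Return the template value from the declaration line."""
    m = DECL_RE.search(tmpl_text)
    if m is None:
        raise ValueError("no 'sys application template' line found")
    return m.group(2)


def split_version(name: str):
    """Split 'base.v1.2.3' or 'base_v1.2.3' into (base, (1, 2, 3)).

    An unversioned name is returned as (name, None)."""
    m = VERSIONED_RE.match(name)
    if m is None:
        return name, None
    return m.group("base"), tuple(int(p) for p in m.group("ver").split("."))


def set_version(tmpl_text: str, new_version, previous=None) -> str:
    """Rewrite the declaration with new_version (a 3-tuple of ints).

    Raises ValueError unless new_version is strictly greater than both the
    version already in the file and `previous` (the version last imported,
    if the caller knows it)."""
    base, current = split_version(template_name(tmpl_text))
    floor = max((v for v in (current, previous) if v is not None),
                default=None)
    new_version = tuple(new_version)
    if floor is not None and new_version <= floor:
        raise ValueError("version %r does not increase on %r"
                         % (new_version, floor))
    new_name = "%s.v%d.%d.%d" % ((base,) + new_version)
    return DECL_RE.sub(lambda m: m.group(1) + new_name, tmpl_text, count=1)


# Constructed stand-in for the top of an exported template file; only the
# declaration line matters here.
SAMPLE_TMPL = """\
sys application template /Common/f5.http {
    # template body omitted in this constructed sample
}
"""

if __name__ == "__main__":
    first = set_version(SAMPLE_TMPL, (1, 0, 0))
    print(template_name(first))
    # Integer comparison: 1.10.0 follows 1.9.0, although the string
    # "1.10.0" sorts before "1.9.0".
    later = set_version(first, (1, 10, 0), previous=(1, 9, 0))
    print(template_name(later))
    try:
        set_version(later, (1, 9, 5))
    except ValueError as exc:
        print("rejected:", exc)
```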

Creating a customized service template

Before you can customize the application template for the NSX integration, you must upload the template to the managed device and then wait for it to be exported to the managing iWorkflow™ device.

You customize an iApps® Template, specifying which parameters to display, and which are tenant-editable. Once deployed, these parameters are available in the NSX user interface.

Note: Once you have deployed a service using a template, the template cannot be modified until the associated services are removed. Alternatively, you can create a new template based on the template already in use.
  1. Log in to iWorkflow™ with your administrator user name and password.
  2. At the top of the screen, click Clouds and Services.
  3. On the Service Templates header, click the + icon.
    The panel expands to display the New L4-L7 Service Template.
  4. In the Name field, type a name for a new L4-L7 Service template.
  5. For the Input Parameters setting, select All Options to view all of the parameters for the template you select.
  6. From the Cloud list, select the name of a cloud template previously created.
  7. From the Base Template list, select the iApps or Service Template that meets your requirements.
    The options and values defined in this template will be inherited by the new Service Template.
  8. In the Service Tier Information area, define variable names in the drop-down lists.
    Examples of variable names that are known to work with the f5.http iApps Template:
    • Name: base_template
    • Virtual Address: pool_addr
    • Virtual Port: pool_port
    • Pool: pool_members
    • Server Address: addr
    • Server Port: port
    • SSL Cert: ssl_cert
    • SSL Key: ssl_key
  9. In the area that displays each of the variable names, either type a Default Value, or select the Tenant Editable check box to define each variable name. The exception is Name, which is not defined in the iApps Template.
    Note: Wrong values can cause issues with deployments as VMware NSX tries to set variable names that are not defined in the Service Template.
  10. Click Save to save the template.
    The values set as Tenant Editable are now part of the defined Common Options for the newly created Service Template.
You can now use this connector to complete the NSX integration.

Complete the NSX integration

After you finish preparing the BIG-IP® devices for integration, there are a couple of tasks to perform in the BIG-IP device environment to complete the integration. Because the devices are configured in an HA cluster, you only perform these tasks on one device, after which the configuration is replicated on the other cluster members using Config sync.

Configuring a pool of virtual machines to handle data plane traffic

Before you can create a pool of virtual machines, you must allow NSX integration to create the virtual machines. You also must create and configure the web servers for which the virtual machines will manage traffic.
The web server pool services the data plane traffic generated by your applications.
Use the VMware NSX user interface to create a web server pool.
Populate the pool using the previously created web servers.
Note: This task is performed entirely within the VMware NSX user interface. Refer to the appropriate VMware documentation for details on how to create a web server pool.

Configuring the NSX virtual server

The virtual server you create here resides on the BIG-IP® virtual machine created by the NSX integration.
  1. Log in to vSphere Web Client with your administrator username and password.
    Note: This task is performed entirely within the VMware NSX user interface. Refer to the appropriate VMware documentation for details on how to create a web server pool.
  2. In the Navigator, click Networking & Security.
  3. In the Navigator, click NSX Edges.
  4. Double-click the name of the NSX Edge for which you defined a server pool previously.
  5. Click the Manage tab, then click the Load Balancer tab, then click Virtual Servers.
  6. On the New Virtual Server General tab, from the Application Profile list, choose the name of the custom application template you created on the iWorkflow system.
    The settings that can be specified on the Advanced tab are now determined by the parameters marked Tenant Editable in the application template.
  7. For the IP Address, click IP Pool, and then select the external pool you created earlier to handle data plane traffic.
  8. In the Name field, specify a name to identify this virtual server.
  9. From the Default Pool list, select the just-created web server pool.
  10. If you want to revise any of the tenant editable values, click the Advanced tab and make your changes.
  11. Click OK to finish creating the new virtual server.
    VMware NSX creates the new server.
The new server status is indicated by the Service Profile Status. If the status is other than In Service, you can get more information under Detailed Status, or even more information by viewing the new server on the iWorkflow™ device.