Manual Chapter : Integrating VMware

Applies To:

BIG-IQ Device

  • 4.4.0

Overview: VMware integration

There are three VMware products that you can integrate with BIG-IQ software.

  • For VMware NSX version 6.1 (only), BIG-IQ Cloud provides you with the tools to manage VMware resources required to run applications. Management tasks include discovering, creating, starting, and stopping BIG-IP VE devices running in the private cloud. You can use this feature to accommodate seasonal traffic fluctuations by periodically adding and retracting devices and application servers as needed. Additionally, you can provide tenants access to self-deployable iApps through VMware integration.
  • For vCloud Director versions 1.5 and 5.1, the BIG-IQ software integration makes it possible for you to use the VCD interface with your cloud applications to manage the F5 cloud applications.
  • For VMware vShield version 5.1 and 5.5 (also known as VCNS version 5.5), and VMware NSX 6.0, the BIG-IQ software integration provides you with the tools to provide tenants access to self-deployable iApps.

To provide access to these services for VMware tenants, you configure communication between VMware products and BIG-IQ Cloud. Then you associate a VMware cloud connector with a device, and create a catalog entry for a corresponding VMware service profile. The tenants to whom you give access to the catalog entry see it in their applications panel. From there, they can use it to self-deploy their own iApps.

Network requirements for communication with VMware cloud services

For proper communication, BIG-IQ Cloud must have network access to the resources on which VMware software is installed. Before you can manage cloud resources, you must define a network route between the BIG-IQ Cloud device’s internal VLAN and the management VLAN on the VMware system.

Integrating VMware with your cloud applications

Integrating VMware with your cloud applications makes it possible for you to use the VMware interface to manage your F5 cloud applications.

  1. Authenticate with the F5 Cloud REST API.
    Tip: Refer to Authentication with the F5 REST API in the BIG-IQ Cloud Overview chapter of this guide for information about authentication strategies.
    Tip: Refer to the BIG-IQ Cloud Service API Reference Guide for details about using the APIs required for this task.
  2. Discover at least one BIG-IP system using the Add a managed device API (/mgmt/cm/cloud/managed-devices POST).
  3. Create a catalog of BIG-IQ Cloud applications to publish into the VMware vendor template using the Create provider iApp template API (/mgmt/cm/cloud/provider/templates/iapp POST).
  4. Create new tenants for VMware using the Create tenant API (/mgmt/cm/cloud/tenant POST).
  5. Create a VMware cloud connector using the Create VMware connection API (/mgmt/cm/cloud/connectors/vmware POST), specifying the IP address and appropriate credentials. The applications you included when you created the VMware vendor template are published to the VMware interface.
The tenants that you created and connected to VMware can now use the VMware interface to create applications. Fields that are tenant-editable are displayed in the VMware user interface.

Associating a VMware cloud connector with a device

To enable integration between a third-party cloud provider and the BIG-IQ device, you must configure a cloud connector. A cloud connector is a resource that identifies the local or virtual environment in which a tenant deploys applications and, when necessary, adds parameters required by third-party cloud providers.
  1. Hover over the Connectors header and click the + icon when it appears.
  2. In the Name and Description fields, type a name and description. You can use the name and description to help you organize network resources into logical groups based on certain criteria, such as the location or application.
  3. From the Cloud Provider list, select VMware Networking.
  4. From the Devices list, select the device you want to associate with this connector.
  5. To select additional devices to associate with this connector, click the + icon at the right of the list. BIG-IQ system discovers application servers associated with this connector, and populates them in the Server panel. If the system discovers F5 devices, it populates the Device panel with them.
  6. In the VMware Networking Address field, type the IP address of the VMware system. The VMware IP address must be fully accessible from the BIG-IQ device's internal VLAN.
  7. In the VMware Networking User Name and VMware Networking Password fields, type the credentials for the VMware administrator.
  8. From the BIG-IQ User Name list, select the BIG-IQ user the VMware administrator should contact and, in the BIG-IQ Password field, type the password for that user.
  9. Click the Save button.

How vShield Manager processes tenant-editable values

There are a few complexities to be aware of when you create a service profile in the vShield interface to access the applications in your template.

Tenant Editable Field: Action

  • Tenant Name: Make a note of the tenant name you created. You need to enter it in the vShield interface. If you choose an incorrect tenant name or leave the tenant name blank, the VSM create service profile task fails.
  • Pool members: Enter values in the Service Attributes portion of the VSM interface.
  • Virtual IP addresses: Enter values in the Service Attributes portion of the VSM interface.
  • Tabular data: There is additional complexity for API values represented in a table. Editable table columns appear in the VSM interface as an entry in the list of Vendor Attributes. To specify multiple values for an entry, you enter them in a comma-delimited list. Consider the following example.
    {
      "name": "pool__members",
      "columns": [
        { "name": "addr", "isRequired": false, "providerType": "NODE" },
        { "name": "port", "isRequired": true },
        { "name": "port_secure", "isRequired": true },
        { "name": "connection_limit", "isRequired": true, "provider": "10000" },
        { "name": "ratio", "isRequired": true, "provider": "1" },
        { "name": "priority", "isRequired": true, "provider": "0" }
      ],
      "serverTier": "default"
    }

For the table represented in this example, there are two editable columns, port and port_secure. In the VSM interface there are Vendor Attributes rows to represent these values. The port appears as pool__members.port and the secure port entry appears as pool__members.port_secure. Enter values for these in a comma-delimited list (for example, pool__members.port_secure 443, 444).
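The mapping from table columns to Vendor Attributes rows can be checked before anything is typed into VSM. The following is an added example, not F5 or VMware code. It assumes that a column is tenant-editable when it carries neither a "provider" value nor a "providerType" (inferred from the example above), and that the Nth value in each comma-delimited list belongs to the same table row.

```python
import json

# Table definition copied from the example above.
TABLE = json.loads("""
{ "name": "pool__members",
  "columns": [
    { "name": "addr", "isRequired": false, "providerType": "NODE" },
    { "name": "port", "isRequired": true },
    { "name": "port_secure", "isRequired": true },
    { "name": "connection_limit", "isRequired": true, "provider": "10000" },
    { "name": "ratio", "isRequired": true, "provider": "1" },
    { "name": "priority", "isRequired": true, "provider": "0" } ],
  "serverTier": "default" }
""")


def editable_columns(table):
    """Columns the tenant fills in.

    Assumption inferred from the example: a column is tenant-editable when
    the provider has set neither "provider" nor "providerType" for it.
    """
    return [c["name"] for c in table["columns"]
            if "provider" not in c and "providerType" not in c]


def vendor_attribute_names(table):
    """Vendor Attributes row names, in the <table>.<column> form shown in VSM."""
    return [f'{table["name"]}.{col}' for col in editable_columns(table)]


def parse_vendor_attributes(table, entered):
    """Split each comma-delimited entry and check the lists before submission.

    entered maps a Vendor Attributes row name to the text typed for it.
    Returns {column: [values]}; raises ValueError on the first problem found.
    """
    expected = vendor_attribute_names(table)
    unknown = sorted(set(entered) - set(expected))
    if unknown:
        raise ValueError(f"not a tenant-editable attribute: {unknown}")
    required = {c["name"] for c in table["columns"] if c.get("isRequired")}
    values = {}
    for attr in expected:
        col = attr.split(".", 1)[1]
        items = [v.strip() for v in entered.get(attr, "").split(",") if v.strip()]
        if col in required and not items:
            raise ValueError(f"{attr} is required but has no value")
        values[col] = items
    # Assumption: position N in every list describes the same table row,
    # so all lists must have the same length.
    if len({len(v) for v in values.values()}) > 1:
        raise ValueError(f"value lists differ in length: {values}")
    return values
```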

About VMware NSX version 6.1 integration

The tasks you perform to set up and configure BIG-IQ devices to manage BIG-IP system traffic in a VMware NSX version 6.1 network use both the BIG-IQ software user interface and the VMware NSX user interface. There is also a task for which you can have greater control and flexibility using a REST API call to the NSX API. This optional task is included at the end of the task sequence.

In most production environments, data plane and control plane traffic are segregated for security reasons. To accommodate this requirement, traffic management functions are not permitted on the same network subnet with flowing network traffic. To accomplish this topology, this integration configures a total of four subnets. Two are used for BIG-IQ network management and the other two are for BIG-IP system traffic flow.

Task summary

Configuring VMware NSX 6.1 for BIG-IQ

You must have installed a BIG-IQ system with two control plane subnets: one to be used for provisioning BIG-IP devices, and the other for BIG-IP device discovery. These two subnets need to be interconnected.

Additionally, you must configure the following objects in VMware vSphere Web Client before you can perform this task.

  • A Datacenter.
  • A Datastore for your Datacenter.

Configuring the VMware objects described in this task makes it possible for a BIG-IQ system to configure and license a BIG-IP VE that you can manage with NSX as a load balancing service runtime. Your vCenter users can use this service runtime to deploy load-balanced virtual servers.

  1. In the VMware vSphere Web Client, create four networks. Two networks must be control plane networks; the BIG-IQ system uses one for provisioning BIG-IP devices and the other to discover BIG-IP devices. The other two networks are data plane; the BIG-IP device uses one to pass external traffic and the other to pass internal traffic.
  2. In the VMware vSphere Web Client, create four IP Pools, one for each network. As you create each pool, you are prompted for a name. Make a note of the names you choose so that when you need to associate each pool to a network interface, you will know which is which.
    1. Define the provisioning network for the BIG-IP device. Use a typical IP address range to refer to the first management IP pool: 192.168.11.0/24.
    2. Define the external data network. Use a typical IP address range to refer to the first data IP pool: 10.22.0.0/16.
    3. Define the internal data network. Use a typical IP address range to refer to the second data IP pool: 10.33.0.0/16.
    4. Define the discovery network for the BIG-IP device. Use a typical IP address range to refer to the second management IP pool: 192.168.44.0/24.
  3. In the VMware vSphere Web Client, set up a web server on one of the just-created management networks. The NSX Manager uses the URL of this web server to access the installation file (OVF) for the BIG-IP VE you intend to provision.
  4. Copy the OVF file that the NSX Manager will use to create the BIG-IP VE to an accessible location on the just-created web server.
  5. Create a new user using the Create user API (/mgmt/shared/authz/users POST).
    Important: BIG-IQ APIs use the name specified for this user to reference the BIG-IQ and NSX integration.
  6. Add the new user to the Administrator role using either the Update a role or Modify a role API (/mgmt/shared/authz/users POST or /mgmt/shared/authz/users PATCH).
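The separation between the two control plane networks and the two data plane networks only holds if every interface is addressed from the pool of the network it is attached to. The following is an added example, not F5 or VMware code, that checks an addressing plan against the four IP pools from step 2. The pool key names, host names, and interface addresses are constructed for illustration.

```python
import ipaddress

# The four IP pools from step 2. The plane labels follow step 1; the pool
# names used as keys are labels chosen for this example.
POOLS = {
    "provisioning": ("control", "192.168.11.0/24"),
    "external":     ("data",    "10.22.0.0/16"),
    "internal":     ("data",    "10.33.0.0/16"),
    "discovery":    ("control", "192.168.44.0/24"),
}

# Constructed sample plans: (host, pool the interface is attached to, address).
GOOD_PLAN = [
    ("ovf-web-server", "provisioning", "192.168.11.5"),
    ("bigip-ve-1", "provisioning", "192.168.11.20"),
    ("bigip-ve-1", "external", "10.22.0.20"),
    ("bigip-ve-1", "internal", "10.33.0.20"),
    ("bigip-ve-1", "discovery", "192.168.44.20"),
]
BAD_PLAN = [
    ("ovf-web-server", "external", "10.22.0.5"),  # OVF host on a data network
    ("bigip-ve-2", "discovery", "10.33.0.44"),    # data address on a control interface
    ("bigip-ve-2", "internal", "172.16.0.9"),     # address outside every pool
]


def check_plan(pools, plan, control_only=()):
    """Return a list of findings; an empty list means the plan is consistent.

    control_only names hosts that must never sit on a data plane network,
    such as the web server that serves the OVF file (step 3).
    """
    nets = {name: (plane, ipaddress.ip_network(cidr))
            for name, (plane, cidr) in pools.items()}
    findings = []

    # 1. The pools themselves must not overlap.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a][1].overlaps(nets[b][1]):
                findings.append(f"pools {a} and {b} overlap")

    # 2. Every address must come from the pool of the network it is attached to.
    for host, pool, addr in plan:
        plane, net = nets[pool]
        ip = ipaddress.ip_address(addr)
        if host in control_only and plane != "control":
            findings.append(f"{host}: must sit on a control plane network, not {pool}")
        if ip in net:
            continue
        home = next((n for n, (_, nw) in nets.items() if ip in nw), None)
        if home is None:
            findings.append(f"{host}: {addr} is outside every pool")
        elif nets[home][0] != plane:
            findings.append(
                f"{host}: {addr} on {pool} belongs to {nets[home][0]} plane pool {home}")
        else:
            findings.append(f"{host}: {addr} on {pool} belongs to pool {home}")
    return findings
```

Calling `check_plan(POOLS, BAD_PLAN, control_only={"ovf-web-server"})` returns one finding for each of the three constructed mistakes.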

Next you must activate a pool license.

About activating a license pool

When you integrate with VMware NSX to create BIG-IP VEs, you can activate a pool license so that BIG-IQ software can use a license from that pool to license the BIG-IP VEs that it creates.

If you choose not to use a pool license, the BIG-IQ device still creates BIG-IP VEs, but you need to license them.

You initiate the license activation process with a base registration key. The base registration key is a character string that the license server uses to verify the functionality that you are entitled to license. If the system has access to the internet, you select an option to automatically contact the F5 license server and activate the license. If the system is not connected to the internet, you must manually retrieve the activation key from a system that is connected to the internet, and then transfer it to the BIG-IQ system.

Note: If you do not have a base registration key, contact your F5 Networks sales representative.

Activating a license pool automatically

You need a base registration key to activate the license pool.
If the resources you are licensing are connected to the public internet, you can use this procedure to activate the license pool.
  1. Authenticate with the F5 Cloud REST API.
    Tip: Refer to Authentication with the F5 REST API in the BIG-IQ Cloud Overview chapter of this guide for information about authentication strategies.
    Tip: Refer to the BIG-IQ Cloud Service API Reference Guide for details about using the APIs required for this task.
  2. Create a new license pool using the Create a License Pool API (/mgmt/cm/shared/licensing/pools POST).
  3. Get the text of the end user license agreement (EULA) using the Get the EULA API (/mgmt/cm/shared/licensing/pools/[uuid] GET).
  4. Agree to the EULA using the Accept the EULA API (/mgmt/cm/shared/licensing/pools/[uuid] PATCH). The value of the eulaText parameter must match precisely the text returned in the previous step.
    Tip: If a EULA has been previously accepted for this license, you might not need to perform this step.
  5. Add a device to the license pool and activate it using the Activate a device API (/mgmt/cm/shared/licensing/pools/[uuid]/members POST).

Activating a license pool manually

You need a base registration key to activate the license pool.
If the resources you are licensing are not connected to the public internet, you can use this procedure to activate the license pool.
  1. Authenticate with the F5 Cloud REST API.
    Tip: Refer to Authentication with the F5 REST API in the BIG-IQ Cloud Overview chapter of this guide for information about authentication strategies.
    Tip: Refer to the BIG-IQ Cloud Service API Reference Guide for details about using the APIs required for this task.
  2. Create a new license pool using the Create a License Pool API (/mgmt/cm/shared/licensing/pools POST).
  3. Get the license text for manual activation using the Get the Dossier API (/mgmt/cm/shared/licensing/pools/[uuid] GET).
  4. Submit the base registration key using the Patch the License Text API (/mgmt/cm/shared/licensing/pools/[uuid] PATCH). The value of the licenseText parameter must match precisely the text returned in the previous step.
    Tip: If a EULA has been previously accepted for this license, you might not need to perform this step.
  5. Add a device to the license pool and activate it using the Activate a device API (/mgmt/cm/shared/licensing/pools/[uuid]/members POST).

Create a connection between the BIG-IQ device and NSX

To enable integration between a third-party cloud provider and the BIG-IQ device, you must configure a cloud connector. A cloud connector is a resource that identifies the local or virtual environment in which a tenant deploys applications and, when necessary, adds parameters required by third-party cloud providers.
  1. Log in to BIG-IQ Cloud with your administrator user name and password.
  2. Hover over the Connectors header and click the + icon when it appears.
  3. In the Name and Description fields, type a name and description. You can use the name and description to help you organize network resources into logical groups based on certain criteria, such as the location or application.
  4. From the Cloud Provider list, select VMware NSX.
  5. In the VMware NSX Address field, type the IP address of the VMware system. The VMware IP address must be fully accessible from the BIG-IQ device's internal VLAN.
  6. In the VMware NSX User Name and VMware NSX Password fields, type the credentials that the BIG-IQ device will use to authenticate to the NSX Manager REST API.
  7. In the VMware vCenter Server Address field, type the IP address of the vCenter server.
  8. In the VMware vCenter Server User Name and VMware vCenter Server Password fields, type the credentials that the BIG-IQ device will use to authenticate to the vCenter SOAP API.
  9. In the BIG-IQ User Name and BIG-IQ Password fields, type the credentials that NSX Manager uses to authenticate to the BIG-IQ REST API.
  10. If you plan to use a pool of licenses, in the Device License field, specify the pool of licenses to use when the NSX and BIG-IQ integration provisions a BIG-IP VE. If you skip this step, you'll need to specify a license each time you add a new device.
  11. If you want to specify values for the remaining optional fields (Timezone, NTP Server(s), DNS Servers(s), and DNS Suffix(s)) so that the NSX and BIG-IQ system integration will use them when it provisions a BIG-IP VE, specify those values next.
  12. Click the Save button.

Defining an NSX Runtime Deployment specification

VMware NSX uses a Runtime Deployment to specify parameters for BIG-IP virtual devices provisioned using a BIG-IQ software connection. Node templates simplify the task of specifying the parameters for the Runtime Deployment. This task uses the Create node template API to create a node template. The BIG-IQ and NSX integration uses this template when it provisions new BIG-IP virtual devices.

  1. Authenticate with the F5 Cloud REST API.
    Tip: Refer to Authentication with the F5 REST API in the BIG-IQ Cloud Overview chapter of this guide for information about authentication strategies.
    Tip: Refer to the BIG-IQ Cloud Service API Reference Guide for details about using the APIs required for this task.
  2. Use the Create node template API to make a new template that specifies values needed for a deployment specification (/mgmt/cm/cloud/connectors/vmware-nsx/<connectorId>/nodes).
    Option: Description
      • OvfUrl: The entry identifies the URL specified previously for the OVF file that the BIG-IQ device uses to create the BIG-IP VE.
      • BIG-IP: Setting this entry to true indicates that the template specifies provisioning details for a BIG-IP device.
      • NodeTemplateName: The entry identifies the name you want NSX users to specify when requesting deployment of this type of BIG-IP VE.
    {
      "state": "TEMPLATE",
      "properties": [
        { "id": "BIG-IP", "provider": "true" },
        { "id": "NodeTemplateName", "value": "BIGIP-11.5.0.0.0.221.LTM_1SLOT-scsi.ovf" },
        { "id": "OvfUrl", "provider": "http://server/ovfs/BIGIP-11.5.0.0.0.221.LTM_1SLOT-scsi/BIGIP-11.5.0.0.0.221-scsi.ovf" }
      ]
    }
The API call registers the deployment specification received from the NSX API with the BIG-IQ software's NSX Partner Service. The REST API response includes the property ID ImageId. This value identifies the just-created deployment specification that confirms that the connection between the BIG-IQ system and the NSX device is established.
Make a note of the ImageId value. You will need it in the next task to identify which deployment specification you want to use to provision the BIG-IP VE.

Discovering devices located in the VMware cloud

After you license and perform the initial configuration for the BIG-IQ system, you can discover BIG-IP devices running version 11.3 or later. For proper communication, you must configure each F5 device you want to manage with a route to the BIG-IQ system. If you do not specify the required network communication route between the devices, then device discovery fails.

For devices located in a third-party cloud, you must know the internal self IP address (for OpenStack or VMware cloud) or the external self IP address (for Amazon EC2). You also must configure BIG-IQ Cloud with DNS so it can resolve the endpoint by name. To access this setting, log in to BIG-IQ System, select the BIG-IQ system you want to modify, and click the gear icon.

  1. Hover over the Devices header, click the + icon when it appears, and then select Discover Device.
  2. In the IP Address field, type the device's external self IP address. You cannot discover a BIG-IP device using its management IP address.
  3. When the BIG-IQ system and the BIG-IP device are on different subnets, you must create a route:
    1. Use SSH to log in to the BIG-IQ system's management IP address as the root user.
    2. Type the following command: tmsh create net route <route name> {gw <x.x.x.x> network default}
    Where <route name> is a user-provided name to identify the new route, and <x.x.x.x> is the IP address of the default gateway for the internal network.
  4. In the Admin User Name and Admin Password fields, type the administrator user name and password for the managed device.
  5. Select the Auto Update Framework check box to direct the BIG-IQ system to perform any required REST framework updates on the BIG-IP device. For the BIG-IQ system to properly manage a BIG-IP device, the BIG-IP device must be running the most recent REST framework. If you do not select the Auto Update Framework check box before you click the Add button, a message displays prompting you to update the framework or cancel the task.
  6. Click the Add button.
BIG-IQ System populates the properties of the device that you added, and displays the device in the Devices panel.
You can now associate this device with a VMware cloud connector and allocate resources to tenants.

About vCloud Director integration

Integrating vCloud Director (VCD) with your cloud applications makes it possible for you to use the VCD interface to manage the F5 cloud applications. The integration process involves tasks using the user interface in both the F5 BIG-IQ Cloud and the VMware VCD.

After you integrate vCloud Director (VCD) with BIG-IQ Cloud, you can use VCD to manage your cloud applications. After integration, a catalog of BIG-IP Cloud applications appears in the VCD user interface.

BIG-IQ Cloud refers to a service provider's customers as tenants. The VCD equivalent to a tenant is referred to as an organization. BIG-IQ Cloud identifies tenants using a tenant ID. One key to successfully integrating VCD with BIG-IQ Cloud is associating the tenant ID assigned to that catalog with a VCD organization.

To deploy an F5 application catalog in vShield Manager (VSM), you deploy a VSM service profile. While VSM service profiles do not currently recognize F5 tenants, they do recognize VCD organizations. So when your tenant’s ID is associated with a VCD organization, you can use VSM and VCD to administer and deploy the tenant’s application catalog.

When you create a tenant for VCD integration, make a note of the tenant ID so you can connect it to a VCD organization.

Task summary

When you are integrating vCloud Director (VCD) and BIG-IQ Cloud, you must configure VCD, then BIG-IQ, then VCD again.

Before you begin vCloud Director integration

Before you integrate BIG-IQ Cloud with your vCloud Director applications, make sure that you have completed the following prerequisites.

  • Customize and store at least one provider template in the catalog.
  • Create at least one tenant.

Determining an organization's globally unique identifier

The globally unique identifier (GUID) is the figurative glue that binds the BIG-IQ Cloud connector to your vCloud Director (VCD) applications. You use the GUID when you create a tenant for a VCD connector.

  1. Log in to your VCD system and complete the initial setup. Setup must include creating at least one VMware organization virtual data center (VDC).
  2. In VCD, navigate to the list of organization VDCs.
  3. In VCD, select the organization VDC that you are going to use to manage BIG-IQ applications. When you select the VDC, an alphanumeric string, known as the GUID, is appended to the end of the displayed URL. In the following example, the GUID is highlighted.
    [Figure: GUID in browser address bar]
Make a note of the GUID; you will need it when you create a tenant for this connector.

Creating BIG-IQ Cloud integration objects

The BIG-IQ Cloud integration objects you create in this task are available in your VMware vCloud Director (VCD) applications, so you can manage these objects using the VCD user interface.

  1. Authenticate with the F5 Cloud REST API.
    Tip: Refer to Authentication with the F5 REST API in the BIG-IQ Cloud Overview chapter of this guide for information about authentication strategies.
    Tip: Refer to the BIG-IQ Cloud Service API Reference Guide for details about using the APIs required for this task.
  2. Discover at least one BIG-IP system using the Add a managed device API (/mgmt/cm/cloud/managed-devices POST).
  3. Create a catalog of BIG-IQ Cloud applications to publish into the vShield Manager vendor template using the Create provider iApp template API (/mgmt/cm/cloud/provider/templates/iapp POST).
  4. Using the BIG-IQ Cloud APIs, create a VMware vShield Manager connector using the Create VMware connection API (/mgmt/cm/cloud/connectors/vmware POST), specifying the IP address and appropriate credentials.
  5. Using the BIG-IQ Cloud APIs, create a new tenant using the Create tenant API (/mgmt/cm/cloud/tenants POST).
    Important: You must use the organization's vCloud Director globally unique identifier (GUID) for the new tenant's name.

Integrating vCloud Director with your cloud applications

You must create a VMware connector in BIG-IQ Cloud before you can perform this task.

Connecting BIG-IQ integration objects to your vCloud Director (VCD) applications makes it possible for you to manage BIG-IQ applications using the VCD user interface.

  1. In VCD, enable the cloud connector you just created for the Organization VDC that corresponds to the tenant you created for VCD.
  2. In VCD, create an edge gateway for the organization VDC that corresponds to the tenant.
  3. In VCD, create an edge gateway service for the edge gateway you just created. As part of creating the service, you need to first specify a pool, and then a virtual machine.
The tenants that you created and connected to VCD can now use the VCD interfaces to create and manage applications. The VCD user interface displays the fields that are tenant-editable.