Write SLB Policy
Writing a policy for a load balancer is similar to writing a policy for a workload, except for the following differences:
Leave the service unspecified; the port and protocol of the discovered VIP determine the service automatically.
Specify “Uses Virtual Services” in the rule.
A rule that is provided between a virtual server (or its labels) and a set of consumers implicitly programs two sets of rules:
Rules between the consuming workloads or labels and the frontend VIP of the F5, on the discovered VIP port and protocol. Traffic between the consuming workloads and the VIP is enforced on both ends if the virtual server is managed and enforced.
Rules between the F5 pool and the virtual server providers, on the service specified in the virtual server object (usually All Services). These rules are enforced for inbound traffic to the virtual server providers if the provider workloads are enforced.
SLB Methods
The SLB APIs are used to enable automation for F5 policy management.
Functionality | HTTP | URI
---|---|---
Get the list of SLBs | GET | /api/v2/orgs/{org id}/slbs
Get a specified SLB | GET | /api/v2/orgs/{org id}/slbs/{UUID of SLB object}
Create an SLB object | POST | /api/v2/orgs/{org id}/slbs
SLB Parameters
The parameters for the SLB methods are:
Parameter | Description | Type
---|---|---
name | The short friendly name of the server load balancer | String
 | Network Function Controller managing this SLB | String
device_type | Device type of the server load balancer | String
devices | Configuration and runtime state of the devices backing this SLB Network VF | String
Configure an SLB Object
Step 1. Create an SLB object and instruct the NEN to sync with it.
POST /api/v2/orgs/{org id}/slbs
{
  "devices" : [
    {
      "config" : {
        "username" : "admin",
        "port" : 443,
        "credential" : "admin",          # never replayed in the northbound API
        "host" : "10.2.32.6",
        "credential_type" : "password",
        "check_certificate" : false
      }
    }
  ],
  "device_type" : "F5 Big-IP LTM",
  "name" : "Illumio Test SLB"
}
Step 2. GET an SLB response.
GET /orgs/{org id}/slbs/{UUID of SLB object}

{
  "name" : "Illumio Test SLB",
  "devices" : [
    {
      "status" : { "connection_state" : "pending" },   # becomes successful once the NEN syncs with the device
      "href" : "/orgs/1/slb_devices/9349ff36-ab38-42bf-909a-eb5aa3baf187",
      "config" : {
        "username" : "admin",
        "check_certificate" : false,
        "credential_type" : "password",
        "host" : "10.2.32.6",
        "credential" : null,                            # credential is never returned
        "port" : 443
      }
    }
  ],
  "href" : "/orgs/1/slbs/8a82a1b0-c2ce-43ec-abf7-77bd8a3fd22c",
  "device_type" : "f5_bigip_afm",
  [ ... ]                                               # created_at, updated_at, etc.
}
Step 3. GET a list of Discovered Virtual Servers.
GET /orgs/1/discovered_virtual_servers
{
  "snat_type" : "snat_pool",
  "dvs_identifier" : "d3b784c2fd24ad364c5adb3319169bd2",
  "mode" : "snat",
  "vip_port" : { "port" : 8080, "protocol" : 6, "vip" : "172.16.27.88" },
  "service_checks" : [ { "protocol" : 1 } ],
  "name" : "Common/QL_VIP_1",
  "slb" : { "href" : "/orgs/1/slbs/8a82a1b0-c2ce-43ec-abf7-77bd8a3fd22c" },
  "snat_pool_ips" : [ "172.16.26.27", "172.16.26.18", "172.16.27.18" ],
  "local_ips" : [ "172.16.26.18", "172.16.27.18" ],
  "href" : "/orgs/1/discovered_virtual_servers/2c460b98-2176-4a44-9ba4-e77f3eacd0f1",
  [ ... ]                                               # created_at, updated_at, etc.
}
Step 4. Manage a VIP by creating a Virtual Server object.
POST /orgs/1/sec_policy/draft/virtual_servers
{
  "name" : "Common/chris-VIP1",
  "service" : { "href" : "/orgs/1/sec_policy/draft/services/1" },
  "labels" : [],
  "providers" : [],
  "mode" : "unmanaged",                                 # or "enforced"
  "discovered_virtual_server" : { "href" : "/orgs/1/discovered_virtual_servers/23338ceb-7580-466a-bbcf-a645b82ce97b" }
}
Step 5. Modify the enforcement mode, labels, and backend/provider labels of the Virtual Server.
PUT /orgs/1/sec_policy/draft/virtual_servers/84bae9dd-f1f6-4322-bffc-f07354b0622a
{
  "mode" : "enforced",
  "labels" : [ { "href" : "/orgs/1/labels/448" }, { "href" : "/orgs/1/labels/444" } ],   # any RAEL tuple
  "providers" : [ { "label" : { "href" : "/orgs/1/labels/449" } } ]                       # note: providers may have different labels
}
Step 6. Provision the Virtual Server into an active policy.
POST /orgs/1/sec_policy
{
  "update_description" : "Provision my first VS",
  "change_subset" : {
    "virtual_servers" : [ { "href" : "/orgs/1/sec_policy/draft/virtual_servers/84bae9dd-f1f6-4322-bffc-f07354b0622a" } ]
  }
}

Draft and active hrefs of the Virtual Server:
/orgs/1/sec_policy/draft/virtual_servers/84bae9dd-f1f6-4322-bffc-f07354b0622a
/orgs/1/sec_policy/active/virtual_servers/84bae9dd-f1f6-4322-bffc-f07354b0622a
Step 7. Write rules that apply to the Virtual Server.
POST /orgs/1/sec_policy/draft/rule_sets/1480/sec_rules
Rule written against the Virtual Server's labels:

{
  "enabled" : true,
  "providers" : [
    { "label" : { "href" : "/orgs/1/labels/444" } },
    { "label" : { "href" : "/orgs/1/labels/448" } }
  ],
  "resolve_labels_as" : {
    "consumers" : [ "workloads" ],
    "providers" : [ "virtual_services" ]              # NOTE: must be virtual_services
  },
  "consumers" : [
    { "actors" : "ams" }                                # All Workloads
  ]
}

Rule written against the Virtual Server href directly:

{
  "consumers" : [
    { "label" : { "href" : "/orgs/1/labels/444" } }
  ],
  "providers" : [
    { "virtual_server" : { "href" : "/orgs/1/sec_policy/draft/virtual_servers/84bae9dd-f1f6-4322-bffc-f07354b0622a" } }
  ],
  "enabled" : true,
  "resolve_labels_as" : {
    "consumers" : [ "workloads" ],
    "providers" : [ "virtual_services" ]
  }
}
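The following is an added example, not Illumio's code or API: it models how one rule written against a managed virtual server (Step 7) expands into the two implicit rule sets described under Write SLB Policy, using constructed samples taken from the JSON in Steps 3 to 7. The functions, the `enforced_both_ends` field, and the choice of SNAT pool IPs versus self IPs as the pool's source addresses are assumptions.

```python
# Added example, not Illumio's code: expands one virtual-server rule into the
# frontend (consumer -> VIP) and backend (F5 pool -> providers) rule sets.
# Samples are constructed from Steps 3-7; the expansion logic is an assumption.
DISCOVERED_VS = {  # constructed: discovered virtual server from Step 3
    "mode": "snat", "snat_type": "snat_pool",
    "vip_port": {"port": 8080, "protocol": 6, "vip": "172.16.27.88"},
    "snat_pool_ips": ["172.16.26.27", "172.16.26.18", "172.16.27.18"],
    "local_ips": ["172.16.26.18", "172.16.27.18"],
}
VIRTUAL_SERVER = {  # constructed: managed virtual server after Step 5
    "mode": "enforced",
    "service": {"href": "/orgs/1/sec_policy/draft/services/1"},  # All Services
    "providers": [{"label": {"href": "/orgs/1/labels/449"}}],
    "discovered_virtual_server": DISCOVERED_VS,
}
RULE = {  # constructed: first rule from Step 7, all workloads -> label 444
    "consumers": [{"actors": "ams"}],
    "providers": [{"label": {"href": "/orgs/1/labels/444"}}],
    "resolve_labels_as": {"consumers": ["workloads"], "providers": ["virtual_services"]},
}

def validate_vs_rule(rule):
    """Providers must resolve as virtual_services, or the labels match workloads."""
    if rule.get("resolve_labels_as", {}).get("providers") != ["virtual_services"]:
        raise ValueError('providers must resolve as ["virtual_services"]')
    return True

def f5_source_ips(dvs):
    """Source addresses the pool members see. Assumption: a SNAT pool presents
    its pool IPs, any other mode presents the F5 self (local) IPs."""
    if dvs["mode"] == "snat" and dvs["snat_type"] == "snat_pool":
        return sorted(dvs["snat_pool_ips"])
    return sorted(dvs["local_ips"])

def expand_vs_rule(rule, vs):
    """Return (frontend, backend): the two rule sets implied by one VS rule."""
    validate_vs_rule(rule)
    dvs = vs["discovered_virtual_server"]
    frontend = {  # consumers -> VIP on the discovered port and protocol
        "consumers": rule["consumers"],
        "providers": [{"ip": dvs["vip_port"]["vip"]}],
        "service": {k: dvs["vip_port"][k] for k in ("port", "protocol")},
        "enforced_both_ends": vs["mode"] == "enforced",  # managed and enforced
    }
    backend = {  # F5 pool -> provider workloads on the VS service (inbound)
        "consumers": [{"ip": ip} for ip in f5_source_ips(dvs)],
        "providers": vs["providers"],
        "service": vs["service"],
    }
    return frontend, backend
```

Changing `VIRTUAL_SERVER["mode"]` to `"unmanaged"` shows the frontend rule losing enforcement on the VIP side, while a rule that resolves providers as workloads is rejected before any expansion.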
Remove Filtering
Some types of virtual servers are not visible by default, such as those without default server pools. From the NEN 2.1.0 release onwards, you can control the filtering of such virtual servers, so that VIPs that have no pool associated with them or that are not SNAT/Auto-SNAT become visible.
To view all types of virtual servers configured on the F5 load balancers, you must enter specific commands during the NEN installation (on a per-NEN basis). These commands disable the built-in filter (enabled by default) running on the NEN on the leader PCE cluster.
Navigate to the following directory:
/opt/illumio-pce/
Enter the following command:
sudo -su ilo-pce ./illumio-nen-ctl slb-enable --virtual-server-filtering disabled
Restart the NEN on both db0 and db1 nodes:
sudo -u ilo-pce ./illumio-pce-ctl restart