F5 Container Connector - Cloud Foundry¶
This document provides general information regarding the F5 Integration for Cloud Foundry. For deployment and usage instructions, please refer to the guides below.
The BIG-IP Controller for Cloud Foundry (
cf-bigip-ctlr) lets you use an F5 BIG-IP device(s) as an Application Delivery Controller (ADC) serving North-South traffic in Cloud Foundry or Pivotal Cloud Foundry (PCF). See the Container Ingress Service compatibility table for compatibility information.
The BIG-IP Controller is a Docker container-based application that runs on a Cloud Foundry Diego cell. It uses a two-tier architecture:
- One virtual server handles all ingress traffic for the cloud (tier 1);
- this “ingress” virtual server uses URI routing and L7 forwarding policies to send traffic to the appropriate virtual server for each Route (tier 2).
For each Cloud Foundry Route, the BIG-IP Controller creates a set of forwarding policy rules, a virtual server, pool, and pool members.
By default, the BIG-IP Controller creates a single HTTP virtual server in tier 1, which handles traffic on port 80. You can create an HTTPS virtual server (which uses port 443) by specifying a BIG-IP SSL profile in the Application manifest when you Deploy the BIG-IP Controller for Cloud Foundry.
The BIG-IP Controller creates an L4 (TCP) virtual server for each TCP route.
The F5 Container Connector for Cloud Foundry’s documentation set assumes that you:
- already have a functional PCF or Cloud Foundry cloud;
- are familiar with the Cloud Foundry CLI and API;
- already have a BIG-IP device licensed and provisioned for your requirements; and
- are familiar with BIG-IP LTM concepts and
- how to deploy the BIG-IP Controller into the Cloud Foundry environment,
- how to log in to the BIG-IP device,
- how to set up the BIG-IP device when you launch the BIG-IP Controller for the first time, and
- how to access orchestration information from the environment.
The BIG-IP Controller requires Administrator permissions in order to provide full functionality.
To upgrade to a newer version of the BIG-IP Controller for Cloud Foundry, take the steps below.
Update the App manifest as desired.
cf-bigip-ctlrApp using the cf push command.
Be sure to use the
-oflag to specify the Docker image and version you want to use.
cf push cf-bigip-ctlr -o f5networks/cf-bigip-ctlr:1.1.0 -f manifest.yaml
Apply BIG-IP Services to Cloud Foundry Routes¶
You can use the BIG-IP Controller to apply existing BIG-IP services – health monitors, policies, profiles, and SSL profiles – to the virtual server(s) and pools for HTTP routes. (These configurations do not apply to TCP routes.) Likewise, you can select any BIG-IP load balancing mode for both HTTP and TCP pools.
The Cloud Foundry Application Manifest file provides the means of identifying the BIG-IP policies, profiles, etc., you want to apply. Some policy and profile configurations only apply to L7 (HTTP) virtual servers. See the cf-bigip-ctlr configuration parameters table for more information.
See Apply BIG-IP policies and profiles for an example using “x-forwarded-for” and “x-forwarded-proto” headers.
The BIG-IP Controller runs in
global mode by default, meaning a single set of configurations apply to all of the pools/pool members created for Cloud Foundry Routes and Applications.
If you need a greater degree of control over the configurations for Routes associated with specific Apps, you can run the BIG-IP Controller in
broker_mode as a Cloud Foundry Service Broker. See Deploy the BIG-IP Controller for Cloud Foundry with per-Route Virtual Servers for instructions.
BIG-IP High Availability and Multi-tenancy¶
If you’re using a BIG-IP device pair or cluster, you can use automatic configuration sync to back up your configurations across all devices. Be sure to use a BIG-IP floating IP address as the external address (
bigip.external_addr) in your Application Manifest. It is possible to run multiple BIG-IP Controller instances – each of which would manage a separate BIG-IP device – provided you have not registered the Controller as a Service Broker. If you go this route, disable auto config sync.
You can use the BIG-IP Controller for Cloud Foundry to manage all of your Cloud Foundry Routes in one BIG-IP partition. You can create per-Route virtual servers – from different Service Plans – to achieve isolation within that partition.
Key Cloud Foundry Concepts¶
Routes, NATS, and Routing API¶
In Cloud Foundry, the Gorouter component routes all incoming L7 traffic. The TCP Router component routes all incoming L4 traffic. Similarly, the BIG-IP Controller uses Cloud Foundry’s routing tables to direct traffic to the correct virtual machine(s) for a requested application. The BIG-IP Controller watches the NATS bus and Routing API for route updates; when the Controller discovers changes, it configures the BIG-IP device(s) accordingly.
When you deploy a new application with a mapped HTTP route in Cloud Foundry, the BIG-IP Controller automatically creates a BIG-IP VIP, pool, pool members, and traffic policy rule for the route. When you deploy a new application with a mapped TCP route in Cloud Foundry, the BIG-IP Controller automatically creates a BIG-IP virtual server, pool, and pool members for the route.