Extend bigip_virtual_server to support address lists

[Cajga]

ISSUE TYPE

• Feature Idea

COMPONENT NAME

bigip_virtual_server

BIGIP VERSION

# tmsh show sys version

Sys::Version
Main Package
  Product     BIG-IP
  Version     14.1.0.3
  Build       0.5.6
  Edition     Engineering Hotfix
  Date        Wed Apr  3 19:03:00 PDT 2019

Hotfix List
ID755254-1

SUMMARY

Firmware version 14 one can define an IP address list (https://devcentral.f5.com/s/question/0D51T00006j41NGSAY/multiple-source-address-on-virtual-server) and select that as source or destination address. This feature is very handy when one would like to have multiple addresses as source or destination selector. Unfortunately, there is no good workaround as one can create the ip address lists with ansible calling the "create /net address-list test { addresses add { 192.168.27.111 {} 192.168.27.112 {} } }" command but then this address list cannot be used through ansible due to lack of support in the module.

[wojtek0806]

FMFA-322

[Sam-Hall]

@Cajga did you find a workaround? It seems like it's not even possible via TMSH to modify a virtual server, adding "traffic-matching-criteria" and removing the "destination" and "mask" attributes (on version 14.1.2). I can't even seem to remove the "destination" attribute using tmsh edit.

[Sam-Hall]

Nevermind, I read the manual and found a mention of default value "any:any" which seems to wipe it out. So as a workaround, we could do something like this perhaps...

create net address-list <address_list_name> { addresses add { 192.168.111.111 {} 192.168.222.111 {} } }
create ltm traffic-matching-criteria <tmc_name> { destination-address-inline 0.0.0.0 destination-address-list <address_list_name> destination-port-inline <port> source-address-inline 0.0.0.0 }
modify ltm virtual <vs_name> { destination any:any traffic-matching-criteria <tmc_name> }

On topic though, I'd like to see an Ansible module to control the traffic matching criteria. In the LTM GUI there is no way specify the name, the default name was based on the virtual, which blew out the 64 character limit and threw an error while testing this feature. I had to rename the virtual to get it to work just to look at what configuration it was creating.

[Cajga]

@Sam-Hall, No, I ended up creating two seperate VS (luckily I had only two addresses). I will get rid of them when this feature will be added.

[Sam-Hall]

I have three. I'm considering creating dummy virtuals with an irule that calls the main virtual, but I think your suggestion is probably more sane. Thanks for the reply.

[mkyrc]

Is there any progress in this enhancement? It would be a useful improvement. @wojtek0806 can you write any update/progress/plan?

Now I'm migrating some older "load-balancers" to f5 with lot of IP addresses connected to the same "virtual server". Multiple "IP" (address list) to the same "virtual server" is very helpful in this case. Currently I can't add it using ansible, because this enhancement is not implemented.

[bradstapleton94]

I am experiencing this same limitation. Do we know if/when this might be fixed?

[quaffles]

I was informed by F5 support to make a comment here for visibility. I was also looking for this feature.

Right now there is bigip_firewall_address_list which requires the AFM module. It would be nice for a method that does the simple address list.

[mkyrc]

@quaffles: address list for AFM is different "list" that uses virtual server (LTM). In this case is not possible use "bigip_firewall_address_list". I tried it. Check configuration (/config/partitions//bigip.conf) after setup "address list" for virtual server using web gui or tmsh. There is no reference to "address list" but completely different configuration. I was surprised.

[bradstapleton94]

@quaffles @mkyrc Regardless if its the same or different list, I don't see a way to use the list in a virtual server. My workaround has been to use CIDR notation in the destination field. But, that's not as clean as the list. Easier to view in our setup. I take it this is a feature request that has gone dormant?

[mkyrc]

@bradstapleton94 sure - this is a feature request. It is currently not possible to define an "address list" for a virtual server using available module bigip_virtual_server.

There is of course possibility - using AS3 (f5 bigip collection (v2)), but the feature request made by @Cajga is talking about virtual server module (f5 modules collection (v1)). In some situation is better to use v1 (imperative) instead of v2 (declarative principle).

[quaffles]

@bradstapleton94 @mkyrc

I see what you guys are saying. It seems that bigip_virtual_server doesn't support using address list for the destination. That is unfortunate.

[DorCohen93]

Hi guys, is there any news about this one? can we open a feature request for it? it is stopping many users from using Ansible and F5 out of the box without external tools

[trinaths]

This is prioritized for June 2022 release.

[trinaths]

Created [INFRAANO-99] for internal tracking

[j-morse]

I'm looking forward to the June release for this fix also. TIA

[nickamon]

Any update?

[j-morse]

Still looking forward to this update. Any ETA?

[KrithikaChidambaram]

We are reviewing this internally and we will provide you an update.

[j-morse]

I'm being impacted without this fix and the ability to fully automate using Ansible when adjusting F5 vips with TMC/address-list applied.

Please consider prioritizing this update. Thanks.

[pmawan]

Hi - i want to add a port list using ansible - will that feature al be added in a new release

[pgouband]

Hi @pmawan,

Have you tried using the declarative collection and AS3?

[pmawan]

does this mean the feature is not available in Ansible yet ?

[nickamon]

Hi, when will an update be provided, @KrithikaChidambaram?

[pgouband]

Hi,

It's impossible to add address list in virtual server module due to some limitation on BIG-IP API. The solution is to use AS3 and the declarative collection.