ASM Sync across AWS Availability Zones

Hello Daniel, you have a built in feature in dsc/asm to synchronise policies between asm devices:

 

https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-2-1/1.html?sr=45163929

 

Hi Daniel, would you mind sharing your 'large amount of success' with synchronizing AWS F5s located in different Availability Zones ? I just start trying this as well, as an alternate solution against our current HA active-standby setup (which unfortunately does not support devices in different zones ). Guess there is no way around using SCF files and some scripts. Might require rather large effort to somehow automate configuration synchronization. We are going to use V11.6 HF4 , only with LTM. Thank you. Urs

I just rolled out to 11.60. HF5 ENG Fix ( For FQDN Autopopulation bug ) and would suggest that as a starting point :). To be honest, the code that does this sync is scp and the heart of it is the below sed command. This is the change for the IPs between AZ A and B. My VPC is setup specifically for the F5 so there is no servers to share my Virtual Server Address space. 2. Edit the SCF file on EM, changing IPs over to AZ B IPs sed -i.old \ -e 's/lbedmzaza/\lbedmzazb/g' \ -e 's/10\.112\.0\./10\.112\.4\./g' \ -e 's/10\.112\.1\./10\.112\.5\./g' \ -e 's/10\.112\.2\./10\.112\.6\./g' \ -e 's/10\.112\.3\./10\.112\.7\./g' \ -e 's/10-112-3-/10-112-7-/g' \ "$LOCALPATH" I have run into some problems with this script, 1. You need to set DNS servers manually instead of using DHCP as once you start using FQDN objects you get issues 2. Deletion on the virtual server and re-using that VS IP before the sync of the deletion hit a bug that caused the config to fail to load on AZ B. Easy fix was to delete the VS on AZ B and the sync worked. I think this was a specific bug versus a sync script issue. Apart from that, the Sync has been pretty trouble free, still got to work out the ASM Sync as we are manually importing/exporting. The tricky bit though is the actually failover between AZ's ; ).

thank you for your feedback. If I understand correctly, you basically copy over the whole scf file, just replace IP addresses (of SelfIPs, VIPs, eventually routing) and load it. And you sync manually after changes or scheduled periodically. We try to have both standalone boxes active , with some loadbalancing in front. Anyway it will get tricky. Would have been great if F5 handled synchronizing devices separatly from failover: sync should basically be no problem between zones, while taking over IP addresses can't work obviously.