Every manual change to an F5 BIG-IP via the web UI is a double risk: someone can fat-finger it, and nobody knows exactly what changed. For a load balancer holding a bank's or e-shop's production traffic, that's unacceptable. The fix? Do F5 as code.
Why F5
F5 leads application delivery and security. BIG-IP handles load balancing, NGINX handles modern application traffic, and Distributed Cloud provides protection across multi-cloud. They share one trait: they're critical and every change counts.
How we do it
Instead of clicking in the GUI we describe the desired state (VIPs, pools, WAF policies) as code and Ansible (Red Hat AAP) reconciles it. The playbook fetches secrets from Vault and reads the target state from NetBox.
- Audit trail — every change has a commit, author and reason.
- Idempotence — run it a hundred times, same result.
- Speed — what took days via tickets is done in minutes.
```yaml
---
# Create a VIP + pool on BIG-IP from Git — no GUI clicking
# The httpapi connection expects ansible_network_os: f5networks.f5_modules.bigip
# in the inventory; credentials are injected as inventory vars from Vault.
- name: Configure production VIP
  hosts: bigip
  connection: httpapi
  tasks:
    - name: Pool with health monitor
      f5networks.f5_modules.bigip_pool:
        name: "pool_billing_443"
        lb_method: least-connections-member
        monitors: ["/Common/https"]
        state: present

    # billing_backends is the list of backend hosts rendered from NetBox
    - name: Add pool members (from NetBox)
      f5networks.f5_modules.bigip_pool_member:
        pool: "pool_billing_443"
        host: "{{ item.ip }}"
        port: 443
        state: present
      loop: "{{ billing_backends }}"

    - name: Virtual server + TLS profile
      f5networks.f5_modules.bigip_virtual_server:
        name: "vs_billing_443"
        destination: "10.20.0.15"
        port: 443
        pool: "pool_billing_443"
        profiles: ["clientssl", "http"]
        state: present
```

Key point: state: present makes the playbook idempotent — run it a hundred times, identical result. Desired state is read from NetBox, secrets from Vault. Modules: F5 Ansible docs.
For an environment with 87 VIPs we cut the F5 change window from 4 hours (manual changes plus change tickets) to a 12-minute audited pipeline run. These figures are illustrative.
Where it gets tricky
- iRules and legacy config. Years of manual edits convert to code gradually, not at once.
- Team discipline. The moment one admin "quickly clicks something" in the GUI, code and reality diverge. Drift detection is a must.
Frequently asked questions
Does this work with our iRules and legacy config?
Yes, but gradually. Years of manual edits convert to code in waves, not at once. We start by exporting the current state, codify new changes, and migrate legacy config in a controlled way. iRules can be versioned as files and deployed by the same pipeline.
What if someone "quickly" clicks in the GUI outside the pipeline?
That's why we deploy drift detection — a scheduled run that compares the real F5 state with the code in Git and reports the difference. A manual change surfaces within the next cycle. Team discipline is required, but the tool enforces it.
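The comparison that such a drift run performs, as an added example in Python (not the page's or F5's own code): the desired state mirrors the playbook's parameters, and the live state is constructed sample data imitating, in simplified form, the shape of iControl REST pool and virtual-server objects. The real /mgmt/tm/ltm/pool and /mgmt/tm/ltm/virtual objects carry many more fields, and fetch_live_state is a placeholder for a REST call or for the output of the f5networks.f5_modules.bigip_device_info module; both are assumptions of this example.

```python
"""Drift detection for F5-as-code: desired state in Git versus the live BIG-IP.

Added example, not the page's or F5's own code. DESIRED mirrors the playbook;
LIVE is CONSTRUCTED sample data imitating simplified iControl REST objects.
"""
from __future__ import annotations
import sys

# Desired state as rendered from Git / NetBox (constructed, already normalised).
DESIRED = {
    "pools": {
        "pool_billing_443": {
            "lb_method": "least-connections-member",
            "monitors": {"/Common/https"},
            "members": {"10.20.1.11:443", "10.20.1.12:443"},
        }
    },
    "virtuals": {
        "vs_billing_443": {
            "destination": "10.20.0.15:443",
            "pool": "pool_billing_443",
            "profiles": {"clientssl", "http"},
        }
    },
}

# Live state as the REST API would report it (constructed; fields simplified).
LIVE = {
    "pools": [
        {
            "name": "pool_billing_443",
            "fullPath": "/Common/pool_billing_443",
            "loadBalancingMode": "round-robin",  # drift: changed in the GUI
            "monitor": "/Common/https ",
            "members": [{"name": "10.20.1.11:443"}, {"name": "10.20.1.12:443"},
                        {"name": "10.20.1.13:443"}],  # drift: member added by hand
        },
        {  # drift: object that exists on the box but not in Git
            "name": "pool_tmp_test", "fullPath": "/Common/pool_tmp_test",
            "loadBalancingMode": "round-robin", "monitor": "none", "members": [],
        },
    ],
    "virtuals": [
        {
            "name": "vs_billing_443",
            "destination": "/Common/10.20.0.15:443",
            "pool": "/Common/pool_billing_443",
            "profiles": [{"name": "clientssl"}, {"name": "http"}],
        }
    ],
}


def fetch_live_state() -> dict:
    """Placeholder for the REST call / bigip_device_info output (assumption)."""
    return LIVE


def strip_partition(value: str) -> str:
    """'/Common/pool_x' -> 'pool_x'; a value without a partition prefix is unchanged."""
    return value.rsplit("/", 1)[-1] if value.startswith("/") else value


def parse_monitors(monitor: str) -> set[str]:
    """BIG-IP reports monitors as one string ('/Common/https ', 'none', or the
    compound 'min 1 of { /Common/https /Common/tcp }'); keep only the monitor paths."""
    return {tok for tok in monitor.split() if tok.startswith("/")}


def normalize_live(live: dict) -> dict:
    """Reshape REST-style objects into the same form as DESIRED so they compare cleanly."""
    pools = {
        p["name"]: {
            "lb_method": p["loadBalancingMode"],
            "monitors": parse_monitors(p.get("monitor", "none")),
            "members": {m["name"] for m in p.get("members", [])},
        }
        for p in live.get("pools", [])
    }
    virtuals = {
        v["name"]: {
            "destination": strip_partition(v["destination"]),
            "pool": strip_partition(v.get("pool", "")),
            "profiles": {pr["name"] for pr in v.get("profiles", [])},
        }
        for v in live.get("virtuals", [])
    }
    return {"pools": pools, "virtuals": virtuals}


def detect_drift(desired: dict, live: dict) -> list[dict]:
    """Return one finding per missing object, unmanaged object, or changed attribute."""
    findings: list[dict] = []
    for kind in ("pools", "virtuals"):
        want, have = desired.get(kind, {}), live.get(kind, {})
        for name in sorted(set(want) - set(have)):
            findings.append({"kind": kind, "object": name, "type": "missing"})
        for name in sorted(set(have) - set(want)):
            findings.append({"kind": kind, "object": name, "type": "unmanaged"})
        for name in sorted(set(want) & set(have)):
            for attr, expected in want[name].items():
                actual = have[name].get(attr)
                if expected != actual:
                    findings.append({"kind": kind, "object": name, "type": "changed",
                                     "attr": attr, "expected": expected, "actual": actual})
    return findings


def run_drift_check(desired: dict = DESIRED) -> list[dict]:
    return detect_drift(desired, normalize_live(fetch_live_state()))


def main() -> int:
    findings = run_drift_check()
    for f in findings:
        print(f"{f['type']:9} {f['kind']}/{f['object']}"
              + (f" {f['attr']}: expected {f['expected']}, got {f['actual']}" if "attr" in f else ""))
    # Non-zero exit turns the scheduled pipeline job red when reality and Git diverge.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Normalising both sides to one shape (partition prefixes stripped, the monitor string parsed into a set) is what keeps the comparison free of false positives; the non-zero exit code is what makes a GUI change visible in the next scheduled cycle.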
Is it only BIG-IP, or also NGINX and F5 Distributed Cloud?
BIG-IP and NGINX via the official Ansible collections. F5 Distributed Cloud has its own API that can also be driven from the pipeline. In practice we most often build a BIG-IP + NGINX combination.
Do we need Red Hat AAP, or is plain Ansible enough?
Community Ansible is fine for a PoC. For production we recommend AAP for RBAC, audit trail, approval workflows and credential management — the things an enterprise audit requires.
Wrestling with manual F5 changes?
Book a 20-minute audit of your F5 estate — we'll review VIP count, config state and a realistic path to F5-as-code. No sales pitch, with a senior network engineer.