End of Sale Notice:

F5 NGINX is announcing the End of Sale (EoS) for NGINX Controller API Management Module, effective January 1, 2024.

F5 maintains generous lifecycle policies that allow customers to continue support and receive product updates. Existing NGINX Controller API Management customers can continue to use the product past the EoS date. License renewals are not available after September 30, 2024.

See our End of Sale announcement for more details.
End of Sale Notice:

F5 NGINX is announcing the End of Sale (EoS) for NGINX Controller Application Delivery Module, effective January 1, 2024.

F5 maintains generous lifecycle policies that allow customers to continue support and receive product updates. Existing NGINX Controller Application Delivery customers can continue to use the product past the EoS date. License renewals are not available after September 30, 2024.

See our End of Sale announcement for more details.

NGINX Controller Tech Specs

Guidelines and recommendations for configuring F5 NGINX Controller.

Overview

This guide lists the technical recommendations for F5 NGINX Controller v3 and NGINX Controller Agent. Review this guide before installing or updating NGINX Controller or NGINX Controller Agent.

Supported Distributions

NGINX Controller, the NGINX Controller Agent, and the NGINX Controller Application Security Add-on support the following distributions and architectures.

See Also:
Refer to the NGINX Plus Technical Specifications guide for the distributions that NGINX Plus supports.
| Distribution and Version | NGINX Controller (Control Plane) | Agent (Data Plane) | ADC App. Sec. (Data Plane) | APIM Adv. Sec. (Data Plane) | Notes |
|---|---|---|---|---|---|
| Amazon Linux 2 (x86_64) | Not supported | v3.0+ | Not supported | Not supported | |
| Amazon Linux 2017.09+ (x86_64) | Not supported | v3.0+ | Not supported | Not supported | |
| CentOS 6.5+ (x86_64) | Not supported | v3.0+ | Not supported | Not supported | CentOS 6.5 and later versions in the CentOS 6 family are partially supported. This distribution does not support AVRD. |
| CentOS 7.4+ (x86_64) | v3.0+ | v3.0+ | v3.12+ | v3.19+ | CentOS 7.4 and later versions in the CentOS 7 family are supported. |
| Debian 8 (x86_64) | Not supported | v3.0–3.21 | Not supported | Not supported | This distribution does not support AVRD. |
| Debian 9 (x86_64) | v3.0+ | v3.0–3.21 | v3.12+ | v3.19+ | |
| Debian 10 (x86_64) | Not supported | v3.17+ | v3.17+ | v3.19+ | See the NGINX Plus Admin Guide for requirements for Debian 10. |
| Red Hat Enterprise Linux 6.5+ | Not supported | v3.0+ | Not supported | Not supported | RHEL 6.5 and later versions in the RHEL 6 family are partially supported. |
| Red Hat Enterprise Linux 7.4+ (x86_64) | v3.5+ | v3.5+ | v3.12+ | v3.19+ | RHEL 7.4 and later versions in the RHEL 7 family are supported. SELinux may interfere with NGINX Controller installation and operation. If you do enable SELinux, it must use permissive mode. Use of enforcing mode is not supported. |
| Red Hat Enterprise Linux 8.0+ (x86_64) | v3.22+ | v3.22+ | v3.22+ | Not supported | RHEL 8.0 and later versions in the RHEL 8 family are supported. SELinux may interfere with NGINX Controller installation and operation. If you do enable SELinux, it must use permissive mode. Use of enforcing mode is not supported. |
| Ubuntu 18.04 LTS (x86_64) | v3.0+ | v3.0+ | v3.13+ | v3.19+ | |
| Ubuntu 20.04 LTS (x86_64) | v3.20+ | v3.12+ | v3.16.1+ | v3.19+ | |

Analytics, Visibility, and Reporting Daemon (AVRD)

NGINX Controller v3.1 and later use an Analytics, Visibility, and Reporting daemon (AVRD) to aggregate and report app-centric metrics, which you can use to track and check the health of your apps. To learn more about these metrics, see the NGINX Metrics Catalog topic.

 


Storage Requirements

The following table shows the minimum storage requirements we recommend for NGINX Controller. Your final storage requirements may differ depending on your environment, configuration, and the number of instances, apps, and APIs you’re managing. Production deployments, for example, will require more storage than trial deployments. Contact your NGINX Controller sales associate if you have questions about sizing for your particular environment.

We recommend using a local volume for the analytics and config databases for trial deployments, for simplicity’s sake so you can get started using NGINX Controller right away. For production environments, we recommend using an external volume for the databases for resiliency.

| Resource | Path(s) | Minimum Storage |
|---|---|---|
| NGINX Controller | /opt/nginx-controller | 80 GB |
| Analytics database | /opt/nginx-controller/clickhouse_data | 50 GB; 150 GB if App Security is enabled |
| Config database | /opt/nginx-controller/postgres_data | 10 GB |
| Logs | /var/log/nginx-controller, /var/log/journal, /var/log/pods, /var/lib/docker/containers, /var/lib/kubelet, /var/lib/kubernetes | 15 GB cumulative |

 


Supported Deployment Environments

You can deploy NGINX Controller v3 into the following environments:

  • Bare metal
  • Public cloud: Amazon Web Services, Google Cloud Platform, Microsoft Azure
  • Virtual Machine

 


NGINX Plus Instances

NGINX Controller, using the Controller Agent, can monitor and manage up to 100 NGINX Plus instances. When using Controller App Security, NGINX Controller can monitor and manage up to 30 NGINX Plus instances with NGINX App Protect installed.

NGINX Controller supports the following NGINX Plus versions:

| NGINX Plus | NGINX Controller | NGINX Controller ADC | NGINX Controller APIM |
|---|---|---|---|
| R30 | Not supported | 3.22.9+ | Not supported |
| R29 | Not supported | 3.22.9+ | 3.19.6+ |
| R28 | Not supported | 3.22.6+ | 3.19.6+ |
| R27 | Not supported | 3.22.4+ | 3.19.6+ |
| R26 | Not supported | 3.22.2+ | 3.19.6+ |
| R25 | Not supported | 3.20.1+ | 3.19.2+ |
| R24 | 3.17+ | 3.20+ | 3.18+ |
| R23 | 3.12+ | 3.20.0 - 3.22.2 | 3.18+ |
| R22 | 3.5+ | 3.20.0 - 3.22.1 | 3.18+ |
| R21 | 3.5 - 3.12 | Not supported | Not supported |
| R20 | 3.0 - 3.12 | Not supported | Not supported |
| R19 | 2.6 - 3.5 | Not supported | Not supported |

 


NGINX App Protect Compatibility Matrix

The App Security add-on for the NGINX Controller Application Delivery module is compatible with the versions of NGINX Plus and NGINX App Protect shown in the table below. New releases of NGINX Controller ADC support the last four versions of NGINX Plus at release time.

See Also:
Refer to Using NGINX App Protect with NGINX Controller for installation instructions and additional information.
| NGINX Controller version | NGINX App Protect version(s) | NGINX Plus version(s) |
|---|---|---|
| NGINX Controller ADC v3.22.9 | v4.5; v4.3, v4.4; v4.0, v4.1, v4.2; v3.12, v3.11 | R30, R29, R28, R27 |
| NGINX Controller ADC v3.22.8 | v4.0, v4.1; v3.12, v3.11; v3.10.0, v3.9.1, v3.9.0; v3.8, v3.7, v3.6 | R28, R27, R26, R25 |
| NGINX Controller ADC v3.22.7 | v4.0, v4.1; v3.12, v3.11; v3.10.0, v3.9.1, v3.9.0; v3.8, v3.7, v3.6 | R28, R27, R26, R25 |
| NGINX Controller ADC v3.22.6 | v4.0, v4.1; v3.12, v3.11; v3.10.0, v3.9.1, v3.9.0; v3.8, v3.7, v3.6 | R28, R27, R26, R25 |
| NGINX Controller ADC v3.22.5 | v3.12, v3.11; v3.10.0, v3.9.1, v3.9.0; v3.8, v3.7, v3.6; v3.5, v3.4, v3.3, v3.2 | R27, R26, R25, R24 |
| NGINX Controller ADC v3.22.4 | v3.11; v3.10.0, v3.9.1, v3.9.0; v3.8, v3.7, v3.6; v3.5, v3.4, v3.3, v3.2 | R27, R26, R25, R24 |
| NGINX Controller ADC v3.22.3 | v3.10.0, v3.9.1, v3.9.0; v3.8, v3.7, v3.6; v3.5, v3.4, v3.3, v3.2; v3.1, v3.0, v2.3 | R26, R25, R24, R23 |
| NGINX Controller ADC v3.22.2 | v3.9.1, v3.9.0; v3.8, v3.7, v3.6; v3.5, v3.4, v3.3, v3.2; v3.1, v3.0, v2.3 | R26, R25, R24, R23 |
| NGINX Controller ADC v3.22, v3.22.1 | v3.8, v3.7, v3.6; v3.5, v3.4, v3.3, v3.2; v3.1, v3.0, v2.3; v2.1.1 | R25, R24, R23, R22 |
| NGINX Controller ADC v3.21 | v3.6; v3.5, v3.4, v3.3, v3.2; v3.1, v3.0, v2.3; v2.1.1 | R25, R24, R23, R22 |
| NGINX Controller ADC v3.20.1 | v3.6; v3.5, v3.4, v3.3, v3.2; v3.1, v3.0, v2.3; v2.1.1 | R25, R24, R23, R22 |
| NGINX Controller ADC v3.20 | v3.5, v3.4, v3.3, v3.2; v3.1, v3.0, v2.3; v2.1.1 | R24, R23, R22 |
| NGINX Controller APIM v3.19.2 | v3.6; v3.5, v3.4 | R25, R24 |
| NGINX Controller APIM v3.19 | v3.5, v3.4 | R24 |
| NGINX Controller v3.18 | v3.5, v3.2; v3.1, v3.0, v2.3; v2.1.1 | R24, R23, R22 |
| NGINX Controller v3.17 | v3.2; v3.1, v3.0, v2.3; v2.1.1 | R24, R23, R22 |
| NGINX Controller v3.16 | v3.1, v3.0, v2.3; v2.1.1 | R23, R22 |
| NGINX Controller v3.14, v3.15 | v3.0, v2.3; v2.1.1 | R23, R22 |
| NGINX Controller v3.13 | v2.3; v2.1.1 | R23, R22 |
| NGINX Controller v3.12 | v2.1.1 | R22 |

Supported Browsers

NGINX Controller works best with the newest and the last prior version of these browsers with JavaScript, cookies, and SSL enabled:

Important:

You may need to turn off any ad blockers while using the NGINX Controller user interface.

In some cases, the NGINX Controller user interface may not display analytics or security events if an ad blocker is enabled. Refer to the AskF5 KB article K48603454 to learn more about this issue and how to resolve it.

 


Hardware Specifications

The following minimum hardware specifications are required for each node running NGINX Controller:

  • RAM: 8 GB RAM
  • CPU: 8-Core CPU @ 2.40 GHz or similar
  • Disk space: 155–255 GB free disk space. 255 GB of free space is recommended if NGINX Controller App Security is enabled. See the Storage Requirements section for a categorized list of the storage requirements.

The NGINX Controller Agent consumes as little memory and CPU as possible. CPU usage should be under 10%, and RSS memory consumption should be just a few dozen MBs. If you notice the NGINX Controller Agent consuming resources at a higher rate, you should contact NGINX Support for assistance.

 


NGINX Controller Database Requirements

When installing NGINX Controller, you can choose the type of volume to use for the analytics and config databases. The types of volumes that are supported are:

We recommend using a local volume for the analytics and config databases for trial deployments, for simplicity’s sake so you can get started using NGINX Controller right away. For production environments, we recommend using an external volume for the databases for resiliency.

 

Local Storage

When using local storage for the analytics and/or config database, we recommend the following specs:

  • 100 IOPS
  • 155–255 GB free disk space. 255 GB of free space is recommended if NGINX Controller App Security is enabled. See the Storage Requirements section for a categorized list of the storage requirements.
Tip:
To conserve IO and/or disk space, you can use a separate disk for the local storage directory /opt/nginx-controller/clickhouse_data.

 

NFS

To use NFS for external storage for the analytics and/or config database, consider the following:

  • Make certain that the NFS version used by the server is supported by the client system where you’re installing NGINX Controller.
  • If you’re using NFS v4 file locking or Network Lock Manager (NLM) on the NFS server, make sure that the client system that’s running your NGINX Controller has access to the mount point.
  • Install the nfs-common (on Ubuntu/Debian) or nfs-utils (on CentOS/RedHat) package on all hosts on which NGINX Controller will be installed.
  • The no_root_squash option must be set for the mount point on the NFS server. If this is not allowed, the owner of the path used for the analytics database must be set to 101:101 and the owner of the path for the config database must be set to 70:70.
  • The config database should support a throughput of 2 MiB/s or greater.
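
One way to check the no_root_squash / ownership requirement above before installing, as an added example that is not part of the NGINX Controller documentation. The export paths and client address are constructed placeholders, and clients are matched by exact string only.

```python
# Owner (uid, gid) the page requires when root squashing stays on.
REQUIRED_OWNER = {"analytics": (101, 101), "config": (70, 70)}

# Constructed sample /etc/exports; paths and client address are placeholders.
SAMPLE_EXPORTS = """
/srv/controller/analytics 192.0.2.10(rw,sync,no_root_squash)
/srv/controller/config    192.0.2.10(rw,sync)  # root_squash is the default
"""


def parse_exports(text):
    """Parse exports(5) text into {path: {client: set_of_options}}."""
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            client, _, opts = spec.partition("(")
            options = {o for o in opts.rstrip(")").split(",") if o}
            exports.setdefault(path, {})[client] = options
    return exports


def check_export(exports, path, client, database, owner):
    """Apply the page's NFS rule to one database path as seen by one client.

    owner is the (uid, gid) of the exported directory, e.g. from os.stat().
    Clients are matched by exact string; wildcards and netgroups are not expanded.
    """
    options = exports.get(path, {}).get(client)
    if options is None:
        return False, "path is not exported to this client"
    if "no_root_squash" in options:
        return True, "no_root_squash is set"
    uid, gid = REQUIRED_OWNER[database]
    if owner == (uid, gid):
        return True, f"root is squashed and owner is {uid}:{gid}"
    return False, f"set no_root_squash or change owner to {uid}:{gid}"


if __name__ == "__main__":
    parsed = parse_exports(SAMPLE_EXPORTS)
    # Both directories are assumed to be owned by root (0, 0) on the server.
    print(check_export(parsed, "/srv/controller/analytics", "192.0.2.10", "analytics", (0, 0)))
    print(check_export(parsed, "/srv/controller/config", "192.0.2.10", "config", (0, 0)))
```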

 

AWS EBS

Important:
If you plan to run NGINX Controller on AWS EC2 instances, we recommend using NFS shares for the external volumes. Using EBS shares for multi-node clusters is not recommended because of the EBS Availability Zone limitations; for example, the requirement to have EC2 instances and EBS volumes in the same Availability Zone.

If you are installing NGINX Controller on AWS EC2 instances and plan to use EBS volumes for the analytics and/or config database, consider the following:

You will need to add an IAM role like the ones shown below.

  • IAM Role for Single-Node Installation

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "autoscaling:DescribeAutoScalingGroups",
            "autoscaling:DescribeLaunchConfigurations",
            "autoscaling:DescribeTags",
            "ec2:DescribeInstances",
            "ec2:DescribeRegions",
            "ec2:DescribeRouteTables",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSubnets",
            "ec2:DescribeVolumes",
            "ec2:CreateSecurityGroup",
            "ec2:CreateTags",
            "ec2:CreateVolume",
            "ec2:ModifyInstanceAttribute",
            "ec2:ModifyVolume",
            "ec2:AttachVolume",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:CreateRoute",
            "ec2:DeleteRoute",
            "ec2:DeleteSecurityGroup",
            "ec2:DeleteVolume",
            "ec2:DetachVolume",
            "ec2:RevokeSecurityGroupIngress",
            "ec2:DescribeVpcs",
            "iam:CreateServiceLinkedRole",
            "kms:DescribeKey"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
    
  • IAM Role for Multi-Node Installation

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "autoscaling:DescribeAutoScalingGroups",
            "autoscaling:DescribeLaunchConfigurations",
            "autoscaling:DescribeTags",
            "ec2:DescribeInstances",
            "ec2:DescribeRegions",
            "ec2:DescribeRouteTables",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSubnets",
            "ec2:DescribeVolumes",
            "ec2:CreateSecurityGroup",
            "ec2:CreateTags",
            "ec2:CreateVolume",
            "ec2:ModifyInstanceAttribute",
            "ec2:ModifyVolume",
            "ec2:AttachVolume",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:CreateRoute",
            "ec2:DeleteRoute",
            "ec2:DeleteSecurityGroup",
            "ec2:DeleteVolume",
            "ec2:DetachVolume",
            "ec2:RevokeSecurityGroupIngress",
            "ec2:DescribeVpcs",
            "elasticloadbalancing:AddTags",
            "elasticloadbalancing:AttachLoadBalancerToSubnets",
            "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
            "elasticloadbalancing:CreateLoadBalancer",
            "elasticloadbalancing:CreateLoadBalancerPolicy",
            "elasticloadbalancing:CreateLoadBalancerListeners",
            "elasticloadbalancing:ConfigureHealthCheck",
            "elasticloadbalancing:DeleteLoadBalancer",
            "elasticloadbalancing:DeleteLoadBalancerListeners",
            "elasticloadbalancing:DescribeLoadBalancers",
            "elasticloadbalancing:DescribeLoadBalancerAttributes",
            "elasticloadbalancing:DetachLoadBalancerFromSubnets",
            "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
            "elasticloadbalancing:ModifyLoadBalancerAttributes",
            "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
            "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
            "elasticloadbalancing:AddTags",
            "elasticloadbalancing:CreateListener",
            "elasticloadbalancing:CreateTargetGroup",
            "elasticloadbalancing:DeleteListener",
            "elasticloadbalancing:DeleteTargetGroup",
            "elasticloadbalancing:DescribeListeners",
            "elasticloadbalancing:DescribeLoadBalancerPolicies",
            "elasticloadbalancing:DescribeTargetGroups",
            "elasticloadbalancing:DescribeTargetHealth",
            "elasticloadbalancing:ModifyListener",
            "elasticloadbalancing:ModifyTargetGroup",
            "elasticloadbalancing:RegisterTargets",
            "elasticloadbalancing:DeregisterTargets",
            "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
            "iam:CreateServiceLinkedRole",
            "kms:DescribeKey"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
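
A least-privilege review of the single-node policy above, as an added example that is not part of the NGINX Controller documentation: it splits the granted actions into read-only and mutating ones and reports which mutating actions apply to every resource. Treating the Describe/Get/List name prefixes as read-only is a heuristic assumed here.

```python
import json

# Single-node policy from this page, embedded so the review runs offline.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": ["*"],
 "Action": [
  "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations",
  "autoscaling:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions",
  "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets",
  "ec2:DescribeVolumes", "ec2:CreateSecurityGroup", "ec2:CreateTags",
  "ec2:CreateVolume", "ec2:ModifyInstanceAttribute", "ec2:ModifyVolume",
  "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateRoute",
  "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume",
  "ec2:DetachVolume", "ec2:RevokeSecurityGroupIngress", "ec2:DescribeVpcs",
  "iam:CreateServiceLinkedRole", "kms:DescribeKey"
 ]}]}
""")

# Assumption: an action whose name starts with one of these only reads state.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def as_list(value):
    """IAM accepts a bare string or object where a list is allowed."""
    return list(value) if isinstance(value, list) else [value]


def review_policy(policy):
    """Group Allow-ed actions by how much they can change and on what."""
    report = {"read": [], "write_on_wildcard": [], "write_scoped": [], "duplicates": []}
    seen = set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        wildcard = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            if action in seen:
                report["duplicates"].append(action)
                continue
            seen.add(action)
            verb = action.split(":", 1)[-1]
            if verb.startswith(READ_ONLY_PREFIXES):
                report["read"].append(action)
            elif wildcard:
                report["write_on_wildcard"].append(action)
            else:
                report["write_scoped"].append(action)
    return report


if __name__ == "__main__":
    result = review_policy(POLICY)
    print(len(result["read"]), "read-only actions")
    print(len(result["write_on_wildcard"]), "mutating actions on Resource '*':")
    for action in result["write_on_wildcard"]:
        print("  ", action)
```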
    

 


Supported PostgreSQL Versions

NGINX Controller supports the following versions of PostgreSQL:

  • PostgreSQL 12.x – works with NGINX Controller 3.9 and later.
  • PostgreSQL 9.5 – works with NGINX Controller 3.0 and later.

For a system monitoring 100 NGINX Plus instances, we recommend at least 32 GB of database storage. Database storage requirements can vary, depending on the number of NGINX Plus instances, components, published API specs, and the churn rate for configuration changes. For monitor-only implementations, the database storage needs are small; for API Management (APIM) and/or App Delivery Controller (ADC) implementations in production, the storage needs are greater.

Important:
If you use PostgreSQL 12, we recommend disabling Just-in-Time (JIT) compilation to improve NGINX Controller’s performance. To disable JIT, edit the postgresql.conf file and set jit=off.

 


Firewall/IP Settings

Configure NGINX Controller with the following firewall settings:

| Port | Used by | Used for |
|---|---|---|
| 5432 TCP | NGINX Controller database | Incoming connections to the NGINX Controller database from the NGINX Controller host. This is the default PostgreSQL port. |
| 443 TCP | NGINX Controller; NGINX Controller licensing | Incoming connections to NGINX Controller from a browser; for example, from an internal network and NGINX Plus instances. Incoming and outgoing connections used to validate the entitlements for your NGINX Controller license. |
| 8443 TCP | NGINX Controller | Incoming connections from NGINX Plus instances. You need to open port 8443 TCP if you’re running NGINX Controller v3.18.2 or earlier. |
| 8883 TCP | NGINX Controller licensing | Incoming and outgoing connections used to validate the entitlements for your NGINX Controller license. Port 8883 TCP needs to be opened only if you’re running NGINX Controller v3.15 or earlier. |

If you have a firewall running on the NGINX Controller host, enable NAT (masquerade) and open the following ports. These ports are used for internal traffic only and don’t need to be open to the outside:

| Port | Used by | Used for |
|---|---|---|
| 2379 TCP, 2380 TCP, 6443 TCP | NGINX Controller | Incoming requests to the Kubernetes control plane; used for the Kubernetes API server and etcd |
| 10250 TCP | NGINX Controller | Incoming requests to the Kubernetes worker node; used for the Kubelet API |
| 10251 TCP | NGINX Controller | Incoming requests to the Kubernetes kube-scheduler; used for the pod scheduling |
| 10252 TCP | NGINX Controller | Incoming requests to the Kubernetes kube-controller-manager; used for regulating the state of the system |
| 8472 UDP | NGINX Controller | Used for pod-to-pod communication in multi-node resilient clusters |

For more information about these ports, see the Kubernetes guide Installing kubeadm.
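
An exposure check built from the two port tables above, as an added example that is not part of the NGINX Controller documentation: given a Controller version and the ports open to the outside, it reports version-specific ports that are no longer needed and internal-only ports that are exposed. It assumes "v3.15 or earlier" includes 3.15.x patch releases; the sample input is constructed.

```python
# Ports the page lists for the NGINX Controller host. The value is the last
# release that still needs the port; None means every release needs it.
# 5432/tcp is left out: the page assigns it to the database host.
EXTERNAL = {"443/tcp": None, "8443/tcp": (3, 18, 2), "8883/tcp": (3, 15)}

# Ports the page describes as internal traffic only.
INTERNAL_ONLY = {"2379/tcp", "2380/tcp", "6443/tcp", "10250/tcp",
                 "10251/tcp", "10252/tcp", "8472/udp"}


def parse_version(text):
    """'v3.18.2' -> (3, 18, 2)"""
    return tuple(int(part) for part in text.lstrip("vV").split("."))


def needed(version, last_release):
    """True if `version` is `last_release` or earlier.

    Assumption: '3.15 or earlier' includes 3.15.x patch releases, so only as
    many components as `last_release` has are compared.
    """
    if last_release is None:
        return True
    return version[:len(last_release)] <= last_release


def audit_external_zone(controller_version, list_ports_output):
    """Compare ports open to the outside with what the page calls for."""
    version = parse_version(controller_version)
    open_ports = set(list_ports_output.split())
    required = {p for p, last in EXTERNAL.items() if needed(version, last)}
    return {
        "missing": sorted(required - open_ports),
        "legacy_open": sorted((set(EXTERNAL) - required) & open_ports),
        "internal_exposed": sorted(INTERNAL_ONLY & open_ports),
        "unlisted": sorted(open_ports - set(EXTERNAL) - INTERNAL_ONLY),
    }


# Constructed sample in the format printed by `firewall-cmd --list-ports`.
SAMPLE = "443/tcp 8443/tcp 8883/tcp 6443/tcp 10250/tcp 22/tcp"

if __name__ == "__main__":
    for release in ("3.15.1", "3.18.2", "3.22.9"):
        print(release, audit_external_zone(release, SAMPLE))
```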

 


Supported Python Versions

NGINX Controller and the NGINX Controller Agent versions 3.6 and earlier require Python 2.6 or 2.7. Python is not needed for NGINX Controller or the NGINX Controller Agent versions 3.7 and later.

 


Open-Source Licenses

The list of open-source packages and their licenses used by NGINX Controller can be found in the downloaded file that is part of the NGINX Controller package. On your NGINX Controller host, see controller-installer/files/license-controller.md.

In addition, see the AskF5 KB article Third-party software for NGINX Controller controller-datacollection-components for third-party software packages that may be used by or distributed with controller-datacollection-components. This information is not included in the license-controller.md that’s mentioned above.