End of Sale Notice:
F5 NGINX is announcing the End of Sale (EoS) for NGINX Controller API Management Module, effective January 1, 2024.
F5 maintains generous lifecycle policies that allow customers to continue support and receive product updates. Existing NGINX Controller API Management customers can continue to use the product past the EoS date. License renewals are not available after September 30, 2024.
See our End of Sale announcement for more details.
End of Sale Notice:
F5 NGINX is announcing the End of Sale (EoS) for NGINX Controller Application Delivery Module, effective January 1, 2024.
F5 maintains generous lifecycle policies that allow customers to continue support and receive product updates. Existing NGINX Controller Application Delivery customers can continue to use the product past the EoS date. License renewals are not available after September 30, 2024.
See our End of Sale announcement for more details.
NGINX Controller Tech Specs
Guidelines and recommendations for configuring F5 NGINX Controller.
Overview
This guide lists the technical recommendations for F5 NGINX Controller v3 and NGINX Controller Agent. Review this guide before installing or updating NGINX Controller or NGINX Controller Agent.
Supported Distributions
NGINX Controller, the NGINX Controller Agent, and the NGINX Controller Application Security Add-on support the following distributions and architectures.
See Also:
Refer to the NGINX Plus Technical Specifications guide for the distributions that NGINX Plus supports.
Distribution and Version | NGINX Controller (Control Plane) | Agent (Data Plane) | ADC App. Sec. (Data Plane) | APIM Adv. Sec. (Data Plane) | Notes |
---|---|---|---|---|---|
Amazon Linux 2 (x86_64) | Not supported | v3.0+ | Not supported | Not supported | |
Amazon Linux 2017.09+ (x86_64) | Not supported | v3.0+ | Not supported | Not supported | |
CentOS 6.5+ (x86_64) | Not supported | v3.0+ | Not supported | Not supported | • CentOS 6.5 and later versions in the CentOS 6 family are partially supported. • This distribution does not support AVRD. |
CentOS 7.4+ (x86_64) | v3.0+ | v3.0+ | v3.12+ | v3.19+ | • CentOS 7.4 and later versions in the CentOS 7 family are supported. |
Debian 8 (x86_64) | Not supported | v3.0–3.21 | Not supported | Not supported | • This distribution does not support AVRD. |
Debian 9 (x86_64) | v3.0+ | v3.0–3.21 | v3.12+ | v3.19+ | |
Debian 10 (x86_64) | Not supported | v3.17+ | v3.17+ | v3.19+ | See the NGINX Plus Admin Guide for requirements for Debian 10. |
Red Hat Enterprise Linux 6.5+ | Not supported | v3.0+ | Not supported | Not supported | • RHEL 6.5 and later versions in the RHEL 6 family are partially supported. |
Red Hat Enterprise Linux 7.4+ (x86_64) | v3.5+ | v3.5+ | v3.12+ | v3.19+ | • RHEL 7.4 and later versions in the RHEL 7 family are supported. • SELinux may interfere with NGINX Controller installation and operation. If you do enable SELinux, it must use permissive mode. Use of enforcing mode is not supported. |
Red Hat Enterprise Linux 8.0+ (x86_64) | v3.22+ | v3.22+ | v3.22+ | Not supported | • RHEL 8.0 and later versions in the RHEL 8 family are supported. • SELinux may interfere with NGINX Controller installation and operation. If you do enable SELinux, it must use permissive mode. Use of enforcing mode is not supported. |
Ubuntu 18.04 LTS (x86_64) | v3.0+ | v3.0+ | v3.13+ | v3.19+ | |
Ubuntu 20.04 LTS (x86_64) | v3.20+ | v3.12+ | v3.16.1+ | v3.19+ | |
Analytics, Visibility, and Reporting Daemon (AVRD)
NGINX Controller v3.1 and later use an Analytics, Visibility, and Reporting daemon (AVRD) to aggregate and report app-centric metrics, which you can use to track and check the health of your apps. To learn more about these metrics, see the NGINX Metrics Catalog topic.
Storage Requirements
The following table shows the minimum storage requirements we recommend for NGINX Controller. Your final storage requirements may differ depending on your environment, configuration, and the number of instances, apps, and APIs you’re managing. Production deployments, for example, will require more storage than trial deployments. Contact your NGINX Controller sales associate if you have questions about sizing for your particular environment.
We recommend using a local volume for the analytics and config databases for trial deployments, for simplicity’s sake so you can get started using NGINX Controller right away. For production environments, we recommend using an external volume for the databases for resiliency.
Resource | Path(s) | Minimum Storage |
---|---|---|
NGINX Controller | /opt/nginx-controller | 80 GB |
Analytics database | /opt/nginx-controller/clickhouse_data | • 50 GB • 150 GB if App Security is enabled |
Config database | /opt/nginx-controller/postgres_data | 10 GB |
Logs | • /var/log/nginx-controller • /var/log/journal • /var/log/pods • /var/lib/docker/containers • /var/lib/kubelet • /var/lib/kubernetes | 15 GB cumulative |
Supported Deployment Environments
You can deploy NGINX Controller v3 into the following environments:
- Bare metal
- Public cloud: Amazon Web Services, Google Cloud Platform, Microsoft Azure
- Virtual Machine
NGINX Plus Instances
NGINX Controller, using the Controller Agent, can monitor and manage up to 100 NGINX Plus instances. When using Controller App Security, NGINX Controller can monitor and manage up to 30 NGINX Plus instances with NGINX App Protect installed.
NGINX Controller supports the following NGINX Plus versions:
NGINX Plus | NGINX Controller | NGINX Controller ADC | NGINX Controller APIM |
---|---|---|---|
R30 | Not supported | 3.22.9+ | Not supported |
R29 | Not supported | 3.22.9+ | 3.19.6+ |
R28 | Not supported | 3.22.6+ | 3.19.6+ |
R27 | Not supported | 3.22.4+ | 3.19.6+ |
R26 | Not supported | 3.22.2+ | 3.19.6+ |
R25 | Not supported | 3.20.1+ | 3.19.2+ |
R24 | 3.17+ | 3.20+ | 3.18+ |
R23 | 3.12+ | 3.20.0 - 3.22.2 | 3.18+ |
R22 | 3.5+ | 3.20.0 - 3.22.1 | 3.18+ |
R21 | 3.5 - 3.12 | Not supported | Not supported |
R20 | 3.0 - 3.12 | Not supported | Not supported |
R19 | 2.6 - 3.5 | Not supported | Not supported |
NGINX App Protect Compatibility Matrix
The App Security add-on for the NGINX Controller Application Delivery module is compatible with the versions of NGINX Plus and NGINX App Protect shown in the table below. New releases of NGINX Controller ADC support the last four versions of NGINX Plus at release time.
See Also:
Refer to Using NGINX App Protect with NGINX Controller for installation instructions and additional information.
NGINX Controller version | NGINX App Protect version(s) | NGINX Plus version(s) |
---|---|---|
NGINX Controller ADC v3.22.9 | v4.5 v4.3, v4.4 v4.0, v4.1, v4.2 v3.12, v3.11 | R30 R29 R28 R27 |
NGINX Controller ADC v3.22.8 | v4.0, v4.1 v3.12, v3.11 v3.10.0, v3.9.1, v3.9.0 v3.8, v3.7, v3.6 | R28 R27 R26 R25 |
NGINX Controller ADC v3.22.7 | v4.0, v4.1 v3.12, v3.11 v3.10.0, v3.9.1, v3.9.0 v3.8, v3.7, v3.6 | R28 R27 R26 R25 |
NGINX Controller ADC v3.22.6 | v4.0, v4.1 v3.12, v3.11 v3.10.0, v3.9.1, v3.9.0 v3.8, v3.7, v3.6 | R28 R27 R26 R25 |
NGINX Controller ADC v3.22.5 | v3.12, v3.11 v3.10.0, v3.9.1, v3.9.0 v3.8, v3.7, v3.6 v3.5, v3.4, v3.3, v3.2 | R27 R26 R25 R24 |
NGINX Controller ADC v3.22.4 | v3.11 v3.10.0, v3.9.1, v3.9.0 v3.8, v3.7, v3.6 v3.5, v3.4, v3.3, v3.2 | R27 R26 R25 R24 |
NGINX Controller ADC v3.22.3 | v3.10.0, v3.9.1, v3.9.0 v3.8, v3.7, v3.6 v3.5, v3.4, v3.3, v3.2 v3.1, v3.0, v2.3 | R26 R25 R24 R23 |
NGINX Controller ADC v3.22.2 | v3.9.1, v3.9.0 v3.8, v3.7, v3.6 v3.5, v3.4, v3.3, v3.2 v3.1, v3.0, v2.3 | R26 R25 R24 R23 |
NGINX Controller ADC v3.22, v3.22.1 | v3.8, v3.7, v3.6 v3.5, v3.4, v3.3, v3.2 v3.1, v3.0, v2.3 v2.1.1 | R25 R24 R23 R22 |
NGINX Controller ADC v3.21 | v3.6 v3.5, v3.4, v3.3, v3.2 v3.1, v3.0, v2.3 v2.1.1 | R25 R24 R23 R22 |
NGINX Controller ADC v3.20.1 | v3.6 v3.5, v3.4, v3.3, v3.2 v3.1, v3.0, v2.3 v2.1.1 | R25 R24 R23 R22 |
NGINX Controller ADC v3.20 | v3.5, v3.4, v3.3, v3.2 v3.1, v3.0, v2.3 v2.1.1 | R24 R23 R22 |
NGINX Controller APIM v3.19.2 | v3.6 v3.5, v3.4 | R25 R24 |
NGINX Controller APIM v3.19 | v3.5, v3.4 | R24 |
NGINX Controller v3.18 | v3.5, v3.2 v3.1, v3.0, v2.3 v2.1.1 | R24 R23 R22 |
NGINX Controller v3.17 | v3.2 v3.1, v3.0, v2.3 v2.1.1 | R24 R23 R22 |
NGINX Controller v3.16 | v3.1, v3.0, v2.3 v2.1.1 | R23 R22 |
NGINX Controller v3.14, v3.15 | v3.0, v2.3 v2.1.1 | R23 R22 |
NGINX Controller v3.13 | v2.3 v2.1.1 | R23 R22 |
NGINX Controller v3.12 | v2.1.1 | R22 |
Supported Browsers
NGINX Controller works best with the newest and the last prior version of these browsers with JavaScript, cookies, and SSL enabled:
Important:
You may need to turn off any ad blockers while using the NGINX Controller user interface.
In some cases, the NGINX Controller user interface may not display analytics or security events if an ad blocker is enabled. Refer to the AskF5 KB article K48603454 to learn more about this issue and how to resolve it.
Hardware Specifications
The following minimum hardware specifications are required for each node running NGINX Controller:
- RAM: 8 GB RAM
- CPU: 8-Core CPU @ 2.40 GHz or similar
- Disk space: 155–255 GB free disk space. 255 GB of free space is recommended if NGINX Controller App Security is enabled. See the Storage Requirements section for a categorized list of the storage requirements.
The NGINX Controller Agent consumes as little memory and CPU as possible. CPU usage should be under 10%, and RSS memory consumption should be just a few dozen MBs. If you notice the NGINX Controller Agent consuming resources at a higher rate, you should contact NGINX Support for assistance.
NGINX Controller Database Requirements
When installing NGINX Controller, you can choose the type of volume to use for the analytics and config databases. The types of volumes that are supported are:
We recommend using a local volume for the analytics and config databases for trial deployments, for simplicity’s sake so you can get started using NGINX Controller right away. For production environments, we recommend using an external volume for the databases for resiliency.
Local Storage
When using local storage for the analytics and/or config database, we recommend the following specs:
- 100 IOPS
- 155–255 GB free disk space. 255 GB of free space is recommended if NGINX Controller App Security is enabled. See the Storage Requirements section for a categorized list of the storage requirements.
Tip:
To conserve IO and/or disk space, you can use a separate disk for the local storage directory `/opt/nginx-controller/clickhouse_data`.
NFS
To use NFS for external storage for the analytics and/or config database, consider the following:
- Make certain that the NFS version used by the server is supported by the client system where you’re installing NGINX Controller.
- If you’re using NFS v4 file locking or Network Lock Manager (NLM) on the NFS server, make sure that the client system that’s running your NGINX Controller has access to the mount point.
- Install the `nfs-common` (on Ubuntu/Debian) or `nfs-utils` (on CentOS/RedHat) package on all hosts on which NGINX Controller will be installed.
- The `no_root_squash` option must be set for the mount point on the NFS server. If this is not allowed, the owner of the path used for the analytics database must be set to `101:101` and owner of the path for config database must be set to `70:70`.
- The config database should support a throughput of 2 MiB/s or greater.
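The ownership fallback above (for NFS exports where `no_root_squash` is not allowed) and the minimum sizes from the Storage Requirements table can be checked on the client before the installer runs. This is an added example, not part of the NGINX Controller documentation or tooling; the function names are hypothetical, and it assumes the database volumes are mounted at the default paths and that the table's minimum sizes should be available as free space.

```python
import os
import shutil

GB = 10 ** 9  # the page states sizes in GB


def requirements(root="/opt/nginx-controller", app_security=False):
    """(path, owner "uid:gid", minimum free GB) for the two database paths."""
    return [
        (os.path.join(root, "clickhouse_data"), "101:101", 150 if app_security else 50),
        (os.path.join(root, "postgres_data"), "70:70", 10),
    ]


def check_volume(path, owner, min_free_gb):
    """Return a list of problems found for one database path (empty if none)."""
    if not os.path.isdir(path):
        return [f"{path}: not mounted or not a directory"]
    problems = []
    st = os.stat(path)
    actual = f"{st.st_uid}:{st.st_gid}"
    if actual != owner:
        problems.append(f"{path}: owner is {actual}, expected {owner}")
    # Assumption: the table's minimum is treated as required free space.
    free_gb = shutil.disk_usage(path).free / GB
    if free_gb < min_free_gb:
        problems.append(f"{path}: {free_gb:.1f} GB free, need {min_free_gb} GB")
    return problems


def preflight(root="/opt/nginx-controller", app_security=False):
    """Check both database paths and return every problem found."""
    problems = []
    for path, owner, min_gb in requirements(root, app_security):
        problems.extend(check_volume(path, owner, min_gb))
    return problems


if __name__ == "__main__":
    import sys
    found = preflight(app_security="--app-security" in sys.argv)
    print("\n".join(found) or "database volumes look ready")
    sys.exit(1 if found else 0)
```

The ownership check only applies when root squashing is in effect on the export; with `no_root_squash` set, skip it and keep the free-space check.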
AWS EBS
Important:
If you plan to run NGINX Controller on AWS EC2 instances, we recommend using NFS shares for the external volumes. Using EBS shares for multi-node clusters is not recommended because of the EBS Availability Zone limitations; for example, the requirement to have EC2 instances and EBS volumes in the same Availability Zone.
If you are installing NGINX Controller on AWS EC2 instances and plan to use EBS volumes for the analytics and/or config database, consider the following:
You will need to add an IAM role like that shown below.
- IAM Role for Single-Node Installation

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "autoscaling:DescribeAutoScalingGroups",
          "autoscaling:DescribeLaunchConfigurations",
          "autoscaling:DescribeTags",
          "ec2:DescribeInstances",
          "ec2:DescribeRegions",
          "ec2:DescribeRouteTables",
          "ec2:DescribeSecurityGroups",
          "ec2:DescribeSubnets",
          "ec2:DescribeVolumes",
          "ec2:CreateSecurityGroup",
          "ec2:CreateTags",
          "ec2:CreateVolume",
          "ec2:ModifyInstanceAttribute",
          "ec2:ModifyVolume",
          "ec2:AttachVolume",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:CreateRoute",
          "ec2:DeleteRoute",
          "ec2:DeleteSecurityGroup",
          "ec2:DeleteVolume",
          "ec2:DetachVolume",
          "ec2:RevokeSecurityGroupIngress",
          "ec2:DescribeVpcs",
          "iam:CreateServiceLinkedRole",
          "kms:DescribeKey"
        ],
        "Resource": [
          "*"
        ]
      }
    ]
  }
  ```
- IAM Role for Multi-Node Installation

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "autoscaling:DescribeAutoScalingGroups",
          "autoscaling:DescribeLaunchConfigurations",
          "autoscaling:DescribeTags",
          "ec2:DescribeInstances",
          "ec2:DescribeRegions",
          "ec2:DescribeRouteTables",
          "ec2:DescribeSecurityGroups",
          "ec2:DescribeSubnets",
          "ec2:DescribeVolumes",
          "ec2:CreateSecurityGroup",
          "ec2:CreateTags",
          "ec2:CreateVolume",
          "ec2:ModifyInstanceAttribute",
          "ec2:ModifyVolume",
          "ec2:AttachVolume",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:CreateRoute",
          "ec2:DeleteRoute",
          "ec2:DeleteSecurityGroup",
          "ec2:DeleteVolume",
          "ec2:DetachVolume",
          "ec2:RevokeSecurityGroupIngress",
          "ec2:DescribeVpcs",
          "elasticloadbalancing:AddTags",
          "elasticloadbalancing:AttachLoadBalancerToSubnets",
          "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
          "elasticloadbalancing:CreateLoadBalancer",
          "elasticloadbalancing:CreateLoadBalancerPolicy",
          "elasticloadbalancing:CreateLoadBalancerListeners",
          "elasticloadbalancing:ConfigureHealthCheck",
          "elasticloadbalancing:DeleteLoadBalancer",
          "elasticloadbalancing:DeleteLoadBalancerListeners",
          "elasticloadbalancing:DescribeLoadBalancers",
          "elasticloadbalancing:DescribeLoadBalancerAttributes",
          "elasticloadbalancing:DetachLoadBalancerFromSubnets",
          "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
          "elasticloadbalancing:ModifyLoadBalancerAttributes",
          "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
          "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
          "elasticloadbalancing:AddTags",
          "elasticloadbalancing:CreateListener",
          "elasticloadbalancing:CreateTargetGroup",
          "elasticloadbalancing:DeleteListener",
          "elasticloadbalancing:DeleteTargetGroup",
          "elasticloadbalancing:DescribeListeners",
          "elasticloadbalancing:DescribeLoadBalancerPolicies",
          "elasticloadbalancing:DescribeTargetGroups",
          "elasticloadbalancing:DescribeTargetHealth",
          "elasticloadbalancing:ModifyListener",
          "elasticloadbalancing:ModifyTargetGroup",
          "elasticloadbalancing:RegisterTargets",
          "elasticloadbalancing:DeregisterTargets",
          "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
          "iam:CreateServiceLinkedRole",
          "kms:DescribeKey"
        ],
        "Resource": [
          "*"
        ]
      }
    ]
  }
  ```
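Both roles above grant every action on `"Resource": ["*"]`, so a least-privilege review starts by separating the read-only calls from the ones that create, change or delete resources. The following is an added example, not part of the NGINX Controller documentation; the helper names are hypothetical, and treating `Describe*`, `Get*` and `List*` action names as read-only is an assumption of the script.

```python
import json

# The single-node policy from this page, re-wrapped for width.
SINGLE_NODE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": [
  "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations",
  "autoscaling:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions",
  "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets",
  "ec2:DescribeVolumes", "ec2:CreateSecurityGroup", "ec2:CreateTags",
  "ec2:CreateVolume", "ec2:ModifyInstanceAttribute", "ec2:ModifyVolume",
  "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateRoute",
  "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume",
  "ec2:DetachVolume", "ec2:RevokeSecurityGroupIngress", "ec2:DescribeVpcs",
  "iam:CreateServiceLinkedRole", "kms:DescribeKey"
], "Resource": ["*"]}]}
""")

# Assumption: actions named Describe*/Get*/List* are treated as read-only.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM allows a single string or object where a list is expected."""
    return value if isinstance(value, list) else [value]


def wildcard_write_actions(policy):
    """Non-read-only actions allowed on Resource "*" with no Condition."""
    found = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            name = action.partition(":")[2]
            if not name.startswith(READ_ONLY_PREFIXES):
                found.add(action)
    return sorted(found)


def by_service(actions):
    """Group 'service:Action' strings into {service: [Action, ...]}."""
    grouped = {}
    for action in actions:
        service, _, name = action.partition(":")
        grouped.setdefault(service, []).append(name)
    return grouped


if __name__ == "__main__":
    for service, names in by_service(wildcard_write_actions(SINGLE_NODE_POLICY)).items():
        print(f"{service}: {len(names)} write actions on Resource *: {', '.join(names)}")
```

The flagged actions are the candidates for a separate statement with a narrower `Resource` or a `Condition`; which restrictions NGINX Controller tolerates is not stated on this page and has to be tested in your environment.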
Supported PostgreSQL Versions
NGINX Controller supports the following versions of PostgreSQL:
- PostgreSQL 12.x – works with NGINX Controller 3.9 and later.
- PostgreSQL 9.5 – works with NGINX Controller 3.0 and later.
For a system monitoring 100 NGINX Plus instances, we recommend at least 32 GB of database storage. Database storage requirements can vary, depending on the number of NGINX Plus instances, components, published API specs, and the churn rate for configuration changes. For monitor-only implementations, the database storage needs are small; for API Management (APIM) and/or App Delivery Controller (ADC) implementations in production, the storage needs are greater.
Important:
If you use PostgreSQL 12, we recommend disabling Just-in-Time (JIT) compilation to improve NGINX Controller’s performance. To disable JIT, edit the `postgresql.conf` file and set `jit=off`.
Firewall/IP Settings
Configure NGINX Controller with the following firewall settings:
Port | Used by | Used for |
---|---|---|
5432 TCP | NGINX Controller database | Incoming connections to the NGINX Controller database from the NGINX Controller host. This is the default PostgreSQL port. |
443 TCP | • NGINX Controller • NGINX Controller licensing | • Incoming connections to NGINX Controller from a browser; for example, from an internal network and NGINX Plus instances • Incoming and outgoing connections used to validate the entitlements for your NGINX Controller license |
8443 TCP | NGINX Controller | Incoming connections from NGINX Plus instances. You need to open port 8443 TCP if you’re running NGINX Controller v3.18.2 or earlier. |
8883 TCP | NGINX Controller licensing | Incoming and outgoing connections used to validate the entitlements for your NGINX Controller license. Port 8883 TCP needs to be opened only if you’re running NGINX Controller v3.15 or earlier. |
If you have a firewall running on the NGINX Controller host, enable NAT (masquerade) and open the following ports. These ports are used for internal traffic only and don’t need to be open to the outside:
Port | Used by | Used for |
---|---|---|
2379 TCP, 2380 TCP, 6443 TCP | NGINX Controller | Incoming requests to the Kubernetes control plane; used for the Kubernetes API server and etcd |
10250 TCP | NGINX Controller | Incoming requests to the Kubernetes worker node; used for the Kubelet API |
10251 TCP | NGINX Controller | Incoming requests to the Kubernetes kube-scheduler; used for pod scheduling |
10252 TCP | NGINX Controller | Incoming requests to the Kubernetes kube-controller-manager; used for regulating the state of the system |
8472 UDP | NGINX Controller | Used for pod-to-pod communication in multi-node resilient clusters |
For more information about these ports, see the Kubernetes guide Installing kubeadm.
Supported Python Versions
NGINX Controller and the NGINX Controller Agent versions 3.6 and earlier require Python 2.6 or 2.7. Python is not needed for NGINX Controller or the NGINX Controller Agent versions 3.7 and later.
Open-Source Licenses
The list of open-source packages and their licenses used by NGINX Controller can be found in the downloaded file that is part of the NGINX Controller package. On your NGINX Controller host, see `controller-installer/files/license-controller.md`.
In addition, see the AskF5 KB article Third-party software for NGINX Controller controller-datacollection-components for third-party software packages that may be used by or distributed with controller-datacollection-components. This information is not included in the `license-controller.md` that’s mentioned above.