F5 in Cloud: Compliant Blue-Green Delivery
- Sai Sravan Cherukuri
- Jun 8
(A Day in the Life of a PaaS Automation Team)

As a PaaS automation lead, I know some deliverables are bigger than others. A while ago, I was tasked with implementing a Blue-Green Deployment model using F5 in my automation workstream, a foundational component we needed for all future projects onboarding to our PaaS platform in the federal cloud.
No pressure, right?
This wasn't just another box to check. We're talking about a system meant to serve critical applications, some touching tax systems, secure government workflows, and citizen services. One slip-up could have a huge ripple effect. So, we had to get it right and ensure it was repeatable, compliant, and automated.
Let me explain what we built and learned through the lens of something more familiar: an airport runway.
Blue-Green Deployment: Think Runways, Not Risk
Imagine you're at a busy international airport. Flights are taking off and landing nonstop on Runway Blue. Meanwhile, the airport crew is quietly preparing Runway Green, resurfacing the tarmac, updating lighting, and running safety checks. When everything's good to go, the air traffic controller switches all planes to the newly upgraded Runway Green, and operations continue like nothing ever happened.
If something does go wrong? No problem, they flip back to Runway Blue.
This, my friends, is the essence of Blue-Green Deployment.
Blue is your current live application.
Green is the updated version waiting in the wings.
Once Green passes all health checks, you route user traffic there.
If issues pop up, you revert to Blue.
No user impact. No downtime. No panic at the gate.
Where F5 Steps In: The Air Traffic Controller of Apps
In our tech stack, F5 BIG-IP plays the air traffic controller role. It coordinates who lands where, ensuring the traffic flows smartly, securely, and with zero turbulence.
Here's how F5 supported our compliant Blue-Green architecture:
1. Smart Traffic Management
Using F5 LTM (Local Traffic Manager), we defined traffic policies to:
Route users to the active (Blue or Green) environment.
Instantly fail over traffic in case of issues (think rollback in seconds).
Slowly phase in traffic (Canary style) if needed.
This was controlled by iRules or traffic policies, which kept the configuration automation-friendly and auditable.
2. Web App Firewall: Don't Let the Bots In
Security wasn't a bolt-on. It was baked in. We used F5 Advanced WAF to shield both environments from:
OWASP Top 10 threats
Botnets
API fuzzing and abuse
The best part? Thanks to centralized policy enforcement, the WAF config stayed consistent whether users were hitting Blue or Green.
3. SSL Offloading: Make It Fast, Make It Safe
We didn't want our app servers choking on SSL decryption. F5 handled SSL offloading at the edge, freeing up compute resources and keeping performance smooth even during heavy rollout windows.
4. IaC-Driven Orchestration with AS3 + Terraform
This was our favorite part. Using F5's Application Services 3 Extension (AS3) with Terraform, we turned the F5 configuration into Infrastructure as Code.
Here's a simplified snippet of what that looked like in Terraform:
# AS3 declarations are strict JSON, so notes live out here as HCL comments.
# To cut over, change "pool" in app_vs from "blue_pool" to "green_pool".
# The "generic" template is used because the "http" template requires the
# virtual server to be named serviceMain; "generic" allows the name app_vs.
resource "bigip_as3" "blue_green" {
  as3_json = <<EOF
{
  "class": "AS3",
  "action": "deploy",
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.24.0",
    "id": "blue-green-app",
    "Tenant": {
      "class": "Tenant",
      "App": {
        "class": "Application",
        "template": "generic",
        "blue_pool": {
          "class": "Pool",
          "members": [
            {
              "servicePort": 80,
              "serverAddresses": ["10.0.0.10"]
            }
          ]
        },
        "green_pool": {
          "class": "Pool",
          "members": [
            {
              "servicePort": 80,
              "serverAddresses": ["10.0.0.20"]
            }
          ]
        },
        "app_vs": {
          "class": "Service_HTTP",
          "virtualAddresses": ["10.0.0.100"],
          "pool": "blue_pool"
        }
      }
    }
  }
}
EOF
}
Want to switch from Blue to Green? Just update the pool reference in app_vs. That's it. Version-controlled, testable, and CI/CD friendly.
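A CI gate for the switch described above, as an added example that is not from the original post: it refuses a target that is not a populated pool and confirms that a cutover changes only the `pool` reference of `app_vs`. The function names and the abbreviated sample declaration are constructed for illustration.

```python
import copy

# Constructed sample: the article's declaration, abbreviated to the fields the gate reads.
BLUE_LIVE = {"class": "AS3", "action": "deploy", "declaration": {
    "class": "ADC", "schemaVersion": "3.24.0", "id": "blue-green-app",
    "Tenant": {"class": "Tenant", "App": {
        "class": "Application",
        "blue_pool": {"class": "Pool", "members": [
            {"servicePort": 80, "serverAddresses": ["10.0.0.10"]}]},
        "green_pool": {"class": "Pool", "members": [
            {"servicePort": 80, "serverAddresses": ["10.0.0.20"]}]},
        "app_vs": {"class": "Service_HTTP",
                   "virtualAddresses": ["10.0.0.100"], "pool": "blue_pool"},
    }}}}

def flatten(node, path=""):
    """Yield (pointer, leaf) pairs so two declarations can be compared field by field."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from flatten(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from flatten(value, f"{path}/{index}")
    else:
        yield path, node

def changed_paths(before, after):
    """Return the sorted pointers whose values differ between two declarations."""
    a, b = dict(flatten(before)), dict(flatten(after))
    return sorted(p for p in a.keys() | b.keys() if a.get(p) != b.get(p))

def cutover(decl, target):
    """Return a copy of decl with app_vs pointed at target, refusing unsafe targets."""
    app = decl["declaration"]["Tenant"]["App"]
    pool = app.get(target)
    if not isinstance(pool, dict) or pool.get("class") != "Pool":
        raise ValueError(f"{target!r} is not a Pool in this application")
    if not any(m.get("serverAddresses") for m in pool.get("members", [])):
        raise ValueError(f"{target!r} has no members to receive traffic")
    switched = copy.deepcopy(decl)
    switched["declaration"]["Tenant"]["App"]["app_vs"]["pool"] = target
    return switched

def is_pure_cutover(before, after):
    """True only if the pool reference of app_vs is the single changed field."""
    return changed_paths(before, after) == ["/declaration/Tenant/App/app_vs/pool"]
```

Run against the declaration in the last approved commit and the proposed one, `is_pure_cutover` gives reviewers a one-line answer to whether a "switch to Green" change also touched pool members or the virtual address.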
Real-World Case: Portal Upgrade
Here's what happened:
Green environment spun up with the new UI.
F5 monitored health, WAF logs, and latency metrics in real time.
Once everything was clear, we updated the route to Green with a simple policy change.
Traffic shifted instantly, with no user disruption.
We left Blue live (but idle) for 48 hours, just in case.
Nothing broke. Nothing rolled back. Everything was secure and fast.
Final Thoughts
Delivering a robust, compliant Blue-Green deployment model wasn't just a technical challenge but a commitment to uptime, security, and user trust. With F5 as the backbone, I was able to deliver a reusable automation pattern for projects across our PaaS ecosystem.
So, whether you're managing infrastructure for federal services, financial systems, or critical healthcare platforms, F5 isn't just a load balancer. It's your air traffic control tower in the cloud.
And when that next project comes in hot with a zero-downtime mandate, you'll be ready to clear them for takeoff on Runway Green at full throttle.