Connect to management plane
To monitor and manage all your F5 NGINX Agent instances from a central management plane server, you first need to connect your instances and the server. You can configure the connection by making the required changes to the NGINX Agent configuration file.
There are three types of connections you can establish between the NGINX Agent and the management plane server:
- Mutual Transport Layer Security (mTLS) connection
- Transport Layer Security (TLS) connection
- Insecure connection
To establish a mTLS connection between the NGINX Agent and the management plane server, follow these steps:
- Edit the /etc/nginx-agent/nginx-agent.conffile to enable mTLS for NGINX Agent. Replace the example values with your own:
command:
 server:
     # the server host to connect to in order to send
     # and receive commands e.g. config apply instructions
     host: example.com
     # the server port to connect to in order to send and receive commands
     # e.g. config apply instructions
     port: 443
     # the type of connection. Currently only "grpc" is supported.
     type: grpc
 auth:
     # the token to be used in the authorization header
     # for the Agent initiated requests
     token: ...
 tls:
     # The client key to be used in the TLS/mTLS connection
     key: /etc/ssl/certs/key.pem
     # The client certificate to be used in the TLS/mTLS connection
     cert: /etc/ssl/certs/cert.pem
     # The certificate authority certificate to be used in the mTLS connection
     ca: /etc/ssl/certs/ca.pem
     # controls whether the server certificate chain and host name are verified
     skip_verify: false
     # A hostname value specified in the Subject Alternative Name extension
     server_name: example.com- 
Restart the NGINX Agent service: sudo systemctl restart nginx-agent
To establish a TLS connection between the NGINX Agent and the management plane server, follow these steps:
- 
Edit the /etc/nginx-agent/nginx-agent.conffile to enable TLS for NGINX Agent. Replace the example values with your own:command: server: # the server host to connect to in order to send and receive commands # e.g. config apply instructions host: example.com # the server port to connect to in order to send and receive commands # e.g. config apply instructions port: 443 # the type of connection. Currently only "grpc" is supported. type: grpc auth: # the token to be used in the authorization header for the # Agent initiated requests token: ... tls: # controls whether the server certificate chain and host name are verified skip_verify: falseNote: To enable server-side TLS with a self-signed certificate, you must have TLS enabled and setskip_verifytotrue, which disables hostname validation. Settingskip_verifycan be done only by updating the configuration file. This is not recommended for production environments.
- 
Restart the NGINX Agent service: sudo systemctl restart nginx-agent
Warning Insecure connections are not recommended for production environments.
To establish an insecure connection between the NGINX Agent and the management plane server, follow these steps:
- 
Edit the /etc/nginx-agent/nginx-agent.conffile to enable an insecure connection for NGINX Agent. Replace the example values with your own:command: server: # the server host to connect to in order to send and receive commands e.g. config apply instructions host: example.com # the server port to connect to in order to send and receive commands e.g. config apply instructions port: 443 # the type of connection. Currently only "grpc" is supported. type: grpc
- 
Restart the NGINX Agent service: sudo systemctl restart nginx-agent