Microsoft Azure: Multi-NIC BIG-IP VE

When you deploy BIG-IP VE from the Azure Marketplace, BIG-IP VE has a single NIC and only one available IP address.

If you prefer a configuration with multiple NICs and/or IP addresses, you can deploy BIG-IP VE by using:

  • An Azure template
  • PowerShell
  • The Azure command-line interface (CLI)

For more information about multiple NICs in Azure, see https://azure.microsoft.com/en-gb/updates/ga-multiple-ips-per-nic.

When you create a multi-NIC configuration of BIG-IP VE in Azure, you can specify which NIC to use for which traffic.

You may want to have management and data (application) traffic on the same NIC. If you do:

  • You can use a smaller Azure instance type (one that supports fewer NICs)
  • The configuration is simpler and has only one external-facing IP address

A configuration with separate NICs and IP addresses is more of a traditional BIG-IP VE setup, with a management, internal, and external subnet, for example.

F5 maintains templates that you can use to create multi-NIC deployments. For more information, see https://github.com/F5Networks.

About management and data traffic on a shared NIC

When you deploy BIG-IP VE with multiple NICs, your management and data (application) traffic can share the external NIC and use the same IP address (with different ports). The internal NIC is for internal traffic.

[Figure: BIG-IP VE with management and data traffic on a shared external NIC]

In this example, eth0 is for the external VLAN, and eth1 for the internal VLAN.

Caution: This solution has some limitations.

Azure has service limits.

Though you may have more than one NIC, Azure limits each NIC’s throughput. You should read and understand these limitations.

https://azure.microsoft.com/en-us/documentation/articles/azure-subscription-service-limits/#networking-limits

You are changing the default behavior of BIG-IP VE in Azure.

When you deploy BIG-IP VE in Azure with one NIC, BIG-IP VE automatically creates an internal VLAN and self IP address. When you deploy BIG-IP VE with more than one NIC, you are changing the settings that enforce this default behavior.

Share a NIC for management and data traffic

To use multiple NICs in Azure and share a NIC for management and data traffic, you must change the default single-NIC launch behavior. You can do this as part of your deployment or afterwards.

  1. Use SSH to connect to BIG-IP VE, and ensure that you are at the tmsh prompt.

  2. Set this variable so that when BIG-IP VE finds multiple NICs, it automatically provisions the primary NIC.

    modify sys db provision.1nic value forced_enable

  3. Confirm that the value is correct.

    list sys db provision.1nic

    The result should be value “forced_enable”.

  4. BIG-IP VE automatically creates a VLAN named internal and an associated self IP address. Disable this functionality so you can create the VLAN and self IP address with the names you want. (For example, you can name the VLAN external.)

    modify sys db provision.1nicautoconfig value disable

  5. Confirm that the value is correct.

    list sys db provision.1nicautoconfig

    The result should be value “disable”.

  6. Restart BIG-IP VE.

    bigstart restart

  7. Create the VLAN. You must do this step in tmsh.

    create net vlan external interfaces add { 1.0 { untagged }}

  8. Create the self IP address. You must do this step in tmsh.

    create net self external_ip address 10.9.0.10/24 vlan external allow-service default

    In this example, the IP address is an address on your external subnet.

  9. Create a gateway. You must do this step in tmsh.

    create net route default gw 10.9.0.1

    In this example, the IP address is an address on your external subnet. This address usually ends in 1.

  10. Save the configuration.

    save sys config

  11. Reboot BIG-IP VE.

    reboot

When BIG-IP VE is available, you can open the Configuration utility and view the interfaces, self IP address, and VLAN you created. If you have more than two NICs, you can now create them. In this example, you would create an internal VLAN for the second NIC. You can also enable config sync now. You should not change the provision.1nic database variable value when you do.

BIG-IP VE uses port 443 for management traffic by default. You should change the port if you want to use 443 for other traffic.
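
The following script is an added example, not F5 code: it checks the two database variables from steps 2 through 5 and confirms that the step 9 gateway is inside the step 8 self IP subnet before you restart. The function names and the sample tmsh output are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example (not F5 code). Sample tmsh output below is constructed.

# Print the value field from `list sys db <name>` output read on stdin.
db_value() {
    awk '$1 == "value" { gsub(/"/, "", $2); print $2; exit }'
}

# check_db <name> <expected> <tmsh-output>: compare against the expected value.
check_db() {
    actual=$(printf '%s\n' "$3" | db_value)
    if [ "$actual" = "$2" ]; then
        echo "OK   $1 = $actual"
    else
        echo "FAIL $1 = '${actual:-unset}' (expected $2)"
        return 1
    fi
}

# Convert a dotted-quad IPv4 address to an integer (runs in a subshell).
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# gw_in_subnet <self-ip/prefix> <gateway>: true if both share the subnet.
gw_in_subnet() {
    mask=$(( (0xFFFFFFFF << (32 - ${1#*/})) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "${1%/*}") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# preflight <1nic-output> <autoconfig-output> <self-ip/prefix> <gateway>
preflight() {
    rc=0
    check_db provision.1nic forced_enable "$1" || rc=1
    check_db provision.1nicautoconfig disable "$2" || rc=1
    gw_in_subnet "$3" "$4" || { echo "FAIL gateway $4 is outside $3"; rc=1; }
    return $rc
}

# Constructed samples: the second variable has not been changed yet.
SAMPLE_1NIC='sys db provision.1nic {
    value "forced_enable"
}'
SAMPLE_AUTOCONFIG='sys db provision.1nicautoconfig {
    value "enable"
}'
preflight "$SAMPLE_1NIC" "$SAMPLE_AUTOCONFIG" 10.9.0.10/24 10.9.0.1 ||
    echo "Fix the items above before 'bigstart restart'."
```

On BIG-IP VE, pass real output in place of the samples, for example "$(tmsh list sys db provision.1nic)" from the bash prompt.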

About management and data traffic on separate NICs

When you deploy BIG-IP VE with multiple NICs, you can use a separate NIC for management, data (application), and internal traffic.

In this configuration, each NIC can have one or more IP addresses associated with it. For example, your external NIC can now have multiple IP addresses, each of which you can use as a virtual server.

[Figure: BIG-IP VE with separate NICs for management, external, and internal traffic]

This deployment shows three subnets:

  • An external, public subnet, where you’ll create a virtual server to accept Internet traffic.
  • An internal, private subnet, where your application servers live.
  • A management subnet, where you can access the BIG-IP Configuration utility; you use the Configuration utility to configure BIG-IP VE.

Traffic flows from clients through BIG-IP VE to application servers.

Note: This example shows a single, standalone BIG-IP VE. To use config sync with two or more BIG-IP VEs in the same availability set, add all virtual server IP addresses to traffic group none.

Use separate NICs for management and data traffic

When you deploy BIG-IP VE with multiple NICs, you can separate your management, data (application), and internal traffic so that each has its own NIC.

To create this multi-NIC configuration in Azure, you need the following resources:

  • An Azure instance type that supports more than one NIC. For more information, see https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sizes-general.
  • A VNET with multiple subnets (for example, management, internal, and external).
  • Three NICs, each on a unique subnet. The first NIC is for management.
  • A public IP address, associated with the external NIC, for the virtual server.
  • An availability set, if you plan to add more BIG-IP VE instances.

Depending on your region and the version of BIG-IP VE you want to deploy, you must choose a BIG-IP VE image. To view the list of available images:

The publisher is f5-networks.

Then you can deploy an instance of BIG-IP VE. If necessary, select the availability set during deployment.

After you deploy BIG-IP VE, you must:

  • Ensure that the network security group (NSG) allows traffic through port 443. The BIG-IP Configuration utility is accessible through this port.
  • If you used an SSH key, use an SSH tool to connect to BIG-IP VE and set the admin password by using the tmsh command modify auth password admin.
  • In BIG-IP VE, configure a self IP for each private IP address assigned to a NIC in Azure. Then create a corresponding VLAN. Finally, create a pool and virtual server.