Cloud Docs Home > F5 Public Cloud Integrations Index

Microsoft Azure: Single NIC BIG-IP VE

Complete these tasks to deploy BIG-IP VE in a single NIC configuration in the Azure environment.

This is a specific example, which you can use to test a single NIC deployment. When done, you should be able to send traffic to your application servers through BIG-IP VE.

Step Task Details
1 Prepare to deploy

Choose an F5 license. You can get a trial license if you need one.

In Azure, create an application server in a resource group. BIG-IP VE will be in the same resource group.

Create a key pair (recommended for production environments).

2 Deploy a BIG-IP VE instance in Resource Manager or Classic Find an F5 BIG-IP VE image in the Azure Marketplace and create an instance in the same resource group as your application. For BIG-IP VE, choose an Azure instance type that has at least 2 vCPU, 4 G memory.
3 In Azure, create rules that allow inbound traffic to BIG-IP VE When you deploy BIG-IP VE, Azure creates a network security group. Add an inbound security rule to allow traffic to port 8443 for the BIG-IP Configuration utility and port 443 for your application.
4 Set an admin password for BIG-IP VE

If you used a key when you deployed the instance, use SSH to connect to BIG-IP VE and set a password for the admin account. You will use the admin account to access the BIG-IP Configuration utility.

  • In tmsh, type modify auth password admin
5 License BIG-IP VE Use the admin account to log in to the BIG-IP Configuration utility (https://<publicIPaddress>:8443).
6 Provision BIG-IP VE Enable the modules you need.
7 Create a pool and add members to it Create a pool that contains your application servers. Pool name: web_pool
8 Create a virtual server

Create a virtual server, which provides a destination for your inbound web traffic and points to the pool of web servers.

  • Virtual IP address: 10.0.0.200, service port: 443

Note: Because IP addresses in Azure may change, use the DNS name of your application server as the pool member.

Sample single-NIC configuration

The following diagram shows a basic single NIC deployment of a BIG-IP VE instance in Microsoft Azure.

When you deploy BIG-IP VE from the Azure Marketplace, only a single NIC is available. All other configurations must use an ARM template.

Follow the steps in this guide to create this deployment.

Note: Alternately, you can use a CloudFormation template to create this deployment. For more information about CloudFormation templates provided by F5, go to https://github.com/F5Networks.

../_images/diagram_singlenic1.png

As shown in the diagram, all access to the BIG-IP VE appliance is through the same IP address and virtual network interface (vNIC). When you first boot, BIG-IP VE creates networking objects (vNIC 1.0, a VLAN, and a self IP) and sets the port for the BIG-IP Configuration utility to 8443.

Because only one IP is available in this single-NIC configuration, the BIG-IP VE high availability (HA) feature does not work. If you want to do HA (create an active-standby pair), use the template available on https://github.com/F5Networks.

If you have two or more applications that need access to the same port, you have several options, including:

  • BIG-IP VE supports Server Name Indicator (SNI), which allows a single virtual IP to host multiple domains. For more information, see https://support.f5.com/csp/#/article/K13452.
  • If you are using Windows/IIS web sites, add a DNS record for each domain name and have them both point to the same IP address. The browser sends the URL in the host header field of the request and serves the correct web site.
  • Use BIG-IP iRules to make pool decisions based on header content.

Follow the steps in this guide, or, if you’d prefer, watch a video of the deploy:

Deploy BIG-IP VE in Azure Resource Manager

In order to create a virtual machine running BIG-IP VE in Azure, you can deploy BIG-IP VE in the Azure Resource Manager deployment model.

For Azure Classic instructions, see Deploy BIG-IP VE in Azure Classic.

  1. Log in to the Microsoft Azure Portal at https://portal.azure.com.

  2. On the Dashboard, select Marketplace.

  3. In the Filter field, type F5 and press Enter.

  4. From the Select a deployment model list, select Resource Manager and click Create.

    ../_images/deploy_arm.png

  5. On the Basics page, complete these settings.

    Setting Details
    Name A name for the instance.
    VM disk type Accept the default or change it.
    User name A name for the person who will log in to BIG-IP VE. You can’t change or access this field later.
    Authentication type SSH keys are more secure than passwords.
    Subscription Accept the default or change it.
    Resource group A resource group is a logical container of related resources. Accept the default or change it.
    Location Accept the default or change it.

  6. Click OK.

  7. On the Size page, choose the instance size that meets your needs, and click Select.

  8. On the Settings page, accept the defaults or change them.

  9. Click OK.

  10. On the Summary page, click OK.

  11. On the Purchase page, click Purchase to initiate the deployment. To check the status, click the notifications bell on the top toolbar.

When done, you will have the following resources:

  • A BIG-IP VE instance with one network interface and a public IP address
  • A VLAN named internal
  • A self IP address named self_1nic

Note: You do not need to use the BIG-IP Setup wizard to configure networking, because BIG-IP configured basic networking during deployment.

Deploy BIG-IP VE in Azure Classic

Follow these steps to deploy BIG-IP VE in the Azure Classic deployment model. Even though you are using Classic resources, you perform these steps in the new Resource Manager portal.

For Azure Resource Manager instructions, see Deploy BIG-IP VE in Azure Resource Manager.

  1. Log in to the Microsoft Azure Portal at https://portal.azure.com.

  2. On the Start pane, select Marketplace.

  3. In the Filter field, type F5 and press Enter.

  4. From the list of options, select the F5 image of your choice.

  5. From the Select a deployment model`* list, select :guilabel:`Classic and then click Create.

    ../_images/deploy_classic.png

  6. On the Create VM page:

    Setting Details
    Host Name A name for the virtual appliance.
    User name A name for the person who will log in. You can’t change or access this field later.
    Authentication Type SSH keys are more secure than passwords.
    Pricing Tier Accept the default or change it.

  7. For Pricing Tier, leave the default or choose the instance size that meets your needs and click Select.

  8. For Optional Configuration, note the following details.

    Setting Details
    Availability set
    • All instances in an availability set must have the same subnets.
    • BIG-IP high availability is currently not supported in Azure Classic, so you should configure the BIG-IP to reboot if a daemon fails. For details, see the BIG-IP System: Essentials guide on askf5.com.
    Network Select the Classic virtual network of your choice. If you accept the default, Azure creates a new virtual network under the Resource Manager deployment model.
    Storage Select existing Classic storage or create new Classic storage.
    Endpoints
    ../_images/endpoints.png
    • Create an endpoint for port 443. This allows you to access the BIG-IP Configuration utility.
    • Create additional endpoints for any other ports that need external access. For example, port 80 if the BIG-IP VE will process HTTP traffic.
    • If you choose SSH and do not specify a public port, Azure provides a port number for you. Port numbers can’t be re-used unless you remove or reconfigure the endpoint.

  9. For Resource Group, either accept the default or click the right arrow (>) to change it. A resource group is a logical container of related resources.

    Important: If you choose an existing resource group, you will be choosing from a list of Azure Classic Cloud Services. If you create a new group, you are creating a new resource group.

  10. Confirm that the subscription and location are correct, and agree to the legal terms.

  11. Click Create.

When done, you will have the following resources:

  • A BIG-IP VE instance with one network interface
  • A VLAN named internal
  • A self IP address named self_1nic

Note: You do not need to use the BIG-IP Setup wizard to configure networking, because BIG-IP configured basic networking during deployment.

Create inbound traffic rules

In order to access the BIG-IP Configuration utility, you must open port 8443. In order to connect to your application through BIG-IP VE, you must open port 443 (in this example).

  1. In the Azure portal, click Browse -> Network security groups.

  2. Filter the list to find your group.

  3. On the Settings blade, click Inbound security rules.

  4. By default, port 22 is open, so you can connect to BIG-IP by using SSH.

  5. On the Inbound security rules blade, click Add.

  6. Leave the default settings, but enter a name and for the Destination port range, type 443.

    This allows SSL application traffic for port 443 to reach BIG-IP VE.

  7. Click OK.

Now complete the steps again, using 8443 as the Destination port range. This allows management traffic for port 8443 to reach BIG-IP VE.

Set the admin password for BIG-IP VE

The first time you boot BIG-IP VE, you must connect to the instance and create a strong admin password. You will use the admin account and password to access the BIG-IP Configuration utility.

This management interface may be accessible to the Internet, so ensure the password is secure.

This example shows how to use PuTTy to connect, but you can use any SSH utility.

  1. Open PuTTy and in the Host Name (or IP address) field, enter the external IP address.

    ../_images/admin_password11.png

  2. In the Category pane on the left, click Connection -> SSH -> Auth.

  3. In the Private key file for authentication field, choose your .ppk file.

    ../_images/admin_password21.png

  4. Click Open.

  5. If a host key warning appears, click OK.

    The terminal screen displays: login as:.

  6. Type admin and press Enter.

    You are now at the tmsh command prompt.

  7. Modify the admin password:

    modify auth password admin

    The terminal screen displays the message:

    changing password for admin
    new password:
    
  8. Type the new password and press Enter.

    The terminal screen displays the message:

    confirm password

  9. Re-type the new password and press Enter.

  10. Ensure that the system retains the password change and press Enter.

    save sys config

    The terminal screen displays the message:

    Saving Ethernet mapping...done

License BIG-IP VE

You must enter license information before you can use BIG-IP VE.

  1. Open a web browser and log in to the BIG-IP Configuration utility by using https with the external IP address and port 8443, for example: https://<external-ip-address>:8443. The username is admin and the password is the one you set previously.

  2. On the Setup Utility Welcome page, click Next.

  3. On the General Properties page, click Activate.

  4. In the Base Registration key field, enter the case-sensitive registration key from F5.

    For Activation Method, if you have a production or Eval license, choose Automatic and click Next.

    If you chose Manual, complete these steps:

    1. In the Step 1: Dossier field, copy all of the text and then click Click here to access F5 Licensing Server.

      ../_images/license11.png

      A separate web page opens.

    2. On the new page, click Activate License.

    3. In the Enter your dossier field, paste the text and click Next.

      ../_images/license21.png

    4. Accept the agreement and click Next.

    5. On the Activate F5 Product page, copy the license text in the box. Now go back to the BIG-IP Configuration utility and paste the text into the Step 3: License field.

      ../_images/license31.png

    6. Click Next.

The BIG-IP VE system registers the license and logs you out. When the configuration change is successful, click Continue to provision BIG-IP VE.

Provision BIG-IP VE

You must confirm the modules you want to run before you can begin to work in the BIG-IP Configuration utility.

  1. Open a web browser and log in to the BIG-IP Configuration utility.

  2. On the Resource Provisioning screen, change settings if necessary and click Next.

  3. On the Device Certificates screen, click Next.

  4. On the Platform screen, in the Admin Account field, re-enter the password for the admin account and click Next.

    ../_images/provision11.png

    BIG-IP VE logs you out.

  5. When you log back in, on the Setup Utility -> Network screen, in the Advanced Network Configuration area, click Finished.

    ../_images/provision2.png

Change the configuration utility port

The BIG-IP Configuration utility uses port 443 by default. Change the port to 8443 so you can use 443 for application traffic.

Note: These steps are for the Resource Manager deployment model only.

  1. Use a secure shell terminal (SSH), like PuTTy, to access the instance; use either the private key or user name for authentication (depending on what you specified when you created the instance). You cannot use the root login.

  2. Type tmsh to ensure you are accessing the tmsh prompt.

  3. Confirm the SSL port. list sys httpd ssl-port

    The result should be ssl-port 443.

  1. Move the port from 443 to 8443.

    modify sys httpd ssl-port 8443

  2. Confirm the move was successful. list sys httpd ssl-port

    The result should be ssl-port 8443.

  3. Add 8443 to the default self allow port list.

    modify net self-allow defaults add { tcp:8443 }

  4. Now that the Configuration utility is no longer using port 443, remove the reference to it.

    modify net self-allow defaults delete { tcp:443 }

  5. Confirm the changes. list net self-allow defaults

    tcp:pcsync-https is for 8443 and should be in the list. tcp:https is for 443 and should not be in the list.

  6. Save the changes to the system configuration.

    save sys config

  7. End the SSH session.

  8. Open a web browser and go to the BIG-IP Configuration utility by using port 8443, for example: https://<public-ip-address>:8443.

Create a pool and add members to it

Traffic goes through BIG-IP VE to a pool. Your application servers should be members of this pool.

  1. Open a web browser and go to the BIG-IP Configuration utility, for example: https://<external-ip-address>:8443.

  2. On the Main tab, click Local Traffic -> Pools.

  3. Click Create.

  4. In the Name field, type web_pool. Names must begin with a letter, be fewer than 63 characters, and can contain only letters, numbers, and the underscore (_) character.

  5. For Health Monitors, move https from the Available to the Active list.

  6. Choose the load balancing method or retain the default setting.

  7. In the New Members section, in the Address field, type the IP address of the application server.

  8. In the Service Port field, type a service port, for example, 443.

  9. Click Add.

    The list now contains the member.

  10. Add additional pool members as needed and click Finished.

Create a virtual server

A virtual server listens for packets destined for the external IP address. You must create a virtual server that points to the pool you created.

  1. In the BIG-IP Configuration utility, on the Main tab, click Local Traffic -> Virtual Servers.

  2. Click Create and populate the following fields.

    Field Value
    Name A unique name
    Destination Address/Mask BIG-IP VE’s private IP address
    Service Port 443
    HTTP Profile http
    SSL Profile (Client) clientssl
    SSL Profile (Server) serverssl
    Source Address Translation Auto Map
    Default Pool web_pool

    Note: These settings are for demonstration only. For details about securing a web application with SSL, see the product documentation at askf5.com.

  3. Click Finished.

Traffic to the BIG-IP VE external IP address will now go to the pool members. To test in a browser, type: https://<external-IP-address>.

Azure instances for BIG-IP VE

Choose the Microsoft Azure instance based on the F5 license you need. For more information about F5 licenses, see https://f5.com/products/how-to-buy/simplified-licensing.

F5 recommends the following Azure instances for this release of BIG-IP VE.

Note: Instance types with similar vCPU and memory are also supported.

Azure instance Good Better Best
Standard_A1 X    
Standard_D11 X    
Standard_DS1_v2 X    
Standard_DS2_v2 X    
Standard_DS11_v2 X    
Standard_A4 X X  
Standard_A6 X X  
Standard_D4 X X  
Standard_DS3 X X  
Standard_DS3_v2 X X  
Standard_DS12_v2 X X  
Standard_A7 X X X
Standard_DS4_v2 X X X
Standard_DS13_v2 X X X

Note: The minimum storage required for BIG-IP VE running all modules is 139GB. If you want to use Application Acceleration Manage (AAM), you need an additional 20GB of storage dedicated to AAM only. For more information, see Disk Management for Datastore in the AskF5 Knowledge Base at askf5.com.