Define the following networks and one subnet for each, with sufficient IP address space in each network:
- Management network (mgmt) – Configure the VNF Manager and BIG-IP VE management interfaces on this network, specifying at least one DNS server in the subnet configuration.
- Provider gateway network (pgw_net) – Network used for the internal-facing DAG data plane interfaces.
- Provider data network (pdn_net) – Network used for the external-facing DAG data plane interfaces.
- DAG to provider gateway network (pgw_dag_net) – Network used for the internal-facing VNF data plane interfaces. VNFM creates this network automatically during the launch process.
- DAG to provider data network (pdn_dag_net) – Network used for the external-facing VNF data plane interfaces. VNFM creates this network automatically during the launch process.
- Control network (control_net) – Network used for communication with control and value-added services.
- HA network (ha_net) – Network used for internal HA communication between clustered VNF BIG-IP VE instances.
- External network (external_net) – Network used for accessing the VNFM externally. You assign this network when attaching a floating IP to the VNFM instance.
Security groups are required for versions 1.2.1 and earlier, but are OPTIONAL for version 1.3.0 and later for ALL blueprint solutions.
To set up security groups, consider the following:
- SNMP security group (snmp_sg) – Allow UDP ports 161/162.
- Control security group (control_sg) – Configure as needed for your environment.
- Management security group (mgmt_sg) – Allow TCP port 443, and add an Ingress rule for ALL ICMP.
- Provider data network security group (pdn_sg) – Configure as needed for your environment.
- Provider gateway security group (pgw_sg) – Configure as needed for your environment.
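One way to script the SNMP and management security group rules listed above with the OpenStack CLI. This is an added example, not part of the original documentation; limiting each rule to a source range with `--remote-ip`, treating the SNMP rule as ingress, and the sample CIDRs are assumptions.

```shell
#!/bin/sh
# Added example: builds the OpenStack CLI commands for snmp_sg and mgmt_sg.
# MGMT_CIDR and SNMP_CIDR are assumed source ranges (constructed values);
# the page itself does not specify a remote prefix or the SNMP direction.

# Validate an IPv4 CIDR loosely so a typo is rejected instead of widening a rule.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print one command per line; nothing is executed here.
sg_plan() {
    mgmt_cidr=$1
    snmp_cidr=$2
    for c in "$mgmt_cidr" "$snmp_cidr"; do
        valid_cidr "$c" || { echo "invalid CIDR: $c" >&2; return 1; }
    done
    rule="openstack security group rule create --ingress --ethertype IPv4"
    echo "openstack security group create snmp_sg"
    echo "$rule --protocol udp --dst-port 161:162 --remote-ip $snmp_cidr snmp_sg"
    echo "openstack security group create mgmt_sg"
    echo "$rule --protocol tcp --dst-port 443 --remote-ip $mgmt_cidr mgmt_sg"
    # No port range on the ICMP rule: it matches all ICMP types and codes.
    echo "$rule --protocol icmp --remote-ip $mgmt_cidr mgmt_sg"
}

# Run the plan only when APPLY=1; otherwise print it for review.
sg_apply() {
    plan=$(sg_plan "$1" "$2") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$plan" | while IFS= read -r cmd; do
            # Each line holds only fixed strings and validated CIDRs.
            sh -c "$cmd" || exit 1
        done
    else
        printf '%s\n' "$plan"
    fi
}

# Constructed sample ranges (RFC 5737 documentation prefixes).
sg_apply "${MGMT_CIDR:-192.0.2.0/24}" "${SNMP_CIDR:-198.51.100.0/24}"
```

Review the printed plan first, then rerun with `APPLY=1` and your own `MGMT_CIDR` and `SNMP_CIDR` values.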
The default behavior for VIO is to create a default security group for every instance. If you are not using security groups, then in the inputs files for VNFM version 1.3.0 and later, set the security_groups input to disable; for VNFM version 1.4.0 and later, in the VNF-BIG-IQ solution blueprint, set the security_groups input to 0 (disable).