Amazon Web Services: Single NIC config sync across Availability Zones

The following diagram shows a basic deployment of two BIG-IP VE instances in two separate AWS Availability Zones within a VPC.

Each Availability Zone is in a different physical location, which helps ensure that your application remains available if one Availability Zone becomes unavailable.

In this deployment, the two BIG-IP VEs are synchronizing their configurations to one another; they are not communicating for the purpose of failover.

[Figure: config_sync.png, two BIG-IP VE instances in separate Availability Zones synchronizing their configuration with each other]

This deployment has the following benefits:

  • The two BIG-IP VEs run on different hardware, because they are in separate AWS Availability Zones, so a single hardware or zone failure is unlikely to take both down at the same time.
  • BIG-IP VE copies changes from one BIG-IP VE to the other through config sync.
  • Both BIG-IP VEs have Active status and are available to process traffic.
  • If one BIG-IP VE fails, the other BIG-IP VE continues to process traffic; because the two are not configured for failover, any traffic still directed to the failed system is dropped.
  • Together, the two BIG-IP VEs can process more traffic; if each BIG-IP VE has 1 Gbps of throughput, then together they have 2 Gbps.

Configure config sync between AWS Availability Zones

Before you can complete this task:

  • Your AWS VPC must have a subnet in more than one Availability Zone.
  • In AWS, you must associate all subnets with the route table.
  • In AWS, the security group must have inbound rules that allow TCP port 4353 (device trust and config sync) and TCP port 6699 (connection mirroring), in addition to the other ports you have enabled. Scope these rules to the other BIG-IP VE's private IP address rather than to 0.0.0.0/0, so that the device trust port is not reachable from outside the pair.
  • Both BIG-IP VEs must be running the same version of BIG-IP VE system software.
  • The BIG-IP VEs must not have the same device name. To view the name, use the tmsh command: list /cm device. The device name is in the first line of the result, for example cm device bigip1 {. To change the name, use mv cm device <current_device_name> <new_device_name>.
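The security group rule from the list above, as an added example (this is not F5's or AWS's own code): a POSIX shell script that prints, or with APPLY=1 executes, the `aws ec2 authorize-security-group-ingress` calls for TCP 4353 and 6699, each scoped to the peer's private /32, and that refuses a wide CIDR such as 0.0.0.0/0. The security group IDs and private IP addresses are constructed placeholders, and the script assumes the AWS CLI is installed with permission to modify the two security groups.

```shell
#!/bin/sh
# Added example, not F5 or AWS code: least-privilege security group rules
# for config sync between two BIG-IP VEs in different Availability Zones.
# Ports are the ones the prerequisites list: TCP 4353 (device trust and
# config sync) and TCP 6699 (connection mirroring). Every rule is scoped to
# the peer's private /32; group IDs and IPs below are constructed placeholders.

CONFIGSYNC_PORTS="4353 6699"

# Accept only a single-host CIDR. A wide CIDR here would expose the
# device-trust port to the whole VPC or to the Internet.
is_host_cidr() {
    case "$1" in
        0.0.0.0/*) return 1 ;;
        */32)      return 0 ;;
        *)         return 1 ;;
    esac
}

# Print the command by default; execute it only when APPLY=1 is set.
run_cmd() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# sg_allow_from_peer <security-group-id> <peer-private-ip-or-cidr>
# Opens the config sync ports on the group, from the peer address only.
sg_allow_from_peer() {
    sg_id=$1
    peer_cidr=$2
    case "$peer_cidr" in
        */*) ;;
        *)   peer_cidr="$peer_cidr/32" ;;
    esac
    is_host_cidr "$peer_cidr" || {
        echo "refusing non-host CIDR $peer_cidr for $sg_id" >&2
        return 1
    }
    for port in $CONFIGSYNC_PORTS; do
        run_cmd aws ec2 authorize-security-group-ingress \
            --group-id "$sg_id" --protocol tcp --port "$port" --cidr "$peer_cidr"
    done
}

# sg_rules_for_pair <sg-A> <ip-A> <sg-B> <ip-B>: A accepts from B, B from A.
sg_rules_for_pair() {
    sg_allow_from_peer "$1" "$4" && sg_allow_from_peer "$3" "$2"
}

# Constructed example: two instances in different AZ subnets of one VPC.
sg_rules_for_pair sg-0a1b2c3d4e5f60001 10.0.1.10 sg-0a1b2c3d4e5f60002 10.0.2.10
```

If both BIG-IP VEs share one security group, pass the same group ID twice; the script then adds one rule per port for each peer address to that group.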

Enable config sync communication when you want to automatically or manually synchronize configuration information.

Note: The following steps apply to a single-NIC configuration only. If your BIG-IP VEs have multiple NICs, use the multi-NIC deployment guide instead.

  1. Use an SSH tool to connect to each of the BIG-IP VEs.

  2. Ensure you are at the tmsh prompt.

    tmsh
    
  3. On each BIG-IP VE, disable the single-NIC auto-configuration, which otherwise manages the self IP and default route automatically and can overwrite the route changes you make in step 5.

    modify sys db provision.1nicautoconfig value disable
    
  4. Confirm that the value is correct by typing:

    list sys db provision.1nicautoconfig
    

    The return value should be: value "disable".

  5. Move the default route into a folder that is excluded from config sync. Each Availability Zone's subnet has its own gateway, so a route kept in /Common would be synchronized to the other BIG-IP VE, where that gateway is not reachable. The LOCAL_ONLY folder created below has no device group and uses traffic-group-local-only, so its contents stay local to each device.

    1. View the existing route and note the IP address.

      list net route
      
    2. Delete the route.

      delete net route default
      
    3. Create a new partition.

      create sys folder /LOCAL_ONLY device-group none traffic-group traffic-group-local-only
      
    4. Create the route in the new partition.

      create net route /LOCAL_ONLY/default network default gw <route_IP_address>
      
    5. Save the configuration.

      save sys config
      
    6. Change to the LOCAL_ONLY partition and confirm the route.

      cd /LOCAL_ONLY
      list net route
      
    7. Change back to the Common partition.

      cd /Common
      
  6. Set up device trust and config sync.

    1. On each BIG-IP VE, set the config sync address to the static private IP address of that BIG-IP VE itself.

      modify cm device <device_name> configsync-ip <private_ip_address>
      
    2. Establish device trust: On one BIG-IP VE, enter the static private IP address of the other BIG-IP VE, along with its user name and password.

      modify cm trust-domain add-device { ca-device true device-ip <peer_ip_address> device-name <peer_device_name> username <peer_username> password <peer_password> }
      
    3. On the same BIG-IP VE as the previous step, create a sync-failover device group with network failover disabled.

      create cm device-group <device_group_name> devices add { <all-bigip-device-names-separated-by-space> } type sync-failover auto-sync enabled network-failover disabled
      
    4. Sync the BIG-IP VE to the other BIG-IP VE.

      run cm config-sync to-group <device_group_name>
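The procedure above, as an added example that is not F5's code: a POSIX shell script that generates the tmsh commands of steps 3 through 6 as one batch per BIG-IP VE, so both instances receive identical steps and the per-device values (name, private IP, gateway) cannot be mixed up. Step 5.1 (list net route) is replaced by passing each Availability Zone's gateway in explicitly. The device names, IP addresses, the device-group name azsync and the admin user are constructed placeholders; the peer password is read from the BIGIP_PEER_PASSWORD environment variable, with CHANGE_ME as the fallback placeholder. Feeding the batch to tmsh via standard input (tmsh < bigip1.tmsh) is the assumed way to run it.

```shell
#!/bin/sh
# Added example, not F5 code: generate the tmsh commands of the procedure
# above as a batch per BIG-IP VE. Step 5.1 (list net route) is replaced by
# passing each AZ's gateway in explicitly; the two instances sit in different
# subnets and must not share a default route. Device names, IPs, the
# device-group name "azsync" and the credentials are constructed placeholders;
# the peer password is read from BIGIP_PEER_PASSWORD, not hard-coded here.

# Steps 3, 4, 5.2-5.5 and 6.1, identical on every device.
# tmsh_local_steps <device_name> <self_private_ip> <az_default_gateway>
tmsh_local_steps() {
    cat <<EOF
modify sys db provision.1nicautoconfig value disable
list sys db provision.1nicautoconfig
delete net route default
create sys folder /LOCAL_ONLY device-group none traffic-group traffic-group-local-only
create net route /LOCAL_ONLY/default network default gw $3
modify cm device $1 configsync-ip $2
save sys config
EOF
}

# Steps 6.2-6.4, on one device only, after the peer has run its local steps
# (its configsync-ip must already be set when the group syncs).
# tmsh_trust_steps <device_group> <self_name> <peer_name> <peer_ip> <peer_user> <peer_password>
tmsh_trust_steps() {
    cat <<EOF
modify cm trust-domain add-device { ca-device true device-ip $4 device-name $3 username $5 password $6 }
create cm device-group $1 devices add { $2 $3 } type sync-failover auto-sync enabled network-failover disabled
run cm config-sync to-group $1
save sys config
EOF
}

# batch_for <name> <ip> <gw> [<device_group> <peer_name> <peer_ip> <peer_user> <peer_password>]
# With the five trailing arguments the batch also establishes trust and
# creates the device group; without them it is the peer-side batch.
batch_for() {
    tmsh_local_steps "$1" "$2" "$3"
    if [ $# -ge 8 ]; then
        tmsh_trust_steps "$4" "$1" "$5" "$6" "$7" "$8"
    fi
}

# The prerequisites imply all of these differ between the two instances.
# check_pair <name_a> <ip_a> <gw_a> <name_b> <ip_b> <gw_b>
check_pair() {
    [ "$1" != "$4" ] || { echo "device names must differ (mv cm device $1 <new_name>)" >&2; return 1; }
    [ "$2" != "$5" ] || { echo "private IPs must differ: $2" >&2; return 1; }
    [ "$3" != "$6" ] || { echo "gateways must differ: $3 (one per AZ subnet)" >&2; return 1; }
    return 0
}

# Constructed example: bigip1 in 10.0.1.0/24 (one AZ), bigip2 in 10.0.2.0/24
# (another AZ). Prints the bigip1 batch, which includes the trust steps.
if check_pair bigip1 10.0.1.10 10.0.1.1 bigip2 10.0.2.10 10.0.2.1; then
    batch_for bigip1 10.0.1.10 10.0.1.1 azsync bigip2 10.0.2.10 admin "${BIGIP_PEER_PASSWORD:-CHANGE_ME}"
fi
```

Save the output of batch_for bigip2 10.0.2.10 10.0.2.1 as bigip2.tmsh and the bigip1 call above as bigip1.tmsh. Run the bigip2 batch on bigip2 first, then the bigip1 batch on bigip1, so that the peer's configsync-ip is already set when trust is established and the first sync runs. Afterwards, cd /LOCAL_ONLY and list net route on each device should show that device's own gateway, which confirms the route was not synchronized.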