Last updated on: 2024-03-26 06:01:13.

Amazon Web Services: Single NIC config sync across Availability Zones

The following diagram shows a basic deployment of two F5 BIG-IP Virtual Edition (VE) instances in two separate AWS Availability Zones within a VPC.

Each Availability Zone is in a different physical location, which helps ensure that your application remains available if one Availability Zone becomes unavailable.

In this deployment, the two BIG-IP VEs are synchronizing their configurations to one another; they are not communicating for the purpose of failover.


This deployment has the following benefits:

  • The two BIG-IP VEs are on different hardware, because they are in separate AWS Availability Zones, and as such, both servers should not be down at the same time.
  • BIG-IP VE copies changes from one BIG-IP VE to the other through config sync.
  • Both BIG-IP VEs have Active status and are available to process traffic.
  • If one BIG-IP VE fails, the other BIG-IP VE continues to process traffic, though the failed system drops the packets.
  • BIG-IP VE can process more traffic; if each BIG-IP VE has 1 Gbps of throughput, then together they have 2 Gbps.

Configure config sync between AWS Availability Zones

Before you can complete this task:

  • Your AWS VPC must have a subnet in more than one Availability Zone.
  • In AWS, you must associate all subnets with the routing table.
  • In AWS, the security group must have inbound rules open for port 4353 and 6699 (in addition to other ports you’ve enabled).
  • Both BIG-IP VEs must be running the same version of BIG-IP VE system software.
  • The BIG-IP VEs must not use the same device name. To view the name, use the tmsh command: list /cm device. The device name is in the first line of the result, for example cm device bigip1 {. To change the name, use mv cm device <current_device_name> <new_device_name>.

Enable config sync communication when you want to automatically or manually synchronize configuration information.

Note: The following steps apply to a single-NIC configuration only. If you have multiple NICs, use this deployment guide.

  1. Use an SSH tool to connect to each of the BIG-IP VEs.

  2. Ensure you are at the tmsh prompt.

  3. On each BIG-IP VE, disable functionality that enforces single NIC setup.

    modify sys db provision.1nicautoconfig value disable
  4. Confirm that the value is correct by typing:

    list sys db provision.1nicautoconfig

    The return value should be: value "disable".

  5. Move the route to a different partition.

    1. View the existing route and note the IP address.

      list net route
    2. Delete the route.

      delete net route default
    3. Create a new partition.

      create sys folder /LOCAL_ONLY device-group none traffic-group traffic-group-local-only
    4. Create the route in the new partition.

      create net route /LOCAL_ONLY/default network default gw <route_IP_address>
    5. Save the configuration.

      save sys config
    6. Change to the LOCAL_ONLY partition and confirm the route.

      cd /LOCAL_ONLY
      list net route
    7. Change back to the Common partition.

      cd /Common
  6. Set up device trust and config sync.

    1. On each BIG-IP VE, specify the static private IP address of the BIG-IP VE itself.

      modify cm device <device_name> configsync-ip <private_ip_address>
    2. Establish device trust: On one BIG-IP VE, enter the static private IP address of the other BIG-IP VE, along with its user name and password.

      modify cm trust-domain add-device { ca-device true device-ip <peer_ip_address> device-name <peer_device_name> username <peer_username> password <peer_password> }
    3. On the same BIG-IP VE as the previous step, create a sync-failover device group with network failover disabled.

      create cm device-group <device_group_name> devices add { <all-bigip-device-names-separated-by-space> } type sync-failover auto-sync enabled network-failover disabled
    4. Sync the BIG-IP VE to the other BIG-IP VE.

      run cm config-sync to-group <device_group_name>