Amazon Web Services: Single NIC F5 BIG-IP Virtual Edition

The following diagram shows a basic single NIC deployment of F5 BIG-IP Virtual Edition (VE) in an Amazon Virtual Private Cloud (VPC). Traffic is flowing through BIG-IP VE to application servers. The BIG-IP virtual server is listening for traffic destined for port 443. Port 8443 is for management traffic.

Note: Alternatively, you can use F5 BIG-IP Cloud Formation Templates (CFT) to create this deployment. For more information about F5 BIG-IP CFTs, visit https://github.com/F5Networks.

(Diagram: diagram_singlenic.png)

In this configuration, all access to the BIG-IP VE appliance is through the same IP address and virtual network interface (vNIC). This single NIC deployment has the following benefits:

  • BIG-IP VE creates networking objects (vNIC 1.0, an internal VLAN, and an internal self IP address).
  • In BIG-IP VE 13.0 and later, BIG-IP VE sets the Configuration utility port to 8443 (instead of 443).
  • If you do not need a separate management network, this configuration is less complex than other configurations.

Step summary

This is a specific example, which you can use to test a single NIC deployment. When done, you should be able to send traffic to your application servers through BIG-IP VE.

Step 1: Choose an F5 license
  Choose an F5 license. You can get a trial license if you need one.

Step 2: Create a VPC with one subnet
  Use the AWS VPC wizard to create a VPC with a single subnet.
  • Subnet: 10.0.0.0/24

Step 3: Deploy a BIG-IP VE instance
  From the AWS Marketplace, choose an F5 BIG-IP VE image. When you deploy the instance, choose the VPC you created earlier.
  Choose an image with 2 boot locations if you expect to upgrade BIG-IP VE in the future. If you do not need room to upgrade (if you intend to create a new instance when a new version of BIG-IP VE is released), choose an image with 1 boot location.
  • Interface: eth0
  • Primary Private IP: 10.0.0.200

Step 4: Create an Elastic IP address
  Create an Elastic IP address and associate it with the BIG-IP VE instance. You will use this IP address to access the BIG-IP Configuration utility and to access your application servers (by way of the virtual server).
  • Elastic IP: 52.x.y.x

Step 5: Set an admin password for BIG-IP VE
  Before you can license and provision BIG-IP VE, use SSH and your key pair to connect to the instance and set a strong password.
  • In tmsh, type: modify auth password admin

Step 6: License BIG-IP VE
  Use the admin account to log in to the BIG-IP Configuration utility (https://<ElasticIP>:8443). If you have trouble accessing the Configuration utility, check the AWS security groups to ensure that they allow the appropriate traffic.
  Note: Prior to BIG-IP VE 13.0, the port is 443 instead.

Step 7: Provision BIG-IP VE
  Enable the modules you need.

Step 8: Change the Config utility port
  Prior to BIG-IP VE 13.0 only. Change the Config utility from port 443 to 8443. In BIG-IP VE 13.0 and later, it is on port 8443 by default.

Step 9: Create a VLAN and self IP
  Prior to BIG-IP VE 12.1, you must create a VLAN and self IP address. In 12.1 and later, BIG-IP VE creates these automatically.

Step 10: Create a pool and add members to it
  Create a pool that contains your application servers.
  • Pool name: web_pool

Step 11: Create a virtual server
  Create a virtual server, which provides a destination for your inbound web traffic and points to the pool of web servers.
  • Virtual IP address: 10.0.0.200, service port: 443

Step details

Create a VPC with one subnet

A BIG-IP VE instance must be in an Amazon virtual private cloud (VPC). You can use a wizard to create a basic VPC.

  1. In the AWS Management Console, expand the Services menu at the top of the screen, scroll down to the Networking & Content Delivery section, and select VPC.
  2. Click Launch VPC Wizard -> VPC with a Single Public Subnet, and then click Select.
  3. For the CIDR block, use the following:
    • IPv4: 10.0.0.0/24
    • IPv6: Select the appropriate option.
  4. In the VPC name field, type a name.
  5. Retain all other default settings and click Create VPC.
  6. Click OK to view the list of VPCs.

Deploy a BIG-IP VE instance

To create an EC2 instance of BIG-IP VE in AWS, you deploy a BIG-IP VE image from the Amazon Web Services (AWS) Marketplace.

  1. Go to the AWS Marketplace.

  2. In the Search AWS Marketplace field, type F5 BIG-IP and then click GO.

  3. Click the version you want to deploy and then click Continue.
    • If you expect to upgrade BIG-IP VE in the future, choose an image with 2 boot locations. If you do not need room to upgrade (if you intend to create a new instance when a new version of BIG-IP VE is released), choose an image with 1 boot location.

  4. Select the region where you created your VPC and click Launch with EC2 Console.

  5. Choose the instance type you need.

  6. Click Next: Configure Instance Details.

  7. From the Network list, select your VPC. The Subnet field is automatically populated.

  8. In the Network interfaces area, in the Primary IP field, type 10.0.0.200.

  9. Click Next: Add Storage and then Next: Tag Instance.

  10. In the Value field, type a name for the instance and click Next: Configure Security Group.

    Three rules are in the list: 22 is for SSH access, 8443 for BIG-IP management access, and 443 for application traffic.

    For Source, if you select My IP, you can access the BIG-IP VE instance from your computer only. You can change the source as needed for your environment. For more information about securing instances in AWS, see the AWS documentation on securing EC2 instances.

  11. Click Review and Launch.

  12. Confirm the settings and click Launch.

  13. Select your key pair, accept the acknowledgment, and click Launch Instances.

  14. Click View Instances to view the new instance.

When the status in the Status Checks column changes from Initializing to 2/2 checks passed, the instance is ready.

Important: Prior to BIG-IP VE 13.1.0.1, if you chose an hourly instance, you must associate an AWS Elastic IP address with the instance while it is launching, so that the instance can register the license with F5. If the instance lacks internet access when it first boots, you must reboot the instance so it can connect to F5 for licensing.
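The security group step above leaves the Source of the 22 and 8443 rules up to you, and a group that later drifts to 0.0.0.0/0 on those ports exposes SSH and the Configuration utility to the whole Internet through the Elastic IP. The following Python is an added example, not code from the F5 documentation: it audits a security group description for management ports reachable from any source and produces a copy with those rules restricted to an administrator CIDR. The group dictionary is a constructed sample in the shape of one "SecurityGroups" entry returned by EC2 DescribeSecurityGroups (the field names are the API's; the group id and addresses are placeholders), and the port-to-role mapping and the admin CIDR are assumptions made for this example.

```python
# Constructed sample: one entry of the "SecurityGroups" list that EC2
# DescribeSecurityGroups returns. Field names match the API; the group id
# and every address below are placeholders for this example.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",  # placeholder, not a real group id
    "GroupName": "bigip-single-nic",
    "IpPermissions": [
        # SSH restricted to a single administrator address: acceptable.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        # Configuration utility port left open to the world: should be flagged.
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # Application traffic through the virtual server: intentionally public.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

# Ports the single-NIC deployment reserves for management (assumption: 22 and
# 8443 are the only management ports on this instance).
MANAGEMENT_PORTS = {22: "SSH", 8443: "BIG-IP Configuration utility"}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def rule_sources(perm):
    """All IPv4 and IPv6 CIDR sources of one IpPermissions entry."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def rule_covers_port(perm, port):
    """True if the rule admits TCP traffic to `port` (protocol -1 means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_exposed_management_ports(group):
    """Return (port, description, sources) for each management port open to any source."""
    findings = []
    for perm in group.get("IpPermissions", []):
        open_sources = sorted(s for s in rule_sources(perm) if s in ANY_SOURCE)
        if not open_sources:
            continue
        for port, description in MANAGEMENT_PORTS.items():
            if rule_covers_port(perm, port):
                findings.append((port, description, open_sources))
    return findings


def restrict_sources(perm, admin_cidr):
    """Copy of a rule with any-source entries replaced by the administrator's CIDR."""
    fixed = dict(perm)
    fixed["IpRanges"] = [r for r in perm.get("IpRanges", []) if r["CidrIp"] not in ANY_SOURCE]
    fixed["Ipv6Ranges"] = [r for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] not in ANY_SOURCE]
    if ":" in admin_cidr:
        if {"CidrIpv6": admin_cidr} not in fixed["Ipv6Ranges"]:
            fixed["Ipv6Ranges"].append({"CidrIpv6": admin_cidr})
    elif {"CidrIp": admin_cidr} not in fixed["IpRanges"]:
        fixed["IpRanges"].append({"CidrIp": admin_cidr})
    return fixed


def harden_group(group, admin_cidr):
    """Copy of the group where management-port rules open to any source now allow only admin_cidr."""
    hardened = dict(group)
    hardened["IpPermissions"] = [
        restrict_sources(p, admin_cidr)
        if any(rule_covers_port(p, port) for port in MANAGEMENT_PORTS)
        and any(s in ANY_SOURCE for s in rule_sources(p))
        else p
        for p in group.get("IpPermissions", [])
    ]
    return hardened


if __name__ == "__main__":
    for port, description, sources in find_exposed_management_ports(SAMPLE_GROUP):
        print(f"port {port} ({description}) reachable from {', '.join(sources)}")
    print(find_exposed_management_ports(harden_group(SAMPLE_GROUP, "203.0.113.10/32")))
```

Run against a live account, the same functions apply unchanged to each entry of the list that boto3's `describe_security_groups` returns; the hardened copy is a description to compare against, not something the code applies on its own.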

Create an Elastic IP address

You use the BIG-IP Configuration utility to configure the BIG-IP VE instance. To access the Configuration utility from the Internet, you use an Elastic IP (EIP) address associated with the BIG-IP VE instance. You will use this same EIP to access your application servers. Hourly instances of BIG-IP VE prior to version 13.1.0.2 also use the EIP for internet access so they can get a license from F5.

Note: EIPs are accessible to the Internet. Because of this, later you will set a strong password for the BIG-IP VE admin account, which you use to log in to the Configuration utility.

  1. From the Services menu at the top of the AWS Management Console, select EC2.

  2. In the Navigation pane, under NETWORK & SECURITY, select Elastic IPs.

  3. Click Allocate new address.

  4. Click Allocate and then click Close.

  5. Right-click the newly created EIP and select Associate address from the popup menu screen.

  6. Select the BIG-IP VE instance and the management subnet’s private IP address, 10.0.0.200.

  7. Click Associate.

Set the admin password for BIG-IP VE

The first time you boot BIG-IP VE, you must connect to the instance and create a strong admin password. You will use the admin account and password to access the BIG-IP Configuration utility.

This management interface may be accessible to the Internet, so ensure the password is secure.

  1. Connect to BIG-IP VE.

    • At the command prompt, navigate to the folder where you saved your SSH key and type: ssh -i <private_key_file.pem> admin@<bigip_public_ip_address>

    • If you prefer, you can open PuTTY and, in the Host Name (or IP address) field, enter the external IP address.

      In the Category pane on the left, click Connection -> SSH -> Auth.

      In the Private key file for authentication field, choose your .ppk file.

      Click Open.

      If a host key warning appears, click OK.

      The terminal screen displays: login as:

      Type admin and press Enter.

  2. To change to the tmsh prompt, type:

    tmsh
    
  3. Modify the admin password:

    modify auth password admin
    

    The terminal screen displays the message:

    changing password for admin
    new password:
    
  4. Type the new password and press Enter.

    The terminal screen displays the message:

    confirm password
    
  5. Re-type the new password and press Enter.

  6. To ensure that the system retains the password change, type the following and press Enter:

    save sys config
    

    The terminal screen displays the message:

    Saving Ethernet mapping...done
    

License BIG-IP VE

You must enter license information before you can use BIG-IP VE.

  1. Open a web browser and log in to the BIG-IP Configuration utility by using https with the external IP address and port 8443, for example: https://<external-ip-address>:8443. The username is admin and the password is the one you set previously.

  2. On the Setup Utility Welcome page, click Next.

  3. On the General Properties page, click Activate.

  4. In the Base Registration key field, enter the case-sensitive registration key from F5.

    For Activation Method, if you have a production or Eval license, choose Automatic and click Next.

    If you chose Manual, complete these steps:

    1. In the Step 1: Dossier field, copy all of the text and then click Click here to access F5 Licensing Server.

      A separate web page opens.

    2. On the new page, click Activate License.

    3. In the Enter your dossier field, paste the text and click Next.

    4. Accept the agreement and click Next.

    5. On the Activate F5 Product page, copy the license text in the box. Now go back to the BIG-IP Configuration utility and paste the text into the Step 3: License field.

    6. Click Next.

The BIG-IP VE system registers the license and logs you out. When the configuration change is successful, click Continue to provision BIG-IP VE.

Provision BIG-IP VE

You must confirm the modules you want to run before you can begin to work in the BIG-IP Configuration utility.

  1. Open a web browser and log in to the BIG-IP Configuration utility.

  2. On the Resource Provisioning screen, change settings if necessary and click Next.

  3. On the Device Certificates screen, click Next.

  4. On the Platform screen, in the Admin Account field, re-enter the password for the admin account and click Next.

    BIG-IP VE logs you out.

  5. When you log back in, on the Setup Utility -> Network screen, in the Advanced Network Configuration area, click Finished.

Change the Configuration utility port

The BIG-IP Configuration utility uses port 443 by default. Change the port to 8443 so you can use 443 for application traffic.

  1. Use a secure shell (SSH) client, such as PuTTY, to access the instance; use the key pair you specified when you deployed the instance.

  2. Type tmsh to ensure you are accessing the tmsh prompt.

  3. Confirm the SSL port.

    list sys httpd ssl-port
    

    The result should be ssl-port 443.

  4. Move the port from 443 to 8443.

    modify sys httpd ssl-port 8443
    
  5. Confirm the move was successful.

    list sys httpd ssl-port
    

    The result should be ssl-port 8443.

  6. Add 8443 to the default self allow port list.

    modify net self-allow defaults add { tcp:8443 }
    
  7. Now that the Configuration utility is no longer using port 443, remove the reference to it.

    modify net self-allow defaults delete { tcp:443 }
    
  8. Confirm the changes.

    list net self-allow defaults
    

    tmsh lists port 8443 by its service name, tcp:pcsync-https, which should now be in the list; port 443 appears as tcp:https and should no longer be in the list.

  9. Save the changes to the system configuration.

    save sys config
    
  10. End the SSH session.

  11. Open a web browser and go to the BIG-IP Configuration utility by using port 8443, for example: https://<public-ip-address>:8443.

Now create a VLAN and self IP address for the NIC.
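To check the end state of this port move without reading tmsh output by eye, the following Python (an added example, not code from the F5 documentation) parses the output of list sys httpd ssl-port and list net self-allow defaults and reports anything that still needs attention. The two sample outputs are constructed here in the layout tmsh uses for these commands (the exact whitespace is an assumption; the property and service names are those the page shows), and the mapping of 443 to tcp:https and 8443 to tcp:pcsync-https follows the page.

```python
import re

# Constructed samples in the shape tmsh prints for "list sys httpd ssl-port"
# and "list net self-allow defaults" (exact layout is an assumption; the
# property names and service-name spellings are as the page shows them).
HTTPD_BEFORE = "sys httpd {\n    ssl-port 443\n}\n"
HTTPD_AFTER = "sys httpd {\n    ssl-port 8443\n}\n"

SELF_ALLOW_BEFORE = """net self-allow {
    defaults {
        tcp:domain
        tcp:f5-iquery
        tcp:https
        tcp:snmp
        tcp:ssh
        udp:domain
        udp:f5-iquery
        udp:snmp
    }
}
"""
# After "modify net self-allow defaults add { tcp:8443 }" and
# "modify net self-allow defaults delete { tcp:443 }".
SELF_ALLOW_AFTER = SELF_ALLOW_BEFORE.replace("tcp:https", "tcp:pcsync-https")

# tmsh shows these well-known ports by service name in the self-allow list.
SERVICE_NAME = {443: "tcp:https", 8443: "tcp:pcsync-https"}


def parse_ssl_port(text):
    """Return the ssl-port value from 'list sys httpd ssl-port' output."""
    m = re.search(r"^\s*ssl-port\s+(\d+)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError("no ssl-port line in tmsh output")
    return int(m.group(1))


def parse_self_allow_defaults(text):
    """Return the set of proto:port entries inside the 'defaults { ... }' block."""
    m = re.search(r"defaults\s*\{(.*?)\}", text, re.DOTALL)
    if not m:
        raise ValueError("no defaults block in tmsh output")
    return {line.strip() for line in m.group(1).splitlines() if line.strip()}


def verify_port_move(httpd_text, self_allow_text, new_port=8443, old_port=443):
    """Check the procedure's end state; returns a list of findings (empty means done)."""
    findings = []
    port = parse_ssl_port(httpd_text)
    if port != new_port:
        findings.append(f"ssl-port is {port}, expected {new_port}")
    allowed = parse_self_allow_defaults(self_allow_text)
    if SERVICE_NAME[new_port] not in allowed:
        findings.append(f"{SERVICE_NAME[new_port]} missing from self-allow defaults")
    if SERVICE_NAME[old_port] in allowed:
        findings.append(f"{SERVICE_NAME[old_port]} still in self-allow defaults")
    return findings


if __name__ == "__main__":
    print("before:", verify_port_move(HTTPD_BEFORE, SELF_ALLOW_BEFORE))
    print("after:", verify_port_move(HTTPD_AFTER, SELF_ALLOW_AFTER))
```

On a real instance, feed the two functions the text captured from the tmsh session (for example via ssh with the commands on the command line); the check deliberately treats a leftover tcp:https entry as a finding, because it leaves the old management port open on the self IP even after the Configuration utility has moved.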

Create a pool and add members to it

Traffic goes through BIG-IP VE to a pool. You must add your application servers to this pool.

  1. Open a web browser and go to the BIG-IP Configuration utility, for example: https://<external-ip-address>:8443.

  2. On the Main tab, click Local Traffic -> Pools.

  3. Click Create.

  4. In the Name field, type web_pool. Names must begin with a letter, be fewer than 63 characters, and can contain only letters, numbers, and the underscore (_) character.

  5. For Health Monitors, move https from the Available to the Active list.

  6. Choose the load balancing method or retain the default setting.

  7. In the New Members section, in the Address field, type the IP address of the application server.

  8. In the Service Port field, type a service port, for example, 443.

  9. Click Add.

    The list now contains the member.

  10. Add additional pool members as needed and click Finished.

Create a virtual server

A virtual server listens for packets destined for the external IP address. You must create a virtual server that points to the pool you created.

  1. In the BIG-IP Configuration utility, click the Main tab, and then click Local Traffic -> Virtual Servers.

  2. Click Create and complete the following information.

    Field                        Value
    Name                         A unique name
    Destination Address/Mask     BIG-IP VE’s private IP address
    Service Port                 443
    HTTP Profile                 http
    SSL Profile (Client)         clientssl
    SSL Profile (Server)         serverssl
    Source Address Translation   Auto Map
    Default Pool                 web_pool

    Note: These values are for demonstration only. For details about securing a web application with SSL, see the product documentation at askf5.com.

  3. Click Finished.

Traffic to the BIG-IP VE external IP address will now go to the pool members. To test in a browser, type: https://<external-IP-address>.

Failover for single NIC

You can implement failover in public clouds using the F5® BIG-IP® Cloud Failover Extension (CFE) (for example, BIG-IP CFE for AWS). Failover is also supported for single NIC VE instances at the BIG-IP network configuration level, using:

and other validation-level configuration settings.

Other settings used for failover include Traffic Groups, which are primarily used in multi-NIC and HA configurations; therefore, for the virtual IPs, be sure to set Traffic Group to None (see the CFE FAQs for details).

Failover works in generic hypervisors where L2 is supported (such as VMware ESXi). For information about other failover options, consult the F5 BIG-IP Cloud Failover Extension (CFE) documentation. See also the CFE FAQs.