Amazon Web Services: Single NIC F5 BIG-IP Virtual Edition¶
The following diagram shows a basic single NIC deployment of F5 BIG-IP Virtual Edition (VE) in an Amazon Virtual Private Cloud (VPC).
Traffic is flowing through BIG-IP VE to application servers. The BIG-IP virtual server is listening for traffic destined
for port 443
. Port 8443
is for management traffic.
Note: Alternatively, you can use F5 BIG-IP Cloud Formation Templates (CFT) to create this deployment. For more information about F5 BIG-IP CFTs, visit https://github.com/F5Networks.
In this configuration, all access to the BIG-IP VE appliance is through the same IP address and virtual network interface (vNIC). This single NIC deployment has the following benefits:
- BIG-IP VE creates networking objects (vNIC 1.0, an internal VLAN, and an internal self IP address).
- In BIG-IP VE 13.0 and later, BIG-IP VE sets the Configuration utility port to
8443
(instead of443
). - If you do not need a separate management network, this configuration is less complex than other configurations.
Watch a video of the deploy process:
Step summary¶
This is a specific example, which you can use to test a single NIC deployment. When done, you should be able to send traffic to your application servers through BIG-IP VE.
Step | Task | Description |
---|---|---|
1 | Choose an F5 license | Choose an F5 license. You can get a trial license if you need one. |
2 | Create a VPC with one subnet | Use the AWS VPC wizard to create a VPC with a single subnet.
|
3 | Deploy a BIG-IP VE instance | From the AWS Marketplace, choose an F5 BIG-IP VE image. When you deploy the instance, choose the VPC you created earlier. Choose an image with 2 boot locations if you expect to upgrade BIG-IP VE in the future. If you do not need room to upgrade (if you intend to create a new instance when a new version of BIG-IP VE is released), choose an image with 1 boot location.
|
4 | Create an Elastic IP address | Create an Elastic IP address and associate it with the BIG-IP VE instance. You will use this IP address to access the BIG-IP Configuration utility and to access your application servers (by way of the virtual server).
|
5 | Set an admin password for BIG-IP VE | Before you can license and provision BIG-IP VE, use SSH and your key pair to connect to the instance and set a strong password.
|
6 | License BIG-IP VE | Use the admin account to log in to the BIG-IP Configuration utility ( Note: Prior to BIG-IP VE 13.0, the port is |
7 | Provision BIG-IP VE | Enable the modules you need. |
8 | Change the Config utility port | Prior to BIG-IP VE 13.0 only. Change the Config utility from port 443 to 8443 . After BIG-IP VE 13.0, it is on port 8443 by default. |
9 | Create a VLAN and self IP | Prior to BIG-IP VE 12.1, you must create a VLAN and self IP address. In 12.1 and later, BIG-IP VE creates these automatically. |
10 | Create a pool and add members to it | Create a pool that contains your application servers.
|
11 | Create a virtual server | Create a virtual server, which provides a destination for your inbound web traffic and points to the pool of web servers.
|
Step details¶
Create a VPC with one subnet¶
A BIG-IP VE instance must be in an Amazon virtual private cloud (VPC). You can use a wizard to create a basic VPC.
- In the AWS Management Console, at the top of the screen expand the Services menu, scroll down to Networking & Content Delivery section, select VPC.
- Click Select. , and then click
- For the CIDR block, use the following:
- IPv4:
10.0.0.0/24
- IPv6: Select the appropriate option.
- IPv4:
- In the VPC name field, type a name.
- Retain all other default settings and click Create VPC.
- Click OK to view the list of VPCs.
Deploy a BIG-IP VE instance¶
To create an EC2 instance of BIG-IP VE in AWS, you deploy a BIG-IP VE image from the Amazon Web Services (AWS) Marketplace.
- Go to the AWS Marketplace.
- In the Search AWS Marketplace field, type
F5 BIG-IP
and then click GO. - Click the version you want to deploy and then click Continue.
- If you expect to upgrade BIG-IP VE in the future, choose an image with 2 boot locations. If you do not need room to upgrade (if you intend to create a new instance when a new version of BIG-IP VE is released), choose an image with 1 boot location.
Select the region where you created your VPC, click Launch with EC2 Console.
Choose the instance type you need.
Click Next: Configure Instance Details.
From the Network list, select your VPC. The Subnet field is automatically populated.
In the Network interfaces area, in the Primary IP field, type
10.0.0.200
.Click Next: Add Storage and then Next: Tag Instance.
In the Value field, type a name for the instance and click Next: Configure Security Group.
Three rules are in the list.
22
is for SSH access,8443
for BIG-IP management access, and443
for application traffic.For Source, if you select My IP, you can access the BIG-IP VE instance from your computer only. You can change the source as needed for your environment. For more information about securing instances in AWS, see this topic.
Click Review and Launch.
Confirm the settings and click Launch.
Select your key pair, accept the acknowledgment, and click Launch Instances.
Click View Instances to view the new instance.
When the status in the Status Checks column changes from Initializing to 2/2 checks passed, the instance is ready.
Important: Prior to BIG-IP VE 13.1.0.1, if you chose an hourly instance, you must associate an AWS Elastic IP address with the instance while it is launching, so that the instance can register the license with F5. If the instance lacks internet access when it first boots, you must reboot the instance so it can connect to F5 for licensing.
Create an Elastic IP address¶
A BIG-IP VE instance must be in an Amazon virtual private cloud (VPC). You can use a wizard to create a basic VPC.
You use the BIG-IP Configuration utility to configure the BIG-IP VE instance. To access the Configuration utility from the Internet, you use an Elastic IP (EIP) address associated with the BIG-IP VE instance. You will use this same EIP to access your application servers. Hourly instances of BIG-IP VE prior to version 13.1.0.2 also use the EIP for internet access so they can get a license from F5.
Note: EIPs are accessible to the Internet. Because of this, later you will set a strong password for the BIG-IP VE admin account, which you use to log in to the Configuration utility.
From the Services menu at the top of the AWS Management Console, select EC2.
In the Navigation pane, under NETWORK & SECURITY, select Elastic IPs.
Click Allocate new address.
Click Allocate and then click Close.
Right-click the newly created EIP and select Associate address from the popup menu screen.
Select the BIG-IP VE instance and the management subnet’s private IP address,
10.0.0.200
.Click Associate.
Set the admin password for BIG-IP VE¶
The first time you boot BIG-IP VE, you must connect to the instance and create a strong admin password. You will use the admin account and password to access the BIG-IP Configuration utility.
This management interface may be accessible to the Internet, so ensure the password is secure.
Connect to BIG-IP VE.
At the command prompt, navigate to the folder where you saved your ssh key and type:
ssh -i <private_key_file.pem> admin@<bigip_public_ip_address>
If you prefer, you can open PuTTy and in the Host Name (or IP address) field, enter the external IP address, for example:
In the Category pane on the left, click
.In the Private key file for authentication field, choose your .ppk file.
Click Open.
If a host key warning appears, click OK.
The terminal screen displays:
login as:
.Type
admin
and press Enter.
To change to the
tmsh
prompt, type:tmsh
Modify the admin password:
modify auth password admin
The terminal screen displays the message:
changing password for admin new password:
Type the new password and press Enter.
The terminal screen displays the message:
confirm password
Re-type the new password and press Enter.
Ensure that the system retains the password change and press Enter.
save sys config
The terminal screen displays the message:
Saving Ethernet mapping...done
License BIG-IP VE¶
You must enter license information before you can use BIG-IP VE.
Open a web browser and log in to the BIG-IP Configuration utility by using
https
with the external IP address and port8443
, for example:https://<external-ip-address>:8443
. The username isadmin
and the password is the one you set previously.On the Setup Utility Welcome page, click Next.
On the General Properties page, click Activate.
In the Base Registration key field, enter the case-sensitive registration key from F5.
For Activation Method, if you have a production or Eval license, choose Automatic and click Next.
If you chose Manual, complete these steps:
In the Step 1: Dossier field, copy all of the text and then click Click here to access F5 Licensing Server.
A separate web page opens.
On the new page, click Activate License.
In the Enter your dossier field, paste the text and click Next.
Accept the agreement and click Next.
On the Activate F5 Product page, copy the license text in the box. Now go back to the BIG-IP Configuration utility and paste the text into the Step 3: License field.
Click Next.
The BIG-IP VE system registers the license and logs you out. When the configuration change is successful, click Continue to provision BIG-IP VE.
Provision BIG-IP VE¶
You must confirm the modules you want to run before you can begin to work in the BIG-IP Configuration utility.
Open a web browser and log in to the BIG-IP Configuration utility.
On the Resource Provisioning screen, change settings if necessary and click Next.
On the Device Certificates screen, click Next.
On the Platform screen, in the Admin Account field, re-enter the password for the admin account and click Next.
BIG-IP VE logs you out.
When you log back in, on the Advanced Network Configuration area, click Finished.
screen, in the
Change the Configuration utility port¶
The BIG-IP Configuration utility uses port 443
by default. Change the port to 8443
so you can use 443
for application traffic.
Use a secure shell terminal (SSH), like PuTTy, to access the instance; use the key pair you specified when you deployed the instance.
Type
tmsh
to ensure you are accessing the tmsh prompt.Confirm the SSL port.
list sys httpd ssl-port
The result should be ssl-port
443
.Move the port from
443
to8443
.modify sys httpd ssl-port 8443
Confirm the move was successful.
list sys httpd ssl-port
The result should be ssl-port
8443
.Add
8443
to the default self allow port list.modify net self-allow defaults add { tcp:8443 }
Now that the Configuration utility is no longer using port 443, remove the reference to it.
modify net self-allow defaults delete { tcp:443 }
Confirm the changes.
list net self-allow defaults
tcp:pcsync-https
is for8443
and should be in the list.tcp:https
is for443
and should not be in the list.Save the changes to the system configuration.
save sys config
End the SSH session.
Open a web browser and go to the BIG-IP Configuration utility by using port
8443
, for example:https://<public-ip-address>:8443
.
Now create a VLAN and self IP address for the NIC.
Create a pool and add members to it¶
Traffic goes through BIG-IP VE to a pool. You must add your application servers to this pool.
Open a web browser and go to the BIG-IP Configuration utility, for example:
https://<external-ip-address>:8443
.On the Main tab, click
.Click Create.
In the Name field, type
web_pool
. Names must begin with a letter, be fewer than 63 characters, and can contain only letters, numbers, and the underscore (_) character.For Health Monitors, move
https
from the Available to the Active list.Choose the load balancing method or retain the default setting.
In the New Members section, in the Address field, type the IP address of the application server.
In the Service Port field, type a service port, for example,
443
.Click Add.
The list now contains the member.
Add additional pool members as needed and click Finished.
Create a virtual server¶
A virtual server listens for packets destined for the external IP address. You must create a virtual server that points to the pool you created.
In the BIG-IP Configuration utility, click the Main tab, and then click .
Click Create and complete the following information.
Field Value Name A unique name Destination Address/Mask BIG-IP VE’s private IP address Service Port 443
HTTP Profile http SSL Profile (Client) clientssl SSL Profile (Server) serverssl Source Address Translation Auto Map Default Pool web_pool
Note
These values are for demonstration only. For details about securing a web application with SSL, see the product documentation at askf5.com.
Click Finished.
Traffic to the BIG-IP VE external IP address will now go to the pool members. To test in a browser, type: https://<external-IP-address>
.
Failover for single NIC¶
You can implement failover in public clouds using the F5® BIG-IP® Cloud Failover Extension (CFE) (for example, BIG-IP CFE for AWS). Failover is also supported for single NIC VE instances at the BIG-IP network configuration level, using:
- gratuitous address resolution protocol (GARP),
- device service cluster (DSC),
- master control program daemon (MCPD),
and other validation-level configuration settings.
Other settings used for failover include, Traffic Groups, primarily used in multi-NIC and HA configurations; therefore, for the virtual IPs, be sure set to Traffic Group to None (see CFE FAQs for details).
Failover works in generic hypervisors, where L2 is supported (such as, VMware ESXi). For information about other failover options, consult the F5 BIG-IP Cloud Failover Extension (CFE) documentation. See also the CFE FAQs.