Microsoft Azure: Multi-NIC BIG-IP VE

When you deploy BIG-IP VE from the Azure Marketplace, BIG-IP VE has a single NIC and only one available IP address. All traffic shares the single NIC.

If you prefer a configuration with multiple NICs and/or IP addresses, you can deploy BIG-IP VE by using:

  • An Azure template
  • PowerShell
  • The Azure command-line interface (CLI)

F5 maintains Azure templates that you can use to create a multi-NIC deployments. For more information, see

For more information about multiple NICs in Azure, see

About management and data traffic on a shared NIC

You may want to have management and data (application) traffic on the same NIC, with the same IP address (and different ports). If you do:

  • You can use a smaller Azure instance type (one that supports fewer NICs)
  • The configuration is simpler and has only one external facing IP address

In this example, eth0 is for the external VLAN, and eth1 for the internal VLAN.

Caution: This solution has some limitations.

Azure has service limits.

Azure limits each NIC’s throughput. You should read and understand these limitations.

You are changing the default behavior of BIG-IP VE in Azure.

When you deploy BIG-IP VE in Azure from the Marketplace, BIG-IP VE automatically creates an internal VLAN and self IP address. When you add a second NIC, you are changing the settings that enforce this default behavior.

Share a NIC for management and data traffic

To use multiple NICs in Azure and share a NIC for management and data traffic, you must change the default single-NIC launch behavior.

  1. Use SSH to connect to BIG-IP VE, and ensure that you are at the tmsh prompt.

  2. Set this variable so that when BIG-IP VE finds multiple NICs, it automatically provisions the primary NIC.

    modify sys db provision.1nic value forced_enable
  3. Confirm that the value is correct.

    list sys db provision.1nic

    The result should be value "forced_enable".

  4. BIG-IP VE automatically creates a VLAN named internal and an associated self IP address. Disable this functionality so you can create the VLAN and self IP address with the names you want. (For example, you can name the VLAN external.)

    modify sys db provision.1nicautoconfig value disable
  5. Confirm that the value is correct.

    list sys db provision.1nicautoconfig

    The result should be value "disable".

  6. Restart BIG-IP VE.

    bigstart restart
  7. Create the VLAN. You must do this step in tmsh.

    create net vlan external interfaces add { 1.0 { untagged }}
  8. Create the self IP address. You must do this step in tmsh.

    create net self external_ip address vlan external allow-service default

    In this example, the IP address is an address on your external subnet.

  9. Create a gateway. You must do this step in tmsh.

    create net route default gw

    In this example, the IP address is an address on your external subnet. Typically, this address ends in 1.

  10. Save the configuration.

    save sys config
  11. Reboot BIG-IP VE.


When BIG-IP VE is available, you can open the Configuration utility and view the interfaces, self IP address, and VLAN you created. If you have more than two NICs, you can now create them. In this example, you would create an internal VLAN for the second NIC. You can also enable config sync now. You should not change the provision.1nic database variable value when you do.

In versions prior to 13.0, BIG-IP VE uses port 443 for management traffic by default. You should change the port if you want to use 443 for other traffic.

About management and data traffic on separate NICs

When you deploy BIG-IP VE with multiple NICs, you can use a separate NIC for management, data (application), and internal traffic.

In this configuration, each NIC can have one or more IP addresses associated with it. For example, your external NIC can now have multiple IP addresses, each of which you can use as a virtual server.


This deployment shows three subnets:

  • An external, public subnet, where you’ll create a virtual server to accept Internet traffic.
  • An internal, private subnet, where your application servers live.
  • A management subnet, where you can access the BIG-IP Configuration utility; you use the Configuration utility to configure BIG-IP VE.

Traffic flows from clients through BIG-IP VE to application servers.

Note: This example shows a single, standalone BIG-IP VE. To use config sync with two or more BIG-IP VEs in the same availability set, add all virtual server IP addresses to traffic group none.

Use separate NICs for management and data traffic

When you deploy BIG-IP VE with multiple NICs, you can separate your management, data (application), and internal traffic so that each has its own NIC.

To create this multi-NIC configuration in Azure, you need the following resources:

  • An Azure instance type that supports more than one NIC. For more information, see
  • A VNET with multiple subnets (for example, management, internal, and external).
  • Three NICs, each on a unique subnet. The first NIC is for management.
  • A public IP address, associated with the external NIC, for the virtual server.
  • An availability set, if you plan to do add more BIG-IP VE instances.

Depending on your region and the version of BIG-IP VE you want to deploy, you must choose a BIG-IP VE image. To view the list of available images:

The publisher is f5-networks.

Then you can deploy an instance of BIG-IP VE. If necessary, select the availability set during deployment.

After you deploy BIG-IP VE, you must:

  • Ensure that the network security group (NSG) allows traffic through port 443. The BIG-IP Configuration utility is accessible through this port.
  • If you used an SSH key, use an SSH tool to connect to BIG-IP VE and set the admin password by using the tmsh command modify auth password admin.
  • In BIG-IP VE, configure a self IP for each private IP address assigned to a NIC in Azure. Then create a corresponding VLAN. Finally, create a pool and virtual server.