Microsoft Azure: Single NIC BIG-IP VE

Complete these tasks to deploy BIG-IP VE in a single NIC configuration from the Azure Marketplace.

Only the latest version of BIG-IP VE is available in the Azure Marketplace.

If you want to create a single NIC deployment with an older version of BIG-IP VE, or you want a multi-NIC or other deployment, see the F5 templates at

This is a specific example, which you can use to test a single NIC deployment. When done, you should be able to send traffic to your application servers through BIG-IP VE.

Step Task Details
1 Prepare to deploy

Choose an F5 license. You can get a trial license if you need one.

In Azure, create an application server in a resource group. BIG-IP VE will be in the same resource group.

Create a key pair (recommended for production environments).

2 Deploy a BIG-IP VE instance in Resource Manager Find an F5 BIG-IP VE image in the Azure Marketplace and create an instance in the same resource group as your application. For BIG-IP VE, choose an Azure instance type that has at least 2 vCPU, 4 G memory.
3 In Azure, create rules that allow inbound traffic to BIG-IP VE When you deploy BIG-IP VE, Azure creates a network security group. Add an inbound security rule to allow traffic to port 8443 for the BIG-IP Configuration utility and port 443 for your application.
4 Set an admin password for BIG-IP VE

If you used a key when you deployed the instance, use SSH to connect to BIG-IP VE and set a password for the admin account. You will use the admin account to access the BIG-IP Configuration utility.

  • In tmsh, type modify auth password admin
5 License BIG-IP VE

Use the admin account to log in to the BIG-IP Configuration utility (https://<publicIPaddress>:8443).

Note: In BIG-IP VE 13.0, the port is 443 instead.

6 Provision BIG-IP VE Enable the modules you need.
7 Change the Config utility port Prior to BIG-IP VE 13.0 only. Change the Config utility from port 443 to 8443. In BIG-IP VE 13.0 and later, it is port 8443 by default.
8 Create a pool and add members to it Create a pool that contains your application servers. Pool name: web_pool
9 Create a virtual server

Create a virtual server, which provides a destination for your inbound web traffic and points to the pool of web servers.

  • Virtual IP address:, service port: 443

Note: Because IP addresses in Azure may change, use the DNS name of your application server as the pool member.

Sample single-NIC configuration

The following diagram shows a basic single NIC deployment of a BIG-IP VE instance in Microsoft Azure.

When you deploy BIG-IP VE from the Azure Marketplace, only a single NIC is available. All other configurations must use an ARM template.

Follow the steps in this guide to create this deployment.

Note: Alternately, you can use a template to create this deployment. For more information about templates provided by F5, go to


As shown in the diagram, all access to the BIG-IP VE appliance is through the same IP address and virtual network interface (vNIC). When you first boot, BIG-IP VE creates networking objects (vNIC 1.0, a VLAN, and a self IP) and, in BIG-IP VE 13.0 and later, sets the port for the BIG-IP Configuration utility to 8443.

Because only one IP is available in this single-NIC configuration, the BIG-IP VE high availability (HA) feature does not work. If you want to do HA (create an active-standby pair), use the template available on

If you have two or more applications that need access to the same port, you have several options, including:

  • BIG-IP VE supports Server Name Indicator (SNI), which allows a single virtual IP to host multiple domains. For more information, see
  • If you are using Windows/IIS web sites, add a DNS record for each domain name and have them both point to the same IP address. The browser sends the URL in the host header field of the request and serves the correct web site.
  • Use BIG-IP iRules to make pool decisions based on header content.

Follow the steps in this guide, or, if you’d prefer, watch a video of the deploy:

Deploy BIG-IP VE in Azure Resource Manager

In order to create a virtual machine running BIG-IP VE in Azure, you can deploy BIG-IP VE in the Azure Resource Manager deployment model.

  1. Log in to the Microsoft Azure Portal at

  2. On the Dashboard, select Marketplace.

  3. In the Filter field, type F5 and press Enter.

  4. From the Select a deployment model list, select Resource Manager and click Create.


  5. On the Basics page, complete these settings.

    Setting Details
    Name A name for the instance.
    VM disk type Accept the default or change it.
    User name A name for the person who will log in to BIG-IP VE. You can’t change or access this field later.
    Authentication type SSH keys are more secure than passwords.
    Subscription Accept the default or change it.
    Resource group A resource group is a logical container of related resources. Accept the default or change it.
    Location Accept the default or change it.

  6. Click OK.

  7. On the Size page, choose the instance size that meets your needs, and click Select.

  8. On the Settings page, accept the defaults or change them.

  9. Click OK.

  10. On the Summary page, click OK.

  11. On the Purchase page, click Purchase to initiate the deployment. To check the status, click the notifications bell on the top toolbar.

When done, you will have the following resources:

  • A BIG-IP VE instance with one network interface and a public IP address
  • A VLAN named internal
  • A self IP address named self_1nic

Note: You do not need to use the BIG-IP Setup wizard to configure networking, because BIG-IP configured basic networking during deployment.

Azure Classic is an older version of the Azure portal that Microsoft is phasing out. If you need instructions for deploying BIG-IP VE in Classic, see this document.

Create inbound traffic rules

In order to access the BIG-IP Configuration utility, you must open port 8443. In order to connect to your application through BIG-IP VE, you must open port 443 (in this example).

  1. In the Azure portal, click Browse -> Network security groups.

  2. Filter the list to find your group.

  3. On the Settings blade, click Inbound security rules.

  4. By default, port 22 is open, so you can connect to BIG-IP by using SSH.

  5. On the Inbound security rules blade, click Add.

  6. Leave the default settings, but enter a name and for the Destination port range, type 443.

    This allows SSL application traffic for port 443 to reach BIG-IP VE.

  7. Click OK.

Now complete the steps again, using 8443 as the Destination port range. This allows management traffic for port 8443 to reach BIG-IP VE.

Set the admin password for BIG-IP VE

Give BIG-IP VE six to ten minutes to finish deploying before you attempt to connect.

The first time you boot BIG-IP VE, you must connect to the instance and create a strong admin password. You will use the admin account and password to access the BIG-IP Configuration utility.

This management interface may be accessible to the Internet, so ensure the password is secure.

This example shows how to use PuTTy to connect, but you can use any SSH utility.

  1. Open PuTTy and in the Host Name (or IP address) field, enter the external IP address.


  2. In the Category pane on the left, click Connection -> SSH -> Auth.

  3. In the Private key file for authentication field, choose your .ppk file.


  4. Click Open.

  5. If a host key warning appears, click OK.

    The terminal screen displays: login as:.

  6. Type admin and press Enter.

    You are now at the tmsh command prompt.

  7. Modify the admin password:

    modify auth password admin

    The terminal screen displays the message:

    changing password for admin
    new password:
  8. Type the new password and press Enter.

    The terminal screen displays the message:

    confirm password

  9. Re-type the new password and press Enter.

  10. Ensure that the system retains the password change and press Enter.

    save sys config

    The terminal screen displays the message:

    Saving Ethernet mapping...done

License BIG-IP VE

You must enter license information before you can use BIG-IP VE.

  1. Open a web browser and log in to the BIG-IP Configuration utility by using https with the external IP address and port 8443, for example: https://<external-ip-address>:8443. The username is admin and the password is the one you set previously.

  2. On the Setup Utility Welcome page, click Next.

  3. On the General Properties page, click Activate.

  4. In the Base Registration key field, enter the case-sensitive registration key from F5.

    For Activation Method, if you have a production or Eval license, choose Automatic and click Next.

    If you chose Manual, complete these steps:

    1. In the Step 1: Dossier field, copy all of the text and then click Click here to access F5 Licensing Server.


      A separate web page opens.

    2. On the new page, click Activate License.

    3. In the Enter your dossier field, paste the text and click Next.


    4. Accept the agreement and click Next.

    5. On the Activate F5 Product page, copy the license text in the box. Now go back to the BIG-IP Configuration utility and paste the text into the Step 3: License field.


    6. Click Next.

The BIG-IP VE system registers the license and logs you out. When the configuration change is successful, click Continue to provision BIG-IP VE.

Provision BIG-IP VE

You must confirm the modules you want to run before you can begin to work in the BIG-IP Configuration utility.

  1. Open a web browser and log in to the BIG-IP Configuration utility.

  2. On the Resource Provisioning screen, change settings if necessary and click Next.

  3. On the Device Certificates screen, click Next.

  4. On the Platform screen, in the Admin Account field, re-enter the password for the admin account and click Next.


    BIG-IP VE logs you out.

  5. When you log back in, on the Setup Utility -> Network screen, in the Advanced Network Configuration area, click Finished.


Change the Configuration utility port

The BIG-IP Configuration utility uses port 443 by default. Change the port to 8443 so you can use 443 for application traffic.

  1. Use a secure shell terminal (SSH), like PuTTy, to access the instance; use the key pair you specified when you deployed the instance.

  2. Type tmsh to ensure you are accessing the tmsh prompt.

  3. Confirm the SSL port. list sys httpd ssl-port

    The result should be ssl-port 443.

  4. Move the port from 443 to 8443.

    modify sys httpd ssl-port 8443

  5. Confirm the move was successful. list sys httpd ssl-port

    The result should be ssl-port 8443.

  6. Add 8443 to the default self allow port list.

    modify net self-allow defaults add { tcp:8443 }

  7. Now that the Configuration utility is no longer using port 443, remove the reference to it.

    modify net self-allow defaults delete { tcp:443 }

  8. Confirm the changes. list net self-allow defaults

    tcp:pcsync-https is for 8443 and should be in the list. tcp:https is for 443 and should not be in the list.

  9. Save the changes to the system configuration.

    save sys config

  10. End the SSH session.

  11. Open a web browser and go to the BIG-IP Configuration utility by using port 8443, for example: https://<public-ip-address>:8443.

Create a pool and add members to it

Traffic goes through BIG-IP VE to a pool. Your application servers should be members of this pool.

  1. Open a web browser and go to the BIG-IP Configuration utility, for example: https://<external-ip-address>:8443.

  2. On the Main tab, click Local Traffic -> Pools.

  3. Click Create.

  4. In the Name field, type web_pool. Names must begin with a letter, be fewer than 63 characters, and can contain only letters, numbers, and the underscore (_) character.

  5. For Health Monitors, move https from the Available to the Active list.

  6. Choose the load balancing method or retain the default setting.

  7. In the New Members section, in the Address field, type the IP address of the application server.

  8. In the Service Port field, type a service port, for example, 443.

  9. Click Add.

    The list now contains the member.

  10. Add additional pool members as needed and click Finished.

Create a virtual server

A virtual server listens for packets destined for the external IP address. You must create a virtual server that points to the pool you created.

  1. In the BIG-IP Configuration utility, on the Main tab, click Local Traffic -> Virtual Servers.

  2. Click Create and populate the following fields.

    Field Value
    Name A unique name
    Destination Address/Mask BIG-IP VE’s private IP address
    Service Port 443
    HTTP Profile http
    SSL Profile (Client) clientssl
    SSL Profile (Server) serverssl
    Source Address Translation Auto Map
    Default Pool web_pool

    Note: These settings are for demonstration only. For details about securing a web application with SSL, see the product documentation at

  3. Click Finished.

Traffic to the BIG-IP VE external IP address will now go to the pool members. To test in a browser, type: https://<external-IP-address>.