Lab 4.1: Prepare your AWS deployment

Warning

Skip lab 1 and go directly to lab 2 if you are using the UDF Cloud Account.

In module1/Lab 1.1, we saw the different components to setup a SSG:

  • License Pool
  • IP Pools
  • Device Template
  • Cloud Provider
  • Cloud Environment

When you want to deploy a SSG in AWS, you don’t need to provide the same amount of information:

  • A License Pool is not mandatory. We are free to use Utility Billing (pay-per-use) in AWS
  • IP Pools are not needed. When we deploy a SSG in AWS, the deployed Virtual Edition(s) will be using our single NIC deployment. It means that we use one interface for management and traffic processing. In this case, the IP Address assigned to the device will be picked automatically by AWS

To deploy our SSG in AWS, we will need to do a few things:

  • Pick an AWS Region
  • Setup an IAM resource (Identity and Access Management) that will allow us to setup our SSG via the AWS API
  • Setup a Key Pair in the selected AWS Region

Once this is done, we will be able to deploy our SSG. We will rely on some ansible scripts to:

  • Create a VPC, subnets, security groups, …
  • Deploy an APP in AWS
  • Setup an AWS VPN connection between our lab environment and this newly deployed AWS VPC

Note

in this lab, we consider that you have access to AWS. We won’t cover this topic.

Create a new IAM Resource

To create a new IAM in AWS, go to your AWS Console and go to Services > IAM

../../_images/img_module4_lab1_1.png

Click on Users > Add user

../../_images/img_module4_lab1_2.png

Set the following information:

  • User Name: CE-Lab-IAM-<YOUR NAME>. For example: CE-Lab-IAM-MENANT
  • Access type: Check Programmatic access

Warning

we need something unique for the User name since other student will do the lab and you may use same AWS corporate account.

../../_images/img_module4_lab1_3.png

Click on the button Next: Permissions

On the Permissions page, click on the button Create group

../../_images/img_module4_lab1_4.png

  • Group name: CE-Lab-MENANT-Admin-GRP
  • Policy : Check the box for Administrator Access
../../_images/img_module4_lab1_5.png

Click on Create group. You will be back on the Add user page.

Note

this is not the best suited group for BIG-IQ access but this lab is not about covering IAM setup. We could just create a policy that allows us to run CFT, Setup VPC/VPN and launch EC2 instances

../../_images/img_module4_lab1_6.png

Make sure your new group BIG-IQ-LAB-Admin-GRP is selected, SCROLL DOWN and click on the button Next: Review. You should see a page like this:

../../_images/img_module4_lab1_7.png

Click on the button Create user.

Warning

DON’T leave this summary page until you’ve taken note of your credentials ! You can’t get those back once you’ll leave this page

../../_images/img_module4_lab1_8.png

You need to store your Access key ID and your Secret Access key. 2 methods:

  • You click on the button Download .csv
  • You click on Show in the Secret Access key column and then you store yourself somewhere your Access key ID and your Secret Access key

Click on the Close button once you’ve saved your credentials.

../../_images/img_module4_lab1_9.png

Now that our IAM resource is created, we can create our AWS key pair.

Create a new AWS key pair

Before creating our key pair, we need to select a region where we will deploy our SSG. For this lab, we will use the region US-East.

In the AWS UI, click on Services > EC2

../../_images/img_module4_lab1_10.png

Select your region: on the top right , click on the selected AWS Region and select US East (N. Virginia)

../../_images/img_module4_lab1_11.png

Now that we picked the AWS Region where we will deploy our SSG, we can create our Key Pair (it is only valid for a region)

Go to Network & Security , Key Pairs.

../../_images/img_module4_lab1_12.png

Click on Create Key Pair. The Key Pair has to be unique for this lab so use CE-Lab-<YOURNAME>

For example: CE-Lab-MENANT

Warning

whatever you pick for the key pair name, make sure it will be fairly unique so that it doesn’t overlap with another student’s lab.

../../_images/img_module4_lab1_13.png

We have now setup everything our IAM resource and our Key Pair. We can work on deploying our SSG.

Subscribe to the BIG-IP instance in the AWS MArketplace

Before being able to deploy an instance in AWS, you’ll have to subscribe to this license agreement

Go here to subscribe to the right F5 instance we will use in this lab:

F5 BIG-IP VE - ALL (BYOL, 1 Boot Location)

F5 BIG-IQ Virtual Edition - (BYOL)

Once you’ve subscribed, you should see something like this:

../../_images/img_module4_lab1_14.png