Manual Chapter: Configuring High Availability in AWS

Checklist: Configure high availability in AWS

To set up high availability (HA), start by creating these HA objects in AWS.

Note: Create all objects in the same availability zone as the BIG-IP® VEs.

  • Create a subnet for HA communication
    You need a separate subnet in the VPC for all HA communication between BIG-IP VE instances.
    Subnet name: HA
  • Create network interfaces (NICs) for the HA subnet
    Each BIG-IP VE instance needs a NIC that's associated with the HA subnet and has a primary private IP address assigned to it.
    Interface name: eth3
  • Create an IAM policy for high availability
    You must create an IAM policy that grants access to specific commands. You assign this policy to an IAM user.
  • Create an administrative user account
    You must create an IAM administrative user account in the VPC that includes access keys, secret keys, and a permissions policy.

Create a subnet for HA communication

Each BIG-IP® VE instance uses three VPC subnets, for management, external, and internal traffic. Note the availability zone for these subnets (for example, us-west-2a).

Now, in the same availability zone, create a subnet for high availability (HA) communication between the two instances. This subnet corresponds to the BIG-IP VLAN named HA that you will create later on each BIG-IP VE.

  1. In the AWS Management Console, from the Services menu at the top of the screen, select VPC.
  2. In the Navigation pane, under Virtual Private Cloud, select Subnets.
  3. Click Create Subnet.
  4. In the Name tag field, type HA.
  5. In the VPC field, select the VPC.
  6. In the Availability Zone field, select the zone where the other subnets reside.
  7. In the CIDR block field, type 10.0.3.0/24.
  8. Click Yes, Create.
Your VPC should now have four subnets:
  • management: 10.0.0.0
  • external: 10.0.1.0
  • internal: 10.0.2.0
  • HA: 10.0.3.0

Create HA network interfaces

Each of your BIG-IP® VE instances should have three network interfaces, one per subnet (management, external, and internal). Now create another network interface for each instance and associate it with the HA subnet.

  1. In the AWS Management Console, from the Services menu at the top of the screen, select EC2.
  2. In the Navigation pane, under NETWORK & SECURITY, select Network Interfaces.
  3. Click Create Network Interface and populate the appropriate fields.
    Field            Value
    Description      HA_A
    Subnet           10.0.3.0/24
    Private IP       10.0.3.96
    Security groups  InternalTraffic
    Note: You do not need to create a separate security group for the HA network interfaces.
  4. Click Yes, Create.
    AWS adds the network interface to the list.
  5. Update the name in the list to HA.
  6. Right-click the new network interface and select Attach.
  7. From the Instance ID list, select the instance for BIG-IP A and click Attach.
  8. Repeat this task for BIG-IP B, using these values and attaching the NIC to the BIG-IP B instance:
    Field            Value
    Description      HA_B
    Subnet           10.0.3.0/24
    Private IP       10.0.3.185
    Security groups  InternalTraffic
  9. Reboot both BIG-IP VEs so that they can register the new NICs. To do this, right-click each instance in the Instances list and choose Instance State > Reboot.

Create an IAM policy for high availability

AWS and BIG-IP® VE communicate with each other by using a set of AWS Identity and Access Management (IAM) credentials. The user who has these credentials must have specific permissions, which are defined in a policy.
  1. In the AWS Management Console, from the Services menu at the top of the screen, select IAM.
  2. In the Navigation pane, under Details, select Policies.
  3. Click Create Policy.
  4. Next to Create Your Own Policy, click Select.
  5. Enter this text in the Policy Document field.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:describeinstancestatus",
                    "ec2:describenetworkinterfaces",
                    "ec2:assignprivateipaddresses"
                ],
                "Resource": "*"
            }
        ]
    }
  6. Click Create Policy.
You now have a policy you can assign to a user account.
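
An added example, not part of the original manual: a Python check that a policy document grants the three EC2 actions listed above and nothing broader, which is useful before attaching the policy to the user whose access keys are stored on BIG-IP VE. The function name audit_ha_policy and the over-broad sample policy are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# The three actions the HA policy above grants (IAM action names are case-insensitive).
REQUIRED = {
    "ec2:describeinstancestatus",
    "ec2:describenetworkinterfaces",
    "ec2:assignprivateipaddresses",
}

def _as_list(value):
    """IAM accepts a single string or a list for Action/NotAction."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_ha_policy(document):
    """Return (missing_actions, findings) for a policy JSON string."""
    policy = json.loads(document)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a lone statement may be a bare object
        statements = [statements]
    granted, findings = set(), []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue                      # Deny cannot widen access; not modelled further
        if "NotAction" in stmt:
            findings.append(f"statement {i}: Allow with NotAction grants everything else")
        for action in _as_list(stmt.get("Action")):
            pattern = action.lower()
            if "*" in pattern or "?" in pattern:
                findings.append(f"statement {i}: wildcard action {action!r}")
                granted |= {r for r in REQUIRED if fnmatchcase(r, pattern)}
            elif pattern in REQUIRED:
                granted.add(pattern)
            else:
                findings.append(f"statement {i}: action {action!r} not needed for HA")
    return sorted(REQUIRED - granted), findings

# Constructed samples: the policy from this page, and a hypothetical over-broad variant.
PAGE_POLICY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["ec2:describeinstancestatus", "ec2:describenetworkinterfaces",
             "ec2:assignprivateipaddresses"], "Resource": "*"}]}"""
BROAD_POLICY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["ec2:Describe*", "ec2:AssignPrivateIpAddresses", "ec2:TerminateInstances"],
  "Resource": "*"}]}"""

if __name__ == "__main__":
    for name, doc in (("page", PAGE_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_ha_policy(doc))
```

An empty missing list with no findings means the document matches the policy on this page; the check covers actions only and does not evaluate the Resource element.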

Create an IAM user and assign an HA policy

AWS and BIG-IP® VE communicate with each other by using a set of AWS Identity and Access Management (IAM) credentials.
  1. In the AWS Management Console, from the Services menu at the top of the screen, select IAM.
  2. In the Navigation pane, under Details, select Users.
  3. Click Create New Users.
  4. Type a user name, select Generate an access key for each user and then click Create.
  5. Click Download Credentials.
    An access key ID and a Secret Access Key pair are downloaded in a file named credentials.csv.
    Important: AWS downloads these credentials only once, so keep track of where they are stored.
  6. Click Close.
  7. In the list of users, click the row for the user.
  8. On the Permissions tab, click Attach Policy.
  9. Select the check box for the policy you created previously.
  10. Click Attach Policy.
The IAM user now has permissions needed to communicate between BIG-IP VE and AWS.