Manual Chapter: Configuring High Availability in BIG-IP VE

Task List: Configure BIG-IP VE high availability in AWS

To set up high availability (HA), create these resources. These tasks are detailed later in this guide.

Step 1. Create a subnet for HA communication
  Description: In AWS, the VPC needs a separate subnet for HA communication between BIG-IP VE instances.
  Details: Subnet: HA

Step 2. Create network interfaces (NICs) for the HA subnet
  Description: In AWS, create two NICs for HA and attach one to each BIG-IP VE instance.
  Details: Interface: eth3

Step 3. Create a VLAN for HA communication
  Description: On each BIG-IP VE, create a VLAN that corresponds to the HA subnet.
  Details: VLAN: HA

Step 4. Create a static self IP address for each HA VLAN
  Description: On each BIG-IP VE, create a static self IP address used for failover communication. These IP addresses must match the private IP addresses assigned to the HA subnet in AWS.
  Details:
  • Self IP on BIG-IP A: 10.0.3.96
  • Self IP on BIG-IP B: 10.0.3.185

Step 5. Establish device trust
  Description: The BIG-IP VEs must establish trust by exchanging certificates. Use management IP addresses to do this.
  Details:
  • Management IP on BIG-IP A: 10.0.0.200
  • Management IP on BIG-IP B: 10.0.0.201

Step 6. Specify config sync and failover addresses
  Description: These are the static self IP addresses that you want the BIG-IP VEs to use for config sync and failover operations to one another.
  Details:
  Config sync static self IP for internal VLAN:
  • BIG-IP A: 10.0.2.200
  • BIG-IP B: 10.0.2.201
  Static self IP for the HA VLAN:
  • BIG-IP A: 10.0.3.96
  • BIG-IP B: 10.0.3.185

Step 7. Create a BIG-IP Sync-Failover device group
  Description: BIG-IP VEs in a Sync-Failover device group can sync their configurations and fail over to one another.
  Details: bigip_ve_dg

Step 8. Synchronize the BIG-IP configuration
  Description: Log in to BIG-IP A and sync its configuration to BIG-IP B.

Create a subnet for HA communication

Each BIG-IP® VE instance uses three VPC subnets, for management, external, and internal traffic. Note the availability zone for these subnets (for example, us-west-2a).

Now, in the same availability zone, create a subnet for high availability (HA) communication between the two instances. This subnet corresponds to the BIG-IP VLAN named HA that you will create later on each BIG-IP VE.

  1. In the AWS Management Console, from the Services menu at the top of the screen, select VPC.
  2. In the Navigation pane, under Virtual Private Cloud, select Subnets.
  3. Click Create Subnet.
  4. In the Name tag field, type HA.
  5. In the VPC field, select the VPC.
  6. In the Availability Zone field, select the zone where the other subnets reside.
  7. In the CIDR block field, type 10.0.3.0/24.
  8. Click Yes, Create.
Your VPC should now have four subnets:
  • management: 10.0.0.0
  • external: 10.0.1.0
  • internal: 10.0.2.0
  • HA: 10.0.3.0

Create HA network interfaces

Each of your BIG-IP® VE instances should have three network interfaces, one per subnet (management, external, and internal). Now create another network interface for each instance and associate it with the HA subnet.
  1. In the AWS Management Console, from the Services menu at the top of the screen, select EC2.
  2. In the Navigation pane, under NETWORK & SECURITY, select Network Interfaces.
  3. Click Create Network Interface and populate the appropriate fields.
    Field             Value
    Description       HA-A
    Subnet            10.0.3.0/24
    Private IP        10.0.3.96
    Security groups   InternalTraffic
    Note: You do not need to create a separate security group for the HA network interfaces.
  4. Click Yes, Create.
    AWS adds the network interface to the list.
  5. Update the name in the list to HA-A.
  6. Right-click the new network interface and select Attach.
  7. From the Instance ID list, select the instance for BIG-IP A and click Attach.
  8. Repeat this task for BIG-IP B, using these values and attaching the NIC to the BIG-IP B instance:
    Field             Value
    Description       HA-B
    Subnet            10.0.3.0/24
    Private IP        10.0.3.185
    Security groups   InternalTraffic
  9. Reboot both BIG-IP VEs so that they can register the new NICs. To do this, right-click each instance in the Instances list and choose Instance State > Reboot.

Create VLANs for HA communication

You must create a VLAN on each BIG-IP® VE. The two BIG-IP VEs will use this VLAN for high availability communication with each other.
  1. Log in to the BIG-IP Configuration utility on BIG-IP A.
  2. On the Main tab, click Network > VLANs. The VLAN List screen opens.
  3. Click Create and fill in the appropriate fields for the HA VLAN.
    Field       Value
    Name        HA
    Interface   1.3
    Tagging     Untagged
  4. Click Finished.
  5. Now log in to the BIG-IP Configuration utility on BIG-IP B.
  6. Repeat this task, using the same name for the VLAN:
    Field       Value
    Name        HA
    Interface   1.3
    Tagging     Untagged
After you complete this task, each BIG-IP VE has a VLAN for high availability communications that corresponds to the HA subnet in your Amazon Virtual Private Cloud (VPC).

Create static self IP addresses for the HA VLANs

Each BIG-IP® VE needs a static self IP address to send failover communications to the other BIG-IP VE. This self IP address must match the primary private IP address of the instance's network interface for the HA subnet.
  1. Log in to the BIG-IP Configuration utility on BIG-IP A.
  2. On the Main tab, click Network > Self IPs.
  3. Click Create and populate the appropriate fields:
    Field           Value
    Name            HAselfIP_A
    IP Address      10.0.3.96
    Netmask         255.255.255.0
    VLAN/Tunnel     HA
    Port Lockdown   Allow All
    Traffic Group   traffic-group-local-only
  4. Click Finished.
  5. Now log in to the BIG-IP Configuration utility on BIG-IP B.
  6. Repeat this task, specifying these values:
    Field           Value
    Name            HAselfIP_B
    IP Address      10.0.3.185
    Netmask         255.255.255.0
    VLAN/Tunnel     HA
    Port Lockdown   Allow All
    Traffic Group   traffic-group-local-only
The two BIG-IP VEs can now monitor each other's availability status through the HA VLAN.

Establish trust between the BIG-IP VEs

Before joining a Sync-Failover device group, both BIG-IP® VEs must authenticate each other's certificates to create trust.
Note: Do this task on BIG-IP A only.
  1. Log in to the BIG-IP Configuration utility on BIG-IP A.
  2. On the Main tab, click Device Management > Device Trust, and then select Peer List.
  3. Click Add.
  4. For the IP address, type the management address for BIG-IP B, 10.0.0.201.
    This is the primary private IP address associated with BIG-IP B's management subnet.
  5. Type the administrative user name (admin).
  6. Click Retrieve Device Information.
    BIG-IP A discovers BIG-IP B and displays information about it.
  7. Confirm that BIG-IP B's certificate is correct.
  8. Confirm that the management IP address and name of BIG-IP B are correct.
  9. Click Finished.
BIG-IP A and BIG-IP B now trust each other.

Specify config sync, failover, and mirroring addresses

Each BIG-IP VE needs to synchronize its configuration with and assess the health of the other BIG-IP VE.
  1. Log in to the BIG-IP® Configuration utility on BIG-IP A.
  2. On the Main tab, click Device Management > Devices.
  3. In the Name column, click BIG-IP A.
  4. From the Device Connectivity menu, choose ConfigSync.
  5. For the Local Address setting, select the static self IP address for BIG-IP A's internal VLAN, 10.0.2.200, and click Update.
  6. From the Device Connectivity menu, choose Failover Network.
  7. For the Failover Unicast Configuration settings, click Add and specify the static self IP address for BIG-IP A's HA VLAN, 10.0.3.96.
  8. Click Finished.
  9. Now log in to BIG-IP B.
  10. On the Main tab, click Device Management > Devices.
  11. In the Name column, click BIG-IP B.
  12. From the Device Connectivity menu, choose ConfigSync.
  13. For the Local Address setting, select the static self IP address for BIG-IP B's internal VLAN, 10.0.2.201, and click Update.
  14. From the Device Connectivity menu, choose Failover Network.
  15. For the Failover Unicast Configuration settings, click Add and specify the static self IP address for BIG-IP B's HA VLAN, 10.0.3.185.
  16. Click Finished.
Now each BIG-IP VE can use the IP addresses of the other BIG-IP VE to sync its configuration and fail over.
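
The address requirements from the self IP task and the config sync and failover task above (each address sits in its intended subnet, and the failover self IP matches the primary private IP of the HA network interface) can be checked before configuring either device. This is an added example, not F5's code; it assumes /24 prefixes for the management, external, and internal subnets and uses a constructed HA_NIC_PRIMARY_IP sample in place of what AWS reports.

```python
import ipaddress

# Subnets from this chapter; the /24 prefix on the first three is an assumption
# (the page states a prefix only for the HA subnet).
SUBNETS = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "management": "10.0.0.0/24", "external": "10.0.1.0/24",
    "internal": "10.0.2.0/24", "HA": "10.0.3.0/24"}.items()}

# Which subnet each HA-related address must live in.
ROLE_SUBNET = {"trust": "management", "configsync": "internal", "failover": "HA"}

# Address plan from the task list.
PLAN = {
    "BIG-IP A": {"trust": "10.0.0.200", "configsync": "10.0.2.200", "failover": "10.0.3.96"},
    "BIG-IP B": {"trust": "10.0.0.201", "configsync": "10.0.2.201", "failover": "10.0.3.185"},
}

# Constructed sample: primary private IP of each instance's HA NIC as AWS reports it.
HA_NIC_PRIMARY_IP = {"BIG-IP A": "10.0.3.96", "BIG-IP B": "10.0.3.185"}


def aws_reserved(net):
    """AWS reserves the first four addresses and the last address of every subnet."""
    return {net[0], net[1], net[2], net[3], net[-1]}


def check_plan(plan, ha_nic_ips):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings, seen = [], {}
    for device, roles in plan.items():
        for role, addr in roles.items():
            ip = ipaddress.ip_address(addr)
            net = SUBNETS[ROLE_SUBNET[role]]
            if ip not in net:
                findings.append(f"{device}: {role} address {ip} is outside {ROLE_SUBNET[role]} subnet {net}")
            elif ip in aws_reserved(net):
                findings.append(f"{device}: {role} address {ip} is reserved by AWS in {net}")
            if ip in seen:
                findings.append(f"{device}: {role} address {ip} is already used by {seen[ip]}")
            seen[ip] = device
        if roles["failover"] != ha_nic_ips.get(device):
            findings.append(f"{device}: failover self IP {roles['failover']} does not match "
                            f"HA NIC primary IP {ha_nic_ips.get(device)}")
    return findings


if __name__ == "__main__":
    for line in check_plan(PLAN, HA_NIC_PRIMARY_IP) or ["address plan is consistent"]:
        print(line)
```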

Create a Sync-Failover device group

You must put the two BIG-IP® VEs into a Sync-Failover device group. If an active BIG-IP VE in the Sync-Failover device group becomes unavailable, its configuration objects fail over to the other BIG-IP VE and traffic processing resumes.

Note: Do this task on BIG-IP A only.
  1. Log in to the BIG-IP Configuration utility on BIG-IP A.
  2. On the Main tab, click Device Management > Device Groups.
  3. On the Device Groups list screen, click Create.
  4. Type a name for the device group, such as bigip_ve_dg.
  5. Select the device group type Sync-Failover.
  6. In the Configuration area of the screen, select both BIG-IP VEs from the Available list and click the Move button.
    The BIG-IP VEs are now in the Includes list.
  7. Select the Network Failover check box.
  8. Click Finished.
You now have a Sync-Failover device group that contains both BIG-IP VEs.

Sync the BIG-IP configuration to the device group

You must synchronize the BIG-IP® configuration data from BIG-IP A to BIG-IP B. This data includes the floating virtual IP address, 10.0.1.202.
Note: Do this task on BIG-IP A only.
  1. Log in to the BIG-IP Configuration utility on BIG-IP A.
  2. On the Main tab, click Device Management > Overview.
  3. In the Device Groups area of the screen, from the Name column, select the device group you created earlier, such as bigip_ve_dg.
    The screen expands to show a summary and details of the sync status of the device group, as well as a list of the two BIG-IP VEs within the device group.
  4. In the Devices area of the screen, from the Sync Status column, select the device that shows a sync status of Changes Pending.
  5. In the Sync Options area of the screen, select Sync Device to Group.
    This syncs the most recent changes on BIG-IP A to the other member of bigip_ve_dg, BIG-IP B.