Manual Chapter: Creating a VPC with Multiple Subnets in AWS

Checklist: Create an AWS VPC with multiple subnets

To create a multi-NIC configuration, you must first create an Amazon virtual private cloud (VPC). This is the network environment where your instances will reside.

Create a VPC
Use the VPC wizard to create a management subnet for administrative access, an external subnet for application access, and a NAT instance for network translation.
  • Management subnet (called Public in the AWS UI): 10.0.0.0/24
  • External subnet (called Private in the AWS UI): 10.0.1.0/24
  • NAT instance and associated network interface.
Create an internal subnet
This subnet contains your web servers.
  • Internal subnet: 10.0.2.0/24
Add a route to the VPC route table
Add the private IP address in the external subnet (the BIG-IP VE external self IP) as the gateway in a route for outbound traffic.
Create security groups
These groups determine which traffic is allowed in and out of the VPC.
  • Management traffic group
  • Virtual server traffic group

Create a VPC with multiple subnets

A BIG-IP® VE instance must be in an Amazon virtual private cloud (VPC). You can use a wizard to create a VPC that has management and external subnets. The internal subnet is created separately.
  1. In the AWS Management Console, from the Services menu at the top of the screen, select VPC.
  2. Click Start VPC Wizard > VPC with Public and Private Subnets , and then click Select.
  3. Complete the wizard with the following entries.
    The subnet listed as Public in the AWS UI is used for management traffic to the BIG-IP Configuration utility. The subnet listed as Private is used for application traffic to the BIG-IP VE external VLAN.
  4. Leave all other default settings and click Create VPC.

Create an internal subnet

When you used the VPC wizard, two subnets were created: management and external. Note the availability zone for these subnets (for example, us-west-2a).

Now create the internal subnet in that same availability zone. The internal subnet corresponds to the BIG-IP® internal VLAN.

  1. In the AWS Management Console, from the Services menu at the top of the screen, select VPC.
  2. In the Navigation pane, under Virtual Private Cloud, select Subnets.
  3. Click Create Subnet and populate the appropriate fields.
    Field               Value
    Name tag            Internal
    VPC                 Your VPC
    Availability Zone   The zone where the other subnets reside
    CIDR block          10.0.2.0/24
  4. Click Yes, Create.
Your VPC should now have three subnets.
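Before creating the subnets in the console, it is worth confirming that the three CIDR blocks fit the VPC and sit in one availability zone (a multi-NIC instance can only attach interfaces from subnets in its own zone). The following is an added example, not part of the F5 manual; it assumes the VPC wizard's default block of 10.0.0.0/16 and uses the manual's example zone us-west-2a.

```python
# Added example (not from the F5 manual): sanity-check the three-subnet plan.
# Assumptions: the VPC CIDR is the wizard default 10.0.0.0/16 and all three
# subnets use the manual's example zone us-west-2a.
import ipaddress

VPC_CIDR = "10.0.0.0/16"  # assumption: VPC wizard default

# The subnet plan from the manual; the zone is the manual's example value.
PLANNED_SUBNETS = [
    {"name": "Management", "cidr": "10.0.0.0/24", "az": "us-west-2a"},
    {"name": "External",   "cidr": "10.0.1.0/24", "az": "us-west-2a"},
    {"name": "Internal",   "cidr": "10.0.2.0/24", "az": "us-west-2a"},
]


def usable_hosts(cidr):
    """AWS reserves the first four and the last address of every subnet."""
    return ipaddress.ip_network(cidr).num_addresses - 5


def check_subnet_plan(vpc_cidr, subnets):
    """Return a list of problems; an empty list means the plan is consistent.

    Checks that every subnet lies inside the VPC block, that no two subnets
    overlap, and that all subnets share a single availability zone.
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    seen = []  # (name, network) pairs already accepted
    for s in subnets:
        net = ipaddress.ip_network(s["cidr"])
        if not net.subnet_of(vpc):
            problems.append(f"{s['name']} {s['cidr']} is outside VPC {vpc_cidr}")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{s['name']} {s['cidr']} overlaps {other_name} {other}")
        seen.append((s["name"], net))
    zones = {s["az"] for s in subnets}
    if len(zones) > 1:
        problems.append(f"subnets span several zones: {sorted(zones)}")
    return problems


if __name__ == "__main__":
    for p in check_subnet_plan(VPC_CIDR, PLANNED_SUBNETS) or ["plan OK"]:
        print(p)
    for s in PLANNED_SUBNETS:
        print(f"{s['name']}: {usable_hosts(s['cidr'])} usable addresses")
```

Run it as-is for the manual's plan; swap in your own CIDRs and zones to catch an overlapping block or a subnet in the wrong zone before the console rejects it or, worse, accepts it.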

Add routes so BIG-IP VE can access the Internet

By default, AWS will not allow traffic from the management and external subnets to leave the VPC. You must add the BIG-IP® external self IP address to the routing table for outbound traffic for the VPC.
  1. In the AWS Management Console, from the Services menu at the top of the screen, select VPC.
  2. In the Navigation pane, under Virtual Private Cloud, select Route Tables.
  3. Select the route table that currently has one subnet (the management subnet) associated with it.
  4. Click the Subnet Associations tab at the bottom of the screen.
  5. Click Edit.
  6. Select the check box for the external subnet, 10.0.1.0/24.
  7. Click Save.
    The management and external subnets are now explicitly associated with the route table.

Create security groups

Amazon security groups control the inbound and outbound traffic allowed by an EC2 instance.

You can create security groups based on your needs. This specific configuration uses three security groups: one for the BIG-IP® Configuration utility, one for virtual server traffic, and one for internal traffic.

  1. In AWS, from the Services menu at the top of the screen, select VPC.
  2. In the Navigation pane, under Security, select Security Groups.
  3. Click Create Security Group.
  4. Create three groups associated with the VPC, based on the following information. Leave outbound traffic for each group as the default (all).
    Name tag: ManagementTraffic
      Inbound rules:
      • SSH
      • HTTPS
      • ICMP
      Source: a secure network or, temporarily, 0.0.0.0/0 for Internet access.
    Name tag: VirtualServerTraffic
      Inbound rules:
      • HTTP
      • HTTPS
      • TCP 4353 (Source = 0.0.0.0/0) *If using GTM™ only
      • ICMP (Source = 0.0.0.0/0) *For troubleshooting (optional)
      Source: for HTTP and HTTPS, the port that serves the virtual traffic, or temporarily 0.0.0.0/0 for Internet access.
    Name tag: InternalTraffic
      Inbound rules:
      • TCP 4353
      • UDP 1026
      Source: these two ports are used for config sync and failover between BIG-IP VEs.
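Because the manual allows 0.0.0.0/0 on the management group only "temporarily", it is useful to audit the three groups afterwards. The following is an added example, not part of the F5 manual, that checks the JSON shape returned by `aws ec2 describe-security-groups` against the table above (SSH = TCP 22, HTTPS = TCP 443, HTTP = TCP 80). The sample output is constructed: the sg-placeholder-* identifiers are not real groups and 203.0.113.0/24 is the RFC 5737 documentation range standing in for "a secure network".

```python
# Added example (not from the F5 manual): audit BIG-IP VE security groups.
# Input is the JSON shape of `aws ec2 describe-security-groups`; the sample
# below is constructed and the GroupId values are placeholders.
import json

SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{
  "SecurityGroups": [
    {"GroupName": "ManagementTraffic", "GroupId": "sg-placeholder-mgmt",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
       {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}
     ]},
    {"GroupName": "VirtualServerTraffic", "GroupId": "sg-placeholder-vs",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
     ]},
    {"GroupName": "InternalTraffic", "GroupId": "sg-placeholder-int",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 4353, "ToPort": 4353, "IpRanges": [{"CidrIp": "10.0.2.0/24"}]},
       {"IpProtocol": "udp", "FromPort": 1026, "ToPort": 1026, "IpRanges": [{"CidrIp": "10.0.2.0/24"}]},
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
     ]}
  ]
}
""")

# (protocol, port) pairs each group should open, from the manual's table.
EXPECTED = {
    "ManagementTraffic": {("tcp", 22), ("tcp", 443), ("icmp", -1)},
    "VirtualServerTraffic": {("tcp", 80), ("tcp", 443)},
    "InternalTraffic": {("tcp", 4353), ("udp", 1026)},
}
# Rules the manual marks as optional (GTM only / troubleshooting).
OPTIONAL = {"VirtualServerTraffic": {("tcp", 4353), ("icmp", -1)}}
# Groups where a 0.0.0.0/0 source is only meant to be a temporary measure.
NO_WORLD_OPEN = {"ManagementTraffic", "InternalTraffic"}


def _rules(group):
    """Yield (protocol, port, source CIDR) for each IPv4 rule in a group.

    Only IpRanges are examined; Ipv6Ranges and group-to-group references
    (UserIdGroupPairs) are out of scope for this check.
    """
    for perm in group.get("IpPermissions", []):
        proto = perm["IpProtocol"]
        port = perm.get("FromPort", -1)  # -1 for ICMP and "all traffic"
        for r in perm.get("IpRanges", []):
            yield proto, port, r["CidrIp"]


def audit_security_groups(describe_output):
    """Return findings for rules outside the manual's table or open to the world."""
    findings = []
    for group in describe_output["SecurityGroups"]:
        name = group["GroupName"]
        if name not in EXPECTED:
            continue  # not one of the three groups this configuration defines
        allowed = EXPECTED[name] | OPTIONAL.get(name, set())
        for proto, port, cidr in _rules(group):
            if (proto, port) not in allowed:
                findings.append(f"{name}: unexpected rule {proto}/{port} from {cidr}")
            if name in NO_WORLD_OPEN and cidr == "0.0.0.0/0":
                findings.append(f"{name}: {proto}/{port} is open to the Internet; "
                                "restrict to a trusted network")
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_DESCRIBE_OUTPUT) or ["no findings"]:
        print(f)
```

Against a real account, pipe `aws ec2 describe-security-groups --filters Name=vpc-id,Values=<your VPC id>` into `json.load` in place of the sample; the checks are deliberately strict about the management and internal groups because those carry the Configuration utility, SSH and the config-sync/failover channels, none of which should stay reachable from 0.0.0.0/0 once the deployment is finished.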