Applies To:

Show Versions Show Versions

Manual Chapter: Deploying BIG-IP Virtual Edition
Manual Chapter
Table of Contents   |   << Previous Chapter

About BIG-IP VE EC2 deployment

To deploy the BIG-IP Virtual Edition (VE) system on Amazon® EC2®, you need to perform these tasks:

  • Create a key pair (if none exists)
  • Create a VPC (if none exists)
  • Launch a new AMI

After you complete these tasks, you can log in to the BIG-IP VE system and run the Setup utility. Using the Setup utility, you can perform basic network configuration tasks, such as assigning VLANs to interfaces.

This illustration describes the basic configuration these tasks deploy.


EC2 diagram
Basic Amazon Elastic Cloud Computing diagram

Creating a key pair

To create a virtual private cloud (VPC) from which you can deploy BIG-IP Virtual Edition (VE), you need a (private-public encryption) key pair to authenticate your sessions. Key pairs are reusable, so if you have a key pair, you do not need to repeat this task.

For the most current instructions for creating a key pair, refer to the Amazon Virtual Private Cloud (VPC) Documentation web site http://aws.amazon.com/documentation/vpc/.
Important: It is crucial to your success that you be consistent in the Region that you choose throughout the configuration process. Objects configured in one region are not visible within other regions, so they cannot function together. There are a number factors that determine which region will best suit your requirements. Refer to Amazon user documentation for additional detail.
The file that downloads from Amazon Web Services uses the extension .pem. If you plan to use this key pair with the PuTTY terminal emulator application, you will need to convert the key pair from a .pem to a .ppk file. At the time of this release, PuTTY does not support the extension .pem. PuTTY does have a tool (called PuTTYgen) that converts your key pair to the required PuTTY format.

Creating a new virtual private cloud

You need a virtual private cloud (VPC) to deploy BIG-IP Virtual Edition (VE) because Amazon Web Services (AWS) only provides multiple network interface support for instances that reside within a VPC. At the time of this release, Amazon does not support EC2 instances outside of a VPC.

For the most current instructions for creating a Virtual Private Cloud, refer to the Amazon Virtual Private Cloud (VPC) Documentation web site http://aws.amazon.com/documentation/vpc/.
Important: It is crucial to your success that you be consistent in the Availability Zone that you choose throughout the configuration process. Objects configured in one zone are not visible within other zones, so they cannot function together.
Important: The first choice you have when creating a VPC is to select a VPC configuration. Choose the VPC with Public and Private Subnets option.

Adding an additional subnet

When you create a VPC, Amazon Web Services creates two subnets (Management and External) for it. For many network topologies, three or more subnets (Management, External, and Internal) are required.

For the most current instructions for creating an internal subnet, refer to the Amazon Virtual Private Cloud (VPC) Documentation web site http://aws.amazon.com/documentation/vpc/.
If you are following a typical deployment strategy, when you finish adding the Internal subnet, your VPC will have three subnets.
  • a Management subnet on 10.0.0.0
  • an External subnet on 10.0.1.0
  • an Internal subnet on 10.0.2.0

Creating new security groups

To use your virtual private cloud (VPC) to deploy BIG-IP Virtual Edition (VE), the VPC needs two security groups. The table details the rules required that govern the security behavior for the traffic routed through each group.

Group Name Group Description Rule Name Source Rule Type
allow-only-ssh-https-ping Allow only SSH HTTPS or PING Inbound SSH 0.0.0.0/0  
    Inbound HTTP 0.0.0.0/0  
    Inbound Custom ICMP 0.0.0.0/0 Echo Request
    Outbound Custom ICMP 0.0.0.0/0 Echo Request
    Outbound Custom ICMP 0.0.0.0/0 Echo Reply
allow-all-traffic Allow all traffic Inbound All Traffic 0.0.0.0/0  
    Outbound All Traffic 0.0.0.0/0  
Tip: The "Outbound All Traffic" rule is only necessary if you need to pass SNAT traffic with your outbound connection.
For the most current instructions for creating security groups, refer to the Amazon Virtual Private Cloud (VPC) Documentation web site http://aws.amazon.com/documentation/vpc/.
When you finish adding the two groups and their associated rules, your VPC should be ready to go with three subnets and two security groups. It is a good idea to test connectivity before proceeding.
Important: F5 Networks recommends enhancing your security by using the security group source fields to allow subnets only restricted management access; however, we recognize that this does not complete your security solution. For enhanced security, you may want to deploy a topology with limited management network access. For example, you could restrict source addresses to an Amazon Web Services VPN circuit, or to a fixed IP address block unique to your organization.

Adding a route for external subnet accessibility

Most network topologies require an Amazon Web Services route to the VPC that makes the External subnet used by the BIG-IP Virtual Edition (VE) accessible to the Internet.

  1. From the Services tab at the top of the Amazon Web Services Management Console screen, select VPC.
  2. In the Navigation pane, select Route Tables. The Route Tables screen opens.
  3. Select the routing table with one subnet.
  4. Click the Associations tab at the bottom of the window.
  5. From the Select a subnet list, select the 10.0.1.0/24 subnet.
  6. Click Associate. The Associate Route Table dialog box opens.
  7. Click Yes, Associate.

Launching a new BIG-IP Virtual Edition Amazon Machine Image

You need to know the name of your key pair and the Availability Zone from which they were created before you can complete this task.

You need to have an EC2 Amazon Machine Image (AMI) to deploy BIG-IP Virtual Edition (VE).

Important: At publication, this task illustrates the Amazon web interface. However, F5 recommends that you refer to Amazon user documentation for the latest documentation.
  1. Log in to your account on Amazon Web Services (AWS) marketplace.
  2. In the Search AWS Marketplace bar, type F5 BIG-IP and then click GO. The F5 BIG-IP Virtual Edition for AWS option is displayed.
  3. Click F5 BIG-IP Virtual Edition for AWS and then click CONTINUE.
    Tip: You may want to take a moment here to browse the pricing details to confirm that the region in which you created your security key pair provides the resources you require. If you determine that the resouces you need are provided in a region other than the one in which you created your key pair, create a new key pair in the correct region before proceeding.
    The Launch on EC2 page is displayed.
  4. Click the Launch with EC2 Console tab.
    Important: At the time of this publishing, BIG-IP VE requires launch in a VPC so that NICs can be attached. This configuration is supported from the Launch with EC2 Console option, but not the 1-Click Launch option.
    Launching Options for your EC2 AMI are displayed.
  5. Select the BIG-IP software version appropriate for your installation and then click the Launch with EC2 button that corresponds to the Region that provides the resources you plan to use.
    Important: There are a number factors that determine which region will best suit your requirements. Refer to Amazon user documentation for additional detail. Bear in mind though that the region you choose must match the region in which you created your security key pair.
    The Request Instances Wizard opens.
  6. Select an Instance Type appropriate for your use.
  7. From the Launch Instances list, select VPC.
  8. From the Subnet list, select the 10.0.0.0/24 subnet.
  9. Click Continue The Advanced Instance Options view of the Request Instances Wizard opens.
  10. From the Number of Network Interfaces list, select 2.
  11. Click the horizontal eth1 tab to set values for the second network interface adapter, and then from the Subnet list, select the 10.0.1.0/24 subnet.
  12. Click Continue. The Storage Device Configuration view of the Request Instances Wizard opens.
  13. Click Continue The Instance Details view of the Request Instances Wizard opens.
  14. In the Value field, type in an intuitive name that identifies this AMI (for example, BIG-IP VE <version>.
  15. Click Continue. The Create Key Pair view of the Request Instances Wizard opens.
  16. From Your existing Key Pairs, select the key pair you created for this AMI.
  17. Click Continue. The Configure Firewall view of the Request Instances Wizard opens.
  18. Under Choose one or more of your existing Security Groups, select the allow-all-traffic security group.
  19. Click Continue. The Review view of the Request Instances Wizard opens.
  20. Confirm that all settings are correct, and then click Launch. The Launch Instance Wizard displays a message to let you know your instance is launching.
  21. Click Close. Your new AMI will appear in the list of instances when it is fully launched.

Adding a third network interface

When you first create a virtual private cloud (VPC), there are typically only two network interfaces associated with it. F5 Networks recommends adding a third network interface to the VPC before you use it to deploy BIG-IP Virtual Edition (VE).

  1. From the Services tab at the top of the Amazon Web Services (AWS) Management Console screen, select EC2.
  2. In the Navigation pane, select Network Interfaces. The Network Interfaces screen opens.
  3. Click the Create Network Interface button (at top left). The Create Network Interface dialog box opens.
  4. In the Description field, type Internal 10.0.2.0-24 (or a similarly mnemonic name).
  5. In the Subnet field, select 10.0.2.0/24.
  6. From the Security Groups list, select allow-all-traffic.
  7. Click Yes, Create AWS adds your network interface to the list.
  8. Right-click the new network interface, and then select Attach. The Attach Network Interface dialog box opens.
  9. From the Instance list, select the VE AMI that you created.
  10. Click Yes, Attach AWS updates the Status column from available to in-use.

Making the BIG-IP Virtual Edition management port accessible

The Management port for your BIG-IP Virtual Edition (VE) may require accessibility over the Internet. Alternative topologies exist that do not require exposing the Management port to the Internet.

F5 Networks recommends, at a minimum, adding restrictions to your source addresses in the allow-only-ssh-https-ping security group.

Alternatively, you may find the Amazon Web Services EC2 VPN sufficiently effective so that you do not need to associate an Internet accessible Elastic IP with the Management port.

  1. From the Services tab at the top of the Amazon Web Services Management Console screen, select EC2.
  2. In the Navigation pane, select Elastic IPs. The Addresses screen opens.
  3. Click Allocate New Address. The Allocate New Address dialog box opens.
  4. From the EIP used in list, select VPC.
  5. Click Yes, Allocate.
  6. In the Address column, right-click the newly created Elastic IP and select Associate from the popup menu. The Associate Address dialog box opens.
  7. From the Instance list, select the VE AMI that you created as an EC2 hypervisor.
  8. From the Private IP Address list, select 10.0.0.0/24 (the Management subnet).
  9. Click Yes, Associate.

Logging in and setting the Admin password

To perform this task, you must have completed the following tasks:
  • Created a key pair
  • Created and configured a VPC
  • Instantiated and launched a BIG-IP VE AMI
  • Made the BIG-IP VE Management port accessible via the Internet

To maintain security, the first time you log in to your EC2 AMI, you should log in as root, and change the Admin password.

  1. Log in to the new AMI that you just launched. Use the name of the key pair (.pem file), and the elastic IP address of your EC2 instance. $ ssh -i <username>-aws-keypair.pem root@<elastic IP address of EC2 instance>
    Tip: You can also use a terminal emulator such as PuTTY to test your connectivity. At publication, PuTTY does not support the extension .pem, so remember that you will also need to convert the key pair .pem file to a .ppk file before you can use it with PuTTY.
  2. At the command prompt, type tmsh modify auth password admin.
    CAUTION:
    Because this login is visible externally, make sure to use a strong, secure password.
    The terminal window displays the message: changing password for admin, and then prompts: new password .
  3. Type in your new password and then press Enter. The terminal window displays the message: confirm password.
  4. Re-type the new password and then press Enter.
  5. To ensure that the system retains the password change, type tmsh save sys config, and then press Enter.
    Important: Without your security key pair, you cannot access this AMI. Once you login with your key pair, you could create a root password. However, if you decide to do this, choose the root password wisely, bearing in mind that depending on your Security Group policies, this login may provide external SSH access.
The Admin password is now changed.

Adding a secondary IP address

Secondary IP addresses are required for each subnet on which a Virtual Server resides. This task documents the process of adding a Secondary IP address to a network interface of a BIG-IP VE instance. This process describes the Amazon Web Services (AWS) user interface at the time of this release.

Important: If you plan to setup high availability, you must perform this task twice, the first secondary IP address you create is used by the BIG-IP device as the virtual server address. The second time perform this task, you create the floating IP address for high availability fast failover.
  1. From the Services tab at the top of the Amazon Web Services Management Console screen, select EC2.
  2. In the Navigation pane, select Network Interfaces. The Network Interfaces screen opens.
  3. Identify the External network interface (that is the NIC that uses the 10.0.1.0 subnet).
  4. Right-click the external NIC, and select Manage Private IP Addresses. The Manage Private IP Addresses dialog box opens.
  5. Below the list of existing addresses and the corresponding subnets, select Assign a secondary private address.
  6. Click Yes, Update. AWS adds a new IP address to the 10.0.1.0 subnet.
  7. Click Close.
The IP address you just added is displayed in the Secondary Private IPs column of the Network Interfaces screen.
Important: Make a note of the new IP address so that you will have it readily available when you want to access your VPC. Inside Amazon Web Services, this new secondary IP address is used to access the BIG-IP VE virtual server in the Amazon EC2 configuration.
Tip: Before these IP addresses can be used with the BIG-IP VE system, they must be configured within TMOS.
Important: Before proceeding, verify that your allow-only-ssh-https-ping security group rule is functioning properly. That is, confirm that you can successfully access the BIG-IP VE using SSH, HTTPS, and PING, but other protocols (such as HTTP) are blocked.

Making the secondary IP address accessible

You may need to make the external IP address for the virtual server Internet-accessible.

  1. From the Services tab at the top of the Amazon Web Services Management Console screen, select EC2.
  2. In the Navigation pane, select Elastic IPs. The Addresses screen opens.
  3. Click Allocate New Address. The Allocate New Address dialog box opens.
  4. From the EIP used in list, select VPC.
  5. Click Yes, Allocate, and then click Close.
  6. Right-click the just-created address, and select Associate from the popup menu. The Associate Address dialog box opens.
  7. From the Network Interface box, use the Network Interface ID to select the virtual server's just-created external interface.
Now you must license the BIG-IP Virtual Edition (VE) and add your configuration objects. For information on performing these tasks, see AskF5.com (www.askf5.com)

Creating VLANs mapped to external and internal interfaces

Before you can configure VLANs, you must license the BIG-IP VE and set up the root and admin passwords. Use the Setup Utility to perform these tasks.
You will create two VLANs (an external and an internal). You map the external VLAN to the 1.1 interface and the internal VLAN to the 1.2 interface.
Important: When you complete the licensing tasks, you'll need to log in again with the admin password. At this point, you'll have the option between the Standard and Advanced Network configuration. The standard option uses the Setup Utility to step you through each setting. Because you only to need to set up a couple items, it's better to choose advanced options and configure them manually.
  1. Under Advanced Network Configuration on the Setup Utility Network page, click Finished to close the Setup Utility.
  2. On the Main tab, click Network > VLANs. The VLAN List screen opens.
  3. Click Create. The New VLAN screen opens.
  4. In the Name field, type external.
  5. For the Interfaces setting, click interface 1.1 from the Available list, and use the Move button to add the selected interface to the Untagged list.
  6. You can leave the remaining controls as is. The system will use default settings.
  7. Click Repeat.
  8. Repeat steps 4 and 5, but this time type Internal for the Name and select 1.2 for the interface number.
    Tip: You may have to select the 1.1 interface and use the Move button to remove it from the Untagged list, so that when you are finished, only the 1.2 interface is listed.
  9. Click Finished. The screen refreshes, and displays the two new VLANs in the list.

Creating self IP addresses for external and internal VLANs

You must assign one self IP address to the external VLAN and another self IP address to the internal VLAN.
  1. On the Main tab, click Network > Self IPs. The Self IPs screen opens.
  2. Click Create. The New Self IP screen opens.
  3. In the IP Address field, type the private IP address that is assigned to the ETH1 network interface.
  4. From the VLAN/Tunnel list, select external.
  5. Click Repeat.
  6. In the IP Address field, type the private IP address that is assigned to the ETH2 network interface.
  7. From the VLAN/Tunnel list, select internal.
  8. Click Finished.
One self IP address is assigned to the external VLAN and the other is assigned to the internal VLAN.
Now that you have your VLANs configured and associated with the EC2 self IPs, you can proceed with configuring configuration objects such as pools and servers normally. Recall that the Amazon EC2 configuration uses the secondary private IP created earlier in this process to access the BIG-IP VE virtual server.

About failover for EC2 instances

Active standby sync failover for EC2 makes it possible for you to configure a second BIG-IP instance that can process traffic if the first instance goes offline.

Important: You may also need to add management and external subnet routes to your Amazon virtual private network so that those two networks can be accessed using an elastic IP address. For the most current instructions for creating subnet routes, refer to the Amazon Virtual Private Cloud (VPC) Documentation web site http://aws.amazon.com/documentation/vpc/

Supplying EC2 credentials for failover

You must supply the access key and secret key for both members of the active-standby pair so that your Amazon Web Services account will accept the F5 API calls that facilitate the failover process.

  1. Log in to your Amazon Web Services account and find your Access Key ID and Secret Access Key.
  2. Use your cursor to highlight the Access Key ID that you want to use, and then copy the key to your clipboard.
  3. On the Main tab of the active-standby pair's primary BIG-IP device, click System > Configuration > AWS. The Global Settings page opens.
  4. On the BIG-IP system Global Settings page, for Access Key paste in the Access Key ID that you copied previously.
  5. On the AWS interface, access your Secret Access Key, and then copy the key to your clipboard.
  6. On the BIG-IP system Global Settings page, for Secret Key, paste in the Secret Access Key that you copied previously.
  7. Click Update .
  8. Repeat the previous steps, but this time paste the credentials into the Global Settings page for the active-standby pair's standby BIG-IP device.
Active-standby failover is referred to as Device Service Clustering (DSC). Configuration for DSC is detailed in product guides available from the AskF5 Knowledge Base web site, http://support.f5.com.

The following list provides a high-level overview of the tasks to complete for completing your DSC configuration.

  1. Specify config sync local addresses for each instance.
  2. Establish device trust between the instances. To do this, you create a peer list on one instance that identifies its failover peer and then you perform a sync.
  3. Create a device group on one instance that contains both instances.
  4. Modify the default traffic group on one instance to define the failover method.
  5. Perform one more sync. The configuration objects you created on one instance will be shared so that both instances have the same configuration.
Important: One thing to keep in mind when you work between the AWS and F5 interfaces, is that the IP addresses that AWS refers to as "public" and "private" are called "external" and "internal in the F5 Networks user interface.
Table of Contents   |   << Previous Chapter

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)