Manual Chapter: Deploying BIG-IP Virtual Edition in AWS

Creating an SSH key pair

To log in to Amazon EC2 instances, you must have a key pair. In this deployment, you will create an instance for network address translation (NAT) and one for BIG-IP® VE.

Key pairs are reusable, so if you have a key pair, you do not need to repeat these steps.

You can create a key pair by using a third-party tool like PuTTYgen, or by using the AWS web site (for instructions, see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html).

Important: If you use the AWS web site, note the region where the keys are created. All objects you create must be in the same region. To determine which region is best for you, see the Amazon documentation.
The AWS keys have the .pem file extension. If you plan to use this key pair with the PuTTY terminal emulator application, you must convert the key pair from .pem to .ppk. You can use PuTTYgen to convert your key pair to the required file format.

Creating a VPC

A BIG-IP® VE instance must be in an Amazon virtual private cloud (VPC). You can use a wizard to create a VPC that has management and external subnets. The internal subnet is created separately.
  1. In the AWS Management Console, from the Services menu at the top of the screen, select VPC.
  2. Click Start VPC Wizard > VPC with Public and Private Subnets, and then click Select.
  3. Leave the default IP CIDR block of 10.0.0.0/16.
  4. In the VPC name field, type a name.
  5. For Public subnet, use 10.0.0.0/24 to specify the management subnet.
    For Public subnet name, you may want to use the name Management.
  6. For Private subnet, use 10.0.1.0/24 to specify the external subnet. You will add the internal subnet when you are done with the wizard.
    For Private subnet name, you may want to use the name External.
  7. Choose a NAT instance or gateway. If you choose to create a NAT instance, you will need a key to access the instance.
  8. Click Create VPC.

For more details about creating a VPC, see the Amazon documentation at http://aws.amazon.com/documentation/vpc/.

Creating an internal subnet

When you used the VPC wizard, two subnets were created: management and external. Note the availability zone for these subnets (for example, us-west-2a).

Now create the internal subnet in that same availability zone. The internal subnet corresponds to the BIG-IP® internal VLAN.

  1. In the AWS Management Console, from the Services menu at the top of the screen, select VPC.
  2. In the Navigation pane, under Virtual Private Cloud, select Subnets.
  3. Click Create Subnet.
  4. In the Name tag field, type a name, such as Internal.
  5. In the VPC field, select the VPC.
  6. In the Availability Zone field, select the zone where the other subnets reside.
  7. To create the internal subnet, in the CIDR block field, type 10.0.2.0/24.
  8. Click Yes, Create.
Your VPC should now have three subnets.
  • A management subnet on 10.0.0.0.
  • An external subnet on 10.0.1.0.
  • An internal subnet on 10.0.2.0.

For more details about creating subnets, see the Amazon documentation at http://aws.amazon.com/documentation/vpc/.
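
Before clicking through the wizard and the Create Subnet screen, it helps to check the planned layout on paper. The following script is an added example (not F5 or AWS code) that validates a plan like the one in this chapter: every subnet must fall inside the VPC CIDR, the subnets must not overlap each other, all three must be in one availability zone, and the management, external and internal subnets must all be present. The CIDR values are the chapter's; the availability-zone strings in the sample plans are constructed.

```python
"""Validate a planned VPC layout before creating it in the AWS console.

Added example, not F5 or AWS code. The VPC and subnet values come from this
chapter (10.0.0.0/16 with /24 management, external and internal subnets);
the availability-zone strings in the sample plans are constructed.
"""
import ipaddress

REQUIRED_SUBNETS = {"management", "external", "internal"}


def validate_plan(vpc_cidr, subnets):
    """Return a list of problems with a plan; an empty list means it is consistent.

    subnets maps a subnet name to a (cidr, availability_zone) pair.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    nets = {}

    for name, (cidr, _az) in subnets.items():
        try:
            net = ipaddress.ip_network(cidr)  # strict: host bits must be zero
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {net} lies outside the VPC CIDR {vpc}")
        nets[name] = net

    # Subnets inside one VPC must not overlap each other.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")

    # BIG-IP VE needs all three subnets in the same availability zone.
    zones = {az for _cidr, az in subnets.values()}
    if len(zones) > 1:
        problems.append(f"subnets span availability zones {sorted(zones)}; use one zone")

    missing = REQUIRED_SUBNETS - {n.lower() for n in subnets}
    if missing:
        problems.append(f"missing subnet(s): {sorted(missing)}")
    return problems


# Constructed sample plans. GOOD_PLAN mirrors the chapter; BAD_PLAN has an
# internal subnet that reuses the external CIDR and sits in a different zone.
GOOD_PLAN = {
    "Management": ("10.0.0.0/24", "us-west-2a"),
    "External": ("10.0.1.0/24", "us-west-2a"),
    "Internal": ("10.0.2.0/24", "us-west-2a"),
}
BAD_PLAN = {
    "Management": ("10.0.0.0/24", "us-west-2a"),
    "External": ("10.0.1.0/24", "us-west-2a"),
    "Internal": ("10.0.1.0/24", "us-west-2b"),
}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, validate_plan("10.0.0.0/16", plan) or "OK")
```

Run it with no arguments; the good plan prints OK and the bad plan lists the overlap and the zone mismatch, which are exactly the two mistakes that are easy to make when the internal subnet is created separately from the wizard.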

Creating security groups

Amazon security groups control the inbound and outbound traffic allowed by an EC2 instance.

In the network configuration we're building, you can use three security groups: one for management, one for virtual server traffic, and one for internal traffic.

  1. In AWS, from the Services menu at the top of the screen, select VPC.
  2. In the Navigation pane, under Security, select Security Groups.
  3. Click Create Security Group.
  4. Create three groups, based on the following information. Leave outbound traffic for each group as the default (all).
    Group name: Management traffic group
      Inbound rules:
      • SSH
      • HTTPS
      • ICMP
      Source: A secure network or, temporarily, 0.0.0.0/0 for Internet access.
    Group name: Virtual server traffic group
      Inbound rules:
      • HTTP
      • HTTPS
      • TCP 4353 (Source = 0.0.0.0/0) * If using GTM™ only
      • ICMP (Source = 0.0.0.0/0) * For troubleshooting (optional)
      Source: For HTTP and HTTPS, use the port that serves the virtual traffic. Or temporarily, 0.0.0.0/0 for Internet access.
    Group name: Internal traffic
      Inbound rules:
      • TCP 4353
      • UDP 1026
      Source: Internal subnet or VPC CIDR.
Important: For the port-allow list for your self IPs, use allow-none or limit to specific ports required for communication between BIG-IP VE instances.
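
The table above permits 0.0.0.0/0 on the management group only temporarily, restricts the internal group to the internal subnet or the VPC CIDR, and needs TCP 4353 on the virtual server group only when GTM is in use. The following script is an added example (not F5 or AWS code) that audits a set of groups against those three points and also checks a self IP port lockdown setting against the note above. The rule dictionaries mirror the console's protocol, port and source fields but are an assumption of this example, not the EC2 API; the 203.0.113.0/24 admin network is a constructed placeholder.

```python
"""Audit the chapter's security groups and self IP port lockdown.

Added example, not F5 or AWS code. Groups are constructed from the table in
the chapter; the rule dict shape is this example's own, not the EC2 API.
"""
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")
MGMT_PORTS = {22, 443}                            # SSH and HTTPS on the management group
VE_TO_VE_PORTS = {("tcp", 4353), ("udp", 1026)}   # the internal traffic table


def rule(proto, port, source):
    """One inbound rule; port is None for ICMP."""
    return {"proto": proto, "port": port, "source": ipaddress.ip_network(source)}


def audit_groups(groups, gtm_in_use=False):
    """Return findings for {group name: [rule, ...]} following the chapter's table."""
    findings = []
    for name, rules in groups.items():
        for r in rules:
            proto, port, src = r["proto"], r["port"], r["source"]
            if name == "Management traffic group" and port in MGMT_PORTS and src == ANYWHERE:
                findings.append(f"{name}: {proto}/{port} open to 0.0.0.0/0; "
                                "the table allows this only temporarily")
            if name == "Virtual server traffic group" and port == 4353 and not gtm_in_use:
                findings.append(f"{name}: tcp/4353 is needed only when GTM is in use")
            if name == "Internal traffic" and not src.subnet_of(VPC_CIDR):
                findings.append(f"{name}: {proto}/{port} source {src} is wider than the VPC CIDR")
    return findings


def self_ip_lockdown_finding(vlan, allow):
    """Check a self IP port lockdown value against the note in the chapter.

    allow is "none", "default", "all", or a set of (proto, port) pairs.
    Returns None when the setting is acceptable, else a description.
    """
    if allow == "none":
        return None
    if allow in ("default", "all"):
        return f"self IP on {vlan}: port lockdown '{allow}'; use allow-none or a specific port list"
    extra = set(allow) - VE_TO_VE_PORTS
    if extra:
        return f"self IP on {vlan}: ports {sorted(extra)} go beyond what BIG-IP VE instances need between each other"
    return None


# Constructed sample groups: the management group still has its temporary
# SSH-from-anywhere rule, and the internal group's UDP 1026 source is too wide.
SAMPLE_GROUPS = {
    "Management traffic group": [
        rule("tcp", 22, "0.0.0.0/0"),
        rule("tcp", 443, "203.0.113.0/24"),   # placeholder admin network
        rule("icmp", None, "203.0.113.0/24"),
    ],
    "Virtual server traffic group": [
        rule("tcp", 80, "0.0.0.0/0"),
        rule("tcp", 443, "0.0.0.0/0"),
        rule("tcp", 4353, "0.0.0.0/0"),
        rule("icmp", None, "0.0.0.0/0"),
    ],
    "Internal traffic": [
        rule("tcp", 4353, "10.0.2.0/24"),
        rule("udp", 1026, "10.0.0.0/8"),
    ],
}

if __name__ == "__main__":
    for finding in audit_groups(SAMPLE_GROUPS):
        print("SG:", finding)
    for vlan, allow in (("external", "none"), ("internal", VE_TO_VE_PORTS), ("internal", "default")):
        print("self IP:", self_ip_lockdown_finding(vlan, allow) or f"{vlan}: OK")
```

Against the sample data the group audit reports three findings (the temporary SSH rule, the unneeded GTM port, and the over-wide internal source), and only the "default" lockdown is flagged among the self IP settings. Re-run the audit once the temporary 0.0.0.0/0 rule has been replaced with the real admin network.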

Adding routes so BIG-IP VE can access the Internet

By default, AWS will not allow traffic from the management and external subnets to leave the VPC. You must add the BIG-IP® external self IP address to the routing table for outbound traffic for the VPC.
  1. In the AWS Management Console, from the Services menu at the top of the screen, select VPC.
  2. In the Navigation pane, under Virtual Private Cloud, select Route Tables.
  3. Select the routing table with one subnet.
  4. Click the Subnet Associations tab at the bottom of the screen.
  5. Click Edit.
  6. Select the check box for the 10.0.1.0/24 subnet (the external subnet).
  7. Click Save.

Deploying a BIG-IP VE instance

To create an EC2 instance of BIG-IP® Virtual Edition (VE), you will deploy a version of it from the Amazon Web Services (AWS) Marketplace.
  1. Log in to the AWS Marketplace.
  2. In the Search AWS Marketplace bar, type F5 BIG-IP and then click GO.
  3. Click the version you want to deploy and then click Continue.
    Tip: Confirm that the region where you created your VPC (and keys, if you used AWS for them) provides the resources you need.
  4. By the appropriate region, click Launch with EC2 Console.
  5. Select an Instance Type and click Next: Configure Instance Details.
  6. In the Number of Network Instances field, type 1.
  7. From the Network list, select your VPC.
  8. From the Subnet list, select the management subnet: 10.0.0.0/24.
  9. On the lower part of the screen, expand Network interfaces and click Add Device.
  10. For eth1, select the external subnet: 10.0.1.0/24.
    Important: You must set a value for the second interface or BIG-IP VE will not install properly.
  11. Click Next: Add Storage.
  12. Click Next: Tag instance.
  13. In the Value field, type an intuitive name that identifies this instance (for example, BIG-IP VE <version>).
  14. Click Next: Configure Security Group.
  15. For Assign a Security Group, select Select an existing security group and choose Management traffic group.
  16. Click Review and Launch.
  17. Confirm that all settings are correct, and then click Launch.
    The Select an existing key pair or create a new key pair screen opens.
  18. From Select a key pair, select the key pair you created and select the acknowledgement field.
  19. Click Launch Instances.
    The Launch Status screen displays a message to let you know your instance is launching.
  20. Click View Instances.
    The new instance appears in the list of instances.

Adding an internal network interface

When you created the BIG-IP® VE instance, you associated two network interfaces with it (one for management and one for external). To connect BIG-IP VE with your internal servers, create an internal network interface, and attach it to your BIG-IP VE instance.

  1. In the AWS Management Console, from the Services menu at the top of the screen, select EC2.
  2. In the Navigation pane, under NETWORK & SECURITY, select Network Interfaces.
  3. Click the Create Network Interface button (at top left).
  4. In the Description field, type Internal 10.0.2.0-24 (or a similarly mnemonic name).
  5. From the Subnet list, select 10.0.2.0/24.
  6. From the Security groups list, select Internal traffic.
  7. Click Yes, Create.
    AWS adds the network interface to the list.
  8. Right-click the new network interface, and then select Attach.
    The Attach Network Interface popup screen opens.
  9. From the Instance ID list, select the VE instance that you created and click Attach.
Now reboot the BIG-IP VE so that it can register the new NIC.

Configuring access to the BIG-IP VE user interface

In order to access the BIG-IP® VE user interface, the management subnet must have a public IP or Elastic IP associated with it.
Note: Accessing the BIG-IP VE user interface (UI) over the Internet is not secure.
  1. In the AWS Management Console, from the Services menu at the top of the screen, select EC2.
  2. In the Navigation pane, under NETWORK & SECURITY, select Elastic IPs.
  3. Click Allocate New Address.
    The Allocate New Address popup screen opens.
  4. From the EIP used in list, select VPC.
  5. Click Yes, Allocate.
  6. In the Address column, right-click the newly created Elastic IP and select Associate Address from the popup menu screen.
  7. From the Instance list, select the BIG-IP VE instance.
  8. From the Private IP Address list, select an address in the 10.0.0.0/24 range. This is the management subnet.
  9. Click Associate.

Setting an admin password for BIG-IP VE

The first time you log in to your BIG-IP® VE instance, you should log in as admin to create a strong password. This password is now available to the Internet, so ensure it is secure.

  1. Connect to the BIG-IP instance.
    • To connect by using ssh, use your key pair (the .pem file) and the elastic IP address, for example: $ ssh -i <username>-aws-keypair.pem admin@<elastic IP address of EC2 instance>
    • To use a terminal emulator like PuTTY, your keys must have a .ppk file extension.
  2. Ensure you are at the tmsh prompt. If you logged in as admin, the bash prompt is displayed by default.
  3. Type modify auth password admin.
    The terminal screen displays: changing password for admin, and then prompts: new password.
  4. Type the new password and press Enter.
    The terminal screen displays: confirm password.
  5. Re-type the new password and press Enter.
  6. To ensure that the system retains the password change, type save sys config and press Enter.
    The terminal screen displays the message: Saving Ethernet mapping...done.
The admin password is changed.

Creating BIG-IP internal and external VLANs

Log in to the BIG-IP® user interface and use the Setup utility to license the BIG-IP® VE and provision modules.
Then create an external and internal VLAN that correspond to the VPC subnets. The external VLAN will use interface 1.1 and the internal VLAN will use 1.2.
  1. In the BIG-IP VE system, on the Setup Utility Network page, under Advanced Network Configuration, click Finished.
  2. On the Main tab, click Network > VLANs.
    The VLAN List screen opens.
  3. Click Create.
    The New VLAN screen opens.
  4. In the Name field, type external.
  5. From the Interface list, select 1.1 (the interface for the external VLAN).
  6. From the Tagging list, select Untagged.
  7. Click Add.
    You can use the same interface for other VLANs later, if you always assign the interface as a tagged interface.
  8. You can leave the remaining controls as is. The system will use default settings.
  9. Click Finished.
  10. Repeat steps 3 through 7, but type internal for the name and select 1.2 for the interface number.
  11. Click Finished.
    The screen refreshes, and displays the two new VLANs in the list.

Creating BIG-IP internal and external self IPs

Before starting these steps, in AWS, note the Primary private IP for the external network interface (device index 1 in AWS) and for the internal network interface (device index 2 in AWS).
Then in the BIG-IP® VE system, create an external and internal self IP address, based on the private IPs from AWS.
  1. On the Main tab, click Network > Self IPs.
  2. Click Create.
    The New Self IP screen opens.
  3. In the IP Address field, type the private IP address that is assigned to the ETH1 network interface.
  4. From the VLAN/Tunnel list, select external.
  5. Click Repeat.
  6. In the IP Address field, type the private IP address that is assigned to the ETH2 network interface.
  7. From the VLAN/Tunnel list, select internal.
  8. Click Finished.
One self IP address is assigned to the external VLAN and the other is assigned to the internal VLAN.

Adding an IP address for the virtual server

Before you can create a virtual server, you must assign a secondary IP address to the external network interface. This secondary IP will be associated with the BIG-IP® VE virtual server address.
  1. In the AWS Management Console, from the Services menu at the top of the screen, select EC2.
  2. In the Navigation pane, under NETWORK & SECURITY, select Network Interfaces.
  3. Identify the external network interface (the NIC that uses the 10.0.1.0 subnet).
  4. Right-click the external network interface and click Manage Private IP Addresses.
  5. Below the existing address, select Assign new IP.
  6. Click Yes, Update.
    AWS adds a new IP address to the 10.0.1.0 subnet.
  7. Click Cancel.
The IP address you just added is displayed in the Secondary private IPs column of the Network Interfaces screen.
Now log in to the BIG-IP VE management user interface and create a virtual server that uses this IP address.

Making the virtual server IP address accessible

Before you begin, note the secondary private IP address assigned to the external network interface.
Now make the virtual server IP (the secondary private address) accessible to the Internet by associating an Elastic IP with it.
  1. In the AWS Management Console, from the Services menu at the top of the screen, select EC2.
  2. In the Navigation pane, under NETWORK & SECURITY, select Elastic IPs.
  3. Click Allocate New Address.
  4. From the EIP used in list, select VPC.
  5. Click Yes, Allocate, and then click Close.
  6. From the list of elastic IP addresses, right-click the newly created address, and select Associate Address from the popup menu screen.
  7. From the Network Interface list, select the external interface.
  8. From the Private IP Address list, select the secondary IP address.
  9. Click Associate.