Applies To:

Show Versions Show Versions

Manual Chapter: Deploying Single NIC BIG-IP VE in AWS
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Checklist: Deploy BIG-IP VE in a single NIC AWS environment

This checklist summarizes the tasks required to deploy a single NIC configuration of BIG-IP® VE and to configure HTTPS web traffic to flow through BIG-IP VE. Each of these tasks is documented in detail later in this guide.

Create a virtual private cloud (VPC)
Use the AWS VPC wizard to create a VPC with a single subnet.
  • Subnet: 10.0.0.0/24
Deploy a BIG-IP VE instance
From the Amazon Marketplace, choose an F5® BIG-IP image (with hourly/annual license if you plan to use Auto Scaling) and deploy the VE instance. For the network, choose the VPC.
  • Interface: eth0, Primary Private IP: 10.0.0.200
Important: If you choose an hourly instance, you must associate an AWS Elastic IP address with the instance while it is launching so the instance can get a license from F5. (See the next task for details.) If the instance does not have internet access when it first boots, you must reboot the instance so it can connect to F5 for licensing.
Create an Elastic IP (EIP) address
Create an Elastic IP address and associate it with the BIG-IP VE instance. You will use this IP address to access the BIG-IP Configuration utility and to access your application servers (by way of the virtual server).
  • Elastic IP: 52.x.y.x
Connect to the BIG-IP VE instance and set the admin password
Before you can license and provision BIG-IP VE, use SSH and your key pair to connect to the instance and set a strong password.
  • In tmsh, type modify auth password admin
Log in and license and provision BIG-IP VE
Connect to the Configuration utility (https://<ElasticIP>) and license and provision BIG-IP VE. If you have trouble accessing the Configuration utility, check the AWS security groups to ensure that they allow the appropriate traffic.
Optional: Change the Configuration utility port
By default, management traffic (traffic for the Configuration utility) goes through port 443. Change this to 8443, so you can use 443 for application traffic. If you do not plan to use 443 for application traffic, you can skip this task, but you must use a different port when you create a virtual server.
In BIG-IP VE, create a pool and virtual server
The virtual server provides a destination for your inbound web traffic, and points to the pool of web servers.
  • Pool name: web_pool
  • Virtual IP address: 10.0.0.200, service port: 443

Create a VPC with one subnet

A BIG-IP® VE instance must be in an Amazon virtual private cloud (VPC). You can use a wizard to create a basic VPC.
  1. In the AWS Management Console, from the Services menu at the top of the screen, select VPC.
  2. Click Start VPC Wizard > VPC with a Single Public Subnet , and then click Select.
  3. For the CIDR block, use 10.0.0.0/24.
  4. In the VPC name field, type a name.
  5. Retain all other default settings and click Create VPC.
  6. Click OK to view the list of VPCs.

Deploy a BIG-IP VE instance in a single NIC environment

To create an EC2 instance of BIG-IP® VE, you deploy a version of it from the Amazon Web Services (AWS) Marketplace.
  1. Go to the AWS Marketplace.
  2. In the Search AWS Marketplace field, type F5 BIG-IP and then click GO.
  3. Click the version you want to deploy and then click Continue.
    Important: If you are going to use Auto Scaling with BIG-IP VEs, choose an hourly/annual image.
  4. By the region where you created your VPC, click Launch with EC2 Console.
  5. Choose the instance type based on the information in the Amazon EC2 instances for BIG-IP VE topic in this guide.
  6. Click Next: Configure Instance Details.
  7. From the Network list, select your VPC.
    The Subnet field is automatically populated.
  8. In the Network interfaces area, in the Primary IP field, type 10.0.0.200.
  9. Click Next: Add Storage and then Next: Tag Instance.
  10. In the Value field, type a name for the instance and click Next: Configure Security Group.
  11. For security groups, SSH traffic is allowed to port 22 by default. Add these additional rules.

    You can make these rules more secure by listing ranges of IP addresses as the source that will have access to BIG-IP VE.

  12. Click Review and Launch.
  13. Confirm the settings and click Launch.
  14. Select your key pair, accept the acknowledgment, and click Launch Instances.
  15. Click View Instances to view the new instance.
When the status in the Status Checks column has changed from Initializing to 2/2 checks passed, the instance is ready.
Important: If you chose an hourly instance, you must associate an AWS Elastic IP address with the instance while it is launching, so that the instance can register the license with F5. If the instance does not have internet access when it first boots, you must reboot the instance so it can connect to F5 for licensing.

Create an Elastic IP address

You use the BIG-IP® Configuration utility to configure the BIG-IP VE instance. To access the Configuration utility from the Internet, you use an Elastic IP (EIP) address that is associated with the BIG-IP VE instance. This same EIP will also be used to access your application servers.

Hourly instances of BIG-IP VE also use the EIP for internet access so they can get a license from F5.

Note: EIPs are accessible to the Internet. Because of this, later you will set a strong password for the BIG-IP VE admin account, which is used to log in to the Configuration utility.
  1. From the Services menu at the top of the AWS Management Console, select EC2.
  2. In the Navigation pane, under NETWORK & SECURITY, select Elastic IPs.
  3. Click Allocate New Address.
  4. From the EIP used in list, select VPC.
  5. Click Yes, Allocate and then click Close.
  6. Right-click the newly created EIP and select Associate Address from the popup menu screen.
  7. Select the BIG-IP VE instance and the management subnet's private IP address, 10.0.0.200.
  8. Click Associate.

Set an admin password for BIG-IP VE

The first time you boot the BIG-IP® VE instance, you must log in as admin and create a strong password. This password is available to the Internet through the Elastic IP (EIP), so ensure it is secure.

This example shows how to use PuTTy to connect, but you can use any SSH utility.

  1. Open PuTTy and in the Host Name (or IP address) field, enter the EIP; for example 52.9.202.37.
  2. In the Category pane on the left, click Connection>SSH>Auth.
  3. In the Private key file for authentication field, choose your .ppk file.
  4. Click Open.
  5. If a host key warning appears, click OK.
    The terminal screen displays: login as:.
  6. Type admin and press Enter.
    You are now at the tmsh command prompt.
  7. To modify the admin password, type modify auth password admin.
    The terminal screen displays: changing password for admin, and then prompts: new password.
  8. Type the new password and press Enter.
    The terminal screen displays: confirm password.
  9. Re-type the new password and press Enter.
  10. To ensure that the system retains the password change, type save sys config and press Enter.
    The terminal screen displays the message: Saving Ethernet mapping...done.
The admin password is changed.

License BIG-IP VE

If you chose a Bring Your Own License (BYOL) image of BIG-IP® VE, you will have to enter license information before you can use BIG-IP VE. If you chose an hourly/annual license, you can skip these steps.
  1. Open a web browser and log in to the BIG-IP Configuration utility by using the Elastic IP (EIP) address associated with the management network interface. For example, https://52.9.187.41.
    The username is admin and the password is the one you set previously.
  2. On the Setup Utility Welcome page, click Next.
  3. On the General Properties page, click Activate.
  4. In the Base Registration key field, enter the case-sensitive registration key from F5®. For Activation Method, if you have a production or Eval license, choose Automatic and click Next.
  5. If you chose Manual, complete these steps:
    1. In the Step 1: Dossier field, copy all of the text and then click Click here to access F5 Licensing Server.

      A separate web page opens.

    2. On the new page, click Activate License.
    3. In the Enter your dossier field, paste the text and click Next.
    4. Accept the agreement and click Next.
    5. On the Activate F5 Product page, copy the license text in the box. Now go back to the BIG-IP Configuration utility and paste the text into the Step 3: License field.
    6. Click Next.
The BIG-IP VE system registers the license and logs you out. When the configuration change is successful, click Continue to provision BIG-IP VE.

Provision BIG-IP VE

You can't begin to work in the BIG-IP® Configuration utility until you've confirmed the modules you want to provision, as well as other initial configuration information.
  1. Open a web browser and log in to the Configuration utility by using the Elastic IP address associated with the management network interface. For example, https://52.9.187.41.
  2. On the Resource Provisioning screen, change settings if necessary and click Next.
  3. On the Device Certificates screen, click Next.
  4. On the Platform screen, in the Admin Account field, re-enter the password for the admin account and click Next.

    BIG-IP VE logs you out.

  5. When you log back in, on the Setup Utility > Network screen, in the Advanced Network Configuration area, click Finished.

Change the Configuration utility port

Before completing these steps, the BIG-IP® VE must be licensed and provisioned.
The BIG-IP Configuration utility uses port 443 by default. Change the port to 8443 so you can use 443 for application traffic.
  1. Use a secure shell terminal (SSH), like PuTTy, to access the instance; use the key pair you specified when you deployed the instance.
  2. Type tmsh to ensure you are accessing the tmsh prompt.
  3. Confirm the port being used for SSL.
    list sys httpd ssl-port
    The result should be ssl-port 443.
  4. Move the port from 443 to 8443.
    modify sys httpd ssl-port 8443
  5. Confirm the move was successful.
    list sys httpd ssl-port

    The result should be ssl-port 8443.

  6. Add 8443 to the default self allow port list.
    modify net self-allow defaults add { tcp:8443 }
  7. Now that the Configuration utility is no longer using port 443, remove the reference to it.
    modify net self-allow defaults delete { tcp:443 }
  8. Confirm the changes.
    list net self-allow defaults
    tcp:pcsync-https is for 8443 and should be in the list. tcp:https is for 443 and should not be in the list.
  9. Save the changes to the system configuration.
    save sys config
  10. End the SSH session.
  11. Open a web browser and go to the BIG-IP Configuration utility by using port 8443, for example: https://<ElasticIP>:8443.

Create a pool and add members to it

Traffic from BIG-IP® VE is sent to a pool. Your application servers should be members of this pool.
  1. In the BIG-IP Configuration utility, on the Main tab, click Local Traffic > Pools .
  2. Click Create.
  3. In the Name field, type web_pool.
    Names must begin with a letter, be fewer than 63 characters, and can contain only letters, numbers, and the underscore (_) character.
  4. For Health Monitors, move https from the Available to the Active list.
  5. Choose the load balancing method or retain the default setting.
  6. In the New Members section, in the Address field, type the primary private IP address of a pool member.
  7. In the Service Port field, type a service port, for example, 443.
  8. Click Add.
    The member is displayed in the list.
  9. Add additional pool members as needed and click Finished.

Create a virtual server

A virtual server listens for packets destined for the Elastic IP (EIP) address. You must create a virtual server that points to the pool you created.
  1. In the BIG-IP® Configuration utility, on the Main tab, click Local Traffic > Virtual Servers .
  2. Click Create and populate the following fields.
    Field Value
    Name A unique name
    Destination Address/Mask 10.0.0.200
    Service Port 443
    HTTP Profile http
    SSL Profile (Client) clientssl
    SSL Profile (Server) serverssl
    Source Address Translation Auto Map
    Default Pool web_pool
    Note: These settings are for demonstration only. For details about securing a web application with SSL, see the product documentation at f5.com.
  3. Click Finished.
Traffic to the virtual server EIP address will now go to the pool members. To test in a browser, type: https://<ElasticIP>.
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)