Applies To:

Show Versions Show Versions

Manual Chapter: Deploying Single NIC BIG-IP VE in AWS
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Task List: Deploy BIG-IP VE in a single NIC AWS environment

These tasks are required to deploy a single NIC configuration of BIG-IP® VE and to configure HTTPS web traffic to flow through it. Each of these tasks is documented in detail later in this guide.

Step Task Description Details
1 Create a virtual private cloud (VPC) Use the AWS VPC wizard to create a VPC with a single subnet. Subnet:
2 Deploy a BIG-IP VE instance From the AWS Marketplace, choose an F5® BIG-IP VE image (with hourly/annual license if you plan to use Auto Scaling). When you deploy the instance, choose the VPC you created earlier. Interface: eth0

Primary Private IP:

3 Create an Elastic IP (EIP) address Create an Elastic IP address and associate it with the BIG-IP VE instance. You will use this IP address to access the BIG-IP Configuration utility and to access your application servers (by way of the virtual server). Elastic IP: 52.x.y.x
4 Connect to the BIG-IP VE instance and set the admin password Before you can license and provision BIG-IP VE, use SSH and your key pair to connect to the instance and set a strong password. In tmsh, type modify auth password admin
5 Log in and license and provision BIG-IP VE Connect to the Configuration utility (https://<ElasticIP>:8443) and license and provision BIG-IP VE. If you have trouble accessing the Configuration utility, check the AWS security groups to ensure that they allow the appropriate traffic.  
6 In BIG-IP VE, create a pool and virtual server The virtual server provides a destination for your inbound web traffic, and points to the pool of web servers. Pool name: web_pool

Virtual IP address:, service port: 443

Create a VPC with one subnet

A BIG-IP® VE instance must be in an Amazon virtual private cloud (VPC). You can use a wizard to create a basic VPC.
  1. In the AWS Management Console, from the Services menu at the top of the screen, select VPC.
  2. Click Start VPC Wizard > VPC with a Single Public Subnet , and then click Select.
  3. For the CIDR block, use
  4. In the VPC name field, type a name.
  5. Retain all other default settings and click Create VPC.
  6. Click OK to view the list of VPCs.

Deploy a BIG-IP VE instance in a single NIC environment

To create an EC2 instance of BIG-IP® VE, you deploy a version of it from the Amazon Web Services (AWS) Marketplace.
  1. Go to the AWS Marketplace.
  2. In the Search AWS Marketplace field, type F5 BIG-IP and then click GO.
  3. Click the version you want to deploy and then click Continue.
    Important: If you are going to use Auto Scaling with BIG-IP VEs, choose an hourly/annual image.
  4. By the region where you created your VPC, click Launch with EC2 Console.
  5. Choose the instance type based on the information in the Amazon EC2 instances for BIG-IP VE topic in this guide.
  6. Click Next: Configure Instance Details.
  7. From the Network list, select your VPC.
    The Subnet field is automatically populated.
  8. In the Network interfaces area, in the Primary IP field, type
  9. Click Next: Add Storage and then Next: Tag Instance.
  10. In the Value field, type a name for the instance and click Next: Configure Security Group.
  11. For security groups, SSH traffic is allowed to port 22 by default. Add these additional rules.

    You can make these rules more secure by listing ranges of IP addresses as the source that will have access to BIG-IP VE.

  12. Click Review and Launch.
  13. Confirm the settings and click Launch.
  14. Select your key pair, accept the acknowledgment, and click Launch Instances.
  15. Click View Instances to view the new instance.
When the status in the Status Checks column has changed from Initializing to 2/2 checks passed, the instance is ready.
Important: If you chose an hourly instance, you must associate an AWS Elastic IP address with the instance while it is launching, so that the instance can register the license with F5. If the instance does not have internet access when it first boots, you must reboot the instance so it can connect to F5 for licensing.

Create an Elastic IP address

You use the BIG-IP® Configuration utility to configure the BIG-IP VE instance. To access the Configuration utility from the Internet, you use an Elastic IP (EIP) address that is associated with the BIG-IP VE instance. This same EIP will also be used to access your application servers.

Hourly instances of BIG-IP VE also use the EIP for internet access so they can get a license from F5.

Note: EIPs are accessible to the Internet. Because of this, later you will set a strong password for the BIG-IP VE admin account, which is used to log in to the Configuration utility.
  1. From the Services menu at the top of the AWS Management Console, select EC2.
  2. In the Navigation pane, under NETWORK & SECURITY, select Elastic IPs.
  3. Click Allocate New Address.
  4. From the EIP used in list, select VPC.
  5. Click Yes, Allocate and then click Close.
  6. Right-click the newly created EIP and select Associate Address from the popup menu screen.
  7. Select the BIG-IP VE instance and the management subnet's private IP address,
  8. Click Associate.

Set an admin password for BIG-IP VE

The first time you boot the BIG-IP® VE instance, you must connect to BIG-IP VE and create a strong admin password. This user name and password will be used to access the BIG-IP Configuration utility. This password is available to the Internet through the Elastic IP (EIP), so ensure it is secure.

This example shows how to use PuTTy to connect, but you can use any SSH utility.

  1. Open PuTTy and in the Host Name (or IP address) field, enter the EIP; for example
  2. In the Category pane on the left, click Connection>SSH>Auth.
  3. In the Private key file for authentication field, choose your .ppk file.
  4. Click Open.
  5. If a host key warning appears, click OK.
    The terminal screen displays: login as:.
  6. Type admin and press Enter.
    You are now at the tmsh command prompt.
  7. To modify the admin password, type modify auth password admin.
    The terminal screen displays: changing password for admin, and then prompts: new password.
  8. Type the new password and press Enter.
    The terminal screen displays: confirm password.
  9. Re-type the new password and press Enter.
  10. To ensure that the system retains the password change, type save sys config and press Enter.
    The terminal screen displays the message: Saving Ethernet mapping...done.
The admin password is changed.

License BIG-IP VE

If you chose a Bring Your Own License (BYOL) image of BIG-IP® VE, you will have to enter license information before you can use BIG-IP VE. If you chose an hourly/annual license, you can skip these steps.
  1. Open a web browser and log in to the BIG-IP Configuration utility by using the Elastic IP (EIP) address associated with the management network interface. For example,
    The username is admin and the password is the one you set previously.
  2. On the Setup Utility Welcome page, click Next.
  3. On the General Properties page, click Activate.
  4. In the Base Registration key field, enter the case-sensitive registration key from F5®. For Activation Method, if you have a production or Eval license, choose Automatic and click Next.
  5. If you chose Manual, complete these steps:
    1. In the Step 1: Dossier field, copy all of the text and then click Click here to access F5 Licensing Server.

      A separate web page opens.

    2. On the new page, click Activate License.
    3. In the Enter your dossier field, paste the text and click Next.
    4. Accept the agreement and click Next.
    5. On the Activate F5 Product page, copy the license text in the box. Now go back to the BIG-IP Configuration utility and paste the text into the Step 3: License field.
    6. Click Next.
The BIG-IP VE system registers the license and logs you out. When the configuration change is successful, click Continue to provision BIG-IP VE.

Provision BIG-IP VE

You can't begin to work in the BIG-IP® Configuration utility until you've confirmed the modules you want to provision, as well as other initial configuration information.
  1. Open a web browser and log in to the Configuration utility by using the Elastic IP address associated with the management network interface. For example,
  2. On the Resource Provisioning screen, change settings if necessary and click Next.
  3. On the Device Certificates screen, click Next.
  4. On the Platform screen, in the Admin Account field, re-enter the password for the admin account and click Next.

    BIG-IP VE logs you out.

  5. When you log back in, on the Setup Utility > Network screen, in the Advanced Network Configuration area, click Finished.

Create a pool and add members to it

Traffic from BIG-IP® VE is sent to a pool. Your application servers should be members of this pool.
  1. In the BIG-IP Configuration utility, on the Main tab, click Local Traffic > Pools .
  2. Click Create.
  3. In the Name field, type web_pool.
    Names must begin with a letter, be fewer than 63 characters, and can contain only letters, numbers, and the underscore (_) character.
  4. For Health Monitors, move https from the Available to the Active list.
  5. Choose the load balancing method or retain the default setting.
  6. In the New Members section, in the Address field, type the primary private IP address of a pool member.
  7. In the Service Port field, type a service port, for example, 443.
  8. Click Add.
    The member is displayed in the list.
  9. Add additional pool members as needed and click Finished.

Create a virtual server

A virtual server listens for packets destined for the Elastic IP (EIP) address. You must create a virtual server that points to the pool you created.
  1. In the BIG-IP® Configuration utility, on the Main tab, click Local Traffic > Virtual Servers .
  2. Click Create and populate the following fields.
    Field Value
    Name A unique name
    Destination Address/Mask
    Service Port 443
    HTTP Profile http
    SSL Profile (Client) clientssl
    SSL Profile (Server) serverssl
    Source Address Translation Auto Map
    Default Pool web_pool
    Note: These settings are for demonstration only. For details about securing a web application with SSL, see the product documentation at
  3. Click Finished.
Traffic to the virtual server EIP address will now go to the pool members. To test in a browser, type: https://<ElasticIP>.
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?

NOTE: Please do not provide personal information.

Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)