To deploy the BIG-IP Virtual Edition (VE) system on Amazon® EC2®, you need to perform these tasks:
After you complete these tasks, you can log in to the BIG-IP VE system and run the Setup utility. Using the Setup utility, you can perform basic network configuration tasks, such as assigning VLANs to interfaces.
To create a virtual private cloud (VPC) from which you can deploy BIG-IP Virtual Edition (VE), you need a (private-public encryption) key pair to authenticate your sessions. Key pairs are reusable, so if you have a key pair, you do not need to repeat this task.
You need a virtual private cloud (VPC) to deploy BIG-IP Virtual Edition (VE) because Amazon Web Services (AWS) only provides multiple network interface support for instances that reside within a VPC. At the time of this release, Amazon does not support EC2 instances outside of a VPC.
When you create a VPC, AWS creates two subnets (Management and External) for it. For many network topologies, three or more subnets (Management, External, and Internal) are required.
To use your virtual private cloud (VPC) to deploy BIG-IP Virtual Edition (VE), the VPC needs two security groups. The table details the rules required that govern the security behavior for the traffic routed through each group.
|Group Name||Group Description||Rule Name||Source||Rule Type|
|allow-only-ssh-https-ping||Allow only SSH HTTPS or PING||Inbound SSH||0.0.0.0/0|
|Inbound Custom ICMP||0.0.0.0/0||Echo Request|
|Outbound Custom ICMP||0.0.0.0/0||Echo Request|
|Outbound Custom ICMP||0.0.0.0/0||Echo Reply|
|allow-all-traffic||Allow all traffic||Inbound All Traffic||0.0.0.0/0|
|Outbound All Traffic||0.0.0.0/0|
Most network topologies require an Amazon Web Services route to the VPC that makes the External subnet used by the BIG-IP Virtual Edition (VE) accessible to the Internet.
You need to have an EC2 Amazon Machine Image (AMI) to deploy BIG-IP Virtual Edition (VE).
When you first create a virtual private cloud (VPC), there are typically only two network interfaces associated with it. F5 Networks recommends adding a third network interface to the VPC before you use it to deploy BIG-IP Virtual Edition (VE).
The Management port for your BIG-IP Virtual Edition (VE) may require accessibility over the Internet. Alternative topologies exist that do not require exposing the Management port to the Internet.
F5 Networks recommends, at a minimum, adding restrictions to your source addresses in the allow-only-ssh-https-ping security group.
Alternatively, you may find the AWS EC2 VPN sufficiently effective so that you do not need to associate an Internet accessible Elastic IP with the Management port.
To maintain security, the first time you log in to your EC2 AMI, you should log in as root, and change the Admin password.
Secondary IP addresses are required for each subnet on which a Virtual Server resides. This task documents the process of adding a Secondary IP address to a network interface of a BIG-IP VE instance. This process describes the Amazon Web Services user interface at the time of this release.
You may need to make the external IP address for the virtual server Internet-accessible.