To deploy the BIG-IQ Virtual Edition (VE) system on EC2, you perform a series of tasks in Amazon Web Services (AWS) to build an Elastic Compute Cloud (EC2) environment in which the BIG-IQ virtual machine runs.
When you complete these tasks, your cloud environment will be similar to the basic cloud topology depicted here.
An Amazon Identity Access Management (IAM) user account provides access to specific AWS resources. Creating IAM user access provides you with more granular control of the AWS resources that your users can access.
To create a virtual private cloud (VPC) on which you can deploy the BIG-IQ system, you need a public/private key pair to authenticate your sessions. Key pairs are reusable, so if you already have a key pair, you do not need to repeat this task.
You need a virtual private cloud (VPC) to deploy the BIG-IQ Cloud system because Amazon Web Services (AWS) only provides multiple network interface card (NIC) support for EC2 instances that reside within a VPC.
When you create a VPC, Amazon Web Services creates two subnets for it. The first subnet is the management subnet (10.0.0.0/24) and the second subnet is external (10.0.1.0/24). Many network topologies require three or more subnets (Management, External, and Internal). You can use this task to create an internal subnet (10.0.2.0/24).
To use your virtual private cloud (VPC) to deploy your virtual machine, the VPC needs two security groups, each with its own set of rules that govern the security behavior for the traffic that routes through it. The table details the rules required for each group to function properly.
| Group Name | Group Description | Rule Name | Source | Rule Type |
|---|---|---|---|---|
| allow-only-ssh-https-ping | Allow only SSH HTTPS or PING | Inbound SSH | 0.0.0.0/0 | |
| | | Inbound Custom ICMP | 0.0.0.0/0 | Echo Request |
| | | Outbound Custom ICMP | 0.0.0.0/0 | Echo Request |
| | | Outbound Custom ICMP | 0.0.0.0/0 | Echo Reply |
| allow-all-traffic | Allow all traffic | Inbound All Traffic | 0.0.0.0/0 | |
| | | Outbound All Traffic | 0.0.0.0/0 | |
It is a good idea to test connectivity before proceeding. You should be able to communicate with your VPC NAT server at this point.
F5 Networks recommends enhancing your security by using the security group source fields to restrict the subnets to allow only management access; however, we recognize that this does not complete your security solution. For enhanced security, you may want to deploy a topology with limited management network access.
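The following is an added example, not F5's or AWS's own code: it builds the allow-only-ssh-https-ping rules in the IpPermissions shape that boto3's authorize_security_group_ingress/egress accept, and audits a rule set for entries still open to 0.0.0.0/0. Port numbers are the standard assignments (SSH 22, HTTPS 443); for ICMP, EC2 uses FromPort as the ICMP type and ToPort as the code (-1 = any). The 203.0.113.0/24 management range is a constructed placeholder.

```python
"""Build and audit the management security group rules described in the table."""

ANY_IPV4 = "0.0.0.0/0"


def _ranges(source_cidrs):
    # One IpRanges entry per allowed source; AWS rejects an empty list.
    return [{"CidrIp": c, "Description": "management source"} for c in source_cidrs]


def management_ingress(source_cidrs):
    """Inbound rules for allow-only-ssh-https-ping, restricted to source_cidrs."""
    ranges = _ranges(source_cidrs)
    return [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": ranges},    # Inbound SSH
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": ranges},  # Inbound HTTPS
        {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1, "IpRanges": ranges},    # ICMP Echo Request
    ]


def management_egress(destination_cidrs):
    """Outbound ICMP rules from the table: Echo Request (type 8) and Echo Reply (type 0)."""
    ranges = _ranges(destination_cidrs)
    return [
        {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1, "IpRanges": ranges},
        {"IpProtocol": "icmp", "FromPort": 0, "ToPort": -1, "IpRanges": ranges},
    ]


def open_to_internet(permissions):
    """Return (protocol, from_port) for every rule whose source is the whole IPv4 Internet."""
    findings = []
    for perm in permissions:
        for rng in perm.get("IpRanges", []):
            if rng.get("CidrIp") == ANY_IPV4:
                findings.append((perm["IpProtocol"], perm.get("FromPort")))
    return findings


if __name__ == "__main__":
    # The table's default (0.0.0.0/0) versus the recommended restricted source.
    weak = management_ingress([ANY_IPV4])
    hardened = management_ingress(["203.0.113.0/24"])  # constructed management CIDR
    print("open rules in default group:", open_to_internet(weak))
    print("open rules in hardened group:", open_to_internet(hardened))
```

The audit function can be pointed at the IpPermissions list returned by describe_security_groups to check an existing deployment.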
Most network topologies require an Amazon Web Services route to the virtual private cloud (VPC) that makes the external subnet used by the virtual machine accessible to the Internet.
You launch an EC2 Amazon Machine Image (AMI) so that you can deploy the virtual machine.
When you first create a virtual private cloud (VPC), there are typically only two network interfaces associated with it. F5 Networks recommends adding a third network interface to the VPC before you use it to deploy the virtual machine.
The management port for your virtual machine may require accessibility over the Internet. However, there are alternative topologies that do not require exposing the management port to the Internet.
F5 Networks recommends, at a minimum, adding restrictions to your source addresses in the allow-only-ssh-https-ping security group.
Alternatively, you may find the Amazon Web Services EC2 VPN sufficiently effective so that you do not need to associate an Internet-accessible Elastic IP with the management port.
To maintain security, the first time you log in to your EC2 AMI, log in as root and change the Admin password.