Manual Chapter: Amazon EC2 Cloud Integration

About Amazon EC2 integration

Using Amazon Web Services (AWS) is less expensive and more flexible than building and maintaining a physical computer infrastructure. BIG-IQ Cloud provides you with a seamless way to manage Amazon's elastic cloud services (Amazon EC2). To support communication between BIG-IQ Cloud and an AWS account, you use the BIG-IQ Cloud's Amazon EC2 Cloud Connector. This EC2 Cloud Connector enables you to discover BIG-IP VE virtual machines and application servers running in an AWS account.

You can use this feature to coordinate management-plane changes to a private, public, or hybrid cloud environment. For example, to accommodate seasonal traffic fluctuations, you might need to periodically add devices or application servers in the EC2 environment (referred to as cloud bursting) or retract devices or application servers.

Task summary

Network requirements for communication with Amazon EC2 cloud services

For proper communication with devices located in an Amazon EC2 cloud, BIG-IQ Cloud must have network access to those resources. Before you can manage cloud resources, you must define a network route between the BIG-IQ Cloud internal VLAN and either the public Internet or the Amazon EC2 endpoint. For specific instructions, refer to your Amazon EC2 documentation.

Creating a new virtual private cloud

You need a virtual private cloud (VPC) to deploy the BIG-IQ Cloud system because Amazon Web Services (AWS) only provides multiple network interface card (NIC) support for EC2 instances that reside within a VPC.

For the most current instructions for creating a Virtual Private Cloud, refer to the Amazon Virtual Private Cloud (VPC) Documentation web site.
Important: It is crucial to your success that you be consistent in the availability zone that you choose throughout the configuration process. Objects configured in one zone are not visible within other zones, so they cannot function together.
Important: The first choice you have when creating a VPC is to select a VPC configuration. Choose the VPC with Public and Private Subnets option.

Launching a new virtual machine

Before you can complete this task, you need to know the name of your key pair and the Availability Zone from which it was created.

You launch an EC2 Amazon Machine Image (AMI) so that you can deploy the virtual machine.

Important: At publication, this task illustrates the Amazon web interface. However, F5 recommends that you refer to Amazon user documentation for the latest documentation.
  1. Log in to your account on Amazon Web Services (AWS) marketplace.
  2. In the Search AWS Marketplace bar, type F5 BIG-IQ and then click GO. The F5 BIG-IQ Virtual Edition for AWS option is displayed.
  3. Click F5 BIG-IQ Virtual Edition for AWS and then click CONTINUE.
    Tip: You might want to take a moment here to browse the pricing details to confirm that the region in which you created your security key pair provides the resources you require. If you determine that the resources you need are provided in a region other than the one in which you created your key pair, create a new key pair in the correct region before proceeding.
    The Launch on EC2 page is displayed.
  4. Click the Launch with EC2 Console tab. Launching Options for your EC2 AMI are displayed.
  5. Select the software version appropriate for your installation, and then click the Launch with EC2 button that corresponds to the Region that provides the resources you plan to use.
    Important: The first time you perform this task, you need to accept the terms of the end user license agreement before you can proceed, so the Launch with EC2 button reads Accept Terms and Launch with EC2.
    Important: There are a number of factors that determine which region will best suit your requirements. Refer to Amazon user documentation for additional detail. Bear in mind that the region you choose must match the region in which you created your security key pair.
    The Request Instances Wizard opens.
  6. Select an Instance Type appropriate for your use.
  7. From the Launch Instances list, select EC2-VPC.
  8. From the Subnet list, select the subnet and click CONTINUE. The Advanced Instance Options view of the wizard opens.
  9. From the Number of Network Interfaces list, select 2.
  10. Click the horizontal eth1 tab to set values for the second network interface adapter, and then from the Subnet list, select the subnet and click CONTINUE. The Storage Device Configuration view of the wizard opens.
  11. In the Value field, type in an intuitive name that identifies this AMI and click CONTINUE (for example, BIG-IQ VE <version>). The Create Key Pair view of the wizard opens.
  12. From Your existing Key Pairs, select the key pair you created for this AMI and click CONTINUE. The Configure Firewall view of the wizard opens.
  13. Under Choose one or more of your existing Security Groups, select the allow-all-traffic security group, and then click CONTINUE. The Review view of the wizard opens.
  14. Confirm that all settings are correct, and then click Launch. The Launch Instance Wizard displays a message to let you know your instance is launching.
  15. Click Close.
Your new instance appears in the list of instances when it is fully launched.

Creating a new IAM user account

An Amazon Identity and Access Management (IAM) user account provides access to specific AWS resources. Creating IAM user access provides you with more granular control of the AWS resources that your users can access.

Tip: This task is optional; you can create a virtual machine without creating an IAM user account to control access, but using IAM is considered to be best practice.
Tip: When you manually deploy a virtual machine on AWS EC2, you need to create an administrator password in addition to the IAM access keys. If you use the automated process to deploy a VM, only the access keys are required.
For the most current instructions for creating a new IAM user, refer to the Amazon Virtual Private Cloud (VPC) Documentation web site.
When you complete this task, you will have created a new IAM user and downloaded the credentials (an access key ID and secret access key) that provide access to AWS resources for that new user.

Associating an EC2 cloud connector with a device and discovering application servers

If you want BIG-IQ Cloud to automatically provision additional BIG-IP VE servers and devices for your tenant when more resources are needed, you must first purchase and activate a license pool to associate with this connector.
To provide cloud tenant users with access to resources, you must configure a cloud connector. A cloud connector provides two services. First, you can use it to identify a specific set of resources, much like a virtual container, and second, it provides integration with third-party cloud services.
  1. Hover on the Connectors header and click the + icon when it appears.
  2. In the Name and Description fields, type a name and description. You can use the name and description to help you organize network resources into logical groups based on certain criteria, such as the location or application.
  3. From the Cloud Provider list, select Amazon EC2.
  4. In the Region Endpoint field, type the entry point URL. For example, is the region endpoint for the Amazon EC2 US East (Northern Virginia) Region. Refer to the AWS documentation for a list of all regional endpoints.
  5. In the Key ID and Secret Key fields, type the credentials of an EC2 user that can access your account. For security purposes, it is important to specify a user that has Amazon EC2 Full Control Access.
  6. In the Availability Zone field, type the location of the region in which the instances are located. For example, type us-west-2c for the availability zone for Oregon state.
  7. In the Virtual Private Cloud field, you may type the identification for the EC2 Virtual Private Cloud (VPC) network topology inside the Availability Zone. This step is optional. If you do not specify the identification for a VPC, BIG-IQ uses the first one it discovers in the Availability Zone.
  8. Click the arrow next to Device & Server Provisioning to display associated options.
  9. If you do not want to automatically provision additional BIG-IP VE servers and devices when more resources are needed, for the Device Elasticity setting, select Disable.
  10. For the Licensing setting, select the license pool associated with this Amazon EC2 connector. If there is no license pool associated with this Amazon EC2 connector and you enabled elasticity, Amazon will charge for additional resources on a per-instance basis. Refer to Amazon for their EC2 instance purchasing options.
  11. If you do not want to automatically provision additional application servers when more resources are needed, for the Server Elasticity setting, select Disable.
  12. Review network settings populated when you selected a connector and make any necessary corrections.
  13. Click the Save button at the top of the New Connector panel. BIG-IQ discovers application servers associated with this connector and populates them in the Server panel. If it discovers F5 devices, it populates them in the Device panel.
  14. If the system discovered devices, you must expand the device's properties panel, and provide the device's credentials to finalize the discovery process.
  15. Review network settings populated when you selected a connector and make any necessary corrections.
You can now add a cloud tenant using this connector and its associated devices.

Setting up tenant access using IAM

You may want your tenants to have access to all or part of the EC2 cloud you are provisioning so that they are able to configure resources required by their applications. You can provide full access by simply providing the account information (user name and password) that you created previously. More typically, you can provide more limited access by setting up separate user accounts for the tenant, and then configuring the access for those users as best suits your needs.

Important: If you decide to grant full tenant access to the IAM account, bear in mind that restricting this account to a single tenant becomes even more prudent.

The following step sequence provides an outline of the tasks you perform using the AWS EC2 user interface. For the most current instructions for performing each of these tasks, refer to the Amazon Web Services EC2 Management Console web site.

  1. Log in to the AWS IAM console.
  2. Create a user role to encapsulate relevant permissions for this tenant. If a user needs to create key pairs, make certain that they have sufficient permissions.
  3. Configure password policies for this tenant.
  4. Create user accounts and set passwords for this tenant.
  5. Create the user(s).
  6. Specify the IAM AWS Management URL that you will provide to your tenants so that they can log in to this IAM account and directly manage their resources.
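The following IAM policy is an added example of the kind of limited tenant permissions described in step 2; it is not part of the original chapter and is not an F5-supplied policy. It assumes the tenant works in the us-west-2 region (matching the us-west-2c availability zone used earlier in this chapter) and needs to create its own key pairs; adjust the region and the action list to your tenant's actual needs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TenantEc2AccessInChosenRegionOnly",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:CreateTags",
        "ec2:CreateKeyPair",
        "ec2:ImportKeyPair",
        "ec2:DeleteKeyPair"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:RequestedRegion": "us-west-2" }
      }
    },
    {
      "Sid": "DenyEc2OutsideChosenRegion",
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": { "aws:RequestedRegion": "us-west-2" }
      }
    }
  ]
}
```

The explicit Deny keeps the tenant's EC2 activity inside the region that holds the connector's availability zone and key pair, while leaving non-EC2 services (such as the IAM password change the tenant needs at first login) unaffected. Attach the policy to the tenant role or group from step 2 rather than to individual users.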

Viewing activity for elastic cloud resources

Before you can view dynamic cloud resource activity, you must have an EC2 cloud connector with the Device Elasticity setting enabled.
Viewing activity for dynamic cloud resources gives you insight into how tenants are expanding cloud resources to address increased traffic to applications.
  1. To view the resource and tenant association with a particular activity, click the activity and then click the Apply button located next to the filter field. The screen refreshes to display only items associated with the selected activity.
  2. To remove the filter, click the x located below the filter field.
  3. To view specific activity details, place your cursor on an activity. A popup window opens to display further details about the selected activity.