Manual Chapter : Integrating Amazon Web Services

Applies To:


BIG-IQ Cloud

  • 4.5.0

About Amazon Web Services (AWS) integration

BIG-IQ Cloud provides the tools to manage the Amazon EC2 and CloudWatch resources required for application delivery. Management tasks include discovering and creating BIG-IP VE virtual machines located in an Amazon Virtual Private Cloud (VPC), discovering and creating application pool servers, and deploying applications. You can use these features to accommodate fluctuations in application traffic by adding and retracting devices and application servers as needed. Additionally, you can give tenants access to self-deployable iApps through the Amazon EC2 integration.

To provide these services to Amazon EC2 tenants, you configure communication between the Amazon EC2 services and BIG-IQ Cloud. Then you associate an Amazon EC2 cloud connector with a device, and create a catalog entry for a corresponding Amazon EC2 service profile. The tenants to whom you give access to the catalog entry see it in their Applications panel, and from there they can self-deploy their own iApps.

Network requirements for AWS integration communication

BIG-IQ Cloud integrates with three components: the Amazon EC2 service, the Amazon CloudWatch service, and BIG-IP Virtual Edition devices deployed in a managed Amazon Virtual Private Cloud (VPC).

For BIG-IQ Cloud to communicate with devices located in AWS, you must configure an outbound self IP address on the BIG-IQ Cloud system that can reach DNS and NTP, and you must define a network route between the BIG-IQ Cloud internal VLAN and either the public Internet or the Amazon Web Services endpoint you intend to use. For specific instructions, refer to BIG-IQ System: Licensing and Initial Setup and your Amazon documentation.

Creating an Amazon Identity and Access Management (IAM) user account

An Amazon Identity and Access Management (IAM) user provides access to specific Amazon Web Services (AWS) resources. Creating IAM users gives you more granular control over the AWS resources that your users can access.

Important: This task is optional; you can create a virtual machine without creating an IAM user to control access, but it is best practice to do so. F5 recommends that you do not use the AWS root account or its access keys. Instead, use IAM to create identities that you can manage individually and revoke in the case of a security breach. Because the connector user's access key is entered into BIG-IQ Cloud and used for every EC2 call the connector makes, give that user only the permissions described below.
Tip: When you manually deploy a virtual machine on AWS EC2, you must create an administrator password in addition to the IAM access keys. If you use the automated process to deploy a virtual machine, only the access keys are required.

For this task, you create one group and two IAM users. For the most current instructions for performing these steps, refer to the IAM documentation web site, http://aws.amazon.com/documentation/iam/.

  1. From https://console.aws.amazon.com/iam, create a new group named aws-full-access and grant the group its access rights by attaching the AdministratorAccess policy.
  2. Create an AWS-Admin user, and add that user to the aws-full-access group.
  3. Create a BIG-IQ-Connector user, and grant it EC2 full access by attaching the AmazonEC2FullAccess policy (directly, or through a group to which only that policy is attached).
    Important: This user requires only EC2 Full Access privileges (not AWS full access), so do not add it to the aws-full-access group. IAM policy arn:aws:iam::aws:policy/AmazonEC2FullAccess represents the EC2 Full Access privilege set.
    Important: For this user, create an access key and download or copy the access key ID and secret access key; you use them to connect BIG-IQ Cloud to your AWS account. The secret access key is displayed only once, at creation time.
  4. From the AWS dashboard, set up an account alias and note the IAM user login link. For example, https://my-account-alias.signin.aws.amazon.com/console
  5. Log out of the AWS dashboard as the root user.
  6. Navigate back to the user login link, and sign in as the AWS-Admin user.
You can now create a new Virtual Private Cloud (VPC).
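The check a practitioner wants after this procedure is that the connector user really ends up with AmazonEC2FullAccess and nothing more, including permissions inherited through groups. The following script is an added example, not F5 or AWS code: it resolves each user's effective managed policies from a snapshot shaped like the output of `aws iam get-account-authorization-details`. The SNAPSHOT dictionary is constructed inline for the example (the group name bigiq-connectors and the user BIG-IQ-Connector-old are made up); replace it with a real export to audit your own account.

```python
"""Audit an IAM snapshot for the user layout described above.

Added example, not F5 or AWS code. SNAPSHOT mimics the subset of
`aws iam get-account-authorization-details` output that matters here
(users, groups, attached managed policies); names other than those in the
chapter are made up.
"""
from __future__ import annotations

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
EC2_POLICY = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"

SNAPSHOT = {
    "GroupDetailList": [
        {"GroupName": "aws-full-access",
         "AttachedManagedPolicies": [{"PolicyArn": ADMIN_POLICY}]},
        # Hypothetical group carrying only the EC2 policy for connector users.
        {"GroupName": "bigiq-connectors",
         "AttachedManagedPolicies": [{"PolicyArn": EC2_POLICY}]},
    ],
    "UserDetailList": [
        {"UserName": "AWS-Admin", "GroupList": ["aws-full-access"],
         "AttachedManagedPolicies": []},
        {"UserName": "BIG-IQ-Connector", "GroupList": ["bigiq-connectors"],
         "AttachedManagedPolicies": []},
        # Misconfigured: EC2 access via the group plus a direct admin grant.
        {"UserName": "BIG-IQ-Connector-old", "GroupList": ["bigiq-connectors"],
         "AttachedManagedPolicies": [{"PolicyArn": ADMIN_POLICY}]},
    ],
}


def effective_policies(snapshot: dict, user_name: str) -> set[str]:
    """Managed policy ARNs a user holds directly or through group membership."""
    group_policies = {
        g["GroupName"]: {p["PolicyArn"] for p in g.get("AttachedManagedPolicies", [])}
        for g in snapshot.get("GroupDetailList", [])
    }
    for user in snapshot.get("UserDetailList", []):
        if user["UserName"] != user_name:
            continue
        direct = {p["PolicyArn"] for p in user.get("AttachedManagedPolicies", [])}
        via_groups = set()
        for group in user.get("GroupList", []):
            via_groups |= group_policies.get(group, set())
        return direct | via_groups
    raise KeyError(f"no IAM user named {user_name!r}")


def check_connector_user(snapshot: dict, user_name: str) -> list[str]:
    """Findings for the user whose key is typed into the EC2 cloud connector.

    The chapter's rule: AmazonEC2FullAccess is required, anything beyond it
    (AdministratorAccess in particular) is not, because that key lives on
    BIG-IQ Cloud for the lifetime of the connector.
    """
    policies = effective_policies(snapshot, user_name)
    findings = []
    if EC2_POLICY not in policies:
        findings.append(f"{user_name}: missing {EC2_POLICY}; the connector cannot manage EC2")
    for extra in sorted(policies - {EC2_POLICY}):
        findings.append(f"{user_name}: holds {extra} beyond EC2 access; remove it")
    return findings


def check_admin_user(snapshot: dict, user_name: str) -> list[str]:
    """The AWS-Admin user must hold AdministratorAccess (through aws-full-access)."""
    findings = []
    if ADMIN_POLICY not in effective_policies(snapshot, user_name):
        findings.append(f"{user_name}: does not hold {ADMIN_POLICY}")
    return findings


if __name__ == "__main__":
    for name in ("AWS-Admin", "BIG-IQ-Connector", "BIG-IQ-Connector-old"):
        print(name, sorted(effective_policies(SNAPSHOT, name)))
    for line in check_connector_user(SNAPSHOT, "BIG-IQ-Connector-old"):
        print("FINDING:", line)
```

Run the script against a real export by loading the JSON into SNAPSHOT; the BIG-IQ-Connector-old entry shows why direct attachments must be checked as well as group membership.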

Creating a Virtual Private Cloud

You need an Amazon Virtual Private Cloud (VPC) to deploy the BIG-IQ Cloud system, because AWS supports multiple network interfaces only for instances that reside within a VPC.

You create a virtual network topology according to your networking needs. The standard topology used for BIG-IQ Cloud integration includes three subnets (management, external, and internal); the wizard steps in this task create the management and external subnets. These subnets provide private address spaces that interconnect your machines and applications. You can use Elastic IP addresses for public Internet accessibility.

For the most current instructions for creating a VPC, refer to the VPC Documentation web site, http://aws.amazon.com/documentation/vpc/.

  1. Navigate to https://console.aws.amazon.com/vpc and select the AWS Region in which you want to manage resources. For example, Oregon.
  2. Click Start VPC Wizard. The Select a VPC Configuration screen opens.
  3. Select the VPC Wizard's VPC with a Single Public Subnet option, and then click Select. The VPC with a Single Public Subnet screen opens.
  4. Set the IP CIDR Block to 10.0.0.0/16.
  5. Set the public subnet to 10.0.0.0/24. This is the management network.
  6. Select an availability zone. For example, us-west-2c. It is crucial that you use this availability zone throughout the configuration process. Objects configured in one zone are not visible from other zones, so they cannot function together. You must specify this availability zone again when you create the BIG-IQ Cloud connector.
  7. Click Create VPC to create the new VPC.
    Important: Now create a second public subnet, 10.0.1.0/24, in the same availability zone, and make sure it uses a route table that has Internet gateway connectivity.
  8. On the VPC Dashboard, click Subnets.
  9. Click Create Subnet. The Create Subnet screen opens.

    1. For the Name tag, type a name for this subnet.
    2. For the VPC, select the just created VPC.
    3. For the Availability Zone, select the zone you specified for the public subnet.
    4. For the CIDR block type 10.0.1.0/24.
    5. Click Yes, Create.
    AWS creates the new subnet. Now you need to make sure it is publicly accessible.
  10. Select the new subnet, select the Route Table tab on the lower half of the screen, and then click Edit.
  11. From the Change to list, select the route table that has Internet gateway connectivity, and click Save.
  12. Create a security group named allow-all-traffic, and associate it with the VPC you created. You must use this exact name.
  13. Set the Inbound Rules to allow ALL Traffic from Source 0.0.0.0/0.
  14. Set the Outbound Rules to allow ALL Traffic to Destination 0.0.0.0/0.
    Important: This group exposes every port of any instance that uses it to the whole Internet. It is required for the initial launch and discovery described in this chapter, but replace it with a restrictive group (such as the allow-only-ssh-https-ping group described later in this chapter) before the instances carry production traffic.
  15. Create a Route Table for the external data network to reach the Internet.
  16. Add a route with Destination 0.0.0.0/0 and Target igw-<xxxx>, where <xxxx> identifies the Internet gateway that the VPC wizard created automatically.

  17. Allocate two Elastic IP Addresses.
You should now create a BIG-IQ Cloud connector to associate with this VPC.
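Most failures with this layout come from one subnet landing in a different availability zone or not being attached to the route table that carries the Internet gateway route. The following script is an added example, not F5 or AWS code; it validates the layout the steps above produce. VPC, SUBNETS and ROUTE_TABLES are constructed inline to resemble the subset of `aws ec2 describe-vpcs`, `describe-subnets` and `describe-route-tables` output used here, with made-up resource IDs, and the external subnet is deliberately left on the VPC's main route table so that the check has something to report.

```python
"""Validate the VPC layout built above before creating the cloud connector.

Added example, not F5 or AWS code. The data below is constructed to resemble
describe-vpcs / describe-subnets / describe-route-tables output; IDs are
made up. subnet-ext has no explicit route table association, so it falls
back to the main table, which has no Internet gateway route.
"""
import ipaddress

VPC = {"VpcId": "vpc-0aaa", "CidrBlock": "10.0.0.0/16"}

SUBNETS = [
    {"SubnetId": "subnet-mgmt", "VpcId": "vpc-0aaa", "CidrBlock": "10.0.0.0/24",
     "AvailabilityZone": "us-west-2c"},
    {"SubnetId": "subnet-ext", "VpcId": "vpc-0aaa", "CidrBlock": "10.0.1.0/24",
     "AvailabilityZone": "us-west-2c"},
]

ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bbb"}],
     "Associations": [{"SubnetId": "subnet-mgmt"}]},
    {"RouteTableId": "rtb-main",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
     "Associations": [{"Main": True}]},
]


def route_table_for(subnet_id, route_tables):
    """Explicitly associated route table, else the VPC's main table (AWS's default)."""
    main = None
    for rtb in route_tables:
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def has_igw_default_route(rtb):
    """True if the table sends 0.0.0.0/0 to an Internet gateway (igw-...)."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and str(r.get("GatewayId", "")).startswith("igw-")
               for r in rtb.get("Routes", []))


def validate_topology(vpc, subnets, route_tables, expected_az):
    """Return a list of problems; an empty list means the layout matches the chapter."""
    findings = []
    vpc_net = ipaddress.ip_network(vpc["CidrBlock"])
    seen = []
    for s in subnets:
        sid, net = s["SubnetId"], ipaddress.ip_network(s["CidrBlock"])
        if s["VpcId"] != vpc["VpcId"]:
            findings.append(f"{sid} belongs to {s['VpcId']}, not {vpc['VpcId']}")
        if not net.subnet_of(vpc_net):
            findings.append(f"{sid} {net} is outside the VPC block {vpc_net}")
        if s["AvailabilityZone"] != expected_az:
            findings.append(f"{sid} is in {s['AvailabilityZone']}, not {expected_az}; "
                            "BIG-IQ Cloud cannot combine zones")
        for other_id, other_net in seen:
            if net.overlaps(other_net):
                findings.append(f"{sid} {net} overlaps {other_id} {other_net}")
        seen.append((sid, net))
        rtb = route_table_for(sid, route_tables)
        if rtb is None or not has_igw_default_route(rtb):
            findings.append(f"{sid} {net} has no 0.0.0.0/0 route to an internet gateway")
    return findings


if __name__ == "__main__":
    for problem in validate_topology(VPC, SUBNETS, ROUTE_TABLES, "us-west-2c"):
        print("FINDING:", problem)
```

Feed it the real JSON from the three describe calls and the availability zone you chose in step 6; anything it prints must be fixed before the connector is created, because BIG-IQ Cloud reports the resulting failures only later, during device creation.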

Launching a virtual server with an Amazon Machine Image (AMI)

Before you can complete this task, you need to know the name of your key pair and the Region in which it was created; EC2 key pairs are specific to a Region.

You launch an EC2 Amazon Machine Image (AMI) so that you can deploy the virtual machine.

Important: At publication, this task illustrates the Amazon web interface. However, F5 recommends that you refer to Amazon user documentation for the latest documentation.
  1. Log in to your account on Amazon Web Services (AWS) marketplace.
  2. In the Search AWS Marketplace bar, type F5 BIG-IQ and then click GO. The F5 BIG-IQ Virtual Edition for AWS option is displayed.
  3. Click F5 BIG-IQ Virtual Edition for AWS and then click CONTINUE.
    Tip: You might want to take a moment here to browse the pricing details to confirm that the region in which you created your security key pair provides the resources you require. If you determine that the resources you need are provided in a region other than the one in which you created your key pair, create a new key pair in the correct region before proceeding.
    The Launch on EC2 page is displayed.
  4. Click the Launch with EC2 Console tab. Launching Options for your EC2 AMI are displayed.
  5. Select the software version appropriate for your installation, and then click the Launch with EC2 button that corresponds to the Region that provides the resources you plan to use.
    Important: The first time you perform this task, you need to accept the terms of the end user license agreement before you can proceed, so the Launch with EC2 button reads Accept Terms and Launch with EC2.
    Important: There are a number of factors that determine which region will best suit your requirements. Refer to Amazon user documentation for additional detail. Bear in mind that the region you choose must match the region in which you created your security key pair.
    The Request Instances Wizard opens.
  6. Select an Instance Type appropriate for your use.
  7. From the Launch Instances list, select EC2-VPC.
  8. From the Subnet list, select the 10.0.0.0/24 subnet and click CONTINUE. The Advanced Instance Options view of the wizard opens.
  9. From the Number of Network Interfaces list, select 2.
  10. Click the horizontal eth1 tab to set values for the second network interface adapter, and then from the Subnet list, select the 10.0.1.0/24 subnet and click CONTINUE. The Storage Device Configuration view of the wizard opens.
  11. In the Value field, type in an intuitive name that identifies this AMI and click CONTINUE (for example, BIG-IQ VE <version>). The Create Key Pair view of the wizard opens.
  12. From Your existing Key Pairs, select the key pair you created for this AMI and click CONTINUE. The Configure Firewall view of the wizard opens.
  13. Under Choose one or more of your existing Security Groups, select the allow-all-traffic security group, and then click CONTINUE. The Review view of the wizard opens.
  14. Confirm that all settings are correct, and then click Launch. The Launch Instance Wizard displays a message to let you know your instance is launching.
  15. Click Close.
Your new instance appears in the list of instances when it is fully launched.

Configuring an EC2 cloud connector

Before you can create an EC2 cloud connector, you must first create an Amazon Identity and Access Management (IAM) user account and have devices in the Amazon EC2 cloud for BIG-IQ Cloud to discover. If you want BIG-IQ Cloud to automatically provision additional BIG-IP VE devices and servers for your tenants when more resources are needed, you must also purchase and activate a license pool to associate with this connector.

To enable integration between a third-party cloud provider and BIG-IQ Cloud, you must configure a cloud connector. A cloud connector is a resource that identifies the local or virtual environment in which a tenant deploys applications and, when necessary, adds parameters required by third-party cloud providers.
  1. Log in to BIG-IQ Cloud with your administrator user name and password.
  2. Hover over the Connectors header, click the + icon when it appears, and then click New Connector.
  3. In the Name and Description fields, type a name and description. You can use the name and description to help you organize network resources into logical groups based on certain criteria, such as the location or application.
  4. From the Cloud Provider list, select Amazon EC2.
  5. In the Region Endpoint field, type the entry point URL for the region that holds your VPC. For example, ec2.us-west-2.amazonaws.com is the endpoint for the US West (Oregon) Region used in the VPC example in this chapter, and ec2.us-east-1.amazonaws.com is the endpoint for the US East (Northern Virginia) Region. Refer to the AWS documentation for a list of all regional endpoints at http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region.
  6. In the Key ID and Secret Key fields, type the access key ID and secret access key of the BIG-IQ-Connector IAM user. For security purposes, use a user that has only the AmazonEC2FullAccess policy; do not use the AWS-Admin user or the root account keys here.
  7. In the Availability Zone field, type the availability zone in which the instances are located. For example, type us-west-2c for the zone used in the VPC example in this chapter. The zone must belong to the region whose endpoint you specified in step 5.
  8. In the Virtual Private Cloud field, you may type the identifier of the EC2 Virtual Private Cloud (VPC) inside the Availability Zone. This step is optional. If you do not specify a VPC identifier, BIG-IQ Cloud uses the first VPC it discovers in the Availability Zone, so specify it explicitly if the zone contains more than one VPC.
  9. Click the arrow next to Device & Server Provisioning to display associated options.
  10. To prompt BIG-IQ Cloud to automatically provision additional BIG-IP VE devices when more resources are needed for application traffic, for the Device Elasticity setting, select Enable.
  11. From the Device License list, select a rate at which you want Amazon to direct-bill for additional devices, or select a license pool from which to grant a license. You must activate a license pool before you can select it.
  12. To automatically prompt BIG-IQ Cloud to provision additional servers when more resources are needed to manage an influx in application traffic, for the Server Elasticity setting, select Enable.
  13. Review the network settings populated when you selected the connector, verifying that the proper CIDR blocks display for management, external, and internal.
  14. Click the Save button.
  15. If the system discovered devices, expand each device's properties panel and provide the device's credentials to finalize the discovery process.
You can now create a device associated with this EC2 cloud connector.
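The fields in this procedure depend on one another: the endpoint fixes the region, the availability zone must lie in that region, and the VPC is either the one you name or the first one BIG-IQ Cloud discovers in the zone. The following script is an added example, not F5 or AWS code, that applies those rules to a proposed set of connector settings before you click Save. DISCOVERED_VPCS is a constructed stand-in for the discovery result (VPC ID mapped to the zones in which it has subnets), with made-up IDs; the resolution logic mirrors the behaviour the steps above describe.

```python
"""Sanity-check EC2 cloud connector settings before clicking Save.

Added example, not F5 or AWS code. DISCOVERED_VPCS is a constructed
stand-in for what describe-vpcs / describe-subnets would reveal; IDs are
made up. The endpoint pattern covers the ec2.<region>.amazonaws.com form
the chapter uses.
"""
import re

ENDPOINT_RE = re.compile(r"^ec2\.([a-z]{2}(?:-[a-z]+)+-\d)\.amazonaws\.com$")

DISCOVERED_VPCS = {
    "vpc-0aaa": {"us-west-2c"},
    "vpc-0bbb": {"us-west-2a", "us-west-2c"},
    "vpc-0ccc": {"us-east-1a"},
}


def region_from_endpoint(endpoint):
    """'ec2.us-west-2.amazonaws.com' -> 'us-west-2'; anything else is rejected."""
    m = ENDPOINT_RE.match(endpoint.strip().lower())
    if not m:
        raise ValueError(f"not an EC2 region endpoint: {endpoint!r}")
    return m.group(1)


def resolve_vpc(zone, vpc_id, discovered):
    """Apply the documented rule: the explicit VPC if given, else the first one in the zone."""
    in_zone = [v for v, zones in discovered.items() if zone in zones]
    warnings = []
    if vpc_id:
        if vpc_id not in discovered:
            raise ValueError(f"{vpc_id} was not discovered in this account")
        if zone not in discovered[vpc_id]:
            raise ValueError(f"{vpc_id} has no subnet in {zone}")
        return vpc_id, warnings
    if not in_zone:
        raise ValueError(f"no VPC discovered in {zone}")
    if len(in_zone) > 1:
        warnings.append(f"{len(in_zone)} VPCs in {zone} ({', '.join(in_zone)}); "
                        "BIG-IQ Cloud takes the first, so set the VPC explicitly")
    return in_zone[0], warnings


def validate_connector(endpoint, zone, vpc_id, key_id, secret_key, discovered):
    """Return the resolved settings, or raise ValueError describing the inconsistency."""
    region = region_from_endpoint(endpoint)
    # A zone is the region name plus one letter, e.g. us-west-2 -> us-west-2c.
    if not re.fullmatch(re.escape(region) + r"[a-z]", zone):
        raise ValueError(f"zone {zone!r} is not in region {region} served by {endpoint}")
    if not key_id or not secret_key:
        raise ValueError("Key ID and Secret Key are both required")
    vpc, warnings = resolve_vpc(zone, vpc_id, discovered)
    return {"region": region, "zone": zone, "vpc": vpc, "warnings": warnings}


if __name__ == "__main__":
    # Placeholder credentials; never paste real keys into a script.
    print(validate_connector("ec2.us-west-2.amazonaws.com", "us-west-2c", "",
                             "AKIA-PLACEHOLDER", "secret-placeholder", DISCOVERED_VPCS))
```

The warning for a zone that contains more than one VPC is the case to watch: the connector saves without complaint, but devices may then be created in a VPC other than the one you built.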

Creating a BIG-IP VE version 11.5 or later in the Amazon EC2 cloud

After you license and perform the initial configuration of the BIG-IQ system, you can create devices in the Amazon EC2 cloud. For proper communication, you must configure a route from each instance to the BIG-IQ system; if the required route does not exist, device creation fails.

Before you perform this task, you must open specific ports on your EC2 BIG-IQ instance and on any associated EC2 BIG-IP instances. To open these ports, add the following rules to your allow-only-ssh-https-ping security group, and associate that group with the management interface of each instance.

You need three rules: two outbound rules for the BIG-IQ instance, and one inbound rule for the BIG-IP instance.

Group Name                 Group Description               Rule Name           Source (Destination for outbound)  Port
allow-only-ssh-https-ping  Allow only SSH, HTTPS, or PING  Outbound SSH        0.0.0.0/0                          22 (SSH)
                                                           Outbound HTTPS 443  0.0.0.0/0                          443 (HTTPS)
                                                           Inbound HTTPS       0.0.0.0/0                          443 (HTTPS)

The inbound rule only needs to admit the BIG-IQ system, so for production restrict its source to the BIG-IQ management address rather than 0.0.0.0/0.
To create a BIG-IP VE instance in Amazon EC2 cloud, you associate the EC2 Cloud connector you configured with that device.
  1. Log in to BIG-IQ Cloud with your administrator user name and password.
  2. Hover over the Devices header and click the + icon when it appears.
  3. Select the Create a Device option.
  4. From the Cloud Connector list, select the EC2 cloud connector you created.
  5. From the Device Image list, select the AMI you created for this device.
  6. For the Auto Update Framework setting, select the Update Automatically check box to direct the BIG-IQ system to perform any required REST framework updates on the BIG-IP device. For the BIG-IQ system to properly manage a BIG-IP device, the BIG-IP device must be running the most recent REST framework.
    Important: When you update the REST framework for BIG-IP devices running version 11.6 or earlier, the traffic management interface (TMM) restarts. Before you update the REST framework on a BIG-IP device, verify that no critical network traffic is targeted to that device. Additionally, in any system upgrade scenario, the potential exists for unexpected errors. Because there is currently no automatic recovery and rollback feature, if an upgrade fails, a BIG-IP device might not be left in its pre-discovery state. If you need to roll back the upgrade for any reason, the recommended recovery is to perform a partition restore (restoring both the pre-discovery management components and any related configuration).
  7. To prompt BIG-IQ Cloud to assign the default user admin and a randomly-selected password, select the Use "admin" check box.
  8. To assign a specific user name and password, deselect the Use "admin" check box. The screen refreshes to display additional settings.
  9. In the User Name and Password fields, type a user name and password for this device.
  10. Click the Add button.
The BIG-IQ system populates the properties of the device that you added, and displays the device in the Devices panel. Its configuration files display in the Configuration panel.

Creating a BIG-IP VE version 11.3 or 11.4 in the Amazon EC2 cloud

You can perform this task only after you have licensed and installed the BIG-IQ system and have at least one BIG-IP device running version 11.3 or 11.4.

Before you perform this task, you must open specific ports on your EC2 BIG-IQ instance and on any associated EC2 BIG-IP instances. To open these ports, add the following rules to your allow-only-ssh-https-ping security group, and associate that group with the management interface of each instance.

You need three rules: two outbound rules for the BIG-IQ instance, and one inbound rule for the BIG-IP instance.

Group Name                 Group Description               Rule Name           Source (Destination for outbound)  Port
allow-only-ssh-https-ping  Allow only SSH, HTTPS, or PING  Outbound SSH        0.0.0.0/0                          22 (SSH)
                                                           Outbound HTTPS 443  0.0.0.0/0                          443 (HTTPS)
                                                           Inbound HTTPS       0.0.0.0/0                          443 (HTTPS)

The inbound rule only needs to admit the BIG-IQ system, so for production restrict its source to the BIG-IQ management address rather than 0.0.0.0/0.
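The same three-rule table appears in both device-creation tasks, and the earlier VPC task created the wide-open allow-all-traffic group that must not survive into production. The following script is an added example, not F5 or AWS code, serving both tables: it checks that the allow-only-ssh-https-ping group admits nothing inbound beyond 22, 443 and ICMP, that the three required rules exist, and that no instance is still attached to allow-all-traffic. GROUPS and INSTANCES are constructed inline in the shape of `aws ec2 describe-security-groups` and `describe-instances` output (trimmed to the fields used) with made-up IDs; a stray 8443 rule and one instance left in the temporary group give the audit something to report.

```python
"""Audit the security groups this chapter uses, before and after setup.

Added example, not F5 or AWS code. GROUPS and INSTANCES are constructed to
resemble describe-security-groups / describe-instances output; IDs are made
up. The management group carries a stray 8443 rule and one BIG-IP instance
is still in allow-all-traffic.
"""

ANY = "0.0.0.0/0"
MGMT_GROUP = "allow-only-ssh-https-ping"
TEMP_GROUP = "allow-all-traffic"

# (protocol, from port, to port) the chapter's table permits inbound on the management group.
ALLOWED_INBOUND = {("tcp", 22, 22), ("tcp", 443, 443), ("icmp", -1, -1)}
# Rules the table says must exist for BIG-IQ <-> BIG-IP management traffic.
REQUIRED = {"inbound": {("tcp", 443, 443)},
            "outbound": {("tcp", 22, 22), ("tcp", 443, 443)}}


def perm(proto, lo=None, hi=None, cidr=ANY):
    """Build one IpPermissions entry; protocol "-1" means all traffic and has no ports."""
    entry = {"IpProtocol": proto, "IpRanges": [{"CidrIp": cidr}]}
    if lo is not None:
        entry.update(FromPort=lo, ToPort=hi)
    return entry


GROUPS = [
    {"GroupId": "sg-temp", "GroupName": TEMP_GROUP,
     "IpPermissions": [perm("-1")], "IpPermissionsEgress": [perm("-1")]},
    {"GroupId": "sg-mgmt", "GroupName": MGMT_GROUP,
     "IpPermissions": [perm("tcp", 22, 22), perm("tcp", 443, 443),
                       perm("icmp", -1, -1), perm("tcp", 8443, 8443)],
     "IpPermissionsEgress": [perm("tcp", 22, 22), perm("tcp", 443, 443)]},
]

INSTANCES = [
    {"InstanceId": "i-bigiq", "SecurityGroups": [{"GroupName": MGMT_GROUP}]},
    {"InstanceId": "i-bigip1", "SecurityGroups": [{"GroupName": TEMP_GROUP},
                                                  {"GroupName": MGMT_GROUP}]},
]


def rule_keys(perms):
    """Flatten permission entries to (protocol, from, to, cidr); -1 covers every port."""
    keys = set()
    for p in perms:
        proto = p["IpProtocol"]
        lo, hi = (0, 65535) if proto == "-1" else (p.get("FromPort", -1), p.get("ToPort", -1))
        for r in p.get("IpRanges", []):
            keys.add((proto, lo, hi, r["CidrIp"]))
    return keys


def audit_management_group(group):
    """Unexpected inbound rules first, then any required rule that is missing."""
    name = group["GroupName"]
    inbound = rule_keys(group.get("IpPermissions", []))
    outbound = rule_keys(group.get("IpPermissionsEgress", []))
    findings = []
    for proto, lo, hi, cidr in sorted(inbound):
        if (proto, lo, hi) not in ALLOWED_INBOUND:
            findings.append(f"{name}: unexpected inbound {proto} {lo}-{hi} from {cidr}")
    for direction, rules in (("inbound", inbound), ("outbound", outbound)):
        present = {(p, lo, hi) for p, lo, hi, _ in rules}
        for proto, lo, hi in sorted(REQUIRED[direction] - present):
            findings.append(f"{name}: missing {direction} {proto} {lo}-{hi} rule needed by BIG-IQ")
    return findings


def instances_in_group(instances, group_name):
    return [i["InstanceId"] for i in instances
            if any(g["GroupName"] == group_name for g in i.get("SecurityGroups", []))]


def audit(groups, instances):
    """Management group findings, then every instance still exposed through the temporary group."""
    by_name = {g["GroupName"]: g for g in groups}
    findings = audit_management_group(by_name[MGMT_GROUP])
    for inst in instances_in_group(instances, TEMP_GROUP):
        findings.append(f"{inst}: still in {TEMP_GROUP} (all protocols, all ports, from {ANY}); "
                        "detach it before production")
    return findings


if __name__ == "__main__":
    for line in audit(GROUPS, INSTANCES):
        print("FINDING:", line)
```

Run it against the live describe output after each device-creation task and again before go-live; the second pass is what catches the temporary allow-all-traffic group that the Important note at the end of this task tells you to retire.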

To create a BIG-IP VE version 11.3 or 11.4 instance in Amazon EC2 cloud, you must update the BIG-IP VE REST framework that supports the required BIG-IQ Cloud Java-based management services, and then associate the EC2 Cloud connector you configured with that device.

Warning: When you perform this task, the traffic management interface (TMM) on the BIG-IP VE restarts. Before you perform this task, verify that no critical network traffic is targeted to the BIG-IP VE device.
  1. Log in to the BIG-IQ system terminal as the root user.
  2. Optionally, establish SSH trust between the BIG-IQ system and the managed BIG-IP device:
     ssh-copy-id root@<BIG-IP Management IP Address>
     If you do not establish trust, you are prompted for the BIG-IP device's root password several times during the update.
  3. Navigate to the folder in which the files reside:
     cd /usr/lib/dco/packages/upd-adc
  4. Run the installation script.
    • For devices installed in an Amazon EC2 environment:
      ./update_bigip.sh -a admin -p <password> -i /<path_to_PEM_file> <BIG-IP Management IP Address>
    • For devices installed in any other environment:
      ./update_bigip.sh -a admin -p <password> <BIG-IP Management IP Address>
    Where <password> is the administrator password for the BIG-IP device, and <path_to_PEM_file> is the PEM file of the key pair with which the EC2 instance was launched.
    Important: The password is passed on the command line, so it is visible in the process list and may be recorded in the shell history of the BIG-IQ system.
  5. If you established trust in step 2, revoke it by removing the BIG-IQ system's public key from the BIG-IP device's authorized_keys file:
     ssh root@<BIG-IP Management IP Address> "grep -v '<username>@<computername>' /root/.ssh/authorized_keys > /tmp/authorized_keys.tmp; mv -f /tmp/authorized_keys.tmp /root/.ssh/authorized_keys"
     Where <username>@<computername> is the comment field (the last field) of the public key that ssh-copy-id installed. This step is not required if you did not establish trust in step 2.
  6. Log in to BIG-IQ Cloud with your administrator user name and password.
  7. In the Device panel, click the gear icon next to the legacy device with a yellow triangle next to it and displaying the message, Discovery is incomplete.
  8. In the User Name and Password fields, type the administrator user name and password for the managed device.
  9. For the Auto Update Framework setting, select the Update Automatically check box to direct the BIG-IQ system to perform any required REST framework updates on the BIG-IP device. For the BIG-IQ system to properly manage a BIG-IP device, the BIG-IP device must be running the most recent REST framework.
    Important: When you update the REST framework for BIG-IP devices running version 11.6 or earlier, the traffic management interface (TMM) restarts. Before you update the REST framework on a BIG-IP device, verify that no critical network traffic is targeted to that device. Additionally, in any system upgrade scenario, the potential exists for unexpected errors. Because there is currently no automatic recovery and rollback feature, if an upgrade fails, a BIG-IP device might not be left in its pre-discovery state. If you need to roll back the upgrade for any reason, the recommended recovery is to perform a partition restore (restoring both the pre-discovery management components and any related configuration).
  10. Click the Save button.
Important: Before you begin using this BIG-IQ system in a production capacity, depending on your security policies, you will likely want to remove the security group rules that you added as a prerequisite to this task.
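Step 5 of the task above revokes the temporary SSH trust with `grep -v '<username>@<computername>'`, which matches on the key's comment field: it removes every line containing that substring (including unrelated keys that happen to share the comment) and leaves a key that was installed with a different comment in place. The following script is an added example, not F5 or BIG-IQ code, that does the same revocation by comparing the key material (type and base64 blob, ignoring options and comment) and rewrites the file atomically with its mode preserved. The entries in SAMPLE_AUTHORIZED_KEYS are constructed placeholders, not real public keys.

```python
"""Revoke temporary SSH trust by key material rather than by comment.

Added example, not F5 or BIG-IQ code. The key lines below are constructed
placeholders. The sample includes the BIG-IQ key twice (once with options
and a different comment) and a decoy key that shares the comment, to show
where comment-based filtering goes wrong.
"""
import os
import tempfile

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

BIGIQ_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBigIqPlaceholderBlob000000000000000000 root@bigiq"

SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample file",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOperatorPlaceholderBlob0000000000000000 ops@bastion",
    BIGIQ_KEY,
    # Same key installed a second time, with options and a different comment.
    'from="10.0.0.5" ' + BIGIQ_KEY.rsplit(" ", 1)[0] + " root@bigiq-copy",
    # Different key whose comment `grep -v 'root@bigiq'` would wrongly remove.
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDecoyPlaceholderBlob000000000000000 root@bigiq",
]


def key_identity(line):
    """(type, blob) for an authorized_keys entry; None for blank or comment lines.

    Options may precede the key type, so the first token that looks like a key
    type is taken as the start of the key. Quoted option values containing
    spaces are tolerated as long as none of their tokens start with a key type.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = stripped.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_TYPE_PREFIXES):
            return tok, tokens[i + 1]
    return None


def remove_key(lines, pubkey_line):
    """Return (remaining lines, number removed) for entries matching pubkey_line's material."""
    target = key_identity(pubkey_line)
    if target is None:
        raise ValueError("pubkey_line does not contain a public key")
    kept = [ln for ln in lines if key_identity(ln) != target]
    return kept, len(lines) - len(kept)


def revoke_in_file(path, pubkey_line):
    """Rewrite authorized_keys without the key: write a temp file, then atomic replace."""
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    kept, removed = remove_key(lines, pubkey_line)
    if removed:
        mode = os.stat(path).st_mode & 0o7777
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".authorized_keys.")
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write("".join(ln + "\n" for ln in kept))
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    return removed


def demo_on_temp_file():
    """Write the sample, revoke the BIG-IQ key, return (removed count, remaining lines)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "authorized_keys")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("\n".join(SAMPLE_AUTHORIZED_KEYS) + "\n")
        os.chmod(path, 0o600)
        removed = revoke_in_file(path, BIGIQ_KEY)
        with open(path, encoding="utf-8") as fh:
            return removed, fh.read().splitlines()


if __name__ == "__main__":
    count, remaining = demo_on_temp_file()
    print(f"removed {count} entries; remaining:")
    for ln in remaining:
        print("  ", ln)
```

On a BIG-IP device you would run revoke_in_file against /root/.ssh/authorized_keys with the contents of the BIG-IQ system's public key file; the decoy entry stays, and both copies of the BIG-IQ key go.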

Creating a customized application template

Before you can customize an application template for a tenant, you must discover at least one F5 device that contains iApps templates.
As a cloud provider, you modify iApps templates to customize network settings, levels of services, and so forth, for tenants. You can create variations of the same application, offering different types of access (LAN or WAN), or providing a specific limit of connections.
Note: Once you customize and save an application as a catalog entry, you cannot modify it.
  1. Hover over the Catalog header, click the + icon when it appears. The panel expands to display the application template properties.
  2. In the Name field, type a name for this new application.
  3. Unless you want to restrict this application template to a specific cloud connector, leave the Cloud Connector setting as Tenant Selectable so tenants are allowed to select the appropriate cloud connector when they deploy this application.
  4. From the Application Type list, select an application.
  5. If the Application Tiers settings are displayed (expanded), select the options that match the properties for this application; otherwise, keep the default settings.
    Important: If you must specify the options for these settings, select the Tenant Editable check box for the virtual server and pool members.
  6. To allow cloud tenants to specify certificates with SSL encryption when self-deploying applications, select options from the SSL Cert and SSL Key lists. BIG-IQ Cloud uses these options to provide the appropriate certificate and key when the tenant self-deploys this application to a BIG-IP device. These options are not available for all application templates.
  7. Finish making modifications by specifying the Application Properties and Customize Application Template variables. To allow a tenant to modify a particular setting, select the Tenant Editable check box for that setting. For further details about template variables and settings, refer to the BIG-IP iApps Developer's Guide.
  8. If you selected f5.http, f5.microsoft_sharepoint_2010, or f5.microsoft_iis and you want to specify a load balancing method other than the default, Least Connections (member), perform the following steps:
    1. Click the arrow next to Advanced Properties.
    2. In the Which load balancing method do you want to use? field, type the value for the option you want to use.
  9. Click the Save button. You can now send the cloud IP addresses to the tenant and use this IP address range in configuring server tiers and pool members, within certain application services. The tenant can self-deploy the application from the catalog.
The customized application displays as an entry in the catalog.

Deploying applications

Before you can deploy and use an application, your cloud service provider must add you as a user and a tenant, and associate you with at least one cloud connector.

When a cloud administrator adds you as a cloud tenant user, they contact you with the details about the resources to which you have access. These resources are provided to you in the form of an application template. As a cloud tenant user, you can customize these application templates and deploy them.

  1. Log in to the BIG-IQ Cloud with your tenant user name and password.
  2. Hover over the Applications header, and click the + icon when it appears.
  3. In the Name field, type a name for this new application.
  4. From the Application Type list, select an application.
  5. From the Cloud Connector list, select the cloud connector associated with the location where you want to deploy your application. A cloud connector is a resource that identifies the local or virtual environment in which a tenant deploys applications and, when necessary, adds parameters required by third-party cloud providers.
  6. For the Provision Virtual Server IP setting, select Enable and specify the FQDNs for the virtual servers, to prompt BIG-IQ Cloud to automatically provision additional resources when traffic to your application increases.
  7. To define a new SSL certificate and private key for this application, for the SSL Certificate Options, paste the PEM (CRT or CER) text representation of the certificate and private key. The SSL certificate and private key must be unbundled Base64-encoded ASCII text with PEM header and footer. This option is not available for all applications.
  8. Alternatively, select the Use Existing option to use an SSL certificate and private key already stored on the device.
  9. You can further customize this application by specifying an IP address for the virtual server and adding pool hosts. If your cloud service provider assigned IP addresses for the Servers, Pool Hosts, and Pool Members for this application, those addresses display. If these addresses were specified as not editable, you cannot change them.
  10. When you are finished, click the Deploy button located at the top of the New Application panel.
You can now use this new application, and any application server associated with this new application displays in the Server panel.

Setting up tenant access using IAM

You might want your tenants to have access to all or part of the EC2 cloud you are provisioning so that they can configure the resources their applications require. You could provide full access simply by sharing the credentials (user name and password) of the AWS-Admin user you created previously, but that gives the tenant control of every resource in the account. More typically, you provide limited access by creating separate IAM users for the tenant, and then configuring the access for those users as best suits your needs.

Important: If you do decide to grant a tenant full access through a shared IAM account, restrict that account to a single tenant; credentials shared between tenants cannot be revoked for one tenant without affecting the others.

The following step sequence outlines the tasks you perform using the AWS console. For the most current instructions for each of these tasks, refer to the IAM documentation and the Amazon Web Services EC2 Management Console web site, https://console.aws.amazon.com/ec2/v2/home.

  1. Log in to the AWS IAM console.
  2. Create a role or group that encapsulates the permissions this tenant needs. If a tenant user needs to create key pairs, make certain that the permissions include that action.
  3. Configure the password policy for this tenant's users.
  4. Create the user accounts for this tenant, set their passwords, and attach the group or role from step 2.
  5. Note the IAM sign-in URL (the account alias link you created earlier) to provide to your tenants so that they can log in and manage their resources directly.

Viewing activity for cloud resources

Before you can view dynamic cloud resource activity, you must have an EC2 cloud connector with the Device Elasticity setting enabled.
Viewing activity for dynamic cloud resources gives you insight into how cloud resources are expanding to address increased traffic to applications.
  1. To view the resource associated with a particular activity, click the activity located on the Activities panel. The associated objects are highlighted in the relevant panels.
  2. To view specific activity details, place your cursor on an activity. A popup window opens to display further details about the selected activity.