Manual Chapter : Integrating Amazon Web Services

Applies To:


BIG-IQ Device

  • 4.4.0

About Amazon Web Services (AWS) integration

BIG-IQ Cloud provides you with the tools to manage Amazon EC2 and CloudWatch resources required to perform application delivery. Management tasks include discovering and creating BIG-IP VE virtual machines located in Amazon Virtual Private Cloud (VPC), application pool servers, and deploying applications. You can use these features to accommodate application traffic fluctuations by periodically adding and retracting devices and application servers, as needed. Additionally, you can provide tenants access to self-deployable iApps through Amazon EC2 integration.

To provide access to these services for Amazon EC2 tenants, you configure communication between Amazon EC2 products and BIG-IQ Cloud. Then, you associate an Amazon EC2 cloud connector with a device, and create a catalog entry for a corresponding Amazon EC2 service profile. The tenants to whom you give access to the catalog entry see it in their applications panel. From there, they can use it to self-deploy their own iApps.

Network requirements for AWS integration communication

BIG-IQ Cloud integrates with three different Amazon Web Services: Amazon EC2, Amazon CloudWatch, and BIG-IP Virtual Edition deployed in managed Amazon Virtual Private Cloud (VPC).

For proper communication with devices located in an Amazon web service, you must configure an outbound self IP address on BIG-IQ Cloud for DNS and NTP, and you must define a network route between the BIG-IQ Cloud internal VLAN and the public Internet or the Amazon web services endpoint. For specific instructions, refer to BIG-IQ System: Licensing and Initial Setup and your Amazon documentation.

Creating a Virtual Private Cloud

You need an Amazon Virtual Private Cloud (VPC) to deploy the BIG-IQ Cloud system, because AWS supports multiple network interface cards (NICs) only for instances that reside within a VPC.

You create a virtual network topology according to your networking needs. The standard network topology used for BIG-IQ Cloud integration includes three subnets. These subnets provide virtual private address spaces used to interconnect your machines and applications. You can use elastic self IP addresses for public internet accessibility.

For the most current instructions for creating a VPC, refer to the VPC Documentation web site, http://aws.amazon.com/documentation/vpc/.

  1. Navigate to https://console.aws.amazon.com/vpc and select the AWS Region in which you want to manage resources. For example, Oregon.
  2. From the VPC Wizard's VPC with Public and Private Subnets option, set the IP CIDR Block to 10.0.0.0/16.
  3. Set the public subnet to 10.0.0.0/24. This is the management network.
  4. Select an availability zone. For example, us-west-2c. It is crucial that you use this availability zone throughout the configuration process. Objects configured in one zone are not visible within other zones, so they cannot function together. This availability zone is required when you create a BIG-IQ Cloud connection.
  5. Set the private subnet to 10.0.1.0/24. This is the external data network.
  6. Create subnet 10.0.2.0/24. This is the internal network.
  7. Create a security group named allow-all-traffic, and associate it with the VPC you created. You must use this exact name.
  8. Set the Inbound Rules ALL Traffic Source to 0.0.0.0/0.
  9. Set the Outbound Rules ALL Traffic Destination to 0.0.0.0/0.
  10. Create a Route Table for the external data network to reach the Internet.
  11. Add a route to Destination 0.0.0.0/0 through Target igw-<xxxx>.

    <xxxx> is the Internet Gateway that the VPC Wizard created automatically.

  12. Allocate two Elastic IP Addresses.
You should now create a BIG-IQ Cloud connector to associate with this VPC.

Launching a virtual server with an Amazon Machine Image (AMI)

Before you can complete this task, you need to know the name of your key pair and the Availability Zone from which it was created.

You launch an EC2 Amazon Machine Image (AMI) so that you can deploy the virtual machine.

Important: At publication, this task illustrates the Amazon web interface. However, F5 recommends that you refer to Amazon user documentation for the most current procedure.
  1. Log in to your account on Amazon Web Services (AWS) marketplace.
  2. In the Search AWS Marketplace bar, type F5 BIG-IQ and then click GO. The F5 BIG-IQ Virtual Edition for AWS option is displayed.
  3. Click F5 BIG-IQ Virtual Edition for AWS and then click CONTINUE.
    Tip: You might want to take a moment here to browse the pricing details to confirm that the region in which you created your security key pair provides the resources you require. If you determine that the resources you need are provided in a region other than the one in which you created your key pair, create a new key pair in the correct region before proceeding.
    The Launch on EC2 page is displayed.
  4. Click the Launch with EC2 Console tab. Launching Options for your EC2 AMI are displayed.
  5. Select the software version appropriate for your installation, and then click the Launch with EC2 button that corresponds to the Region that provides the resources you plan to use.
    Important: The first time you perform this task, you need to accept the terms of the end user license agreement before you can proceed, so the Launch with EC2 button reads Accept Terms and Launch with EC2.
    Important: There are a number of factors that determine which region will best suit your requirements. Refer to Amazon user documentation for additional detail. Bear in mind that the region you choose must match the region in which you created your security key pair.
    The Request Instances Wizard opens.
  6. Select an Instance Type appropriate for your use.
  7. From the Launch Instances list, select EC2-VPC.
  8. From the Subnet list, select the 10.0.0.0/24 subnet and click CONTINUE. The Advanced Instance Options view of the wizard opens.
  9. From the Number of Network Interfaces list, select 2.
  10. Click the horizontal eth1 tab to set values for the second network interface adapter, and then from the Subnet list, select the 10.0.1.0/24 subnet and click CONTINUE. The Storage Device Configuration view of the wizard opens.
  11. In the Value field, type in an intuitive name that identifies this AMI and click CONTINUE (for example, BIG-IQ VE <version>). The Create Key Pair view of the wizard opens.
  12. From Your existing Key Pairs, select the key pair you created for this AMI and click CONTINUE. The Configure Firewall view of the wizard opens.
  13. Under Choose one or more of your existing Security Groups, select the allow-all-traffic security group, and then click CONTINUE. The Review view of the wizard opens.
  14. Confirm that all settings are correct, and then click Launch. The Launch Instance Wizard displays a message to let you know your instance is launching.
  15. Click Close.
Your new instance appears in the list of instances when it is fully launched.

Creating an Amazon Identity and Access Management (IAM) user account

An Amazon Identity and Access Management (IAM) user account provides access to specific Amazon Web Services (AWS) resources. Creating an IAM account provides you with more granular control of the AWS resources your users access.

Important: This task is optional; you can create a virtual machine without creating an IAM user account to control access, but it is best practice to use an IAM account. F5 recommends that you do not use the AWS root account and access keys. Instead, use IAM to create identities you can more easily manage and revoke in the case of a security breach.
Tip: When you manually deploy a virtual machine on AWS EC2, you must create an administrator password in addition to the IAM access keys. If you use the automated process to deploy a virtual server, only the access keys are required.

For this task, you must create a group and two IAM user accounts. For the most current instructions for performing these steps, refer to the IAM documentation web site, http://aws.amazon.com/documentation/iam/.

  1. From https://console.aws.amazon.com/iam, create a group named aws-full-access that grants Administrator Access.
  2. Create an AWS-Admin user and add that user to the aws-full-access group.
  3. Create a BIG-IQ Connector user and add that user to the aws-full-access group. For this user, you must download or copy an access key that you use to connect BIG-IQ Cloud to your AWS account.
  4. From the AWS dashboard, set up an account alias. Note the IAM user login link. For example, https://my-account-alias.signin.aws.amazon.com/console
  5. Log out of the AWS dashboard as the root user.
  6. Navigate back to the user login link and sign in as the AWS-Admin user.
You can now create a new Virtual Private Cloud (VPC).

Creating a BIG-IP VE version 11.5 or later in the Amazon EC2 cloud

After you license and perform the initial configuration for the BIG-IQ system, you can create devices in the Amazon EC2 cloud. For proper communication, you must configure a route between each instance and the BIG-IQ system. If you do not specify the required network communication route between the devices, then creation fails.

Before you perform this task, you must first open specific ports on your EC2 AMI BIG-IQ instance and on any associated EC2 BIG-IP instances. To open these ports, you need additional security group rules in your allow-only-ssh-https-ping security group, and you need to associate these rules with the management interface.

You need to create three rules: two outbound rules for the BIG-IQ instance, and one inbound rule for the BIG-IP instance.

Group Name                 Group Description                Rule Name            Source      Port
allow-only-ssh-https-ping  Allow only SSH, HTTPS, or PING   Outbound SSH         0.0.0.0/0   22 (SSH)
                                                            Outbound HTTPS 443   0.0.0.0/0   443 (HTTPS)
                                                            Inbound HTTPS        0.0.0.0/0   443 (HTTPS)
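As an added example (not part of this F5 chapter or the BIG-IQ product), the following Python checks the VPC plan from the Creating a Virtual Private Cloud task (three /24 subnets inside 10.0.0.0/16, non-overlapping, all in one availability zone) and audits the two security groups the chapter describes, flagging the world-open inbound rule of allow-all-traffic while passing allow-only-ssh-https-ping. The subnet map, zone map and rule tuples are constructed from the chapter's steps and table.

```python
import ipaddress

# Constructed from the chapter's topology: one VPC, three /24 subnets, one availability zone.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {"management": "10.0.0.0/24", "external": "10.0.1.0/24", "internal": "10.0.2.0/24"}
ZONES = {name: "us-west-2c" for name in SUBNETS}

# Security-group rules as (direction, protocol, from_port, to_port, source/destination CIDR).
# Protocol "-1" is the console's "ALL Traffic"; both groups from the chapter are encoded below.
ALLOW_ALL_TRAFFIC = [
    ("inbound", "-1", 0, 65535, "0.0.0.0/0"),
    ("outbound", "-1", 0, 65535, "0.0.0.0/0"),
]
ALLOW_ONLY_SSH_HTTPS_PING = [
    ("outbound", "tcp", 22, 22, "0.0.0.0/0"),
    ("outbound", "tcp", 443, 443, "0.0.0.0/0"),
    ("inbound", "tcp", 443, 443, "0.0.0.0/0"),
]


def validate_subnets(vpc_cidr, subnets, zones):
    """Return the problems found: a subnet outside the VPC, overlapping subnets, or more than one AZ."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems = [f"{name} {net} lies outside VPC {vpc}" for name, net in nets.items() if not net.subnet_of(vpc)]
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    # Objects in different zones cannot see each other, so every subnet must share one AZ.
    if len(set(zones.values())) > 1:
        problems.append(f"subnets span several availability zones: {sorted(set(zones.values()))}")
    return problems


def audit_inbound(rules, allowed_tcp_ports=(22, 443)):
    """Flag inbound rules open to 0.0.0.0/0 on anything other than SSH/HTTPS over TCP or ICMP (ping)."""
    world = ipaddress.ip_network("0.0.0.0/0")
    findings = []
    for direction, proto, lo, hi, cidr in rules:
        if direction != "inbound" or ipaddress.ip_network(cidr) != world:
            continue
        if proto == "icmp":
            continue  # ping is part of the group's stated intent
        if proto != "tcp" or any(p not in allowed_tcp_ports for p in range(lo, hi + 1)):
            findings.append(f"inbound {proto} {lo}-{hi} from {cidr} is wider than tcp {allowed_tcp_ports}")
    return findings
```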
To create a BIG-IP VE instance in Amazon EC2 cloud, you associate the EC2 Cloud connector you configured with that device.
  1. Log in to BIG-IQ Cloud with your administrator user name and password.
  2. Hover over the Devices header, and click the + icon when it appears.
  3. Select the Create a Device option.
  4. From the Cloud Connector list, select the EC2 cloud connector you created.
  5. From the Device Image list, select the AMI you created for this device.
  6. Select the Auto Update Framework check box to direct the BIG-IQ system to perform any required REST framework updates on the BIG-IP device. For the BIG-IQ system to properly manage a BIG-IP device, the BIG-IP device must be running the most recent REST framework. If you do not select the Auto Update Framework check box before you click the Add button, a message displays prompting you to update the framework or cancel the task.
  7. To prompt BIG-IQ Cloud to assign the default user admin and a randomly-selected password, select the Use "admin" check box.
  8. To assign a specific user name and password, deselect the Use "admin" check box. The screen refreshes to display additional settings.
  9. In the User Name and Password fields, type a user name and password for this device's user.
  10. Click the Add button.
BIG-IQ System populates the properties of the device that you added, and displays the device in the Devices panel.

Configuring an EC2 cloud connector

Before you can create an EC2 cloud connector, you must first discover devices in the Amazon EC2 cloud and create an Amazon Identity and Access Management (IAM) user account. If you want BIG-IQ Cloud to automatically provision additional BIG-IP VE servers and devices for your tenant when more resources are needed, you must also purchase and activate a license pool to associate with this connector.

To enable integration between a third-party cloud provider and the BIG-IQ device, you must configure a cloud connector. A cloud connector is a resource that identifies the local or virtual environment in which a tenant deploys applications and, when necessary, adds parameters required by third-party cloud providers.
  1. Log in to BIG-IQ Cloud with your administrator user name and password.
  2. Hover over the Connectors header and click the + icon when it appears.
  3. In the Name and Description fields, type a name and description. You can use the name and description to help you organize network resources into logical groups based on certain criteria, such as the location or application.
  4. From the Cloud Provider list, select Amazon EC2.
  5. In the Region Endpoint field, type the entry point URL. For example, ec2.us-east-1.amazonaws.com is the region endpoint for the Amazon EC2 US East (Northern Virginia) Region. Refer to the AWS documentation for a list of all regional endpoints at http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region
  6. In the Key ID and Secret Key fields, type the credentials of the BIG-IQ-Connector IAM user. For security purposes, it is important to specify a user that has Amazon EC2 Full Control Access.
  7. In the Availability Zone field, type the location of the region in which the instances are located. For example, type us-west-2c for the availability zone for Oregon state.
  8. In the Virtual Private Cloud field, you may type the identification for the EC2 Virtual Private Cloud (VPC) network topology inside the Availability Zone. This step is optional. If you do not specify the identification for a VPC, BIG-IQ Cloud uses the first one it discovers in the Availability Zone.
  9. Click the arrow next to Device & Server Provisioning to display associated options. The screen refreshes to display the options.
  10. To prompt BIG-IQ Cloud to automatically provision additional BIG-IP VE devices when more resources are needed for application traffic, for the Device Elasticity setting, select Enable.
  11. From the Device License list, select a rate at which you want Amazon to direct-bill for additional devices, or select a license pool from which to grant a license. You must activate a license pool before you can select it.
  12. To automatically prompt BIG-IQ Cloud to provision additional servers when more resources are needed to manage an influx in application traffic, for the Server Elasticity setting, select Enable.
  13. Review the network settings populated when you selected a connector, verifying that the proper CIDR blocks display for management, external, and internal.
  14. Click the Save button.
  15. If the system discovered devices, you must expand the device's properties panel, and provide the device's credentials to finalize the discovery process.
You can now create a device associated with this EC2 cloud connector.

Setting up tenant access using IAM

You might want your tenants to have access to all or part of the EC2 cloud you are provisioning so that they are able to configure resources required by their applications. You can provide full access by simply providing the account information (user name and password) that you created previously. More typically, you can provide more limited access by setting up separate user accounts for the tenant, and then configuring the access for those users as best suits your needs.

Important: If you decide to grant full tenant access to the IAM account, bear in mind that restricting this account to a single tenant becomes even more prudent.

The following sequence of steps outlines the tasks you perform using the AWS EC2 user interface. For the most current instructions for performing each of these tasks, refer to the Amazon Web Services EC2 Management Console web site https://console.aws.amazon.com/ec2/v2/home.

  1. Log in to the AWS IAM console.
  2. Create a user role to encapsulate relevant permissions for this tenant. If a user needs to create key pairs, make certain that they have sufficient permissions.
  3. Configure password policies for this tenant.
  4. Create user accounts and set passwords for this tenant.
  5. Create the user(s).
  6. Specify the IAM AWS Management URL that you will provide to your tenants so that they can log in to this IAM account and directly manage their resources.

Viewing activity for cloud resources

Before you can view dynamic cloud resource activity, you must have an EC2 cloud connector with the Device Elasticity setting enabled.
Viewing activity for dynamic cloud resources gives you insight into how cloud resources are expanding to address increased traffic to applications.
  1. To view the resource associated with a particular activity, click the activity located on the Activities panel. The associated objects are highlighted in the relevant panels.
  2. To view specific activity details, place your cursor on an activity. A popup window opens to display further details about the selected activity.