Manual Chapter : Adding and Configuring BIG-IP VE Devices in an Azure Cloud

Applies To:

BIG-IQ Centralized Management

  • 7.0.0

How do I create and configure BIG-IP VE devices in an Azure environment?

BIG-IQ Centralized Management makes it easy for you to create, configure, and manage BIG-IP VE devices in an Azure environment.
To start managing a BIG-IP VE device in a cloud environment, you'll need to complete the following workflows.
  • Specify your cloud provider details
    Specify the cloud provider's credentials so you can access the cloud environment from BIG-IQ.
  • Configure your Azure cloud environment on BIG-IQ
    Configure your cloud environment on BIG-IQ by specifying the cloud-specific properties for that environment. This consists of completing four tasks: 1) Register the F5 enterprise application on your Azure portal. 2) Create an Azure virtual network (VNet). 3) Specify the credentials BIG-IQ uses to authenticate on the Azure portal. 4) Set up Azure Marketplace images for automated deployment.
  • Create a BIG-IP VE device
    Create a BIG-IP VE device from BIG-IQ in the cloud environment you configured.
  • Onboard your BIG-IP VE device and BIG-IP VE device cluster
    Provide the configuration details for the BIG-IP VE device or BIG-IP VE device cluster, and provision the services you want BIG-IQ to import through the onboarding process. BIG-IQ applies the configuration to the BIG-IP VE devices through a declarative onboarding API call. For more information about the declarative onboarding API specific to BIG-IP VE devices, see https://github.com/F5Networks/f5-declarative-onboarding
    After you save the configuration for the BIG-IP VE devices you created, BIG-IQ sends an API call to apply that configuration to the targeted BIG-IP VE devices. After BIG-IQ successfully applies the configuration, it then discovers and imports the services the device is licensed for. This means you don't have to discover and import services in a separate step. When the onboarding process is complete, you can start managing the BIG-IP VE devices from the Devices > BIG-IP DEVICES screen.

Setting up Azure to host BIG-IP VE devices

There are four main tasks to set up Azure to host BIG-IP VE devices deployed from BIG-IQ.
  1. Register the F5 enterprise application on your Azure portal.
  2. Create an Azure virtual network (VNet) in the region in which you want to deploy BIG-IP VE devices.
  3. Specify the credentials BIG-IQ uses to authenticate on the Azure portal. You need the following Azure credentials:
    • Enterprise Application ID
    • Azure Active Directory ID
    • Service Principal Secret
  4. Set up Azure Marketplace images for automated deployment.
You need these Azure essentials whether you house the BIG-IQ system and data collection devices (DCDs) in the Azure cloud, in a private cloud, or in an on-premises environment.
  • If you use the Azure cloud for all of your resources, you install the BIG-IQ devices and DCDs that manage the BIG-IP VE devices in the Azure VNet. When you use Azure for your BIG-IQ and DCDs, you most likely have already created an Azure VNet and installed the BIG-IQ VE. If this is the case, be sure to review the Azure requirements here to ensure proper support for your BIG-IP VE devices.
  • If you install your BIG-IQ devices and DCDs in a private cloud or on-premises environment, after you create the Azure environment, configure a VPN to support the required communication between the Azure VNet and the management components.
Because the BIG-IP VE devices you create will reside in a VNet, the public or private cloud accommodations you make for that VNet must also be made for each region in which you operate the BIG-IP VE devices.

Register the F5 enterprise application on your Azure portal

You create and register an enterprise application, and make sure it has access control, so you can manage BIG-IP VE devices in an Azure cloud.
  1. Access your Azure Subscription, and use your admin privileges to register a new enterprise application.
    Make sure the application definition includes this information:
    Field              Content to enter
    Name               The name of the application you want to create.
    Application Type   Web app/API.
    Sign-on URL        The URL of the web address you plan to advertise.
  2. Add additional application owners, if needed.
  3. Grant access control to your application.
    1. Access your Azure account, and navigate to All Services > Subscriptions.
    2. Click the name of the subscription that you plan to use to host your BIG-IP VE devices.
    3. Select Access control (IAM) and click +.
    4. For Role, select Contributor.
    5. In the Select box, type the name of the application you specified when you registered the application for your BIG-IP VE devices.
    6. Click Save to assign access control to your application.

Create an Azure virtual network

You need to set up the Azure virtual network (VNet) that hosts your BIG-IP VE devices. If you use the public cloud option, this VNet hosts your BIG-IQ, as well.
  1. Access your Azure Subscription, and create a VNet.
    For the most current instructions for creating a virtual network in Azure, refer to the Microsoft Quick Start web site, quick-create-portal.
  2. As you configure the VNet, make sure it is in the location you want to work in and contains this information:
    1. A matching address space and address range with netmask size of 24
    2. Resource Group Name
    3. A management subnet, with a name that indicates what it is and includes a prefix and a body (for example: <prefix>-mgmt-subnet)
    4. Basic DDoS protection
    5. Service endpoints and Firewall disabled

Locate the credentials for BIG-IQ authentication

You need to gather the credentials required to configure the Azure provider in the BIG-IQ user interface.
  1. In Azure Active Directory under App registrations, create a key and note the value.
    The key is used as the Service Principal Secret on the New Cloud Provider screen in the BIG-IQ user interface.
  2. To find the Subscription ID: Open the Azure portal, navigate to Subscriptions, and make a note of the ID for your subscription.
  3. To find the Tenant ID: Open the Azure Active Directory, navigate to Properties, and make a note of the Directory ID.
  4. To find the Client ID: Open the Azure Active Directory, navigate to App registrations, and make a note of the Application ID.

Set Up Azure Marketplace images for automated deployment

When the BIG-IQ needs to deploy a BIG-IP instance to meet the needs of an application on your BIG-IP VE device, the image that Azure uses to deploy that instance must be set up for automated deployment. To set this up, you enable programmatic deployment in the Azure environment for the required image types.
  1. Access your Azure account, and navigate to All Services > Marketplace.
  2. In the Filter box, type F5 BIG-IP, and press Enter.
    The screen lists all of the BIG-IP products currently published in Azure.
  3. Set up each BIG-IP product that is required by the applications for which you plan to deploy BIG-IP VE devices:
    1. Click the name of the BIG-IP product.
      A new panel opens on the Azure user interface and displays details about the selected BIG-IP product.
    2. At the very bottom of the details panel for the selected BIG-IP product, click the link that says: Want to deploy programmatically? Get started.
    3. On the Configure Programmatic Deployment page, click Enable and then click Save.

Specify credentials required to connect to an Azure cloud

You create a new Azure cloud provider to tell BIG-IQ how to connect to your Azure environment.
  1. At the top of the screen, click Applications, then, on the left, click ENVIRONMENTS > Cloud Providers.
  2. Click Create.
    The New Cloud Provider screen opens.
  3. Type a Name and optional Description for the cloud provider you are creating, to help identify it when you want to use it later.
  4. From the Provider Type list, select Azure.
    The screen refreshes, and displays settings (under Provider Details) that you use to specify your Azure credentials.
  5. Type or paste in the Tenant ID, Client ID, and Service Principal Secret for your Azure environment.
  6. Click Test to confirm that the account details that you just provided are correct.
    The system checks with the Azure interface to confirm that the credentials and account details you provided are valid, and then fills in the Subscription ID that Azure uses to track all of the metrics for the account associated with these credentials.
  7. Click Save & Close.
The system creates the new provider, which is now ready to be used in a cloud environment.
Before you can create a service scaling group, you need to specify the cloud environment details. But if you are going to use a license pool instead of the Azure marketplace licensing option, you need to activate a pool of licenses before you can define your cloud environment.

Configure your Azure cloud environment on BIG-IQ

You create a cloud environment that describes the details of the Azure virtual network in which you want to create BIG-IP VE devices from BIG-IQ.
  1. At the top of the screen, click Applications, then, on the left, click ENVIRONMENTS > Cloud Environments.
  2. Click Create.
    The New Cloud Environment screen opens.
  3. Give this environment a Name and an optional Description.
  4. Leave the Device Template option as None.
    You'll be specifying device configuration details when you configure the BIG-IP VE device through the onboarding process.
  5. From the Cloud Provider list, select the name of the Azure provider you want to use for this environment.
    The screen displays the Azure Properties settings.
  6. From the Location list, select the region in which the private cloud you created for this environment resides.
  7. For License Type, select Utility.
    From your cloud provider marketplace, you'll need to select F5 BIG-IP Virtual Edition - GOOD (PAYG).
  8. For Services to Deploy, select the F5 service you want to use for this environment.
  9. For Instance Type, select the Azure instance type that provides the resources needed for this environment.
  10. For Restricted Source Address, using the CIDR format, specify the addresses that you want to be able to access this environment.
    For example, 12.12.0.0/16.
    Only addresses that match your entry will have access (IP addresses that use 12.12.xxx.xxx in the example above).
  11. For VNet Name, select the VNet name that you created in your Azure environment.
  12. For Management Subnet, select the management address that you created in your Azure environment.
  13. Click Save & Close.

Create a BIG-IP VE device in an Azure cloud environment

You'll need to have a cloud environment configured before you can create a BIG-IP VE device in it.
You create a BIG-IP VE device so that you can then configure it and start managing it from BIG-IQ Centralized Management.
In an Azure cloud environment, you must create only one BIG-IP VE device at a time.
  1. At the top of the screen, click Devices.
  2. On the left, click BIG-IP VE CREATION.
  3. Click Create.
  4. For Task Name, type a name for this onboarding task.
  5. For BIG-IP VE Name, type a name to identify this BIG-IP VE you are creating.
  6. From the Cloud Environment list, select your Azure environment.
  7. Type the Admin Password for the BIG-IP VE you are creating.
  8. Click the Create button at the bottom of the screen.
When BIG-IQ successfully completes a BIG-IP VE creation task, the task displays on the BIG-IP VE creation screen. The BIG-IP VE creation process can take up to 10 minutes, depending on the cloud environment and the BIG-IP VE configuration.
You can now configure this BIG-IP VE device through the onboarding process.

API example of onboarding a BIG-IP VE device in an Azure cloud environment

This is an example of what you'll see when you specify the details for an onboard declaration and click the View Sample API Request button from the Create Onboard Declaration screen.
API REST URL: /mgmt/shared/declarative-onboarding
For more information about declarative onboarding, refer to the API REST documentation:
https://clouddocs.f5.com/products/big-iq/mgmt-api/v7.0.0/ApiReferences/bigiq_public_api_ref/r_do_onboarding.html

    {
        "class": "DO",
        "declaration": {
            "schemaVersion": "1.5.0",
            "class": "Device",
            "async": true,
            "Common": {
                "class": "Tenant",
                "myLicense": {
                    "class": "License",
                    "licenseType": "regKey",
                    "regKey": "xxx-xxx-xxx-xx"
                },
                "myProvision": {
                    "class": "Provision",
                    "ltm": "nominal"
                },
                "myNtp": {
                    "class": "NTP",
                    "servers": [ "time.nist.gov" ],
                    "timezone": "UTC"
                },
                "admin": {
                    "class": "User",
                    "userType": "regular",
                    "partitionAccess": {
                        "all-partitions": { "role": "admin" }
                    },
                    "shell": "tmsh",
                    "password": "adminpassword"
                },
                "root": {
                    "class": "User",
                    "userType": "root",
                    "newPassword": "rootpassword",
                    "oldPassword": "adminpassword"
                }
            }
        },
        "targetHost": "54.10.10.10",
        "targetUsername": "admin",
        "targetPassphrase": "admin",
        "bigIqSettings": {
            "failImportOnConflict": false,
            "conflictPolicy": "USE_BIGIQ",
            "deviceConflictPolicy": "USE_BIGIP",
            "versionedConflictPolicy": "KEEP_VERSION",
            "statsConfig": {
                "enabled": true,
                "zone": "default"
            },
            "snapshotWorkingConfig": false
        }
    }
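
A pre-submit check for a declaration like the sample above, added here as an example (it is not F5 code and not part of BIG-IQ): it walks the request body and reports secret fields that still hold the placeholder values printed on this page, a root newPassword equal to oldPassword, and a targetPassphrase equal to targetUsername. The function name, the key list and the constructed sample body are assumptions made for this example.

```python
import json

# Keys that carry secrets in this page's example declarations.
SECRET_KEYS = {"password", "newPassword", "oldPassword", "targetPassphrase",
               "localPassword", "remotePassword", "regKey"}
# Placeholder values printed in this page's examples (list built for this check).
SAMPLE_VALUES = {"admin", "adminpassword", "rootpassword", "xxx-xxx-xxx-xx",
                 "Admin1Passwd", "Admin2Passwd"}


def find_sample_secrets(node, path=""):
    """Walk a declaration and return sorted (json_path, reason) findings."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if key in SECRET_KEYS and isinstance(value, str) and value in SAMPLE_VALUES:
                findings.append((here, "documentation sample value"))
            findings.extend(find_sample_secrets(value, here))
        # A root password change that keeps the old value changes nothing.
        if "newPassword" in node and node["newPassword"] == node.get("oldPassword"):
            findings.append((f"{path}/newPassword", "identical to oldPassword"))
        # A passphrase equal to the user name is a default-credential pattern.
        if "targetPassphrase" in node and node["targetPassphrase"] == node.get("targetUsername"):
            findings.append((f"{path}/targetPassphrase", "same as targetUsername"))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(find_sample_secrets(item, f"{path}/{index}"))
    return sorted(findings)


# Constructed request body, abbreviated from the sample on this page.
DECLARATION = json.loads("""
{
  "class": "DO",
  "declaration": {
    "schemaVersion": "1.5.0", "class": "Device", "async": true,
    "Common": {
      "class": "Tenant",
      "myLicense": {"class": "License", "licenseType": "regKey", "regKey": "xxx-xxx-xxx-xx"},
      "admin": {"class": "User", "userType": "regular", "shell": "tmsh",
                "password": "adminpassword"},
      "root": {"class": "User", "userType": "root",
               "newPassword": "rootpassword", "oldPassword": "adminpassword"}
    }
  },
  "targetHost": "54.10.10.10", "targetUsername": "admin", "targetPassphrase": "admin"
}
""")

if __name__ == "__main__":
    for json_path, reason in find_sample_secrets(DECLARATION):
        # Report the field location only; never echo the secret itself.
        print(f"{json_path}: {reason}")
```
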

Configure a cluster of BIG-IP VE devices in an Azure cloud environment through onboarding

You must configure your cloud environment and create BIG-IP VE devices in it before you can configure the BIG-IP VE devices.
You can configure BIG-IP VE devices through a process called declarative onboarding (DO), also referred to as just onboarding. Onboarding BIG-IP VE clusters makes it easy for you to configure more than one BIG-IP VE at one time. When you onboard a cluster of BIG-IP VE devices, you specify all of the details of their configuration, and discover and import their services in one procedure. After you onboard the BIG-IP VE devices, you can start managing them from the BIG-IQ Devices > BIG-IP DEVICES screen.
Only BIG-IP v14.1 images are supported for new Azure BIG-IP VE devices with only one NIC.
  1. At the top of the screen, click Devices.
  2. On the left, click BIG-IP VE CREATION.
    Alternatively, you can click BIG-IQ ONBOARDING on the left and onboard the BIG-IP VE from that screen.
  3. Select the check mark next to two or more successful BIG-IP VE creation tasks, and then click the Onboard Cluster button.
    BIG-IQ allows you to simultaneously onboard the BIG-IP VE devices you select as a cluster.
  4. Type a name and optional description to help you identify this task.
  5. Select the onboarding classes you want to use to configure the BIG-IP VE devices, and when you're done, click the Onboard button at the bottom of the screen.
    Following is a list of the minimally required and highly recommended parameters you should specify for onboarding BIG-IP VE devices. Every environment is different, so, in addition to the classes and parameters here, consider additional configuration options you might need for your network and applications. For example, you might want to set up DNS, or add a route.
    You can view the API call that BIG-IQ makes to onboard BIG-IP devices at any time by clicking View Sample API Request at the upper right.
    DNS settings are automatically specified by your cloud environment.
    You can use parameter values written as in-place references to other DO classes only from the API. For example, using a parameter value of "/Common/failoverGroup/members/0" (pointer to a different class in the same declaration) for an address, instead of the actual remote address. Do not use parameters with references to other DO classes in the user interface from the BIG-IQ Devices > BIG-IP ONBOARDING > Create screen; instead, use the actual value for the field.
    Onboard Class: BIG-IQ Settings: Cluster Name
      API Parameter Example:
        "bigIqSettings": {"clusterName": "My_cluster_name"}
      Description: Cluster name.
    Onboard Class: Device Group
      API Parameter Example:
        "myDeviceGroup": { "class": "DeviceGroup", "type": "sync-only", "members": [ "bigip1.example.com", "bigip2.example.com" ], "owner": "bigip1.example.com", "autoSync": true, "networkFailover": true, "asmSync": true }
      Description: This is the BIG-IP sync group.
      Notes:
        • These must be the same on every BIG-IP device in the group.
        • For ASM sync, make sure ASM is provisioned on all BIG-IP devices in the cluster.
        • DNS sync groups are not supported in BIG-IP version 7.0.
        • You must select sync-only, which is the only option supported for a newly-created BIG-IP VE with a single NIC.
    Onboard Class: Device Trust
      API Parameter Example:
        On BIG-IP1
        "myDeviceTrust": { "class": "DeviceTrust", "localUsername": "admin1", "localPassword": "Admin1Passwd", "remoteHost": "bigip1.example.com", "remoteUsername": "admin1", "remotePassword": "Admin1Passwd" }
        On BIG-IP2
        "myDeviceTrust": { "class": "DeviceTrust", "localUsername": "admin2", "localPassword": "Admin2Passwd", "remoteHost": "bigip1.example.com", "remoteUsername": "admin1", "remotePassword": "Admin1Passwd" }
      Description: These are the BIG-IP Device Trust settings.
      Notes: The Remote UserName and Remote Password must be the same on all BIG-IP devices in the cluster.
BIG-IQ configures the BIG-IP VE devices in this cluster and automatically imports their provisioned services based on the BIG-IQ Settings Onboard Classes. When the BIG-IP VE devices are successfully onboarded, the status displays as Onboard Finished and the BIG-IP VE devices display on the BIG-IP Devices screen, where you can start managing them. This onboarding task remains in the list until you delete it. You can use existing onboard tasks as the basis of new onboard tasks.

API example of onboarding a cluster of BIG-IP VE devices

This is an example of what you'll see when you specify the details for a BIG-IP VE cluster onboard declaration and click the View Sample API Request button from the Create Onboard Declaration screen.
API REST URL: /mgmt/shared/declarative-onboarding
For more information about declarative onboarding, refer to the API REST documentation:
https://clouddocs.f5.com/products/big-iq/mgmt-api/v7.0.0/ApiReferences/bigiq_public_api_ref/r_do_onboarding.html

API for BIG-IP 1

    {
        "class": "DO",
        "declaration": {
            "schemaVersion": "1.5.0",
            "class": "Device",
            "async": true,
            "Common": {
                "class": "Tenant",
                "myDeviceGroup": {
                    "class": "DeviceGroup",
                    "type": "sync-only",
                    "members": [ "bigip1.example.com", "bigip2.example.com" ],
                    "owner": "bigip1.example.com",
                    "autoSync": true,
                    "networkFailover": true,
                    "asmSync": true
                },
                "myDeviceTrust": {
                    "class": "DeviceTrust",
                    "localUsername": "admin1",
                    "localPassword": "Admin1Passwd",
                    "remoteHost": "bigip1.example.com",
                    "remoteUsername": "admin1",
                    "remotePassword": "Admin1Passwd"
                }
            }
        },
        "targetUsername": "Admin",
        "targetHost": "2.24.176.244",
        "targetSshKey": { "path": "/var/ssh/restnoded/my_awsve_1_2_3_111.pem" },
        "bigIqSettings": {
            "failImportOnConflict": false,
            "conflictPolicy": "USE_BIGIQ",
            "deviceConflictPolicy": "USE_BIGIP",
            "versionedConflictPolicy": "KEEP_VERSION",
            "clusterName": "my_cluster_name"
        }
    }

API for BIG-IP 2

    {
        "class": "DO",
        "declaration": {
            "schemaVersion": "1.5.0",
            "class": "Device",
            "async": true,
            "Common": {
                "class": "Tenant",
                "myDeviceGroup": {
                    "class": "DeviceGroup",
                    "type": "sync-only",
                    "members": [ "bigip1.example.com", "bigip2.example.com" ],
                    "owner": "bigip1.example.com",
                    "autoSync": true,
                    "networkFailover": true,
                    "asmSync": true
                },
                "myDeviceTrust": {
                    "class": "DeviceTrust",
                    "localUsername": "admin2",
                    "localPassword": "Admin2Passwd",
                    "remoteHost": "bigip1.example.com",
                    "remoteUsername": "admin1",
                    "remotePassword": "Admin1Passwd"
                }
            }
        },
        "targetUsername": "Admin",
        "targetHost": "2.22.29.148",
        "targetSshKey": { "path": "/var/ssh/restnoded/my_awsve_1_2_3_2525.pem" },
        "bigIqSettings": {
            "failImportOnConflict": false,
            "conflictPolicy": "USE_BIGIQ",
            "deviceConflictPolicy": "USE_BIGIP",
            "versionedConflictPolicy": "KEEP_VERSION",
            "clusterName": "my_cluster_name"
        }
    }
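
A consistency check across the per-device request bodies of one cluster, added here as an example (it is not F5 code): it applies the rules stated in the onboarding class notes above, namely that the Device Group is identical on every device and of type sync-only, that the Device Trust remote user name and password match on all devices, and that every request names the same cluster. The function names and the constructed bodies with placeholder secrets are assumptions made for this example.

```python
import copy
import json


def _first_of_class(common, cls):
    """Return the first object of DO class `cls` under the Common tenant."""
    for value in common.values():
        if isinstance(value, dict) and value.get("class") == cls:
            return value
    return None


def check_cluster(requests):
    """Return a list of problems; `requests` maps a device label to its body."""
    problems = []
    groups, remotes, names = {}, {}, {}
    for label, body in requests.items():
        common = body["declaration"]["Common"]
        group = _first_of_class(common, "DeviceGroup")
        trust = _first_of_class(common, "DeviceTrust")
        if group is None or trust is None:
            problems.append(f"{label}: DeviceGroup and DeviceTrust are both expected")
            continue
        if group.get("type") != "sync-only":
            problems.append(f"{label}: DeviceGroup type must be 'sync-only'")
        # Canonical JSON so key order does not cause a false mismatch.
        groups[label] = json.dumps(group, sort_keys=True)
        remotes[label] = (trust.get("remoteUsername"), trust.get("remotePassword"))
        names[label] = body.get("bigIqSettings", {}).get("clusterName")
    for what, seen in (("DeviceGroup", groups),
                       ("DeviceTrust remote credentials", remotes),
                       ("clusterName", names)):
        if len(set(seen.values())) > 1:
            # Name the devices only; secrets are never written to the report.
            problems.append(f"{what} differs between devices: {', '.join(sorted(seen))}")
    return problems


# Constructed body modelled on "API for BIG-IP 1"; secrets are placeholders.
BIGIP1 = {
    "class": "DO",
    "declaration": {"schemaVersion": "1.5.0", "class": "Device", "async": True, "Common": {
        "class": "Tenant",
        "myDeviceGroup": {"class": "DeviceGroup", "type": "sync-only",
                          "members": ["bigip1.example.com", "bigip2.example.com"],
                          "owner": "bigip1.example.com", "autoSync": True,
                          "networkFailover": True, "asmSync": True},
        "myDeviceTrust": {"class": "DeviceTrust", "localUsername": "admin1",
                          "localPassword": "<local-secret-1>",
                          "remoteHost": "bigip1.example.com",
                          "remoteUsername": "admin1", "remotePassword": "<remote-secret>"}}},
    "bigIqSettings": {"clusterName": "my_cluster_name"},
}


def variant(**trust_overrides):
    """Copy BIGIP1 for a second device, overriding DeviceTrust fields."""
    body = copy.deepcopy(BIGIP1)
    body["declaration"]["Common"]["myDeviceTrust"].update(trust_overrides)
    return body


if __name__ == "__main__":
    bigip2 = variant(localUsername="admin2", remotePassword="<mistyped-secret>")
    for problem in check_cluster({"bigip1": BIGIP1, "bigip2": bigip2}):
        print(problem)
```
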