Manual Chapter : AWS Setup for a Service Scaling Group
Applies To:Show Versions
BIG-IQ Centralized Management
AWS Setup for a Service Scaling Group
Setting up the AWS environment for a service scaling group
You need to set up an AWS environment with the specific characteristics required by a BIG-IQ service scaling group (SSG). This environment houses the resources that power the SSG.
Configure your AWS Virtual Private Cloud
To deploy BIG-IP VE devices in an AWS cloud, you need a Virtual Private Cloud (VPC). You also need secret keys and a security group to keep the environment safe.
To properly configure your environment, your account requires full access permissions for the following AWS resources: Auto Scale Groups, Instances, SQS, S3, CloudWatch, and CloudFormation. Additionally, you need list, create, and delete permissions for the IAM
- If you use the AWS cloud for all of your resources, you install the BIG-IP VE devices and DCDs in the AWS environment. When you use AWS for your BIG-IQ and DCDs, you most likely have already created an AWS environment and deployed the BIG-IP VE devices. If this is the case, be sure to review the AWS requirements here to ensureproper support.
- If you deployed your BIG-IP VE devices and DCDs in a private cloud or on-premises environment, after you create the AWS environment, configure a VPN to support the required communication between the BIG-IP VE devices and the management components.For the most current instructions for creating a VPC, refer to the VPC Documentation web site,https://docs.aws.amazon.com/AmazonVPC/latest/GettingStartedGuide/getting-started-ipv4.html.
- Access your AWS account, and create a virtual private cloud (VPC).As you configure the VPC, make sure it is in the region you want to work in and contains the following elements:
- Name tag
- IPv4 CIDR block
- Only 1 subnet,is supported for BIG-IP VE creation. If you want more subnets, you must configure them manually in your AWS environment after you create your BIG-IP VE.
- Internet gateway attached to this VPC
- Route table that targets the internet gateway (1 for each subnet)
- Create a key pair to allow SSH access.For more information, refer to: ec2-key-pairs.html and id_credentials_access-keys.html#Using_CreateAccessKey
- Create a security group to protect the elastic load balancer (ELB).When you configure the security group for the ELB, you must not specify any ingress rules.
- Create a classic elastic load balancer (ELB) using the settings detailed in the table.ELB TypeClassic Load BalancerVPC and subnetsUse the objects created in step 1.Health Checks
EC2 InstancesCross-Zone Load Balancing enabled and Connection Draining Enabled at 300 seconds.When you configure the ELB, note that you can deploy it as either Internet-facing or internal. Internal is fine if all of the application traffic you support is within your AWS VPC. If not, then make sure you deploy it as Internet-facing.For more information, refer to: VPC_SecurityGroups.html.Additionally, the classic ELB and the BIG-IP VE devices that manage your applications must be in the VPC. If they are not in the same VPC, traffic will not reach the BIG-IP VE devices.
- Ping protocol:TCP
- Ping port: 22
- Timeout: 5 seconds
- Interval: 30 seconds
- After the ELB is created successfully, edit the ELB listeners to remove the default listener (Load Balancer Protocol and Instance Protocol of HTTP on port 80).
Before AWS can create the BIG-IP VE instances, you must subscribe and agree to the software terms for the Amazon machine image (AMI) you plan to use.
- Navigate to the AWS marketplace.
- Search for the AMI that best fits your needs.
- When you find the AMI you want, select it and then clickContinue to Subscribeand follow the prompts.
Configuration requirements for an AWS VPN
When you manage BIG-IP VE devices running applications in AWS environment, and use a BIG-IQ and data collection devices that are housed in a private cloud or on-premises, you need a VPN to facilitate communication. Without a VPN, the devices cannot send the analytic information you need to manage your applications. Also, if you use the BYOL licensing option, when new devices are created, they need the VPN so they can contact the BIQ-IQ acting as a license server.
For more information
Both ends of the VPN require a gateway. That is, you need a gateway between your BIG-IQ/data collection device cluster and the VPN; and, you need a virtual private gateway between the VPN and the AWS environment.
Refer to the vendor documentation for the gateway you use locally. For details on the AWS end, refer to
AWS Managed VPN Connectionson
You must use a VPN supported by AWS.
For details on the VPN types that AWS supports, refer to
Amazon Virtual Private Cloud Documentationon
Subnets on your local network must use a different subnet than the subnet used by the VPC you create in the AWS environment. There can be no overlap.
For example, if the BIG-IQ and data collection devices in your local cloud use a subnet such as 172.16.0.0/16, you could use a subnet such as
There must be a route from your BIG-IQ/data collection device cluster to the AWS environment through your gateway.
Create this route by logging in to the BIG-IQ and DCD in your local cloud and running a set of
tmshcommands. For example, if your setup used the subnets listed in the previous example (AWS network is
10.1.0.0/16and your gateway address is
172.16.0.9, you could run the following sequence of commands: