Manual Chapter : AWS Setup for a Service Scaling Group

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 7.0.0
Manual Chapter

AWS Setup for a Service Scaling Group

Setting up the AWS environment for a service scaling group

workflow graphic, set up AWS environment step
You need to set up an AWS environment with the specific characteristics required by a BIG-IQ service scaling group (SSG). This environment houses the resources that power the SSG.

Configure your AWS Virtual Private Cloud

To deploy BIG-IP VE devices in an AWS cloud, you need a Virtual Private Cloud (VPC). You also need secret keys and a security group to keep the environment safe.
To properly configure your environment, your account requires full access permissions for the following AWS resources: Auto Scale Groups, Instances, SQS, S3, CloudWatch, and CloudFormation. Additionally, you need list, create, and delete permissions for the IAM
  • If you use the AWS cloud for all of your resources, you install the BIG-IP VE devices and DCDs in the AWS environment. When you use AWS for your BIG-IQ and DCDs, you most likely have already created an AWS environment and deployed the BIG-IP VE devices. If this is the case, be sure to review the AWS requirements here to ensureproper support.
  • If you deployed your BIG-IP VE devices and DCDs in a private cloud or on-premises environment, after you create the AWS environment, configure a VPN to support the required communication between the BIG-IP VE devices and the management components.
    For the most current instructions for creating a VPC, refer to the VPC Documentation web site,
  1. Access your AWS account, and create a virtual private cloud (VPC).
    As you configure the VPC, make sure it is in the region you want to work in and contains the following elements:
    • Name tag
    • IPv4 CIDR block
    • Only 1 subnet,is supported for BIG-IP VE creation. If you want more subnets, you must configure them manually in your AWS environment after you create your BIG-IP VE.
    • Internet gateway attached to this VPC
    • Route table that targets the internet gateway (1 for each subnet)
  2. Create a key pair to allow SSH access.
  3. Create a security group to protect the elastic load balancer (ELB).
    When you configure the security group for the ELB, you must not specify any ingress rules.
  4. Create a classic elastic load balancer (ELB) using the settings detailed in the table.
    ELB Type
    Classic Load Balancer
    VPC and subnets
    Use the objects created in step 1.
    Health Checks
    • Ping protocol:TCP
    • Ping port: 22
    • Timeout: 5 seconds
    • Interval: 30 seconds
    EC2 Instances
    Cross-Zone Load Balancing enabled and Connection Draining Enabled at 300 seconds.
    When you configure the ELB, note that you can deploy it as either Internet-facing or internal. Internal is fine if all of the application traffic you support is within your AWS VPC. If not, then make sure you deploy it as Internet-facing.
    Additionally, the classic ELB and the BIG-IP VE devices that manage your applications must be in the VPC. If they are not in the same VPC, traffic will not reach the BIG-IP VE devices.
    For more information, refer to: VPC_SecurityGroups.html.
  5. After the ELB is created successfully, edit the ELB listeners to remove the default listener (Load Balancer Protocol and Instance Protocol of HTTP on port 80).
Before AWS can create the BIG-IP VE instances, you must subscribe and agree to the software terms for the Amazon machine image (AMI) you plan to use.
  • Navigate to the AWS marketplace.
  • Search for the AMI that best fits your needs.
  • When you find the AMI you want, select it and then click
    Continue to Subscribe
    and follow the prompts.

Configuration requirements for an AWS VPN

When you manage BIG-IP VE devices running applications in AWS environment, and use a BIG-IQ and data collection devices that are housed in a private cloud or on-premises, you need a VPN to facilitate communication. Without a VPN, the devices cannot send the analytic information you need to manage your applications. Also, if you use the BYOL licensing option, when new devices are created, they need the VPN so they can contact the BIQ-IQ acting as a license server.
For more information
Both ends of the VPN require a gateway. That is, you need a gateway between your BIG-IQ/data collection device cluster and the VPN; and, you need a virtual private gateway between the VPN and the AWS environment.
Refer to the vendor documentation for the gateway you use locally. For details on the AWS end, refer to
AWS Managed VPN Connections
You must use a VPN supported by AWS.
For details on the VPN types that AWS supports, refer to
Amazon Virtual Private Cloud Documentation
Subnets on your local network must use a different subnet than the subnet used by the VPC you create in the AWS environment. There can be no overlap.
For example, if the BIG-IQ and data collection devices in your local cloud use a subnet such as, you could use a subnet such as
There must be a route from your BIG-IQ/data collection device cluster to the AWS environment through your gateway.
Create this route by logging in to the BIG-IQ and DCD in your local cloud and running a set of
commands. For example, if your setup used the subnets listed in the previous example (AWS network is
and your gateway address is
, you could run the following sequence of commands:
tmsh create /net route gw tmsh list net route tmsh save /sys config