Applies To:Show Versions
BIG-IQ Centralized Management
Azure Setup for a Service Scaling Group
Overview of the Azure setup process
- Register the F5 enterprise application.
- Create an Azure virtual network (VNet) in the region in which you want to deploy the SSG.
- Specify the credentials BIG-IQ uses to authenticate on the Azure portal. You need the following Azure credentials:
- Enterprise Application ID
- Azure Active Directory ID
- Service Principal Secret
- Set up the F5 device images for automated deployment.
- If you use the Azure cloud for all of your resources, you install the BIG-IQ devices and DCDs that manage the SSG in the Azure VNet. When you use Azure for your BIG-IQ and DCDs, you most likely have already created an Azure VNet and installed the BIG-IQ VE. If this is the case, be sure to review the Azure requirements here to ensure proper support for your SSG.
- If you install your BIG-IQ devices and DCDs in a private cloud or on-premises environment, after you create the Azure environment, configure a VPN to support the required communication between the Azure VNet and the management components.
Register the F5 enterprise application on your Azure portal
- Access your Azure Subscription, and use your admin privileges to register a new enterprise application.Make sure the application definition includes this information:FieldContent to enterNameThe name of the application you want to create.Application TypeWeb app/API.Sign-on URLThe URL of the web address you plan to advertise.
- Add additional application owners, if needed.
- Grant access control to your application.
- Access your Azure account, and navigate to.
- Click the name of the subscription that you plan to use to host your BIG-IP VE devices.
- SelectAccess control IAMand click+.
- ForRole, selectContributor.
- In theSelectbox, type the name of the application you specified when you registered the application for your BIG-IP VE devices.
- ClickSaveto assign access control to your application.
Create an Azure virtual network
- Access your Azure Subscription, and create a VNet.
- As you configure the VNet, make sure it is in the location you want to work in and contains this information:
- A matching address space and address range with netmask size of 24
- Resource Group Name
- A management subnet, with a name that indicates what it is and includes a prefix and a body (for example:<prefix>-mgmt-subnet)
- Basic DDos protection
- Service endpoints and Firewall disabled
Locate the credentials for BIG-IQ authentication
- In Azure Active Directory under App registrations, create a key and note the value.The key is used as the Service Principal Secret on the New Cloud Provider screen in the BIG-IQ user interface.
- To find the Subscription ID: Open the Azure portal, navigate toSubscriptionsand make a note of the ID for your subscription.
- To find the Tenant ID: Open the Azure Active Directory, navigate toPropertiesand make a note of the Directory ID.
- Find the Client ID: Open the Azure Active Directory, navigate toApp registrationsand make a note of Application ID.
Set Up Azure Marketplace images for automated deployment
- Access your Azure account, and navigate to.
- In theFilterbox, typeF5 BIG-IP, and press Enter.The screen lists all of the BIG-IP products currently published in Azure.
- Set up each BIG-IP product that is required by the applications you plan to deploy BIG-IP VE devices:
- Click the name of the BIG-IP product.A new panel opens on the Azure user interface and displays details about the selected BIG-IP product.
- At the very bottom of the details panel for the selected BIG-IP product, click the link that says:Want to deploy programmatically? Get started.
- On the Configure Programmatic Deployment page, clickEnableand then clickSave.
Requirements for a public BIG-IQ cluster
For these Azure VE parameters
Make these entries
VNet Resource Group
Use the resource group you associated with the Azure VNet for the virtual machines that manage your BIG-IP VE devices.
Virtual Machine name
Specify the name of the BIG-IQ virtual machine that manage your BIG-IP VE devices.
You need at least 8 CPUs and 32 GB of RAM.
Public Inbound Ports
Allow HTTPS(443) and SSH(22) as selected inbound ports.
User Name & Password
OS Disk Type
Specify Premium Select SSD.
Use the VNet you created for the virtual machines that manage your BIG-IP VE devices.
Use the management subnet that you created when you created the VNet for the virtual machines that manage your SSGs.
Requirements for a private BIG-IQ cluster
requirements for an Azure VPN
For more information
Both ends of the VPN require a gateway. That is, you need a gateway between your BIG-IQ/data collection device cluster and the VPN; and, you need a virtual private gateway between the VPN and the Azure environment.
Refer to the vendor documentation for the gateway that you use locally. For details on the Azure end, refer to
Create a Site-to-Site connection in the Azure portalon
You must use a VPN supported by Azure.
For details on the VPN types that Azure supports, refer to
About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connectionson
Subnets on your local network must use a different subnet than the subnet used by the VNet you create in the Azure environment. There can be no overlap.
For example, if the BIG-IQ and data collection devices in your local cloud use a subnet such as
172.16.0.0/16, you could use a subnet such as
10.1.0.0/16on your Azure VNet.
There must be a route from your BIG-IQ/data collection device cluster to the Azure environment through your gateway.
Create this route by logging in to the BIG-IQ and DCD in your local cloud and running a set of
tmshcommands. For example, if your setup used the subnets listed in the previous example (Azure network is
10.1.0.0/16and your gateway address is
172.16.0.9), you could run the following sequence of commands: