Manual Chapter : Deploying BIG-IQ Virtual Edition in Microsoft Azure
Applies To:Show Versions
BIG-IQ Centralized Management
Deploying BIG-IQ Virtual Edition in Microsoft Azure
How do I deploy a BIG-IQ VE in Microsoft Azure?
Before you can start the tasks to deploy the BIG-IQ Virtual Edition (VE) system on
Microsoft Azure, you must first:
- Establish a Microsoft Azure environment that includes a virtual network to which you will deploy your BIG-IP devices and BIG-IQ Virtual Edition (VE). For details, refer tohttps://azure.microsoft.com/en-us/services/virtual-machines/.
- In your Microsoft Azure environment, deploy the BIG-IP Virtual Edition (VE) machines that you plan to use to manage your application traffic. For details, refer tohttps://support.f5.com/csp/knowledge-center/cloud/Public%20Cloud/Microsoft%20Azure.
- Create a resource group in your Microsoft Azure environment that enables the ports and protocols required by the applications you plan to manage on your BIG-IP VE machines. For details, refer tohttps://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-portal.
- Create a security group in the resource group in which you plan to deploy your BIG-IQ VE. In addition to the normal inbound and outbound security rules you use in your Azure security groups, you must include an inbound security rule for port 22 (for SSH access to your VE) and port 443 (for HTTPS access).
To deploy the BIG-IQ Virtual Edition (VE) system on
Microsoft Azure, you:
- Use MS Azure PowerShell to load a sequence of PowerShell Cmdlets.
- Assemble a PowerShell script that creates a BIG-IQ VE.
- Run the script to deploy a BIG-IQ VE on Azure.
- Log in to the new VE and use TMSH to enable the root and admin passwords.
Load PowerShell Cmdlets
To create a BIG-IQ VE in the Microsoft Azure cloud, you build and then run a custom PowerShell script composed of a sequence of cmdlets. Before you can assemble the script, you need to load the cmdlets into your Azure environment.
This process describes the steps to load the necessary cmdlets in using the Windows PowerShell user interface. To use the Azure command line interface, refer to the Azure online documentation published by Microsoft.
- Log in to the Microsoft Azure command line interface.
- Set the repository name. You can use an entry similar to:set-psrepository -name PSGallery -InstallationPolicy Trusted
- Use the Microsoft Azure command line interface to load the AZureRM cmdlets to your Azure environment.Your command line entry might read:Install-Module -Name AZ
Assemble a PowerShell script
Before you can assemble the PowerShell script with the correct commands, you must have loaded the required PowerShell cmdlets to your Azure PowerShell environment.
To create a BIG-IQ VE in the Microsoft Azure cloud, you run a custom PowerShell script composed of a sequence of cmdlets. You assemble the script and customize the variables as appropriate for your Azure environment and business requirements.
The example script provided here is designed to use with PowerShell version 7.0.0 and Microsoft Azure PowerShell cmdlets version 4.7.0 (Az 4.7.0). Do not use this script with previous versions of these two resources.
If you are deploying to an environment that uses custom DNS, you might need to revise your script to target a different endpoint. For details about when these revisions are necessary and how to make them, refer to the AskF5 article K57242731 on
- Log in to the Microsoft Azure user interface.
- Use the Microsoft Azure user interface to build a PowerShell script using a sequence of cmdlets from your Azure environment.# Tested with PowerShell 7.0.0 and Az module 4.7.0 # Login to Azure Portal Login-AzAccount # Provide values for the variables # instance name $bigiqInstance = 'ExampleBIG-IQ-CM1' # resource group to use $resourceGroup = 'ExampleResourceGroup' $location = 'ExampleRegion' $vmSize = 'Example-Instance-Type' $diskSizeGB = '95' # Azure Network Info $vnetName = 'Example_Vnet' $subnetNic1name = 'Example_Subnet1' $subnetNic2name = 'Example_Subnet2' # VM specific info $ipName = $bigiqInstance + '_Pip' $nic1Name = $bigiqInstance + '_mgmt' $nic2Name = $bigiqInstance + '_internal' $vmName = $bigiqInstance + '-vm' $computerName = $bigiqInstance # Get the username and password to be used for the administrators account on the VM. # This is used when connecting to the VM using ssh. (do NOT use admin for User, e.g. adminUser) $cred = Get-Credential $vnet = Get-AzVirtualNetwork -ResourceGroupName $resourceGroup -Name $vnetName $pip = New-AzPublicIpAddress -Name $ipName -ResourceGroupName $resourceGroup -Location $location ` -AllocationMethod Dynamic $subnetNic1 = Get-AzVirtualNetworkSubnetConfig -Name $subnetNic1name -VirtualNetwork $vnet $subnetNic2 = Get-AzVirtualNetworkSubnetConfig -Name $subnetNic2name -VirtualNetwork $vnet $nic1 = New-AzNetworkInterface -Name $nic1Name -ResourceGroupName $resourceGroup -Location $location ` -SubnetId $subnetNic1.Id -PublicIpAddressId $pip.Id $nic2 = New-AzNetworkInterface -Name $nic2Name -ResourceGroupName $resourceGroup -Location $location ` -SubnetId $subnetNic2.Id # Start building the VM configuration $vm = New-AzVMConfig -VMName $vmName -VMSize $vmSize $vm = Set-AzVMOperatingSystem -VM $vm -Linux -ComputerName $computerName -Credential $cred $vm = Set-AzVMOSDisk -VM $vm -DiskSizeInGB $diskSizeGB -CreateOption FromImage -Caching ReadWrite $vm = Set-AzVMSourceImage -VM $vm -PublisherName f5-networks -Offer f5-big-iq -Skus "f5-bigiq-virtual-edition-byol" -Version latest # Finish the VM configuration and add the NIC. $vm = Add-AzVMNetworkInterface -VM $vm -Id $nic1.Id -Primary $vm = Add-AzVMNetworkInterface -VM $vm -Id $nic2.Id # Set the VM image as source image for the new VM Set-AzVMPlan -VM $vm -Name f5-bigiq-virtual-edition-byol -Product f5-big-iq -Publisher f5-networks # Have to accept terms Get-AzMarketplaceTerms -Name f5-bigiq-virtual-edition-byol -Product f5-big-iq -Publisher f5-networks | Set-AzMarketplaceTerms -Accept # Create the VM New-AzVM -VM $vm -ResourceGroupName $resourceGroup -Location $location # Verify that the VM was created $vmList = Get-AzVM -ResourceGroupName $resourceGroup $vmList.Name
- Change the names of the variables as required to meet your needs. The table lists the variables that must be changed and then lists the variables that you can change if you want to.The first table lists the variables that must be changed, and then the second lists the variables that you can change if you want to.Required Variable Name EntriesYou must revise the variables listed here before you run the PowerShell script.Variable NameDescription$bigiqInstance = 'bigiq_name'Name of the BIG-IQ instance you want to create.$resourceGroup = 'resource_groupResource group in which you want the virtual machine to reside$location = 'geographic_zone'Geographic location in USThis might influence what size virtual machines are available to choose from.$vmSize = 'standard_d4_v3'Platform type of host.$vnetName = 'example_vnet'Name of the virtual network defined for your BIG-IP devices in the Azure cloud.$subnetNic1name = 'Example_Subnet1'Name of the subnet to be used for the first NIC interface created for this BIG-IQ VE.$subnetNic2name = 'Example_Subnet2'Name of the subnet to be used for the second NIC interface created for this BIG-IQ VE.Optional Variable Name EntriesYou can revise these entries, or accept the default values.Variable NameDescription$ipName = $bigiqInstance + '_Pip'The public name of the instance created by this script.$nic1Name = $bigiqInstance + '_mgmt'The name of the first NIC interface created for this BIG-IQ VE.$nic2Name = $bigiqInstance + '_internal'The name of the second NIC interface created for this BIG-IQ VE.$vmName = $bigiqInstance + '-vm'The name of the virtual machine created for this BIG-IQ VE.$computerName = $bigiqInstanceThe name of the computer created for this BIG-IQ VE.
- When you finish customizing the variable names in the script, save it to a location you can access and make note of the script name and location.
Run a PowerShell
script to deploy a BIG-IQ VE virtual machine
You must have created a custom PowerShell script and saved it to a location that you can access.
Running the custom PowerShell script that you have assembled creates a new BIG-IQ VE instance in your Microsoft Azure environment.
- From the Microsoft Azure PowerShell command line interface, locate and run the custom PowerShell script that you have prepared.The script prompts you for your Microsoft Azure account credentials.
- Type the Microsoft Azure account credentials and then clickOK.The script prompts you for the credentials that you want to specify for first time access to the BIG-IQ VE you are creating.
- Type the first time access credentials and then clickOK.The rest of the script runs and begins creating the VE image without further prompts. When you see the name of the virtual machine ($vmName = $bigiqInstance + '-vm') specified in the PowerShell script appear in the list of objects in the Microsoft Azure portal, that means that you can move on to the next step. Add your management interface to the security group that controls access to your Azure instances.
Add the management
interface to your security group
Before you can log in and set up your BIG-IQ VE, you must make it accessible. To do this, you add the management interface to the security group that controls access to your Microsoft Azure cloud.
- On the Microsoft Azure Portal All services screen, click theResource groupsicon to display the resource groups defined on your portal.
- Click the name of the resource group specified in your PowerShell script.
- Click the name of the management interface specified in your PowerShell script and note a couple of things:
You can use the filters at the top of the list to show only selected object types. If you filter on Network interface, it is much easier to find the name you are looking for.
- There is no security group specified for this interface.
- The Public IP address value. You will need this address to access the BIG-IQ VE.
- On the left, click theNetwork Security groupicon.
- At the top of the screen, click theEditicon, and then click the right arrow to view the list of security groups defined on your portal.
- From the list of security groups, click the name of the security group you plan to use for your BIG-IQ VE, and then click theSaveicon.
Set the admin and
To perform this task, you must first:
- Run a PowerShell script to create a BIG-IQ VE.
- Use a security group to make the virtual machine management port accessible through the Internet.
- Know the public IP address assigned to the BIG-IQ VE.
To access your BIG-IQ instance with a browser and an admin password, you must create an admin user password. You can specify an admin password using an SSH session and a set of
To access your BIG-IQ instance with root credentials, you must first enable root access and then specify a root password. You can enable and specify a root password using an SSH session and a set of
If you plan to establish a high availability peer for this BIG-IQ VE, both devices must have root access enabled.
With the credentials you specified when you ran the PowerShell script, you do not need a password to gain admin access to this instance using SSH.
If you decide to create an admin or root password, choose the password wisely, bearing in mind that, depending on your Security Group policies, this login might provide external SSH access.
- Use the credentials that you specified for first time access, and the public IP address of your BIG-IQ VE to log in to the new BIG-IQ that you just launched using a command line interface.For example:
Then, when prompted, type the first time access password that you specified when prompted by the PowerShell script.$ ssh <nameoffirstimeaccessuser>@<publicipofbigiq>You can also use a terminal emulator such as PuTTY to test your connectivity.
- At thetmshcommand prompt, typemodify auth password admin.Because this login is visible externally, make sure to use a strong, secure password.The terminal window displays the message:changing password for admin, and then prompts:new password.
- Type your new password and then press Enter.The terminal window displays the message:confirm password.
- Re-type the new password and press Enter.
- At thetmshcommand prompt, typetmsh modify /sys db systemauth.disablerootlogin value false.If the terminal window does not display an error message, then root access is now enabled.
- At thetmshcommand prompt, typemodify auth password root.Because this login is visible externally, make sure to use a strong, secure password.The terminal window displays the message:changing password for root, and then prompts:new password.
- Type your new password and press Enter.The terminal window displays the message:confirm password.
- Re-type the new password and press Enter.
- To ensure that the system retains the password changes, at thetmshcommand prompt, typesave sys config, and then press Enter.
The admin and root passwords are now changed.
Before you can use this new BIG-IQ you must license it. Refer to
How do I license and do the basic setup to start using BIG-IQin the
Planning and Implementing an F5 BIG-IQ Centralized Management Deploymentguide for step by step instruction. You can find this guide on
The last step in the setup and licensing process prompts you to change the admin and root passwords. When you reach that step, do not type in a password. No entry that you provide will be processed successfully. Instead, just click
Nextto complete the process.