Manual Chapter : Azure Setup for a Service Scaling Group

Applies To:

BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0, 8.0.0, 7.1.0

Overview of the Azure setup process

[Figure: workflow graphic, set up Azure environment step]
There are four primary configuration tasks to complete in your Azure portal before you can create an Azure service scaling group (SSG) on your BIG-IQ.
  1. Register the F5 enterprise application.
  2. Create an Azure virtual network (VNet) in the region in which you want to deploy the SSG.
  3. Specify the credentials BIG-IQ uses to authenticate on the Azure portal. You need the following Azure credentials:
    • Enterprise Application ID
    • Azure Active Directory ID
    • Service Principal Secret
  4. Set up the F5 device images for automated deployment.
These Azure essentials are needed whether you house the BIG-IQ system and data collection devices (DCDs) in the Azure cloud, or in a private cloud or on-premises environment.
  • If you use the Azure cloud for all of your resources, you install the BIG-IQ devices and DCDs that manage the SSG in the Azure VNet. When you use Azure for your BIG-IQ and DCDs, you most likely have already created an Azure VNet and installed the BIG-IQ VE. If this is the case, be sure to review the Azure requirements here to ensure proper support for your SSG.
  • If you install your BIG-IQ devices and DCDs in a private cloud or on-premises environment, after you create the Azure environment, configure a VPN to support the required communication between the Azure VNet and the management components.
Because the SSG resides in a VNet, the public or private cloud accommodations you make for that VNet must also be made for each region in which you operate an SSG.

Register the F5 enterprise application on your Azure portal

You create and register an enterprise application, and make sure it has access control, so you can manage BIG-IP VE devices in an Azure cloud.
  1. Access your Azure Subscription, and use your admin privileges to register a new enterprise application.
    Make sure the application definition includes this information:
      Field: Content to enter
      Name: The name of the application you want to create.
      Application Type: Web app/API.
      Sign-on URL: The URL of the web address you plan to advertise.
  2. Add additional application owners, if needed.
  3. Grant access control to your application.
    1. Access your Azure account, and navigate to All Services > Subscriptions.
    2. Click the name of the subscription that you plan to use to host your BIG-IP VE devices.
    3. Select Access control (IAM) and click +.
    4. For Role, select Contributor.
    5. In the Select box, type the name of the application you specified when you registered the application for your BIG-IP VE devices.
    6. Click Save to assign access control to your application.

Create an Azure virtual network

You need to set up the Azure virtual network (VNet) that hosts your BIG-IP VE devices. If you use the public cloud option, this VNet hosts your BIG-IQ, as well.
  1. Access your Azure Subscription, and create a VNet.
    For the most current instructions for creating a virtual network in Azure, refer to the Microsoft Quick Start web site, quick-create-portal.
  2. As you configure the VNet, make sure it is in the location you want to work in and contains this information:
    1. A matching address space and address range with netmask size of 24
    2. Resource Group Name
    3. A management subnet, with a name that indicates what it is and includes a prefix and a body (for example: <prefix>-mgmt-subnet)
    4. Basic DDoS protection
    5. Service endpoints and Firewall disabled

Locate the credentials for BIG-IQ authentication

You need to gather the credentials required to configure the Azure provider in the BIG-IQ user interface.
  1. In Azure Active Directory under App registrations, create a key and note the value.
    The key is used as the Service Principal Secret on the New Cloud Provider screen in the BIG-IQ user interface.
  2. To find the Subscription ID: Open the Azure portal, navigate to Subscriptions, and make a note of the ID for your subscription.
  3. To find the Tenant ID: Open the Azure Active Directory, navigate to Properties, and make a note of the Directory ID.
  4. To find the Client ID: Open the Azure Active Directory, navigate to App registrations, and make a note of the Application ID.

Set Up Azure Marketplace images for automated deployment

When the BIG-IQ needs to deploy a BIG-IP instance to meet the needs of an application on your BIG-IP VE device, the image that Azure uses to deploy that instance must be set up for automated deployment. To set this up, you enable programmatic deployment in the Azure environment for the required image types.
  1. Access your Azure account, and navigate to All Services > Marketplace.
  2. In the Filter box, type F5 BIG-IP, and press Enter.
    The screen lists all of the BIG-IP products currently published in Azure.
  3. Set up each BIG-IP product that is required by the applications for which you plan to deploy BIG-IP VE devices:
    1. Click the name of the BIG-IP product.
      A new panel opens on the Azure user interface and displays details about the selected BIG-IP product.
    2. At the very bottom of the details panel for the selected BIG-IP product, click the link that says: Want to deploy programmatically? Get started.
    3. On the Configure Programmatic Deployment page, click Enable and then click Save.

Requirements for a public BIG-IQ cluster

If you are using Azure cloud to house your BIG-IQ cluster, you most likely have already created an Azure environment and installed the BIG-IQ VE and data collection devices. If this is the case, be sure to review the Azure requirements here to ensure proper support for your BIG-IP VE devices.
If you have configured an Azure portal network, but have not yet deployed BIG-IQ virtual edition and data collection devices in it, refer to the BIG-IQ Centralized Management and Microsoft Azure: Setup guide on support.f5.com for the step-by-step process for deploying a BIG-IQ system and data collection device cluster in Azure. As you follow that process, make sure that the parameters you specify conform to the standards detailed here.
Important considerations in setting up BIG-IQ VE devices

For these Azure VE parameters: Make these entries
  VNet Resource Group: Use the resource group you associated with the Azure VNet for the virtual machines that manage your BIG-IP VE devices.
  Virtual Machine name: Specify the name of the BIG-IQ virtual machine that manages your BIG-IP VE devices.
  Instance Size: You need at least 8 CPUs and 32 GB of RAM.
  Public Inbound Ports: Allow HTTPS (443) and SSH (22) as selected inbound ports.
  User Name & Password:
    • Specify password as the authentication type.
    • Specify a user name other than admin.
    • Specify a password that complies with your internal password policies.
  OS Disk Type: Specify Premium Select SSD.
  Virtual Network: Use the VNet you created for the virtual machines that manage your BIG-IP VE devices.
  Management Subnet: Use the management subnet that you created when you created the VNet for the virtual machines that manage your SSGs.

Requirements for a private BIG-IQ cluster

When you manage BIG-IP VE devices in Azure and use a BIG-IQ and data collection devices that are housed in a private cloud or on-premises, you need a VPN to facilitate communication. Without a VPN, the devices cannot send the analytic information you need to manage your applications. Also, if you use the bring your own license (BYOL) option, new devices need the VPN when they are created so that they can contact the BIG-IQ acting as a license server.

Configuration requirements for an Azure VPN

The VPN you use to facilitate communication between your BIG-IP VE devices and the BIG-IQ that manages them and acts as the license server must meet the requirements defined in this table.
Requirement: Both ends of the VPN require a gateway. That is, you need a gateway between your BIG-IQ/data collection device cluster and the VPN, and you need a virtual private gateway between the VPN and the Azure environment.
For more information: Refer to the vendor documentation for the gateway that you use locally. For details on the Azure end, refer to Create a Site-to-Site connection in the Azure portal on docs.microsoft.com.

Requirement: You must use a VPN supported by Azure.
For more information: For details on the VPN types that Azure supports, refer to About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections on docs.microsoft.com.

Requirement: Subnets on your local network must be different from the subnet used by the VNet you create in the Azure environment. There can be no overlap.
For more information: For example, if the BIG-IQ and data collection devices in your local cloud use a subnet such as 172.16.0.0/16, you could use a subnet such as 10.1.0.0/16 on your Azure VNet.

Requirement: There must be a route from your BIG-IQ/data collection device cluster to the Azure environment through your gateway.
For more information: Create this route by logging in to the BIG-IQ and DCD in your local cloud and running a set of tmsh commands. For example, if your setup used the subnets listed in the previous example (Azure network is 10.1.0.0/16 and your gateway address is 172.16.0.9), you could run the following sequence of commands:

    tmsh create /net route 10.1.0.0/16 gw 172.16.0.9
    tmsh list net route
    tmsh save /sys config
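
The non-overlap and route requirements in this table can be checked before any tmsh command is run. The following is an added example, not part of the F5 manual: the function names check_vpn_plan and tmsh_route_commands are hypothetical, and the sample plan is constructed from the addresses used in the table. It flags overlapping subnets, a gateway that is not on a local subnet, and a route destination with host bits set (such as 10.1.10.0/16).

```python
import ipaddress

def check_vpn_plan(local_subnets, azure_vnet, gateway, route_dest):
    """Return a list of problems; an empty list means the plan passes."""
    problems = []
    vnet = ipaddress.ip_network(azure_vnet)
    local_nets = [ipaddress.ip_network(s) for s in local_subnets]
    gw = ipaddress.ip_address(gateway)

    # Requirement: local subnets and the Azure VNet must not overlap.
    for net in local_nets:
        if net.overlaps(vnet):
            problems.append(f"local subnet {net} overlaps Azure VNet {vnet}")

    # The next hop has to sit on a local subnet to be usable as a gateway.
    if not any(gw in net for net in local_nets):
        problems.append(f"gateway {gw} is not on any local subnet")

    # The route destination must be an aligned network that covers the VNet.
    try:
        dest = ipaddress.ip_network(route_dest)  # strict: rejects host bits
    except ValueError:
        dest = ipaddress.ip_network(route_dest, strict=False)
        problems.append(f"route {route_dest} has host bits set; use {dest}")
    if not vnet.subnet_of(dest):
        problems.append(f"route {dest} does not cover Azure VNet {vnet}")
    return problems

def tmsh_route_commands(azure_vnet, gateway):
    """Build the tmsh sequence from the page for a validated plan."""
    vnet = ipaddress.ip_network(azure_vnet)
    return [
        f"tmsh create /net route {vnet} gw {gateway}",
        "tmsh list net route",
        "tmsh save /sys config",
    ]

if __name__ == "__main__":
    # Constructed plan using the sample addresses from the table above.
    plan = (["172.16.0.0/16"], "10.1.0.0/16", "172.16.0.9")
    for dest in ("10.1.0.0/16", "10.1.10.0/16"):
        issues = check_vpn_plan(*plan, dest)
        print(dest, "->", issues or "OK")
    print("\n".join(tmsh_route_commands(plan[1], plan[2])))
```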