BIG-IQ Centralized Management
Deploying BIG-IQ Virtual Edition in Amazon Web Services
Deploying a BIG-IQ VE virtual machine in AWS
How do I deploy a BIG-IQ VE in Amazon Web Services?
If you plan to manage BIG-IP devices with the BIG-IQ system
If you plan to manage applications in a service scaling group housed in the AWS cloud
Create an Amazon Identity and Access Management (IAM) user account
- From https://console.aws.amazon.com/iam, create a group with aws-full-access (Administrator Access).
- Create an AWS-Admin user and add that user to the aws-full-access group.
- Create a BIG-IQ Connector user and add that user to the aws-full-access group. For this user, you must download or copy an access key that you use to connect BIG-IQ Cloud to your AWS account.
- From the AWS dashboard, set up an account alias. Note the IAM user login link. For example, https://my-account-alias.signin.aws.amazon.com/console
- Log out of the AWS dashboard as the root user.
- Navigate back to the user login link and sign in as the AWS-Admin user.
Create a key pair
- For the most current instructions for creating a key pair, refer to the Amazon Virtual Private Cloud (VPC) Documentation web site, http://aws.amazon.com/documentation/vpc/. It is crucial to your success that you be consistent in the region that you choose throughout the configuration process. Objects configured in one region are not visible within other regions, so they cannot function together. There are a number of factors that determine which region will best suit your requirements. Refer to Amazon user documentation for additional details.
Create a Virtual Private Cloud
- Navigate to https://console.aws.amazon.com/vpc and select the AWS Region in which you want to manage resources. For example, Oregon.
- From the VPC Wizard's VPC with Public and Private Subnets option, set the IP CIDR Block to 10.0.0.0/16.
- Set the public subnet to 10.0.0.0/24. This is the management network.
- Select an availability zone. For example, us-west-2c. It is crucial that you use this availability zone throughout the configuration process. Objects configured in one zone are not visible within other zones, so they cannot function together. This availability zone is required when you create a BIG-IQ Cloud connection.
- Set the private subnet to 10.0.1.0/24. This is the external data network.
- Create subnet 10.0.2.0/24. This is the internal network.
- Create a security group named allow-all-traffic, and associate it with the VPC you created. You must use this exact name.
- Set the Inbound Rules ALL Traffic Source to 0.0.0.0/0.
- Set the Outbound Rules ALL Traffic Destination to 0.0.0.0/0.
- Create a Route Table for the external data network to reach the Internet.
- Add a route to Destination 0.0.0.0/0 through Target igw-<xxxx>. <xxxx> is the Internet Gateway that the VPC Wizard created automatically.
- Allocate two Elastic IP Addresses.
Add an additional subnet
- For the most current instructions for creating an internal subnet, refer to the Amazon Virtual Private Cloud (VPC) Documentation web site, http://aws.amazon.com/documentation/vpc/.
- a Management subnet on 10.0.0.0/24
- an External subnet on 10.0.1.0/24
- an Internal subnet on 10.0.2.0/24
Create new security groups
Group Description              Rule
Allow only SSH HTTPS or PING   Inbound Custom ICMP
                               Outbound Custom ICMP
                               Outbound Custom ICMP
Allow all traffic              Inbound All Traffic
                               Outbound All Traffic
Allow TCP traffic              Inbound Port 9200
                               Inbound Port 9300
                               Outbound Port 9200
                               Outbound Port 9300
- Create the three security groups defined in the table.
For the most current instructions for creating security groups, refer to the Amazon Virtual Private Cloud (VPC) Documentation web site, http://aws.amazon.com/documentation/vpc/. The allow-all-traffic security group is critically important for successful operation of the BIG-IP VE on Amazon EC2.
- Name the first one allow-only-ssh-https-ping
- Name the second one allow-all-traffic
- Name the third one allow-es-traffic
- For each security group, create the rules described in the preceding table. For each rule, define the Group Description, Rule Name, Source, and Rule Type as shown in the table. No punctuation is permitted in the text of the Group Description that you type in.
Add a route for external subnet accessibility
- From the Services tab at the top of the Amazon Web Services Management Console screen, select VPC.
- In the navigation pane, select Route Tables. The Route Tables screen opens.
- Select the routing table with one subnet.
- Click the Associations tab at the bottom of the window.
- From the Select a subnet list, select the 10.0.1.0/24 subnet.
- Click Associate. The Associate Route Table popup screen opens.
- Click Yes, Associate.
Launch a virtual server with an Amazon Machine Image (AMI)
- Log in to your account on Amazon Web Services (AWS) marketplace.
- In the Search AWS Marketplace bar, type F5 BIG-IQ and then click GO. The F5 BIG-IQ Virtual Edition for AWS option is displayed.
- Click F5 BIG-IQ Virtual Edition for AWS and then click CONTINUE. You might want to take a moment here to browse the pricing details to confirm that the region in which you created your security key pair provides the resources you require. If you determine that the resources you need are provided in a region other than the one in which you created your key pair, create a new key pair in the correct region before proceeding. The Launch on EC2 page is displayed.
- Click the Launch with EC2 Console tab. At the time this was written, the virtual machine must be launched in a VPC so that NICs can be attached. This configuration is supported from the Launch with EC2 Console option, but not the 1-Click Launch option. Launching Options for your EC2 AMI are displayed.
- Select the software version appropriate for your installation, and then click the Launch with EC2 button that corresponds to the Region that provides the resources you plan to use. The first time you perform this task, you need to accept the terms of the end user license agreement before you can proceed, so the Launch with EC2 button reads Accept Terms and Launch with EC2. There are a number of factors that determine which region will best suit your requirements. Refer to Amazon user documentation for additional detail. Bear in mind that the region you choose must match the region in which you created your security key pair. The Request Instances Wizard opens.
- Select an Instance Type appropriate for your use.
- From the Launch Instances list, select EC2-VPC.
- From the Subnet list, select the 10.0.0.0/24 subnet and click CONTINUE. The Advanced Instance Options view of the wizard opens.
- From the Number of Network Interfaces list, select 2.
- Click the horizontal eth1 tab to set values for the second network interface adapter, and then from the Subnet list, select the 10.0.1.0/24 subnet and click CONTINUE. The Storage Device Configuration view of the wizard opens.
- In the Value field, type in an intuitive name that identifies this AMI and click CONTINUE (for example, BIG-IQ VE <version>). The Create Key Pair view of the wizard opens.
- From Your existing Key Pairs, select the key pair you created for this AMI and click CONTINUE. The Configure Firewall view of the wizard opens.
- Under Choose one or more of your existing Security Groups, select the allow-all-traffic security group, and then click CONTINUE. The Review view of the wizard opens.
- Confirm that all settings are correct, and then click Launch. The Launch Instance Wizard displays a message to let you know your instance is launching.
Add a third network interface
- From the Services tab at the top of the Amazon Web Services (AWS) Management Console screen, select EC2.
- In the navigation pane, select Network Interfaces. The Network Interfaces screen opens.
- Click the Create Network Interface button (at top left). The Create Network Interface popup screen opens.
- In the Description field, type Internal 10.0.2.0-24 (or a similarly mnemonic name).
- In the Subnet field, select 10.0.2.0/24.
- From the Security Groups list, select allow-all-traffic.
- Click Yes, Create. AWS adds your network interface to the list.
- Right-click the new network interface, and then select Attach. The Attach Network Interface popup screen opens.
- From the Instance list, select the VE AMI that you created.
Make the virtual machine management port accessible
- From the Services tab at the top of the Amazon Web Services Management Console screen, select EC2.
- In the navigation pane, select Elastic IPs. The Addresses screen opens.
- Click Allocate New Address. The Allocate New Address popup screen opens.
- From the EIP used in list, select VPC.
- Click Yes, Allocate.
- In the Address column, right-click the newly created Elastic IP and select Associate from the popup menu. The Associate Address popup screen opens.
- From the Instance list, select the VE AMI that you created as an EC2 hypervisor.
- From the Private IP Address list, select 10.0.0.0/24 (the Management subnet).
- Click Yes, Associate.
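The VPC routing steps, the security group table, and the interface and Elastic IP steps above together determine which of the BIG-IQ VE's interfaces can be reached from the Internet. The following audit is an added example, not part of this guide or of any F5 or AWS tool: it models the guide's route tables and the allow-all-traffic group (the allow-es-traffic sources are an assumption, since the table gives no Source column) in the IpPermissions shape that the EC2 DescribeSecurityGroups API returns, and reports every interface that is both Internet-routed and open to 0.0.0.0/0.

```python
"""Audit Internet exposure of the layout this guide builds. Sample data below is
constructed from the guide's values; rule dicts follow EC2 IpPermissions."""

# Route tables as the guide leaves them (Internet gateway id kept as the guide's placeholder).
ROUTE_TABLES = {
    "rtb-public": {"subnets": ["management"], "routes": [("0.0.0.0/0", "igw-<xxxx>")]},
    "rtb-external": {"subnets": ["external"], "routes": [("0.0.0.0/0", "igw-<xxxx>")]},
    "rtb-main": {"subnets": ["internal"], "routes": [("10.0.0.0/16", "local")]},
}

# allow-all-traffic is exactly as the guide specifies; the allow-es-traffic sources are an
# assumption (the guide's table gives the ports but no Source column).
SECURITY_GROUPS = {
    "allow-all-traffic": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "allow-es-traffic": [
        {"IpProtocol": "tcp", "FromPort": p, "ToPort": p, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}
        for p in (9200, 9300)
    ],
}

# eth0, eth1 and the added third interface, each attached with the allow-all-traffic group.
BIGIQ_NICS = [("management", "allow-all-traffic"), ("external", "allow-all-traffic"),
              ("internal", "allow-all-traffic")]

def internet_routed_subnets(route_tables=ROUTE_TABLES):
    """Subnets whose route table sends 0.0.0.0/0 to an Internet gateway are public."""
    public = set()
    for table in route_tables.values():
        if any(dst == "0.0.0.0/0" and tgt.startswith("igw-") for dst, tgt in table["routes"]):
            public.update(table["subnets"])
    return public

def world_open_rules(permissions):
    """(protocol, from_port, to_port) for every rule whose source is 0.0.0.0/0."""
    return [(p["IpProtocol"], p.get("FromPort", "any"), p.get("ToPort", "any"))
            for p in permissions
            if any(r["CidrIp"] == "0.0.0.0/0" for r in p.get("IpRanges", []))]

def audit_instance(nics=BIGIQ_NICS, route_tables=ROUTE_TABLES, groups=SECURITY_GROUPS):
    """One finding per NIC that is both Internet-routed and world-open. Protocol "-1"
    means all traffic; the remedy is to narrow Source to the administrators' CIDR."""
    public = internet_routed_subnets(route_tables)
    findings = []
    for subnet, sg in nics:
        for proto, lo, hi in (world_open_rules(groups[sg]) if subnet in public else []):
            findings.append(f"{subnet} via {sg}: {proto} {lo}-{hi} open to 0.0.0.0/0")
    return findings
```

With the guide's values the audit reports the management and external interfaces as fully open to the Internet, while the internal interface, whose subnet has no Internet gateway route, is not.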
Log in and set the admin and root passwords
Before you begin, you must have:
- Created a key pair.
- Created and configured a VPC.
- Instantiated and launched a BIG-IQ Virtual Edition (VE) AMI.
- Made the virtual machine management port accessible through the Internet.
- Use the name of the key pair and the elastic IP address of your BIG-IQ to log in to the new BIG-IQ that you just launched using a command line interface. For example: $ ssh -i <username>-aws-keypair.pem admin@<elastic IP address of BIG-IQ> You can also use a terminal emulator such as PuTTY to test your connectivity. At publication, PuTTY does not support the .pem extension, so remember that you will also need to convert the key pair .pem file to a .ppk file before you can use it with PuTTY.
- At the tmsh command prompt, type modify auth password admin. Because this login is visible externally, make sure to use a strong, secure password. The terminal window displays the message: changing password for admin, and then prompts: new password.
- Type in your new password and then press Enter. The terminal window displays the message: confirm password.
- If you plan on setting this BIG-IQ up in a high availability configuration, perform this step to enable root access on this BIG-IQ VE. Otherwise, proceed to the next step to save your password changes.
- At the tmsh command prompt, type tmsh modify /sys db systemauth.disablerootlogin value false. If the terminal window does not display an error message, then root access is now enabled.
- At the tmsh command prompt, type modify auth password root. Because this login is visible externally, make sure to use a strong, secure password. The terminal window displays the message: changing password for root, and then prompts: new password.
- Type your new password and press Enter. The terminal window displays the message: confirm password.
- Re-type the new password and then press Enter.
- To ensure that the system retains the password change, at the tmsh command prompt type save sys config, and then press Enter.