Manual Chapter : Deploying BIG-IQ Virtual Edition in Amazon Web Services

Applies To:

BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0, 8.0.0

Deploying a BIG-IQ VE virtual machine in AWS

To deploy BIG-IQ Centralized Management, you perform a series of tasks in Amazon Web Services (AWS) Elastic Compute Cloud (EC2), the public cloud service that runs and manages virtual machines.
When you complete these tasks, your cloud environment will be similar to the basic cloud topology depicted here.
Figure: Basic Cloud Topology

How do I deploy a BIG-IQ VE in Amazon Web Services?

The tasks you perform to deploy the BIG-IQ Virtual Edition (VE) system on Amazon Web Services depend on what you plan to do with Amazon Web Services:

If you plan to manage BIG-IP devices with the BIG-IQ system:
  • Verify that the host machine requirements are satisfied.
  • Deploy a BIG-IQ system as a virtual machine.
  • Deploy the BIG-IP systems you intend to manage.
  • After you have deployed the virtual machines, log in to the BIG-IQ VE system and run the Setup utility. Using the Setup utility, you perform basic network configuration tasks, such as assigning VLANs to interfaces.
  • Configure secure communication between the BIG-IQ system and the BIG-IP device.

If you plan to manage applications in a service scaling group housed in the AWS cloud:
  • Verify that the host machine requirements are satisfied.
  • Deploy a BIG-IQ system in the AWS cloud as a virtual machine.
    You can also manage devices in a service scaling group (SSG) from a BIG-IQ deployed outside of AWS. If you choose this option, use the hypervisor setup guide appropriate for your private cloud environment.
  • After you have deployed the virtual machines, log in to the BIG-IQ VE system and run the Setup utility. Using the Setup utility, you perform basic network configuration tasks, such as assigning VLANs to interfaces.
  • Configure an SSG to manage your applications. For detailed instructions, refer to F5 BIG-IQ Centralized Management: Managing Applications in an Auto-Scaled AWS Cloud on support.f5.com.

When you deploy a VE for managing applications in an SSG, some parameter settings you specify are different. These settings are noted where appropriate.

Create an Amazon Identity and Access Management (IAM) user account

An Amazon Identity and Access Management (IAM) user account provides access to specific Amazon Web Services (AWS) resources. Creating an IAM account provides you with more granular control of the AWS resources your users access.
This task is optional; you can create a virtual machine without creating an IAM user account to control access, but it is best practice to use an IAM account. F5 recommends that you do not use the AWS root account and access keys. Instead, use IAM to create identities you can more easily manage and revoke in the case of a security breach.
When you manually deploy a virtual machine on AWS EC2, you must create an administrator password in addition to the IAM access keys. If you use the automated process to deploy a virtual server, only the access keys are required.
For this task, you must create a group and two IAM user accounts. For the most current instructions for performing these steps, refer to the IAM documentation web site, http://aws.amazon.com/documentation/iam/.
  1. From https://console.aws.amazon.com/iam, create a group with aws-full-access (Administrator Access).
  2. Create an AWS-Admin user and add that user to the aws-full-access group.
  3. Create a BIG-IQ Connector user and add that user to the aws-full-access group.
    For this user, you must download or copy an access key that you use to connect BIG-IQ Cloud to your AWS account.
  4. From the AWS dashboard, set up an account alias.
    Note the IAM user login link. For example, https://my-account-alias.signin.aws.amazon.com/console
  5. Log out of the AWS dashboard as the root user.
  6. Navigate back to the user login link and sign in as the AWS-Admin user.
You can now create a new Virtual Private Cloud (VPC).

Create a key pair

Before you can deploy a virtual machine on Amazon Web Services (AWS) Elastic Compute Cloud, you need an AWS account.
To create a virtual private cloud (VPC) on which you can deploy the BIG-IQ system, you need a (public/private) key pair to authenticate your sessions. Key pairs are reusable, so if you already have a key pair, you do not need to repeat this task.
  1. For the most current instructions for creating a key pair, refer to the Amazon Virtual Private Cloud (VPC) Documentation web site, http://aws.amazon.com/documentation/vpc/.
    It is crucial to your success that you be consistent in the region that you choose throughout the configuration process. Objects configured in one region are not visible within other regions, so they cannot function together. There are a number of factors that determine which region will best suit your requirements. Refer to Amazon user documentation for additional details.
The file that downloads from Amazon Web Services uses the extension .pem. If you plan to use this key pair with the PuTTY terminal emulator application, you will need to convert the key pair from a .pem to a .ppk file. At the time of this release, PuTTY does not support the extension .pem. PuTTY does have a tool (called PuTTYgen) that converts your key pair to the required PuTTY format.

Create a Virtual Private Cloud

You need an Amazon Virtual Private Cloud (VPC) to deploy the BIG-IQ Cloud system, because AWS supports multiple network interface cards (NICs) only for instances that reside within a VPC.
You create a virtual network topology according to your networking needs. The standard network topology used for BIG-IQ Cloud integration includes three subnets. These subnets provide virtual private address spaces used to interconnect your machines and applications. You can use Elastic IP addresses on self IPs for public Internet accessibility.
For the most current instructions for creating a VPC, refer to the VPC Documentation web site, http://aws.amazon.com/documentation/vpc/.
  1. Navigate to https://console.aws.amazon.com/vpc and select the AWS Region in which you want to manage resources. For example, Oregon.
  2. From the VPC Wizard's VPC with Public and Private Subnets option, set the IP CIDR Block to 10.0.0.0/16.
  3. Set the public subnet to 10.0.0.0/24.
    This is the management network.
  4. Select an availability zone. For example, us-west-2c.
    It is crucial that you use this availability zone throughout the configuration process. Objects configured in one zone are not visible within other zones, so they cannot function together. This availability zone is required when you create a BIG-IQ Cloud connection.
  5. Set the private subnet to 10.0.1.0/24.
    This is the external data network.
  6. Create subnet 10.0.2.0/24.
    This is the internal network.
  7. Create a security group named allow-all-traffic, and associate it with the VPC you created.
    You must use this exact name.
  8. Set the Inbound Rules ALL Traffic Source to 0.0.0.0/0.
  9. Set the Outbound Rules ALL Traffic Destination to 0.0.0.0/0.
  10. Create a Route Table for the external data network to reach the Internet.
  11. Add a route to Destination 0.0.0.0/0 through Target igw-<xxxx>.
    <xxxx> is the Internet Gateway that the VPC Wizard created automatically.
  12. Allocate two Elastic IP Addresses.
You can now create an EC2 cloud connector.
If you want BIG-IQ Cloud to automatically provision and license BIG-IP VE devices (elasticity), you must activate a pool license before you create an EC2 cloud connector.

Add an additional subnet

When you create a VPC, Amazon Web Services creates two subnets for it. The first subnet is the management subnet (10.0.0.0/24) and the second subnet is external (10.0.1.0/24). Many network topologies require three or more subnets (Management, External, and Internal). You can use this task to create an internal subnet (10.0.2.0/24).
  1. For the most current instructions for creating an internal subnet, refer to the Amazon Virtual Private Cloud (VPC) Documentation web site, http://aws.amazon.com/documentation/vpc/.
If you are following a typical deployment strategy, when you finish adding the Internal subnet, your VPC will have three subnets:
  • a Management subnet on 10.0.0.0/24
  • an External subnet on 10.0.1.0/24
  • an Internal subnet on 10.0.2.0/24

Create new security groups

To use your virtual private cloud (VPC) to deploy your virtual machine, the VPC needs two security groups, each with its own set of rules that govern the security behavior for the traffic that routes through it. The table details the rules required for each group to function properly.

Group Name                | Group Description            | Rule Name            | Source*   | Rule Type
allow-only-ssh-https-ping | Allow only SSH HTTPS or PING | Inbound SSH          | 0.0.0.0/0 |
                          |                              | Inbound HTTPS        | 0.0.0.0/0 |
                          |                              | Inbound Custom ICMP  | 0.0.0.0/0 | Echo Request
                          |                              | Outbound Custom ICMP | 0.0.0.0/0 | Echo Request
                          |                              | Outbound Custom ICMP | 0.0.0.0/0 | Echo Reply
allow-all-traffic         | Allow all traffic            | Inbound All Traffic  | 0.0.0.0/0 |
                          |                              | Outbound All Traffic | 0.0.0.0/0 |
allow-es-traffic          | Allow TCP traffic            | Inbound Port 9200    | 0.0.0.0/0 |
                          |                              | Inbound Port 9300    | 0.0.0.0/0 |
                          |                              | Outbound Port 9200   | 0.0.0.0/0 |
                          |                              | Outbound Port 9300   | 0.0.0.0/0 |

To meet your business security requirements, you may need to revise the Source settings to make them more restrictive. If you do need to revise the Source settings for your security group rules, make sure that these settings allow all of the HA peers and DCDs in your cluster to communicate.
  1. Create the three security groups defined in the table.
    1. Name the first one allow-only-ssh-https-ping.
    2. Name the second one allow-all-traffic.
    3. Name the third one allow-es-traffic.
    For the most current instructions for creating security groups, refer to the Amazon Virtual Private Cloud (VPC) Documentation web site, http://aws.amazon.com/documentation/vpc/.
    The allow-all-traffic security group is critically important for successful operation of the BIG-IP VE on Amazon EC2.
  2. For each security group, create the rules described in the preceding table. For each rule, define the Group Description, Rule Name, Source, and Rule Type as shown in the table.
    No punctuation is permitted in the text of the Group Description that you type in.
When you finish adding the two groups and their associated rules, your VPC should be ready to go with three subnets and two security groups.
It is a good idea to test connectivity before proceeding. You should be able to communicate with your VPC NAT server at this point.
F5 recommends enhancing your security by using the security group source fields to restrict the subnets to allow only management access; however, we recognize that this does not complete your security solution. For enhanced security, you might want to deploy a topology with limited management network access.
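The following script is an added example (not F5's or AWS's code) that turns the VPC plan from the "Create a Virtual Private Cloud" task and the security group table above into something you can check offline before clicking through the console. It verifies that the three /24 subnets sit inside 10.0.0.0/16 without overlapping, lists which tabled rules admit the entire Internet, applies the recommendation above (restrict Source to a management range, keep the Elasticsearch ports open only to the subnets holding your HA peers and DCDs), and then confirms that no cluster member is cut off by the tightened rules. The admin range 203.0.113.0/24, the peer addresses, and the choice of which subnets hold cluster members are constructed sample values; the allow-all-traffic group is left as the chapter requires it.

```python
"""Offline sanity check for the three-subnet VPC and the security groups in this chapter.

Added example, not F5's or AWS's code. Peer addresses and the admin CIDR are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# VPC plan from the chapter: 10.0.0.0/16 carved into management, external and internal /24s.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "management": "10.0.0.0/24",
    "external": "10.0.1.0/24",
    "internal": "10.0.2.0/24",
}
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    group: str           # security group name
    direction: str       # "inbound" or "outbound"
    name: str            # rule name as in the table, e.g. "SSH", "Port 9200"
    source: str          # Source (or Destination) CIDR
    rule_type: str = ""  # ICMP subtype where the table gives one


# The rule set exactly as the chapter's table lists it: every Source is 0.0.0.0/0.
TABLE_RULES = [
    Rule("allow-only-ssh-https-ping", "inbound", "SSH", "0.0.0.0/0"),
    Rule("allow-only-ssh-https-ping", "inbound", "HTTPS", "0.0.0.0/0"),
    Rule("allow-only-ssh-https-ping", "inbound", "Custom ICMP", "0.0.0.0/0", "Echo Request"),
    Rule("allow-only-ssh-https-ping", "outbound", "Custom ICMP", "0.0.0.0/0", "Echo Request"),
    Rule("allow-only-ssh-https-ping", "outbound", "Custom ICMP", "0.0.0.0/0", "Echo Reply"),
    Rule("allow-all-traffic", "inbound", "All Traffic", "0.0.0.0/0"),
    Rule("allow-all-traffic", "outbound", "All Traffic", "0.0.0.0/0"),
    Rule("allow-es-traffic", "inbound", "Port 9200", "0.0.0.0/0"),
    Rule("allow-es-traffic", "inbound", "Port 9300", "0.0.0.0/0"),
    Rule("allow-es-traffic", "outbound", "Port 9200", "0.0.0.0/0"),
    Rule("allow-es-traffic", "outbound", "Port 9300", "0.0.0.0/0"),
]


def check_subnets(vpc=VPC_CIDR, subnets=SUBNETS):
    """Return problems: subnets outside the VPC block, or subnets that overlap each other."""
    vpc_net = ip_network(vpc)
    nets = {name: ip_network(cidr) for name, cidr in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vpc_net):
            problems.append(f"{name} {net} is not inside {vpc_net}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems


def wide_open_rules(rules):
    """Return the rules whose Source/Destination admits the entire Internet."""
    return [r for r in rules if ip_network(r.source) == ANY]


def tighten(rules, admin_cidr, cluster_cidrs):
    """Apply the chapter's recommendation: SSH/HTTPS/ICMP only from the admin range,
    Elasticsearch ports only from the subnets holding HA peers and DCDs.
    allow-all-traffic is left untouched, as the chapter requires. One rule per CIDR."""
    tightened = []
    for r in rules:
        if r.group == "allow-es-traffic":
            cidrs = list(cluster_cidrs)
        elif r.group == "allow-only-ssh-https-ping":
            cidrs = [admin_cidr]
        else:
            cidrs = [r.source]
        for c in cidrs:
            tightened.append(Rule(r.group, r.direction, r.name, str(c), r.rule_type))
    return tightened


def unreachable_peers(rules, peers):
    """Return (peer, port) pairs for cluster members that no inbound 9200/9300 rule admits."""
    missing = []
    for peer in peers:
        addr = ip_address(peer)
        for port in ("Port 9200", "Port 9300"):
            admitted = any(
                r.group == "allow-es-traffic" and r.direction == "inbound"
                and r.name == port and addr in ip_network(r.source)
                for r in rules
            )
            if not admitted:
                missing.append((peer, port))
    return missing


if __name__ == "__main__":
    print("subnet problems:", check_subnets() or "none")
    print("rules open to 0.0.0.0/0 as tabled:", len(wide_open_rules(TABLE_RULES)))
    # Constructed sample values: an admin range and the subnets that hold the cluster members.
    hardened = tighten(TABLE_RULES, "203.0.113.0/24", [SUBNETS["management"], SUBNETS["internal"]])
    print("still open after tightening:", [r.group for r in wide_open_rules(hardened)])
    print("peers cut off:", unreachable_peers(hardened, ["10.0.2.10", "10.0.0.20", "10.0.1.5"]))
```

Run it before creating the groups: a non-empty result from unreachable_peers means the tightened Source would break communication with an HA peer or DCD, which is exactly the failure the paragraph above warns about; a peer on the external subnet (10.0.1.5 in the sample) shows up as cut off because only the management and internal subnets were allowed for the Elasticsearch ports.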

Add a route for external subnet accessibility

Most network topologies require an Amazon Web Services route to the virtual private cloud (VPC) that makes the external subnet used by the virtual machine accessible to the Internet.
  1. From the Services tab at the top of the Amazon Web Services Management Console screen, select VPC.
  2. In the navigation pane, select Route Tables.
    The Route Tables screen opens.
  3. Select the routing table with one subnet.
  4. Click the Associations tab at the bottom of the window.
  5. From the Select a subnet list, select the 10.0.1.0/24 subnet.
  6. Click Associate.
    The Associate Route Table popup screen opens.
  7. Click Yes, Associate.

Launch a virtual server with an Amazon Machine Image (AMI)

Before you can complete this task, you need to know the name of your key pair and the Availability Zone from which it was created.
You launch an EC2 Amazon Machine Image (AMI) so that you can deploy the virtual machine.
At publication, this task illustrates the Amazon web interface. However, F5 recommends that you refer to Amazon user documentation for the latest documentation.
  1. Log in to your account on Amazon Web Services (AWS) marketplace.
  2. In the Search AWS Marketplace bar, type F5 BIG-IQ and then click GO.
    The F5 BIG-IQ Virtual Edition for AWS option is displayed.
  3. Click F5 BIG-IQ Virtual Edition for AWS and then click CONTINUE.
    You might want to take a moment here to browse the pricing details to confirm that the region in which you created your security key pair provides the resources you require. If you determine that the resources you need are provided in a region other than the one in which you created your key pair, create a new key pair in the correct region before proceeding.
    The Launch on EC2 page is displayed.
  4. Click the Launch with EC2 Console tab.
    At the time this was written, the virtual machine must be launched in a VPC so that NICs can be attached. This configuration is supported from the Launch with EC2 Console option, but not the 1-Click Launch option.
    Launching Options for your EC2 AMI are displayed.
  5. Select the software version appropriate for your installation, and then click the Launch with EC2 button that corresponds to the Region that provides the resources you plan to use.
    The first time you perform this task, you need to accept the terms of the end user license agreement before you can proceed, so the Launch with EC2 button reads Accept Terms and Launch with EC2.
    There are a number of factors that determine which region will best suit your requirements. Refer to Amazon user documentation for additional detail. Bear in mind that the region you choose must match the region in which you created your security key pair.
    The Request Instances Wizard opens.
  6. Select an Instance Type appropriate for your use.
  7. From the Launch Instances list, select EC2-VPC.
  8. From the Subnet list, select the 10.0.0.0/24 subnet and click CONTINUE.
    The Advanced Instance Options view of the wizard opens.
  9. From the Number of Network Interfaces list, select 2.
  10. Click the horizontal eth1 tab to set values for the second network interface adapter, and then from the Subnet list, select the 10.0.1.0/24 subnet and click CONTINUE.
    The Storage Device Configuration view of the wizard opens.
  11. In the Value field, type in an intuitive name that identifies this AMI (for example, BIG-IQ VE <version>) and click CONTINUE.
    The Create Key Pair view of the wizard opens.
  12. From Your existing Key Pairs, select the key pair you created for this AMI and click CONTINUE.
    The Configure Firewall view of the wizard opens.
  13. Under Choose one or more of your existing Security Groups, select the allow-all-traffic security group, and then click CONTINUE.
    The Review view of the wizard opens.
  14. Confirm that all settings are correct, and then click Launch.
    The Launch Instance Wizard displays a message to let you know your instance is launching.
  15. Click Close.
Your new instance appears in the list of instances when it is fully launched.

Add a third network interface

When you first create a virtual private cloud (VPC), there are typically only two network interfaces associated with it. F5 Networks recommends adding a third network interface to the VPC before you use it to deploy the virtual machine.
  1. From the Services tab at the top of the Amazon Web Services (AWS) Management Console screen, select EC2.
  2. In the navigation pane, select Network Interfaces.
    The Network Interfaces screen opens.
  3. Click the Create Network Interface button (at top left).
    The Create Network Interface popup screen opens.
  4. In the Description field, type Internal 10.0.2.0-24 (or a similarly mnemonic name).
  5. In the Subnet field, select 10.0.2.0/24.
  6. From the Security Groups list, select allow-all-traffic.
  7. Click Yes, Create.
    AWS adds your network interface to the list.
  8. Right-click the new network interface, and then select Attach.
    The Attach Network Interface popup screen opens.
  9. From the Instance list, select the VE AMI that you created.

Make the virtual machine management port accessible

The management port for your virtual machine might require accessibility over the Internet. However, there are alternative topologies that do not require exposing the management port to the Internet.
F5 Networks recommends, at a minimum, adding restrictions to your source addresses in the allow-only-ssh-https-ping security group.
Alternatively, you might find the Amazon Web Services EC2 VPN sufficiently effective so that you do not need to associate an Internet-accessible Elastic IP with the management port.
  1. From the Services tab at the top of the Amazon Web Services Management Console screen, select EC2.
  2. In the navigation pane, select Elastic IPs.
    The Addresses screen opens.
  3. Click Allocate New Address.
    The Allocate New Address popup screen opens.
  4. From the EIP used in list, select VPC.
  5. Click Yes, Allocate.
  6. In the Address column, right-click the newly created Elastic IP and select Associate from the popup menu.
    The Associate Address popup screen opens.
  7. From the Instance list, select the VE AMI that you created as an EC2 hypervisor.
  8. From the Private IP Address list, select 10.0.0.0/24 (the Management subnet).
  9. Click Yes, Associate.

Log in and set the admin and root passwords

To perform this task, you must have completed the following tasks:
  • Created a key pair.
  • Created and configured a VPC.
  • Instantiated and launched a BIG-IQ Virtual Edition (VE) AMI.
  • Made the virtual machine management port accessible through the Internet.
To access your BIG-IQ instance with a browser, you must create an admin user password. You can create an admin password using an SSH session and a set of
tmsh
commands.
If you decide to create admin or root passwords, choose the passwords wisely. Bear in mind that depending on your Security Group policies, this login might provide external SSH access to the BIG-IQ.
If you plan on setting this BIG-IQ up in a high availability configuration, both the active and the standby BIG-IQ systems must have root access enabled.
You do not need a password to gain admin access to this instance using SSH. Instead, you use the previously created security key pair.
  1. Use the name of the key pair and the elastic IP address of your BIG-IQ to log in to the new BIG-IQ that you just launched using a command line interface.
    For example:
    $ ssh -i <username>-aws-keypair.pem admin@<elastic IP address of BIG-IQ>
    You can also use a terminal emulator such as PuTTY to test your connectivity. At publication, PuTTY does not support the extension .pem, so remember that you will also need to convert the key pair .pem file to a .ppk file before you can use it with PuTTY.
  2. At the tmsh command prompt, type modify auth password admin.
    Because this login is visible externally, make sure to use a strong, secure password.
    The terminal window displays the message: changing password for admin, and then prompts: new password.
  3. Type in your new password and then press Enter.
    The terminal window displays the message: confirm password.
  4. If you plan on setting this BIG-IQ up in a high availability configuration, perform this step to enable root access on this BIG-IQ VE. Otherwise, proceed to the next step to save your password changes.
    1. At the tmsh command prompt, type tmsh modify /sys db systemauth.disablerootlogin value false.
      If the terminal window does not display an error message, then root access is now enabled.
    2. At the tmsh command prompt, type modify auth password root.
      Because this login is visible externally, make sure to use a strong, secure password.
      The terminal window displays the message: changing password for root, and then prompts: new password.
    3. Type your new password and press Enter.
      The terminal window displays the message: confirm password.
    4. Re-type the new password and then press Enter.
  5. To ensure that the system retains the password change, at the tmsh command prompt type save sys config, and then press Enter.
Before you can use this new BIG-IQ, you must license it. Refer to Deploying a BIG-IQ for Centralized Management in the Setting up and Configuring a BIG-IQ Centralized Management Solution guide for step by step instructions. You can find this guide on support.F5.com.