Manual Chapter : Deploying BIG-IQ Virtual Edition in Google Cloud Platform

Applies To:

BIG-IQ Centralized Management

  • 8.2.0, 8.1.0

How do I deploy a BIG-IQ VE in Google Cloud Platform?

Before you can deploy a BIG-IQ VE in the Google Cloud Platform environment, you must have the following environmental elements in place:
  • A tenant (or admin) user account with virtual machine deployment privileges.
  • Privileges to create images (that is, you must be able to upload QCOW2 files). Contact your system administrator for assistance if your account lacks the requisite permissions.
  • Sufficient free remaining computational (CPU, RAM) and disk storage quota for each BIG-IQ VE instance you plan to deploy.
  • At least one network, to be used for management access.
  • Security groups (firewall rule-sets), for control of inbound and outbound network traffic.
  • Pre-defined Flavors (virtual hardware profile definitions).
In addition, you might wish to define the following optional environmental elements:
  • Key-pairs, for SSH access (recommended).
  • Floating IP addresses, for each tenant network interface that will be externally accessible.
  • Additional networks for internal, external, and high-availability traffic as necessary.

Import image from F5

The first step in deploying BIG-IQ Virtual Edition (VE) is to download the tarball file to your local system. Then you use that tarball to create an image file that you can use to install the BIG-IQ VE.
Do not modify the configuration of the Google Cloud Platform (GCP) environment with settings less powerful than the ones recommended in this document. This includes the settings for the CPU, RAM, and network adapters. Doing so might produce unexpected results.
  1. From a browser window, open the F5 Downloads page (downloads.f5.com) and log in.
  2. On the Downloads Overview page, click Find a Download.
  3. Under Product Line, select Centralized Management.
  4. Under Name, select 8.1.0_Cloud-Images.
  5. If the End User Software License is displayed, read it and then click I Accept.
  6. Select the BIG-IQ Virtual Edition file package to download. The file name ends in GCP-byol.tar.gz.
    The Download Locations page opens.
  7. Select the download location nearest to your location.
    The installation file tarball downloads to your desktop.
  8. From a browser window, navigate to https://console.cloud.google.com and log in.
  9. If you are not already in the correct project, from the top of the page, select the project in which you plan to create your BIG-IQ VE instance.
  10. Click CREATE BUCKET, and then type a name in the Name your bucket box and click CREATE.
    GCP creates a bucket that you can use to upload the GCP BIG-IQ VE tarball.
  11. Click Upload Files and select the tarball you downloaded in step 7.
  12. Create a reusable image that you can use to create a GCP virtual machine instance.
    1. Type a Name for the image. For example, big-iq-8-1-0-2-byol.
    2. For Source, select Cloud Storage file, and then browse to the file uploaded in step 8.
    3. Optionally, you can now type entries for Family and Description.
    4. Click Create.
The system creates an image file that you can use to create a GCP virtual machine.
Next, you need to create a Google Cloud Platform service account.

Create service account

Use this task to create a new service account for the Google Cloud Platform (GCP) instance on which your BIG-IQ License Manager will run.
  1. Log in to the Google Cloud Platform (GCP) and then on the left pane, click IAM & Admin > Service Accounts.
  2. On the Service accounts page, select CREATE SERVICE ACCOUNT.
  3. On the Create service account page, type in a Service account name and an optional Service account description, and then click DONE.
GCP creates your new service account and adds the name to the accounts listed on this page.
Next, you need to create firewall rules for your GCP instance.

Create firewall rules

Use this task to set up firewall rules to control ingress and egress to your GCP instance.
  1. Create an inbound firewall rule to control access from your BIG-IP devices to your BIG-IQ license manager.
    1. Click the switcher icon at the top of the left pane, then click VPC network > VPC networks to display the list of networks defined in your GCP environment.
    2. Select the network in which you plan to deploy your BIG-IQ license manager.
      GCP displays the VPC network details page.
    3. On the VPC network details page, select FIREWALL RULES > ADD FIREWALL RULE.
    4. On the Create a firewall rule page, type a Name and an optional Description for the rule.
    5. For Network, select the name of the network you plan to use for the BIG-IQ management interface.
      Typically, the BIG-IP management interfaces use this network as well.
    6. For Direction of traffic, select Ingress.
    7. For Target tags, type in the tag name that you will tag your BIG-IQ license manager with. For example, big-iq.
    8. For Source tags, type in the tag name that you will tag your BIG-IP devices with. For example, big-ip.
    9. For Protocols and ports, select Specified protocols and ports, and then select TCP, and enter 22, 433.
  2. Create an outbound firewall rule to permit access from your BIG-IQ license manager to your BIG-IP devices.
    1. Click the switcher icon at the top of the left pane, then click VPC network > VPC networks to display the list of networks defined in your GCP environment.
    2. Select the network in which you plan to deploy your BIG-IQ license manager.
      GCP displays the VPC network details page.
    3. On the VPC network details page, select FIREWALL RULES > ADD FIREWALL RULE.
    4. On the Create a firewall rule page, type a Name and an optional Description for the rule.
    5. For Network, select the name of the network you plan to use for the BIG-IQ management interface.
    6. For Direction of traffic, select Ingress.
    7. For Target tags, type in the tag name that you will tag your BIG-IP devices with. For example, big-ip.
    8. For Source tags, type in the tag name that you will tag your BIG-IQ license manager with. For example, big-iq.
    9. For Protocols and ports, select Specified protocols and ports, and then select TCP, and enter 22, 433.
      If the BIG-IP devices you support use a single network interface card (NIC), use ports 22 and 8443 instead.
  3. Create another inbound firewall rule to permit access from the device you plan to use to configure your BIG-IQ license manager.
    1. Click the switcher icon at the top of the left pane, then click VPC network > VPC networks to display the list of networks defined in your GCP environment.
    2. Select the network in which you plan to deploy your BIG-IQ license manager.
      GCP displays the VPC network details page.
    3. On the VPC network details page, select FIREWALL RULES > ADD FIREWALL RULE.
    4. On the Create a firewall rule page, type a Name and an optional Description for the rule.
    5. For Network, select the name of the network you plan to use for the BIG-IQ management interface.
    6. For Direction of traffic, select Ingress.
    7. For Target tags, type in the tag name that you will tag your BIG-IQ license manager with. For example, big-iq.
    8. For Source filter, select IPv4 ranges.
    9. For Source IPv4 ranges, type the IP address (in CIDR format) of the device you plan to use to configure BIG-IQ License Manager.
    10. For Protocols and ports, select Specified protocols and ports, and then for tcp, type in 22,443 to provide access to your machine through both of these ports.
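A check you can run once the rules exist, added here as an example and not part of the F5 documentation: it reads firewall rules in the JSON shape returned by `gcloud compute firewall-rules list --format=json` and reports any ingress rule that opens TCP 22 or 443 on the BIG-IQ instance to sources other than the administration CIDR or the big-ip tag. The tag names follow this chapter's examples; the admin CIDR and the sample rules are constructed.

```python
import ipaddress

MGMT_PORTS = {22, 443}   # SSH and HTTPS, the ports opened by the third rule above
BIGIQ_TAG = "big-iq"     # example target tag used in this chapter
PEER_TAGS = {"big-ip"}   # example source tag used in this chapter

def exposes_mgmt(allowed):
    """True if any 'allowed' entry covers TCP 22 or 443."""
    for entry in allowed:
        if entry.get("IPProtocol") in ("tcp", "all"):
            # No port list means every port; otherwise "22" or a range like "0-65535".
            for spec in entry.get("ports") or ["0-65535"]:
                lo, _, hi = spec.partition("-")
                if any(int(lo) <= p <= int(hi or lo) for p in MGMT_PORTS):
                    return True
    return False

def audit(rules, admin_cidrs):
    """Return (rule name, finding) pairs for ingress rules that reach BIG-IQ."""
    admin_nets = [ipaddress.ip_network(c) for c in admin_cidrs]
    findings = []
    for rule in rules:
        targets = rule.get("targetTags", [])
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        if (targets and BIGIQ_TAG not in targets) or rule.get("targetServiceAccounts"):
            continue  # scoped to other tags, or by service account (not evaluated here)
        if not exposes_mgmt(rule.get("allowed", [])):
            continue
        if not targets:
            findings.append((rule["name"], "no target tags: applies to every instance"))
        for cidr in rule.get("sourceRanges", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if not any(net.version == a.version and net.subnet_of(a) for a in admin_nets):
                findings.append((rule["name"], f"source range {cidr} is outside the admin CIDRs"))
        for tag in sorted(set(rule.get("sourceTags", [])) - PEER_TAGS):
            findings.append((rule["name"], f"unexpected source tag {tag}"))
    return findings

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
SAMPLE = [
    {"name": "bigiq-admin", "direction": "INGRESS", "targetTags": ["big-iq"],
     "sourceRanges": ["203.0.113.10/32"], "allowed": [{"IPProtocol": "tcp", "ports": ["22", "443"]}]},
    {"name": "allow-ssh-any", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]

if __name__ == "__main__":
    for name, why in audit(SAMPLE, ["203.0.113.10/32"]):
        print(f"{name}: {why}")
```

To audit a live project, replace SAMPLE with the parsed output of the gcloud command and pass the CIDR you entered for Source IPv4 ranges.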
Next, you need to launch a new instance.

Launch new instance

Before you can create a new instance, you must have imported the GCP image from downloads.f5.com.
Use this task to create a new GCP instance on Google Cloud Platform.
  1. Click the switcher icon at the top of the left pane, then click Compute Engine > Images to display the list of images defined in your GCP environment.
  2. Select the image that you imported earlier, then select CREATE INSTANCE.
    You may find it easier to locate the image if you use the Filter near the top of the page to type in the first few characters of the image name.
  3. On the Create an instance page, type a Name for the new instance.
  4. For the Region, select the region in which your VPC network is located.
  5. Under Machine configuration, for the Series, select E2 and for the Machine type, select e2-standard-8.
  6. Under Identity and API access, for the Service account, select the account you created back at the beginning of this task.
  7. Under Networking, for Network tags, type the tag that you specified earlier in this task for the BIG-IQ License Manager when you created the ingress rule.
  8. Under Edit network interface, select the VPC network you are using for the BIG-IQ License Manager.
  9. For Primary internal IP, select Ephemeral (Automatic), and then select RESERVE STATIC INTERNAL IP ADDRESS.
  10. On the Reserve a static internal IP address pop-up window, type a Name and optional description for this IP address, then, under Static IP address, select Assign automatically and click RESERVE.
    GCP creates a new reserved internal IP address for the new instance's management address.
  11. Click Create.
You can now log in to the BIG-IQ VE user interface, and license and provision the VE.

Change instance passwords

Before you can change the instance passwords, you must have created a GCP instance.
Use this task to change the root and default passwords for your GCP instance.
  1. Use SSH to log into the BIG-IQ management address as root.
    The system forces you to immediately change the default password.
  2. Follow the prompts to change the password for the virtual machine.
    ssh root@n.n.n.n
    Password:
    You are required to change your password immediately (root enforced)
    Changing password for root.
    (current) UNIX password:
    New BIG-IQ password:
    Retype new BIG-IQ password:
    The password for the "admin" user ID has been changed to match the new password for the "root" user ID. The password for "admin" user is marked as expired and must be changed the next time the "admin" user logs in. Future changes to the "root" password will not affect the password of the "admin" user ID
    [root@bigiq1:NO LICENSE:Standalone] config # logout
    Connection to n.n.n.n closed.
You can now log in to the BIG-IQ VE user interface, and provision the new instance.

Configure Google Cloud Platform for license management

Use this task to set up and configure Google Cloud Platform on a virtual machine for use as a BIG-IP license manager.
  1. Use a browser to log in to BIG-IQ by typing https://<management_IP_address>, where <management_IP_address> is the address you specified for device management.
  2. The first time you log in to the BIG-IQ, you must change the admin password (again).
    1. For Current Password, use the admin password you just set.
    2. Type a new password in the New Password and Re-type New Password fields.
    3. Click Save.
      BIG-IQ changes the admin password and then displays the initial login page.
    4. Log in to the BIG-IQ user interface using your new password.
    When you change the admin password as part of an initial login, BIG-IQ also resets the root password to match it. During initial setup, you can change them both again.
    When you log in with your new password, BIG-IQ opens the License Information page.
  3. Select Skip License and click the Next button.
  4. If you are setting up BIG-IQ for the first time, the Accept User Legal Agreement screen opens. To accept the license agreement, click the Agree button, and then click the Next button.
  5. Type a Passphrase that satisfies the requirements specified on screen, type the same phrase for Confirm Passphrase, and then click the Next button.
    BIG-IQ uses the passphrase to generate a master key, which BIG-IQ uses to communicate with other BIG-IQ systems in your configuration.
    • It's important to keep track of the passphrase for the master key, because you cannot recover it if you lose it. You can change the master key at any time from the System > THIS DEVICE > General Properties screen, but only if this BIG-IQ is not part of a BIG-IQ high availability or DCD configuration.
    • You must have the passphrase used to generate the master key before you can change the master key.
    • Finally, when you back up and restore a BIG-IQ, the master key is backed up with the rest of the data, and you cannot restore that data onto a BIG-IQ that has a different master key, so without that key you will be unable to have this BIG-IQ and its data in an HA or DCD configuration.
  6. On the Update Account Passwords page, you can specify new admin and root passwords or click Next to skip this step.
  7. For System Personality, select BIG-IQ License Manager and click the Next button.
    The Networking screen opens.
  8. In the Hostname box, type a fully-qualified domain name (FQDN) for the system.
    The FQDN can consist of letters and numbers, as well as the characters underscore ( _ ), dash ( - ), or period ( . ).
  9. Type the Management Port Route.
    The management port IP address must be in Classless Inter-Domain Routing (CIDR) format. For example: 10.10.10.10/24.
  10. Select an option for what you want BIG-IQ to use for the Discovery Address.
    BIG-IQ uses this address for bi-lateral communication with the BIG-IP devices it manages licenses for.
    • To use the management port, select Use Management Address.
    • To use the internal self IP address, select Self IP Address, and type the IP address.
      The self IP address must be in Classless Inter-Domain Routing (CIDR) format. For example: 10.10.10.10/24.
  11. To create self IP addresses, click the self IP address Create button and specify the name and self IP address, and then click Next.
  12. On the DNS Services page, F5 recommends that you use the default values. If you want to specify your own DNS or NTP service addresses you can, but if you do, return to the Create firewall rules task and create firewall rules for them.
    • To accept the default DNS or NTP service addresses, move to the next step.
    • To set a DNS Lookup Servers value, type the IP address of your DNS server.
    • To set a Time Servers value, type the IP addresses of your Network Time Protocol (NTP) server.
  13. From the Time Zone list, select your local time zone, then click Next.
  14. After you review the details, click Launch and then click Restart to confirm.
    Launching and restarting the new BIG-IQ virtual machine takes a few minutes. Once it completes, you can log back in and start managing licenses.
For information about using this BIG-IQ to manage licenses, refer to: Deploy BIG-IQ to manage licenses for BIG-IP VE devices on support.f5.com.