Manual Chapter: Deploying BIG-IQ Virtual Edition in Google Cloud Platform
Applies To:
BIG-IQ Centralized Management
- 8.3.0, 8.2.0, 8.1.0
How do I deploy a BIG-IQ VE in Google Cloud Platform?
Before you can deploy a BIG-IQ VE in the Google Cloud Platform environment, you must have the following environmental elements in place:
- A tenant (or admin) user account with virtual machine deployment privileges.
- Privileges to create images (that is, you must be able to upload QCOW2 files). Contact your system administrator for assistance if your account lacks the requisite permissions.
- Sufficient free remaining computational (CPU, RAM) and disk storage quota for each BIG-IQ VE instance you plan to deploy.
- At least one network, to be used for management access.
- Security groups (firewall rule-sets), for control of inbound and outbound network traffic.
- Pre-defined Flavors (virtual hardware profile definitions).
In addition, you might wish to define the following optional
environmental elements:
- Key-pairs, for SSH access (recommended).
- Floating IP addresses, for each tenant network interface that will be externally accessible.
- Additional networks for internal, external, and high-availability traffic as necessary.
Import image from F5
The first step in deploying BIG-IQ Virtual Edition (VE) is to
download the tarball file to your local system. Then you use that tarball to create an
image file that you can use to install the BIG-IQ VE.
Do not modify the configuration of the Google Cloud Platform (GCP) environment with
settings less powerful than the ones recommended in this document. This includes the
settings for the CPU, RAM, and network adapters. Doing so might produce unexpected
results.
- From a browser window, open the F5 Downloads page (downloads.f5.com) and log in.
- On the Downloads Overview page, click Find a Download.
- Under Product Line, select Centralized Management.
- Under Name, select 8.1.0_Cloud-Images.
- If the End User Software License is displayed, read it and then click I Accept.
- Select the BIG-IQ Virtual Edition file package to download. The file name ends in GCP-byol.tar.gz. The Download Locations page opens.
- Select the download location nearest to your location. The installation file tarball downloads to your desktop.
- From a browser window, navigate to https://console.cloud.google.com and log in.
- If you are not already in the correct project, from the top of the page, select the project in which you plan to create your BIG-IQ VE instance.
- Click CREATE BUCKET, type a name in the Name your bucket box, and then click CREATE. GCP creates a bucket that you can use to upload the GCP BIG-IQ VE tarball.
- Click Upload Files and select the tarball you downloaded in step 7.
- Create a reusable image that you can use to create a GCP virtual machine instance.
  - Type a Name for the image. For example, big-iq-8-1-0-2-byol.
  - For Source, select Cloud Storage file, and then browse to the file uploaded in step 8.
  - Optionally, you can now type entries for Family and Description.
  - Click Create.
The system creates an image file that you can
use to create a GCP virtual machine.
Next, you need to create a Google Cloud
Platform service account.
Create service account
Use this task to create a new service account
for the Google Cloud Platform (GCP) instance on which your BIG-IQ License Manager will
run.
- Log in to the Google Cloud Platform (GCP) and then on the left pane, click.
- On the Service accounts page, select CREATE SERVICE ACCOUNT.
- On the Create service account page, type in a Service account name and an optional Service account description, and then click DONE.
GCP creates your new service account and adds
the name to the accounts listed on this page.
Next, you need to create firewall rules for
your GCP instance.
Create firewall rules
Use this task to set up firewall rules to
control ingress and egress to your GCP instance.
- Create an inbound firewall rule to control access from your BIG-IP devices to your BIG-IQ license manager.
  - Click the switcher icon at the top of the left pane, then click to display the list of networks defined in your GCP environment.
  - Select the network in which you plan to deploy your BIG-IQ license manager. GCP displays the VPC network details page.
  - On the VPC network details page, select.
  - On the Create a firewall rule page, type a Name and an optional Description for the rule.
  - For Network, select the name of the network you plan to use for the BIG-IQ management interface. Typically, the BIG-IP management interfaces use this network as well.
  - For Direction of traffic, select Ingress.
  - For Target tags, type in the tag name that you will tag your BIG-IQ license manager with. For example, big-iq.
  - For Source tags, type in the tag name that you will tag your BIG-IP devices with. For example, big-ip.
  - For Protocols and ports, select Specified protocols and ports, and then select TCP, and enter 22, 433.
- Create an outbound firewall rule to permit access from your BIG-IQ license manager to your BIG-IP devices.
  - Click the switcher icon at the top of the left pane, then click to display the list of networks defined in your GCP environment.
  - Select the network in which you plan to deploy your BIG-IQ license manager. GCP displays the VPC network details page.
  - On the VPC network details page, select.
  - On the Create a firewall rule page, type a Name and an optional Description for the rule.
  - For Network, select the name of the network you plan to use for the BIG-IQ management interface.
  - For Direction of traffic, select Ingress.
  - For Target tags, type in the tag name that you will tag your BIG-IP devices with. For example, big-ip.
  - For Source tags, type in the tag name that you will tag your BIG-IQ license manager with. For example, big-iq.
  - For Protocols and ports, select Specified protocols and ports, and then select TCP, and enter 22, 433. If the BIG-IP devices you support use a single network interface card (NIC), use ports 22 and 8443 instead.
- Create another inbound firewall rule to permit access from the device you plan to use to configure your BIG-IQ license manager.
  - Click the switcher icon at the top of the left pane, then click to display the list of networks defined in your GCP environment.
  - Select the network in which you plan to deploy your BIG-IQ license manager. GCP displays the VPC network details page.
  - On the VPC network details page, select.
  - On the Create a firewall rule page, type a Name and an optional Description for the rule.
  - For Network, select the name of the network you plan to use for the BIG-IQ management interface.
  - For Direction of traffic, select Ingress.
  - For Target tags, type in the tag name that you will tag your BIG-IQ license manager with. For example, big-iq.
  - For Source filter, select IPv4 ranges.
  - For Source IPv4 ranges, type the IP address (in CIDR format) of the device you plan to use to configure BIG-IQ License Manager.
  - For Protocols and ports, select Specified protocols and ports, and then for tcp, type in 22,443 to provide access to your machine through both of these ports.
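One way to check afterwards that the rules reaching the BIG-IQ tag have stayed as narrow as this task sets them up, as an added example (not F5's or Google's code): the script reads firewall rules in the JSON shape printed by `gcloud compute firewall-rules list --format=json` and reports ingress allow rules for the big-iq tag that have no source filter, a wide source range, or no specified TCP ports. The rule names, the 203.0.113.10/32 admin address, and the 256-address threshold are assumptions.

```python
import ipaddress
import json

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`.
# Rule names and the 203.0.113.10/32 admin address are made up for this example.
SAMPLE_RULES = json.loads("""[
 {"name": "admin-to-bigiq", "direction": "INGRESS", "targetTags": ["big-iq"],
  "sourceRanges": ["203.0.113.10/32"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22", "443"]}]},
 {"name": "bigiq-to-bigip", "direction": "INGRESS", "targetTags": ["big-ip"],
  "sourceTags": ["big-iq"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22", "8443"]}]},
 {"name": "temp-ssh", "direction": "INGRESS", "targetTags": ["big-iq"],
  "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "bigip-any", "direction": "INGRESS", "targetTags": ["big-iq"],
  "sourceTags": ["big-ip"], "allowed": [{"IPProtocol": "all"}]}
]""")


def audit(rules, target_tag="big-iq", max_addresses=256):
    """Return (rule name, finding) pairs for enabled ingress allow rules reaching target_tag."""
    findings = []
    for rule in rules:
        allowed = rule.get("allowed", [])  # deny rules carry "denied" instead
        if rule.get("direction") != "INGRESS" or rule.get("disabled") or not allowed:
            continue
        tags = rule.get("targetTags", [])
        if rule.get("targetServiceAccounts") or (tags and target_tag not in tags):
            continue  # targets other instances (service-account targets are out of scope)
        name = rule.get("name", "?")
        if not tags:
            findings.append((name, "no target tag: applies to every instance in the network"))
        ranges = rule.get("sourceRanges", [])
        if not (ranges or rule.get("sourceTags") or rule.get("sourceServiceAccounts")):
            findings.append((name, "no source filter: any address may connect"))
        for cidr in ranges:
            if ipaddress.ip_network(cidr, strict=False).num_addresses > max_addresses:
                findings.append((name, f"source range {cidr} is wider than {max_addresses} addresses"))
        for entry in allowed:
            if entry.get("IPProtocol") != "tcp" or not entry.get("ports"):
                findings.append((name, f"protocol {entry.get('IPProtocol')} is not limited to listed TCP ports"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

The rule that targets the big-ip tag is skipped because the audit only follows traffic that can reach instances tagged big-iq.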
Next, you need to launch a new instance.
Launch new instance
Before you can create a new instance, you must have imported the GCP image from downloads.f5.com. Use this task to create a new GCP instance on Google Cloud Platform.
- Click the switcher icon at the top of the left pane, then click to display the list of images defined in your GCP environment.
- Select the image that you imported earlier, then select CREATE INSTANCE. You may find it easier to locate the image if you use the Filter near the top of the page to type in the first few characters of the image name.
- On the Create an instance page, type a Name for the new instance.
- For the Region, select the region in which your VPC network is located.
- Under Machine configuration, for the Series, select E2 and for the Machine type, select e2-standard-8.
- Under Identity and API access, for the Service account, select the account you created back at the beginning of this task.
- Under Networking, for Network tags, type the tag that you specified earlier in this task for the BIG-IQ License Manager when you created the ingress rule.
- Under Edit network interface, select the VPC network you are using for the BIG-IQ License Manager.
- For Primary internal IP, select Ephemeral (Automatic), and then select RESERVE STATIC INTERNAL IP ADDRESS.
- On the Reserve a static internal IP address pop-up window, type a Name and optional description for this IP address, then, under Static IP address, select Assign automatically and click RESERVE. GCP creates a new reserved internal IP address for the new instance's management address.
- Click Create.
You can now log in to the BIG-IQ VE user
interface, and license and provision the VE.
Change instance passwords
Before you can change the instance passwords,
you must have created a GCP instance.
Use this task to change the root and default
passwords for your GCP instance.
- Use SSH to log in to the BIG-IQ management address as root. The system forces you to immediately change the default password.
- Follow the prompts to change the password for the virtual machine.

    ssh root@n.n.n.n
    Password:
    You are required to change your password immediately (root enforced)
    Changing password for root.
    (current) UNIX password:
    New BIG-IQ password:
    Retype new BIG-IQ password:
    The password for the "admin" user ID has been changed to match the new password for the "root" user ID.
    The password for "admin" user is marked as expired and must be changed the next time the "admin" user logs in.
    Future changes to the "root" password will not affect the password of the "admin" user ID
    [root@bigiq1:NO LICENSE:Standalone] config # logout
    Connection to n.n.n.n closed.

You can now log in to the BIG-IQ VE user
interface, and provision the new instance.
Configure Google Cloud Platform for license management
Use this task to set up and configure Google
Cloud Platform on a virtual machine for use as a BIG-IP license manager.
- Use a browser to log in to BIG-IQ by typing https://<management_IP_address>, where <management_IP_address> is the address you specified for device management.
- The first time you log in to the BIG-IQ, you must change the admin password (again).
  - For Current Password, use the admin password you just set.
  - Type a new password in the New Password and Re-type New Password fields.
  - Click Save. BIG-IQ changes the admin password and then displays the initial log in page.
- Log in to the BIG-IQ user interface using your new password. When you log in with your new password, BIG-IQ opens the License Information page. When you change the admin password as part of an initial login, BIG-IQ also resets the root password to match it. During initial setup, you can change them both again.
- Select Skip License and click the Next button.
- If you are setting up BIG-IQ for the first time, the Accept User Legal Agreement screen opens. To accept the license agreement, click the Agree button, and then click the Next button.
- Type a Passphrase that satisfies the requirements specified on screen, type the same phrase for Confirm Passphrase, and then click the Next button. BIG-IQ uses the passphrase to generate a master key, which BIG-IQ uses to communicate with other BIG-IQ systems in your configuration.
  - It's important to keep track of the passphrase for the master key, because you cannot recover it if you lose it. You can change the master key at any time only if this BIG-IQ is not part of a BIG-IQ high availability or DCD configuration from the screen.
  - You must have the passphrase used to generate the master key before you can change the master key.
  - Finally, when you back up and restore a BIG-IQ, the master key is backed up with the rest of the data, and you cannot restore that data onto a BIG-IQ that has a different master key, so without that key you will be unable to have this BIG-IQ and its data in an HA or DCD configuration.
- On the Update Account Passwords page, you can specify new admin and root passwords or click Next to skip this step.
- For System Personality, select BIG-IQ License Manager and click the Next button. The Networking screen opens.
- In the Hostname box, type a fully-qualified domain name (FQDN) for the system. The FQDN can consist of letters and numbers, as well as the characters underscore ( _ ), dash ( - ), or period ( . ).
- Type the Management Port Route. The management port IP address must be in Classless Inter-Domain Routing (CIDR) format. For example: 10.10.10.10/24.
- Select an option for what you want BIG-IQ to use for the Discovery Address. BIG-IQ uses this address for bi-lateral communication with the BIG-IP devices it manages licenses for.
  - To use the management port, select Use Management Address.
  - To use the internal self IP address, select Self IP Address, and type the IP address. The self IP address must be in Classless Inter-Domain Routing (CIDR) format. For example: 10.10.10.10/24.
  - To create self IP addresses, click the self IP address Create button and specify the name and self IP address, and then click Next.
- On the DNS Services page, F5 recommends that you use the default values. If you want to specify your own DNS or NTP service addresses you can, but if you do, return to the Create firewall rules task and create firewall rules for them.
  - To accept the default DNS or NTP service addresses, move to the next step.
  - To set a DNS Lookup Servers value, type the IP address of your DNS server.
  - To set a Time Servers value, type the IP addresses of your Network Time Protocol (NTP) server.
- From the Time Zone list, select your local time zone, then click Next.
- After you review the details, click Launch and then click Restart to confirm. Launching and restarting the new BIG-IQ virtual machine takes a few minutes. Once it completes, you can log back in and start managing licenses.
For information about using this BIG-IQ to manage licenses, refer to: Deploy BIG-IQ to manage licenses for BIG-IP VE devices on support.f5.com.