Manual Chapter : AWS Setup for a Service Scaling Group

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 6.0.0
Manual Chapter

AWS Setup for a Service Scaling Group

Setting up the AWS environment for a service scaling group

You need to set up an AWS environment with the specific characteristics required by a BIG-IQ service scaling group (SSG). This environment houses the resources that power the SSG.

Specify the AWS environment for a service scaling group

To operate a service scaling group (SSG) in an AWS cloud, you need a Virtual Private Cloud (VPC) to host the BIG-IP devices that run your applications. You also need secret keys and a security group to keep the environment safe.

This basic AWS environment is needed whether you house the BIG-IQ system and data collection devices (DCDs) in the AWS cloud, or in a private cloud or on-premises environment. To properly configure your environment, your account requires full access permissions for the following AWS resources: Auto Scale Groups, Instances, SQS, S3, CloudWatch, and CloudFormation. Additionally, you need list, create, and delete permissions for the IAM role/rolePolicy/InstanceProfile.

  • If you use the AWS cloud for all of your resources, you install the BIG-IQ devices and DCDs that manage the SSG in the AWS environment. When you use AWS for your BIG-IQ and DCDs, you most likely have already created an AWS environment and installed the BIG-IQ VE. If this is the case, be sure to review the AWS requirements here to insure proper support for your SSG.

  • If you install your BIG-IQ devices and DCDs in a private cloud or on-premises environment, after you create the AWS environment, configure a VPN to support the required communication between the SSG devices and the management components.
    Note: For the most current instructions for creating a VPC, refer to the VPC Documentation web site,
  1. Access your AWS account, and create a virtual private cloud (VPC).
    Note: As you configure the VPC, make sure it is in the region you want to work in and contains the following:
    • Name tag.
    • IPv4 CIDR block.
    • 2 subnets, each in separate availability zones and a unique CIDR.
    • Internet gateway attached to this VPC.
    • Route table that targets the internet gateway (1 for each subnet).
  2. Create a key pair to allow SSH access.
  3. Create a security group to protect the elastic load balancer.
  4. Create a classic elastic load balancer (ELB) using the settings detailed in the table.
    ELB Type Classic Load Balancer
    VPC and subnets Use the objects created in step 1.
    Health Checks
    • Ping protocol:TCP
    • Ping port: 22
    • Timeout: 5 seconds
    • Interval: 30 seconds
    EC2 Instances Cross-Zone Load Balancing enabled and Connection Draining Enabled at 300 seconds.
    Important: When you configure the ELB, note that you can deploy it as either Internet-facing or internal. Internal is fine if all of the application traffic you support is within your AWS VPC. If not, then make sure you deploy it as Internet-facing.

    Additionally, the classic ELB and the BIG-IP devices that manage the applications for this SSG must be in the VPC. If they are not in the same VPC, traffic will not reach the BIG-IP devices.

  5. After the ELB is created successfully, edit the ELB listeners to remove the default listener (Load Balancer Protocol and Instance Protocol of HTTP on port 80).
Important: Before AWS can create the BIG-IP instances that manage applications for this SSG, you must subscribe and agree to the software terms for the Amazon machine image (AMI) you plan to use.
  • Navigate to the AWS marketplace.
  • Search for the AMI that best fits your needs.
  • When you find the AMI you want, select it and then click Continue to Subscribe and follow the prompts.

Configuration requirements for an AWS VPN

When you manage applications in a service scaling group in AWS and use a BIG-IQ and data collection devices that are housed in a private cloud or on-premises, you need a VPN to facilitate communication. Without a VPN, the devices cannot send the analytic information you need to manage your applications. Also, if you use the BYOL licensing option, when new devices are created they need the VPN so they can contact the BIQ-IQ acting as a license server.

Requirement For more information
Both ends of the VPN require a gateway. That is, you need a gateway between your BIG-IQ/data collection device cluster and the VPN; and, you need a virtual private gateway between the VPN and the AWS environment. Refer to the vendor documentation for the gateway you use locally. For details on the AWS end, refer to AWS Managed VPN Connections on
You must use a VPN supported by AWS. For details on the VPN types that AWS supports, refer to Amazon Virtual Private Cloud Documentation on
Subnets on your local network must use a different subnet than the subnet used by the VPC you create in the AWS environment. There can be no overlap. For example, if the BIG-IQ and data collection devices in your local cloud use a subnet such as, you could use a subnet such as on your AWS VPC.
There must be a route from your BIG-IQ/data collection device cluster to the AWS environment through your gateway. Create this route by logging in to the BIG-IQ and DCD in your local cloud and running a set of tmsh commands. For example, if your setup used the subnets listed in the previous example (AWS network is and your gateway address is, you could run the following sequence of commands:
tmsh create /net route gw
tmsh list net route
tmsh save /sys config