Applies To:Show Versions
BIG-IQ Centralized Management
- 6.1.0, 6.0.1
AWS Setup for a Service Scaling Group
Setting up the AWS environment for a service scaling group
You need to set up an AWS environment with the specific characteristics required by a BIG-IQ service scaling group (SSG). This environment houses the resources that power the SSG.
Specify the AWS environment for a service scaling group
To operate a service scaling group (SSG) in an AWS cloud, you need a Virtual Private Cloud (VPC) to host the BIG-IP devices that run your applications. You also need secret keys and a security group to keep the environment safe.
This basic AWS environment is needed whether you house the BIG-IQ system and data collection devices (DCDs) in the AWS cloud, or in a private cloud or on-premises environment. To properly configure your environment, your account requires full access permissions for the following AWS resources: Auto Scale Groups, Instances, SQS, S3, CloudWatch, and CloudFormation. Additionally, you need list, create, and delete permissions for the IAM role/rolePolicy/InstanceProfile.
If you use the AWS cloud for all of your resources, you install the BIG-IQ devices and DCDs that manage the SSG in the AWS environment. When you use AWS for your BIG-IQ and DCDs, you most likely have already created an AWS environment and installed the BIG-IQ VE. If this is the case, be sure to review the AWS requirements here to insure proper support for your SSG.
If you install your BIG-IQ devices and DCDs in a private cloud or on-premises environment, after you create the AWS environment, configure a VPN to support the required communication between the SSG devices and the management components.Note: For the most current instructions for creating a VPC, refer to the VPC Documentation web site, https://docs.aws.amazon.com/AmazonVPC/latest/GettingStartedGuide/getting-started-ipv4.html.
Access your AWS account, and create a virtual private
Note: As you configure the VPC, make sure it is in the region you want to work in and contains the following:
- Name tag.
- IPv4 CIDR block.
- 2 subnets, each in separate availability zones and a unique CIDR.
- Internet gateway attached to this VPC.
- Route table that targets the internet gateway (1 for each subnet).
- Create a key pair to allow SSH access.
Create a security group to protect the elastic load
Important: When you configure the security group for the ELB, you must not specify any ingress rules.
Create a classic elastic load balancer (ELB) using the
settings detailed in the table.
ELB Type Classic Load Balancer VPC and subnets Use the objects created in step 1. Health Checks
- Ping protocol:TCP
- Ping port: 22
- Timeout: 5 seconds
- Interval: 30 seconds
EC2 Instances Cross-Zone Load Balancing enabled and Connection Draining Enabled at 300 seconds.Important: When you configure the ELB, note that you can deploy it as either Internet-facing or internal. Internal is fine if all of the application traffic you support is within your AWS VPC. If not, then make sure you deploy it as Internet-facing.
Additionally, the classic ELB and the BIG-IP devices that manage the applications for this SSG must be in the VPC. If they are not in the same VPC, traffic will not reach the BIG-IP devices.
- After the ELB is created successfully, edit the ELB listeners to remove the default listener (Load Balancer Protocol and Instance Protocol of HTTP on port 80).
- Navigate to the AWS marketplace.
- Search for the AMI that best fits your needs.
- When you find the AMI you want, select it and then click Continue to Subscribe and follow the prompts.
Configuration requirements for an AWS VPN
When you manage applications in a service scaling group in AWS and use a BIG-IQ and data collection devices that are housed in a private cloud or on-premises, you need a VPN to facilitate communication. Without a VPN, the devices cannot send the analytic information you need to manage your applications. Also, if you use the BYOL licensing option, when new devices are created they need the VPN so they can contact the BIQ-IQ acting as a license server.
|Requirement||For more information|
|Both ends of the VPN require a gateway. That is, you need a gateway between your BIG-IQ/data collection device cluster and the VPN; and, you need a virtual private gateway between the VPN and the AWS environment.||Refer to the vendor documentation for the gateway you use locally. For details on the AWS end, refer to AWS Managed VPN Connections on docs.aws.amazon.com.|
|You must use a VPN supported by AWS.||For details on the VPN types that AWS supports, refer to Amazon Virtual Private Cloud Documentation on docs.aws.amazon.com.|
|Subnets on your local network must use a different subnet than the subnet used by the VPC you create in the AWS environment. There can be no overlap.||For example, if the BIG-IQ and data collection devices in your local cloud use a subnet such as 172.16.0.0/16, you could use a subnet such as 10.1.0.0/16 on your AWS VPC.|
|There must be a route from your BIG-IQ/data collection device cluster to the AWS environment through your gateway.||Create this route by logging in to the BIG-IQ and DCD in your local cloud and running a
set of tmsh commands. For example, if your setup used the subnets listed
in the previous example (AWS network is 10.1.0.0/16 and your gateway
address is 172.16.0.9, you could run the following sequence of commands:
tmsh create /net route 10.1.10.0/16 gw 172.16.0.9 tmsh list net route tmsh save /sys config