18/11/2021 20:43 Amazon Web Services: Single NIC BIG-IP VE

 CloudDocs Home (/) > BIG-IP Virtual Edition (../index.html) > Amazon Web Services: Single NIC BIG-IP VE

Amazon Web Services: Single NIC BIG-IP VE¶

 Version notice:
This content applies to BIG-IP VE 11.5.1 and later

The following diagram shows a basic single NIC deployment of BIG-IP VE in an Amazon Virtual
Private Cloud (VPC). Traffic is flowing through BIG-IP VE to application servers. The BIG-IP virtual
server is listening for traffic destined for port 443 . Port 8443 is for management traffic.

Note: Alternately, you can use CloudFormation templates to create this deployment. For more
information about CloudFormation templates provided by F5, go to https://github.com/F5Networks
(https://github.com/F5Networks).

In this configuration, all access to the BIG-IP VE appliance is through the same IP address and
virtual network interface (vNIC). This single NIC deployment has the following benefits:

BIG-IP VE creates networking objects (vNIC 1.0, an internal VLAN, and an internal self IP
address).
In BIG-IP VE 13.0 and later, BIG-IP VE sets the Configuration utility port to 8443 (instead of 443 ).

If you do not need a separate management network, this configuration is less complex than
other configurations.

https://clouddocs.f5.com/cloud/public/v1/aws/AWS_singleNIC.html 1/12
18/11/2021 20:43 Amazon Web Services: Single NIC BIG-IP VE

Watch a video of the deploy process:

BIG-IP VE in Amazon Web Services (AWS)

Step summary¶

This is a specific example, which you can use to test a single NIC deployment. When done, you
should be able to send traffic to your application servers through BIG-IP VE.

Step Task Description

1 Choose an F5 Choose an F5 license (https://f5.com/products/how-to-buy/simplified-
license licensing). You can get a trial license (https://www.f5.com/trial/big-ip-
trial.php) if you need one.
2 Create a VPC Use the AWS VPC wizard to create a VPC with a single subnet.
with one
Subnet: 10.0.0.0/24
subnet
3 Deploy a BIG- From the AWS Marketplace, choose an F5 BIG-IP VE image. When you
IP VE deploy the instance, choose the VPC you created earlier.
instance
Choose an image with 2 boot locations if you expect to upgrade BIG-IP
VE in the future. If you do not need room to upgrade (if you intend to
create a new instance when a new version of BIG-IP VE is released),
choose an image with 1 boot location.

Interface: eth0

Primary Private IP: 10.0.0.200

https://clouddocs.f5.com/cloud/public/v1/aws/AWS_singleNIC.html 2/12
18/11/2021 20:43 Amazon Web Services: Single NIC BIG-IP VE

Step Task Description

4 Create an Create an Elastic IP address and associate it with the BIG-IP VE
Elastic IP instance. You will use this IP address to access the BIG-IP
address Configuration utility and to access your application servers (by way of
the virtual server).

Elastic IP: 52.x.y.x

5 Set an admin Before you can license and provision BIG-IP VE, use SSH and your key
password for pair to connect to the instance and set a strong password.
BIG-IP VE
In tmsh, type modify auth password admin

6 License BIG- Use the admin account to log in to the BIG-IP Configuration utility
IP VE ( https://<ElasticIP:8443> ). If you have trouble accessing the
Configuration utility, check the AWS security groups to ensure that
they allow the appropriate traffic.

Note: Prior to BIG-IP VE 13.0, the port is 443 instead.

7 Provision BIG- Enable the modules you need.

IP VE
8 Change the Prior to BIG-IP VE 13.0 only. Change the Config utility from port 443 to
Config utility 8443 . After BIG-IP VE 13.0, it is on port 8443 by default.
port
9 Create a Prior to BIG-IP VE 12.1, you must create a VLAN and self IP address. In
VLAN and 12.1 and later, BIG-IP VE creates these automatically.
self IP
10 Create a pool Create a pool that contains your application servers.
and add
Pool name: web_pool
members to it
11 Create a Create a virtual server, which provides a destination for your inbound
virtual server web traffic and points to the pool of web servers.

Virtual IP address: 10.0.0.200 , service port: 443

Step details¶

Create a VPC with one subnet¶

A BIG-IP VE instance must be in an Amazon virtual private cloud (VPC). You can use a wizard to
create a basic VPC.

1. In the AWS Management Console, at the top of the screen expand the Services menu, scroll
down to Networking & Content Delivery section, select VPC.
https://clouddocs.f5.com/cloud/public/v1/aws/AWS_singleNIC.html 3/12
18/11/2021 20:43 Amazon Web Services: Single NIC BIG-IP VE

2. Click Launch VPC Wizard -> VPC with a Single Public Subnet, and then click Select.

3. For the CIDR block, use the following:

IPv4: 10.0.0.0/24

IPv6: Select the appropriate option.

4. In the VPC name field, type a name.

5. Retain all other default settings and click Create VPC.

6. Click OK to view the list of VPCs.

Deploy a BIG-IP VE instance¶

To create an EC2 instance of BIG-IP VE in AWS, you deploy a BIG-IP VE image from the Amazon
Web Services (AWS) Marketplace.

1. Go to the AWS Marketplace.

2. In the Search AWS Marketplace field, type F5 BIG-IP and then click GO.

3. Click the version you want to deploy and then click Continue.

If you expect to upgrade BIG-IP VE in the future, choose an image with 2 boot locations. If
you do not need room to upgrade (if you intend to create a new instance when a new
version of BIG-IP VE is released), choose an image with 1 boot location.

4. Select the region where you created your VPC, click Launch with EC2 Console.

5. Choose the instance type you need.

6. Click Next: Configure Instance Details.

7. From the Network list, select your VPC. The Subnet field is automatically populated.

8. In the Network interfaces area, in the Primary IP field, type 10.0.0.200 .

9. Click Next: Add Storage and then Next: Tag Instance.

10. In the Value field, type a name for the instance and click Next: Configure Security Group.

Three rules are in the list. 22 is for SSH access, 8443 for BIG-IP management access, and 443 for
application traffic.

https://clouddocs.f5.com/cloud/public/v1/aws/AWS_singleNIC.html 4/12
18/11/2021 20:43 Amazon Web Services: Single NIC BIG-IP VE

For Source, if you select My IP, you can access the BIG-IP VE instance from your computer only.
You can change the source as needed for your environment. For more information about
securing instances in AWS, see this topic
(https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf).

11. Click Review and Launch.

12. Confirm the settings and click Launch.

13. Select your key pair, accept the acknowledgment, and click Launch Instances.

14. Click View Instances to view the new instance.

When the status in the Status Checks column changes from Initializing to 2/2 checks passed, the
instance is ready.

Important: Prior to BIG-IP VE 13.1.0.1, if you chose an hourly instance, you must associate an AWS
Elastic IP address with the instance while it is launching, so that the instance can register the
license with F5. If the instance lacks internet access when it first boots, you must reboot the
instance so it can connect to F5 for licensing.

Create an Elastic IP address¶

A BIG-IP VE instance must be in an Amazon virtual private cloud (VPC). You can use a wizard to
create a basic VPC.

You use the BIG-IP Configuration utility to configure the BIG-IP VE instance. To access the
Configuration utility from the Internet, you use an Elastic IP (EIP) address associated with the BIG-IP
VE instance. You will use this same EIP to access your application servers. Hourly instances of BIG-
IP VE prior to version 13.1.0.2 also use the EIP for internet access so they can get a license from F5.

Note: EIPs are accessible to the Internet. Because of this, later you will set a strong password for
the BIG-IP VE admin account, which you use to log in to the Configuration utility.

1. From the Services menu at the top of the AWS Management Console, select EC2.

2. In the Navigation pane, under NETWORK & SECURITY, select Elastic IPs.

3. Click Allocate new address.

4. Click Allocate and then click Close.

5. Right-click the newly created EIP and select Associate address from the popup menu screen.

6. Select the BIG-IP VE instance and the management subnet’s private IP address, 10.0.0.200 .
https://clouddocs.f5.com/cloud/public/v1/aws/AWS_singleNIC.html 5/12
18/11/2021 20:43 Amazon Web Services: Single NIC BIG-IP VE

7. Click Associate.

Set the admin password for BIG-IP VE¶

The first time you boot BIG-IP VE, you must connect to the instance and create a strong admin
password. You will use the admin account and password to access the BIG-IP Configuration utility.

This management interface may be accessible to the Internet, so ensure the password is secure.

1. Connect to BIG-IP VE.

At the command prompt, navigate to the folder where you saved your ssh key and type:
ssh -i <private_key_file.pem> admin@<bigip_public_ip_address>

If you prefer, you can open PuTTy and in the Host Name (or IP address) field, enter the
external IP address, for example:

In the Category pane on the left, click Connection -> SSH -> Auth.
In the Private key file for authentication field, choose your .ppk file.

Click Open.
If a host key warning appears, click OK.
The terminal screen displays: login as: .

https://clouddocs.f5.com/cloud/public/v1/aws/AWS_singleNIC.html 6/12
18/11/2021 20:43 Amazon Web Services: Single NIC BIG-IP VE

Type admin and press Enter.

2. To change to the tmsh prompt, type:

tmsh

3. Modify the admin password:

modify auth password admin

The terminal screen displays the message:

changing password for admin

new password:

4. Type the new password and press Enter.

The terminal screen displays the message:

confirm password

5. Re-type the new password and press Enter.

6. Ensure that the system retains the password change and press Enter.

save sys config

The terminal screen displays the message:

Saving Ethernet mapping...done

License BIG-IP VE¶

You must enter license information before you can use BIG-IP VE.

 Version notice:
Prior to BIG-IP VE 13.0, the port is 443, not 8443

1. Open a web browser and log in to the BIG-IP Configuration utility by using https with the
external IP address and port 8443 , for example: https://<external-ip-address>:8443 . The
username is admin and the password is the one you set previously.

2. On the Setup Utility Welcome page, click Next.

3. On the General Properties page, click Activate.

https://clouddocs.f5.com/cloud/public/v1/aws/AWS_singleNIC.html 7/12
18/11/2021 20:43 Amazon Web Services: Single NIC BIG-IP VE

4. In the Base Registration key field, enter the case-sensitive registration key from F5.

For Activation Method, if you have a production or Eval license, choose Automatic and click
Next.

If you chose Manual, complete these steps:

1. In the Step 1: Dossier field, copy all of the text and then click Click here to access F5
Licensing Server.

A separate web page opens.

2. On the new page, click Activate License.

3. In the Enter your dossier field, paste the text and click Next.

4. Accept the agreement and click Next.

5. On the Activate F5 Product page, copy the license text in the box. Now go back to the BIG-
IP Configuration utility and paste the text into the Step 3: License field.

6. Click Next.
https://clouddocs.f5.com/cloud/public/v1/aws/AWS_singleNIC.html 8/12
18/11/2021 20:43 Amazon Web Services: Single NIC BIG-IP VE

The BIG-IP VE system registers the license and logs you out. When the configuration change is
successful, click Continue to provision BIG-IP VE.

Provision BIG-IP VE¶

You must confirm the modules you want to run before you can begin to work in the BIG-IP
Configuration utility.

1. Open a web browser and log in to the BIG-IP Configuration utility.

2. On the Resource Provisioning screen, change settings if necessary and click Next.

3. On the Device Certificates screen, click Next.

4. On the Platform screen, in the Admin Account field, re-enter the password for the admin
account and click Next.

BIG-IP VE logs you out.

5. When you log back in, on the Setup Utility -> Network screen, in the Advanced Network
Configuration area, click Finished.

Change the Configuration utility port¶

 Version notice:
https://clouddocs.f5.com/cloud/public/v1/aws/AWS_singleNIC.html 9/12
18/11/2021 20:43 Amazon Web Services: Single NIC BIG-IP VE

In BIG-IP VE 13.0 and later, this task is not required

The BIG-IP Configuration utility uses port 443 by default. Change the port to 8443 so you can use
443 for application traffic.

1. Use a secure shell terminal (SSH), like PuTTy, to access the instance; use the key pair you
specified when you deployed the instance.

2. Type tmsh to ensure you are accessing the tmsh prompt.

3. Confirm the SSL port.

list sys httpd ssl-port

The result should be ssl-port 443 .

4. Move the port from 443 to 8443 .

modify sys httpd ssl-port 8443

5. Confirm the move was successful.

list sys httpd ssl-port

The result should be ssl-port 8443 .

6. Add 8443 to the default self allow port list.

modify net self-allow defaults add { tcp:8443 }

7. Now that the Configuration utility is no longer using port 443, remove the reference to it.

modify net self-allow defaults delete { tcp:443 }

8. Confirm the changes.

list net self-allow defaults

tcp:pcsync-https is for 8443 and should be in the list. tcp:https is for 443 and should not be in
the list.

9. Save the changes to the system configuration.

save sys config

10. End the SSH session.

https://clouddocs.f5.com/cloud/public/v1/aws/AWS_singleNIC.html 10/12
18/11/2021 20:43 Amazon Web Services: Single NIC BIG-IP VE

11. Open a web browser and go to the BIG-IP Configuration utility by using port 8443 , for example:
https://<public-ip-address>:8443 .

Now create a VLAN and self IP address for the NIC.

Create a pool and add members to it¶

Traffic goes through BIG-IP VE to a pool. Your application servers should be members of this pool.

1. Open a web browser and go to the BIG-IP Configuration utility, for example: https://<external-
ip-address>:8443 .

2. On the Main tab, click Local Traffic -> Pools.

3. Click Create.

4. In the Name field, type web_pool . Names must begin with a letter, be fewer than 63 characters,
and can contain only letters, numbers, and the underscore (_) character.

5. For Health Monitors, move https from the Available to the Active list.

6. Choose the load balancing method or retain the default setting.

7. In the New Members section, in the Address field, type the IP address of the application server.

8. In the Service Port field, type a service port, for example, 443 .

9. Click Add.

The list now contains the member.

10. Add additional pool members as needed and click Finished.

Create a virtual server¶

A virtual server listens for packets destined for the external IP address. You must create a virtual
server that points to the pool you created.

1. In the BIG-IP Configuration utility, on the Main tab, click Local Traffic -> Virtual Servers.

2. Click Create and populate the following fields.

Field Value
Name A unique name
Destination Address/Mask BIG-IP VE’s private IP
address
Service Port 443

HTTP Profile http

SSL Profile (Client) clientssl
SSL Profile (Server) serverssl
https://clouddocs.f5.com/cloud/public/v1/aws/AWS_singleNIC.html 11/12
18/11/2021 20:43 Amazon Web Services: Single NIC BIG-IP VE

Field Value
Source Address Translation Auto Map
Default Pool web_pool

Note: These settings are for demonstration only. For details about securing a web application
with SSL, see the product documentation at askf5.com (http://askf5.com).

3. Click Finished.

Traffic to the BIG-IP VE external IP address will now go to the pool members. To test in a browser,
type: https://<external-IP-address> .

Failover for single NIC¶

You can implement failover in public clouds using the F5 Cloud Failover Extension
(https://clouddocs.f5.com/products/extensions/f5-cloud-failover/latest/userguide/overview.html) (for
example, Cloud Failover for AWS (https://clouddocs.f5.com/products/extensions/f5-cloud-
failover/latest/userguide/aws.html)). Failover (https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-
device-service-clustering-administration-14-1-0/managing-failover.html) is also supported for single
NIC VE instances at the BIG-IP network configuration level, using:

gratuitous address resolution protocol (GARP) (https://techdocs.f5.com/kb/en-us/products/big-

ip_ltm/manuals/product/tmos-routing-administration-12-1-1/11.html),

device service cluster (DSC) (https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-device-service-

clustering-administration-14-1-0/working-with-dsc-devices.html),

master control program daemon (MCPD) (https://support.f5.com/csp/article/K13030),

and other validation-level configuration settings.

Other settings used for failover include, Traffic Groups, primarily used in multi-NIC
(../aws_index.html#aws-index-multinic) and HA configurations
(https://clouddocs.f5.com/cloud/public/v1/aws/AWS_ha.html#create-static-self-ip-addresses-for-the-
ha-vlans); therefore, for the virtual IPs, be sure set to Traffic Group to None (see CFE FAQs
(https://clouddocs.f5.com/products/extensions/f5-cloud-failover/latest/userguide/faq.html#is-active-
active-supported) for details).

Failover works in generic hypervisors, where L2 is supported (such as, VMware ESXi). For
information about other failover options, consult the F5 Cloud Failover Extension (CFE)
(https://clouddocs.f5.com/products/extensions/f5-cloud-failover/latest/) documentation. See also
the CFE FAQs (https://clouddocs.f5.com/products/extensions/f5-cloud-
failover/latest/userguide/faq.html#faq-tg-none).

https://clouddocs.f5.com/cloud/public/v1/aws/AWS_singleNIC.html 12/12