Deploy and Manage BIG-IP Access Policy Manager

Published April 5, 2023 | Last modified October 1, 2025

Objective

F5 Distributed Cloud BIG-IP Access Policy Manager (APM) is a secure, flexible, and high-performance access management proxy solution. The APM provides unified global access controls for users, devices, applications, and APIs.

Using the instructions provided in this guide, you can deploy a BIG-IP APM instance on your AWS VPC (associated with your AWS TGW Site) or Bare Metal instance to apply policies for your application.

Prerequisites

Note: BIG-IP APM is a limited availabilty (LA) feature available to MSP's with service subscription request.

BIG-IP APM AWS Deployment Site Prerequisites:

BIG-IP APM Bare Metal Deployment Site Prerequisites:

  • A Distributed Cloud Services Account. If you do not have an account, see Create an Account.

  • F5 BIG-IP subscription.

  • Bare Metal site must be deployed on following hardware: Dell PowerEdge R640/R650.

  • Bare Metal site must have hellas pod enabled in the cluster.

Note: If you are deploying Bare Metal site with this version of release, Hellas pod must be deployed automatically.

  • Bare Metal site must be deployed with VM support enabled.

Note: Two subnets that are connected to underlay VLAN must be created.

  • Connect to Underlay VLAN.

Note: Reference Steps to Configure VLAN.

  • BIG-IP Image version is BIG-IP 16.1.3.3 Build 0.0.3 Point Release 3.

Note: Testing is validated with above image. Other versions of BIG-IP are expected to work, but not validated.

  • A BIG-IQ license Server, license configured so BIG-IP activates proper license during instantiation.

Design of BIG-IP Deployment on Bare Metal App Stack Site

BIG-IP APM Virtual Edition (VE) edition is deployed as a Virtual Machine (VM) on physical Kubernetes cluster formed on a Bare Metal site. The external interface and internal interface of BIG-IP are connected to underlay VLAN using linux bridge in the host kernel.

The instructions below help you to configure deployment of BIG-IP APM on Bare Metal.

Figure: VLAN Diagram

Figure: VLAN Diagram

Steps to Configure VLAN

Step 1: Setup Network Interface to connect to underlay VLAN.
  • In F5 Distributed Cloud Console > select Multi-Cloud Network Connect > Manage.
Figure: F5 Distributed Cloud Homepage

Figure: F5 Distributed Cloud Homepage

  • Select Networking > Network Interfacing.

  • Select + Add Network Interface.

Figure: VLAN

Figure: VLAN

  • Enter Name.

  • Enter Labels and Description as needed.

Figure: VLAN

Figure: VLAN

  • Select Interface Config Type drop-down menu option:

  • Select Layer2 Interface.

Note: Toggle Show Advanced Fields to show Tunnel Interface if needed.

  • Select Layer2 Interface Type drop-down menu.

  • Select VLAN Interface in Layer2 Interface Type drop-down menu.

  • Enter Ethernet Device.

  • Enter VLAN Id.

  • Select Save and Exit button.

Figure: VLAN

Figure: VLAN

Step 2: Setup Subnet to connect to underlay VLAN.

Note: Associate this Network interface with subnet object, so necessary Network attachment definition is created.

  • Update interface created above inside subnet object as specified in the screenshot.

  • In Multi-Cloud Network Connect > Manage.

Figure: F5 Distributed Cloud Homepage

Figure: F5 Distributed Cloud Homepage

  • Select Networking > Subnets.

  • Select + Add Subnet.

Figure: VLAN

Figure: VLAN

  • Enter Name.

  • Enter Labels and Description as needed.

  • Select Network Connection Type drop-down menu.

  • Select Connect to Layer2 Interface drop-down menu.

  • Select Layer2 Interface.

Figure: VLAN

Figure: VLAN

Step 3: Attach Subject Object to a site.

Note: This step creates a network attachment definition that can be attached to VM in your Kubernetes cluster.

  • Select Configure link in Site Subnet Parameters box.

  • Select Site drop-down menu.

  • Select Apply button.

  • Select Save and Exit button.

Figure: VLAN

Figure: VLAN

Configuration

Perform the instructions presented in the following chapters to deploy and manage the BIG-IP APM service instances.

Setup BIG-IP AWS

Step 1: Obtain F5 Distributed Cloud BIG-IP APM subscription.

  • Open F5 Distributed Cloud Console.

  • Select All Workspaces drop-down menu under service boxes.

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Workspaces drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Figure: F5 Console All Services

Figure: F5 Console All Services

  • Select BIG-IP APM.
Figure: F5 Console All Services BIG-IP APM

Figure: F5 Console All Services BIG-IP APM

  • Select Service Info > About to learn more about BIG-IP APM service, and enable service.

  • Request subscription via email provided on BIG-IP APM page.

  • You will get license keys required, and subscription will be enabled by F5.

Figure: F5 Console BIG-IP APM

Figure: F5 Console BIG-IP APM

Step 2: Create APM Service.

Note: For full instructions refer to BIG-IP documentation, see BIG-IP APM Instance Configuration

  • In BIG-IP APM > select Manage > select BIG-IP APM Services.

  • Select + Add BIG-IP APM Service button.

Figure: BIG-IP APM Service

Figure: BIG-IP APM Service

  • Enter Name.

  • Enter Labels and Description as needed.

Figure: BIG-IP APM

Figure: BIG-IP APM

Step 3: Setup Virtual F5 BIG-IP AWS.

  • Select Site Type drop-down menu.

  • Select AWS Transit Gateway Site option.

Figure: BIG-IP APM

Figure: BIG-IP APM

  • Select AMI Choice drop-down menu.

  • Select Configure link in BIG-IP on AWS TGW Site box.

Figure: BIG-IP APM

Figure: BIG-IP APM

  • Select AWS Transit Gateway Site drop-down menu.

  • Enter Admin Username.

  • Enter your SSH key in Public SSH Key box.

  • Select Configure link in Admin Password box.

Figure: BIG-IP APM

Figure: BIG-IP APM

  • Setup Secret Type:

  • Select Secret Type drop-down menu.

  • Select Action drop-down menu if needed.

  • Select Policy Type drop-down menu if needed.

  • Enter Secret to Blindfold or Secret.

  • Select Apply button, and wait for the encryption to complete.

Figure: Encrypted Admin Password

Figure: Encrypted Admin Password

Step 4: Setup Service Type.

  • Select Inside VIP drop-down menu in Endpoint Service box option:

    • Automatic VIP: System automatically selects a VIP as inside VIP. This is also populated by default.

    • Configured VIP: Enter an IP address for the default VIP in the Configured VIP box.

  • Select Outside VIP drop-down menu in Endpoint Service box option:

    • Advertise On Cloud External IP: The cloud provider external IP is set as the VIP. This is default option.

    • Disable outside VIP: No outside VIP is set.

    • Advertise On Outside Network: Site local outside network address is set as VIP.

  • Toggle Show Advanced Fields to show TCP Port Choice and UDP Listen Port Choice options.

Note: For enabling both the East-West and North-South traffic, configure both inside VIP and outside VIP. See the Design section to understand the traffic paths.

Figure: BIG-IP APM Endpoint

Figure: BIG-IP APM Endpoint

Step 5: Setup Service Nodes.
  • Select + Add Item button in Service Nodes.
Figure: BIG-IP APM

Figure: BIG-IP APM

  • Setup Service Nodes:

    • Enter Node Name. This name will be used to form the hostname for the service.

    • Select on AWS AZ Name field, and select an AWS availability zone from the drop-down list. Ensure that you pick the same availability zone as that of the TGW Site.

    • Toggle Show Advanced Fields to show IP Prefix for Tunnel option.

    • Select IP Prefix for Tunnel drop-down menu. Automatic option is default.

    • Select Subnet for BIG-IP Management Interface drop-down menu. Autogenerate Subnet is default.

    • Select Apply to add the service node.

    Note: Use + Add item button in Service Nodes section, and repeat above steps to add more service nodes as needed.

Figure: Service Nodes

Figure: Service Nodes

Step 6: BIG-IP Access Management Setup.

  • Select BIG-IP Console Access Management drop-down menu.

  • Enter Domain Suffix.

  • Toggle Show Advanced Fields to show HTTPS Port Choice drop-down option, add HTTPS Port as needed.

  • Select Access on Site Local Networks drop-down menu.

  • Select Save and Exit button.

Figure: BIG-IP APM

Figure: BIG-IP APM

Note: For full instructions refer to BIG-IP documentation, see BIG-IP APM

Setup BIG-IP Bare Metal

Step 1: Obtain F5 Distributed Cloud BIG-IP APM subscription.

  • Open F5 Distributed Cloud Console.

  • Select All Workspaces drop down menu under service boxes.

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Workspaces drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Figure: F5 Console All Services

Figure: F5 Console All Services

  • Select BIG-IP APM.
Figure: F5 Console All Services BIG-IP APM

Figure: F5 Console All Services BIG-IP APM

  • Select Service Info > About to learn more about BIG-IP APM service, and enable service.

  • Request subscription via email provided on BIG-IP APM page.

  • You will get license keys required, and subscription will be enabled by F5.

Figure: F5 Console BIG-IP APM

Figure: F5 Console BIG-IP APM

Step 2: Create APM Service.

Note: For full instructions refer to BIG-IP documentation, see BIG-IP APM Instance Configuration

  • In BIG-IP APM > select Manage > select BIG-IP APM Services.

  • Select + Add BIG-IP APM Service button.

Figure: BIG-IP APM Service

Figure: BIG-IP APM Service

  • Enter Name.

  • Enter Labels and Description as needed.

Figure: BIG-IP APM

Figure: BIG-IP APM

Step 3: Setup Virtual F5 BIG-IP Bare Metal.

Setup Virtual F5 BIG-IP Bare Metal:

  • Select Site Type drop-down menu.

  • Select App Stack Bare Metal Site.

Figure: BIG-IP APM

Figure: BIG-IP APM

  • Select Configure link in Virtual BIG-IP on App Stack Bare Metal Site box.
Figure: BIG-IP APM

Figure: BIG-IP APM

Step 4: Setup Admin Password.
  • Enter Admin Username.

Note Admin username for BIG-IP.

  • Select Configure link in Admin Password box.
Figure: BIG-IP APM

Figure: BIG-IP APM

  • Setup Secret Type:

  • Select Secret Type drop-down menu options Blindfolded Secret or Clear Secret.

Blindfolded Secret.

  • Blindfolded Secret:

    • Select Action drop-down menu if needed.

    • Select Policy Type drop-down menu if needed.

    • Enter Secret to Blindfold.

      • Select Apply button, and wait for the encryption to complete.
Figure: Encrypted Admin Password

Figure: Encrypted Admin Password

Clear Secret.

  • Clear Secret:

    • Select Text or Base64.

    • Enter Secret type in box.

    • Select Apply button, and wait for the encryption to complete.

Figure: Encrypted Admin Password

Figure: Encrypted Admin Password

Step 5: Setup Bare Metal site.
  • Enter your SSH key in Public SSH Key box.

Note Public SSH Key for accessing the BIG-IP nodes.

  • Enter Image URL.

Note: Public URL where BIG-IP VE image (qcow2) is hosted.

  • Select App Stack Bare Metal Site drop-down menu.
Figure: BIG-IP APM

Figure: BIG-IP APM

Step 6: Setup License Server.
  • Select Configure in License Server Details.
Figure: BIG-IP APM License Server

Figure: BIG-IP APM License Server

  • Enter License Serve IP.

  • Enter User Name.

  • Configure Password.

  • Enter License Pool Name.

  • Enter Offering Name.

  • Select Apply button.

Figure: BIG-IP APM License Server

Figure: BIG-IP APM License Server

Step 7: Setup Service Nodes.
  • Select + Add Item button in Service Nodes box.
Figure: BIG-IP APM Service Node

Figure: BIG-IP APM Service Node

  • Enter Node Name.

Note: Toggle Show Advanced Fields to show all options.

Step 8: Setup Internal Interface.
  • In Internal Interface section:

Note: L2 interface on Site to be connected as interface on BIG-IP.

  • Select L2 Interface drop-down menu option.

  • Enter Self IP.

  • Enter Default Gateway as needed.

Figure: BIG-IP APM Service Node

Figure: BIG-IP APM Service Node

Step 9: Setup External Interface.

  • In External Interface section:

    Note: L2 interface on Site to be connected as interface on BIG-IP.

    • Select L2 Interface drop-down menu option:

    • Enter Self IP.

    • Enter Default Gateway as needed.

    • Select Apply button.

  • Select Apply button.

Figure: BIG-IP APM Service Node

Figure: BIG-IP APM Service Node

Step 10: BIG-IP Access Management Setup.

  • Select BIG-IP Console Access Management drop-down menu.

  • Enter Domain Suffix.

  • Select Access on Site Local Networks drop-down menu.

  • Select Save and Exit button.

Figure: BIG-IP APM

Figure: BIG-IP APM

Confirm BIG-IP APM Setup

Step 1: Confirm BIG-IP APM AWS Setup.

Note: AWS BIG-IP Deployment Status is Applied.

  • URL populates in Management Dashboard when Deployment Status shows Applied for BIG-IP instance management.
Figure: BIG-IP APM Service

Figure: BIG-IP APM Service

Step 2: Confirm BIG-IP APM Bare Metal Setup.

Note: Bare Metal BIG-IP Deployment Status is Running.

  • URL populates in Management Dashboard when Deployment Status shows Running for BIG-IP instance management.
Figure: BIG-IP APM Service

Figure: BIG-IP APM Service

Note: For BIG-IP APM service related issues select Other > Contact Support > Service to contact support.

BIG-IP APM Metrics Setup

Bare Metal App Stack deployments use BIG-IP CLP (cloud licensing program). Managed service providers (MSP) use annual true-up billing in BIG-IQ license manager reporting.

AWS TGW BIG-IPs billed as AWS storefront items. Enabled on AWS account used to establish TGW site and BIG-IP VEs.

BIG-IP APM Alerts

  • APMServiceInstanceUnavailable

  • CPU Usage

    • APMCPUThresholdCritical

    • APMCPUThresholdMajor

    • APMCPUThresholdMinor

Step 1: Setup BIG-IP APM Alerts Management.
  • In F5 Distributed Cloud Console homepage > select All Workspaces drop down menu under service boxes.
Figure: F5 Console All Services

Figure: F5 Console All Services

  • Select BIG-IP APM.
Figure: F5 Console All Services BIG-IP APM

Figure: F5 Console All Services BIG-IP APM

  • In BIG-IP APM > Manage > select Alerts Management.
Figure: BIG-IP APM Alerts Management

Figure: BIG-IP APM Alerts Management

Step 2: Setup BIG-IP APM Active Alerts Policies.
  • Select Active Alert Policies > + Select Active Alert Policies button.
Figure: BIG-IP APM

Figure: BIG-IP APM

  • Select + Add Item button.

  • Select Alert Policies drop-down option.

Note: Select + Add Item button to add additional Alert Policies as needed. Select dots in Order column to move order of policies.

Note: Select dots in Actions column to Edit or Delete as needed.

  • Select Save and Exit button.
Step 3: Setup BIG-IP APM Alerts Policies.
  • Select Alert Policies.
Figure: BIG-IP APM

Figure: BIG-IP APM

  • Enter Name.

  • Add Labels and Description as needed.

  • See, Alerts Setup.

  • Select Save and Exit button.

Figure: BIG-IP APM

Figure: BIG-IP APM

Step 4: Setup BIG-IP APM Alerts Receivers.
  • Select Alert Receivers.
Figure: BIG-IP APM

Figure: BIG-IP APM

  • Enter Name.

  • Add Labels and Description as needed.

  • See, Alerts Setup.

  • Select Save and Exit button.

Figure: BIG-IP APM

Figure: BIG-IP APM

Step 5: Confirm BIG-IP APM Alerts Setup.
Figure: BIG-IP APM

Figure: BIG-IP APM

Figure: BIG-IP APM

Figure: BIG-IP APM

Figure: BIG-IP APM

Figure: BIG-IP APM

Concepts

BIG-IP References

API References

On this page: