Check out the new F5 Distributed Cloud Technical Knowledge Hub

Deploy and Manage BIG-IP Access Policy Manager

Objective
Prerequisites
BIG-IP APM AWS Deployment Site Prerequisites:
BIG-IP APM Bare Metal Deployment Site Prerequisites:
Design of BIG-IP Deployment on Bare Metal App Stack Site
Steps to Configure VLAN
Configuration
Setup BIG-IP AWS
Setup BIG-IP Bare Metal
Confirm BIG-IP APM Setup
BIG-IP APM Metrics Setup
Concepts
BIG-IP References
API References

Objective

F5 Distributed Cloud BIG-IP Access Policy Manager (APM) is a secure, flexible, and high-performance access management proxy solution. The APM provides unified global access controls for users, devices, applications, and APIs. For more information, see F5 BIG-IP Access Policy.

Using the instructions provided in this guide, you can deploy a BIG-IP APM instance on your AWS VPC (associated with your AWS TGW Site) or Bare Metal instance to apply policies for your application.

Prerequisites

Note: BIG-IP APM is a limited availabilty (LA) feature available to MSP's with service subscription request.

BIG-IP APM AWS Deployment Site Prerequisites:

A Distributed Cloud Services Account. If you do not have an account, see Create an Account.
F5 BIG-IP subscription.
An Amazon Web Services (AWS) TGW Site. See AWS VPC Site Access Policies and AWS TGW Access Policies for required permissions.
A delegated domain. See Domain Delegation for more information.
A valid AWS image subscription for F5 BIG-IP AWS images: F5 BIG-IP PAYG Best Plus (200Mbps), or F5 BIG-IP PAYG Best Plus (1Gbps).
AWS TGW site must have hellas pod enabled.

BIG-IP APM Bare Metal Deployment Site Prerequisites:

A Distributed Cloud Services Account. If you do not have an account, see Create an Account.
F5 BIG-IP subscription.
Bare Metal site must be deployed on following hardware: Dell PowerEdge R640/R650.
Bare Metal site must have hellas pod enabled in the cluster.

Note: If you are deploying Bare Metal site with this version of release, Hellas pod must be deployed automatically.

Bare Metal site must be deployed with VM support enabled.

Note: Two subnets that are connected to underlay VLAN must be created.

Connect to Underlay VLAN.

Note: Reference Steps to Configure VLAN.

BIG-IP Image version is BIG-IP 16.1.3.3 Build 0.0.3 Point Release 3.

Note: Testing is validated with above image. Other versions of BIG-IP are expected to work, but not validated.

A BIG-IQ license Server, license configured so BIG-IP activates proper license during instantiation.

Design of BIG-IP Deployment on Bare Metal App Stack Site

BIG-IP APM Virtual Edition (VE) edition is deployed as a Virtual Machine (VM) on physical Kubernetes cluster formed on a Bare Metal site. The external interface and internal interface of BIG-IP are connected to underlay VLAN using linux bridge in the host kernel.

The instructions below help you to configure deployment of BIG-IP APM on Bare Metal.

Steps to Configure VLAN

Step 1: Setup Network Interface to connect to underlay VLAN.

In F5 Distributed Cloud Console > select Multi-Cloud Network Connect > Manage.

F5 Distributed Cloud Homepage) — Figure: F5 Distributed Cloud Homepage

Select Networking > Network Interfacing.
Select + Add Network Interface.

Enter Name.
Enter Labels and Description as needed.

Select Interface Config Type drop-down menu option:
Select Layer2 Interface.

Note: Toggle Show Advanced Fields to show Tunnel Interface if needed.

Select Layer2 Interface Type drop-down menu.
Select VLAN Interface in Layer2 Interface Type drop-down menu.
Enter Ethernet Device.
Enter VLAN Id.
Select Save and Exit button.

Step 2: Setup Subnet to connect to underlay VLAN.

Note: Associate this Network interface with subnet object, so necessary Network attachment definition is created.

Update interface created above inside subnet object as specified in the screenshot.
In Multi-Cloud Network Connect > Manage.

Select Networking > Subnets.
Select + Add Subnet.

Enter Name.
Enter Labels and Description as needed.
Select Network Connection Type drop-down menu.
Select Connect to Layer2 Interface drop-down menu.
Select Layer2 Interface.

Step 3: Attach Subject Object to a site.

Note: This step creates a network attachment definition that can be attached to VM in your Kubernetes cluster.

Select Configure link in Site Subnet Parameters box.
Select Site drop-down menu.
Select Apply button.
Select Save and Exit button.

Configuration

Perform the instructions presented in the following chapters to deploy and manage the BIG-IP APM service instances.

Setup BIG-IP AWS

Step 1: Obtain F5 Distributed Cloud BIG-IP APM subscription.

Open F5 Distributed Cloud Console.
Select All Services drop-down menu under service boxes.

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Select BIG-IP APM.

Figure: F5 Console All Services BIG-IP APM

Select Service Info > About to learn more about BIG-IP APM service, and enable service.
Request subscription via email provided on BIG-IP APM page.
You will get license keys required, and subscription will be enabled by F5.

Step 2: Create APM Service.

Note: For full instructions refer to BIG-IP documentation, see BIG-IP APM Instance Configuration

In BIG-IP APM > select Manage > select BIG-IP APM Services.
Select + Add BIG-IP APM Service button.

Enter Name.
Enter Labels and Description as needed.

Step 3: Setup Virtual F5 BIG-IP AWS.

Select Site Type drop-down menu.
Select AWS Transit Gateway Site option.

Select AMI Choice drop-down menu.
Select Configure link in BIG-IP on AWS TGW Site box.

Select AWS Transit Gateway Site drop-down menu.
Enter Admin Username.
Enter your SSH key in Public SSH Key box.
Select Configure link in Admin Password box.

Setup Secret Type:
Select Secret Type drop-down menu.
Select Action drop-down menu if needed.
Select Policy Type drop-down menu if needed.
Enter Secret to Blindfold or Secret.
Select Apply button, and wait for the encryption to complete.

AdminPwd — Figure: Encrypted Admin Password

Step 4: Setup Service Type.

Select Inside VIP drop-down menu in Endpoint Service box option:
- Automatic VIP: System automatically selects a VIP as inside VIP. This is also populated by default.
- Configured VIP: Enter an IP address for the default VIP in the Configured VIP box.
Select Outside VIP drop-down menu in Endpoint Service box option:
- Advertise On Cloud External IP: The cloud provider external IP is set as the VIP. This is default option.
- Disable outside VIP: No outside VIP is set.
- Advertise On Outside Network: Site local outside network address is set as VIP.
Toggle Show Advanced Fields to show TCP Port Choice and UDP Listen Port Choice options.

Note: For enabling both the East-West and North-South traffic, configure both inside VIP and outside VIP. See the Design section to understand the traffic paths.

Step 5: Setup Service Nodes.

Select + Add Item button in Service Nodes.

Setup Service Nodes:
- Enter Node Name. This name will be used to form the hostname for the service.
- Select on AWS AZ Name field, and select an AWS availability zone from the drop-down list. Ensure that you pick the same availability zone as that of the TGW Site.
- Toggle Show Advanced Fields to show IP Prefix for Tunnel option.
- Select IP Prefix for Tunnel drop-down menu. Automatic option is default.
- Select Subnet for BIG-IP Management Interface drop-down menu. Autogenerate Subnet is default.
- Select Apply to add the service node.
Note: Use + Add item button in Service Nodes section, and repeat above steps to add more service nodes as needed.

Step 6: BIG-IP Access Management Setup.

Select BIG-IP Console Access Management drop-down menu.
Enter Domain Suffix.
Toggle Show Advanced Fields to show HTTPS Port Choice drop-down option, add HTTPS Port as needed.
Select Access on Site Local Networks drop-down menu.
Select Save and Exit button.

Note: For full instructions refer to BIG-IP documentation, see BIG-IP APM

Setup BIG-IP Bare Metal

Step 1: Obtain F5 Distributed Cloud BIG-IP APM subscription.

Open F5 Distributed Cloud Console.
Select All Services drop down menu under service boxes.

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Select BIG-IP APM.

Select Service Info > About to learn more about BIG-IP APM service, and enable service.
Request subscription via email provided on BIG-IP APM page.
You will get license keys required, and subscription will be enabled by F5.

Step 2: Create APM Service.

Note: For full instructions refer to BIG-IP documentation, see BIG-IP APM Instance Configuration

In BIG-IP APM > select Manage > select BIG-IP APM Services.
Select + Add BIG-IP APM Service button.

Enter Name.
Enter Labels and Description as needed.

Step 3: Setup Virtual F5 BIG-IP Bare Metal.

Setup Virtual F5 BIG-IP Bare Metal:

Select Site Type drop-down menu.
Select App Stack Bare Metal Site.

Select Configure link in Virtual BIG-IP on App Stack Bare Metal Site box.

Step 4: Setup Admin Password.

Enter Admin Username.

Note Admin username for BIG-IP.

Select Configure link in Admin Password box.

Setup Secret Type:
Select Secret Type drop-down menu options Blindfolded Secret or Clear Secret.

Blindfolded Secret.

Blindfolded Secret:
- Select Action drop-down menu if needed.
- Select Policy Type drop-down menu if needed.
- Enter Secret to Blindfold.
  - Select Apply button, and wait for the encryption to complete.

Clear Secret.

Clear Secret:
- Select Text or Base64.
- Enter Secret type in box.
- Select Apply button, and wait for the encryption to complete.

Step 5: Setup Bare Metal site.

Enter your SSH key in Public SSH Key box.

Note Public SSH Key for accessing the BIG-IP nodes.

Enter Image URL.

Note: Public URL where BIG-IP VE image (qcow2) is hosted.

Select App Stack Bare Metal Site drop-down menu.

Step 6: Setup License Server.

Select Configure in License Server Details.

BIGIPFORM BAREMETAL2 4 — Figure: BIG-IP APM License Server

Enter License Serve IP.
Enter User Name.
Configure Password.
Enter License Pool Name.
Enter Offering Name.
Select Apply button.

BIGIPAPM LICENSE — Figure: BIG-IP APM License Server

Step 7: Setup Service Nodes.

Select + Add Item button in Service Nodes box.

BIGIPFORM BAREMETAL2 SERVICENODES 4 — Figure: BIG-IP APM Service Node

Enter Node Name.

Note: Toggle Show Advanced Fields to show all options.

Step 8: Setup Internal Interface.

In Internal Interface section:

Note: L2 interface on Site to be connected as interface on BIG-IP.

Select L2 Interface drop-down menu option.
Enter Self IP.
Enter Default Gateway as needed.

BIGIPFORM BAREMETAL2 SERVICENODES 2 — Figure: BIG-IP APM Service Node

Step 9: Setup External Interface.

In External Interface section:

Note: L2 interface on Site to be connected as interface on BIG-IP.
- Select L2 Interface drop-down menu option:
- Enter Self IP.
- Enter Default Gateway as needed.
- Select Apply button.
Select Apply button.

Step 10: BIG-IP Access Management Setup.

Select BIG-IP Console Access Management drop-down menu.
Enter Domain Suffix.
Select Access on Site Local Networks drop-down menu.
Select Save and Exit button.

Confirm BIG-IP APM Setup

Step 1: Confirm BIG-IP APM AWS Setup.

Note: AWS BIG-IP Deployment Status is Applied.

URL populates in Management Dashboard when Deployment Status shows Applied for BIG-IP instance management.

Step 2: Confirm BIG-IP APM Bare Metal Setup.

Note: Bare Metal BIG-IP Deployment Status is Running.

URL populates in Management Dashboard when Deployment Status shows Running for BIG-IP instance management.

Note: For BIG-IP APM service related issues select Other > Contact Support > Service to contact support.

BIG-IP APM Metrics Setup

Bare Metal App Stack deployments use BIG-IP CLP (cloud licensing program). Managed service providers (MSP) use annual true-up billing in BIG-IQ license manager reporting.

AWS TGW BIG-IPs billed as AWS storefront items. Enabled on AWS account used to establish TGW site and BIG-IP VEs.

BIG-IP APM Alerts