Deploy & Manage BIG-IP Service

Objective

This guide provides instructions on how to deploy and manage the F5 BIG-IP Virtual Edition (VE) service on your AWS TGW Site using F5® Distributed Cloud Services. For more information on the F5® Distributed Cloud Services Sites, see Site.

The F5 BIG-IP is a family of products covering software and hardware designed around application availability, access control, and security solutions. The instructions provided in this document cover deploying the BIG-IP software appliance acting as an application delivery controller using the F5 Distributed Cloud Services. For more information on BIG-IP products, see BIG-IP Products.

Using the instructions provided in this guide, you can deploy a BIG-IP virtual appliance on your AWS VPC, associate it with your AWS TGW Site, and set the VE appliance to control your application delivery.

Note: The external service is supported only for the BIG-IP VE appliance on AWS TGW Site.


Design

Deploying BIG-IP virtual appliances in an AWS VPC first requires deploying an AWS TGW site with its VPC attachments, services VPC, and subnet configurations. Next, create a BIG-IP VE service object; it is associated with the TGW site and launched according to its service node settings.

Note: A service node is an abstract term that takes on the characteristics of the service that gets deployed in it. In this case, it is the BIG-IP service.

The images in the following sections show the reference topology for the BIG-IP deployment, where BIG-IP service nodes deployed in an AWS VPC provide Advanced Web Application Firewall (AWAF) functionality to workloads routed via the TGW. More specifically, as depicted in the images, requests made from an application in one VPC (named Shared) to an application in another VPC (named Dev) are processed by the BIG-IP service if the requests match the external service configuration. Similarly, requests from the internet to an application in a VPC are routed through the AWS network load balancer and through the TGW to the BIG-IP service if they match the external service configuration. The BIG-IP service then routes the request to the endpoint in the VPC.

Note: Not all requests from Dev-VPC to Shared-VPC are processed by BIG-IP. Only the requests directed to the inside VIP as per external service configuration are processed by BIG-IP.

The hub, spoke, and services VPC route tables are programmed with the entries that define the traffic path for request and response.

Note: The AWS TGW workload subnet setting is different from the workload subnets in the attached VPC (the shared VPC in the reference diagram). The workloads in the attached VPC represent applications that are routed via the BIG-IP service node. In this guide, the term workload subnets refers to the subnets in the attached VPC.

East-West Traffic

In this reference topology, an interface of the TGW site is connected to the BIG-IP management interface, and requests to the BIG-IP management address are routed through that same TGW Site interface. From the point of view of the TGW Site, the BIG-IP management interface looks like a workload subnet interface. The BIG-IP external interface is connected to the inside interface of the TGW site. Requests to the application are first forwarded to the TGW site inside interface using the spoke route table entries. The inside interface then forwards the traffic to the BIG-IP external interface over an IP-in-IP tunnel. The BIG-IP appliance then forwards the traffic to the origin server according to the programmed entries of the services VPC route table; this is handled internally by the BIG-IP and routed to the subnets where the workloads are running.

The response from the workload subnet is received by BIG-IP and sent through the BIG-IP external interface to the inside interface of the TGW site over the same IP-in-IP tunnel. The traffic is then forwarded to the requestor subnet using the programmed hub route table.

Figure: East-West Traffic in External Service Deployment

The following list presents the traffic flow for request and response:

  1. A request from Shared-VPC to a destination in Dev-VPC lands at the AWS TGW.

  2. The TGW routes it internally to the F5 AWS TGW Site's inside interface, which in turn sends it to the BIG-IP external interface.

  3. BIG-IP routes it internally to its inside interface and in turn sends the request to Dev-VPC.

  4. The response from Dev-VPC arrives at the BIG-IP internal interface and is in turn sent to the external interface of BIG-IP.

  5. The response then flows from the BIG-IP external interface to the TGW internal interface, which in turn sends it to the Dev-VPC workload subnet attachment circuit.

  6. The TGW workload interface towards Shared-VPC sends the response to the requesting subnet in Shared-VPC and on to the requestor.

North-South Traffic

The AWS network load balancer receives requests from the internet and routes the traffic to the outside interface of the TGW Site. Based on the destination, the system checks the main route table and forwards the traffic to the inside interface of the Site. The traffic is then sent over an IP-in-IP tunnel between the Site inside interface and the BIG-IP external interface. Using the services VPC route table, the next hop is set to the appropriate VPC attachment and the traffic is propagated to the destination.

The response traffic is forwarded to the BIG-IP instance internally using the spoke route table, with the service VPC attachment as the destination. The BIG-IP then steers the traffic internally to its external interface and sends it over the IP-in-IP tunnel to the Site's inside interface. The Site then performs SNAT based on the route table entries and sends the traffic to the internet over the outside interface.

Figure: North-South Traffic in External Service Deployment

  1. A request from the internet to a destination in Dev-VPC lands at the AWS Network Load Balancer, which in turn routes it to the TGW.

  2. The TGW routes it internally to the F5 AWS TGW Site's inside interface.

  3. The request is then sent to the BIG-IP external interface over the IP-in-IP tunnel.

  4. BIG-IP routes it internally to its inside interface and in turn sends the request to Dev-VPC.

  5. The response from Dev-VPC is sent to the BIG-IP internal interface, which routes it internally to the external interface of BIG-IP.

  6. The response then flows from the BIG-IP external interface to the F5 AWS TGW Site's internal interface over the IP-in-IP tunnel.

  7. The response is then forwarded to the TGW, which in turn sends it to the F5 AWS TGW Site's outside interface.

  8. The F5 AWS TGW Site outside interface sends the response to the AWS Network Load Balancer, which in turn sends the response to the requestor over the internet.

Note: For detailed information on BIG-IP configurations, see BIG-IP Documentation.


Prerequisites

The following prerequisites apply:


Configuration

Deploying the external service requires first creating an external service object in the F5® Distributed Cloud Console, obtaining the management address of the external service instance from the Console, logging into the external service instance, and configuring the origin servers where your application workloads are running.

Perform the instructions presented in the following chapters to deploy and manage the external service instances.

Create External Service Object

Log into the Console and do the following:

Step 1: Start creating external service object.
  • On the Console home page, select the Cloud and Edge Sites service.

Note: The homepage is role-based, and your homepage may look different due to your role customization. Select the All Services drop-down menu to discover all options. To customize settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check the Work Domain boxes > Save changes button.

Figure: Console Homepage

  • Click Manage > Site Management > External Services.

  • Click Add External Service option to open the external service object creation form.

  • In the Metadata section, set Name, Labels, and Description as needed.

Step 2: Configure external service provider settings.

In the Select NFV Service Provider section, perform the following:

  • Select Virtual F5 BigIP for AWS for the Select NFV Service Provider field.

  • Click Configure under the Virtual F5 BigIP for AWS field. This opens BIG-IP service specification form.

  • In the Image section, select BigIp Pay as You Go Image for the Image field. This is populated by default.

    • Select an option for the AMI Choice field. The BIG-IP advanced WAF 200 Mbps is selected by default.
  • Click Configure in the Admin Password section. In the opened Secret page, enter the password in the secret form and click Blindfold.

Figure: Encrypted Admin Password

  • Wait for the encryption to complete and click Apply.

  • Enter the admin username in the Admin Username section.

  • Enter your SSH key in the Public SSH key section.

Figure: BIG-IP Service Configuration

  • Select AWS Transit Gateway Site for the Site Type field. Click on the AWS Transit Gateway Site field and select your AWS TGW site from the drop-down list.

  • Click Add item in the Service Nodes section and do the following in the service nodes form:

    • Enter a name in the Node Name field. This name will be used to form the hostname for the service.
    • Click on AWS AZ Name field and select an AWS availability zone from the drop-down list. Ensure that you pick the same availability zone as that of the TGW Site.
    • Click Add item to add the service node.

Note: Use the Add item option in the Service Nodes section and repeat above steps to add more service nodes.

Figure: TGW and Service Nodes

  • Click Apply.
Step 3: Set node management based on HTTP.
  • In the HTTPS based Management of nodes section, enable the HTTPS Based Management option.

  • Enter a domain suffix in the Domain Suffix field. This will be used along with the Node Name set in the previous step to form the management URL for the node.

Note: Ensure that the domain is delegated to F5 Distributed Cloud Services.

Figure: HTTP Based Node Management Settings

Note: Default HTTPS port is 443 and internet access is enabled by default.

Step 4: Configure service type and complete creating the external service.

In the Select Service Type section, do the following:

  • Select one of the following for the Inside VIP field:

    • Automatic VIP - The system automatically selects a VIP as the inside VIP. This is the default.
    • Configured VIP - Enter an IP address for the default VIP in the Configured VIP field.
  • Select one of the following for the Outside VIP field:

    • Disable outside VIP - No outside VIP is set. This is the default option.
    • Advertise On Outside Network - Site local outside network address is set as VIP.
    • Advertise On Cloud External IP - The cloud provider external IP is set as the VIP.

Note: For enabling both the East-West and North-South traffic, configure both inside VIP and outside VIP. See the Design section to understand the traffic paths.

Click Save and Exit to complete creating the external service object. The external service object gets created and shows up on the External Services page.

Note: It may take a few minutes for the health of the external service object to reach 100%.

Step 5: Obtain management address for the service nodes.
  • Click on the external service object created in the previous step. The Dashboard page is displayed.
  • Check the Service Instances section.

Figure: BIG-IP Management URL

  • The Management Dashboard field shows the service node management URLs.

Configure BIG-IP Instances

This chapter shows a sample configuration for the BIG-IP service instance. For the full instruction set, refer to the BIG-IP documentation.

Step 1: Log into the BIG-IP service instance.
  • Open a browser window and enter the instance management URL obtained in the previous chapter.
  • Enter the admin username and password you configured in the previous chapter.
Step 2: Configure pool where the application workloads are running.
  • On the BIG-IP management portal, go to Main > Local Traffic and click Pools under Virtual Servers section on the left menu.
  • Click Create on the pools list page to start creating a pool.
  • Enter a name for your pool in the Configuration section.
  • Enter an IP address for the Address field in the Resources section.
  • Enter a port number in the Service Port field.

Figure: BIG-IP Pool Creation

  • Click Finished at the bottom of the window to complete creating the pool.
Step 3: Configure virtual servers.
  • On the BIG-IP management portal, go to Main > Local Traffic and click Virtual Servers on the left menu.
  • Click Create on the virtual servers list page to start creating a virtual server.
  • Do the following in the General Properties section:
    • Enter a name for your virtual server.
    • Select Host in the Source Address field and enter 0.0.0.0/0.
    • Select Host in the Destination Address/Mask field and enter IP address for your host.
    • Enter a port number in the Service Port field.
  • Select Automap in the Source Address Translation field.
  • In the Resources section, select the pool created in the previous step.

Figure: BIG-IP Virtual Server Creation

  • Click Finished at the bottom of the window to complete creating the virtual server.

Verify Traffic

You can check the east-west TCP traffic flow by running an HTTP server on a VM in a subnet of one attached spoke VPC and an HTTP client on a VM in another spoke VPC. For example, you can run the Apache HTTP server in spoke VPC 1 and send an HTTP request to it from spoke VPC 2. Verify the traffic flow using tools such as tcpdump. Similarly, you can check UDP traffic by running a UDP server in one spoke VPC and a UDP client in another spoke VPC using tools such as netcat.

You can also check the north-south traffic by sending a request from a spoke VPC to any internet destination. You can confirm that SNAT happens from the inside network to the outside network on the AWS Site using tools such as traceroute.
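The two checks above (east-west flow visible on the Site's inside interface; SNAT to the Site's outside address on north-south traffic) can be automated over tcpdump output. The following script is an added example, not part of this F5 documentation, and it does not call any F5 API. It assumes you have already captured packets on the Site's inside and outside interfaces with tcpdump; here the captures are constructed sample lines, and every address in them (workload 10.1.1.10, inside VIP 10.3.1.20, Site outside address 10.1.0.5, internet host 203.0.113.10) is an assumed sample value, not one from the page.

```shell
#!/bin/sh
# Added example for the "Verify Traffic" chapter; not part of the F5 documentation.
# It checks two things the chapter asks you to verify with tcpdump:
#   - east-west: a request from a Shared-VPC workload to the inside VIP is seen
#     on the Site's inside interface;
#   - north-south: a request to an internet host leaves the Site's outside
#     interface with the Site's outside address as source (SNAT happened).
# All captures below are CONSTRUCTED tcpdump-style lines; all addresses are
# assumed sample values (workload 10.1.1.10, inside VIP 10.3.1.20,
# Site outside address 10.1.0.5, internet host 203.0.113.10).

# Constructed capture on the Site's inside interface (east-west request).
EW_INSIDE_CAP='12:00:00.100000 IP 10.1.1.10.51000 > 10.3.1.20.80: Flags [S], seq 100, win 64240, length 0
12:00:00.100400 IP 10.3.1.20.80 > 10.1.1.10.51000: Flags [S.], seq 200, ack 101, win 65535, length 0'

# Constructed captures for a north-south request: the inside interface still
# sees the private source; the outside interface should see the Site's
# outside address after SNAT.
NS_INSIDE_CAP='12:00:01.000100 IP 10.1.1.10.45678 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000300 IP 203.0.113.10.80 > 10.1.1.10.45678: Flags [S.], seq 2, ack 2, win 65535, length 0'
NS_OUTSIDE_CAP='12:00:01.000200 IP 10.1.0.5.40001 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000250 IP 203.0.113.10.80 > 10.1.0.5.40001: Flags [S.], seq 2, ack 2, win 65535, length 0'

# src_ips CAPTURE DST_IP: print the distinct source IPs of packets sent to
# DST_IP. tcpdump prints addresses as "host.port" (destination with a trailing
# colon), so the IPv4 address is the first four dot-separated parts.
src_ips() {
  printf '%s\n' "$1" | awk -v dst="$2" '
    $2 == "IP" {
      n = split($3, s, "."); m = split($5, d, ".")
      src = s[1] "." s[2] "." s[3] "." s[4]
      dip = d[1] "." d[2] "." d[3] "." d[4]
      if (n == 5 && m == 5 && dip == dst) print src
    }' | sort -u
}

# flow_seen CAPTURE SRC_IP DST_IP: exit 0 if at least one packet from SRC_IP
# to DST_IP is present in the capture, 1 otherwise.
flow_seen() {
  [ "$(src_ips "$1" "$3" | grep -c -x -F "$2")" -eq 1 ]
}

# snat_verified INSIDE_CAP OUTSIDE_CAP WORKLOAD_IP SITE_OUTSIDE_IP DST_IP:
# exit 0 only when the inside capture shows the workload's private source and
# the outside capture shows only the Site's outside address towards DST_IP.
snat_verified() {
  [ "$(src_ips "$1" "$5")" = "$3" ] && [ "$(src_ips "$2" "$5")" = "$4" ]
}

# Stand-alone run: report both checks against the constructed captures.
if flow_seen "$EW_INSIDE_CAP" 10.1.1.10 10.3.1.20; then
  echo "east-west: request from 10.1.1.10 to inside VIP 10.3.1.20 seen on inside interface"
else
  echo "east-west: request NOT seen on inside interface"
fi
if snat_verified "$NS_INSIDE_CAP" "$NS_OUTSIDE_CAP" 10.1.1.10 10.1.0.5 203.0.113.10; then
  echo "north-south: SNAT to Site outside address 10.1.0.5 confirmed"
else
  echo "north-south: SNAT NOT observed on outside interface"
fi
```

To use this against a real deployment, replace the constructed strings with the output of `tcpdump -n -i <inside-interface>` and `tcpdump -n -i <outside-interface>` (the `-n` flag keeps addresses numeric, which the parser relies on) and pass your own workload, Site outside, and destination addresses to the two functions.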

This chapter shows how to monitor the external service using the Console. Log into the Console and do the following:

Step 1: Navigate to external services monitoring page.
  • Log into the Console and click on the Cloud and Edge Services service in the home page.
  • Select Manage > Site Management > External Services on the left menu. A list of external services objects is displayed on the right side.
  • Click on your external services object from the list of displayed objects. Dashboard view is displayed by default.

Figure: External Service Monitoring Dashboard View

The dashboard shows snapshot information for entities such as service details, alerts, traffic, connections, top sources (IP addresses), and details about service instances.

Step 2: Inspect external service metrics and top talkers.

The metrics show historical information for CPU usage, throughput, and disk operation statistics.

  • From within the dashboard, click on the value on the Node Name column in the Service Instances section. The Metrics view is displayed showing the CPU usage graph by default.

  • Click on any metrics options located on the right side to display graphical view for that metric.

Figure: External Service Metrics View

  • Click on the Top Talkers tab to view the top 10 sources, destinations, applications, flows, and the associated data statistics.

Figure: External Service Top Talkers View

Step 3: Navigate to site monitoring page.
  • Select Cloud and Edge Sites service from the home page.
  • Go to Sites > Site List. Click on your site from the list of displayed sites. This opens the Site dashboard.
Step 4: Inspect interfaces and requests for your site.
  • Click on the Interfaces tab to view the list of interfaces and associated metrics.
  • Click on the Connections tab to view the list of connection requests and information for each request.
  • Click on the Top Talkers tab to view the list of top 10 sources, destinations, applications, flows, and the associated data statistics.

Figure: AWS TGW Site Top Talkers

  • Click on the Flow Table tab to view the packet flow information.

Figure: AWS TGW Site Flow Table Entries

Step 5: Inspect site connectivity map and route tables.
  • Go to Sites > Site Connectivity > PoP (RE) Connectivity.
  • Click on your Site from the list of displayed Sites or select your Site from the Select site drop-down on the top. This opens the full connectivity map showing RE Sites, AWS Site, TGW, subnets, and the VMs in the attached VPCs.

Figure: External Service Topology View

  • Click on any VPC to load its connectivity map with Site or TGW and subnets. This also opens a modeless window with VPC information such as VM instances and route tables.

Figure: External Service VPC Topology View

  • Click on any subnet or VM to view its information in the modeless window. In case of VMs, the view also displays network interface information.
