For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Enfield303's avatar
Enfield303
Icon for Nimbostratus rankNimbostratus
Nov 19, 2020

Azure Big IP F5 template with HA via LB

Hello All, I have deployed two Big IP virtual appliances into Micosoft Azure using the following template: https://github.com/F5Networks/f5-azure-arm-templates/tree/master/supported/failover/same-net/via-lb/3nic/existing-stack/payg

I ran accross the problem detailed here (https://github.com/F5Networks/f5-azure-arm-templates/issues/198) but once I manually set the failover network and mirroring network IP address both devices synced in an Active/Sandby configuration.

 

My question now is how does the Azure loadbalancer in front of these F5 devices pass traffic / manage failover for them? The Azure loadbalancer as deployed from the template has the F5 external addresses in a back-end pool but there are no health probes, loadbalancing rules or inbound NAT rules defined - does all this have to be done manually similar to what is documented here? : - https://azure-f5-lab-days.readthedocs.io/en/latest/class1/module3/lab1.html

 

Thanks for any help

Azure
BIG-IP
cloud
template

4 Replies

  • Enfield303's avatar
    Enfield303
    Icon for Nimbostratus rankNimbostratus
    Nov 20, 2020

    On a related note, the advice for using an Azure LB for failover seems to be to use a wildcard, network range or different ports for the VIP - but what if I have multiple *seperate* apps that use the *same* port? - if the secondary IP addresses are on a /24 subnet do I need to further subnet that to differentiate between different apps? - or should I use DSR instead?

    DSR does seem to simplify a lot of this but Jeff Giroux seems to not recommend it generally.

  • Enfield303's avatar
    Enfield303
    Icon for Nimbostratus rankNimbostratus
    Nov 20, 2020

    So it look like for more virtual servers the advice is to add more secondary IP configurations to the ext interface on the F5s: https://github.com/F5Networks/f5-azure-arm-templates/tree/master/supported/failover/same-net/via-lb/3nic/existing-stack/payg#creating-virtual-servers-on-the-big-ip-ve

    • Jim_M's avatar
      Jim_M
      Icon for Cirrus rankCirrus
      Dec 17, 2020

      The 'adding more secondary IP' approach is working well for me. However, each F5 in the HA cluster will have differing IPs for their VIPs. So how can i keep config in sync if the 2 configs have to differ?

      • Enfield303's avatar
        Enfield303
        Icon for Nimbostratus rankNimbostratus
        Dec 31, 2020

        Hello Jim I created a shared object that contained both F5 IPs and used that shared object for the VIP