Forum Discussion

jparri2323
Nimbostratus
Nov 19, 2025
Solved

Big-IP LTM integration with Big-IP DNS in Azure

We are deploying Big-IPs to Azure. We are going with 3-NIC (mgmt/client/server) Big-IP LTM/APM nodes. They will integrate with existing Big-IP DNS nodes. What is the NIC to use not only for the initial bigip_add (port 22), but also for iQuery (4353)? Best practice? I understand big3d will listen on self IPs and mgmt.

Per https://clouddocs.f5.com/cloud/public/v1/azure/Azure_multiNIC.html, it mentions 4353 comms on the internal network for config sync, etc. What about F5 DNS integration and iQuery comms?

Does anybody have any experience with this configuration and/or best practice recommendations?

  • Hi jparri2323,

    With a 3-NIC deployment for your LTM/APM VEs in Azure, it's best to keep the MGT NIC for admin/control-plane operations only: typical 443/22 access. Protect it with a MGT NSG and use a jump host/bastion host for access. HA between Active-Standby LTMs should use the internal NIC. iQuery should also flow over the internal NIC if possible. If DNS is only reachable via the external NIC then you can use that. iQuery should use the data-plane NICs when possible. Hope this helps.
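One way to turn that advice into Azure NSG rules, as an added example that is not from this thread or from F5's Azure docs: the management NSG admits GUI/SSH only from a bastion subnet, the external NSG admits client traffic only, and the internal NSG admits iQuery (TCP 4353) and the one-time bigip_add SSH exchange from the BIG-IP DNS nodes, plus the Active-Standby pair's config sync (TCP 4353) and network failover (UDP 1026), which are standard BIG-IP ports. Every resource group, NSG name and address is a constructed placeholder; `az` is the Azure CLI, and the script only prints the commands unless `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example, not from the thread or from F5's Azure docs: Azure NSG rules
# for a 3-NIC BIG-IP VE. Management stays an admin-only plane reachable from a
# bastion, the external NIC carries client traffic only, and iQuery (TCP 4353)
# plus the bigip_add SSH exchange are accepted on the internal NIC from the
# BIG-IP DNS nodes alone. Every name and address below is a constructed placeholder.

RG="${RG:-rg-bigip}"
MGMT_NSG="${MGMT_NSG:-nsg-bigip-mgmt}"
EXT_NSG="${EXT_NSG:-nsg-bigip-external}"
INT_NSG="${INT_NSG:-nsg-bigip-internal}"
BASTION_CIDR="${BASTION_CIDR:-10.0.250.0/24}"   # jump/bastion subnet (constructed)
DNS_NODES="${DNS_NODES:-10.0.20.11 10.0.20.12}"  # existing BIG-IP DNS self IPs (constructed)
PEER_INT_IP="${PEER_INT_IP:-10.0.30.12}"         # HA peer's internal self IP (constructed)
CLIENT_SRC="${CLIENT_SRC:-Internet}"             # service tag for client-side traffic
DRY_RUN="${DRY_RUN:-1}"                          # 1 = print the az commands only

# run: echo the command as one line; execute it only when DRY_RUN=0.
run() {
    printf '%s\n' "$*"
    if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

# nsg_rule <nsg> <name> <priority> <protocol> <sources> <dest-ports>
# Sources and ports are space-separated lists, so they are deliberately unquoted.
nsg_rule() {
    # shellcheck disable=SC2086
    run az network nsg rule create \
        --resource-group "$RG" --nsg-name "$1" --name "$2" --priority "$3" \
        --direction Inbound --access Allow --protocol "$4" \
        --source-address-prefixes $5 --destination-port-ranges $6
}

# build_rules: one allow rule per required flow. Anything not listed is
# dropped by Azure's built-in DenyAllInBound rule (priority 65500).
build_rules() {
    # Management NIC: GUI/SSH only from the bastion subnet; no iQuery here.
    nsg_rule "$MGMT_NSG" allow-bastion-admin 100 Tcp "$BASTION_CIDR" "22 443"

    # External NIC: client-facing virtual servers only.
    nsg_rule "$EXT_NSG" allow-client-https 100 Tcp "$CLIENT_SRC" "443"

    # Internal NIC: iQuery from the DNS nodes, SSH for bigip_add, and the
    # Active-Standby pair's config sync (TCP 4353) and failover (UDP 1026).
    nsg_rule "$INT_NSG" allow-iquery-from-dns 100 Tcp "$DNS_NODES" "4353"
    nsg_rule "$INT_NSG" allow-bigip-add-ssh 110 Tcp "$DNS_NODES" "22"
    nsg_rule "$INT_NSG" allow-ha-peer-sync 120 Tcp "$PEER_INT_IP" "4353"
    nsg_rule "$INT_NSG" allow-ha-peer-failover 130 Udp "$PEER_INT_IP" "1026"
}

build_rules
```

The NSG only governs what reaches the NIC; the BIG-IP side still needs the internal self IP's port lockdown to admit the same ports, for example `tmsh modify net self <internal-self> allow-service add { tcp:4353 tcp:22 }`, while the external self IP stays at `none` or a virtual-server-only list. Keeping 4353 out of the management and external NSGs is what enforces the answer's "iQuery on the data-plane NIC" point.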

3 Replies

    • jparri2323
      Nimbostratus

      I appreciate the response. Depending on how we set it up, the Big-IP DNS devices (already built) can reach the client/external self IPs and also the internal/server self IPs on the new LTM/APM nodes. We can set up the access via firewall/NSGs. However, per your response, I will look to using the internal/server NICs for that specific communication between those devices, or at least have that flow on the data plane as you mentioned. I appreciate the input.