BIP-IP HA on Azure Cloud

Question

i have been going through some article on implementing BIG-IP (LTM) HA on Azure cloud,  however i am stumbled upon contradictory statements where one says Azure loadbalancer  is required to achieve BIG-IP HA, where as some other implementation without Azure Loadbalancer. Can someone please clarify which one is correct.

kai_wilke · Answer

Hi Dabance,&nbsp;F5 provides different Azure deployment designs which can be found here...&nbsp;https://github.com/F5Networks/f5-azure-arm-templates/tree/master/supported The "Autoscale" templates are covering a setup of two or more standalone VEs in a load balances configuration and does not utilize session state replication between those VEs. The load can be distributed via RR-DNS or front ending Azure LBs which are distributing the load between the individual VEs.&nbsp;The "Failover" templates are covering a traditional Sync-Failover F5 setup including session state replication. The active/passive network integration is either handled by your VEs via Azure API calls (aka. dynamically assign the public IP to the currently active unit) or via front-ending Azure LBs.&nbsp;Personally I don't use any of the provided templates, since they are not flexible enough (aka. no 2-arm setup available and way too many pre-configured settings). Because of that I usually install two standalone 2-nic VEs from the scratch (aka. MGMT and Production interfaces). Created a LTM Sync-Failover cluster as usual (via Self-IPs of the Production Network) and ended up to deploy a Azure-LB in front of the units to provide network failover (aka. L2 failover/clustering does not work in Azure). In this setup each Virtual Server is simply configured with an /31 network mask (aka. two subsequent IPs for each VS) and each of the VE units is listening to just one of those /31 IPs (via additional Virtual Machine IPs). If VE unit A is currently active, the Azure load balancer will mark IP A as active and IP B as inactive and then forward the traffic via IP A to unit A. If VE unit B is currently active, the Azure load balancer will mark IP A as inactive and B as active and then forward the traffic via IP B to unit B. The outcome of this setup is a fully functional Sync-Failover cluster with fail-over delays of 5-10 seconds....&nbsp;Cheers, Kai&nbsp;

jeff_giroux_f5 · Answer

Review the supported tree:https://github.com/F5Networks/f5-azure-arm-templates/tree/master/supported&nbsp;As well as the experimental tree which has a few more options:https://github.com/F5Networks/f5-azure-arm-templates/tree/master/experimental&nbsp;You can also look into terraform examples to build out the components via that tooling method. Here are examples of using other orchestration methods (terraform, ansible).https://github.com/f5devcentral/Ansible-Terraform-Cloud-Templates

jim_m · Answer

Hi Kai. You mention"&nbsp;In this setup each Virtual Server is simply configured with an /31 network mask (aka. two subsequent IPs for each VS) and each of the VE units is listening to just one of those /31 IPs (via additional Virtual Machine IPs)"&nbsp;Is there a good document that details best practice about how to do this? Including config of any required load balancer or traffic manager?

kai_wilke · Answer

Hi Jim,&nbsp;afaik there is no such a guide available from F5. &nbsp;You have basically to see the Azure based VEs the same way you would create a cluster on On-Prem Environments. Just the missing L2 capabilities of Azure are getting replaced with those /31 bit VS instances (in Azure IP-1 gets assigned to Unit-A and IP-2 gets assigned to Unit-B) and a Azure-LB in front of those IP-Pairs to perform Health-Monitoring which system is active and finally failover if needed.&nbsp;Once a got it up an running you simply operate a usual and fully featured Active-Passive VE cluster with config and session state sync. There is basically no difference between OnPrem and Azure anymore…&nbsp;Cheers, Kai&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

jeff_giroux_f5 · Answer

Review my articles please that show various HA patterns as well as what the BIG-IP virtual server should look like.&nbsp;https://devcentral.f5.com/s/articles/Lightboard-Lessons-BIG-IP-Deployments-in-Azure-Cloud&nbsp;And overall HA guidance in the 3 major cloud providers with recommendations:https://devcentral.f5.com/s/articles/F5-High-Availability-Public-Cloud-Guidance&nbsp;&nbsp;

Forum Discussion

BIP-IP HA on Azure Cloud

Recent Discussions

Problem with lets encrypt and redirect after update

Should config via cli rather than gui?

Is a Dedicated Interface, VLAN, and Self IP Required for a VIP in an F5 Configuration?

question about getting hsl data to be formatted properly in splunk

iRule for client certificate verification and inserting CN

Related Content

Public Cloud Simplified with F5 NGINXaaS for Azure

SSLO in public cloud: Azure inbound L3 use case

Securely Scale RAG - Azure OpenAI Service, F5 Distributed Cloud and NetApp

Creating a Credential in F5 Distributed Cloud for Azure

Lightboard Lessons: BIG-IP Deployments in Azure Cloud

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS