
Forum Discussion

Alastair_jones_
Apr 13, 2016

Configuring HA on Azure F5 LTM 'Good'...

Azure F5 is single-arm. One IP, one VLAN, one big fat headache. I've got everything working in my machine, including an iRule to forward traffic to the correct pool based on host header, but, seeing as we're migrating our production platform into Azure, I need to HA the F5s. I can't find any documentation for this - though I'm prepared to be shot down in flames on this.


I've got past the first issue, that configsync and management addresses can't be the same (https://support.f5.com/kb/en-us/solutions/public/17000/400/sol17427.html), but now I'm getting "01070734:3: Configuration error: invalid static route, the dest/netmask pair 0.0.0.0/0.0.0.0 already exists for /Common/default" on the external network configuration screen of the HA wizard. I am using the existing VLAN, as my understanding is that I can create a new one. What do I need to do to get past this?


Thanks very much, Alastair


12 Replies

  • https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ve-setup-msft-azure-12-0-0/1.html?sr=53069743 "As shown in the diagram, all access to the BIG-IP VE appliance is through the same IP address. Because of this, the BIG-IP VE high availability feature does not work in Azure. (You cannot create an active-standby pair.)" So what's the workaround?!
    • Seth_81884
      Page 8 suggests "BIG-IP high availability is currently not supported in Azure, so you should configure the BIG-IP to reboot if a daemon fails. For details, see the BIG-IP® System: Essentials guide on AskF5.com."
    • rowanboy2012

      Hi Alastair,


      Not sure if you've had any luck so far, but the only method of utilizing an HA pair of F5s in Azure so far is to use the Azure LBs to select the F5 device for the connection.


      If the F5s are receiving connections directly from the perimeter this is easy as all you need is a "Public" LB configured. Both F5s share the same public IP (that of the Azure LB) but have different virtual server/self/mgmt. IPs. This basically creates a true Active/Active scenario where either F5 can receive the traffic. The Azure LB does have a client sticky feature (not dissimilar to F5s source address persistence) so one user can persist through one F5 for a given period.


      If you are NAT'ing through another perimeter security device through to the F5s in Azure, then you would need to look into creating an internal Azure LB to carry out the same as above. I'm testing this at the moment so will let you know on the success of this once known.


      (NOTE: I have heard rumours that full HA may be available in Azure eventually)


  • Artiom_Lichtens

    Hi,


    In a regular F5 DSC working in HA mode, cluster members use Gratuitous ARP or MAC Masquerade during normal operation and when cluster failover occurs.


    In Microsoft Azure this is implemented by making RESTful API calls to Azure Resource Manager.


    The code in this repository is my proposed API-based failover solution for BIG-IP HA in Microsoft Azure:


    https://github.com/ArtiomL/f5-azure-ha
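    Artiom's repository is not reproduced in this thread. As an added example (not code from that repository or from any poster), the sketch below shows the payload side of the API-based approach he describes: a floating ipconfig, which carries the traffic IP and the public IP association, is moved between the two units' NICs in the Azure Resource Manager NIC shape, replacing what gratuitous ARP or MAC masquerade would do on-premises. NIC names, the ipconfig name and all addresses are constructed; the authenticated PUT calls to ARM are left out.

```python
import copy

# Added illustration, not code from Artiom's repository; NIC names, the
# ipconfig name and every address are constructed sample values.
FLOATING_NAME = "ipconfig-floating"

# Two NICs in the Azure Resource Manager NIC shape (properties.ipConfigurations[]).
# bigip01 currently carries the floating config with the traffic IP and public IP.
SAMPLE_NICS = [
    {"name": "bigip01-nic", "properties": {"ipConfigurations": [
        {"name": "ipconfig1", "properties": {"privateIPAddress": "10.0.1.4", "primary": True}},
        {"name": FLOATING_NAME, "properties": {"privateIPAddress": "10.0.1.10", "primary": False,
            "publicIPAddress": {"id": "/subscriptions/<sub>/resourceGroups/<rg>/providers/"
                                      "Microsoft.Network/publicIPAddresses/vip-pip"}}}]}},
    {"name": "bigip02-nic", "properties": {"ipConfigurations": [
        {"name": "ipconfig1", "properties": {"privateIPAddress": "10.0.1.5", "primary": True}}]}},
]

def _configs(nic):
    return nic["properties"]["ipConfigurations"]

def holder_of(nics, name=FLOATING_NAME):
    """Name of the NIC carrying the floating ipconfig, or None; two holders is an error."""
    owners = [n["name"] for n in nics if any(c["name"] == name for c in _configs(n))]
    if len(owners) > 1:
        raise ValueError("floating ipconfig on more than one NIC: %s" % owners)
    return owners[0] if owners else None

def put_order(nics, new_active, name=FLOATING_NAME):
    """NICs to PUT, old holder first so the private IP is never on two NICs; [] if no-op."""
    current = holder_of(nics, name)
    return [] if current == new_active else [current, new_active]

def failover(nics, new_active, name=FLOATING_NAME):
    """Return a new NIC list with the floating ipconfig on new_active (input untouched)."""
    nics = copy.deepcopy(nics)
    by_name = {n["name"]: n for n in nics}
    if new_active not in by_name:
        raise KeyError("unknown NIC %r" % new_active)
    current = holder_of(nics, name)
    if current == new_active:
        return nics                                  # already active, nothing to PUT
    if current is None:
        raise ValueError("no NIC holds the floating ipconfig")
    src = _configs(by_name[current])
    floating = next(c for c in src if c["name"] == name)
    src.remove(floating)                             # body for the old holder's PUT
    floating["properties"]["primary"] = False        # each NIC keeps its own primary self IP
    _configs(by_name[new_active]).append(floating)   # body for the new active's PUT
    return nics
```

    Each NIC keeps its own primary ipconfig (the unit's self IP), so only the floating config moves, and the detach is applied before the attach to avoid a duplicate private IP in the subnet.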


    • NoamRotter

      Hello Artiom,


      When following your guide on GitHub and issuing this command:


      modify cm trust-domain root ca-devices add { 192.168.x.y } name bigip02 username user password pass
      

      I get this error:


      Unexpected Error: "Timed out while waiting for the device to respond"


      In /var/log/ltm I see:


      "iControl connection to 192.168.x.y failed"


      Any reason why?


      Noam.


    • Artiom_Lichtens

      The current TMOS version in Azure Marketplace should be v13.0.


      Please check the GitHub repository again - I updated the commands about a week ago.


    • NoamRotter

      Hi, thank you for your reply.


      How do I check the TMOS version?


      When I run this command on the BIG-IP in Azure:


      show sys version
      

      I get this output:


      Sys::Version
      Main Package
        Product     BIG-IP
        Version     12.1.0
        Build       1.0.1447
        Edition     Hotfix HF1
        Date        Wed Jun  8 13:41:59 PDT 2016
      
      Hotfix List
      ID590345-1    ID582374-1  ID581834-5  ID592354    ID591908-2  ID585905-1
      ID569121-1    ID569467-5  ID591894-2  ID547053-1  ID594302-1  ID583631-2
      ID554713-2    ID592854-1  ID576478    ID588399-1  ID592682-1  ID590795-1
      ID590779      ID544477    ID591918-2  ID588140    ID591039    ID590428-1
      ID591806-8    ID587791-1  ID590601-2  ID592699-3  ID565137    ID531979-6
      ID590993      ID592363    ID591881-1  ID582629-1
      

      When checking again on GitHub, I see that I need to issue this command:


      tmsh modify /cm trust-domain add-device { device-ip 192.168.x.y device-name BIGIP02 username USER password PASS }
      

      And the result is:


      Syntax Error: "device-ip" unknown property
      

      Any idea?


      Regards,


      Noam