Forum Discussion

Torijori_Yamamada
Dec 08, 2022

F5 HA Cluster on Azure without Public IPs


I'd like to ask a couple of questions about F5 running on Azure Public Cloud.

  • Is it possible to use CFE without a public IP (aka elastic IP) and just with secondary IP addresses?
  • Is it possible to use CFE for just manipulating the routes?

These questions come to mind because I need to figure out a solution for a pair of F5s running on Azure Public Cloud. All public IP addresses are bound to a firewall that currently sits between the Internet and the F5 cluster. Since there won't be any public IP addresses on the F5s, I could not find a way to send traffic to the active F5. CFE comes into play here, but CFE needs two IP addresses, the first one public and the other secondary. Clearly, without public IPs, CFE won't help much.

The scenario in my mind: when traffic comes to the public IP address on the firewall, it sends the traffic to the secondary IP address that is currently attached to the active F5 device. But when a failover occurs, I have to send traffic to the currently active device, but how? Could I use CFE to manage just route tables? If yes, then I can point traffic to where it should be sent, even if there are no public IP addresses. When a failover occurs, I can point to the other secondary IP on the currently active unit for the whole subnet that F5 uses for virtual IP addresses, or is this just a dream?

2 Replies

  • Hi Torijori,

    CFE basically swaps the assigned IPs used for VIPs/floating from unit-a to unit-b in the case of a failover via Azure API calls.

    If your assigned VIPs in Azure have a public IP attached, then those will be swapped too. But you don't have to use public IPs - they are optional.

    Personally I don't like the CFE approach, too complex, and the latency of the Azure API sometimes causes headaches during failover events. If you can afford the monthly fees for an Azure LB frontending your F5, then try this route; it feels almost on-prem with this setup.

    Cheers, Kai
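To make concrete what the question asks (route-only failover, no public IP) and what Kai describes (CFE moving the secondary private IPs and the user-defined routes via the Azure API), here is an added example of a CFE declaration; it is not from this thread and not F5's own sample. It assumes the documented Cloud_Failover declaration schema (`externalStorage`, `failoverAddresses`, `failoverRoutes`, `scopingTags`, `scopingAddressRanges`, `defaultNextHopAddresses`); the tag value `example-f5-ha`, the VIP subnet `10.0.3.0/24` and the two external self-IPs `10.0.1.11` / `10.0.1.12` are constructed placeholders. No public IP appears anywhere in it.

```json
{
  "class": "Cloud_Failover",
  "environment": "azure",
  "externalStorage": {
    "scopingTags": { "f5_cloud_failover_label": "example-f5-ha" }
  },
  "failoverAddresses": {
    "scopingTags": { "f5_cloud_failover_label": "example-f5-ha" }
  },
  "failoverRoutes": {
    "scopingTags": { "f5_cloud_failover_label": "example-f5-ha" },
    "scopingAddressRanges": [
      { "range": "10.0.3.0/24" }
    ],
    "defaultNextHopAddresses": {
      "discoveryType": "static",
      "items": [ "10.0.1.11", "10.0.1.12" ]
    }
  }
}
```

`failoverAddresses` moves the tagged secondary (private) IP configurations, i.e. the VIP/floating addresses the firewall forwards to, from the failed unit's NIC to the active unit's NIC. `failoverRoutes` rewrites, in any route table carrying the same tag, the next hop for `10.0.3.0/24` to whichever of the two listed self-IPs belongs to the unit that just became active, which is the route-table behaviour the question asks about. For this to work, the NIC IP configurations and the route table must carry the matching tag, the BIG-IP's managed identity needs write access to those NICs and route tables, and that role assignment is best scoped to the deployment's resource group rather than the subscription, since the same identity can rewrite any route it is allowed to touch. Kai's latency point applies unchanged: the failover is complete only once these API calls return, so measure the actual switchover time in a test before relying on it.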


    • Paulius (MVP)

      @Torijori_Yamamada I would go with what Kai_Wilke has stated. I have worked on HA F5s in Azure, and the headache of how Azure actually does failover on F5s is not worth it. You are better off deploying a single F5 with the Azure LB frontending the F5, because it's a giant mess otherwise. The alternative would be 2 individual F5s in a primary/secondary deployment, with the 2 F5s in different regions and a GTM or GTM service balancing to each, to cover yourself for a region going down.