F5 in AZ
We are building F5 BIG-IP in Azure. Our long term intention is Active-Active or Active-Standby HA, but to kick start we are deploying a single standalone instance first.
The F5 is not exposed to the internet directly. We have a Palo Alto firewall performing DNAT to convert the public IP to a private IP, and that private IP is the F5 VIP. We are using Azure basic Load Balancer to send traffic to F5.
Our example external subnet is 10.1.1.0/24 and the IPs are configured as follows on the Azure NIC and F5. The Primary Self IP is 10.1.1.10, the first Secondary IP is 10.1.1.11 (the VIP for App1), the second Secondary IP is 10.1.1.12 (the VIP for App2), and so on.
My questions are as follows.
First, in the ALB backend pool, should we use the Primary Self IP 10.1.1.10 or the Secondary VIP IPs 10.1.1.11 and 10.1.1.12? If we use Secondary IPs, do we need a separate ALB for each VIP? We have seen some older videos suggesting Secondary IPs should be used in the backend pool but we want to confirm the correct approach.
Second, when we expand to HA in the future by adding a second F5 device, can both devices be configured with the same VIP IPs such as 10.1.1.11 and 10.1.1.12? And since Azure does not support floating IPs moving between VMs, we understand ALB health probes handle failover, so in that case should the ALB backend pool contain the Primary Self IPs of both devices?
Please advise on the correct design for both standalone and HA scenarios.
1 Reply
Hi PowerRangers,
Here are some pointers you can follow:
Standalone deployment:
- Backend pool should reference the F5’s Primary Self‑IP (10.1.1.10), NOT the VIP secondary IPs.
- DO NOT put the VIPs (10.1.1.11 / 10.1.1.12) in the Azure Load Balancer backend pool.
- One ALB can handle multiple VIPs: YES. A single Azure Load Balancer can forward to multiple VIPs on the same F5.
Future Active/Standby HA:
- Both F5 devices will have the same VIP secondary IPs on their NICs (Azure requirement).
- F5 Cloud Failover Extension (CFE) or Azure LB health probes will determine which is active.
- Backend pool of Azure LB should contain Primary Self‑IPs of BOTH devices.
- Failover is handled by Azure LB + CFE (no floating IPs, no gratuitous ARP in Azure), and Azure health probes determine the active F5 node.
Let me know if you are looking for more details.
HTH
F5 Design Engineer
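As an added example, not part of the thread or of any F5/Azure tooling, here is a small pre-deployment check that encodes the reply's backend-pool rules for both the standalone and the HA layout; the second device's self IP 10.1.1.20 is a constructed value for illustration.

```python
"""Lint a planned BIG-IP / Azure Load Balancer design against the guidance above."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class BigIp:
    name: str
    self_ip: str                              # primary self IP on the external NIC
    vips: set = field(default_factory=set)    # secondary IPs used as virtual servers


def check_design(subnet: str, devices: list, backend_pool: set) -> list:
    """Return a list of findings; an empty list means the design matches the guidance."""
    net = ipaddress.ip_network(subnet)
    findings = []
    self_ips = {d.self_ip for d in devices}
    all_vips = set().union(*(d.vips for d in devices))
    # every address must live in the external subnet
    for addr in sorted(self_ips | all_vips | backend_pool):
        if ipaddress.ip_address(addr) not in net:
            findings.append(f"{addr} is outside {subnet}")
    # the pool must hold the primary self IP of each device and nothing else
    for d in devices:
        if d.self_ip not in backend_pool:
            findings.append(f"{d.name}: primary self IP {d.self_ip} missing from backend pool")
    for addr in sorted(backend_pool & all_vips):
        findings.append(f"VIP {addr} must not be a backend pool member")
    for addr in sorted(backend_pool - self_ips - all_vips):
        findings.append(f"{addr} in backend pool is neither a self IP nor a VIP")
    # self IPs must be unique per device; HA peers must carry the same VIP set
    if len(self_ips) != len(devices):
        findings.append("two devices share a primary self IP")
    for d in devices[1:]:
        if d.vips != devices[0].vips:
            findings.append(f"{d.name} VIPs {sorted(d.vips)} differ from {devices[0].name}")
    return findings


if __name__ == "__main__":
    vips = {"10.1.1.11", "10.1.1.12"}
    standalone = [BigIp("bigip1", "10.1.1.10", vips)]
    print(check_design("10.1.1.0/24", standalone, {"10.1.1.10"}))   # [] -> OK
    # HA with a common mistake: a VIP in the pool and the second device left out
    ha = [BigIp("bigip1", "10.1.1.10", vips), BigIp("bigip2", "10.1.1.20", vips)]
    for f in check_design("10.1.1.0/24", ha, {"10.1.1.10", "10.1.1.11"}):
        print("FINDING:", f)
```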