Hello, I ma having bad times while creating deployment in AWS from templates without internet access:https://github.com/F5Networks/f5-aws-cloudformation-v2I already deployed yaml and runtime package on apache server in VPC. Based on tcpdump, the F5s are doenloading configuration files correctly. But then there is some wget timeout in EC2 Console. I think its trying to download some other stuff, yet I have no idea how to modify the runtime package. Can even open it via tar or gzip.Does anyone know how to do this? Customer does not want to allow internet access and proxy is not supported by CFT templates. Thank you Best regards

Hi,It sounds like you have not deployed VPC Endpoints in your environment, you will need these for failover to work. Please see this document - https://github.com/F5Networks/f5-aws-cloudformation-v2/blob/main/examples/DEPLOYMENT-TRAFFIC-FLOWS.mdThe process to modify the location of configuration files is documented in the input parameters - https://github.com/F5Networks/f5-aws-cloudformation-v2/tree/main/examples/failover#template-input-parameters

Hello, thank you for your reply, I moved forward now stucked at:GPG PUB Key location: https://f5-cft.s3.amazonaws.com/f5-bigip-runtime-init/gpg.keyWhich timeouts :(. Best regards

Hello, I am moving forward, now stucked at:+ f5-bigip-runtime-init --config-file /config/cloud/runtime-init.conf --skip-telemetry024-10-09T14:45:54.733Z [13134]: info: MAC address found for 1.1: 06:f2:15:df:16:7f2024-10-09T14:45:54.736Z [13134]: info: Primary IP for 06:f2:15:df:16:7f: 172.31.3.2002024-10-09T14:45:54.739Z [13134]: info: ip and mask for 06:f2:15:df:16:7f: 172.31.3.200/242024-10-09T14:45:54.754Z [13134]: info: Interface:1.12024-10-09T14:45:54.755Z [13134]: info: MAC address found for 1.1: 06:f2:15:df:16:7f2024-10-09T14:45:54.759Z [13134]: info: Primary IP for 06:f2:15:df:16:7f: 172.31.3.2002024-10-09T14:45:54.762Z [13134]: info: ip and mask for 06:f2:15:df:16:7f: 172.31.3.200/24And nothing is happening. Cant enter the device so no clue :). not sure about the routing and how the routing through VPC endpoint exactly works Thank you Best regards

What is the first error in the CFT logs? That will tell what is failing. I have attached the screen shot of the VPC endpoints from my isolated environment that works with F5 example CFTs. You have deployed an ec2 instance connect endpoint, not an ec2 api endpoint. You will need the VPC endpoints as listed here - https://github.com/F5Networks/f5-aws-cloudformation-v2/blob/main/examples/DEPLOYMENT-TRAFFIC-FLOWS.md . AWS has documented how VPC interface endpoints were here - https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html and how gateway endpoints work here - https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html. The Deployment-Traffic-Flows document describes how routing on BIG-IP changes during automated onboarding which influences which route tables and subnets in AWS need the route added to their route tables.

Unable to create F5 in AWS via CFT - no internet access

Heath_Parrott
Employee
Oct 08, 2024
Hi,

It sounds like you have not deployed VPC Endpoints in your environment, you will need these for failover to work. Please see this document - https://github.com/F5Networks/f5-aws-cloudformation-v2/blob/main/examples/DEPLOYMENT-TRAFFIC-FLOWS.md

The process to modify the location of configuration files is documented in the input parameters - https://github.com/F5Networks/f5-aws-cloudformation-v2/tree/main/examples/failover#template-input-parameters
Jan_Loukota
Nimbostratus
Oct 09, 2024
Hello,

thank you for your reply, I moved forward now stucked at:
GPG PUB Key location: https://f5-cft.s3.amazonaws.com/f5-bigip-runtime-init/gpg.key
Which timeouts :(.

Best regards

Heath_Parrott

Employee

Oct 09, 2024

Hi,

Have you placed a copy of the key in the same location as the runtime init files?

bigIpRuntimeInitPackageUrl

https://cdn.f5.com/product/cloudsolutions/f5-bigip-runtime-init/v1.5.0/dist/f5-bigip-runtime-init-1.5.0-1.gz.run

string

Supply a URL to the bigip-runtime-init package.

You will need to deploy AWS VPC S3 endpoints for CFE to work properly and the CFTS require that several other VPC endpoints be deployed - https://github.com/F5Networks/f5-aws-cloudformation-v2/blob/main/examples/DEPLOYMENT-TRAFFIC-FLOWS.md That may be the easier path.

Jan_Loukota
Nimbostratus
Oct 09, 2024
Hello,

I am moving forward, now stucked at:
+ f5-bigip-runtime-init --config-file /config/cloud/runtime-init.conf --skip-telemetry
024-10-09T14:45:54.733Z [13134]: info: MAC address found for 1.1: 06:f2:15:df:16:7f
2024-10-09T14:45:54.736Z [13134]: info: Primary IP for 06:f2:15:df:16:7f: 172.31.3.200
2024-10-09T14:45:54.739Z [13134]: info: ip and mask for 06:f2:15:df:16:7f: 172.31.3.200/24
2024-10-09T14:45:54.754Z [13134]: info: Interface:1.1
2024-10-09T14:45:54.755Z [13134]: info: MAC address found for 1.1: 06:f2:15:df:16:7f
2024-10-09T14:45:54.759Z [13134]: info: Primary IP for 06:f2:15:df:16:7f: 172.31.3.200
2024-10-09T14:45:54.762Z [13134]: info: ip and mask for 06:f2:15:df:16:7f: 172.31.3.200/24
And nothing is happening. Cant enter the device so no clue :).

not sure about the routing and how the routing through VPC endpoint exactly works

Thank you

Best regards
- Heath_Parrott
  Employee
  Oct 09, 2024
  What is the first error in the CFT logs? That will tell what is failing. I have attached the screen shot of the VPC endpoints from my isolated environment that works with F5 example CFTs. You have deployed an ec2 instance connect endpoint, not an ec2 api endpoint. You will need the VPC endpoints as listed here - https://github.com/F5Networks/f5-aws-cloudformation-v2/blob/main/examples/DEPLOYMENT-TRAFFIC-FLOWS.md . AWS has documented how VPC interface endpoints were here - https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html and how gateway endpoints work here - https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html. The Deployment-Traffic-Flows document describes how routing on BIG-IP changes during automated onboarding which influences which route tables and subnets in AWS need the route added to their route tables.
Jan_Loukota
Nimbostratus
Oct 09, 2024
Hello Heath,

the error is:
Embedded stack arn:aws:cloudformation:eu-central-1:187459682462:stack/BIGG-BigIpInstance01-KA2Y71Z1W0H6/ae001fb0-8664-11ef-9ff7-061566941dc5 was not successfully created: The following resource(s) failed to create: [Bigip2NicInstance].
Do you want me to share yaml files?

I am re-creating the Endpoints as described.

Thank you very much

Best regards
- Heath_Parrott
  Employee
  Oct 09, 2024
  Have you subscribed to the offer you are calling in AWS marketplace (This is common - If you have not subscribed you will never see an instance deploy to EC2, failure of the deployment takes about 15 minutes)? Did you select an instance type that is supported or is there a capacity issue ( m5.2xl or m5.xl are safe buts but we support many instance types - this is less common? If the instance deployed but was deleted it was either a lack of another resource (check for other errors in the CFT logs) or the CloudFormation VPC endpoint was not reachable (in this case you will see the CFT running and get stuck at the end).
  
  If these things do not work the follow the manual deployment methods as documented.
Jan_Loukota
Nimbostratus
Oct 09, 2024
I did subscribed. Yes it dies after 15m. Instance type is default one.

Will share some snipets that might be causing troubles.
- having my own bucket with copied repository

- using my apache http server with needed files
we want to use BYOL but I dont have license yet, wanted to do that after or generate trials for a moment
AMI package correcponds to ALL with two boot locations

- not sure here about the S3 gateway, from link you provided there are multiple routes attached to it, but I dont understand what is needed there.

- changed startup init not to contact internet

changed to fetch files locally from my apache

Is there a posibility that you may see a part where I am doing really wrong?

Thank you very much

Best regards
Heath_Parrott
Employee
Oct 09, 2024
IIRC correctly you will need the license keys to deploy the instances via the CFTs for BYOL, deploying manually from the marketplace you do not. In the child stack deployment of the instance do you see this event?

7:04 UTC-0500

Bigip2NicInstance

CREATE_IN_PROGRESS

-

Received SUCCESS signal with UniqueId i-xxxxxxxxxx
Jan_Loukota
Nimbostratus
Oct 10, 2024
..
Jan_Loukota
Nimbostratus
Oct 10, 2024
..
Jan_Loukota
Nimbostratus
Oct 10, 2024
Now I am getting Startup success, nothing in logs, just rollback after some time. Seems to be problem with Declarative onboarding ....
024-10-10T13:04:18.768Z [13232]: silly: ipcalc function resolved first element: 172.31.1.1 of provided IPv4 CIDR
+ [[ 1 -eq 0 ]]
++ date +%Y-%m-%dT%H:%M:%S.%3NZ
+ echo '2024-10-10T06:04:28.686Z : Startup Script Finish'
2024-10-10T06:04:28.686Z : Startup Script Finish
+ rm -f /tmp/6337.tmp

And error CFT: The following resource(s) failed to create: [Bigip2NicInstance].

Failed to receive 1 resource signal(s) within the specified duration

It might be failing on activation of license. Based on https://github.com/F5Networks/f5-aws-cloudformation-v2/blob/main/examples/DEPLOYMENT-TRAFFIC-FLOWS.md how did you achive to reach the activation portal?

But the PAYG template is not even having the license part in YAML, so not the case here.

Thank you

Forum Discussion

Unable to create F5 in AWS via CFT - no internet access

Recent Discussions

SSL bridging without SSL proxy forward

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

F5 Health Monitor Receive String as JSON

Cloudflare True-Client-IP as Persistence

Related Content

unable create service case in my.f5.com

Create a DevCentral account

Unable to Create UCS files

Unable to access GUI

Create an Internet exposed HTTPS Load-Balancer on Volterra with Terraform (Origin handled by a Volterra node)

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS