Why yes, I am, and it’s true! F5 is now in the Azure Marketplace. Now enterprises can make use of the same services, features, and functionality in the Azure cloud as they have for years in their private datacenters. So step right up and be the first kid on your block to have their very own BIG-IP in Azure! That’s my one sales pitch; promise. Still, it’s pretty cool.
Cloud-only Deployments - Currently, the BIG-IP in Azure is only supported in single-arm mode. While not as flexible as the traditional multi-arm design, the majority of modules can be deployed.
For example, a BIG-IP with LTM, APM, ASM, and AFM (see right) can be deployed in front of a multi-tier application, providing L7 traffic optimization, secure access, and a WAF. For more information on the various BIG-IP modules and services, definitely check out F5’s site.
Hybrid Deployments - For larger hybrid deployments, you can add BIG-IP DNS (formerly Global Traffic Manager) into your deployment (see below) to provide additional high availability and optimization. Here’s a short demo from the recent Microsoft Ignite conference showing this functionality. (Note: The actual demo starts at the 18:05 mark.)
Additionally, a BIG-IP on premises can be utilized to establish a secure IPsec tunnel between the data center and Azure.
Deploying and Configuring the BIG-IP
Azure Marketplace - The following steps show how I have deployed the BIG-IP from the Azure Marketplace. For detailed guidance on deploying, refer to the relevant documentation available at support.f5.com.
Step 1 – From the Azure portal (https://portal.azure.com), select ‘New’ > ‘Security + Identity’ > ‘F5 BIG-IP VE’. There are a number of options to choose from based upon the modules and bandwidth required. Currently, the VE is only offered under a BYOL (Bring Your Own License) model, so the version you choose will not be relevant, as the license you apply will dictate the level of functionality. In this instance, I have selected the ‘BEST’ version.
Under the deployment model blade, select ‘Create’. You will notice that Resource Manager is the only option for deploying the BIG-IP from the marketplace.
Step 2 – Provide the basic deployment information. In this instance, I am utilizing password authentication rather than SSH public key. With that said, both options are available.
Select ‘OK’ to continue to deployment step 2.
Step 3 – Depending upon the version of BIG-IP selected, a variety of VM sizes are recommended. Additionally, you can view all sizes and select accordingly. You will want to ensure you have selected a VM size that is sufficient for the number of modules required and anticipated traffic.
For my deployment, since I intend to make use of the LTM, APM, and ASM modules, I have selected ‘Standard_A3’. Choose ‘Select’ to continue.
Step 4 – On the next blade you will select various options related to storage and networking. In my example, I have elected to go with the default settings (i.e. new storage account, virtual network, subnet, etc.).
IMPORTANT - Currently, the BIG-IP is not compatible with Azure diagnostics. Therefore, you need to ensure diagnostics are disabled at both storage and monitoring levels (see right). Choose ‘OK’ to continue.
Step 5 – After reviewing the Summary and Offer Details screens, select ‘OK’ and ‘BUY’ respectively to continue. The BIG-IP, along with the associated infrastructure objects, will now be deployed.
After the deployment process completes, you will be able to view the BIG-IP’s information as well as configure inbound security rules.
A Few Key Points - There are a few key points to remember with respect to the BIG-IP Azure edition.
Management Interface and HTTPS Virtual Server Conflicts – If the BIG-IP is going to include an HTTPS virtual server and you intend to use the GUI to configure the BIG-IP, it will be necessary to modify the default management port to avoid conflicts. Additionally, you must set up an inbound security rule on the newly created network security group (NSG) object.
By default, an SSH endpoint map entry is created. At a minimum, to allow for application access (for example, HTTPS), you will need to create an additional security rule (see right). If you require external management as well, you can modify the BIG-IP’s management port to eliminate the port conflict. This will require accessing the BIG-IP via SSH and running a few simple commands. Refer to the official deployment guidance for configuration steps.
Afterwards, it’s simply a matter of connecting to your BIG-IP’s management GUI for licensing, provisioning, and configuring. Like I said, “Pretty Cool”.
Single-Arm Mode - Currently, during the provisioning process, the BIG-IP will be preconfigured with a single interface, VLAN, and Self-IP.
Addressing – The Self-IP address will be provided via Azure IaaS DHCP. With that said, it is possible to deploy the BIG-IP via PowerShell to configure static addressing. This Self-IP address will be used for both management access and application access (the virtual server address). Access to the management GUI and SSH can be controlled through network security group (NSG) inbound security rules.
Licensing - The current release of F5’s BIG-IP in Azure makes use of BYOL (Bring Your Own License). Just reach out to your F5 account rep or reseller for licensing options.
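Because single-arm mode puts management and application traffic on the same Self-IP, the NSG inbound rules are what separate the two. The following is an added example (not from the original article or from F5) that audits a rule list written with Azure's security-rule field names; the sample rules are constructed, and 8443 as the relocated management port is an assumption.

```python
# Added example; sample rules are constructed and 8443 is an assumed management port.
ANY_SOURCE = {"*", "internet", "0.0.0.0/0"}
MGMT_PORTS = {22: "SSH", 8443: "management GUI"}
APP_PORTS = {443: "HTTPS virtual server"}

def mk_rule(name, priority, access, source, ports):
    """Build an inbound TCP rule using Azure's security-rule field names."""
    return {"name": name, "priority": priority, "direction": "Inbound",
            "access": access, "protocol": "Tcp",
            "sourceAddressPrefix": source, "destinationPortRange": ports}

def port_matches(spec, port):
    """True if a port spec ('*', '443' or '8000-9000') covers the port."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def deciding_rule(rules, port):
    """Rule deciding TCP traffic from any Internet source (lowest priority number wins)."""
    inbound = [r for r in rules if r["direction"] == "Inbound"]
    for r in sorted(inbound, key=lambda r: r["priority"]):
        if r["protocol"] not in ("*", "Tcp"):
            continue
        if r["sourceAddressPrefix"].lower() not in ANY_SOURCE:
            continue  # scoped to named sources, so it does not decide for everyone
        if port_matches(r["destinationPortRange"], port):
            return r
    return None  # no match: the default deny-all-inbound rule applies

def audit(rules):
    """List management ports open to any source and app ports that are blocked."""
    findings = []
    for port, label in MGMT_PORTS.items():
        r = deciding_rule(rules, port)
        if r and r["access"] == "Allow":
            findings.append(f"EXPOSED {label} tcp/{port} via {r['name']}")
    for port, label in APP_PORTS.items():
        r = deciding_rule(rules, port)
        if not r or r["access"] != "Allow":
            findings.append(f"BLOCKED {label} tcp/{port}")
    return findings

SAMPLE_RULES = [  # constructed sample, not taken from a real deployment
    mk_rule("allow-ssh", 1000, "Allow", "*", "22"),
    mk_rule("allow-https", 1010, "Allow", "*", "443"),
    mk_rule("allow-mgmt-admin", 1020, "Allow", "203.0.113.10/32", "8443"),
]
```

Calling `audit(SAMPLE_RULES)` reports the SSH rule as exposed, since it allows any source, while the management GUI rule passes because it is scoped to a single admin address.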
Thanks for the article, helpful in understanding the limitations in Azure and the need for single arm mode. When running through the initial configuration guide, be sure to select finish prior to the networking config, otherwise it will error and tell you the management IP is the same as the self-ip.