Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

BIG-IP in Azure? Are You Serious?

Greg_Coward
F5 Employee
F5 Employee

on ‎12-Nov-2015 10:23

Why yes, I am and It’s true!  F5 is now in the Azure Marketplace.  Now enterprises can make use of the same services, features, and functionality in the Azure cloud as they have for years in their private datacenters. So step right up and be the first kid on your block to their very own BIG-IP in Azure!   That’s my one sales pitch; promise.  Still, it’s pretty cool. 


Cloud-only Deployments - Currently, the BIG-IP in Azure is only supported in single-arm mode.  While not as flexible as the traditional multi-arm design, the majority of modules can be deployed.

For example, a BIG-IP with LTM, APM, and ASM, and AFM, (see right) can be deployed in front of a multi-tier application providing L7 traffic optimization, secure access,and a WAF.  For more information on the various BIG-IP modules and services definitely checkout out F5’s site.

0151T000003d6bUQAQ.png


Hybrid Deployments - For larger hybrid deployments, you can add BIG-IP DNS, (formerly Global Traffic Manager) into your deployment, (see below) to provide additional high availability and optimization.  Here’s a short demo from the recent Microsoft Ignite conference showing this functionality.  Note: The actual demo starts at the 18:05 mark).

Additionally, a BIG-IP on premises can be utilized to establish a secure IPsec tunnel between the data center and Azure.

0151T000003d6bVQAQ.png

 

Deploying and Configuring the BIG-IP

     


Azure Marketplace - The following steps show how I have deployed the BIG-IP from the Azure Marketplace.  For detailed guidance on deploying, refer to the relevant documentation available at support.f5.com.


 
0151T000003d6bWQAQ.png

Step 1 – From the Azure portal, (https://.portal.azure.com) select ‘New’ --- ‘Security + Identity’ ---- F5 BIG-IP VE.  There are a number of options to choose from base upon the modules and bandwidth required.  Currently, the VE is only offered as BYOL, (Bring Your Own License) model.  So the version you choose will not be relevant as the license you apply will dictate the level of functionality.  In this instance, I have selected the ‘BEST’ version.

Under the deployment model blade, select ‘Create’.  You will notice that Resource Manager is the only option for deploying the BIG-IP from the marketplace.




Step 2 – Provide the basic deployment information.  In this instance, I am utilizing password authentication rather than SSH public key.  With that said, both options are available.

Select ‘OK’ to continue to deployment step 2.

0151T000003d6bXQAQ.png
0151T000003d6bYQAQ.png


Step 3 – Depending upon the version of BIG-IP selected, a variety of VM sizes are recommended.  Additionally, you can view all sizes and select accordingly.  You will want to ensure you have selected a VM size that is sufficient for the number of modules required and anticipated traffic.

For my deployment, since I intend to make use of LTM, APM, and ASM modules I have selected ‘Standard_A3’.  Choose ‘Select’ to continue.


Step 4 – On the next blade you will select various options related to storage and networking.  In my example, I have elected to go with the default settings, (i.e. new storage account, virtual network, subnet, etc.).

IMPORTANT- Currently, the BIG-IP is not compatible with Azure diagnostics.  Therefore, you need to ensure diagnostics are disabled at both storage and monitoring levels, (see right).  Choose ‘OK’ to continue.

0151T000003d6bZQAQ.png


0151T000003d6baQAA.png


Step 5 – After reviewing the Summary and Offer Details screens select ‘OK’ and ‘BUY” respectively to continue.  The BIG-IP, along with the associated infrastructure objects, will now be deployed.

0151T000003d6bbQAA.png

 


After the deployment process completes, you will be able to view the BIG-IP’s information as well as configure inbound security rules.

0151T000003d6bcQAA.png



A Few Key Points - There a few key points to remember with respect to the BIG-IP Azure edition.


Management Interface and HTTPS Virtual Server Conflicts –
If the BIG-IP is going to include an HTTPS virtual server and you intend to use the GUI interface to configure the BIG-IP, it will be necessary to modify the default management port to avoid conflicts.  Additionally, you must setup an inbound security rule on the newly created network security group, (NSG) object.

By default and SSH endpoint map entry is created.  At a minimum, to allow for application access, for example HTTPS, you will need to create an additional security rule, (see right).  If you require external management as well you can modify the BIG-IP’s to eliminate port conflict.  This will require accessing the BIG-IP via SSH and running a few simple commands.  Refer to the official deployment guidance for configuration steps.

Afterwards, it’s simply a matter of connecting to your BIG-IP’s management GUI for licensing, provisioning, and configuring.
Like I said, “Pretty Cool”.

0151T000003d6bdQAA.png


Single-Arm Mode - Currently, during the provisioning process, the BIG-IP will be a preconfigured with a single interface, VLAN, and Self-IP.

Addressing – The Self-IP address will be provided via Azure IaaS DHCP.  With that said, it is possible to deploy the BIG-IP via PowerShell to configure static addressing.  This Self-IP address will be used for both management access as well as for application access, (virtual server address).  Securing access to the management GUI and SSH access can be controlled through network security group, (NSG) inbound security rules.

Licensing - The current release of F5’s BIG-IP in Azure makes use of BYOL, (Bring Your Own License).  Just reach out to you F5 account rep or reseller for licensing options.


Additional Links:

BIG-IP in Azure Deployment Guidance

The BIG-IP Platform and Microsoft Azure: Application Services in the Cloud

Connecting to Windows Azure with the BIG-IP

Understanding Network Virtual Appliances | Microsoft Ignite 2015 | Channel 9  - Brief demo of the above referenced hybrid architecture starts at the 18:05 mark.

BIG-IP in Azure Walkthrough Video

0 Kudos
Comments
rangara10_75278
Nimbostratus
Nimbostratus
‎31-Mar-2016 16:03
Not sure why there are screen shots of the ADFS-related stuff in this article. Perhaps the images for this article were mixed up with an older one.
0 Kudos
Dave_20158
Nimbostratus
Nimbostratus
‎30-Jun-2016 06:26
Thanks for the article, helpful in understanding the limitations in Azure and the need for single arm mode. When running through the initial configuration guide, be sure to select finish prior to the networking config, otherwise it will error and tell you the management IP is the same as the self-ip.
0 Kudos
f51
Nimbostratus
Nimbostratus
‎14-Sep-2017 14:28

Hello Sir,

 

I am trying deploy f5 HA in Azure. I am using azure arm template from gihub/f5 and we have our own subnets and networks.

 

can you please guide me with the steps.

 

Thanks in advance.

 

0 Kudos
Version history
Last update:
‎12-Nov-2015 10:23
Updated by:
F5 Employee
Contributors
Copyright © 2023 Khoros, LLC