Awesome! Quick question, can i route that "Alien range" across different VPCS?

Hi Sebastian, yes - but you have to use a Transit Gateway to route between your VPCs. Transit Gateways were released in late 2018, and they will allow you to route between multiple VPCs. Prior to this, you needed to manage VPC peering relationships individually, and these peering relationships did not allow you to route a non-VPC IP range. (The other option prior to the release of Transit Gateways was to build IPSec VPN connections yourself between VPCs and I have not covered that here).

Thanks Michael.

Yes i didnt want to go down the IPsec vpn route.

I need to test this out ASAP 😄

Hello Michael! Thanks for the article. Quick question. Since bigip-1 and bigip-2 are on different AZs, and that means different subnets, how did you solve the default route after you clustered? Not the management routes, the TMOS routes (because they sync these stuff)... Cheers, Rafael!

Hi Rafael, I deployed this template from F5's supported sample templates. I recommend doing the same. The template deployment configures default routes into a LOCAL_ONLY partition on each device, so that this default route for a device does not sync to the paired device.

Hello Michael, thank you for the article, it is really interesting and very useful for us because our desgin don't include EIPs. In case, F5 can't connect to the Internet, do you have workaround for this situation ? Br

Hi Amintej, glad to hear it's useful. 2 things I can think to say in response: 1. If using the template I did, you will need internet connectivity from the BIG-IP, at least at the time of the template deployment. This is because the template includes instructions to download certain required packages at the time of deployment (like the HA iApp), as well as do things like license the device. If you don't have this connectivity, you'll need to set this up manually (out of scope of this article). If using the template I have used, it actually needs internet access through both the mgmt interface and the ext interface. 2. The API call that is made at time of failover requires access to the internet from the BIG-IP. So this automatic update of the AWS route won't work without it. However, you could still make this API call yourself. You could write a script that updates the AWS route, along with any other things you need to do in case one of your AZ's becomes unreachable, for example, you may have application-level settings within your app to update in a real failover/disaster. So you could get by if your BIG-IP devices cannot reach the Internet. You'd need to manually deploy them and set them up (license, etc), and then script the failover scenario (updating AWS routes) yourself. Let me know if this helps!

hi @Michael OLeary

So let me get this straight...when i setup HA across AZ's for the purpose of load balancing internal services within a VPC. Failover wont work if my F5's dont have internet access?

Hi Sebastian. Failover of the devices will work without Internet access. The standby device will become active at the time of failover. However, if you'd like to have an AWS route automatically updated with an API call (which can be easily set up with the HA iApp), then you'll need the BIG-IP to be able to make an HTTPS connection to the (public) AWS API endpoint. The alternative would be to script this route update yourself for your failover scenario. Does that make sense?

Thanks Michael thats what i thought. Makes sense.

HI Michael, one more question. So the F5 will failvoer.. (great .. thats normal)... Let me know if you can shed some light, how would i go about scripting this? would i do something on the f5? or would i use another server that requires access ? DM if you want 😄

Hi Sebastian, no problem. Likewise feel free to DM me. Yes, the F5 failover part is normal, and yes, updating any AWS routes automatically will require an API call. If you don't want to let the HA iApp set that up for you, you could script yourself. Consider this out of scope of this article, but you'll need to consider: a) you need to make a AWS API call to update the specific routes you have b) you can do this using a AWS cli command from a Windows or Linux box that has Internet access c) you should have some failure detection mechanism so that you can run this script when it is required. Obviously it's easier to let the HA iApp set this up, but if you have other non-F5 things to do at the time of failover, like update your application, then you could script this as part of your whole recovery activity. However, if you don't already use the AWS API for your own processes, I would recommend just using the HA iApp, especially to start with as you learn.

Cool, thanks .. last question 😄 can i use the API Gateway to handle this? (Does that make sense) ?

One more 😄 .. can i use aws cloud watch to watch the failure of the f5 and when a failure occurs use a lamda function to call the api to failover the routes ?

Hi Sebastian, I don't see why not, but I'd consider that beyond the recommendations of this article, because I haven't tested it. I like the idea though, getting those native services to do it instead of a different server. This is all to avoid allowing the BIG-IP appliance to access the internet and make the API call, right? Perhaps you could have the BIG-IP initiate that at failover, but use your own tools? If possible, could you research that and let us know how it works out? I'd be very interested in seeing that set up with tools that allowed you to make that AWS update without having the BIG-IP access the Internet via API call. I think for supportability though, the iApp is still the best bet.

Great, info.. I'm working on deploy BIG-IP in AWS with HA across AZ’s with EIP’s in my case. Do you have any details around how to get routing setup and configured between F5 and the backed servers in AWS?

Thanks,

Hi Wildzfor, if you are going to use EIPs, you still use a supported template and the HA iApp. Unless you SNAT all of your traffic to your backend servers, you are going to need a route in AWS so that return traffic from the backend servers routes out of the same BIG-IP device that it came in through. That's where the HA iApp can update it automatically for you. Follow the documentation and let us know how you go.

Hello,we deployed a VPC endpoint and enable private DNS for the endpoint indside Security VPC, with this configuration you can call to AWS API using public domains because inside the VPC the public urls are internally resolved to private addresses. We tested failover succefully.

That is so interesting amintej, thanks for sharing that!

This is a great write up. Thx!

Hello, I am doing the same scenario, almost the same architecture, I wanted to know about the iapp template, I kept asking myself for an elastic-ip to continue the display, what should I do or write there? , or how should that iapp be configured when the architecture has been defined the same as you have indicated?

Hi Omar, you should choose "No, do not configure high availability across Availability Zones" from the field above and then you will not enter any EIP. I know this sounds counter-intuitive, but that field is assuming you will use EIP's. In this architecture discussed, we are not using EIP's.

Also - at this point you should really be using the Cloud Failover Extension (CFE) which was released about a year ago, and is mentioned in an update to the article above. The CFE allows you to declare a failover configuration as a JSON template, and that iApp is no longer the way to do it going forward into the future.

Feel free to email me or reach out directly if you need help.

hello, michael, first thank you for your support, I have some questions:

1.- "should really be using the Cloud Failover Extension (CFE)" do you mean that I can no longer use the iapp ha? or will it stop working?

2.- regarding CFE, I am having a lot of trouble following the documentation https://clouddocs.f5.com/products/extensions/f5-cloud-failover/latest/userguide/quickstart.html I don't know if there is another article where Explain better, I am following the steps and when I run the api rest https: // {{host}} / mgmt / shared / cloud-failover / info I get another message from the one shown in the guide.

Now about the statements that are placed in the API, I don't know what should be put exactly in the json and where that should be put in the postman.

If it is possible you could indicate your email to make your queries is only the final part of a deployment that I am doing, only that I am missing, my email is jenciso@securesoftcorp.com, do you have any email?

Hi Omar

1. The iApp won't stop working, it is just being deprecated. I just downloaded the latest iApp templates from downloads.f5.com and it included the AWS HA iApp, with a helpful ReadMe txt file that included this line: "The planned EoSD/EoTS/EoL date for this iApp template is 12/31/20." Also, you can check out this KB article for details about iApp deprecation: https://support.f5.com/csp/article/K13422.
2. Good job on starting with the CFE! I'll gladly help you out over email and we can set up a call if needed. I'll shoot you an email now.

Mike.

Hi,Michael, I'm doing poc just like what your article's description.Did you have some more detail guide or setup manual  which I can follow to setup my POC more easily?

  Thanks!

Qiang 

I know it is a while ago, but big kudos on keeping an article updated with more recent developments. Cloud is moving fast.

Awesome  Articale  with great info  ..!!!