F5 NGINXaaS for Azure: Multi-Region Architecture

The F5 NGINXaaS for Azure offering recently announced general availability. Trust me...I've been using it and having fun! In this article, I will show you an example hub and spoke architecture using GitHub Actions and Azure Functions to automate NGINX configurations. As a bonus, I have code on GitHub that you can use to deploy this example.

Topics Covered:

 

NGINXaaS for Azure Architecture Explained

The NGINXaaS for Azure architecture consists of an F5 subscription as well as customer subscription.

  • F5 subscription - hidden from user, NGINX Plus instances, control plane, data plane
  • Customer subscription - eNICs from VNet Injection, customer network stack, customer workloads

F5 Subscription

The NGINXaaS offering creates NGINX Plus instances and other related components like NGINX control plane and data plane resources in the F5 subscriptions. These items are not visible to the end user, and therefore result in the operational tasks of upgrades and scaling being managed by the NGINXaaS offering instead of the user.

Each NGINX deployment, like other Azure services, is regional in nature. If you need to deploy NGINX closer to the client, then this will require multiple NGINX deployments (ex. westus2, eastus2). Each NGINX deployment will have a unique listener address. You can then use DNS to send clients to an NGINX deployment in the nearest region. Here is an example diagram.

Customer Subscription

The customer subscription has items like network stacks, Key Vaults, monitoring, application workloads, and more. The NGINX deployment automatically creates ethernet NICs (eNICs) in the customer subscription using VNet Injection and subnet delegation. The eNICs are deployed inside their own Azure Resource Group. They receive IP addressing from the customer VNet and are indeed visible by the user. However, there is no management needed with the eNICs because they are part of the NGINX deployment.

Note: In my testing during public preview, I have noticed that Azure lets you manually remove subnet delegation for the NGINX service. Warning...do NOT do this. It will break traffic flow.

Hub and Spoke Architecture

You can easily make a hub and spoke design with NGINX in the mix using VNet peering. This is a great use case when required to use a shared NGINX deployment across different VNets, environments, or scaling workloads across multiple regions. Recall from earlier that an NGINX deployment will automatically create eNICs in the customer subscription. Therefore, you can control the entry point into the customer environment and the traffic flows.

For example, configuring NGINX to use a customer shared VNet with peering gives you a hub and spoke design such as the picture below. This results in the NGINX eNICs being deployed into a customer Shared VNet (hub). Meanwhile the customer places workloads into their own VNets (spokes).

Demo Code

If this is the first time deploying NGINXaaS for Azure in your subscription, then you will need to subscribe to it in the marketplace.

  1. Search for “F5 NGINXaaS for Azure” in marketplace or follow this link
  2. Select F5 NGINXaaS for Azure and choose "Public Preview" and subscribe

Time to play with code! Click the link below and review the README to deploy the demo example. There are prerequisites to follow. For example, you need to have a GitHub repository that stores the NGINX configuration files. You also need to have an Azure Key Vault and secret containing your GitHub access token. These are explained in the README.

GitHub repo - F5 NGINXaaS for Azure Deployment with Demo Application in Multiple Regions

After the deployment is done, you have a few options on how to handle NGINX configurations. I will share examples in future articles, but for now go ahead and explore on your own. Refer to the NGINXaaS for Azure documentation "NGINX Configuration" to get started.

Summary

This article gives an example architecture for deploying the NGINXaaS for Azure offering. I shared details on the different NGINX components, and I also shared demo code to help you explore the solution on your own!

Contact us with any questions or requirements. We would love to hear from you!

Resources

Updated Mar 19, 2024
Version 6.0
  • hi jeff am using below access policy , but my ip subnet match whitelisted IP not  taking CMEternal path , can i get any irule for routing