Note: This template uses BIG-IQ 6.1.0 and BIG-IP 13.1.1. Looking for BIG-IQ 7.x releases? Check out this other git repository
To deploy this CFT in AWS, complete the following steps.
Note: This template is not supported in the Paris region and in AWS GovCloud.
-
To get a BIG-IQ trial license, go to F5 Cloud Edition Trial.
Select BIG-IP Cloud Edition - Advanced Web Application Firewall
-
Subscribe and accept the Terms and Conditions for these F5 products:
-
Setting up an IAM resource for the Service Scaling Group
-
Launch the trial stack template by right-clicking this button and choosing Open link in new window:
(new VPC/demo app)
-
In the CloudFormation Template (CFT), populate this information:
- Stack name (must be fewer than 25 characters)
- Subnets in each availability zone (AZ1 and AZ2) (ensure they are not the same)
- If you did not do it previously, accept the BIG-IQ and BIG-IP license terms by visiting the URLs specified, clicking Continue to Subscribe, and accepting terms
- BIG-IQ Centralized Management (CM) License Key (from F5 trial BIG-IQ Console Node)
- BIG-IQ Data Collection Device (DCD) License Key (from F5 trial BIG-IQ Data Collection Device)
- BIG-IP WAF License Pool Key (from F5 trial BIG-IP VE Trial, Adv WAF, Per App VE, 3 Instances, used for the SSG)
- SSH Key (your AWS key pair name)
- SSG CloudFormation Stack Name (must be unique and fewer than 25 characters)
Expected time: ~5 min
-
Open the EC2 console and wait until the BIG-IQ instances are fully deployed.
- Instance State: running
- Status Checks: 2/2 checks passed
Expected time: ~5 min
-
Use admin user and your AWS SSH key to SSH into the BIG-IQ DCD instance, then execute the following commands:
# bash # /config/cloud/setup-dcd.sh- When prompted, enter a password for BIG-IQ. You will use this same password again on the BIG-IQ CM instance. Details on prohibited characters.
- Let the scripts finish before moving to the next step.
Expected time: ~2 min
-
Use admin user and your AWS SSH key to SSH into the BIG-IQ CM instance, then execute the following commands:
# bash # /config/cloud/setup-cm.sh- Enter the AWS access key ID/secret key (used for the Service Scaling Group object creation), BIG-IQ and BIG-IP passwords.
- The password must match the password you used on the BIG-IQ DCD instance in the previous step.
- The password for BIG-IP must pass the basic pam_cracklib checks (e.g.,
olleH!321olleH!321), which ensure that the password:- Does not contain dictionary words.
- Is not a palindrome.
- Is not too simple.
- Let the scripts finish before moving to the next step.
Expected time: ~30 min
Note: the AWS access key ID/secret key requires full access permissions for the following AWS resources: Auto Scale Groups, Instances, SQS, S3, CloudWatch, and CloudFormation. Additionally, you need list, create, and delete permissions for the IAM role/rolePolicy/InstanceProfile. For quicker testing, assign a AdministratorAccess policy to your keys.
-
Open BIG-IQ CM in a web browser by using the public IP address with https, for example:
https://<public_ip>If you have new VPC/demo app
- Use the username
admin. - Click the Applications tab > APPLICATIONS. An application demo protected with an F5 Web Application Firewall (WAF) is displayed.
- You can manage the Service Scaling Group by clicking the Applications tab > ENVIRONMENTS > Service Scaling Groups.
If you have an existing VPC/no demo app
- Use the username
admin. - You can manage the Service Scaling Group by clicking the Application tab > ENVIRONMENTS > Service Scaling Groups.
- Click the Applications tab > APPLICATIONS. Create. Select
Default-f5-HTTPS-WAF-lb-template.- Name: your application name
- Domain Names: your application domain names (e.g. ELB DNS name)
- Environment: select the available Service Scaling Group
- Name of Classic Load Balancer: the name of your ELB (EC2 > Load Balancing > Load Balancers)
- Listeners: your application ports (e.g. TCP/443 - TCP/443 and TCP/80 - TCP/80)
- Servers's IP Address: your application server's IP addresses
- Use the username
For more information, go to the BIG-IP Cloud Edition Knowledge Center.
-
Open BIG-IQ CM in a web browser by using the public IP address, for example:
https://<public_ip>- Delete the application, under Applications tab > APPLICATIONS, select the application, then click Delete.
Expected time: ~5 min
- Delete the Service Scaling Group, under Application tab > ENVIRONMENTS > Service Scaling Groups, select the AWS SSG, then Delete.
Expected time: ~15 min
-
Open the Cloud Formation Console and delete the stack.
Expected time: ~10 min
- In the BIG-IQ UI, if the application deployment fails, click Retry.
- In the BIG-IQ UI, check the BIG-IQ license on the Console Node and Data Collection Device (System > THIS DEVICE > Licensing) and the BIG-IP license pool (Devices > LICENSE MANAGEMENT > Licenses).
- In the BIG-IQ UI, check the Cloud Environment to ensure all the information is populated correctly (Applications > ENVIRONMENTS > Cloud Environments).
- In the BIG-IQ CLI, check the following logs: /var/log/restjavad.0.log and /var/log/orchestrator.log.
- In AWS Marketplace, ensure you have subscribed and accepted the terms for F5 products.
- In AWS CFT Console, check the CFT status, make sure it is COMPLETED.
- In AWS IAM Console, confirm the Access Key has the necessary permissions.
- In AWS EC2 Console, check the Activity History in the Auto Scaling Group.
Copyright 2014-2019 F5 Networks Inc.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Individuals or business entities who contribute to this project must have completed and submitted the F5 Contributor License Agreement.