Note: This template uses BIG-IQ 6.1.0 and BIG-IP 13.1.1. Looking for BIG-IQ 7.x releases? Check out this other git repository
To deploy this ARM template in Azure cloud, complete the following steps.
Note: This template is not supported in the regions where Microsoft/insights is not available
- To get a BIG-IQ trial license, go to F5 Cloud Edition Trial.
  Select BIG-IP Cloud Edition - Advanced Web Application Firewall.
- Enable programmatic deployment for these F5 products:
  - F5 BIG-IQ Virtual Edition - (BYOL) or F5 BIG-IQ Centralized Manager (BYOL): Navigate to Home > Marketplace > F5 BIG-IQ BYOL > Configure Programmatic Deployment
  - F5 BIG-IP VE – ALL (BYOL, 1 Boot Location): Navigate to Home > Marketplace > F5 BIG-IP VE – ALL (BYOL, 1 Boot Location) > Configure Programmatic Deployment
- Setting up a Service Principal Account for the Service Scaling Group
- Launch the trial stack template by right-clicking this button and choosing Open link in new window:
- In the ARM Template, populate this information:
  - Resource group (select existing or create new)
  - Admin user name (default value is azureuser)
  - Authentication type (password or ssh key string)
  - Password / sshPublicKey for the BIG-IQ Data Collection Device (DCD) and Centralized Management (CM) instances (you will connect to the instances by using these credentials)
  - BIG-IQ password (management console's password)
  - Service principal secret (identity string created during app registration)
  - Azure client ID (under app registration, the Application ID)
  - License keys for CM, DCD, and BIG-IP
  - Location (the default is the resource group's location; change if you want to deploy the resources in another location)
    Note: This template is not supported in the regions where Microsoft/insights is not available (example of supported region: East US, Southeast Asia, Canada Central, West Europe, Central India, UK South, more to come in Q1 2019)
  - Service Scaling Group (SSG), DCD, and CM instance names (must be fewer than 25 characters)
- Accept the terms and conditions and launch the cloud deployment.
  Expected time: ~30 min
- Open BIG-IQ CM in a web browser by using the public IP address with https, for example: https://<public_ip>
  If you have a new VNET/demo app
  - Use the username admin.
  - Click the Applications tab > APPLICATIONS. An application demo protected with an F5 Web Application Firewall (WAF) is displayed.
  - You can manage the Service Scaling Group by clicking the Applications tab > ENVIRONMENTS > Service Scaling Groups.
  If you have an existing VNET/no demo app
  - Use the username admin.
  - You can manage the Service Scaling Group by clicking the Applications tab > ENVIRONMENTS > Service Scaling Groups.
  - Click the Applications tab > APPLICATIONS. Create. Select Default-f5-HTTPS-WAF-lb-template.
    - Name: your application name
    - Domain Names: your application domain names
    - Environment: select the available Service Scaling Group
    - Listeners: your application ports (e.g. TCP/443 - TCP/443 and TCP/80 - TCP/80)
    - Servers' IP Address: your application servers' IP addresses
For more information, go to the BIG-IP Cloud Edition Knowledge Center.
- F5 strongly recommends that you configure autoshutdown / whitelist the public IP addresses in the network security group you use to access the SSH port of the Azure instances. (This template deploys a network security group with ports 22, 80, and 443 open to the public.)
- Avoid enabling the root account on publicly exposed Azure instances.
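An added example, not part of the F5 template or repository: a pre-deployment check that lists the inbound Allow rules in an ARM template's network security group that expose a given port to any source. It runs on a constructed rule set with ports 22, 80 and 443 open and on one with SSH limited to a placeholder address; the function names, sample rules and 203.0.113.10 are assumptions made for illustration.

```python
# Sources that mean "anyone on the internet" in an NSG rule.
PUBLIC_SOURCES = {"*", "internet", "0.0.0.0/0"}

def port_in_spec(port, spec):
    """True if port matches an NSG port spec: '22', '20-25' or '*'."""
    spec = str(spec).strip()
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    try:
        return int(lo) <= port <= int(hi or lo)
    except ValueError:  # unresolved template expression such as [parameters('p')]
        return False

def public_inbound_rules(template, port):
    """Names of inbound Allow rules that expose `port` to a public source."""
    found = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.network/networksecuritygroups":
            continue
        for rule in res.get("properties", {}).get("securityRules", []):
            p = rule.get("properties", {})
            if (p.get("direction", "").lower(), p.get("access", "").lower()) != ("inbound", "allow"):
                continue
            sources = [p.get("sourceAddressPrefix")] + p.get("sourceAddressPrefixes", [])
            ports = [p.get("destinationPortRange")] + p.get("destinationPortRanges", [])
            if any(s and s.lower() in PUBLIC_SOURCES for s in sources) and \
               any(r and port_in_spec(port, r) for r in ports):
                found.append(rule.get("name"))
    return found

def rule(name, port, source):
    """Build one constructed inbound Allow rule for the sample templates."""
    return {"name": name, "properties": {
        "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": source, "destinationPortRange": port}}

def nsg(rules):
    """Wrap constructed rules in a minimal ARM template with one NSG resource."""
    return {"resources": [{"type": "Microsoft.Network/networkSecurityGroups",
                           "name": "example-nsg",
                           "properties": {"securityRules": rules}}]}

# Constructed samples: ports 22, 80 and 443 open to any source, then SSH limited
# to one admin address (203.0.113.10 is a documentation-range placeholder).
OPEN_NSG = nsg([rule("ssh", "22", "*"), rule("http", "80", "*"), rule("https", "443", "*")])
RESTRICTED_NSG = nsg([rule("ssh", "22", "203.0.113.10/32"), rule("http", "80", "*"),
                      rule("https", "443", "*")])

if __name__ == "__main__":
    print("open template, SSH exposed by:", public_inbound_rules(OPEN_NSG, 22))
    print("restricted template, SSH exposed by:", public_inbound_rules(RESTRICTED_NSG, 22))
```

Rule values written as template expressions are not resolved and are never flagged, so also run the check on the template with its parameters substituted.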
- If you want to preserve other resources in the group, delete only the resources that were created. You can find these resources under Resource Group > Deployments. Otherwise, you can delete the entire resource group.
- An SSG resource group was also created; it has SSG in its name. Find and delete this group.
- In the BIG-IQ UI, if the application deployment failed, click Retry.
- In the BIG-IQ UI, check the BIG-IQ license on Console Node and Data Collection Device (System > THIS DEVICE > Licensing) and the BIG-IP license pool (Devices > LICENSE MANAGEMENT > Licenses).
- In the BIG-IQ UI, check the Cloud Environment to ensure all of the information is populated correctly (Applications > ENVIRONMENTS > Cloud Environments).
- In the BIG-IQ CLI, check the following logs: /var/log/setup.log, /var/log/restjavad.0.log, and /var/log/orchestrator.log.
- In the Azure Marketplace, ensure that programmatic deployment is enabled for F5 products.
- In Azure Active Directory, ensure that app registration has the necessary permissions for API access, to delegate permissions to other users, and to add the users to the owner list of app registration.
- Ensure you assigned the contributor role (RBAC) to the scope of the current resource/subscription associated with the app registration.
- If you encounter a MarketPurchaseEligibility error while deploying the template, check the availability of BIG-IP and BIG-IQ.
  For example, for BIG-IP:
  Get-AzureRmMarketplaceTerms -Publisher "f5-networks" -Product "f5-big-ip-byol" -Name "f5-big-all-1slot-byol" | Set-AzureRmMarketplaceTerms -Accept
- If the cloud provider test connection fails, ensure the service principal associated with the application has all required permissions. If the cloud provider connection is still unsuccessful, restart the instances and check again.
- When you deploy an application by using automated scripts, only one SSG is supported. To deploy more than one SSG and associate an application with it, follow the manual configuration process.
- If you encounter the following error:
  "message":"Value 'ip10-azureinternal-f5' used in property 'properties.dnsSettings.domainNameLabel' of resource 'ubuntu-ip-xyz' (microsoft.network/publicipaddresses) is invalid
  Edit the template to change the value under the loadBalancerDnsName parameter of the linkedTemplate. (The deployment can fail when there is an existing public IP resource with the same name.)
- If you encounter the following error:
  Error {u'message': u"The subscription is not registered for the resource type 'components' in the location 'westus'. Please re-register for this provider in order to have access to this location.", u'code': u'MissingRegistrationForLocation'}
  This is caused by recent changes in Azure Application Insights GA in some regions. Try deploying the quickstart in a different location.
  Note: This template is not supported in the regions where Microsoft/insights is not available (example of supported region: East US, Southeast Asia, Canada Central, West Europe, Central India, UK South, more to come in Q1 2019)
- If you encounter the following error:
  The value of parameter linuxConfiguration.ssh.publicKeys.keyData is invalid
  Ensure that sshPublicKey is given in the OpenSSH convention, for example in the following format: ssh-rsa keyData user@domain
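An added example, not from the F5 repository: a local check that a string is a one-line OpenSSH public key whose type prefix matches the type encoded in the key data and whose length-prefixed fields are complete, which catches PEM blocks and truncated pastes before they reach the sshPublicKey parameter. The function names and the sample key (a constructed, unusable blob) are assumptions, and passing the check does not guarantee that Azure accepts the key type.

```python
import base64
import struct

def _fields(blob):
    """Split an SSH key blob into its length-prefixed fields (RFC 4251 strings)."""
    out, i = [], 0
    while i < len(blob):
        if i + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[i:i + 4])
        if i + 4 + n > len(blob):
            raise ValueError("field runs past end of key data")
        out.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return out

def check_openssh_public_key(text):
    """Return (ok, reason) for a single-line '<type> <keyData> [comment]' key."""
    text = text.strip()
    if "\n" in text or text.startswith("---"):
        return False, "multi-line or PEM/SSH2 block, not a one-line OpenSSH key"
    parts = text.split(None, 2)
    if len(parts) < 2:
        return False, "expected '<type> <keyData> [comment]'"
    key_type, key_data = parts[0], parts[1]
    try:
        fields = _fields(base64.b64decode(key_data, validate=True))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return False, f"bad key data: {exc}"
    if len(fields) < 2 or fields[0] != key_type.encode():
        return False, "type prefix does not match the type inside the key data"
    return True, "ok"

def _ssh_string(b):
    """Encode bytes as a 4-byte big-endian length followed by the data."""
    return struct.pack(">I", len(b)) + b

# Constructed sample: correctly framed blob with a dummy modulus, not a usable key.
_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
         + _ssh_string(b"\x00" + b"\xc3" * 32))
SAMPLE_KEY = "ssh-rsa " + base64.b64encode(_BLOB).decode() + " user@domain"

if __name__ == "__main__":
    for candidate in (SAMPLE_KEY, "-----BEGIN RSA PUBLIC KEY-----",
                      "ssh-rsa " + SAMPLE_KEY.split()[1][:-8]):
        print(check_openssh_public_key(candidate))
```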
Copyright 2014-2019 F5 Networks Inc.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Individuals or business entities who contribute to this project must have completed and submitted the F5 Contributor License Agreement.