
Microsoft Azure

BIG-IP Setup Guide


F5 Networks V1.1

July, 2016
Contents

1. Introduction
2. BIG-IP Standalone Deployment
2.1. Setting Microsoft Azure (for BIG-IP Standalone deployment)
2.1.1. Dashboard
2.1.2. Creating Resource Groups
2.1.3. Creating Web Application Servers
2.1.4. Creating BIG-IP
2.1.5. Configuring Server load-balancing on BIG-IP
[Reference] Changing the settings of WordPress for SSL offloading
2.2. Accessing Virtual Server for test
3. BIG-IP Redundant Deployment
3.1. Setting Microsoft Azure (BIG-IP Redundant Deployment)
3.1.1. Creating 2nd BIG-IP (BIP-VE002)
3.1.2. Changing Inbound Security Rules
3.1.3. Activating License to BIG-IP
3.1.4. Setting Config-Sync between BIG-IPs
3.1.5. Confirming that Config-Sync is working
3.1.6. Setting Azure Load Balancer
3.1.7. Confirming Public IP address of Azure Load Balancer
3.2. Accessing the public IP address of Azure Load Balancer
4. Microsoft Azure Security Center F5 WAF Solution
4.1. F5 WAF Network diagram
4.2. Setting summary of already deployed web service
4.2.1. Resource Group
4.2.2. Web Application servers
4.2.3. Azure Load Balancer
4.2.4. Setting F5 WAF from Security Center
4.2.5. Pseudo attack test
4.2.6. Confirming objects created automatically
[Reference] Confirm current quota and request a quota increase
5. Conclusion
6. Appendix: Connecting between Resource Groups with IPSec-VPN
6.1. Adding Gateway Subnets
6.2. Creating Public IP addresses
6.3. Creating Virtual Network Gateways
6.4. Setting Connections
6.5. Test


1. Introduction
The objective of this document is to guide you through setting up BIG-IP in Microsoft Azure.

By deploying BIG-IP from the Azure Marketplace, you can use advanced L4-L7 load-balancing functions in Azure.

Additionally, you can add Web Application Firewall, SAML federation and other modules to the BIG-IP.

If you deploy two BIG-IPs behind Azure Load Balancer, you can build a redundant BIG-IP system.

This guide explains the typical setup approach step by step, with screenshots, to facilitate a smooth setup of BIG-IP in Azure.

This guide assumes that you have purchased a valid F5 license (the BYOL image is used). If not, contact F5 sales to obtain an evaluation license.

2. BIG-IP Standalone Deployment
First, assuming no redundancy, you deploy a network like the following diagram in Azure.

Two WordPress virtual machines from the Azure Marketplace are used as the web application in this guide.

Separate resource groups are used for the BIG-IPs and for the web applications.

If you want to delete and rebuild all web applications quickly, the easiest way is to delete the resource group that contains them. If the BIG-IPs were in the same resource group, they would be deleted at the same time, so the resource groups are separated in this guide.

To allow the redundant BIG-IP deployment with Azure Load Balancer in section 3, an Availability Set is assigned to the BIG-IP when it is created. (To be a backend pool member of the Azure LB, a VM must be in an Availability Set, and Azure does not allow this setting to be changed after the VM is created.)

2.1. Setting Microsoft Azure (for BIG-IP Standalone deployment)

In this section you set up a standalone BIG-IP that load-balances the web application servers in Microsoft Azure.

2.1.1. Dashboard

When you log in to Azure, you see a dashboard like the following.

[Reference] If you want to change the language of the Azure console, click the icon circled in red in the screenshot above.

2.1.2. Creating Resource Groups

This section guides you to create the two resource groups shown in the BIG-IP Standalone Deployment network diagram.

2.1.2.1. Resource Group for Web Applications

(1) Click "Resource Groups", then click the "+" button in the screen that appears.

(2) Define the following settings in the screen that appears.

Resource group name: a name of your choice
Subscription: the subscription to use (Pay-As-You-Go in this guide)

2.1.2.2. Resource Group for BIG-IPs

In the same way as above, create the resource group for the BIG-IPs (BIP-RG001 in this guide) with a name of your choice.

2.1.3. Creating Web Application Servers

This section explains how to create the virtual machines of the web application in their resource group.

2.1.3.1. WordPress (1st)

(1) Click "Virtual Machines", then click the "+" button in the screen that appears.

(2) Enter "wordpress" in the search form, select WordPress, and push the "Create" button.

(3) Define the settings as follows in the "Basics" screen.

Name: a name of your choice (wordpress001 in this guide)
User name: the user name for logging in to the VM
Authentication type: "Password" is selected in this guide
Password: the password for logging in to the VM
Subscription: the subscription to use (Pay-As-You-Go in this guide)
Resource group: check "Use existing" and select the resource group you created for the web applications

(4) Select the size of the virtual machine. "A0" was selected in this guide.

(5) Nothing is set in the optional features screen in this guide. Click the "OK" button.

(6) Click the "OK" button after checking the summary of the VM settings.

(7) Click the "Purchase" button after checking the price.

2.1.3.2. WordPress (2nd)

In the same way as the 1st one, create a second virtual machine (wordpress002 in this guide) for the WordPress application.

2.1.3.3. Setting DNS name

Set a DNS name for each of the two web application servers so that their public IP addresses can be resolved through DNS. (When you define pool members on the BIG-IP, you will use these DNS names instead of IP addresses.)

(1) Click "Browse", search for "Public IP addresses", and select "Public IP addresses".

(2) Click "wordpress001".

(3) Click "Configuration" in the Settings column. Enter a hostname of your choice (ex: wp001) in the DNS name label and push the Save icon.

[Reference] The DNS name label must be unique within japaneast.cloudapp.azure.com (the domain of the region used in this guide). Azure checks automatically whether the label you enter is unique; if a check mark appears in the form, the label is available.

(4) In the same way as above, configure wordpress002. Enter a hostname different from the one above (ex: wp002) in the DNS name label and push the Save icon.

This completes the creation of the web application servers.

2.1.4. Creating BIG-IP

This section guides you to create a BIG-IP as a virtual machine and to import the license into it.

2.1.4.1. Boot up BIG-IP as a virtual machine

(1) Click "Virtual Machines", then click the "+" button in the screen that appears.

(2) Enter "F5" in the search form and select the image you want to deploy.

(3) "F5 BIG-IP ADC GOOD (LTM) - BYOL" was selected in this guide. Push the "Create" button.

(4) Define the following settings in the screen that appears.

Name: a name of your choice (BIP-VE001 in this guide)
User name: the user name for logging in to the VM
Authentication type: "Password" is selected in this guide
Password: the password for logging in to the VM
Subscription: the subscription to use (Pay-As-You-Go in this guide)
Resource group: check "Use existing" and select the resource group you created for the BIG-IPs

(5) Select the size of the virtual machine. "A11" was selected in this guide.

(6) Next is the optional features screen. Two settings are needed.

a) BIG-IP in Azure does not support Monitoring, so select "Disabled" for it.
b) Create an "Availability Set" and assign it to the BIG-IP. The Availability Set is needed when you set up BIG-IP redundancy in section 3. (It is not possible to assign one after the VM is created, so it has to be created and assigned when the VM is created.)

In the screenshot: [1] select "Disabled" in Monitoring, [2] click Availability set, [3] click to create a new one, [4] enter a name of your choice, and [5] push the OK button.

(7) The two values are changed as follows. Click the "OK" button.

(8) Click the "OK" button after checking the summary of the VM settings.

(9) Click the "Purchase" button after checking the price.

(10) It takes about 15 minutes to create the BIG-IP. When the status changes to "Running" as follows, it is complete.

2.1.4.2. Changing Inbound Security Rules

The inbound security rules of the network security group attached to the BIG-IP allow only SSH (TCP/22) by default.

To access the WebUI of the BIG-IP, you have to add a rule that allows HTTPS (TCP/443).

(1) Check the current inbound security rules and add an HTTPS (TCP/443) rule.

You can see the rules by clicking: "Virtual machines" => "BIP-VE001" => "Settings" => "Network interfaces" => "bip-ve0016(*)" => "Settings" => "Network security group" => "BIP-VE001" => "Settings" => "Inbound security rules"
(*) This name was assigned automatically to the NIC of the BIG-IP by Azure, so the value differs depending on your environment.

Only SSH (TCP/22) is allowed by default. To add HTTPS (TCP/443), click the "+" button.

(2) To allow HTTPS (TCP/443), define the settings as follows. It takes about 30 seconds or more for the rule to be applied.

Name: a name of your choice
Protocol: TCP
Destination port range: 443

[Note] The rule as shown allows the port from any source. TCP/22 and the WebUI port (TCP/443 here, TCP/8443 after section 2.1.4.4) are management ports of the BIG-IP, so set the Source of those rules to the CIDR block of the addresses your operators connect from instead of "Any". Only the port that serves the virtual server to the public (TCP/443 after section 2.1.4.4) needs to be open to the Internet.

(3) The HTTPS (TCP/443) rule was added as follows.

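Checking a network security group for exposed management ports, as an added example that is not part of this guide. The script evaluates inbound rules the way an NSG does (the matching rule with the lowest priority number decides; an Internet source that matches no custom rule hits the built-in DenyAllInBound rule) and reports which BIG-IP management ports an arbitrary public address can reach. The rule list is a constructed sample in the shape of the ARM securityRules properties (the field names `az network nsg rule list` prints); the rule names, the operator range 203.0.113.0/24 and the probe address are assumptions, not values from this guide.

```python
"""Audit an Azure NSG's inbound rules for exposed BIG-IP management ports.

Added example, not part of the F5 guide. Rule dictionaries use the ARM
securityRules property names (name, priority, direction, access, protocol,
sourceAddressPrefix / sourceAddressPrefixes, destinationPortRange /
destinationPortRanges). SAMPLE_RULES is a constructed sample, not captured
from Azure; it mirrors this section: Azure's default SSH rule plus the new
HTTPS rule, both open to any source, and an assumed 8443 rule limited to an
assumed operator range (203.0.113.0/24).
"""
import ipaddress

# Ports that reach BIG-IP management services in this deployment:
# SSH, the WebUI default port, and the WebUI port chosen in section 2.1.4.4.
MANAGEMENT_PORTS = {22: "SSH", 443: "WebUI (default port)", 8443: "WebUI (moved port)"}

SAMPLE_RULES = [  # constructed
    {"name": "default-allow-ssh", "priority": 1000, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "22"},
    {"name": "allow-https", "priority": 1010, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "443"},
    {"name": "allow-webui-8443-operators", "priority": 1020, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
     "destinationPortRange": "8443"},
]


def _port_matches(rule, port):
    """True if one of the rule's destination ranges ("*", "443", "8000-8443") covers port."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _source_matches(rule, source_ip):
    """True if the rule's source covers source_ip.

    "*" and the Internet service tag cover any public client. Other service
    tags (VirtualNetwork, AzureLoadBalancer, ...) are not CIDRs and never
    match a client coming from the Internet, so they are skipped.
    """
    prefixes = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    ip = ipaddress.ip_address(source_ip)
    for prefix in prefixes:
        if prefix in ("*", "Internet"):
            return True
        try:
            if ip in ipaddress.ip_network(prefix, strict=False):
                return True
        except ValueError:  # a service tag, not a CIDR
            continue
    return False


def is_allowed(rules, port, source_ip, protocol="Tcp"):
    """Evaluate the rules as an NSG does: the matching rule with the lowest
    priority number decides, and an Internet source that matches no custom
    rule hits the built-in DenyAllInBound rule. Returns (allowed, rule_name)."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule.get("direction", "Inbound") != "Inbound":
            continue
        if rule.get("protocol", "*") not in ("*", protocol):
            continue
        if _port_matches(rule, port) and _source_matches(rule, source_ip):
            return rule["access"] == "Allow", rule["name"]
    return False, "DenyAllInBound"


def management_ports_open_to_internet(rules, probe_ip="198.51.100.7"):
    """Return {port: rule_name} for management ports that an arbitrary
    Internet address (probe_ip, a constructed documentation address) can reach."""
    exposed = {}
    for port in MANAGEMENT_PORTS:
        allowed, rule_name = is_allowed(rules, port, probe_ip)
        if allowed:
            exposed[port] = rule_name
    return exposed


if __name__ == "__main__":
    for port, rule_name in management_ports_open_to_internet(SAMPLE_RULES).items():
        print(f"WARNING: {MANAGEMENT_PORTS[port]} TCP/{port} is open to the Internet by rule '{rule_name}'")
```

Against the sample the script flags TCP/22 and TCP/443, which is exactly the state this section leaves the NSG in, while the 8443 rule limited to the operator range is reported as closed to the probe address. After the WebUI has been moved to 8443 in section 2.1.4.4, remove 443 from MANAGEMENT_PORTS, because from then on it serves the virtual server and is meant to be public.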
2.1.4.3. Activating license to BIG-IP

These steps explain how to access the BIG-IP WebUI and how to activate the BIG-IP license.

(1) You can see the public IP address of the BIG-IP by clicking "Virtual machines" => "BIP-VE001".

(2) Access the public IP address with HTTPS (TCP/443) by entering it into the address bar of a web browser on a PC connected to the Internet.

Ex) https://104.41.184.151/

Log in to the BIG-IP with the username and password you specified when you created the VM.

(3) Push the "Next" button.

(4) Push the "Activate" button.

(5) Enter the license key that you purchased into the "Base Registration Key" field and push the "Next" button. (The BIG-IP contacts the F5 license server over the Internet to activate the key.)

(6) The EULA (End User License Agreement) is shown. Push the "Accept" button.

(7) After a few seconds the screen changes as follows. Push the "Continue" button.

(8) "Resource Provisioning" appears. Only LTM is used in this guide, and it is provisioned by default, so push the "Next" button.

(9) The next screen shows the device certificate that the BIG-IP has (a self-signed certificate generated at first boot). Push the "Next" button.

(10) Define the hostname, time zone, and password for login.

Host Name: a name of your choice (ve001.f5jp.azure in this guide; this also becomes the device name used for Config-Sync in section 3)
Time Zone: select your time zone
Password: a password of your choice

In this guide, the same username and password that were specified when the BIG-IP VM was created are entered again.

(11) After making the changes above you need to log in again with the username and password you specified in the previous screen.

(12) Push the "Finished" button.

(13) This is just confirmation. Click "Network" => "VLANs". You will find that the VLAN was created automatically.

(14) This is just confirmation. Click "Network" => "Self IPs". You will find that the self IP was set on the internal VLAN.

(15) This is just confirmation. Click "Network" => "Routes". You will find that the default route was set automatically.

(16) This is just confirmation. Click "System" => "Configuration" => "Device" => "DNS". You will find that the DNS server was set automatically.

2.1.4.4. Changing the port number for accessing the WebUI

In Azure, currently only one NIC is allowed per VM (as of July 2016).

The BIG-IP in Azure is also a VM, so this limitation applies to it too: the management WebUI and the virtual servers that serve client traffic share the single self IP address. The HTTPS (TCP/443) virtual server configured later in "Configuring Server load-balancing on BIG-IP" would therefore collide with the WebUI on the same port.

Therefore, you have to change the TCP port used to access the BIG-IP WebUI from HTTPS (TCP/443) to a different port number (this example uses 8443).

This section guides you to do that.

(1) Log in to the BIG-IP with SSH.

Ex) If you use TeraTerm:

Host: the public IP address assigned to the BIG-IP
User name: the user name you specified when you created the BIG-IP VM
Authentication: check "Use challenge/response to log in (keyboard-interactive)"
Password: the password you specified when you created the BIG-IP VM

(2) Enter the following commands in the CLI.

[admin-admin@ve001:Active:Standalone] ~ # tmsh
admin-admin@(ve001)(cfg-sync Standalone)(Active)(/Common)(tmos)#
(The prompt is long, so "(tmos)#" is used instead of it below.)

<Change the port for accessing the WebUI from 443 to 8443>

(tmos)# list sys httpd ssl-port          <= Confirm the current value
sys httpd {
    ssl-port 443
}
(tmos)# modify sys httpd ssl-port 8443   <= Change the port number
(tmos)# list sys httpd ssl-port          <= Confirm the value after the change
sys httpd {
    ssl-port 8443
}

<Change the filtering rules of the self IP>

The self IP accepts only the services listed in "net self-allow defaults" (the "Allow Default" port lockdown setting of the self IP), so the new WebUI port has to be added there and the old one removed.

(tmos)# list net self-allow defaults     <= Confirm the current value
net self-allow {
    defaults {
        igmp:any
        ospf:any
        pim:any
        tcp:domain
        tcp:f5-iquery
        tcp:https                        (TCP/443 is allowed)
        tcp:snmp
        tcp:ssh
        udp:520
        udp:cap
        udp:domain
        udp:f5-iquery
        udp:snmp
    }
}
(tmos)# modify net self-allow defaults add { tcp:8443 }     <= Add TCP/8443
(tmos)# modify net self-allow defaults delete { tcp:443 }   <= Delete TCP/443
(tmos)# list net self-allow              <= Confirm the value after the change
net self-allow {
    defaults {
        igmp:any
        ospf:any
        pim:any
        tcp:domain
        tcp:f5-iquery
        tcp:pcsync-https                 (TCP/8443 was added; tmsh shows it by its service name "pcsync-https". TCP/443 was deleted)
        tcp:snmp
        tcp:ssh
        udp:520
        udp:cap
        udp:domain
        udp:f5-iquery
        udp:snmp
    }
}
(tmos)# save sys config                  <= Save the config to the configuration file

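A check for the port conflict this section works around, as an added example that is not part of this guide. It parses the brace-style output of `tmsh list sys httpd ssl-port`, `tmsh list net self-allow` and `tmsh list ltm virtual`, and reports when the WebUI port collides with a virtual server's port or is not admitted by the self-allow list. The httpd and self-allow listings are constructed from the before/after output shown above; the virtual server listing is an assumption modelled on the HTTPS (443) virtual server built later in this guide, with the assumed name wordpress-vs. Running it against the before and after states shows why 443 had to become 8443 and why both tmsh changes are needed.

```python
"""Detect the single-NIC management/virtual-server port conflict on a BIG-IP.

Added example, not part of the F5 guide. It parses the brace-style output of
three tmsh commands (list sys httpd ssl-port, list net self-allow,
list ltm virtual). The listings below are constructed from the before/after
output shown in this section; the virtual server listing is an assumption
modelled on the HTTPS(443) virtual server built later in this guide, with the
assumed name wordpress-vs.
"""
import re

# Service names tmsh prints instead of numbers (from /etc/services) for the
# ports that appear on this page.
SERVICE_PORTS = {"https": 443, "pcsync-https": 8443, "ssh": 22, "snmp": 161,
                 "domain": 53, "f5-iquery": 4353}

# Constructed tmsh listings.
HTTPD_BEFORE = "sys httpd {\n    ssl-port 443\n}\n"
HTTPD_AFTER = "sys httpd {\n    ssl-port 8443\n}\n"
SELF_ALLOW_BEFORE = """net self-allow {
    defaults {
        igmp:any
        tcp:domain
        tcp:f5-iquery
        tcp:https
        tcp:snmp
        tcp:ssh
        udp:520
        udp:domain
        udp:snmp
    }
}
"""
# State after "modify net self-allow defaults add { tcp:8443 }" and "delete { tcp:443 }".
SELF_ALLOW_AFTER = SELF_ALLOW_BEFORE.replace("tcp:https", "tcp:pcsync-https")
VIRTUALS = """ltm virtual wordpress-vs {
    destination /Common/0.0.0.0:https
    ip-protocol tcp
    mask any
    pool wordpress-pool
}
"""


def _port(token):
    """Resolve a tmsh service token ("https", "8443") to a port number, or None."""
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token)


def ssl_port(httpd_listing):
    """WebUI port from 'list sys httpd ssl-port' (the BIG-IP default is 443)."""
    m = re.search(r"ssl-port\s+(\d+)", httpd_listing)
    return int(m.group(1)) if m else 443


def self_allow_tcp_ports(listing):
    """TCP ports admitted to the self IP under 'net self-allow defaults'."""
    ports = set()
    for proto, svc in re.findall(r"^\s*(tcp|udp):(\S+)\s*$", listing, re.M):
        if proto == "tcp" and _port(svc) is not None:
            ports.add(_port(svc))
    return ports


def virtual_listeners(listing):
    """[(name, address, port)] for each virtual server in 'list ltm virtual'."""
    listeners = []
    for name, dest in re.findall(r"ltm virtual (\S+) \{.*?destination\s+(\S+)", listing, re.S):
        dest = dest.rsplit("/", 1)[-1]          # drop the /Common/ partition prefix
        addr, _, svc = dest.rpartition(":")
        listeners.append((name, addr, _port(svc)))
    return listeners


def find_conflicts(httpd_listing, self_allow_listing, virtual_listing):
    """Findings that must be empty on a single-NIC BIG-IP, where management
    and virtual servers share one self IP:
      ("collision", port, vs_name)  - WebUI port equals a virtual server port
      ("self_allow_missing", port)  - WebUI port not admitted by self-allow
    """
    port = ssl_port(httpd_listing)
    findings = [("collision", port, name)
                for name, _addr, vs_port in virtual_listeners(virtual_listing)
                if vs_port == port]
    if port not in self_allow_tcp_ports(self_allow_listing):
        findings.append(("self_allow_missing", port))
    return findings


if __name__ == "__main__":
    print("before:", find_conflicts(HTTPD_BEFORE, SELF_ALLOW_BEFORE, VIRTUALS))
    print("after: ", find_conflicts(HTTPD_AFTER, SELF_ALLOW_AFTER, VIRTUALS))
```

The "before" state reports the collision between the WebUI on 443 and the wildcard virtual server; changing only the ssl-port without touching self-allow reports the WebUI port as not admitted to the self IP, which is the state in which the WebUI becomes unreachable on the new port.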
(3) Back in the Azure portal, add a rule that allows TCP/8443 to the inbound security rules, in the same way as in section 2.1.4.2.

Name: a name of your choice
Protocol: TCP
Destination port range: 8443

(4) The TCP/8443 allow rule was added as follows. Keep the TCP/443 rule as well: from now on it admits client traffic to the virtual server rather than the WebUI. Restrict the Source of the TCP/8443 rule (and of the SSH rule) to the addresses your operators connect from, since these ports now reach only the management interfaces of the BIG-IP.

(5) Access the public IP of the BIG-IP on TCP/8443 with a web browser on a PC connected to the Internet, and confirm that you can see the WebUI of the BIG-IP.

Ex) https://104.41.184.151:8443/

2.1.5. Configuring Server load-balancing on BIG-IP

This section guides you to set up server load balancing on the BIG-IP.

2.1.5.1. Setting Pool

A pool is a set of servers that are load-balanced. Each server in the pool is called a pool member.

A dynamic public IP address in Microsoft Azure can change, for example when the VM is stopped (deallocated) and started again, so you should set the FQDN as the pool member instead of the public IP address. The BIG-IP resolves FQDN nodes through the DNS server that was configured automatically (section 2.1.4.3, step 16). Note that BIG-IP-to-pool-member traffic in this deployment goes to the public addresses of the WordPress VMs as plain HTTP; the Appendix shows how to connect the two resource groups with an IPsec VPN so that private addresses can be used instead.

The following values are used in this guide.

FQDN of wordpress001: wp001.japaneast.cloudapp.azure.com
FQDN of wordpress002: wp002.japaneast.cloudapp.azure.com

(1) Click "Local Traffic" => "Pools" and define the settings as follows in the screen that appears.

Name: a name of your choice (wordpress-pool in this guide)
Health Monitors: select a health monitor for the pool members
Load Balancing Method: select a load-balancing method
New Members: select "New FQDN Node", enter the FQDN of the pool member, enter the service port (80, since the BIG-IP sends HTTP to the pool members), and push the "Add" button. Repeat this for the other pool member.

(2) This is just confirmation. Click the number in the "Members" column of "wordpress-pool".

(3) Confirm that the status of all pool members is green.

2.1.5.2. Setting Virtual Server

The virtual server receives client requests on HTTPS (TCP/443).

Click "Local Traffic" => "Virtual Servers", push the "Create" button in the upper right, and define as follows.

Name: a name of your choice
Destination: the wildcard address 0.0.0.0/0 (**)
Service Port: 443 (HTTPS)
HTTP Profile: select the http profile
SSL Profile (Client): select the clientssl profile, which is prepared by default; it is used in this guide as a simplification
Source Address Translation: "Auto Map" is selected in this guide
~ Omitting ~
Default Pool: select the pool you created
Default Persistence Profile: select cookie persistence

** Considering the redundant configuration in the next section, the wildcard is defined as the destination: the two BIG-IPs have different private (self) IP addresses, and a wildcard destination lets the same virtual server definition be synchronized to both of them unchanged.

[Note] The default clientssl profile uses the self-signed default certificate of the BIG-IP, so browsers warn about it. For production, import a certificate issued by a CA and create a client SSL profile that uses it.

[Reference] Changing the settings of WordPress for SSL offloading

In this guide, client requests on HTTPS (TCP/443) are terminated at the virtual server of the BIG-IP, and the BIG-IP sends the requests to the pool members (WordPress) as HTTP (TCP/80). This is also called SSL offloading.

In this situation WordPress receives the request as HTTP (TCP/80), so it generates "http://~~" links in the HTML body it returns to clients.

No HTTP (TCP/80) virtual server is set up for the application in this guide, so "http://~~" requests from clients will fail.

Therefore, you have to add the following settings to the WordPress configuration file wp-config.php.

(1) Connect to the public IP address of the WordPress VM with SSH, using TeraTerm or PuTTY.
(2) Add the following 3 lines to wp-config.php, directly after the opening "<?php" line and before the comment block ("/**") that follows it:

bitnami@wordpress001:~$ sudo vi /opt/bitnami/apps/wordpress/htdocs/wp-config.php

<?php
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);
$_SERVER['HTTPS'] = 'on';
/**

Setting $_SERVER['HTTPS'] unconditionally is correct here only because clients reach WordPress solely through the HTTPS virtual server; if an HTTP virtual server or direct access to the WordPress VMs is ever allowed, WordPress would generate https:// URLs for those requests as well.

(3) Make the same change on wordpress002, so that both pool members behave identically.

The BIG-IP standalone deployment setting is now completed.

2.2. Accessing Virtual Server for test

Confirm that you can see the WordPress web page when you access the HTTPS (TCP/443) virtual server, i.e. https://<public IP address of the BIG-IP>/ from a web browser.

3. BIG-IP Redundant Deployment
This section shows you how to build a redundant system by adding another BIG-IP, "BIP-VE002" in the following diagram.

Currently in Azure you cannot use all of the redundancy functionality (Device Service Clustering with failover between the devices) that BIG-IP has. So Azure Load Balancer has to do the load-balancing across the two BIG-IPs for redundancy: it health-checks each BIG-IP and stops sending traffic to one that fails.

[Reference URL]
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ve-setup-msft-azure-12-0-0/3.html

You can still set up Configuration Synchronization (Config-Sync) between the two BIG-IPs, so that the virtual server and pool settings are maintained on one device and copied to the other.

3.1. Setting Microsoft Azure (BIG-IP Redundant Deployment)

3.1.1. Creating 2nd BIG-IP (BIP-VE002)

In the same way as for the 1st BIG-IP, create the BIG-IP as a virtual machine, noting two points: place it in the same resource group as BIP-VE001, and in the optional features screen select the existing Availability Set created for BIP-VE001 instead of creating a new one (both BIG-IPs must be in the same Availability Set to be members of the same Azure Load Balancer backend pool).

3.1.2. Changing Inbound Security Rules

Add rules that allow "TCP/443" and "TCP/8443" to the inbound security rules of BIP-VE002, as you did for BIP-VE001. Restrict the source of the TCP/8443 and SSH rules to your operators' addresses here as well.

3.1.3. Activating License to BIG-IP

In the same way as for the 1st BIG-IP, activate the license on the 2nd BIG-IP, BIP-VE002.

3.1.4. Setting Config-Sync between BIG-IPs

3.1.4.1. Confirming private IP addresses of BIG-IPs

Confirm the private IP address that has been assigned to each BIG-IP.

(1) Click "Browse", search for "Network Interfaces", and select it.

(2) Confirm the values of "PRIMARY PRIVATE IP" for the interfaces whose "ATTACHED TO" column shows the hostname of each BIG-IP.

These private IP addresses (10.1.0.4 for BIP-VE001 and 10.1.0.5 for BIP-VE002 in this guide) will be used in the following sections.

3.1.4.2. Setting BIP-VE002

(1) Log in to BIP-VE002 with SSH.

(2) Enter the following commands in the CLI of the BIG-IP.

Note) TCP/443 is needed in the initial steps of the redundancy setting, so do not change the WebUI port of BIP-VE002 to TCP/8443 for now.

a) Enter TMSH.

[admin-admin@ve002:Active:Standalone] ~ # tmsh

b) Disable the Single NIC auto-configuration, so that it does not overwrite the settings made below.

admin-admin@(ve002)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys db provision.1nicautoconfig value disable

c) Confirm that the Single NIC auto-configuration is disabled.

admin-admin@(ve002)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db provision.1nicautoconfig
sys db provision.1nicautoconfig {
    value "disable"
}

d) Set the private IP address, which is assigned as the self IP, as the address to use for Config-Sync. (The device name, ve002.f5jp.azure here, is the hostname you set during license activation.)

admin-admin@(ve002)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify cm device ve002.f5jp.azure configsync-ip 10.1.0.5

e) Save the settings to the configuration file.

admin-admin@(ve002)(cfg-sync Standalone)(Active)(/Common)(tmos)# save sys config

3.1.4.3. Setting BIP-VE001

(1) Log in to BIP-VE001 with SSH.

(2) Enter the following commands in the CLI of the BIG-IP.

a) Enter TMSH.

[admin-admin@ve001:Active:Standalone] ~ # tmsh

b) Disable the Single NIC auto-configuration.

admin-admin@(ve001)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys db provision.1nicautoconfig value disable

c) Confirm that the Single NIC auto-configuration is disabled.

admin-admin@(ve001)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db provision.1nicautoconfig
sys db provision.1nicautoconfig {
    value "disable"
}

d) Set the private IP address, which is assigned as the self IP, as the address to use for Config-Sync.

admin-admin@(ve001)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify cm device ve001.f5jp.azure configsync-ip 10.1.0.4

e) Device trust setting: with this command BIP-VE001 adds BIP-VE002 to its trust domain. BIP-VE002 is authenticated once with its admin credentials; after the device certificates have been exchanged, the two devices authenticate each other with those certificates.

admin-admin@(ve001)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify cm trust-domain Root ca-devices add { 10.1.0.5 } name ve002.f5jp.azure username admin-admin password <PASSWORD>

Replace <PASSWORD> with the password of BIP-VE002. Because the password is typed on the command line, it is kept in the tmsh command history; if that is a concern, add the device from the WebUI under "Device Management" => "Device Trust" instead.

f) Set automatic Config-Sync between the 2 BIG-IPs. Network failover is disabled because, as noted in section 3, BIG-IP failover is not used in Azure; Azure Load Balancer takes that role.

admin-admin@(ve001)(cfg-sync In Sync (Trust Domain Only))(Active)(/Common)(tmos)# create cm device-group DG001 devices add { ve001.f5jp.azure ve002.f5jp.azure } type sync-failover auto-sync enabled network-failover disabled

g) Save the settings to the configuration file.

admin-admin@(ve001)(cfg-sync Standalone)(Active)(/Common)(tmos)# save sys config

3.1.4.4. Initial Config Sync

You have already set "auto-sync" in the previous command, so when you change the configuration on one BIG-IP, it is synchronized to the other BIG-IP automatically. However, the first synchronization has to be done manually.

This has to be done from BIP-VE001 to BIP-VE002, so that the configuration of BIP-VE001 (pool and virtual server) is the one that is kept.

(1) Log in to the WebUI of BIP-VE001 and click "Device Management" => "Overview". In the screen that appears, select the local device (ve001.f5jp.azure) and push the Sync button.

(2) Check the Sync Status to confirm that the initial Config Sync was successful.

3.1.4.5. Setting "TCP/8443" for WebUI of BIP-VE002

When the configuration is synchronized, the following management setting is also synchronized.

(tmos)# list sys httpd ssl-port    <= Confirm the value on BIP-VE002 after the sync
sys httpd {
    ssl-port 8443                  <= The value was synchronized from the other BIG-IP
}

However, the filtering setting of the self IP (net self-allow) is not synchronized, so you have to change it manually.

(1) Log in to BIP-VE002 with SSH. (The WebUI of BIP-VE002 now answers on TCP/8443, which you allowed in its inbound security rules above.)

(2) Enter the following commands in the CLI.

admin-admin@(ve002)(cfg-sync In Sync)(Active)(/Common)(tmos)# modify net self-allow defaults add { tcp:8443 }
admin-admin@(ve002)(cfg-sync In Sync)(Active)(/Common)(tmos)# modify net self-allow defaults delete { tcp:443 }
admin-admin@(ve002)(cfg-sync In Sync)(Active)(/Common)(tmos)# save sys config

3.1.5. Confirming that Config-Sync is working

For example, remove and re-add a health monitor on a pool in one BIG-IP, then confirm that the configuration of the other BIG-IP shows the same setting. "Device Management" => "Overview" should show "In Sync" afterwards.

3.1.6. Setting Azure Load Balancer

Set up Azure Load Balancer to load-balance the 2 BIG-IPs.

(1) Click "Browse", search for "Load balancers", and select it.

(2) Click "+".

(3) Set as follows in the screen that appears, and assign a public IP address. "AzureLB001" was defined as the LB name in this guide.

Name: a name of your choice (AzureLB001)
Public IP address: click "Create new" and enter a name of your choice

(4) Select the resource group you created for the BIG-IPs (check "Use existing" and select BIP-RG001) and push the "Create" button.

(5) Click the "AzureLB001" you created.

(6) It takes about 20 minutes for a public IP address to be assigned to it. You can move on to the next settings without waiting for it.

(7) A Probe is the equivalent of a health monitor in BIG-IP. Set as follows.

Name: a name of your choice
Protocol: TCP
Port: 443

A TCP probe on 443 succeeds as long as the BIG-IP virtual server accepts the connection; it does not check the pool members behind it, which the BIG-IP's own health monitor does.

(8) Next are the backend pool settings. Set as follows.

Name: a name of your choice
Associated to: click and select the Availability Set of the BIG-IPs

(9) The pool settings continue. Select the 2 BIG-IPs as the virtual machines and click OK.

(10) The pool status you set is shown.

(11) Finally, configure the load balancing rule. Set as follows.

Name: a name of your choice
Port: 443
Backend port: 443
Session persistence: select the persistence setting you want

With this, the Azure Load Balancer setting is completed.

3.1.7. Confirming Public IP address of Azure Load Balancer

By clicking the Azure Load Balancer you created, you can see the public IP address that was assigned.

3.2. Accessing the public IP address of Azure Load Balancer

Confirm that you can see the WordPress page by accessing the public IP address with "https://" from a web browser on a PC connected to the Internet.

Ex) https://13.71.150.80

Confirm that you can still see the same page after powering down or rebooting one of the BIG-IPs; the Azure Load Balancer probe detects the failed BIG-IP and sends all traffic to the remaining one.

4. Microsoft Azure Security Center F5 WAF Solution

You can also easily deploy the F5 WAF solution from Microsoft Azure Security Center. This section guides you through configuring it.

4.1. F5 WAF Network diagram

This scenario assumes a customer wants to protect a web application with a WAF after they have already started the service using Azure Load Balancer.

4.2. Setting summary of already deployed web service

4.2.1. Resource Group

4.2.2. Web Applications servers

(1) wordpress003

(2) wordpress004

4.2.3. Azure Load Balancer

(1) Configuration summary (AzureLB002)

(2) Pool settings

(3) Probe (Health Monitor)

(4) Load balancing rule

4.2.4. Setting F5 WAF from Security Center

This section guides you to deploy the F5 WAF from Azure Security Center.

(1) Click "Applications" in Security Center.

(2) Click the public IP address assigned to AzureLB002, and click "Add a web application firewall".

[Note]
In the state used in this guide, wordpress003 and wordpress004 also have public IP addresses, but only the public IP address of AzureLB002 is configured for the WAF service.
The F5 WAF is applied only to AzureLB002. This scenario assumes that wordpress003 and 004 are protected by other means, such as limiting the source IP address with inbound security rules so that the public can reach them only through AzureLB002, while the operator keeps full access to the application servers for maintenance. Without such a restriction the WAF can be bypassed by sending requests directly to the servers' public IP addresses.

(3) Click "Create New" and click the "F5 Networks" icon.

(4) Click the "Create" button in F5 WAF Solution.

(5) Set the hostname and the password for logging in to the F5 WAF.

Hostname: a name of your choice
Password: the password for logging in to the F5 WAF

(6) Enter the license key (registration key) and select the security level and the type of application that you want to protect.

It takes about 30 to 40 minutes for the F5 WAF to be generated.

(7) Set the DNS name of the F5 WAF so that its public IP address can be resolved by DNS, in the same way as for the WordPress servers in section 2.1.3.3.

(8) Click "Applications" in Azure Security Center again.

The status of the public IP address of AzureLB002 is "Pending WAF finalization", which means that the WAF settings are waiting to be finalized.

** If you cannot see the screen below as expected, push the reload button of your web browser to reload the page.

(9) In this scenario, the public IP address of the web service changes from the Azure LB to the F5 WAF, so Azure Security Center asks whether you have already changed the DNS setting. You have already set the DNS name, so check "I updated my DNS record" and click the "Restrict Traffic" button.

(10) Click "Applications" in Azure Security Center again. The public IP address of AzureLB002 has changed to green, which shows that the WAF setting is completed.

** If you cannot see the screen below as expected, push the reload button of your web browser to reload the page.

The F5 WAF setting has been completed.

(11) Login information of the BIG-IP

To log in to the BIG-IP, refer to the following summary. The username is admin and the password is the one you specified when you created the F5 WAF.

          TCP port   Example
Web UI    8443       https://13.71.149.10:8443
SSH       8022       ssh -p 8022 admin@13.71.149.10

4.2.5. Pseudo attack test

Try a pseudo attack against the WordPress page by accessing the virtual server of the F5 WAF.

(1) Append "/test.php" to the URL of the site.

(2) It is blocked as follows.

(3) You can see the attack details if you log in to the BIG-IP.

4.2.6. Confirming objects created automatically

Azure Security Center creates several objects automatically, as follows.

4.2.6.1. New resource group

4.2.6.2. New Azure Load balancer

(1) Summary

(2) LB rules

(3) Azure LB NAT rule-1 (for accessing the WebUI of the BIG-IP on TCP/8443)

(4) Azure LB NAT rule-2 (for accessing the CLI with SSH on TCP/8022)

(5) Availability set (needed for the BIG-IP to become a pool member of the Azure LB).

[Reference] Confirming the current quota and requesting a quota increase

When you want to build two BIG-IPs as a redundant pair using Security Center, you might see an error message because the default "Cores per subscription" quota is 10. The default instance type of the F5 WAF (BIG-IP) is "Standard A4", which has 8 cores, so 16 (8 + 8) cores cannot be deployed with the default quota.

If you want to increase it, you can request an increase from Azure by following these steps.

(1) Click the "?" icon in the upper right and click "New support request".

(2) Define values as follows.

    Select "Quota"
    Select "Cores per subscription"

(3) Define "Problem" as follows.

    Select "Resource Manager"
    Select the location for which you want to increase the quota
    (Here is the current quota)
    Enter the number you want to increase it to

(4) Fill in your contact information and click the "Create" button.

(5) You will receive an e-mail from Microsoft Azure after the above steps. Increase your quota by following the guidelines in the message.
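Before raising the support request, it helps to confirm the numbers from the command line. The script below is an added example, not part of the original guide: it reads the output of the Azure CLI command "az vm list-usage --location <location> -o json" and assumes the regional core quota appears there as the item whose name.value is "cores" (an assumption about the CLI's quota naming). The sample JSON is constructed to mirror the default quota of 10 cores described above, and the defaults of two 8-core instances mirror the two Standard A4 BIG-IPs.

```python
"""Check whether the Azure "Cores per subscription" quota can hold two F5 WAF instances.

Added example, not part of the original guide. It reads the output of
"az vm list-usage --location <location> -o json" (Azure CLI) and assumes the
regional core quota appears there as the item whose name.value is "cores"
(assumption about the CLI's quota naming). The sample JSON below is constructed
to mirror the default quota of 10 cores described in the guide.
"""
import json
import subprocess


def load_usage(location: str) -> list:
    """Fetch the usage list for a region with the Azure CLI (must be installed and logged in)."""
    proc = subprocess.run(
        ["az", "vm", "list-usage", "--location", location, "-o", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout)


def find_quota(usage: list, quota_name: str = "cores"):
    """Return (current, limit) for the named quota, or raise KeyError."""
    for item in usage:
        if item.get("name", {}).get("value") == quota_name:
            return int(item["currentValue"]), int(item["limit"])
    raise KeyError(f"quota {quota_name!r} not found in usage list")


def core_plan(usage: list, vm_count: int = 2, cores_per_vm: int = 8,
              quota_name: str = "cores") -> dict:
    """Compare the cores a deployment needs with the free cores left in the quota.

    Defaults mirror the guide: two Standard A4 (8-core) BIG-IPs = 16 cores.
    new_limit_needed is the value to enter in the quota support request."""
    current, limit = find_quota(usage, quota_name)
    required = vm_count * cores_per_vm
    available = limit - current
    return {
        "current": current,
        "limit": limit,
        "required": required,
        "available": available,
        "fits": required <= available,
        "new_limit_needed": max(limit, current + required),
    }


# Constructed samples in the shape of "az vm list-usage -o json".
SAMPLE_USAGE_DEFAULT = [
    {"currentValue": 0, "limit": 10,
     "name": {"localizedValue": "Total Regional vCPUs", "value": "cores"}},
    {"currentValue": 0, "limit": 800,
     "name": {"localizedValue": "Virtual Machines", "value": "virtualMachines"}},
]
SAMPLE_USAGE_RAISED = [
    {"currentValue": 4, "limit": 20,
     "name": {"localizedValue": "Total Regional vCPUs", "value": "cores"}},
]

if __name__ == "__main__":
    import sys
    # e.g. python core_quota.py japaneast ; with no argument the constructed sample is used
    usage = load_usage(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_USAGE_DEFAULT
    plan = core_plan(usage)
    print(plan)
    if not plan["fits"]:
        print(f"Request a quota increase to at least {plan['new_limit_needed']} cores.")
```

With the default quota the plan reports 16 cores required against 10 available, so "new_limit_needed" is the number to enter in step (3) of the support request. Note that the CLI quota is per region, which is why the request form also asks for the location.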

5. Conclusion
You have completed the basic BIG-IP LTM setup in Microsoft Azure.

If you add and enable other software licenses, BIG-IP offers many traffic management features, such as session persistence, HTTP logging, and traffic customization with iRules scripting, which have not been explained in this document. Customers can use BIG-IP to achieve well-designed traffic control and optimize their application infrastructure.

Other BIG-IP series have many additional software options that enhance application accessibility, such as global load balancing, firewall, and SSL-VPN. Please visit our website, where you can find the entire suite of F5 solutions.

You may check our websites for more information, or send an enquiry to your local F5 sales representative.

<Introduction to the F5 Networks websites>

Main F5 Networks site: https://f5.com

AskF5, the main knowledge base website: http://support.f5.com/kb/en-us.html

DevCentral, the F5 user community site: https://devcentral.f5.com/

6. Appendix: Connecting Resource Groups with IPSec-VPN

If you want to connect two Resource Groups, you can use the Azure "Virtual Network Gateway" service to connect them with an IPSec-VPN as follows.

In this deployment, you can use private IP addresses for the pool members instead of public IP addresses.

This section guides you through the setup.

[Note] When you create two resource groups, both of them might have the same subnet in their Virtual Networks. Before you start the configuration, you need to check their subnets.

6.1. Adding Gateway Subnets

You have to add a "Gateway Subnet" to the Virtual Network in each of the two resource groups.

(1) Click "Browse" and search for "Virtual Networks".

    Enter the words you want to search for
    Select "Virtual Networks"

(2) First, click "BIP-RG001".

(3) Click "Subnets" in Settings.

(4) Click the "+ Gateway Subnet" icon, and click the "OK" button in "Add Subnet".

(5) The Gateway Subnet has been added.

(6) In the same way, add a Gateway Subnet to SVR-RG001.
6.2. Creating Public IP addresses

Two public IP addresses are needed to connect the two Resource Groups with IPSec-VPN.

(1) Click "Browse" and search for "Public IP addresses".

    Enter the words you want to search for
    Select "Public IP addresses"

(2) Click the "+" icon.

(3) Define values as follows and click the "Create" button.

    Define a name (any name)
    Select "Use existing"
    Select "BIP-RG001"

(4) In the same way, create a public IP address for SVR-RG001.

Assigning the public IP addresses takes quite a long time, so it is recommended to start the next step without waiting for it.
6.3. Creating Virtual Network Gateways

Virtual Network Gateways are used to connect the two Resource Groups with IPSec.

(1) Click "Browse" and search for "Virtual Network Gateways".

    Enter the words you want to search for
    Select "Virtual Network Gateways"

(2) Click the "+" icon.

(3) First, create one for BIP-RG001. Set values as follows.

    Define a name (as you like)
    Select the Virtual Network
    Select the public IP address you created

It might take up to 45 minutes.

(4) In the same way, create a Virtual Network Gateway for SVR-RG001.

(5) As a result, two Virtual Network Gateways are created as follows.

(6) You have to wait up to 45 minutes until the Virtual Network Gateways are generated. The "Updating" status is shown during that period.

(7) Finally, when the "Updating" status disappears, the public IP address is assigned as follows.
6.4. Setting Connections

"Connections" are used to connect the two Virtual Network Gateways with IPSec-VPN, so they need to be configured.

(1) Click "Browse" and search for "Connections".

    Enter the words you want to search for
    Select "Connections"

(2) Click the "+" icon.

(3) These are the basic settings. Set values as follows.

    "VNet-to-VNet" is selected by default
    Select "Use existing"
    Select a resource group

(4) These are the connection settings. Set values as follows.

    Select one of the Virtual Network Gateways
    Select the other Virtual Network Gateway
    Set the shared key for the IPSec-VPN

(5) This is the summary. Click the "OK" button.

(6) The following status shows that the resource groups are connected. It takes about 10 minutes for the status to become "Connected".

Connecting the two Resource Groups has been completed.
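Two points in this appendix are easy to get wrong and are worth checking before clicking through the portal: the [Note] at the start (the two resource groups' Virtual Networks must not use the same address space, and the Gateway Subnet of 6.1 must fit inside the VNet without overlapping its existing subnets) and the shared key set in step (4) of 6.4. The script below is an added example, not part of the original guide; the address spaces and subnets it uses are constructed sample values, not the ones shown in the guide's screenshots, and the assumption about the shared key length is marked in the code.

```python
"""Pre-checks for the VNet-to-VNet IPSec-VPN connection in this appendix.

Added example, not part of the original guide. It covers the [Note] at the
start of the appendix (the two resource groups' Virtual Networks must not use
the same address space), the Gateway Subnet of 6.1, and step (4) of 6.4 (the
shared key for the IPSec-VPN). The address spaces and subnets below are
constructed sample values, not the ones the guide's screenshots show.
"""
import ipaddress
import secrets


def overlapping_prefixes(space_a, space_b):
    """Return every pair of prefixes from the two address spaces that overlap.
    An empty list means traffic can be routed across the VPN unambiguously."""
    nets_a = [ipaddress.ip_network(p) for p in space_a]
    nets_b = [ipaddress.ip_network(p) for p in space_b]
    return [(str(a), str(b)) for a in nets_a for b in nets_b if a.overlaps(b)]


def can_connect(space_a, space_b) -> bool:
    """True when the two VNets can be connected VNet-to-VNet without a clash."""
    return not overlapping_prefixes(space_a, space_b)


def gateway_subnet_ok(address_space, existing_subnets, gateway_subnet):
    """Check the Gateway Subnet of 6.1: it has to lie inside the VNet's address
    space and must not overlap any subnet that already exists in that VNet."""
    gw = ipaddress.ip_network(gateway_subnet)
    if not any(gw.subnet_of(ipaddress.ip_network(p)) for p in address_space):
        return False, "gateway subnet is outside the VNet address space"
    for s in existing_subnets:
        if gw.overlaps(ipaddress.ip_network(s)):
            return False, f"gateway subnet overlaps existing subnet {s}"
    return True, "ok"


def make_shared_key(nbytes: int = 32) -> str:
    """Generate a random IPSec shared key from the OS CSPRNG for step (4) of 6.4.
    token_urlsafe yields printable ASCII only; 32 bytes become 43 characters,
    which is assumed to be within the length the Azure portal accepts."""
    return secrets.token_urlsafe(nbytes)


# Constructed sample: what the two resource groups' VNets might look like.
BIP_RG001_VNET = {"address_space": ["10.0.0.0/16"], "subnets": ["10.0.0.0/24", "10.0.1.0/24"]}
SVR_RG001_VNET = {"address_space": ["10.1.0.0/16"], "subnets": ["10.1.0.0/24"]}
GATEWAY_SUBNET = {"BIP-RG001": "10.0.255.0/27", "SVR-RG001": "10.1.255.0/27"}


def precheck(vnet_a, vnet_b, gw_a, gw_b) -> dict:
    """Run all checks for one pair of VNets and their planned Gateway Subnets."""
    return {
        "address_spaces_disjoint": can_connect(vnet_a["address_space"], vnet_b["address_space"]),
        "gateway_subnet_a": gateway_subnet_ok(vnet_a["address_space"], vnet_a["subnets"], gw_a),
        "gateway_subnet_b": gateway_subnet_ok(vnet_b["address_space"], vnet_b["subnets"], gw_b),
    }


if __name__ == "__main__":
    print(precheck(BIP_RG001_VNET, SVR_RG001_VNET,
                   GATEWAY_SUBNET["BIP-RG001"], GATEWAY_SUBNET["SVR-RG001"]))
    # The case the [Note] warns about: both resource groups got the same default space.
    print("clash:", overlapping_prefixes(["10.0.0.0/16"], ["10.0.0.0/16"]))
    print("shared key:", make_shared_key())
```

If "address_spaces_disjoint" is False, change one VNet's address space before creating the gateways; once the gateways exist it is far more work to renumber. Paste the generated shared key into both sides of the connection exactly as printed.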

6.5. Test

Configure the private IP addresses assigned to the WordPress servers as pool members of the BIG-IP.
If the health monitor status is green, the polling succeeded and the connection is working properly.
