July, 2016
Contents
1. Introduction
2. BIG-IP Standalone Deployment
2.1. Setting Microsoft Azure (for BIG-IP Standalone deployment)
    Dashboard
    Creating Resource Groups
    Creating Web Application Servers
    Creating BIG-IP
    Configuring Server load-balancing on BIG-IP
    [Reference] Changing the settings of WordPress for SSL offloading
2.2. Accessing Virtual Server for test
3. BIG-IP redundant Deployment
3.1. Setting Microsoft Azure (BIG-IP Redundant Deployment)
    Creating 2nd BIG-IP (BIP-VE002)
    Changing Inbound Security Rules
    Activating License to BIG-IP
    Setting Config-Sync between BIG-IPs
    Confirming if Config-Sync is working
    Setting Azure Load Balancer
    Confirming Public IP address of Azure Load Balancer
3.2. Accessing the public IP address of Azure Load Balancer
4. Microsoft Azure Security Center F5 WAF Solution
4.1. F5 WAF Network diagram
4.2. Setting summary of already deployed web service
    Resource Group
    Web Applications servers
    Azure Load Balancer
    Setting F5 WAF from Security Center
    Pseudo attack test
    Confirming objects created automatically
    [Reference] Confirm current Quota and request to increase quota
5. Conclusion
6. Appendix Connecting between Resource Groups with IPSec-VPN
6.1. Adding Gateway Subnets
6.2. Creating Public IP addresses
6.3. Creating Virtual Network Gateways
6.4. Setting Connections
6.5. Test
1. Introduction
The objective of this document is to guide you through setting up BIG-IP in Microsoft Azure.
By deploying BIG-IP from the Azure Marketplace, you can use high-level L4-7 load-balancing functions in Azure.
Additionally, you can add Web Application Firewall, SAML federation and so on to the BIG-IP.
If you deploy two BIG-IPs with Azure Load Balancer, you can build a redundant BIG-IP system.
This guide explains the typical setup approach step by step, with screenshots, to facilitate a smooth setup of BIG-IP in Azure.
<enter part about license. Something like: This guide assumes that the user has purchased a valid F5 license. If
not, they can contact F5 sales to obtain an evaluation license.>
2. BIG-IP Standalone Deployment
First, assuming there is no redundancy, you will deploy a network like the following diagram in Azure.
This guide uses two WordPress virtual machines, available in the Azure Marketplace, as the web applications.
So that a redundant BIG-IP system can be deployed later with Azure Load Balancer, an Availability Set is assigned to the BIG-IP when it is created. (To be a pool member of Azure LB, a VM must have an Availability Set assigned, and Azure does not allow this setting to be changed after the VM is created.)
2.1. Setting Microsoft Azure (for BIG-IP Standalone deployment)
In this section you set up a standalone BIG-IP that performs load balancing in Microsoft Azure.
Dashboard
[Reference] To change the language used in the Azure console, click the icon in the red circle above.
Creating Resource Groups
This section guides you through creating the two resource groups depicted in the BIG-IP Standalone Deployment network diagram.
(1) Click "Resource Groups", then click the "+" button on the screen that appears.
2.1.2.2. Resource Group for BIG-IPs
Creating Web Application Servers
This section explains how to create the web application virtual machines in their Resource Group.
(1) Click "Virtual Machines", then click the "+" button on the screen that appears.
(2) Enter "wordpress" in the search form, select WordPress and push the "Create" button.
(3) Define the settings as follows in the "Basics" setting screen.
Select Size
(5) Nothing is set in the optional features setting screen in this guide. Click the "OK" button.
(6) Click the "OK" button after checking the Summary of settings for the VM.
2.1.3.2. WordPress (2nd)
In the same way as the first one, create a second virtual machine for the WordPress application.
2.1.3.3. Setting DNS name
Set the DNS names of the two web applications so that their public IP addresses can be resolved through DNS.
(When you define pool members in BIG-IP, you will use these DNS names instead of IP addresses.)
(3) Click "Configuration" in the Settings column.
Enter a hostname of your choice (ex: wp001) in the DNS name label and push the Save icon.
Creating BIG-IP
This section guides you through creating a BIG-IP as a Virtual Machine and importing the license to it.
(1) Click "Virtual Machines", then click the "+" button on the screen that appears.
(2) Enter "F5" in the search form and select the one that you want to deploy.
(3) "F5 BIG-IP ADC GOOD (LTM) - BYOL" was selected in this guide.
Push the "Create" button.
(4) Define the following settings in the screen that appears.
Select size
(6) Next is the optional features setting screen. Two settings are needed.
a) BIG-IP in Azure does not support Monitoring, so you have to choose "Disabled" for it.
b) Create an "Availability Set" and assign it to the BIG-IP.
An Availability Set is needed when you set up redundancy of BIG-IPs.
(It is not possible to assign this after the VM is created, so it has to be set and assigned to the VM when creating it.)
(7) Two values are changed as follows. Click the "OK" button.
(8) Click the "OK" button after checking the Summary of settings for the VM.
(9) Click the "Purchase" button after checking the price.
2.1.4.2. Changing Inbound Security Rules
(1) Check the current Inbound Security Rules and add an HTTPS(TCP/443) rule.
You can see the rules by clicking: "Virtual machines" => "BIP-VE001" => "Settings" => "Network interfaces" => "bip-ve0016(*)" => "Settings" => "Network security group" => "BIP-VE001" => "Settings" => "Inbound security rules"
(*) This name was assigned automatically to the NIC of the BIG-IP by Azure, so the value will differ depending on your environment.
Select TCP
Put 443
(3) The HTTPS(TCP/443) rule was added as follows.
2.1.4.3. Activating license to BIG-IP
These steps explain how to access the BIG-IP WebUI and how to activate the BIG-IP license.
(1) You can see the Public IP address of the BIG-IP by clicking "Virtual machines" => "BIP-VE001".
(2) Access the public IP address with HTTPS(TCP/443) by entering it into the address bar of a Web browser on a PC connected to the Internet.
Ex) https://104.41.184.151/
Log in to the BIG-IP with the Username and Password you specified when you created the VM.
(3) Push the "Next" button.
(5) Enter the license key that you purchased into the "Base Registration Key" field and push the "Next" button.
(6) This is the EULA (End User License Agreement). Push the "Accept" button.
(7) After a few seconds, the screen will change as follows. Push the "Continue" button.
(8) The "Resource Provisioning" screen will appear. Only LTM is used in this guide, and it is configured by default, so push the "Next" button.
(9) The next screen shows the device certificate that the BIG-IP has. Push the "Next" button.
(10) Define the Hostname, Timezone, and password for login.
Select Timezone
(11) After making the changes above, you need to log in again with the Username and Password you specified in the previous screen.
(13) This is just confirmation. The following screen is shown on "Network" => "VLANs".
You will find that the VLAN was created automatically.
(14) This is just confirmation. The following screen is shown on "Network" => "Self IPs".
You will find that the Self IP was set in the internal VLAN.
(15) This is just confirmation. The following screen is shown on "Network" => "Routes".
You will find that the default route was set automatically.
(16) This is just confirmation. The following screen is shown on "System" => "Configuration" => "Device" => "DNS".
You will find that the DNS server was set automatically.
2.1.4.4. Changing port number of accessing WebUI
Therefore, you have to change the TCP port number used to access the BIG-IP WebUI from HTTPS(TCP/443) to a different port number (this example uses 8443).
Check Challenge/response
(2) Enter the following commands in the CLI.
[admin-admin@ve001:Active:Standalone] ~ # tmsh
admin-admin@(ve001)(cfg-sync Standalone)(Active)(/Common)(tmos)#
(Prompt is too long, so "(tmos)#" is used instead of above one)
Select TCP
Put 8443
(5) Access the Public IP of the BIG-IP on TCP/8443 using a Web browser on a PC connected to the Internet, and confirm that you can see the WebUI of the BIG-IP.
Ex) https://104.41.184.151:8443/
Configuring Server load-balancing on BIG-IP
This section guides you through setting up server load balancing on the BIG-IP.
Public IP addresses change frequently in Microsoft Azure, for example when a VM is rebooted, so you should set an FQDN as the pool member instead of a Public IP address.
(1) Click "Local Traffic" => "Pools" and define the settings as follows.
(Repeat the above for the other pool members)
(2) This is just confirmation. Click on number of "Members" of "wordpress-pool".
2.1.5.2. Setting Virtual Server
Click "Local Traffic" => "Virtual Servers" and push the "Create" button in the upper right. Define as follows.
~ Omitting ~
** Considering the redundant settings you are going to configure in the next section, a wildcard is defined as the destination.
[Reference] Changing the settings of WordPress for SSL offloading
In this guide, client HTTPS(TCP/443) requests are terminated at the Virtual Server of the BIG-IP, and the BIG-IP sends the requests as HTTP(TCP/80) to the pool members (WordPress). This is also called SSL offloading.
In this situation, WordPress receives the request as HTTP(TCP/80), so WordPress responds to clients with "http://~~" links in the HTML body.
No HTTP(TCP/80) virtual server is set for the application in this guide, so "http://~~" requests from clients will result in an error.
Therefore, you have to add the following settings to the WordPress config file.
(1) Connect to the Public IP address of WordPress with SSH using TeraTerm or PuTTY.
(2) Add the following 3 lines directly below "<?php", above the existing contents of the WordPress configuration file wp-config.php:
<?php
// Added for SSL offloading: BIG-IP terminates HTTPS and forwards HTTP to WordPress.
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);
// Make WordPress treat every request as HTTPS so that it generates https:// links.
$_SERVER['HTTPS'] = 'on';
/** (the existing wp-config.php header comment and settings continue from here) */
2.2. Accessing Virtual Server for test
Confirm that you can see the WordPress web screen when you access the HTTPS(TCP/443) virtual server.
3. BIG-IP redundant Deployment
This section shows you how to build a redundant system by adding another BIG-IP, "BIP-VE002" in the following diagram.
Currently in Azure, you cannot use all the redundancy functionality (Device Service Cluster) that BIG-IP has.
So Azure Load Balancer has to load-balance across these 2 BIG-IPs for redundancy.
[Reference URL]
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ve-setup-msft-azure-12-0-0/3.html
3.1. Setting Microsoft Azure (BIG-IP Redundant Deployment)
In the same way as the first BIG-IP, create the BIG-IP as a Virtual Machine, noting the 2 points as follows.
Note-1
Note-2
Activating License to BIG-IP
In the same way as the first BIG-IP, activate the license on the 2nd BIG-IP: BIP-VE002.
(2) Confirm the "PRIMARY PRIVATE IP" values assigned to the BIG-IP hostnames shown in "ATTACHED TO".
3.1.4.2. Setting BIP-VE002
Note) TCP/443 is needed in the initial steps of the redundancy setting, so do not change the WebUI access port to TCP/8443 for now.
a) Enter TMSH.
[admin-admin@ve002:Active:Standalone] ~ # tmsh
d) Set the private IP address which is assigned as Self IP to use for Config-Sync.
a) Enter TMSH.
[admin-admin@ve001:Active:Standalone] ~ # tmsh
d) Set the private IP address which is assigned as Self IP to use for Config-Sync.
e) Device Trust Setting: BIP-VE001 will trust BIP-VE002 by this setting.
3.1.4.4. Initial Config Sync
You already set "auto-sync" in the previous command, so when you change the configuration on one BIG-IP, it is synchronized to the other BIG-IP automatically. However, the first synchronization has to be done manually.
(1) Log in to the WebUI of BIP-VE001 and click "Device Management" => "Overview". Select self (ve001.f5jp.azure) and push the Sync button.
(2) Check the Sync Status to confirm that the initial Config Sync was successful.
3.1.4.5. Setting "TCP/8443" for WebUI of BIP-VE002
When the configuration is synchronized, the following management settings are also synchronized.
However, the filtering setting of the Self IP is not synchronized, so you have to change this setting manually.
For example, by removing and re-adding a health monitor from a pool on one BIG-IP, you can confirm whether the configuration of the other BIG-IP has the same setting.
Setting Azure Load Balancer
(3) Set as follows in the screen that appears, and assign a Public IP address. "AzureLB001" was defined as the LB name in this guide.
(4) Select the Resource Group you created for BIG-IP and push the "Create" button.
(5) Click the "AzureLB001" you created.
(6) It takes about 20 minutes to assign a Public IP address to it. You can move on to the next settings without waiting for it.
Define name (as you like)
Select TCP
Put 443
(8) The following are the Pool settings. Set as follows.
Select 2 BIG-IPs
(10) This is the pool status you set.
(11) Finally, you need to configure the Load Balancing Rule setting. Set as follows.
Define name (as you like)
Put 443
Put 443
Select persistence
Confirming Public IP address of Azure Load Balancer
By clicking the Azure load balancer you created, you can see the Public IP address that was assigned.
Confirm that you can see the WordPress screen by accessing the public IP address with "https://" from a web browser on a PC connected to the Internet.
Ex) https://13.71.150.80
Confirm that you can see the same screen after powering down or reloading one of the BIG-IPs.
4. Microsoft Azure Security Center F5 WAF Solution
You can also easily deploy the F5 WAF solution from Microsoft Azure Security Center.
This section assumes a customer wants to protect a web application with WAF after they have already started a service using Azure Load Balancer.
4.2. Setting summary of already deployed web service
Resource Group
(1) wordpress003
(2) wordpress004
Azure Load Balancer
(3) Probe (Health Monitor)
Setting F5 WAF from Security Center
This section guides you through deploying F5 WAF from Azure Security Center.
(2) Click the public IP address assigned to AzureLB002 and click "Add a web application firewall".
[Note]
At this point in the guide, wordpress003 and 004 also have Public IP addresses, but only the public IP address of AzureLB002 needs to be configured for WAF services.
The F5 WAF is applied only to AzureLB002. This scenario assumes that wordpress003 and 004 are protected by other settings, such as limiting source IP addresses with Inbound security rules, so that the public can reach them only through AzureLB002 while the operator keeps full access to the application servers for maintenance.
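A check for the condition in the note above, as an added example that is not part of the original guide: it scans a backend server's inbound security rules for Allow rules that let unexpected sources reach the web ports, which would let clients reach wordpress003/004 without passing the WAF. The rule list is constructed sample data in the shape of `az network nsg rule list -o json` output; the rule names, the addresses and the allowed source ranges are assumptions.

```python
import ipaddress

# Constructed sample, trimmed to the fields this check reads, in the shape of
# `az network nsg rule list -o json` output for one backend server's NSG.
# Rule names and addresses are made up for illustration.
SAMPLE_RULES = [
    {"name": "allow-http-any", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "80"},
    {"name": "allow-web-from-waf", "priority": 110, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.4",
     "destinationPortRange": None, "destinationPortRanges": ["80", "443"]},
    {"name": "allow-ssh-operator", "priority": 120, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "198.51.100.0/24", "destinationPortRange": "22"},
    {"name": "allow-low-ports-internet", "priority": 130, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "1-1024"},
    {"name": "deny-rest", "priority": 4000, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"},
]

# Assumptions: the subnet the WAF/load balancer path arrives from, and the
# operator's maintenance range (documentation addresses).
ALLOWED_SOURCES = ["10.0.0.0/24", "198.51.100.0/24"]
WEB_PORTS = (80, 443)
OPEN_SOURCES = {"*", "internet", "0.0.0.0/0"}
INTERNAL_TAGS = {"virtualnetwork", "azureloadbalancer"}


def _covers(port_spec, port):
    """True if an NSG port spec ('443', '80-443' or '*') includes port."""
    if port_spec == "*":
        return True
    low, _, high = port_spec.partition("-")
    return int(low) <= port <= int(high or low)


def _values(rule, single, plural):
    """A rule carries either one value or a list; return them as one list."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals


def _source_allowed(src, allowed_nets):
    s = src.lower()
    if s in OPEN_SOURCES:
        return False
    if s in INTERNAL_TAGS:
        return True
    try:
        net = ipaddress.ip_network(src, strict=False)
    except ValueError:
        return False  # unrecognised service tag: report it for manual review
    return any(net.version == a.version and net.subnet_of(a) for a in allowed_nets)


def waf_bypass_rules(rules, allowed_sources, ports=WEB_PORTS):
    """Return (rule name, exposed ports, offending sources) per risky rule.

    Each Allow rule is judged on its own; a higher-priority Deny that shadows
    it is not modelled, so the findings are candidates to review.
    """
    allowed_nets = [ipaddress.ip_network(a, strict=False) for a in allowed_sources]
    findings = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"].lower() != "inbound" or rule["access"].lower() != "allow":
            continue
        if rule["protocol"].lower() not in ("tcp", "*"):
            continue
        specs = _values(rule, "destinationPortRange", "destinationPortRanges")
        hit = [p for p in ports if any(_covers(s, p) for s in specs)]
        bad = [s for s in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
               if not _source_allowed(s, allowed_nets)]
        if hit and bad:
            findings.append((rule["name"], hit, bad))
    return findings
```

Passing `ports=(22,)` or `ports=(8443,)` runs the same check against the SSH or BIG-IP WebUI ports used elsewhere in this guide.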
(3) Click "Create New" and click the "F5 Networks" icon.
(5) Set the Hostname and Password for login to F5 WAF.
(6) Enter the License key and select the security level and type of application that you want to protect.
(7) Set the DNS name of the F5 WAF so that its public IP address can be resolved by DNS.
The status of the Public IP address of AzureLB002 is "Pending WAF finalization"; this means that the WAF settings are waiting to be finalized.
** If you cannot see the screen below as expected, push the reload button of the Web browser on your PC to reload the page.
(9) In this scenario, the Public IP address for the web service is going to be changed from Azure LB to F5 WAF, so Azure Security Center asks whether you have already changed the DNS setting.
You have already set the DNS name, so check "I updated my DNS record" and click the "Restrict Traffic" button.
** If you cannot see the screen below as expected, push the reload button of the Web browser on your PC to reload the page.
Pseudo attack test
Try performing a pseudo attack on the WordPress page by accessing the virtual server of the F5 WAF.
(3) You can see the attack details if you log in to the BIG-IP.
Confirming objects created automatically
(1) Summary
(2) LB rules
(3) Azure LB NAT rule-1 (for Accessing WebUI of BIG-IP)
(5) Availability set (for becoming pool member of Azure LB).
[Reference] Confirm current Quota and request to increase quota
When you want to build two BIG-IPs as a redundant pair using Security Center, you might see an error message because Cores per subscription is 10 by default. The default instance type of F5 WAF (BIG-IP) is "Standard A4", which has 8 cores, so 16 (8 + 8) cores cannot be deployed by default.
If you want to increase the quota, you can request it from Azure with the following steps.
(1) Click the "?" icon in the upper right and click "New support request".
Select "Quota"
(3) Define "Problem" as follows.
(5) You will receive an e-mail from Microsoft Azure after the above setting. Increase your quota by following the guidelines in the message.
5. Conclusion
You have completed the basic BIG-IP LTM setup in Microsoft Azure.
If you add and enable other software licenses, BIG-IP offers many traffic management features, such as session persistence, HTTP logging, and traffic customization by iRules scripting, which have not been explained in this document. Customers can use BIG-IP to achieve well-designed traffic control and optimize their application infrastructure.
Other BIG-IP series have many additional software options to enhance application accessibility, such as Global load-balancing, Firewall, SSL-VPN, etc. Please access our web site, where you can find the entire suite of F5 solutions.
For more information, check our websites or send an enquiry to your local F5 Sales representative.
6. Appendix Connecting between Resource Groups with IPSec-VPN
If you would like to connect Resource Groups to each other, you can use the "Virtual Network Gateway" service of Azure to connect them with IPSec-VPN as follows.
In this deployment, you can use private IP addresses for pool members instead of Public IP addresses.
[Note] When you create two resource groups, both of them might have the same Virtual Network subnet. So before you start the configuration, you need to check their subnets.
6.1. Adding Gateway Subnets
You have to add a "Gateway Subnet" to each Virtual Network in both resource groups.
(4) Click the "+ Gateway Subnet" icon, and click the "OK" button in "Add Subnet".
6.2. Creating Public IP addresses
Two Public IP addresses are needed to connect two Resource Groups with IPSec-VPN.
(3) Define values as follows and push the "Create" button.
Assigning the public IP addresses takes quite a lot of time, so it is recommended to start the next step without waiting for it.
6.3. Creating Virtual Network Gateways
Virtual Network Gateways are used to connect two Resource Groups with IPSec.
(3) First, create one for BIP-RG001. Set values as follows.
(4) In the same way, create a Virtual Network Gateway for SVR-RG001.
(5) As a result, two Virtual Network Gateways are created as follows.
(6) You have to wait up to 45 minutes until the Virtual Network Gateways are generated. The "Updating" status is shown during that period.
(7) Finally, when the "Updating" status disappears, the Public IP address is assigned as follows.
6.4. Setting Connections
"Connections" are used to connect two Virtual Network Gateways with IPSec-VPN, so they need to be configured.
Select "Connections"
"VNet-to-VNet" is selected as default
(4) This is the Connection setting. Set values as follows.
(6) The following status shows that the resource groups are already connected. It takes about 10 minutes for the status to become "Connected".
6.5. Test
Configure the private IP addresses that are assigned to the WordPress servers as Pool Members of the BIG-IP.
If the health monitor status is green, it means the polling succeeds and the connection is functioning properly.