F5 BIG-IP Virtual Edition on AWS

Partner Solution Deployment Guide


June 2022
Alex Applebaum, Greg Crosby, Andrey Kashcheev, Nitin Khanna, Yossi Rosenboim, Michael Shimkus, F5
Andrew Glenn and Troy Ameigh, AWS Integration and Automation team

Refer to the GitHub repository to view source files, report bugs, submit feature ideas, and post feedback about this Partner Solution. To comment on the documentation, refer to Feedback.

This Partner Solution was created by F5 in collaboration with Amazon Web Services (AWS). Partner Solutions are automated reference deployments that help people deploy popular technologies on AWS according to AWS best practices. If you’re unfamiliar with AWS Partner Solutions, refer to the AWS Partner Solution General Information Guide.

Overview

This Partner Solution deploys F5 BIG-IP Virtual Edition (BIG-IP VE) on the AWS Cloud.

This deployment guide discusses architectural considerations and configuration steps for deploying a failover cluster of BIG-IP VE instances on the Amazon Web Services (AWS) Cloud. It also provides links for launching AWS CloudFormation templates that automate the deployment.

BIG-IP VE is a security services platform designed for delivering speed, availability, and security for business-critical applications and networks. As an aggregation tier for your application portfolio, you can use BIG-IP VE to standardize security, logging, and telemetry policies. It enables intelligent L4-L7 traffic management, robust network and web application firewalls, simplified application access, and much more. For more information about BIG-IP VE, navigate to the F5 website.

This Partner Solution deploys a highly available cluster of two BIG-IP VE instances provisioned with:

  • Local Traffic Manager (LTM) - Performs uniform resource identifier (URI) routing, SSL/TLS termination, TCP optimization, and service discovery for automatically scaled web applications.

  • Application Security Manager (ASM) - A best-of-breed web application firewall that helps protect against:

    • Automated attacks and bots that can overwhelm application resources.

    • Credential theft - Attacks that steal application credentials or take advantage of compromised accounts.

    • Attacks on mobile clients - Bots that target browser-based and mobile clients.

    • Application-layer attacks that can evade signature- and reputation-based security solutions.

    • Web app and API attacks - New attack surfaces and threats due to the rapid adoption of APIs.

    • Targeted attack campaigns - Active attack campaigns that are difficult to distinguish from isolated attacks.

Costs and licenses

The Partner Solution requires a subscription to the Amazon Machine Image (AMI) for F5 BIG-IP Virtual Edition, which is available from AWS Marketplace.

By default, this Partner Solution deploys F5 BIG-IP BEST with IPI and Threat Campaigns (PAYG, 25Mbps) instances.

If you want to deploy other types of BIG-IP VE instances, accept the terms for the desired offering, obtain its AMI ID, and pass that AMI ID to the template’s bigIpImageId parameter. For example, the following command lists the BIG-IP VE AMI IDs and names available in us-east-1:

aws ec2 describe-images --filters 'Name=name,Values=*BIGIP*' --query 'Images[*].[ImageId,Name]' --region us-east-1

If deploying to a production environment, you can use Bring Your Own License (BYOL) instances (for example, F5 BIG-IP VE - ALL (BYOL, 2 Boot Locations)), which require registration keys. If you don’t have registration keys, visit the F5 website. Additional pricing, terms, and conditions may apply.
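A name filter such as *BIGIP* matches any public AMI whose name contains that string, including images published by accounts other than AWS Marketplace, so an AMI chosen from the listing above should also be checked for its publisher before it goes into bigIpImageId. The following script is an added example (not code from the Partner Solution repository) that reads the JSON produced by aws ec2 describe-images, keeps only images whose ImageOwnerAlias is aws-marketplace (a real field and value in describe-images output; --owners aws-marketplace applies the same restriction server-side), and returns the newest one matching the requested offering. The file name pick_ami.py, the account IDs and the image records are constructed for the example.

```python
"""Select a BIG-IP VE AMI from `aws ec2 describe-images` JSON output.

Added example, not code from the Partner Solution repository. A name filter
such as '*BIGIP*' also matches public AMIs that anyone can publish, so this
script only accepts images whose ImageOwnerAlias is 'aws-marketplace' and then
returns the newest one matching the requested offering. The field names are
those of real describe-images output; the sample records are constructed.
"""
import json
import re
import sys
from datetime import datetime

# Constructed sample output: two Marketplace images and one look-alike public
# AMI (no ImageOwnerAlias) that a plain name filter would also return.
SAMPLE_DESCRIBE_IMAGES = json.dumps({"Images": [
    {"ImageId": "ami-0aaaaaaaaaaaaaaaa",
     "Name": "F5 BIGIP-16.1.2.2-0.0.28 BEST-PAYG 25Mbps (sample)",
     "OwnerId": "111111111111", "ImageOwnerAlias": "aws-marketplace",
     "CreationDate": "2022-03-15T10:22:05.000Z"},
    {"ImageId": "ami-0bbbbbbbbbbbbbbbb",
     "Name": "F5 BIGIP-16.1.3-0.0.12 BEST-PAYG 25Mbps (sample)",
     "OwnerId": "111111111111", "ImageOwnerAlias": "aws-marketplace",
     "CreationDate": "2022-06-01T08:00:00.000Z"},
    {"ImageId": "ami-0cccccccccccccccc",
     "Name": "F5 BIGIP-16.1.3-0.0.12 BEST-PAYG 25Mbps (sample)",
     "OwnerId": "222222222222",                      # arbitrary account
     "CreationDate": "2022-06-20T12:00:00.000Z"},   # newest, but not trusted
]})

TRUSTED_OWNER_ALIAS = "aws-marketplace"


def creation_time(image):
    # describe-images reports CreationDate as an ISO 8601 UTC timestamp.
    return datetime.strptime(image["CreationDate"], "%Y-%m-%dT%H:%M:%S.%fZ")


def pick_bigip_ami(describe_images_json, name_pattern):
    """Return the ImageId of the newest Marketplace-owned AMI whose Name
    matches name_pattern (a regular expression), or raise LookupError."""
    images = json.loads(describe_images_json)["Images"]
    wanted = re.compile(name_pattern)
    trusted = [img for img in images
               if img.get("ImageOwnerAlias") == TRUSTED_OWNER_ALIAS
               and wanted.search(img.get("Name", ""))]
    if not trusted:
        raise LookupError(f"no Marketplace AMI matches {name_pattern!r}")
    return max(trusted, key=creation_time)["ImageId"]


def lookalike_images(describe_images_json, name_pattern):
    """Return the ImageIds that match the name but are not Marketplace-owned,
    so they can be reported instead of silently ignored."""
    images = json.loads(describe_images_json)["Images"]
    wanted = re.compile(name_pattern)
    return [img["ImageId"] for img in images
            if img.get("ImageOwnerAlias") != TRUSTED_OWNER_ALIAS
            and wanted.search(img.get("Name", ""))]


if __name__ == "__main__":
    # Usage: aws ec2 describe-images --owners aws-marketplace \
    #          --filters 'Name=name,Values=*BIGIP*' --region us-east-1 \
    #        | python3 pick_ami.py 'BEST-PAYG 25Mbps'
    pattern = sys.argv[1] if len(sys.argv) > 1 else r"BEST-PAYG 25Mbps"
    data = SAMPLE_DESCRIBE_IMAGES if sys.stdin.isatty() else sys.stdin.read()
    for bad in lookalike_images(data, pattern):
        print(f"warning: ignoring non-Marketplace image {bad}", file=sys.stderr)
    print(pick_bigip_ami(data, pattern))
```

Run with no input to see the constructed sample resolved to the newer of the two Marketplace images; pipe real describe-images output into it to resolve an offering in your own account. Any image that matches the name but is not Marketplace-owned is printed as a warning rather than selected.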

Architecture

Deploying this Partner Solution for a new virtual private cloud (VPC) with default parameters builds the following BIG-IP VE environment in the AWS Cloud.

image

Figure 1: Partner Solution architecture for BIG-IP VE on AWS

As shown in Figure 1, the Partner Solution sets up the following:

  • A highly available architecture that spans two Availability Zones.*

  • A VPC configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*

  • In the public subnets:

    • Managed NAT gateways to allow outbound internet access for resources in the private subnets.*

    • A Linux bastion host in an Auto Scaling group to allow inbound Secure Shell (SSH) access to EC2 instances in public and private subnets.*

    • BIG-IP VE deployed to Amazon Elastic Compute Cloud (Amazon EC2) instances.

  • In the private subnets:

    • An example application to help demonstrate BIG-IP VE functionality.

    • An elastic network interface that represents the public-facing network interface card (NIC) of a clustered pair of BIG-IP VE instances.

  • AWS Identity and Access Management (IAM) for a role and EC2 instance profile.

  • An Amazon S3 SSE-S3 encrypted bucket used to provide failover state.

*The template that deploys the Partner Solution into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

Deployment options

This Partner Solution provides the following deployment options:

  • Deploy BIG-IP VE into a new VPC. This option builds a new AWS environment that consists of the VPC, subnets, NAT gateways, security groups, bastion hosts, and other infrastructure components. It then deploys BIG-IP VE into this new VPC.

  • Deploy BIG-IP VE into an existing VPC. This option provisions BIG-IP VE in your existing AWS infrastructure.

This Partner Solution provides separate templates for these options. It also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and BIG-IP VE settings.

Predeployment steps

Subscribe to the BIG-IP VE AMI

This Partner Solution requires a subscription to the AMI for BIG-IP VE in AWS Marketplace.

  1. Sign in to your AWS account.

  2. Open the page for the BIG-IP VE AMI in AWS Marketplace, and then choose Continue to Subscribe.

  3. Review the terms and conditions for software usage, and then choose Accept Terms. A confirmation page loads, and an email confirmation is sent to the account owner. For detailed subscription instructions, see the AWS Marketplace documentation.

  4. When the subscription process is complete, close out of AWS Marketplace without further action. Do not provision the software from AWS Marketplace, as the Partner Solution deploys the AMI for you.

Prepare your AWS account

This Partner Solution requires:

  • The appropriate permission in AWS to launch AWS CloudFormation templates. You must be an IAM user with the Administrator Access policy attached and have permission to create the objects contained in this Partner Solution, including VPCs, Elastic IP addresses, EC2 instances, IAM roles and Instance Profiles, SSE-S3 encrypted S3 buckets, SSH Key Pairs, AWS Secrets Manager secrets, etc.

  • An SSH key pair in AWS for management access to BIG-IP VE. For more information about creating and/or importing the key pair in AWS, refer to Amazon EC2 key pairs and Linux instances. If one is not specified, one will be created for you named BigIpSshKeyPair.

  • An AWS secret stored in AWS Secrets Manager with the password used to access and cluster the HA pair. If you don’t specify a secret, the solution creates one named BigIpSecret with an auto-generated password. To obtain the secret value, run the get-secret-value AWS Command Line Interface (AWS CLI) command, changing the Region and secret name as needed:

    aws secretsmanager get-secret-value --secret-id BigIpSecret --query "SecretString" --output text --region us-east-1

For more information, refer to the AWS Secrets Manager documentation.

To change the password to meet your organization’s policy or requirements, refer to:

  • K13121: Changing system maintenance account passwords.

  • K15497: Configuring a secure password policy for the BIG-IP system.

Configuration notes

The Partner Solution template provides an initial deployment for an infrastructure use case, which means that it doesn’t support managing the entire deployment exclusively through the template’s update-stack feature.

This Partner Solution uses the cloud-init package to send the instance user data, which provides only the initial BIG-IP VE configuration and is not the primary configuration API for a long-running platform. You can use the update-stack feature to update certain cloud resources; however, the BIG-IP VE configuration must align with cloud resources such as IP addresses and NICs, so updating one without the other can leave the deployment in an inconsistent state. Updating other resources, such as the bigIpImageId or bigIpInstanceType parameters, triggers a complete redeployment of the instance.

For example, upgrading the BIG-IP VE software version requires a traditional in-place upgrade and configuration management rather than a stack update. For details, refer to the Support section.

This solution requires BIG-IP VE to have internet access to download the required software packages. If you are deploying this solution in a private subnet, configure a NAT gateway or instance to allow BIG-IP VE to access the internet. See the Security section for more information.

This solution uses the F5 Cloud Failover Extension (CFE) to provide failover functionality. By default, this solution creates an S3 bucket in which CFE stores failover state. The bucket is created with AWS SSE-S3 encryption enabled, and the IAM role policy enforces AES256 server-side encryption. For more information, refer to the F5 Cloud Failover Extension documentation.

This template can send non-identifiable statistical information to F5 Networks to help improve templates. You can disable this functionality for this deployment by setting the value of the allowUsageAnalytics input parameter to false, or you can disable it system-wide by setting the autoPhonehome System class property to false in the F5 Declarative Onboarding declaration. For more information, refer to the next section and to the Security section.

Customize the BIG-IP VE configuration

If needed, customize the BIG-IP VE configuration. The initial BIG-IP VE configuration is passed through F5 BIG-IP Runtime Init configuration files, which are the primary mechanism for customizing the initial configuration of your deployment and support extensive BIG-IP VE customization. Customizing the configuration generally involves updating and rehosting these files and passing their locations through the bigIpRuntimeInitConfig template parameters.

By default, the Partner Solution deploys a minimal 2NIC PAYG configuration into the default Partner Solution network topology using the following configuration files in this repo’s /declarations folder:

  • runtime-init-conf-2nic-payg-instance01.yaml

  • runtime-init-conf-2nic-payg-instance02.yaml

A minimal baseline HA failover cluster is deployed. No virtual services are provisioned.

Optionally, you can deploy an example web application firewall (WAF)-protected web service to illustrate how services work. The example application deploys web application instances and a WAF-protected virtual service on the BIG-IP VE instances. To deploy the example application, set the provisionExampleApp parameter to true and reference the following configuration files via the bigIpRuntimeInitConfig parameters:

  • runtime-init-conf-2nic-payg-instance01-with-app.yaml

  • runtime-init-conf-2nic-payg-instance02-with-app.yaml

If your deployment requires additional customizations, update and rehost your configuration files at a custom URL.

IMPORTANT If hosting on GitHub, URLs that point to GitHub must use the raw file format (for example, raw.githubusercontent.com).

The BIG-IP VE configurations must match the external environment in which they are deployed. Although the provided runtime-init configuration examples extract and templatize many common values, some values are still hard-coded and must be updated to match your specific environment or deployment first.

Common customization example 1

To deploy a Bring Your Own License (BYOL) instance, perform these steps:

  1. Edit or modify the Declarative Onboarding (DO) declaration in a corresponding example byol runtime-init configuration file with the new regKey value.

Example snippet:

From:

...
          My_License:
            class: License
            licenseType: regKey
            regKey: REPLACE_WITH_VALID_REGKEY
...

To:

...
          My_License:
            class: License
            licenseType: regKey
            regKey: AAAAA-BBBBB-CCCCC-DDDDD-EEEEEEE
...
  2. Publish or host the customized runtime-init configuration file at a location that can be accessed by BIG-IP VE at deployment time (for example, Git, S3, etc.).

  3. Update the bigIpRuntimeInitConfig input parameters to reference the new URLs of the updated configurations.

  4. Update the bigIpImageId input parameter to a valid BYOL image ID.


Common customization example 2

To change host names, disable usage reporting to F5, set NTP and DNS servers, and so on, perform these steps:

  1. Edit or modify the DO declaration in a corresponding example runtime-init configuration file with the new values.

Example snippet:

From:

...
          My_System:
            autoPhonehome: true
            class: System
            hostname: "failover01.local"
...
          failoverGroup:
            class: DeviceGroup
            type: sync-failover
            members:
              - failover01.local
              - failover02.local
...

To:

...
          My_System:
            autoPhonehome: false
            class: System
            hostname: "bigip-cluster-01-a.yourcompany.com"
...
          failoverGroup:
            class: DeviceGroup
            type: sync-failover
            members:
              - bigip-cluster-01-a.yourcompany.com
              - bigip-cluster-01-b.yourcompany.com
...
  2. Publish or host the customized runtime-init configuration files at a location that can be accessed by BIG-IP VE at deployment time (for example, Git, S3, etc.).

  3. Update the bigIpRuntimeInitConfig input parameters to reference the new URLs of the updated configurations.



For additional information and examples, refer to the F5 BIG-IP Runtime Init GitHub repository.
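Both customization examples edit the same Declarative Onboarding objects, and the failure modes are the same each time: a regKey placeholder left in place, a hostname that no longer appears in the DeviceGroup member list, or autoPhonehome still true. The following script is an added example (not code from the Partner Solution or from F5 BIG-IP Runtime Init) that applies those edits to the DO declaration as a Python dict and checks the result before you rehost the file. The dict is the same structure the runtime-init YAML embeds; with PyYAML, yaml.safe_load the file and take the value of the DO extension_services operation to obtain it. The object names My_License, My_System and failoverGroup come from the snippets above; the registration-key shape check is an assumption that only enforces the 5-5-5-5-7 layout of the page’s sample key, and an absent autoPhonehome is treated as enabled.

```python
"""Apply and check the common Declarative Onboarding (DO) customizations:
registration key, hostname, autoPhonehome and sync-failover DeviceGroup
membership.

Added example, not part of the Partner Solution or F5 BIG-IP Runtime Init.
It works on the DO declaration as a Python dict (the structure the
runtime-init YAML embeds). The regKey shape check only enforces the
5-5-5-5-7 layout of the page's sample key and is an assumption.
"""
import copy
import re

REGKEY_PLACEHOLDER = "REPLACE_WITH_VALID_REGKEY"
REGKEY_SHAPE = re.compile(r"^[A-Z0-9]{5}(-[A-Z0-9]{5}){3}-[A-Z0-9]{7}$")

# The DO declaration as shipped in the example runtime-init file, abridged to
# the objects that the two customization examples touch.
EXAMPLE_DO = {
    "schemaVersion": "1.0.0",
    "class": "Device",
    "Common": {
        "class": "Tenant",
        "My_License": {"class": "License", "licenseType": "regKey",
                       "regKey": REGKEY_PLACEHOLDER},
        "My_System": {"class": "System", "autoPhonehome": True,
                      "hostname": "failover01.local"},
        "failoverGroup": {"class": "DeviceGroup", "type": "sync-failover",
                          "members": ["failover01.local", "failover02.local"]},
    },
}


def objects_of_class(decl, cls):
    """Yield (name, object) for every Common object of the given DO class."""
    for name, obj in decl["Common"].items():
        if isinstance(obj, dict) and obj.get("class") == cls:
            yield name, obj


def customize(decl, hostname, members, regkey=None, phonehome=False):
    """Return a copy of decl with this device's hostname, the full cluster
    member list, the phone-home setting and (optionally) a regKey applied."""
    out = copy.deepcopy(decl)
    for _, system in objects_of_class(out, "System"):
        system["hostname"] = hostname
        system["autoPhonehome"] = phonehome
    for _, group in objects_of_class(out, "DeviceGroup"):
        group["members"] = list(members)
    if regkey is not None:
        for _, lic in objects_of_class(out, "License"):
            if lic.get("licenseType") == "regKey":
                lic["regKey"] = regkey
    return out


def validate(decl):
    """Return a list of problems that would make the declaration fail or
    leak data at deploy time; an empty list means it is ready to host."""
    problems = []
    hostnames = {s.get("hostname") for _, s in objects_of_class(decl, "System")}
    for name, lic in objects_of_class(decl, "License"):
        if lic.get("licenseType") != "regKey":
            continue
        key = lic.get("regKey", "")
        if key == REGKEY_PLACEHOLDER:
            problems.append(f"{name}: regKey placeholder was never replaced")
        elif not REGKEY_SHAPE.match(key):
            problems.append(f"{name}: regKey {key!r} does not look like a registration key")
    for name, system in objects_of_class(decl, "System"):
        # An absent autoPhonehome is treated as enabled (assumption).
        if system.get("autoPhonehome", True):
            problems.append(f"{name}: autoPhonehome is enabled (usage data sent to F5)")
    for name, group in objects_of_class(decl, "DeviceGroup"):
        missing = hostnames - set(group.get("members", []))
        if missing:
            problems.append(f"{name}: members do not include {sorted(missing)}")
    return problems


if __name__ == "__main__":
    print("as shipped:", validate(EXAMPLE_DO))
    fixed = customize(EXAMPLE_DO, "bigip-cluster-01-a.yourcompany.com",
                      ["bigip-cluster-01-a.yourcompany.com",
                       "bigip-cluster-01-b.yourcompany.com"],
                      regkey="AAAAA-BBBBB-CCCCC-DDDDD-EEEEEEE")
    print("customized:", validate(fixed))
```

Run customize once per instance with that instance’s own hostname and the same member list for both, then validate each result; the member check is what catches the common mistake of renaming one device and forgetting to update the DeviceGroup in the peer’s file.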



Deployment steps

  1. Sign in to your AWS account, and launch this Partner Solution, as described under Deployment options. The AWS CloudFormation console opens with a prepopulated template.

  2. Choose the correct AWS Region, and then choose Next.

  3. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  4. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.

    Unless you’re customizing the Partner Solution templates or are instructed otherwise in this guide’s Predeployment section, don’t change the default settings for the following parameters: QSS3BucketName, QSS3BucketRegion, and QSS3KeyPrefix. Changing the values of these parameters will modify code references that point to the Amazon Simple Storage Service (Amazon S3) bucket name and key prefix. For more information, refer to the AWS Partner Solutions Contributor’s Guide.
  5. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you finish, choose Next.

  6. On the Review page, review and confirm the template settings. Under Capabilities, select all of the check boxes to acknowledge that the template creates AWS Identity and Access Management (IAM) resources that might require the ability to automatically expand macros.

  7. Choose Create stack. The stack takes about 30 minutes to deploy.

  8. Monitor the stack’s status, and when the status is CREATE_COMPLETE, the F5 BIG-IP Virtual Edition deployment is ready.

  9. To view the created resources, choose the Outputs tab.

Postdeployment steps

Access the BIG-IP VE IP address

After the stacks show a CREATE_COMPLETE status, you can access the BIG-IP VE instances through the bastion host. If you’ve provisioned the example application, optionally test the WAF service:

To access the parent template outputs, perform one of the following steps:

  • If using the AWS Management Console, navigate to CloudFormation > <stack name> > Outputs.

  • If using the AWS Command Line Interface (AWS CLI), run this command:

    aws --region ${REGION} cloudformation describe-stacks --stack-name ${STACK_NAME} --query "Stacks[0].Outputs"

To obtain the private IP address of the BIG-IP VE management port, perform one of the following steps:

  • If using the AWS Management Console, navigate to CloudFormation > <stack name> > Outputs > bigipInstance01MgmtPrivateIp.

  • If using the AWS CLI, run this command:

    aws --region ${REGION} cloudformation describe-stacks --stack-name ${STACK_NAME} --query "Stacks[0].Outputs[?OutputKey=='bigipInstance01MgmtPrivateIp'].OutputValue" --output text

To obtain the public IP address of the bastion host, perform one of the following steps:

  • If using the AWS Management Console, navigate to CloudFormation > <stack name> > Outputs > bastionHost.

  • If using the AWS CLI, run this command:

    aws --region ${REGION} cloudformation describe-stacks --stack-name ${STACK_NAME} --query "Stacks[0].Outputs[?OutputKey=='bastionHost'].OutputValue" --output text

SSH

From your desktop client/shell, run this command to open an SSH session to BIG-IP VE through the bastion host. Replace the variables in brackets before running the command. (On OpenSSH 7.3 or later, -J ec2-user@[BASTION-HOST-PUBLIC-IP] is an equivalent shorthand for the ProxyCommand.)

ssh -i [keyname-passed-to-template.pem] -o ProxyCommand='ssh -i [keyname-passed-to-template.pem] -W %h:%p ec2-user@[BASTION-HOST-PUBLIC-IP]' admin@[BIG-IP-MGMT-PRIVATE-IP]

Example:

ssh -i ~/.ssh/mykey.pem -o ProxyCommand='ssh -i ~/.ssh/mykey.pem -W %h:%p ec2-user@34.82.102.190' admin@10.0.1.11

SSH and Configuration Utility (WebUI)

To reach the BIG-IP VE Configuration Utility on the management port, perform the following steps. Multi-NIC deployments serve the WebUI at https://host (port 443); single-NIC deployments use https://host:8443.

  1. From your desktop client/shell, run this command to create an SSH tunnel through the bastion host:

    ssh -i [keyname-passed-to-template.pem] ec2-user@[BASTION-HOST-PUBLIC-IP] -L [DESKTOP_PORT]:[BIG-IP-MGMT-PRIVATE-IP]:[BIGIP-GUI-PORT]

    Example:

    ssh -i ~/.ssh/mykey.pem ec2-user@34.82.102.190 -L 8443:10.0.1.11:443

  2. In a browser, navigate to the tunnelled BIG-IP VE user interface at https://localhost:[DESKTOP_PORT] (https://localhost:8443 in the example above).

By default, the BIG-IP VE system’s WebUI starts with a self-signed certificate. Follow your browser’s instructions for accepting self-signed certificates. For example, if using Firefox, select Advanced > Accept Risk and Continue. If using Chrome, click inside the page and type thisisunsafe.

Login credentials:

  • User name: admin

  • Password: <your-AWS-secret>

SSH

From TMOS Shell (tmsh), type bash and then press the Enter key to access the bash shell.

Examine the downloaded BIG-IP VE configuration file:

    cat /config/cloud/runtime-init.conf

Examine the running BIG-IP VE configurations:

  • F5 Automation Toolchain declarations include:

    curl -su admin: http://localhost:8100/mgmt/shared/declarative-onboarding | jq .
    curl -su admin: http://localhost:8100/mgmt/shared/appsvcs/declare | jq .
  • Cloud Failover Extension declaration includes:

    curl -su admin: http://localhost:8100/mgmt/shared/cloud-failover/declare | jq .

WebUI

  1. If you provisioned the example application, navigate to Virtual Services.

  2. From the Partition menu in the upper-right corner of the screen, select Partition = Tenant_1.

  3. Navigate to Local Traffic > Virtual Servers. You should see the virtual services for HTTP and HTTPS, with both appearing as green. Select them to look at the configuration that’s declared in the AS3 declaration.

  4. Navigate to Security > Application Security, and select the CustomWAFPolicy policy so you can inspect it.

Test the WAF service

If you’ve provisioned the example application, perform the following steps to test the WAF service:

  1. To obtain the address of the WAF service, perform one of the following steps:

    • If using the AWS Management Console, navigate to CloudFormation > <STACK_NAME> > Outputs > applicationPublicIp.

    • If using the AWS CLI, run this command:

      aws --region ${REGION} cloudformation describe-stacks --stack-name ${STACK_NAME} --query "Stacks[0].Outputs[?OutputKey=='applicationPublicIp'].OutputValue" --output text

  2. To verify that the application is responding, paste the IP address in a browser: https://${IP_ADDRESS_FROM_OUTPUT}

    By default, the virtual service starts with a self-signed certificate. Follow your browser’s instructions for accepting self-signed certificates. For example, if using Firefox, select Advanced > Accept Risk and Continue. If using Chrome, click inside the page and type thisisunsafe.

    To use curl instead:

      curl -sko /dev/null -w '%{response_code}\n' https://${IP_ADDRESS_FROM_OUTPUT}

  3. Verify that the WAF is configured to block illegal requests:

      curl -sk -X DELETE https://${IP_ADDRESS_FROM_OUTPUT}

    The response should include a message that the request was blocked and a reference support ID, for example:

      $ curl -sko /dev/null -w '%{response_code}\n' https://55.55.55.55
      200
      $ curl -sk -X DELETE https://55.55.55.55
      <html><head><title>Request Rejected</title></head><body>The requested URL was rejected.
      Please consult with your administrator.<br><br>Your support ID is:
      2394594827598561347<br><br><a href='javascript:history.back();'>[Go Back]</a></body></html>
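When this check is scripted (for the initial test above and again after the failover test that follows), the interesting part is telling a block page from an application response and keeping the support ID, since that ID is what you search for in the ASM request log. The following script is an added example (not part of the Partner Solution) that classifies captured responses by body content and runs the GET-allowed / DELETE-blocked check as a pass/fail. The responses are constructed from the page’s sample output; in practice they come from whichever client you use (curl -sk -w '%{response_code}' or urllib). The classifier matches the body rather than the status code, because the ASM block page is served as an ordinary HTML response; if the blocking page has been customized, adjust BLOCK_PAGE_RE to match it.

```python
"""Classify responses from the WAF smoke test and pull out the support ID
from a block page.

Added example, not part of the Partner Solution. The responses below are
constructed from the page's sample output. The block page is matched on its
body text, which is the default ASM blocking response; adjust BLOCK_PAGE_RE
if the blocking page has been customized.
"""
import re

BLOCK_PAGE_RE = re.compile(r"Request Rejected.*?Your support ID is:\s*(\d+)", re.S)

# Constructed responses: (status, body) per HTTP method.
SAMPLE_RESULTS = {
    "GET": (200, "<html><body>Example application up</body></html>"),
    "DELETE": (200, "<html><head><title>Request Rejected</title></head><body>"
                    "The requested URL was rejected. Please consult with your "
                    "administrator.<br><br>Your support ID is: 2394594827598561347"
                    "<br><br><a href='javascript:history.back();'>[Go Back]</a>"
                    "</body></html>"),
}


def classify_response(status, body):
    """Return ('blocked', support_id), ('allowed', None) or ('error', None)."""
    match = BLOCK_PAGE_RE.search(body)
    if match:
        return "blocked", match.group(1)
    if 200 <= status < 400:
        return "allowed", None
    return "error", None


def waf_smoke_test(results, allowed=("GET",), blocked=("DELETE",)):
    """results: dict method -> (status, body). Passes only if every method in
    `allowed` reached the application and every method in `blocked` hit the
    WAF block page. Returns (passed, verdicts)."""
    verdicts = {method: classify_response(*resp) for method, resp in results.items()}
    passed = (all(verdicts.get(m, ("error",))[0] == "allowed" for m in allowed)
              and all(verdicts.get(m, ("error",))[0] == "blocked" for m in blocked))
    return passed, verdicts


if __name__ == "__main__":
    ok, verdicts = waf_smoke_test(SAMPLE_RESULTS)
    for method, (verdict, support_id) in verdicts.items():
        print(f"{method:7s} {verdict}" + (f" support ID {support_id}" if support_id else ""))
    print("PASS" if ok else "FAIL")
```

A test that only checks the curl exit status or the HTTP code would report the DELETE as a success, because the block page comes back as a normal page; matching the body is what distinguishes "the WAF blocked it" from "the application answered".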

Test the failover

If you deployed the example application, perform the following steps to test the failover:

  1. Log in to the BIG-IP VE instances.

  2. Force the active instance to standby:

    • If using the BIG-IP VE Configuration Utility, on the active instance navigate to Device Management > Traffic Groups, select the check box next to traffic-group-1, and then select Force to Standby.

    • If using the BIG-IP VE command line, run this command on the active instance:

      tmsh run sys failover standby

  3. Verify that the Elastic IP address associated with the virtual service (applicationPublicIp) is remapped to the peer BIG-IP VE instance (for example, from 10.0.10.11 in Availability Zone 1 to 10.0.20.11 in Availability Zone 2).

  4. Verify that the application is still responding:

    By default, the virtual service starts with a self-signed certificate. Follow your browser’s instructions for accepting self-signed certificates. For example, if using Firefox, select Advanced > Accept Risk and Continue. If using Chrome, click inside the page and type thisisunsafe.

    Or use curl:

      curl -sko /dev/null -w '%{response_code}\n' https://${IP_ADDRESS_FROM_OUTPUT}

  5. Verify that the WAF still blocks illegal requests:

      curl -sk -X DELETE https://${IP_ADDRESS_FROM_OUTPUT}

In this example, traffic uses Source Network Address Translation (SNAT), so from the example application’s point of view the client address is the SNAT address of whichever BIG-IP VE instance is active, while the real client IP address is carried in the X-Forwarded-For header that BIG-IP VE inserts. Observe how the client address seen by the application changes from the BIG-IP VE instance in one Availability Zone to the other. Because any client can supply its own X-Forwarded-For header, the application should rely only on the value inserted by the BIG-IP VE in front of it.

Best practices for using BIG-IP VE on AWS

For illustration purposes, this Partner Solution provides an option to pre-provision the additional cloud resources (IP addresses) needed for an example virtual service. In practice, the template is designed solely to facilitate the initial deployment, because cloud-init runs only once: it is an initial provisioning mechanism, not the primary configuration API for a long-running platform. In an infrastructure use case, virtual services are typically added after the initial deployment, outside the lifecycle of this CloudFormation template.

Add services via the cloud

Provision additional IP addresses on the desired network interfaces. Refer to the following resources:

  • Assign a secondary private IPv4 address

  • Allocate an Elastic IP address

  • Associate an Elastic IP address with an instance or network interface

Add services via BIG-IP VE

Create virtual services that match the secondary IP addresses. Also update the AS3 declaration with additional virtual services. Refer to Composing an AS3 Declaration for more information.

For cloud resources, templates can be created or customized to pre-provision and update additional resources (for example, various combinations of NICs, IP addresses, public IP addresses, etc.). Refer to the Support section for more information. For the BIG-IP VE configuration, use either the REST API or Automation Toolchain clients such as Ansible or Terraform.

Delete the deployment

CloudFormation doesn’t delete S3 buckets that contain data. Before deleting this deployment, manually empty the S3 bucket created for the Cloud Failover Extension (named by the cfeS3Bucket parameter). In the AWS Management Console, go to S3, search for the cfeS3Bucket bucket name, select the radio button next to the bucket, and choose Empty.

You can now delete the deployment. Still in the AWS Management Console, open CloudFormation, go to Stacks, select the radio button next to the parent stack, and choose Delete.

For more information, refer to Troubleshooting AWS CloudFormation.

Security

This solution requires internet access for downloading additional F5 software components used for onboarding and configuring the BIG-IP VE instance (via GitHub.com). Internet access is required via the management interface and then via a dataplane interface (for example, external Self-IP) once a default route is configured. Refer to Overview of management interface routing for more details. By default, as a convenience, this Partner Solution provisions public IP addresses to enable this, but in a production environment, outbound access should be provided by a routed SNAT service (for example, NAT gateway, custom firewall, etc).

Access via a web proxy is not currently supported. The alternatives are (1) hosting the files locally and modifying the runtime-init package URL and configuration files to point to the local URLs, or (2) baking them into a custom image using the F5 BIG-IP Image Generation Tool.

Internet access is also required for contacting native cloud services (for example, s3.amazonaws.com, ec2.amazonaws.com, etc.) for various cloud integrations.

Onboarding

Use F5 BIG-IP Runtime Init to fetch secrets from native vault services.

Operation

You can use additional cloud services such as VPC endpoints so that calls to native AWS services do not traverse the internet; the endpoints that BIG-IP VE contacts are listed at the end of this section.

The Partner Solution’s CloudFormation template downloads helper code (F5 BIG-IP Runtime Init and the Automation Toolchain extension packages it installs) to configure the BIG-IP VE system.

The following runtime-init configuration file installs the DO and AS3 extensions, verifying each package against its pinned SHA-256 hash, before configuring AS3 from a local file:

runtime_parameters: []
extension_packages:
    install_operations:
        - extensionType: do
          extensionVersion: 1.23.0
          extensionHash: bfe88c7cf3fdb24adc4070590c27488e203351fc808d57ae6bbb79b615d66d27
        - extensionType: as3
          extensionVersion: 3.30.0
          extensionHash: 47cc7bb6962caf356716e7596448336302d1d977715b6147a74a142dc43b391b
extension_services:
    service_operations:
      - extensionType: as3
        type: url
        value: file:///examples/declarations/as3.json

For more information about F5 BIG-IP Runtime Init and additional examples, refer to the GitHub repository.
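The extensionHash values in the configuration above are what turn a download from github.com into a pinned artifact: runtime-init compares the package it fetched with that SHA-256 before installing it. The same check is worth running yourself in the two cases the Security section describes, mirroring the packages locally or baking them into a custom image, so that a tampered or wrong-version RPM is caught before it is published rather than at boot. The following script is an added example (not code from F5 BIG-IP Runtime Init) that does that: it lists install operations without a pin and verifies package bytes against the pinned hash, failing closed when the hash is missing. The DO and AS3 entries repeat the pins from the configuration above; the cfe entry, its version, and the package bytes are constructed for the example.

```python
"""Check Automation Toolchain packages against the extensionHash values
pinned in a runtime-init configuration.

Added example, not part of F5 BIG-IP Runtime Init (which performs this check
itself at install time). Intended for a local mirror or a custom image:
verify each package against the pinned SHA-256 before publishing it, and
refuse any install operation that has no hash at all. The first two entries
are the DO and AS3 pins from the page's configuration; the third entry and
the package bytes are constructed.
"""
import hashlib
import hmac

INSTALL_OPERATIONS = [
    {"extensionType": "do", "extensionVersion": "1.23.0",
     "extensionHash": "bfe88c7cf3fdb24adc4070590c27488e203351fc808d57ae6bbb79b615d66d27"},
    {"extensionType": "as3", "extensionVersion": "3.30.0",
     "extensionHash": "47cc7bb6962caf356716e7596448336302d1d977715b6147a74a142dc43b391b"},
    {"extensionType": "cfe", "extensionVersion": "1.10.0"},  # constructed: no pin
]

# Constructed stand-in for a mirrored package file, with a matching pin.
SAMPLE_PACKAGE = b"constructed stand-in for an f5-declarative-onboarding rpm\n"
SAMPLE_OPERATION = {"extensionType": "do", "extensionVersion": "1.23.0",
                    "extensionHash": hashlib.sha256(SAMPLE_PACKAGE).hexdigest()}


def unpinned_operations(install_operations):
    """Return the extensionTypes whose install operation carries no hash."""
    return [op["extensionType"] for op in install_operations
            if not op.get("extensionHash")]


def verify_extension(package_bytes, operation):
    """True only if the package's SHA-256 equals the pinned extensionHash.
    A missing pin fails closed; the comparison is constant-time."""
    expected = operation.get("extensionHash")
    if not expected:
        return False
    actual = hashlib.sha256(package_bytes).hexdigest()
    return hmac.compare_digest(actual, expected.lower())


def verify_mirror(packages, install_operations):
    """packages: dict extensionType -> bytes of the mirrored file.
    Returns the extensionTypes that must not be published: missing files,
    hash mismatches, and operations with no pin."""
    rejected = []
    for op in install_operations:
        data = packages.get(op["extensionType"])
        if data is None or not verify_extension(data, op):
            rejected.append(op["extensionType"])
    return rejected


if __name__ == "__main__":
    print("unpinned:", unpinned_operations(INSTALL_OPERATIONS))
    print("sample package verifies:", verify_extension(SAMPLE_PACKAGE, SAMPLE_OPERATION))
    print("rejected from mirror:",
          verify_mirror({"do": SAMPLE_PACKAGE, "cfe": SAMPLE_PACKAGE}, INSTALL_OPERATIONS))
```

To apply it to a real mirror, read each downloaded RPM into the packages dict keyed by extensionType and pass the install_operations list parsed from your runtime-init file; anything returned by verify_mirror or unpinned_operations should block publication of the mirror until the hash is corrected or added.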

This template can send non-identifiable statistical information to F5 Networks to help improve templates. You can disable this functionality for this deployment by setting the value of the allowUsageAnalytics input parameter to false, or you can disable it system-wide by setting the autoPhonehome system class property value to false in the F5 Declarative Onboarding declaration. Refer to the Customizing the BIG-IP Configuration section for more information.

BIG-IP VE may contact the following list of endpoints during onboarding:

  • BIG-IP VE image default:

  • Solution/onboarding:

    • github.com (for downloading helper packages mentioned earlier)

    • f5-cft.s3.amazonaws.com (downloading GPG Key and other helper configuration files)

    • license.f5.com (licensing functions)

  • Telemetry:

    • product-s.apis.f5.com

    • f5-prod-webdev-prod.apigee.net

    • id-prod-global-endpoint.trafficmanager.net

    • global.azure-devices-provisioning.net

    • www-google-analytics.l.google.com

Troubleshooting

For troubleshooting common Partner Solution issues, refer to the AWS Partner Solution General Information Guide and Troubleshooting CloudFormation.

The following issues are most common:

  • The entire stack was not created

  • Resource(s) within the stack failed to deploy

If a CloudFormation template in the stack failed, choose the name of the failed stack and then choose Events. Check the Status Reason column for details about the cause of the failed event.

When creating a GitHub issue for a failed template, include as much information as possible from the stack event.

Common causes of deployment failure include:

  • Required fields were left empty or contained incorrect values (for example, an input type mismatch, prohibited characters, etc.), causing template validation failure.

  • Insufficient permissions to create the deployment or resources created by a deployment (for example, IAM roles, etc).

  • Resource limitations (for example, exceeded limit of IP addresses or compute resources, etc.).

  • An AWS service issue. To check service health, visit the AWS service health dashboard.

If all stacks were created successfully, but the BIG-IP VE or AWS service is unavailable, log in to the BIG-IP VE instance via SSH to confirm the BIG-IP VE deployment or configuration update was successful. For example, you can check that the startup scripts completed as expected on BIG-IP VE. To verify BIG-IP VE deployment, perform the following steps:

  1. Obtain the IP address of the BIG-IP VE instance. To learn more, refer to Access the BIG-IP VE IP address.

  2. Check the startup script to make sure it was installed/interpolated correctly: cat /opt/cloud/instance/user-data.txt

  3. Check the logs (in order of invocation):

    • cloud-init logs:

      • /var/log/boot.log

      • /var/log/cloud-init.log

      • /var/log/cloud-init-output.log

    • runtime-init logs:

      • /var/log/cloud/startup-script.log: Contains events that happen prior to running f5-bigip-runtime-init. For example, if the files required by the deployment fail to download, those events are logged here.

      • /var/log/cloud/bigIpRuntimeInit.log: Contains events logged by the f5-bigip-runtime-init onboarding utility. If the configuration is invalid, causing onboarding to fail, those events are logged here. If deployment is successful, you will see an All operations completed successfully event.

    • Automation tool chain logs:

      • /var/log/restnoded/restnoded.log: Contains events logged by the F5 Automation Toolchain components. If an Automation Toolchain declaration fails to deploy, the details of those events are logged here.

Search for the most critical errors first (for example, egrep -i err /var/log/<Logname>).

If you can’t log in to the BIG-IP VE instance, navigate to EC2 > Instances, select the check box next to the instance you want to troubleshoot, and then choose Actions > Monitor and Troubleshoot > Get System Log or Get Instance Screenshot for potential logging to serial console.

aws ec2 get-console-output --region ${REGION}  --instance-id <ID>

Support

Due to the heavy customization requirements of external cloud resources and BIG-IP VE configurations, F5 does not provide technical support for deploying, customizing, or troubleshooting CloudFormation templates. However, the various underlying products and components used in the deployed Partner Solution such as BIG-IP Virtual Edition, F5 BIG-IP Runtime Init, F5 Automation Toolchain extensions, and F5 Cloud Failover are supported by F5 and can be deployed with other orchestration tools. To learn more, refer to Support Policies. For problems with the templates deployed as-is, report a GitHub issue.

For help with authoring and support for custom templates, engage with F5 Professional Services.

Customer responsibility

After you deploy a Partner Solution, confirm that your resources and services are updated and configured—including any required patches—to meet your security and other needs. For more information, refer to the Shared Responsibility Model.

Feedback

To submit feature ideas and report bugs, use the Issues section of the GitHub repository for this Partner Solution. To submit code, refer to the Partner Solution Contributor’s Guide. To submit feedback on this deployment guide, use the following GitHub links:

Notices

This document is provided for informational purposes only. It represents current AWS product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided "as is" without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at https://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "as is" basis, without warranties or conditions of any kind, either expressed or implied. Refer to the License for specific language governing permissions and limitations.