What roles are required to install BIG-IP on an EC2 or Compute Instance?

F5 requires a custom AWS role with three policies attached:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:describeinstancestatus",
        "ec2:describenetworkinterfaces",
        "ec2:assignprivateipaddresses"
      ],
      "Resource": "*"
    }
  ]
}

How many IP Addresses are needed for F5?

  • You need two public IPs (Elastic IPs in AWS). Elastic IPs are static IPs, but unlike regular static IPs they can be moved around (from an instance in one AZ to another, typically to facilitate failover).
  • You need a private IP (a secondary IP) on the internal network interface (the one that the Virtual Server uses to talk to the web servers).

What does the DNS entry look like for the Public IP Addresses?

The public DNS host name of the instance changes to match the Elastic IP address.

Can you use AWS' Auto Scaling with F5? What about Target Groups?

Yes. You can define target groups as the EC2 instances hosting F5.

Can the target groups be Lambda Functions?

Yes again.

How many Network Interfaces Are Needed for F5 Appliances - AWS or GCP?

Attaching multiple network interfaces to an instance is useful when you want to:

  • Create a management network.
  • Use network and security appliances in your VPC.
  • Create dual-homed instances with workloads/roles on distinct subnets.

Firewall Rules Needed for F5 on AWS

Refer to the F5 documentation.

How do I do this through Terraform?

For AWS, the credentials used in the Terraform provider must be able to create IAM Instance Profiles.
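
The following Terraform configuration is an added example, not F5's own code and not part of the original page. It creates a role that only EC2 can assume, attaches the policy shown earlier on this page, and wraps the role in an instance profile; the resource labels and the `bigip-` names are hypothetical.

```hcl
# Added example: resource labels and "bigip-" names are hypothetical.

# Trust policy: only the EC2 service may assume this role.
resource "aws_iam_role" "bigip" {
  name = "bigip-instance-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

# Inline policy carrying the three EC2 actions from the policy
# document earlier on this page, unchanged.
resource "aws_iam_role_policy" "bigip" {
  name = "bigip-eni-policy"
  role = aws_iam_role.bigip.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = [
        "ec2:describeinstancestatus",
        "ec2:describenetworkinterfaces",
        "ec2:assignprivateipaddresses",
      ]
      Resource = "*"
    }]
  })
}

# The instance profile is the object that is attached to the EC2
# instance, e.g. via the aws_instance argument "iam_instance_profile".
resource "aws_iam_instance_profile" "bigip" {
  name = "bigip-instance-profile"
  role = aws_iam_role.bigip.name
}
```

To apply this, the provider credentials need `iam:CreateRole`, `iam:PutRolePolicy`, `iam:CreateInstanceProfile` and `iam:AddRoleToInstanceProfile`, plus `iam:PassRole` on the role when the profile is attached to an instance. Scoping `iam:PassRole` to this one role ARN keeps the deployment credentials from handing other roles to instances.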
