F5 BIG–IP on IBM Cloud
Solution Architecture
Date: 2018–02–22
Copyright IBM Corporation 2018


Table of Contents

1 Introduction   4
1.1 About F5 BIG–IP Virtual Edition   4
1.2 Background   4
1.3 Key Benefits   5
2 Design   6
2.1 Overview   6
2.2 F5 BIG–IP Virtual Edition Deployment   6
    Virtual machine configuration   7
    Network configuration   8
    VMware DRS   9
    Caveats   9
Appendix A—License Requirements   10
Appendix B—Reference   11

List of Figures

Figure 1 VMware Cloud Foundation on IBM Cloud   4
Figure 2 F5 BIG–IP on IBM Cloud High Level Components   6
Figure 3 Overview of a BIG–IP virtual edition networking configuration   7

List of Tables

Table 1 F5 BIG–IP sizing model   7
Table 2 F5 BIG–IP virtual machine summary   7


Summary of Changes

This section records the history of significant changes to this document. Only the most significant changes are described here.

Version   Date         Author(s)                                                                                                                                     Description of Change
1.0       2018–02–22   Jack Benney, Frank Chodacki, Daniel De Araujo, Bob Kellenberger, Simon Kofkin–Hansen, Scott Moonen, Dan Mullen, Jim Robbins   Initial Release


1 Introduction

1.1 About F5 BIG–IP Virtual Edition

The purpose of this document is to define and describe the F5 BIG–IP architecture for the vCenter Server and VMware Cloud Foundation offerings deployed in the IBM Cloud. Specifically, it details the components of the solution and the high–level configuration of each component in the design. This solution is considered an additional component and extension of both the vCenter Server solution offering and the VMware Cloud Foundation solution offering on IBM Cloud. As a result, this document does not cover the existing configuration of the foundation solutions on IBM Cloud. It is therefore highly recommended that you review and understand the VMware on IBM Cloud solution architecture located on the IBM Architecture Center before reading this document.

Figure 1 VMware Cloud Foundation on IBM Cloud

1.2 Background

IBM Cloud clients who make use of physical network traffic management and load optimization appliances for their on–premises environments may be interested in an equivalent virtualized solution for their VMware environments in the IBM Cloud. IBM Cloud offers F5 BIG–IP Virtual Edition, which includes the F5 Local Traffic Manager (LTM) feature set. The F5 LTM provides both static and dynamic load balancing along with application layer proxies that prioritize traffic. All capability is deployed in a redundant configuration to prevent a single point of failure in the network layer.


1.3 Key Benefits

Several licensing options are available for F5 BIG–IP Virtual Edition on IBM Cloud. The Good licensing tier offers the following capabilities:

• Local Traffic Manager (LTM) for L4–L7 load balancing and traffic management

The Better licensing tier adds the following BIG–IP capabilities:

• DNS
• Advanced Firewall Manager (AFM) for advanced firewall services
• Application Acceleration Manager (AAM) for application performance optimization

The Best licensing tier adds the following BIG–IP capabilities:

• Application Security Manager (ASM), for L7 security
• Access Policy Manager (APM), for simplified application access including SSO and MFA


2 Design

2.1 Overview

The F5 BIG–IP Virtual Edition solution complements the IBM Cloud for VMware Solutions offerings by providing application availability, access control, and security services. These services are provided by one or more pairs of F5 BIG–IP Virtual Edition virtual machines deployed to your VMware on IBM Cloud cluster.

Figure 2 F5 BIG–IP on IBM Cloud High Level Components

2.2 F5 BIG–IP Virtual Edition Deployment

BIG–IP Local Traffic Manager (LTM) does not replace NSX but rather complements and enhances the existing NSX architecture. BIG–IP can be installed into either VMware Cloud Foundation (VCF) or vCenter Server (VCS) instances on IBM Cloud. In both scenarios, BIG–IP VE is deployed with two virtual network interfaces (vNICs) in the client’s data plane; even so, LTM can manage all NSX–aware network segments if the proper routing has been configured. An additional vNIC is configured in the management plane, and a fourth and final vNIC is configured in the control plane for high availability. Figure 3 shows an overview of one possible instantiation of this architecture.


Figure 3 Overview of a BIG–IP virtual edition networking configuration

In this figure, the Internal and External network segments represent public and private segments in the client’s data plane. This instance has been configured to use a logical switch (VXLAN) for both of the BIG–IP data interfaces.

Virtual machine configuration

The F5 BIG–IP offering is deployed as a pair of virtual machines within your primary vSphere cluster to enable a high availability configuration.

The configuration of the appliances follows a small, medium or large template, and depends on the chosen licensing model and licensed bandwidth. Table 1 shows the template used for each license option and throughput:

Throughput   Good Configuration   Better Configuration   Best Configuration
≤ 1 Gbps     Small                Medium                 Large
≥ 3 Gbps     Large                Large                  Large

Table 1 F5 BIG–IP sizing model

Depending on the template, the appliances are deployed with the configuration shown in Table 2:

Attribute           Small Template   Medium Template   Large Template
CPU                 2 vCPU           4 vCPU            8 vCPU
RAM                 4 GB             8 GB              16 GB
High availability   Two appliances deployed to enable high availability
Disk usage          Two disks totaling 149 GB on the cluster’s management datastore: one of 20 GB and one of 129 GB
Disk backing        Management datastore: vSAN or IBM Cloud Endurance, as applicable

Table 2 F5 BIG–IP virtual machine summary


Although two virtual machines are deployed, BIG–IP clustering is not preconfigured by the IBM Cloud automation. This is because aspects of the clustering configuration, such as TLS certificates, are not known at the time of deployment. After the F5 BIG–IP machines have been deployed, you must log in to them and configure certificates, interfaces and addresses, and clustering. See the developerWorks recipe, Working with F5 Networks BIG–IP in IBM Cloud for VMware, for more details.

Network configuration

The BIG–IP virtual machines are deployed with four network interfaces, configured as follows:

BIG–IP Interface   Configuration
1.0 [Management]   Attached to the Private A VLAN using SDDC-DPortGroup-Mgmt, with IP addresses assigned by IBM Cloud automation from the management subnet
1.1 [Internal]     If the instance is VCS and the sample Workload logical switch is present, attached to that switch. Otherwise (the instance is VCF, or the sample Workload switch is absent), attached to a dynamically created port group on the Private A VLAN using SDDC-Dswitch-Private. In all cases, IP addresses are unassigned and the link is initially inactive
1.2 [External]     Attached to the Public VLAN using SDDC-DPortGroup-External, but IP addresses are unassigned and the link is initially inactive
1.3 [HA]           Attached to a new logical switch named after the F5 BIG–IP service instance name given at the time of deployment; e.g., ltm1-BigIPHA

Management Interface

The BIG–IP management interface is preconfigured and ready to access immediately after deployment. You should not re–assign or re–configure the management interface.

A firewall rule and a source NAT rule are created on the management NSX Edge Services Gateway (ESG) to allow the device to connect to the public network using http and https only. These rules exist to allow license management; changing them is not recommended, as it could lead to the license being deactivated.

Data Network Interfaces

There are two vNICs defined for the BIG–IP data plane. These correspond to the BIG–IP Internal and External interfaces. Depending on your network topology design, the external, or “north-south”, interface might be connected to any of the following networks:

• Public network
  o Direct connection to public network
  o Indirect connection protected by NSX Edge Services Gateway (ESG)
  o Indirect connection protected by FortiGate security appliance using routing
  o Indirect connection protected by FortiGate virtual appliance
• IBM Cloud private network
• NSX logical switch (VXLAN)

The external interface is initially attached to the external port group and switch, but may be reconfigured after deployment.

The internal interface is intended for connection to your VMware workload. Depending on your network topology design it might be connected to any of the following networks:

• Connection to IBM Cloud private network
• Connection to NSX logical switch (VXLAN)


The internal interface is initially attached to either the sample Workload logical switch (if the instance is VCS and the sample switch is present), or else a dynamically created port group on the IBM Cloud private network. In any case, you may reconfigure it after deployment according to your requirements.

Since the appliance traffic management networks are not initially configured, both the external and internal interfaces are left inactive and no IP address is assigned. If you plan to use either the IBM Cloud public VLAN or private VLAN for either interface, you must order your own subnets from the IBM Cloud portal for use with the BIG–IP virtual appliances.

High Availability Interface

The high availability interface is pre–configured on a dedicated logical switch (VXLAN). You should not re–assign or re–configure the HA interface, or reuse the logical switch for any other purpose. Note that BIG–IP allows for standalone deployments, but IBM Cloud does not support this configuration.
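The interface table and the Management and High Availability Interface notes above amount to a baseline that each appliance should match right after deployment. The following check encodes that baseline as a drift detector; it is an added illustration, not IBM's or F5's code, and the Iface record, the instance name ltm1, the internal port-group name and all IP values are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Iface:
    """One BIG-IP VE vNIC as reported after deployment (assumed inventory shape)."""
    name: str       # BIG-IP interface name: 1.0, 1.1, 1.2 or 1.3
    vlans: list     # VLANs / logical switches the interface is attached to
    self_ips: list  # self IP addresses configured on those VLANs
    link_up: bool   # whether the link is active


# Role of each vNIC, taken from the Network configuration table.
ROLES = {"1.0": "management", "1.1": "internal", "1.2": "external", "1.3": "ha"}


def check_baseline(ifaces, instance_name):
    """Return drift findings; an empty list means the appliance still matches
    the state the IBM Cloud automation leaves it in."""
    findings = []
    by_name = {i.name: i for i in ifaces}
    ha_switch = f"{instance_name}-BigIPHA"  # naming convention shown in the table
    for name, role in ROLES.items():
        i = by_name.get(name)
        if i is None:
            findings.append(f"{name} ({role}): interface missing")
            continue
        if role == "management":
            # 1.0 is addressed by the automation and must stay as delivered
            if not i.self_ips or not i.link_up:
                findings.append(f"{name} (management): expected addressed and active")
        elif role == "ha":
            # 1.3 sits alone on its dedicated logical switch
            if i.vlans != [ha_switch]:
                findings.append(f"{name} (ha): expected only {ha_switch}, got {i.vlans}")
        elif i.self_ips or i.link_up:
            # 1.1 / 1.2 are delivered unaddressed and inactive until you configure them
            findings.append(f"{name} ({role}): should be unaddressed and inactive until configured")
        if role != "ha" and ha_switch in i.vlans:
            # the HA logical switch must not be reused for any other purpose
            findings.append(f"{name} ({role}): reuses HA logical switch {ha_switch}")
    return findings


# Constructed sample: a freshly deployed member of the pair for instance "ltm1".
FRESH = [
    Iface("1.0", ["SDDC-DPortGroup-Mgmt"], ["10.0.0.10/26"], True),
    Iface("1.1", ["ltm1-internal-pg"], [], False),  # constructed port-group name
    Iface("1.2", ["SDDC-DPortGroup-External"], [], False),
    Iface("1.3", ["ltm1-BigIPHA"], [], True),
]
# Constructed sample: 1.2 was addressed without planning and 1.1 was hung off the HA switch.
DRIFTED = [
    Iface("1.0", ["SDDC-DPortGroup-Mgmt"], ["10.0.0.10/26"], True),
    Iface("1.1", ["ltm1-BigIPHA"], [], False),
    Iface("1.2", ["SDDC-DPortGroup-External"], ["203.0.113.5/28"], True),
    Iface("1.3", ["ltm1-BigIPHA"], [], True),
]
```

Run it against the inventory you pull from each appliance before you start the certificate and clustering work, and again whenever a change request touches interfaces 1.0 or 1.3.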

VMware DRS and reservations

Because it provides time–sensitive networking services, BIG–IP should be configured to ensure that it has adequate resources. The IBM Cloud automation configures a reservation to ensure that the virtual appliances receive their full allotment of CPU and memory.

In order to assure high availability, the IBM Cloud automation creates a DRS anti–affinity rule to restrict the two BIG–IP virtual machines from running on the same host.

Caveats

It is not possible to change the licensing tier or licensed throughput of your BIG–IP deployment once it has been deployed. In order to achieve this, you must deploy a new instance of F5 BIG–IP, migrate your configuration to the new instance, and delete the original instance.

F5 BIG–IP limits the appliance throughput based on your chosen maximum bandwidth. Because network performance is affected by many factors, not all configurations and topologies may be able to achieve your chosen maximum bandwidth.


Appendix A—License Requirements

This architecture requires BIG–IP licensing from F5. IBM Cloud automation provisions the F5 BIG–IP license based on your chosen license tier and throughput. Your IBM Cloud monthly bill will reflect your order and ongoing usage of F5 BIG–IP Virtual Edition.

The BIG–IP virtual machines require outbound connectivity to F5 licensing servers to activate and maintain their license. This connectivity is preconfigured as described in section 2.2.2.1 (Management Interface) and should not be re–configured.


Appendix B—Reference

Additional information about IBM Cloud and F5 BIG–IP on IBM Cloud can be found at the following sites:

• IBM Cloud Architecture Center for Virtualization: https://www.ibm.com/cloud/garage/content/architecture/virtualizationArchitecture/
• Working with F5 Networks BIG–IP in IBM Cloud for VMware: https://developer.ibm.com/recipes/tutorials/working-with-f5-networks-bigip-in-ibm-cloud-for-vmware/
• F5 introduction to iRules: https://devcentral.f5.com/articles/sid/6955