F5 BIG-IQ Virtual Edition (HA) in Microsoft Azure

This deployment consists of running a PowerShell script that provisions a BIG-IQ VE high availability (HA) pair in Azure, then logging in to each new VE instance over SSH and using tmsh to set the admin password and enable root access.

A BIG-IQ HA configuration is limited to two systems: a primary and a secondary. Only the primary BIG-IQ system manages BIG-IP devices. With BIG-IQ HA, the primary periodically push-replicates the entire BIG-IQ system state to the secondary peer to keep the two synchronized; by default this happens every thirty seconds, and the interval is configurable. This lets the secondary be promoted manually to primary and take over management of the BIG-IP devices if the primary is not fully functional. There is no automatic failover from the primary to the secondary.

If you are deploying to an environment that uses custom DNS, you need to revise your script to target a different endpoint.

Prerequisites

You must meet the following prerequisites to use this procedure:

You have two BIG-IQ systems properly licensed.
Both BIG-IQ systems are running the same software version for the high-availability pair to synchronize properly.
Both BIG-IQ systems are synchronized to a Network Time Protocol (NTP) server, with their clocks within sixty seconds of each other.
Both BIG-IQ systems are configured with the same master key.
You have administrative access to both BIG-IQ systems.

Deployment Plan

Step 1 – Create a new resource group
Step 2 – Create a new Network Security Group
Step 3 – Provision BIG IQ PRIMARY instance
Step 4 – Provision BIG IQ SECONDARY instance
Step 5 – Attach the Network Security Group
Step 6 – Create your User Accounts

Step 7 – Browser Login
Step 8 – Licensing setup
Step 9 – Pairing BIG-IQ systems for high availability
Step 10 – Synchronizing your BIG-IQ systems

Failover options – Manually promoting the secondary BIG-IQ system to be the primary
Failover options – Resetting the secondary BIG-IQ to be standalone when the primary is unavailable
Maintenance options – Removing the secondary BIG-IQ system
Maintenance options – Splitting a high availability pair
Maintenance options – Manually synchronizing the BIG-IQ systems
Maintenance options – Changing how often BIG-IQ systems are synchronized
Maintenance options – Updating the secondary BIG-IQ system with changes from the primary

Deployment Steps

Step 1 - Create a new resource group

Create a new resource group to hold your BIG-IQ resources:


$ResourceGroupName = "resourcegroupname"
$location = "uaenorth"
New-AzResourceGroup `
-Name $ResourceGroupName `
-Location $location `
-Tag @{CustomerName="Customer01"; `
AutoShutdownSchedule="None"; `
Environment="sandbox";}

Step 2 - Create a new Network Security Group

Create a new NSG with two inbound rules: TCP 22 (SSH to your VE) and TCP 443 (HTTPS to the BIG-IQ UI and REST API). The rules below use a SourceAddressPrefix of '*', which exposes both ports to the whole Internet once the NSG is attached to a NIC that has a public IP; for anything beyond a throwaway sandbox, replace '*' with the CIDR of your jump host or VPN egress.

##Step 1: Create your new NSG
$ResourceGroupName = "allen-f5-bigiq"
$location = "uaenorth"
$NSGname = 'f5BIGIQ-NSG'
$Variables = @{
  'Name'              = $NSGname
  'ResourceGroupName' = $ResourceGroupName
  'Location'          = $location
}
$AzNSG = New-AzNetworkSecurityGroup @Variables


##Step 2: Provision the NSG ACEs / Rules 
#Create 2 inbound rules:

$AzNSG = Get-AzNetworkSecurityGroup `
-Name $NSGname `
-ResourceGroupName $ResourceGroupName

$Variables1 = @{
'Name' = 'f5-big-iq-https'
'NetworkSecurityGroup' = $AzNSG
'Protocol' = 'TCP'
'Direction' = 'Inbound'
'Priority' = 200
'SourceAddressPrefix' = '*'
'SourcePortRange' = '*'
'DestinationAddressPrefix' = '*'
'DestinationPortRange' = 443
'Access' = 'Allow'
}
Add-AzNetworkSecurityRuleConfig @Variables1 | Set-AzNetworkSecurityGroup


$Variables2 = @{
'Name' = 'f5-big-iq-ssh'
'NetworkSecurityGroup' = $AzNSG
'Protocol' = 'TCP'
'Direction' = 'Inbound'
'Priority' = 300
'SourceAddressPrefix' = '*'
'SourcePortRange' = '*'
'DestinationAddressPrefix' = '*'
'DestinationPortRange' = 22
'Access' = 'Allow'
}
Add-AzNetworkSecurityRuleConfig @Variables2 | Set-AzNetworkSecurityGroup


##Step 3: Add a resource lock to the NSG
#Update these variables to lock your NSG when deploying in production (CanNotDelete still permits rule edits; use the ReadOnly lock level to block those as well)

$ResourceGroupName = "allen-f5-bigiq"
$location = "uaenorth"
$NSGname = 'f5BIGIQ-NSG'

New-AzResourceLock `
-LockLevel CanNotDelete `
-LockNotes "This production resource has been locked" `
-LockName "Locked by Allen" `
-ResourceName $NSGname `
-ResourceType "Microsoft.Network/networkSecurityGroups" `
-ResourceGroupName $ResourceGroupName `
-Force
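
As an added example (not code from the original post), the block below rebuilds the same NSG with the two management rules restricted to an admin CIDR and then audits the result for any inbound Allow rule that still exposes 22 or 443 to an open source. It reuses the resource group, region and NSG name from Step 2; the admin CIDR is a placeholder you must replace, and the -Force overwrites the rule set created above.

```powershell
# Added example: source-restricted NSG for the BIG-IQ management NIC, plus an exposure audit.
# Assumptions: same resource group / region / NSG name as Step 2; $adminCidr is a placeholder.
$ResourceGroupName = 'allen-f5-bigiq'
$location          = 'uaenorth'
$NSGname           = 'f5BIGIQ-NSG'
$adminCidr         = '203.0.113.0/24'   # placeholder: your jump-host or VPN egress range

$rules = @(
    New-AzNetworkSecurityRuleConfig -Name 'f5-big-iq-https' -Description 'BIG-IQ UI/API from admin range only' `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 200 `
        -SourceAddressPrefix $adminCidr -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 443
    New-AzNetworkSecurityRuleConfig -Name 'f5-big-iq-ssh' -Description 'BIG-IQ SSH from admin range only' `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 300 `
        -SourceAddressPrefix $adminCidr -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 22
    # Explicit deny below the allows so nothing else from the Internet reaches the management NIC.
    New-AzNetworkSecurityRuleConfig -Name 'deny-all-inbound-internet' `
        -Access Deny -Protocol * -Direction Inbound -Priority 4000 `
        -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange *
)

# -Force replaces the rule set created in Step 2 without prompting.
$nsg = New-AzNetworkSecurityGroup -Name $NSGname -ResourceGroupName $ResourceGroupName `
    -Location $location -SecurityRules $rules -Force

function Test-BigIqNsgExposure {
    # Returns one object per inbound Allow rule whose source is open and whose
    # destination port covers 22 or 443 (exact ports or '*'; numeric ranges such as
    # '20-500' are not expanded here).
    param([Parameter(Mandatory)]$NetworkSecurityGroup)
    $mgmtPorts = @('22', '443')
    $open      = @('*', 'Internet', '0.0.0.0/0')
    foreach ($r in $NetworkSecurityGroup.SecurityRules) {
        if ($r.Direction -ne 'Inbound' -or $r.Access -ne 'Allow') { continue }
        $srcOpen  = @($r.SourceAddressPrefix | Where-Object { $open -contains $_ }).Count -gt 0
        $hitsMgmt = @($r.DestinationPortRange | Where-Object { $_ -eq '*' -or $mgmtPorts -contains $_ }).Count -gt 0
        if ($srcOpen -and $hitsMgmt) {
            [pscustomobject]@{
                Rule     = $r.Name
                Priority = $r.Priority
                Source   = ($r.SourceAddressPrefix -join ',')
                Port     = ($r.DestinationPortRange -join ',')
            }
        }
    }
}

$findings = @(Test-BigIqNsgExposure -NetworkSecurityGroup $nsg)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Management ports are reachable from any source; tighten SourceAddressPrefix.'
} else {
    'No inbound Allow rule exposes 22/443 to the Internet.'
}
```

Run Test-BigIqNsgExposure against the Step 2 NSG (Get-AzNetworkSecurityGroup -Name $NSGname -ResourceGroupName $ResourceGroupName) before deciding whether the original rules are acceptable for your environment.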

Step 3 - Provision BIG IQ PRIMARY instance

This script will create your primary BIG-IQ instance as part of the BIG-IQ pair:

# Tested with PowerShell 7.0.0 and Az module 4.7.0 

##Step 1 - Activate your Azure PIM (Privileged Identity Management) role if your subscription requires it


##Step 2 - Log in to Azure
Connect-AzAccount -UseDeviceAuthentication


#Step 3 -  Provide values for the variables
# instance name
$bigiqInstance = 'BIG-IQ-PRIMARY'
             			
#STEP 4 - IDENTIFY YOUR TARGET RESOURCE GROUP
$resourceGroup = '<YOUR BIGIQ RESOURCE GROUP>'
$resourcegroupvnet = '<YOUR VNET RESOURCE GROUP>'
$location = '<YOUR AZURE LOCATION>'		 
#Get VM sizes per location (optional), e.g. to list the B-series SKUs:
#Get-AzVMSize -Location uaenorth | Where-Object {$_.Name -like '*Standard_B*'}
$vmSize = '<SELECT YOUR SKU SIZE>'
$diskSizeGB = 127
                        
# Azure Network Info
$vnetName = 'vnet-uaenorth'
$subnetNic1name = '<SUBNET NAME WHERE THIS NIC WILL BE LOCATED>'
$subnetNic2name = '<SUBNET NAME WHERE THIS NIC WILL BE LOCATED>'
                     
# VM specific info
$ipName = $bigiqInstance + '_Pip'
$nic1Name = $bigiqInstance + '_mgmt'
$nic2Name = $bigiqInstance + '_internal'
                        
$vmName = $bigiqInstance + '-vm'
$computerName = $bigiqInstance

# Username and password for the first-time access account on the VM, used for the initial SSH login in Step 6.
# Azure rejects reserved names such as 'admin' and 'root'; use something like adminUser.
# Prompting with Get-Credential keeps the password out of the script and the shell history.
$cred = Get-Credential

$vnet = Get-AzVirtualNetwork -ResourceGroupName $resourceGroupvnet -Name $vnetName
$pip = New-AzPublicIpAddress -Name $ipName -ResourceGroupName $resourceGroup -Location $location `
-AllocationMethod Static

$subnetNic1 = Get-AzVirtualNetworkSubnetConfig -Name $subnetNic1name -VirtualNetwork $vnet
$subnetNic2 = Get-AzVirtualNetworkSubnetConfig -Name $subnetNic2name -VirtualNetwork $vnet

$nic1 = New-AzNetworkInterface -Name $nic1Name -ResourceGroupName $resourceGroup -Location $location `
-SubnetId $subnetNic1.Id -PublicIpAddressId $pip.Id               
                        
$nic2 = New-AzNetworkInterface -Name $nic2Name -ResourceGroupName $resourceGroup -Location $location `
-SubnetId $subnetNic2.Id
                        
# Start building the VM configuration
$vm = New-AzVMConfig -VMName $vmName -VMSize $vmSize
$vm = Set-AzVMOperatingSystem -VM $vm -Linux -ComputerName $computerName -Credential $cred
$vm = Set-AzVMOSDisk -VM $vm -DiskSizeInGB $diskSizeGB -CreateOption FromImage -Caching ReadWrite
$vm = Set-AzVMSourceImage -VM $vm -PublisherName f5-networks -Offer f5-big-iq -Skus "f5-bigiq-virtual-edition-byol" -Version latest
                                          
# Finish the VM configuration and add the NIC.
$vm = Add-AzVMNetworkInterface -VM $vm -Id $nic1.Id -Primary
$vm = Add-AzVMNetworkInterface -VM $vm -Id $nic2.Id
                                       
##REGISTRATION ON YOUR SUBSCRIPTION
# Set the VM image as source image for the new VM
# Attach the Marketplace purchase plan to the VM configuration
$vm = Set-AzVMPlan -VM $vm -Name f5-bigiq-virtual-edition-byol -Product f5-big-iq -Publisher f5-networks

# Accept the Marketplace terms. I have noticed that the PowerShell cmdlet does not work, so the Azure CLI
# equivalent is used below (the backtick continuation is PowerShell syntax; az must be installed and signed in)
#Get-AzMarketplaceTerms -Publisher "f5-networks" -Product "f5-big-iq" -Name "f5-bigiq-virtual-edition-byol" | Set-AzMarketplaceTerms -Accept

az vm image terms accept `
--publisher f5-networks `
--offer f5-big-iq `
--plan f5-bigiq-virtual-edition-byol


# Create the VM
New-AzVM -VM $vm -ResourceGroupName $resourceGroup -Location $location
                        
# Verify that the VM was created
$vmList = Get-AzVM -ResourceGroupName $resourceGroup
$vmList.Name

Step 4 - Provision BIG IQ SECONDARY instance

This script will create your secondary BIG-IQ instance as part of the BIG-IQ pair:

# Tested with PowerShell 7.0.0 and Az module 4.7.0 

##Step 1 - Activate your Azure PIM (Privileged Identity Management) role if your subscription requires it


##Step 2 - Log in to Azure
# Commented out because the session from the primary deployment is still signed in; uncomment for a fresh session
#Connect-AzAccount -UseDeviceAuthentication


#Step 3 -  Provide values for the variables
# instance name
$bigiqInstance = 'BIG-IQ-SECONDARY'
             			
#STEP 4 - IDENTIFY YOUR TARGET RESOURCE GROUP
$resourceGroup = '<YOUR BIGIQ RESOURCE GROUP>'
$resourcegroupvnet = '<YOUR VNET RESOURCE GROUP>'
$location = '<YOUR AZURE LOCATION>'		 
#Get VM sizes per location (optional), e.g. to list the B-series SKUs:
#Get-AzVMSize -Location uaenorth | Where-Object {$_.Name -like '*Standard_B*'}
$vmSize = '<SELECT YOUR SKU SIZE>'
$diskSizeGB = 127
                        
# Azure Network Info
$vnetName = 'vnet-uaenorth'
$subnetNic1name = '<SUBNET NAME WHERE THIS NIC WILL BE LOCATED>'
$subnetNic2name = '<SUBNET NAME WHERE THIS NIC WILL BE LOCATED>'
                     
# VM specific info
$ipName = $bigiqInstance + '_Pip'
$nic1Name = $bigiqInstance + '_mgmt'
$nic2Name = $bigiqInstance + '_internal'
                        
$vmName = $bigiqInstance + '-vm'
$computerName = $bigiqInstance

# Username and password for the first-time access account on the VM, used for the initial SSH login in Step 6.
# Azure rejects reserved names such as 'admin' and 'root'; use something like adminUser.
# Prompting with Get-Credential keeps the password out of the script and the shell history.
$cred = Get-Credential

$vnet = Get-AzVirtualNetwork -ResourceGroupName $resourceGroupvnet -Name $vnetName
$pip = New-AzPublicIpAddress -Name $ipName -ResourceGroupName $resourceGroup -Location $location `
-AllocationMethod Static

$subnetNic1 = Get-AzVirtualNetworkSubnetConfig -Name $subnetNic1name -VirtualNetwork $vnet
$subnetNic2 = Get-AzVirtualNetworkSubnetConfig -Name $subnetNic2name -VirtualNetwork $vnet

$nic1 = New-AzNetworkInterface -Name $nic1Name -ResourceGroupName $resourceGroup -Location $location `
-SubnetId $subnetNic1.Id -PublicIpAddressId $pip.Id               
                        
$nic2 = New-AzNetworkInterface -Name $nic2Name -ResourceGroupName $resourceGroup -Location $location `
-SubnetId $subnetNic2.Id
                        
# Start building the VM configuration
$vm = New-AzVMConfig -VMName $vmName -VMSize $vmSize
$vm = Set-AzVMOperatingSystem -VM $vm -Linux -ComputerName $computerName -Credential $cred
$vm = Set-AzVMOSDisk -VM $vm -DiskSizeInGB $diskSizeGB -CreateOption FromImage -Caching ReadWrite
$vm = Set-AzVMSourceImage -VM $vm -PublisherName f5-networks -Offer f5-big-iq -Skus "f5-bigiq-virtual-edition-byol" -Version latest
                                          
# Finish the VM configuration and add the NIC.
$vm = Add-AzVMNetworkInterface -VM $vm -Id $nic1.Id -Primary
$vm = Add-AzVMNetworkInterface -VM $vm -Id $nic2.Id
                                       
##REGISTRATION ON YOUR SUBSCRIPTION
# Set the VM image as source image for the new VM
# Attach the Marketplace purchase plan to the VM configuration
$vm = Set-AzVMPlan -VM $vm -Name f5-bigiq-virtual-edition-byol -Product f5-big-iq -Publisher f5-networks

# Accept the Marketplace terms. I have noticed that the PowerShell cmdlet does not work, so the Azure CLI
# equivalent is used below (the backtick continuation is PowerShell syntax; az must be installed and signed in)
#Get-AzMarketplaceTerms -Publisher "f5-networks" -Product "f5-big-iq" -Name "f5-bigiq-virtual-edition-byol" | Set-AzMarketplaceTerms -Accept

az vm image terms accept `
--publisher f5-networks `
--offer f5-big-iq `
--plan f5-bigiq-virtual-edition-byol


# Create the VM
New-AzVM -VM $vm -ResourceGroupName $resourceGroup -Location $location
                        
# Verify that the VM was created
$vmList = Get-AzVM -ResourceGroupName $resourceGroup
$vmList.Name

Step 5 - Attach the Network Security Group

Attach the NSG created in Step 2 to the management NIC (<instance>_mgmt, the one holding the public IP) of each BIG-IQ instance. Until an NSG is associated, nothing filters inbound traffic to those public IPs, so do this before you start using the first-time access credentials in Step 6.
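The page gives no code for this step, so here is an added example (not from the original post) that associates the Step 2 NSG with the management NIC of both instances and re-reads each NIC to confirm the association. It assumes the NSG and the NICs named in Steps 3 and 4 live in the resource group placeholder below; the internal NIC is left untouched.

```powershell
# Added example: attach the NSG to each BIG-IQ management NIC and verify.
# Assumptions: NSG and NICs share the resource group below; NIC names follow Steps 3 and 4.
$resourceGroup = '<YOUR BIGIQ RESOURCE GROUP>'
$NSGname       = 'f5BIGIQ-NSG'
$instances     = @('BIG-IQ-PRIMARY', 'BIG-IQ-SECONDARY')

$nsg = Get-AzNetworkSecurityGroup -Name $NSGname -ResourceGroupName $resourceGroup

function Set-MgmtNicNsg {
    # Associates $NetworkSecurityGroup with <InstanceName>_mgmt and returns a verification record.
    param(
        [Parameter(Mandatory)][string]$InstanceName,
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)]$NetworkSecurityGroup
    )
    $nicName = $InstanceName + '_mgmt'
    $nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $ResourceGroupName
    $nic.NetworkSecurityGroup = $NetworkSecurityGroup
    $nic | Set-AzNetworkInterface | Out-Null

    # Re-read from Azure rather than trusting the local object.
    $check = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $ResourceGroupName
    [pscustomobject]@{
        Nic      = $nicName
        Attached = ($check.NetworkSecurityGroup.Id -eq $NetworkSecurityGroup.Id)
        NsgId    = $check.NetworkSecurityGroup.Id
    }
}

$results = foreach ($i in $instances) {
    Set-MgmtNicNsg -InstanceName $i -ResourceGroupName $resourceGroup -NetworkSecurityGroup $nsg
}
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Attached }) {
    throw 'NSG is not attached to every management NIC; do not proceed to Step 6.'
}
```

If you prefer a single point of control, associate the NSG with the management subnet instead (Set-AzVirtualNetworkSubnetConfig -NetworkSecurityGroup); NIC-level association as shown keeps the internal NIC's subnet unaffected.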

Step 6 - Create your User Accounts

To log in to your BIG-IQ instance from a browser as admin, you must first set the admin password. To log in with root credentials, you must first enable root access and then set a root password.


If you plan to establish a high availability peer for this BIG-IQ VE, both devices must have root access enabled.

Log in over SSH to the public IP of your BIG-IQ VE with the first-time access credentials you supplied to the deployment script:

$ ssh <first-time-access-user>@<public-ip-of-bigiq>

The commands below are entered at the tmsh prompt. If your session lands at a bash prompt instead, type tmsh first to enter the shell.

At the tmsh command prompt, type:
modify auth password admin

The terminal window displays the message changing password for admin, then prompts new password. Enter a strong password and press Enter. The terminal then prompts confirm password; re-enter the new password and press Enter.

At the tmsh command prompt, type:
modify /sys db systemauth.disablerootlogin value false

If no error message is displayed, root access is now enabled. You can confirm this with list /sys db systemauth.disablerootlogin, which should report value "false".

At the tmsh command prompt, type:
modify auth password root

The terminal window displays changing password for root, then prompts new password. Enter a strong password and press Enter, then re-enter it at the confirm password prompt and press Enter.

To ensure that the system retains the password changes, at the tmsh command prompt type:
save sys config
then press Enter.

The admin and root passwords are now set. Repeat this procedure on the secondary instance; both peers need root access enabled before they can be paired.

Step 7 - Browser Login 

Verify that you can log in from a browser at https://<public-ip>/ with the admin username and the new admin password. The VE ships with a self-signed certificate, so expect a browser warning on first connection.

Step 8 - Licensing setup

Before you can use the new BIG-IQ you must license both instances; the HA pair requires the primary and the secondary to be properly licensed.

The last step in the setup and licensing process prompts you to change the admin and root passwords. When you reach that step, do not type in a password. No entry that you provide will be processed successfully. Instead, just click Next to complete the process.

License tab:

Select your license,

Master key tab:

Create a 16-character alphanumeric master key and keep it in a safe place for recovery.

This is a prerequisite for your pair – Both BIG-IQ systems are configured with the same master key.

Password tab:

Specify your Admin password,

System Personality tab:

You will need a license to select the BIG-IQ Central Management option,

Networking tab:

Identify the BIG-IQ instance,

Services tab:

Prerequisite – both BIG-IQ systems must be synchronized to a Network Time Protocol (NTP) server and their clocks synchronized within sixty seconds of each other,

Launch tab:

Step 9 - Pairing BIG-IQ systems for high availability

Before you can configure BIG-IQ® systems for high availability (HA), you must have two licensed BIG-IQ systems, installed with the required system components. For the high-availability pair to synchronize properly, each must be running the same BIG-IQ version, and the clocks on each system must be synchronized within 60 seconds, and remain synchronized. Prior to establishing the pair, examine the NTP settings at the BIG-IQ system level and the current system time value.
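Added example (not from the original post): a pre-pairing check run from the admin workstation over SSH as root, which Step 6 enabled on both peers. It compares UTC epoch time on the two systems (must be within 60 seconds), compares the reported software version and build, and confirms root login is enabled on each. It assumes an OpenSSH client on the workstation, root SSH reachable on the public IP placeholders below with key-based authentication, and that date and tmsh show /sys version are available on BIG-IQ (assumed here, not stated on the page).

```powershell
# Added example: HA readiness check (clock drift, version match, root login) over SSH.
# Assumptions: OpenSSH client present, key-based root SSH to both placeholders, `date` and
# `tmsh show /sys version` available on the BIG-IQ shell.
$primary   = '<PUBLIC IP OF BIG-IQ-PRIMARY>'
$secondary = '<PUBLIC IP OF BIG-IQ-SECONDARY>'

function Invoke-BigIqSsh {
    # Runs one command as root on $Target and returns its trimmed stdout.
    # BatchMode=yes makes a missing key or unknown host key fail instead of hanging on a prompt.
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string]$Command
    )
    $out = & ssh -o BatchMode=yes -o ConnectTimeout=10 "root@$Target" $Command
    if ($LASTEXITCODE -ne 0) { throw "ssh to $Target failed (exit $LASTEXITCODE)" }
    return (($out -join "`n").Trim())
}

function Get-BigIqHaReadiness {
    param(
        [Parameter(Mandatory)][string]$PrimaryHost,
        [Parameter(Mandatory)][string]$SecondaryHost
    )
    # Clock drift: both values are UTC seconds since the epoch, so timezone is irrelevant.
    $tPrimary   = [int64](Invoke-BigIqSsh -Target $PrimaryHost   -Command 'date -u +%s')
    $tSecondary = [int64](Invoke-BigIqSsh -Target $SecondaryHost -Command 'date -u +%s')
    $drift = [math]::Abs($tPrimary - $tSecondary)

    # Version and Build lines; whitespace is normalised before comparing.
    $verCmd = "tmsh show /sys version | grep -E '^ *(Version|Build)'"
    $vPrimary   = (Invoke-BigIqSsh -Target $PrimaryHost   -Command $verCmd) -replace '\s+', ' '
    $vSecondary = (Invoke-BigIqSsh -Target $SecondaryHost -Command $verCmd) -replace '\s+', ' '

    # Root login: the db variable prints as `value "false"` when root access is enabled.
    $rootCmd = 'tmsh list /sys db systemauth.disablerootlogin'
    $rootPrimary   = Invoke-BigIqSsh -Target $PrimaryHost   -Command $rootCmd
    $rootSecondary = Invoke-BigIqSsh -Target $SecondaryHost -Command $rootCmd
    $rootRe = 'value\s+"?false"?'

    [pscustomobject]@{
        ClockDriftSeconds = $drift
        ClockOk           = ($drift -le 60)
        PrimaryVersion    = $vPrimary
        SecondaryVersion  = $vSecondary
        VersionOk         = ($vPrimary -eq $vSecondary)
        RootLoginOk       = (($rootPrimary -match $rootRe) -and ($rootSecondary -match $rootRe))
    }
}

$r = Get-BigIqHaReadiness -PrimaryHost $primary -SecondaryHost $secondary
$r | Format-List
if (-not ($r.ClockOk -and $r.VersionOk -and $r.RootLoginOk)) {
    throw 'Pair is not ready: fix the failing check (NTP, version, or root login) before Step 9.'
}
```

A drift under 60 seconds at pairing time is not enough on its own; the peers must stay synchronized, so also confirm both point at the same NTP servers on the Services tab from Step 8.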

You pair two BIG-IQ systems to create a high availability cluster.

  1. Select the BIG-IQ instance to act as the primary in the HA cluster. The configuration of this system is the one that will be preserved,
  2. Log in to the selected BIG-IQ system using your administrator credentials,
  3. From the BIG-IQ main list > select System,
  4. Hover over the HA Peer Group, click the gear icon and select Add Device,
  5. In the New Device screen, complete the following settings. These settings define the secondary peer in the HA cluster:
    1. In the IP Address field, type the self IP address of the secondary BIG-IQ system.
    2. In the User name field, type the administrative user name.
    3. For Password, type the administrative password.
    4. In the Root Password field, type the root password.
    5. From the Group list, select HA Peer Group.
  6. Click Add.

When you expand the HA Peer Group, you see both nodes of the HA cluster. The localhost node is the system you are on.

Step 10 - Synchronizing your BIG-IQ systems

The BIG-IQ systems in a HA configuration are synchronized automatically every thirty seconds by default. However you can manually synchronize the systems as needed. To do so, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the primary BIG-IQ user interface.
  2. Navigate to System > BIG-IQ HA.
  3. Select BIG-IQ HA Settings.
  4. For File Sync Status, select Sync Files to manually initiate the configuration synchronization from the primary to the secondary system.

Failover options - Manually promoting the secondary BIG-IQ system to be the primary

If your primary BIG-IQ system is experiencing a system issue but still online, you may want to promote the secondary BIG-IQ to fulfil the primary role until the issue is resolved on the primary BIG-IQ instance. To do so, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the primary BIG-IQ system.
  2. Navigate to System > BIG-IQ HA.
  3. Select BIG-IQ HA Settings.
  4. For Secondary Device property, select Promote.
  5. The primary BIG-IQ user interface prompts for a confirmation. Select OK to proceed. Both devices restart their services and log all users out. The secondary BIG-IQ restarts with the last data set it has received from the primary and becomes the primary BIG-IQ system.

Failover options - Resetting the secondary BIG-IQ to be standalone when the primary is unavailable

If the existing primary BIG-IQ system is no longer accessible, you may want to reset the secondary BIG-IQ to be standalone to continue managing the BIG-IP devices until the primary BIG-IQ system is back online. To do so, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the secondary BIG-IQ system.
  2. Navigate to System > BIG-IQ HA.
  3. Select BIG-IQ HA Settings.
  4. Note that the HA Pair State property reports that the primary database on the primary BIG-IQ is down.
  5. For Secondary Device, select Reset to Standalone.
  6. The secondary BIG-IQ user interface prompts for a confirmation. Select OK to proceed. After the primary BIG-IQ system is back online, you may have to remove the secondary BIG-IQ from its configuration and setup the HA configuration again.

Maintenance options - Removing the secondary BIG-IQ system

If you need to remove the secondary BIG-IQ system, for example to re-setup HA configuration after the secondary BIG-IQ was reset to standalone while the primary BIG-IQ was unavailable, you can do so by performing the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the primary BIG-IQ system.
  2. Navigate to System > BIG-IQ HA.
  3. Select Remove Secondary.
  4. When the BIG-IQ user interface prompts for a confirmation, select Remove.

Maintenance options - Splitting a high availability pair

To change or reconfigure peers that are in a BIG-IQ® high availability (HA) pair, you must first delete the HA relationship.

  1. Log in to the primary BIG-IQ system, using administrator credentials.
  2. From the BIG-IQ list, select System.
  3. On the BIG-IQ Systems panel, expand the HA Peer Group.
  4. Hover over the secondary peer and when the gear icon appears, click it and select Properties to open the screen.
  5. In the expanded screen, click Remove.

The pair is now split. Consult the status line at the top of the screen for the status. Both nodes display a status of Standalone.

Maintenance options - Manually synchronizing the BIG-IQ systems

The BIG-IQ® systems in an HA Peer Group are synchronized automatically. If you need the systems to be synchronized immediately, you can manually synchronize the systems and view information about the synchronization using the properties screen of the primary BIG-IQ system. Note that this and the following maintenance procedures come from the BIG-IQ 4.6.0 initial setup guide listed under Reference material; its HA Peer Group screens and minute-based sync interval differ from the BIG-IQ HA screen and thirty-second default described in Step 10, so follow whichever matches the version you deployed.

  1. Log in to the primary BIG-IQ system, using administrator credentials.
  2. From the BIG-IQ main list, select System.
  3. On the BIG-IQ Systems panel, expand the HA Peer Group.
  4. Hover over the primary BIG-IQ system and when the gear icon appears, click it and select Properties to open the screen.
  5. In the expanded screen, on the Properties tab, review the information in the HA Sync Interval setting.
    • The number displayed at the top field of this setting is the number of minutes to wait before synchronizing the BIG-IQ systems. By default, this number is 10, but it can be any whole number from 5 to 60.
    • Next displays the time the BIG-IQ systems will next be synchronized.
    • The area below the Next line lists whether the synchronization succeeded or failed. If it succeeded, the time when the synchronization occurred is listed. If it failed, an error message is listed.
  6. Click Sync Now to cause the BIG-IQ systems to be synchronized immediately.

The configuration of the primary BIG-IQ system is copied to the secondary BIG-IQ system. You do not see these changes on the secondary system until that system is promoted to being the primary system, or until the secondary system is updated and restarted using the Restart with Last Update from Primary option available on the secondary BIG-IQ system.

Maintenance options - Changing how often BIG-IQ systems are synchronized

The BIG-IQ® systems in an HA Peer Group are synchronized automatically at a regular interval. If you need to lengthen or shorten the synchronization interval, you can change it using the properties screen of the primary BIG-IQ system.

  1. Log in to the primary BIG-IQ system, using administrator credentials.
  2. From the BIG-IQ main list, select System.
  3. On the BIG-IQ Systems panel header, expand the HA Peer Group.
  4. Hover over the primary BIG-IQ system, in this case labeled as localhost, and when the gear icon appears, click it and select Properties to open the screen.
  5. In the screen on the Properties tab, in the HA Sync Interval settings, review the number displayed, and change it if needed.This value is the number of minutes to wait before synchronizing the BIG-IQ systems. You can change this value to a whole number from 5 to 60.
  6. Click Save to save your changes.

Maintenance options - Updating the secondary BIG-IQ system with changes from the primary

Because configuration changes from the primary BIG-IQ® system are not automatically used to update the configuration of the secondary BIG-IQ system, you may want to periodically update the configuration of the secondary BIG-IQ system manually.

  1. Log in to the secondary BIG-IQ system, using administrator credentials.
  2. From the BIG-IQ main list, select System.
  3. On the BIG-IQ Systems panel, expand HA Peer Group.
  4. Hover over the secondary BIG-IQ system, in this case, localhost, and when the gear icon appears, click it and select Properties to open the screen.
  5. In the expanded screen on the Properties tab, in the Actions on this Device setting, click Restart with Last Update from Primary.

The secondary system applies the last set of configuration changes it received from the primary system, and then restarts.

Reference material

https://techdocs.f5.com/en-us/bigiq-7-1-0/big-iq-centralized-management-and-msft-azure-setup/deploying-big-iq-virtual-edition.html#GUID-D577B148-365F-41A8-B1CC-0AAA282FCF00

https://my.f5.com/manage/s/article/K36398804#proc1

https://my.f5.com/manage/s/article/K36398804

https://techdocs.f5.com/kb/en-us/products/big-iq-centralized-mgmt/manuals/product/bigiq-central-mgmt-initial-setup-4-6-0/7.html
