F5 Networks provides an Application Delivery Networking platform that works with the Oracle Cloud Infrastructure. BIG-IP VE is a security services platform designed for delivering speed, availability, and security for business-critical applications and networks. F5 and Oracle together help you rapidly deploy application services securely.
In this three-part blog series, we will discuss the steps needed to deploy and configure a single F5 BIG-IP VE on the OCI Cloud. A future blog post will cover the deployment of High Availability using two BIG-IP VE instances in a cluster.
This blog series will consist of 3 parts:
Part 1 - Preparing the OCI Environment for an F5 BIG-IP VE deployment
Part 2 - Deploying a BIG-IP VE Instance in OCI
Part 3 - Configuring and testing the BIG-IP Instance
We will use the following topology as a reference for this deployment. The diagram shows a multi-NIC deployment of a BIG-IP VE instance, configured with a Management IP for management of the BIG-IP instance, a Virtual server IP address on the External subnet for publishing an application and accepting traffic, along with the various interface Self-IP addresses for each subnet on the BIG-IP VE. Traffic flows from clients through the BIG-IP VE to the backend servers.
This deployment shows four subnets:
All subnets, IP addresses, and VNICs are created on the OCI portal first. When the BIG-IP VE is deployed, you then create the corresponding objects for the same IP addresses on the various VNICs and subnets in the BIG-IP VE configuration. Self IPs on the F5 will correspond to the IP addresses allocated to the VNICs when creating the F5 instance.
Based on the topology diagram, the following IP addressing schema will be used -
To create a multi-NIC setup, you must first create a VCN in OCI where all your subnets and F5 Compute instance will reside.
Here is a summary of the steps to follow:
Log in to your OCI tenancy. From the hamburger menu at the top left, click Identity and Security, and then click Compartments. Create a compartment for the resources that will be used as part of this setup.
If you plan to use an existing VCN, use that; otherwise, create a new VCN by navigating to the Networking section and then clicking Virtual Cloud Networks. Create a VCN by providing it with a name and a CIDR block. You can leave all other settings at their defaults.
Once the VCN is created, click on the VCN and then click Subnets in the left menu. Create four subnets as shown in the topology diagram. It is a best practice to use Regional subnets rather than AD-specific subnets. Create Public and Private subnets as shown below.
Under the Networking section, click on Virtual Cloud Networks and then click on the VCN you created. From the left menu, click Internet Gateways. Type a Name for the Internet Gateway and click Internet Gateway.
Under the Networking section, click on Virtual Cloud Networks and then click on the VCN you created. From the left menu, click Route Tables. Click the Default Route table for the VCN you created and add a Route rule. The route rule consists of a 0.0.0.0/0 CIDR block with the target as the Internet Gateway you created in the preceding step.
You can create individual security lists for each subnet to be more specific. However, as this is a basic setup, you can configure the Default Security List, which will be used for all subnets in the VCN. Under the Networking section, click on Virtual Cloud Networks and then click on the VCN you created. From the left menu, click Security Lists. Click on the Default Security List for the VCN you created and add Ingress rules. The ingress rules in this example allow HTTPS, ICMP, and other BIG-IP HA related traffic through the lists. Leave the egress rules at their default, which permits all outgoing traffic. In a production network, you would tighten the security rules to allow only what is essential and use subnet-specific Security Lists.
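Because the Default Security List here applies to every subnet, including Management, it is worth checking which ingress rules are open to any source before moving on. The script below is an added example, not part of the original post: it assumes the kebab-case rule shape printed by `oci network security-list get`, and an assumed policy in which only TCP 443 may be reachable from 0.0.0.0/0; the sample rules are constructed.

```python
import ipaddress

# Assumed policy (not from the original post): only TCP 443, the published
# virtual server, may be reachable from every source address.
WORLD_OK = {("6", 443)}  # (protocol number as string, destination port)

def is_world(cidr):
    """True when the CIDR covers the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit_ingress(rules):
    """Return (source, protocol, ports) for world-open rules outside WORLD_OK."""
    findings = []
    for r in rules:
        if r.get("source-type", "CIDR_BLOCK") != "CIDR_BLOCK" or not is_world(r["source"]):
            continue  # service sources and scoped CIDRs are not reported here
        proto = r["protocol"]
        if proto == "1" and r.get("icmp-options"):
            continue  # ICMP limited to one type/code is treated as scoped
        opts = r.get("tcp-options") or r.get("udp-options") or {}
        rng = opts.get("destination-port-range")
        if rng:
            lo, hi = rng["min"], rng["max"]
            if all((proto, p) in WORLD_OK for p in range(lo, hi + 1)):
                continue
            ports = f"{lo}-{hi}"
        else:
            ports = "all"  # no port range: every port, or a portless protocol
        findings.append((r["source"], proto, ports))
    return findings

# Constructed sample in the "ingress-security-rules" shape; values are illustrative.
SAMPLE_RULES = [
    {"source": "0.0.0.0/0", "protocol": "6",
     "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}},
    {"source": "0.0.0.0/0", "protocol": "6",
     "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
    {"source": "0.0.0.0/0", "protocol": "17",  # BIG-IP network failover port
     "udp-options": {"destination-port-range": {"min": 1026, "max": 1026}}},
    {"source": "10.0.0.0/16", "protocol": "6",
     "tcp-options": {"destination-port-range": {"min": 8443, "max": 8443}}},
    {"source": "0.0.0.0/0", "protocol": "1",
     "icmp-options": {"type": 3, "code": 4}},
    {"source": "0.0.0.0/0", "protocol": "all"},
]

if __name__ == "__main__":
    for source, proto, ports in audit_ingress(SAMPLE_RULES):
        print(f"world-open ingress: proto={proto} ports={ports} from {source}")
```

Each reported rule is a candidate for a narrower source CIDR or for moving into a subnet-specific Security List.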
In this post, we walked through the steps needed to prepare the OCI environment for deploying a multi-NIC BIG-IP VE. IP address planning, subnets, and naming nomenclature are a key part of this step. Part 2 of this series will detail the steps to deploy the F5 BIG-IP VE instance, followed later by the configuration and testing.