Copyright IBM Corporation 2018 Page 1 of 11
F5 BIG–IP on IBM Cloud
Solution Architecture
Date: 2018-02-22
Table of Contents
1 Introduction
1.1 About F5 BIG–IP Virtual Edition
1.2 Background
1.3 Key Benefits
2 Design
2.1 Overview
2.2 F5 BIG–IP Virtual Edition Deployment
  Virtual machine configuration
  Network configuration
  VMware DRS
  Caveats
Appendix A—License Requirements
Appendix B—Reference
List of Figures
Figure 1 VMware Cloud Foundation on IBM Cloud
Figure 2 F5 BIG–IP on IBM Cloud High Level Components
Figure 3 Overview of a BIG–IP virtual edition networking configuration
List of Tables
Table 1 F5 BIG–IP sizing model
Table 2 F5 BIG–IP virtual machine summary
Summary of Changes
This section records the history of significant changes to this document. Only the most significant changes
are described here.
Version: 1.0
Date: 2018-02-22
Authors: Jack Benney, Frank Chodacki, Daniel De Araujo, Bob Kellenberger, Simon Kofkin-Hansen, Scott Moonen, Dan Mullen, Jim Robbins
Description of Change: Initial Release
1 Introduction
1.1 About F5 BIG–IP Virtual Edition
The purpose of this document is to define and describe the F5 BIG–IP architecture for the vCenter Server
and VMware Cloud Foundation offerings deployed in the IBM Cloud. Specifically, it will detail the
components of the solution and high–level configuration of each component in the design. This solution is
considered to be an additional component and extension of both the vCenter Server solution offering and
the VMware Cloud Foundation solution offering on IBM Cloud. As a result, this document will not cover
the existing configuration of the foundation solutions on IBM Cloud. Therefore, it is highly recommended
to review and understand the VMware on IBM Cloud solution architecture located on the IBM Architecture
Center before reading this document.
Figure 1 VMware Cloud Foundation on IBM Cloud
1.2 Background
IBM Cloud clients who make use of physical network traffic management and load optimization appliances
for their on–premises environments may be interested in an equivalent virtualized solution for their
VMware environments in the IBM Cloud. IBM Cloud offers F5 BIG–IP Virtual Edition, which includes the
F5 Local Traffic Manager (LTM) feature set. The F5 LTM provides both static and dynamic load balancing
along with application-layer proxies that prioritize traffic. All capability is deployed in a redundant
configuration to prevent a single point of failure in the network layer.
1.3 Key Benefits
Several licensing options are available for F5 BIG–IP Virtual Edition on IBM Cloud. The Good licensing
tier offers the following capabilities:
• Local Traffic Manager (LTM) for L4–L7 load balancing and traffic management
The Better licensing tier adds the following BIG–IP capabilities:
• DNS
• Advanced Firewall Manager (AFM) for advanced firewall services
• Application Acceleration Manager (AAM) for application performance optimization
The Best licensing tier adds the following BIG–IP capabilities:
• Application Security Manager (ASM), for L7 security
• Access Policy Manager (APM), for simplified application access including SSO and MFA
2 Design
2.1 Overview
The F5 BIG–IP Virtual Edition solution complements the IBM Cloud for VMware Solutions offerings by
providing application availability, access control, and security services. These services are provided by one
or more pairs of F5 BIG–IP Virtual Edition virtual machines deployed to your VMware on IBM Cloud
cluster.
Figure 2 F5 BIG–IP on IBM Cloud High Level Components
2.2 F5 BIG–IP Virtual Edition Deployment
BIG–IP Local Traffic Manager (LTM) does not replace NSX but rather complements and enhances the
existing NSX architecture. BIG–IP can be installed into either VMware Cloud Foundation (VCF) or
vCenter Server (VCS) instances on IBM Cloud. In both scenarios, BIG–IP VE will be deployed with two
virtual network interfaces (vNIC) in the client’s data plane. However, LTM can manage all NSX–aware
network segments if the proper routing has been configured. An additional vNIC is configured in the
management plane and a fourth and final vNIC is configured in the control plane for high availability.
Figure 3 shows an overview of one possible instantiation of this architecture.
Figure 3 Overview of a BIG–IP virtual edition networking configuration
In this figure, the Internal and External network segments represent public and private segments in the
client’s data plane. This instance has been configured to use a logical switch (VXLAN) for both of the
BIG–IP data interfaces.
Virtual machine configuration
The F5 BIG–IP offering is deployed as a pair of virtual machines within your primary vSphere cluster to
enable a high availability configuration.
The configuration of the appliances follows a small, medium or large template, and depends on the chosen
licensing model and licensed bandwidth. Table 1 shows the template used for each license option and
throughput:
Throughput   Good Configuration   Better Configuration   Best Configuration
≤ 1 Gbps     Small                Medium                 Large
≥ 3 Gbps     Large                Large                  Large
Table 1 F5 BIG–IP sizing model
Depending on the template, the appliances are deployed with the configuration shown in Table 2:
Attribute           Small Template   Medium Template   Large Template
CPU                 2 vCPU           4 vCPU            8 vCPU
RAM                 4 GB             8 GB              16 GB
High availability   Two appliances deployed to enable high availability (all templates)
Disk usage          Two disks totaling 149 GB on the cluster’s management datastore: one of 20 GB and one of 129 GB (all templates)
Disk backing        Management datastore: vSAN or IBM Cloud Endurance, as applicable (all templates)
Table 2 F5 BIG–IP virtual machine summary
Although two virtual machines are deployed, BIG–IP clustering is not preconfigured by the IBM Cloud
automation. This is because aspects of the clustering configuration, such as TLS certificates, are not known
at the time of deployment. After the F5 BIG–IP machines have been deployed, you must log in to them and
configure certificates, interfaces and addresses, and clustering. For details, see the developerWorks
recipe Working with F5 Networks BIG–IP in IBM Cloud for VMware (listed in Appendix B).
Network configuration
The BIG–IP virtual machines are deployed with four network interfaces, configured as follows:
BIG–IP Interface   Configuration
1.0 [Management]   Attached to the Private A VLAN using SDDC-DPortGroup-Mgmt, with IP addresses assigned by IBM Cloud automation from the management subnet
1.1 [Internal]     If the instance is VCS and the sample Workload logical switch is present, attached to that switch. Otherwise (the instance is VCF, or the sample Workload switch is absent), attached to a dynamically created port group on the Private A VLAN using SDDC-Dswitch-Private. In all cases, IP addresses are unassigned and the link is initially inactive
1.2 [External]     Attached to the Public VLAN using SDDC-DPortGroup-External, but IP addresses are unassigned and the link is initially inactive
1.3 [HA]           Attached to a new logical switch named after the F5 BIG–IP service instance name given at the time of deployment; e.g., ltm1-BigIPHA
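The post-deployment work the two passages above leave to the operator (certificates, interfaces and addresses, and clustering, laid onto the vNIC roles in the table) can be scripted as a small generator of tmsh commands that also enforces the deployment's constraints: the management interface is never touched, a standalone (single-device) plan is rejected, and both devices must sit in one subnet per VLAN so config sync and failover can work. This is an added example, not code from the IBM Cloud automation, from F5 or from the developerWorks recipe; the host names, addresses, certificate paths, device-group name and the reading of the tmsh syntax are assumptions of this example and should be checked against the tmsh reference for your BIG-IP release.

```python
"""Emit the tmsh commands that complete a freshly deployed BIG-IP VE pair on
IBM Cloud: data-plane VLANs and self IPs, an uploaded TLS certificate, and the
device trust plus sync-failover device group that make the two appliances a
cluster. The IBM Cloud automation leaves all of this to the operator.

Host names, addresses and file paths are constructed placeholders. The tmsh
syntax is this example's reading of the F5 documentation (an assumption).
"""
from dataclasses import dataclass
from ipaddress import ip_interface

MANAGEMENT_INTERFACE = "1.0"  # preconfigured with an address by IBM Cloud: never touched here
DATA_INTERFACES = {"1.1": "internal", "1.2": "external"}  # inactive and unaddressed at deployment
HA_INTERFACE = "1.3"          # vNIC stays on the dedicated HA switch; only a VLAN/self IP is layered on it


@dataclass(frozen=True)
class Appliance:
    name: str           # BIG-IP device name; assumed to already match 'tmsh list cm device'
    internal_self: str  # self IP on VLAN internal, from a subnet you ordered
    external_self: str  # self IP on VLAN external, from a subnet you ordered
    ha_self: str        # self IP on the dedicated HA logical switch


@dataclass(frozen=True)
class Plan:
    local: Appliance
    peer: Appliance
    device_group: str = "ltm-failover"
    cert_name: str = "app-cert"           # placeholder certificate object name
    cert_file: str = "/var/tmp/app.crt"   # placeholder paths of PEM files copied to the appliance
    key_file: str = "/var/tmp/app.key"


def _self_ips(dev: Appliance):
    return (("internal", dev.internal_self), ("external", dev.external_self), ("ha", dev.ha_self))


def validate(plan: Plan) -> list[str]:
    """Return the ways a plan violates the deployment's constraints (empty if none)."""
    problems = []
    if plan.local.name == plan.peer.name:
        problems.append("standalone deployment is not supported: two distinct devices are required")
    subnets = {}
    for dev in (plan.local, plan.peer):
        for vlan, addr in _self_ips(dev):
            try:
                subnets.setdefault(vlan, set()).add(ip_interface(addr).network)
            except ValueError:
                problems.append(f"{dev.name}: {vlan} self IP {addr!r} is not a valid address/prefix")
    # Config sync, failover and floating addresses need both devices on one subnet per VLAN.
    for vlan, nets in subnets.items():
        if len(nets) > 1:
            problems.append(f"{vlan} self IPs of the two devices fall in different subnets: {sorted(map(str, nets))}")
    return problems


def tmsh_commands(plan: Plan, initiates_cluster: bool = True) -> list[str]:
    """Commands to run on plan.local. Run with local/peer swapped and
    initiates_cluster=False on the peer: trust and the device group are created once."""
    problems = validate(plan)
    if problems:
        raise ValueError("; ".join(problems))
    me, peer = plan.local, plan.peer
    ha_ip = str(ip_interface(me.ha_self).ip)
    peer_ha_ip = str(ip_interface(peer.ha_self).ip)
    cmds = [
        # VLANs on the vNICs the table above assigns to the internal, external and HA planes
        f"tmsh create net vlan internal interfaces add {{ 1.1 }}",
        f"tmsh create net vlan external interfaces add {{ 1.2 }}",
        f"tmsh create net vlan ha interfaces add {{ {HA_INTERFACE} }}",
        # Non-floating self IPs; data-plane self IPs expose no management services
        f"tmsh create net self internal-self address {me.internal_self} vlan internal allow-service none",
        f"tmsh create net self external-self address {me.external_self} vlan external allow-service none",
        # The HA self IP must accept the config-sync and failover services ('default' port lockdown)
        f"tmsh create net self ha-self address {me.ha_self} vlan ha allow-service default",
        # TLS certificate and key copied to the appliance beforehand (e.g. with scp)
        f"tmsh install sys crypto cert {plan.cert_name} from-local-file {plan.cert_file}",
        f"tmsh install sys crypto key {plan.cert_name} from-local-file {plan.key_file}",
        # Config-sync, mirroring and unicast failover addresses on the HA VLAN (needed on both devices)
        f"tmsh modify cm device {me.name} configsync-ip {ha_ip} mirror-ip {ha_ip} "
        f"unicast-address {{ {{ ip {ha_ip} port 1026 }} }}",
    ]
    if initiates_cluster:
        cmds += [
            # Type the peer's admin password when prompted; never bake it into a script or shell history
            f"tmsh modify cm trust-domain Root ca-devices add {{ {peer_ha_ip} }} name {peer.name} "
            "username admin password <peer-admin-password>",
            f"tmsh create cm device-group {plan.device_group} devices add {{ {me.name} {peer.name} }} "
            "type sync-failover auto-sync enabled",
            f"tmsh run cm config-sync to-group {plan.device_group}",
        ]
    cmds.append("tmsh save sys config")
    # Guardrail from the document: the management interface is never re-assigned or re-configured.
    assert not any(f" {MANAGEMENT_INTERFACE} " in c for c in cmds)
    return cmds


# Constructed example plan (addresses from documentation ranges, not a real deployment)
EXAMPLE_PLAN = Plan(
    local=Appliance("bigip-a.example.com", "10.10.1.11/24", "203.0.113.11/28", "192.168.250.11/24"),
    peer=Appliance("bigip-b.example.com", "10.10.1.12/24", "203.0.113.12/28", "192.168.250.12/24"),
)

if __name__ == "__main__":
    print("\n".join(tmsh_commands(EXAMPLE_PLAN)))
```

The generator intentionally emits commands for one device at a time: the VLAN, self-IP, certificate and configsync-ip steps run on both appliances, while device trust and the sync-failover group are established once and then synced to the group.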
Management Interface
The BIG–IP management interface is preconfigured and ready to access immediately after deployment.
You should not re–assign or re–configure the management interface.
A firewall rule and source NAT rule are created on the management NSX Edge Services Gateway (ESG) to
allow the device to connect to the public network using http and https only. This is to allow license
management and it is not recommended to change these rules as it could lead to the license being
deactivated.
Data Network Interfaces
There are two vNICs defined for the BIG–IP data plane. These correspond to the BIG–IP Internal and
External interfaces. Depending on your network topology design, the external, or “north-south” interface
might be connected to any of the following networks:
• Public network
o Direct connection to public network
o Indirect connection protected by NSX Edge Services Gateway (ESG)
o Indirect connection protected by FortiGate security appliance using routing
o Indirect connection protected by FortiGate virtual appliance
• IBM Cloud private network
• NSX logical switch (VXLAN)
The external interface is initially attached to the external port group and switch, but may be reconfigured
after deployment.
The internal interface is intended for connection to your VMware workload. Depending on your network
topology design it might be connected to any of the following networks:
• Connection to IBM Cloud private network
• Connection to NSX logical switch (VXLAN)
The internal interface is initially attached to either the sample Workload logical switch (if the instance is
VCS and the sample switch is present), or else a dynamically created port group on the IBM Cloud private
network. In any case, you may reconfigure it after deployment according to your requirements.
Since the appliance traffic management networks are not initially configured, both the external and internal
interfaces are left inactive and no IP address is assigned. If you plan to use either the IBM Cloud public
VLAN or private VLAN for either interface, you must order your own subnets from the IBM Cloud portal
for use with the BIG–IP virtual appliances.
High Availability Interface
The high availability interface is pre–configured on a dedicated logical switch (VXLAN). You should not
re–assign or re–configure the HA interface, or reuse the logical switch for any other purpose. Note that
BIG–IP allows for standalone deployments, but IBM Cloud does not support this configuration.
VMware DRS and reservations
Because it provides time–sensitive networking services, BIG–IP should be configured to ensure that it has
adequate resources. The IBM Cloud automation configures a reservation to ensure that the virtual
appliances receive their full allotment of CPU and memory.
In order to assure high availability, the IBM Cloud automation creates a DRS anti–affinity rule to restrict
the two BIG–IP virtual machines from running on the same host.
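The guardrails stated in the Management Interface, High Availability Interface and VMware DRS sections (management ESG rule limited to http and https, HA logical switch not reused, no standalone deployment, an anti-affinity rule for the pair, full CPU and memory reservations) are the kind of settings that drift after hand edits, so a periodic check is worth having. Below is an added example of such a drift check, not IBM Cloud, NSX or F5 code; the inventory layout in SNAPSHOT, the VM names, addresses and the three deviations planted in it are constructed for this example.

```python
"""Drift check for a deployed BIG-IP VE pair against the guardrails this
document states: exactly two appliances, management and HA vNICs left as
deployed, the HA logical switch used by nothing else, an enabled DRS
anti-affinity rule keeping the pair on different hosts, full CPU and memory
reservations, and a management ESG that lets the appliances reach the public
network on http and https only (what license activation needs).

SNAPSHOT is a constructed, simplified inventory; its field layout, VM names
and addresses are this example's assumptions, not an IBM Cloud or NSX API.
"""
from copy import deepcopy

MGMT_PORTGROUP = "SDDC-DPortGroup-Mgmt"
LICENSE_SERVICES = {"tcp/80", "tcp/443"}   # the only outbound services the ESG should permit

SNAPSHOT = {
    "appliances": ["ltm1-bigip-a", "ltm1-bigip-b"],
    "ha_switch": "ltm1-BigIPHA",
    "vnics": {
        "ltm1-bigip-a": {"1.0": MGMT_PORTGROUP, "1.1": "Workload", "1.2": "SDDC-DPortGroup-External", "1.3": "ltm1-BigIPHA"},
        "ltm1-bigip-b": {"1.0": MGMT_PORTGROUP, "1.1": "Workload", "1.2": "SDDC-DPortGroup-External", "1.3": "ltm1-BigIPHA"},
    },
    # Deviation 1 (constructed): a jump host was attached to the dedicated HA switch.
    "switch_members": {"ltm1-BigIPHA": ["ltm1-bigip-a", "ltm1-bigip-b", "jumpbox-01"]},
    "drs_rules": [{"name": "ltm1-anti-affinity", "type": "anti-affinity", "enabled": True,
                   "vms": ["ltm1-bigip-a", "ltm1-bigip-b"]}],
    "resources": {
        "ltm1-bigip-a": {"cpu_mhz": 4000, "cpu_reserved_mhz": 4000, "mem_mb": 8192, "mem_reserved_mb": 8192},
        # Deviation 2 (constructed): the memory reservation of the second appliance was lowered.
        "ltm1-bigip-b": {"cpu_mhz": 4000, "cpu_reserved_mhz": 4000, "mem_mb": 8192, "mem_reserved_mb": 4096},
    },
    "mgmt_ip": {"ltm1-bigip-a": "10.200.0.11", "ltm1-bigip-b": "10.200.0.12"},
    # Deviation 3 (constructed): the license rule for the second appliance was widened to include ssh.
    "esg_mgmt_rules": [
        {"source": "10.200.0.11", "destination": "any", "services": ["tcp/80", "tcp/443"], "action": "accept"},
        {"source": "10.200.0.12", "destination": "any", "services": ["tcp/80", "tcp/443", "tcp/22"], "action": "accept"},
    ],
}


def check_deployment(snap: dict) -> list[str]:
    """Return one finding per guardrail violated; an empty list means compliant."""
    findings = []
    vms = list(snap["appliances"])
    if len(vms) != 2:
        findings.append(f"expected a BIG-IP pair, found {len(vms)} appliance(s); standalone is unsupported")
    ha_switch = snap["ha_switch"]
    for vm in vms:
        vnics = snap["vnics"].get(vm, {})
        if vnics.get("1.0") != MGMT_PORTGROUP:
            findings.append(f"{vm}: management vNIC 1.0 is no longer on {MGMT_PORTGROUP}")
        if vnics.get("1.3") != ha_switch:
            findings.append(f"{vm}: HA vNIC 1.3 is not on the dedicated switch {ha_switch}")
    # The HA switch must carry nothing but the two appliances.
    others = set(snap["switch_members"].get(ha_switch, [])) - set(vms)
    if others:
        findings.append(f"HA switch {ha_switch} is reused by: {', '.join(sorted(others))}")
    # An enabled anti-affinity rule must cover both VMs, or a host failure can take down the pair.
    if not any(r["type"] == "anti-affinity" and r["enabled"] and set(vms) <= set(r["vms"])
               for r in snap["drs_rules"]):
        findings.append("no enabled DRS anti-affinity rule covers both appliances")
    # Reservations must equal the configured allotment (time-sensitive networking service).
    for vm in vms:
        r = snap["resources"][vm]
        if r["cpu_reserved_mhz"] < r["cpu_mhz"] or r["mem_reserved_mb"] < r["mem_mb"]:
            findings.append(f"{vm}: CPU/memory reservation below the configured allotment")
    # Management ESG: each appliance needs http and https out, and nothing more.
    for vm in vms:
        ip = snap["mgmt_ip"][vm]
        allowed = set()
        for rule in snap["esg_mgmt_rules"]:
            if rule["action"] == "accept" and rule["source"] == ip:
                allowed |= set(rule["services"])
        if not LICENSE_SERVICES <= allowed:
            findings.append(f"{vm}: ESG does not permit http and https from {ip}; license activation will fail")
        extra = allowed - LICENSE_SERVICES
        if extra:
            findings.append(f"{vm}: ESG permits more than http/https from {ip}: {', '.join(sorted(extra))}")
    return findings


def remediated(snap: dict) -> dict:
    """A copy of the snapshot with the three constructed deviations reverted, for comparison."""
    fixed = deepcopy(snap)
    fixed["switch_members"][fixed["ha_switch"]] = list(fixed["appliances"])
    for r in fixed["resources"].values():
        r["cpu_reserved_mhz"], r["mem_reserved_mb"] = r["cpu_mhz"], r["mem_mb"]
    for rule in fixed["esg_mgmt_rules"]:
        rule["services"] = sorted(set(rule["services"]) & LICENSE_SERVICES)
    return fixed


if __name__ == "__main__":
    for finding in check_deployment(SNAPSHOT):
        print("FINDING:", finding)
    print("after remediation:", check_deployment(remediated(SNAPSHOT)) or "compliant")
```

In practice the snapshot would be filled from vCenter (vNIC port groups, DRS rules, resource allocation) and from the NSX Edge firewall configuration; the check itself stays the same, and a non-empty result is what to alert on.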
Caveats
It is not possible to change the licensing tier or licensed throughput of your BIG–IP deployment once it has
been deployed. In order to achieve this, you must deploy a new instance of F5 BIG–IP, migrate your
configuration to the new instance, and delete the original instance.
F5 BIG–IP limits the appliance throughput based on your chosen maximum bandwidth. Because network
performance is affected by many factors, not all configurations and topologies may be able to achieve your
chosen maximum bandwidth.
Appendix A—License Requirements
This architecture requires BIG–IP licensing from F5. IBM Cloud automation provisions the F5 BIG–IP
license based on your chosen license tier and throughput. Your IBM Cloud monthly bill will reflect your
order and ongoing usage of F5 BIG-IP Virtual Edition.
The BIG–IP virtual machines require outbound connectivity to F5 licensing servers to activate and
maintain their license. This connectivity is preconfigured as described in section 2.2.2.1 and should not be
re–configured.
Appendix B—Reference
Additional information about IBM Cloud and F5 BIG–IP on IBM Cloud can be found at the following
sites:
• IBM Cloud Architecture Center for Virtualization:
https://www.ibm.com/cloud/garage/content/architecture/virtualizationArchitecture/
• Working with F5 Networks BIG–IP in IBM Cloud for VMware:
https://developer.ibm.com/recipes/tutorials/working-with-f5-networks-bigip-in-ibm-cloud-for-vmware/
• F5 introduction to iRules: https://devcentral.f5.com/articles/sid/6955