Comments on Ramblings: Deploying F5 BIG IP HA Active/Passive (Active/Standby) on AWS EC2 / VPC
Akash Bhunchal, feed updated 2024-03-15T22:09:04.759-07:00

Anonymous, 2016-07-16T21:04:20.784-07:00

Thanks, that helps. I was thinking on the same lines, just wanted to confirm if these are the valid options or am I missing something.

Appreciate your reply.

Akash Bhunchal, 2016-07-16T10:29:55.309-07:00

I run a Windows box in my VPC which is open to the public, and from that I access the private IP of my F5 management console. Or, if you want, you can extend your VPC to integrate with your office network with AWS VPN and access that private IP from within your office network.

Anonymous, 2016-07-16T09:45:07.412-07:00

How can we implement F5 in the management AWS console, as the management console shouldn't have an internet connection, wherein my F5 needs access to the Internet?

Akash Bhunchal, 2015-10-21T10:22:07.259-07:00

The biggest problem with ELB is that it does not have a fixed public IP (EIP), although I read somewhere that AWS is coming up with it.

Most people use a single instance of F5 for traffic routing as well as load balancing. The same instance may be used by the Couchbase cluster as well as the web tier.

Anything which requires an IP for communication creates a problem with ELB. Also, you cannot make use of the GTM of F5 if you put a proxy in between. One of our customers uses GTM for region-level failover.

In short, if ELB works for you with F5 then go ahead. In my case the load balancing and proxy requirements didn't allow me to use ELB anywhere in my setup :(

Anonymous, 2015-10-21T09:23:10.598-07:00

Hi Guys,

Great article and great discussion here ... I am just going through the process of using F5s in AWS.

Basically, inside AWS having 2 F5s in a single AZ is pointless, as an AZ is just a datacenter and if you lose this you are stuck ... How about adding a transparent ELB in front of two F5s and running them in ACTIVE-ACTIVE mode?

Akash Bhunchal, 2015-05-13T20:40:10.186-07:00

Hi Crippa,

EIPs are flexible but AWS never changes/removes/withdraws EIPs without your consent. Once an EIP is blocked by you, it will stay in your account forever until you surrender it (which you would not). The same follows for the FQDN associated with an EIP (whichever machine has the new EIP, the FQDN points to that). You control which machine in your cloud this EIP can be associated with.

An EIP is different from the public DNS (and IP) which AWS assigns when you launch a machine with that setting selected. Now this is something which may/will change when you STOP/START the server, and you may lose the IP/DNS. So for all critical services always make use of an EIP and NOT the AWS-assigned public DNS.

I hope I answered your question.

Anonymous, 2015-05-13T13:21:04.935-07:00

Hi Akash
I need a clarification. You say:
"You just need to replace the name servers of your domain with IPs of both the GTM servers (their GTM modules)"
But inside AWS, the IPs of both GTMs are EIPs, ... and what happens if AWS moves the GTM, for any reason? Name servers refer to IPs that don't exist any more.
AWS gives me objects that are always the same in terms of id000x for an instance and FQDN ... but EIPs are an association, and can change ... giving a problem at name server resolution.
For the above reason we are thinking of external GTM boxes, not inside AWS.
What do you think?
I'm not so expert with AWS ... so I appreciate it if you can help me on that clarification request.
Regards,
Gianluigi.

Akash Bhunchal, 2015-05-12T20:02:51.279-07:00

Hi Gianluigi,

You can always use GTM with a health check for simulating the same. I hope you are running these two servers in ACTIVE-ACTIVE mode so that the config is always in sync. https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-2-0/3.html

Also, you can run GTM (module) on these boxes themselves and do not need to set up a separate box for the same. The GTM modules of both these boxes communicate among themselves and share their load/usage status. You just need to replace the name servers of your domain with the IPs of both the GTM servers (their GTM modules). GTM works as your DNS nameserver in this case.

Anonymous, 2015-05-12T13:41:06.180-07:00

Hi Akash.
Thanks for your answer. We will work with two F5 Standalone boxes, one in each AZ, with an external GTM that will implement an http/s monitor of the two FQDNs associated with the EIP of VsFQDN_box1a in AZ 1a, and the EIP of VsFQDN_box1b in AZ 1b.
Regards,
Gianluigi.

Akash Bhunchal, 2015-05-08T00:23:56.654-07:00

Hi Gianluigi,

You can have pools across two AZs, that is not a problem. The problem is with the floating SELF IPs of the F5 box VLANs. These floating IPs need to move from one F5 box to the other, else failover would not work. Even the Virtual Server floating IPs would not move across AZs. The backend (pools) can be in multiple AZs without any problem, but not the F5 boxes.

Please let me know if I misunderstood you.

Anonymous, 2015-05-06T06:08:58.466-07:00

Hi Akash.
Thanks for confirming to us that you have implemented HA inside a single AZ.

Let me say that you have a VPC with AZ 1a and 1b. You have F5 VE in AZ 1a.
What do you think of having some Vs in 1a, with an associated pool that has pool members inside a VLAN inside 1b, so routed from the VPC gateway?

Regards.
Gianluigi.

Akash Bhunchal, 2015-05-06T04:43:56.779-07:00

Hi Gianluigi,

We cannot do active-passive over two AZs AFAIK, for the very simple reason that a VPC subnet cannot exist across two AZs. Each VLAN's (Internal and External) floating self IP moves from one box to the other on failover (secondary private IP). As one IP cannot exist in two subnets, there is no way we can float the IPs across two AZs.

Please let me know if you have found a way to achieve this :)

Anonymous, 2015-05-06T03:20:09.163-07:00

Hi Akash.
You have tested the above implementation inside a single availability zone, correct?
Do you have any idea in case we have 2 availability zones and would like a dual availability setup?
Many thanks,
Gianluigi Crippa