Deploying BIG-IP VE in Google - Standalone: 3-NIC

To Do

  • Community support only. Template is not F5 supported.

Issues

  • Find an issue? Fork, clone, create branch, fix and PR. I'll review and merge into the main branch. Or submit a GitHub issue with all necessary details and logs.

Introduction

This solution uses a Terraform template to launch a 3-NIC deployment of a cloud-focused BIG-IP VE standalone device in Google GCP. Traffic flows to the BIG-IP VE which then processes the traffic to application servers. The BIG-IP VE instance is running with multiple interfaces: management, external, internal. NIC0 is associated with the external network.

The BIG-IP VEs have the Local Traffic Manager (LTM) module enabled to provide advanced traffic management functionality. In addition, the Application Security Module (ASM) can be enabled to provide F5's L4/L7 security features for web application firewall (WAF) and bot protection.

The BIG-IP's configuration, now defined in a single convenient YAML or JSON F5 BIG-IP Runtime Init configuration file, leverages F5 Automation Tool Chain declarations, which are easier to author, validate and maintain as code. For instance, if you need to change the configuration on the BIG-IPs in the deployment, you update the instance model by passing a new config file (which references the updated Automation Toolchain declarations) via the template's runtimeConfig input parameter. New instances will be deployed with the updated configurations.

Prerequisites

  • Important: When you configure the admin password for the BIG-IP VE in the template, you cannot use the character #. Additionally, there are a number of other special characters that you should avoid using for F5 product user accounts. See K2873 for details.
  • This template requires one or more service accounts for the BIG-IP instance to perform various tasks:
    • See Google's Understanding service accounts
    • Google Secret Manager secrets access - requires "Secrets Manager Secret Accessor"
      • Performed by VM instance during onboarding to retrieve passwords and private keys
    • Backend pool service discovery - requires "Compute Viewer"
      • Performed by F5 Application Services AS3
    • Google Cloud Monitoring (aka StackDriver) - requires "Monitoring Editor"
      • Performed by F5 Telemetry Streaming
  • This template requires a service account to deploy with the Terraform Google provider and build out all the necessary Google objects
  • Passwords and secrets can be located in Google Cloud Secret Manager.
    • Set gcp_secret_manager_authentication to 'true'
    • Set gcp_secret_name to the Secret Manager secret name. The secret contents should contain ONLY the password as plain text.
    • Set gcp_secret_version to the secret version. If it is not provided, the latest version is retrieved.
  • This template deploys into an EXISTING networking stack
    • You must have three VPCs: a VPC for management, an external VPC, and an internal VPC. The management VPC will have one subnet for management traffic. The External VPC will have one subnet for data traffic. The Internal VPC will have one subnet as well.
    • Firewall rules are required to pass traffic to the application
      • BIG-IP will require tcp/22 and tcp/443 on the mgmt network
      • Application access will require tcp/80 and tcp/443 on the external network
    • If you require a new network first, see the Infrastructure Only folder to get started.
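The following Terraform is an added example, not part of this template, showing how the service-account and firewall prerequisites above can be expressed with least privilege: the Secret Accessor role is bound to the single BIG-IP password secret rather than the whole project, only the two project-level roles the page lists are granted, and tcp/22 and tcp/443 on the management VPC are reachable only from an administrative range. `var.admin_cidr` and `var.bigip_admin_password` are assumed variables; `svc_acct`, `gcp_project_id`, `projectPrefix` and `mgmtVpc` reuse the template's own input names.

```hcl
# Added example, not part of this template. Assumed extra variables:
# var.admin_cidr (your admin/VPN range) and var.bigip_admin_password.
# var.svc_acct, var.gcp_project_id, var.projectPrefix, var.mgmtVpc reuse the template's inputs.

# Secret holding ONLY the BIG-IP admin password as plain text (no '#' character).
resource "google_secret_manager_secret" "bigip_password" {
  secret_id = "my-bigip-secret" # pass this name as gcp_secret_name
  replication {
    automatic = true
  }
}

resource "google_secret_manager_secret_version" "bigip_password" {
  secret      = google_secret_manager_secret.bigip_password.id
  secret_data = var.bigip_admin_password
}

# Scope Secret Accessor to this one secret instead of granting it project-wide.
resource "google_secret_manager_secret_iam_member" "bigip_accessor" {
  secret_id = google_secret_manager_secret.bigip_password.id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${var.svc_acct}"
}

# Project roles needed by AS3 service discovery and Telemetry Streaming.
resource "google_project_iam_member" "bigip_roles" {
  for_each = toset(["roles/compute.viewer", "roles/monitoring.editor"])
  project  = var.gcp_project_id
  role     = each.value
  member   = "serviceAccount:${var.svc_acct}"
}

# Management: tcp/22 and tcp/443, reachable only from the admin range and
# only on instances running as the BIG-IP service account.
resource "google_compute_firewall" "bigip_mgmt" {
  name                    = "${var.projectPrefix}-allow-bigip-mgmt"
  network                 = var.mgmtVpc
  direction               = "INGRESS"
  source_ranges           = [var.admin_cidr]
  target_service_accounts = [var.svc_acct]
  allow {
    protocol = "tcp"
    ports    = ["22", "443"]
  }
}
```

The application rule for tcp/80 and tcp/443 on the external VPC follows the same pattern with `var.extVpc` as the network and the client source ranges you intend to serve.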

Important Configuration Notes

  • Variables are configured in variables.tf
  • Sensitive variables like Google SSH keys are configured in terraform.tfvars or Google Cloud Secret Manager
    • Note: Other items like BIG-IP password can be stored in Google Cloud Secret Manager. Refer to the Prerequisites.
    • The BIG-IP instance will query Google Metadata API to retrieve the service account's token for authentication.
    • The BIG-IP instance will then use the secret name and the service account's token to query Google Metadata API and dynamically retrieve the password for device onboarding.
  • This template uses BIG-IP Runtime Init for the initial configuration. As part of the onboarding script, it will download the F5 Toolchain RPMs automatically. See the AS3 documentation and DO documentation for details on how to use AS3 and Declarative Onboarding on your BIG-IP VE(s). The Telemetry Streaming extension is also downloaded and can be configured to point to F5 Beacon, Google Cloud Monitoring (old name StackDriver), or many other consumers.
  • Files
    • bigip.tf - resources for BIG-IP, NICs, public IPs
    • main.tf - resources for provider, versions
    • f5_onboard.tmpl - onboarding script which is run by commandToExecute (user data). It will be copied to /var/lib/waagent/CustomData upon bootup. This script is responsible for downloading the necessary F5 Automation Toolchain RPM files, installing them, and then executing the onboarding REST calls via the BIG-IP Runtime Init tool.

BYOL Licensing

This template uses a PayGo BIG-IP image for the deployment by default. If you would like to use BYOL licenses, the following steps are needed:

  1. Find available images/versions with "byol" in the name using Google gcloud:
        gcloud compute images list --project=f5-7626-networks-public | grep f5

        # example output...

        --snippet--
        f5-bigip-15-1-6-1-0-0-10-payg-best-1gbps-220701174029
        f5-bigip-15-1-6-1-0-0-10-payg-best-200mbps-220701173825
        f5-bigip-15-1-6-1-0-0-10-byol-all-modules-2boot-loc-0701180815
        f5-bigip-16-1-3-1-0-0-11-byol-all-modules-2boot-loc-0721055536
        ...and some more
  2. In variables.tf, modify image_name with the image name from the gcloud CLI results
        # BIGIP Image
        variable image_name { default = "projects/f5-7626-networks-public/global/images/f5-bigip-16-1-3-1-0-0-11-byol-all-modules-2boot-loc-0721055536" }
  3. In variables.tf, modify license1 with a valid regkey
        # BIGIP Setup
        variable license1 { default = "" }
  4. In f5_onboard.tmpl, add the "myLicense" block under the "Common" declaration (example here)
        myLicense:
          class: License
          licenseType: regKey
          regKey: '${regKey}'

BIG-IQ License Manager

This template uses a PayGo BIG-IP image for the deployment by default. If you would like to use BYOL/ELA/Subscription licenses from BIG-IQ License Manager (LM), the following steps are needed:

  1. Find a BYOL image. Reference BYOL Licensing step #1.
  2. Replace the BIG-IP image_name in variables.tf. Reference BYOL Licensing step #2.
  3. In variables.tf, modify the BIG-IQ license section to match your environment
  4. In f5_onboard.tmpl, add the "myLicense" block under the "Common" declaration (example here)
        myLicense:
          class: License
          licenseType: ${bigIqLicenseType}
          bigIqHost: ${bigIqHost}
          bigIqUsername: ${bigIqUsername}
          bigIqPassword: ${bigIqPassword}
          licensePool: ${bigIqLicensePool}
          skuKeyword1: ${bigIqSkuKeyword1}
          skuKeyword2: ${bigIqSkuKeyword2}
          unitOfMeasure: ${bigIqUnitOfMeasure}
          reachable: false
          hypervisor: ${bigIqHypervisor}
          overwrite: true

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.2.0 |
| google | >= 4.57.0 |

Providers

| Name | Version |
|------|---------|
| google | 4.57.0 |
| random | 3.4.3 |

Modules

| Name | Source | Version |
|------|--------|---------|
| bigip | F5Networks/bigip-module/gcp | 1.1.11 |

Resources

| Name | Type |
|------|------|
| google_compute_address.ext | resource |
| google_compute_address.int | resource |
| google_compute_address.mgt | resource |
| google_compute_address.vip | resource |
| google_compute_address.vip1 | resource |
| google_compute_forwarding_rule.vip1 | resource |
| google_compute_target_instance.f5vm01 | resource |
| random_id.buildSuffix | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| ssh_key | Public key used for authentication in /path/file format (e.g. /.ssh/id_rsa.pub) | string | n/a | yes |
| AS3_URL | URL to download the BIG-IP Application Service Extension 3 (AS3) module | string | "https://github.com/F5Networks/f5-appsvcs-extension/releases/download/v3.43.0/f5-appsvcs-3.43.0-2.noarch.rpm" | no |
| DO_URL | URL to download the BIG-IP Declarative Onboarding module | string | "https://github.com/F5Networks/f5-declarative-onboarding/releases/download/v1.36.1/f5-declarative-onboarding-1.36.1-1.noarch.rpm" | no |
| FAST_URL | URL to download the BIG-IP FAST module | string | "https://github.com/F5Networks/f5-appsvcs-templates/releases/download/v1.24.0/f5-appsvcs-templates-1.24.0-1.noarch.rpm" | no |
| INIT_URL | URL to download the BIG-IP runtime init | string | "https://cdn.f5.com/product/cloudsolutions/f5-bigip-runtime-init/v1.6.0/dist/f5-bigip-runtime-init-1.6.0-1.gz.run" | no |
| TS_URL | URL to download the BIG-IP Telemetry Streaming module | string | "https://github.com/F5Networks/f5-telemetry-streaming/releases/download/v1.32.0/f5-telemetry-1.32.0-2.noarch.rpm" | no |
| bigIqHost | The BIG-IQ License Manager host name or IP address | string | "" | no |
| bigIqHypervisor | BIG-IQ hypervisor | string | "gce" | no |
| bigIqLicensePool | BIG-IQ license pool name | string | "" | no |
| bigIqLicenseType | BIG-IQ license type | string | "licensePool" | no |
| bigIqPassword | Admin password for BIG-IQ | string | "Default12345!" | no |
| bigIqSkuKeyword1 | BIG-IQ license SKU keyword 1 | string | "key1" | no |
| bigIqSkuKeyword2 | BIG-IQ license SKU keyword 2 | string | "key2" | no |
| bigIqUnitOfMeasure | BIG-IQ license unit of measure | string | "hourly" | no |
| bigIqUsername | Admin name for BIG-IQ | string | "admin" | no |
| customImage | A custom SKU (image) to deploy that you provide. This is useful if you created your own BIG-IP image with the F5 image creator tool. | string | "" | no |
| customUserData | The custom user data to deploy when also using the 'customImage' parameter. | string | "" | no |
| dns_server | Leave the default DNS server the BIG-IP uses, or replace it with the one you want to use | string | "169.254.169.254" | no |
| dns_suffix | DNS suffix for your domain in the GCP project | string | "example.com" | no |
| extSubnet | External subnet | string | null | no |
| extVpc | External VPC network | string | null | no |
| f5_password | BIG-IP password or Google secret name (the value should be the Google secret name when gcp_secret_manager_authentication = true, e.g. my-bigip-secret) | string | "Default12345!" | no |
| f5_username | User name for the BIG-IP | string | "admin" | no |
| gcp_project_id | GCP Project ID for provider | string | null | no |
| gcp_region | GCP Region for provider | string | "us-west1" | no |
| gcp_secret_manager_authentication | Whether to use Secret Manager to pass authentication | bool | false | no |
| gcp_secret_name | The Secret Manager secret name | string | null | no |
| gcp_secret_version | The version of the secret to get. If it is not provided, the latest version is retrieved. | string | "latest" | no |
| gcp_zone_1 | GCP Zone 1 for provider | string | "us-west1-a" | no |
| image_name | F5 SKU (image) to deploy. Note: The disk size of the VM will be determined by the option you select. Important: If intending to provision multiple modules, ensure the appropriate value is selected, such as AllTwoBootLocations or AllOneBootLocation. | string | "projects/f5-7626-networks-public/global/images/f5-bigip-16-1-3-3-0-0-3-payg-best-plus-25mbps-221222234728" | no |
| intSubnet | Internal subnet | string | null | no |
| intVpc | Internal VPC network | string | null | no |
| libs_dir | Directory on the BIG-IP to download the A&O Toolchain into | string | "/config/cloud/gcp/node_modules" | no |
| license1 | The license token for the 1st F5 BIG-IP VE (BYOL) | string | "" | no |
| machine_type | Google machine type to be used for the BIG-IP VE | string | "n1-standard-8" | no |
| mgmtSubnet | Management subnet | string | null | no |
| mgmtVpc | Management VPC network | string | null | no |
| ntp_server | Leave the default NTP server the BIG-IP uses, or replace it with the one you want to use | string | "0.us.pool.ntp.org" | no |
| projectPrefix | This value is inserted at the beginning of each Google object (alpha-numeric, no special characters) | string | "demo" | no |
| resourceOwner | A tag used for object creation. Example is last name. | string | null | no |
| svc_acct | Service account for the VM instance | string | null | no |
| telemetry_privateKeyId | ID of the private key for the 'svc_acct' used in Telemetry Streaming to Google Cloud Monitoring. If you are not using this feature, you do not need this secret in Secret Manager. | string | "" | no |
| telemetry_secret | Contains the value of the 'svc_acct' private key. Currently used for BIG-IP Telemetry Streaming to Google Cloud Monitoring (aka StackDriver). If you are not using this feature, you do not need this secret in Secret Manager. | string | "" | no |
| timezone | If you would like to change the time zone the BIG-IP uses, enter the time zone you want to use. This is based on the tz database found in /usr/share/zoneinfo (see the full list here). Example values: UTC, US/Pacific, US/Eastern, Europe/London or Asia/Singapore. | string | "UTC" | no |
| vm_name | Name of the 1st BIG-IP. If empty, the default is the 'bigip1' string + prefix + random_id | string | "" | no |

Outputs

| Name | Description |
|------|-------------|
| f5vm01_ext_private_ip | f5vm01 external primary IP address (self IP) |
| f5vm01_ext_public_ip | f5vm01 external public IP address (self IP) |
| f5vm01_mgmt_name | f5vm01 management device name |
| f5vm01_mgmt_pip_url | f5vm01 management public URL |
| f5vm01_mgmt_private_ip | f5vm01 management private IP address |
| f5vm01_mgmt_public_ip | f5vm01 management public IP address |
| public_vip | Public IP for the BIG-IP listener (VIP) |
| public_vip_url | Public URL for the application |

Installation Example

To run this Terraform template, perform the following steps:

  1. Clone the repo to your favorite location
  2. Modify terraform.tfvars with the required information
    # BIG-IP Environment
    f5_username = "admin"
    f5_password = "Default12345!"
    ssh_key     = "~/.ssh/id_rsa.pub"
    mgmtVpc     = "xxxxx-net-mgmt"
    extVpc      = "xxxxx-net-ext"
    intVpc      = "xxxxx-net-int"
    mgmtSubnet  = "xxxxx-subnet-mgmt"
    extSubnet   = "xxxxx-subnet-ext"
    intSubnet   = "xxxxx-subnet-int"
    dns_suffix  = "example.com"

    # BIG-IQ Environment
    bigIqUsername = "admin"
    bigIqPassword = "Default12345!"

    # Google Environment
    projectPrefix  = "mydemo123"
    gcp_project_id = "xxxxx"
    gcp_region     = "us-west1"
    gcp_zone_1     = "us-west1-a"
    svc_acct       = "xxxxx@xxxxx.iam.gserviceaccount.com"
    resourceOwner  = "myLastName"
  3. Initialize the directory
    terraform init
  4. Test the plan and validate errors
    terraform plan
  5. Finally, apply and deploy
    terraform apply
  6. When done with everything, don't forget to clean up!
    terraform destroy

Configuration Example

The following is an example configuration diagram for this solution deployment. In this scenario, all access to the BIG-IP VE device is direct to the BIG-IP via the management interface. The IP addresses in this example may be different in your implementation.

(Diagram: Configuration Example)

Documentation

For more information on F5 solutions for Google, including manual configuration procedures for some deployment scenarios, see the Google GCP section of F5 CloudDocs. Also check out the Using Cloud Templates for BIG-IP in Google on DevCentral. This particular standalone example is based on the BIG-IP Quickstart F5 GDM Cloud Template on GitHub.

Creating Virtual Servers on the BIG-IP VE

In order to pass traffic from your clients to the servers through the BIG-IP system, you must create a virtual server on the BIG-IP VE. In this template, the AS3 declaration creates 1 VIP listening on 0.0.0.0/0:80 as an example.

Note: These next steps illustrate the manual way in the GUI to create a virtual server

  1. Open the BIG-IP VE Configuration utility
  2. Click Local Traffic > Virtual Servers
  3. Click the Create button
  4. Type a name in the Name field
  5. Type an address (ex. 0.0.0.0/0) in the Destination/Mask field
  6. Type a port (ex. 80) in the Service Port
  7. Configure the rest of the virtual server as appropriate
  8. Select a pool name from the Default Pool list
  9. Click the Finished button
  10. Repeat as necessary for other applications

Redeploy BIG-IP for Replacement or Upgrade

This example illustrates how to replace or upgrade the BIG-IP VE.

  1. Change the image_name variable to the desired release
  2. Revoke the problematic BIG-IP VE's license (if BYOL)
  3. Run the following commands
    terraform taint module.bigip.google_compute_instance.f5vm01
    terraform taint google_compute_target_instance.f5vm01
    terraform taint google_compute_forwarding_rule.vip1
  4. Run the following command
    terraform apply

Troubleshooting

Serial Logs

Review the serial logs for the Google virtual machine. Log in to the Google Cloud console, open "Compute Engine", locate your instance and click it, then review the serial logs for errors.

Onboard Logs

Depending on where onboard fails, you can attempt SSH login and try to troubleshoot further. Inspect the /config/cloud directory for correct runtime init YAML files. Inspect the /var/log/cloud location for error logs.

F5 Automation Toolchain Components

F5 BIG-IP Runtime Init uses the F5 Automation Toolchain for configuration of BIG-IP instances. Any errors thrown from these components will be surfaced in the bigIpRuntimeInit.log (or a custom log location as specified below).

Help with troubleshooting individual Automation Toolchain components can be found at F5's Public Cloud Docs: