
Deploying F5 BigIP in Microsoft Azure

This is a real pain in the @r$e. Forget all your habits acquired in the happy world of VMware or on physical BigIP boxes. Azure is nothing like this. It’s all about limitations.

In fact, all of them stem from the fact that you can have only one interface on your F5 VE box in Azure. One for everything – management, SNAT and all of your VSs. Yes, you have heard me correctly – all these pieces have to survive on the single interface and single IP address. Arrghhh!…

And this is not funny, as you have to juggle non-standard ports.

First of all, if you’re planning to have an SSL VS on port 443, move your management port to something like 8443:

modify sys httpd ssl-port 8443
modify net self-allow defaults add { tcp:8443 }
save sys config

Secondly, to create a VS, you have to use that single IP address that was leased to the VM by Azure DHCP, which makes you specify something like 10.0.0.0/24 as the destination address of your virtual server.

Actually, I just let my VE box get an IP address once and then simply set this address as a static one for the box itself and for all VSs I create. This does work, though your public IP will certainly keep changing if you shut down your VM – “thanks” to Microsoft for keeping us employed to fix things they break :).

Thirdly, forget about SNAT pools, which you would normally want to create in the VMware world or on a physical BigIP to achieve proper scalability. You have to use Automap – nothing else works, as you have only one IP address to play with. Sorry 🙂

Fourthly, in Azure you have such a thing as a security group, which controls all access to your VM, even from within the same subnet. So to keep your sanity while troubleshooting I’d recommend a rule similar to the following:

[Image: azure-1]
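
Because the management GUI (moved to 8443 above) and the virtual servers share the one IP address, the security group is the only thing separating them. The check below is an added example, not part of the original post: it evaluates a rule list in priority order and reports who can reach the management port. The rule names, the admin range 203.0.113.0/24 and the single-valued field layout (as in `az network nsg rule list -o json` output) are assumptions.

```python
import ipaddress

# Constructed sample in the field layout of `az network nsg rule list -o json`.
# Rule names and the admin range 203.0.113.0/24 are assumptions for illustration.
SAMPLE_RULES = [
    {"name": "allow-vs-https", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "443"},
    {"name": "allow-mgmt-admin", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "8443"},
    {"name": "deny-mgmt-rest", "priority": 120, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "8443"},
    {"name": "broad-allow", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

def port_matches(spec, port):
    """True if an NSG port spec ('*', '443' or '8000-9000') covers the port."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def source_matches(prefix, src_ip):
    """True if the source prefix covers src_ip; service tags are not resolved."""
    if prefix == "*":
        return True
    try:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:  # a service tag such as 'VirtualNetwork'
        return False

def decide(rules, src_ip, port, protocol="tcp"):
    """Return (access, rule name) of the lowest-priority-number inbound match."""
    inbound = [r for r in rules if r["direction"].lower() == "inbound"]
    for r in sorted(inbound, key=lambda r: r["priority"]):
        if (r["protocol"].lower() in ("*", protocol)
                and port_matches(r["destinationPortRange"], port)
                and source_matches(r["sourceAddressPrefix"], src_ip)):
            return r["access"], r["name"]
    return "NoMatch", None  # Azure's built-in default rules decide from here

if __name__ == "__main__":
    for src in ("203.0.113.10", "198.51.100.7"):
        print(src, "-> 8443:", decide(SAMPLE_RULES, src, 8443))
    # Same rules with the broad rule moved ahead of the management deny.
    moved = [dict(r, priority=90) if r["name"] == "broad-allow" else r for r in SAMPLE_RULES]
    print("198.51.100.7 -> 8443 with broad rule first:", decide(moved, "198.51.100.7", 8443))
```

The last case shows why a wide troubleshooting rule needs a higher priority number than the management deny: placed first, it opens 8443 to every source.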

To be continued….

[06/06/2016] Update: F5 have published a workaround which makes Azure deployments a bit closer to real life use cases…
