Migrate an F5 BIG-IP workload to F5 BIG-IP VE on the AWS Cloud

Created by Will Bauer (AWS)

Source: F5 BIG-IP TMOS 13.1 and later	Target: F5 BIG-IP VE on AWS	R Type: Rehost
Environment: Production	Technologies: Migration; Security, identity, compliance; Networking	Workload: All other workloads
AWS services: Amazon EC2; Amazon VPC; AWS Transit Gateway; Amazon CloudFront; Amazon CloudWatch; AWS Global Accelerator; AWS CloudFormation

Summary

Organizations are looking to migrate to the Amazon Web Services (AWS) Cloud to increase their agility and resilience. After you migrate your F5 BIG-IP security and traffic management solutions to the AWS Cloud, you can focus on agility and adoption of high-value operational models across your enterprise architecture.

This pattern describes how to migrate an F5 BIG-IP workload to an F5 BIG-IP Virtual Edition (VE) workload on the AWS Cloud. The workload will be migrated by rehosting the existing environment and deploying aspects of replatforming, such as service discovery and API integrations. AWS CloudFormation templates accelerate your workload’s migration to the AWS Cloud.

This pattern is intended for technical engineering and architectural teams that are migrating F5 security and traffic management solutions, and accompanies the guide Migrating from F5 BIG-IP to F5 BIG-IP VE on the AWS Cloud on the AWS Prescriptive Guidance website.

Prerequisites and limitations

Prerequisites 

• An existing on-premises F5 BIG-IP workload.

• Existing F5 licenses for BIG-IP VE versions.

• An active AWS account.

• An existing virtual private cloud (VPC) configured with an egress through a NAT gateway or Elastic IP address, and configured with access to the following endpoints: Amazon Simple Storage Service (Amazon S3), Amazon Elastic Compute Cloud (Amazon EC2), AWS Security Token Service (AWS STS), and Amazon CloudWatch. You can also modify the Modular and scalable VPC architecture Quick Start as a building block for your deployments. 

• One or two existing Availability Zones, depending on your requirements. 

• Three existing private subnets in each Availability Zone.

• AWS CloudFormation templates, available in the F5 GitHub repository. 

During the migration, you might also use the following, depending on your requirements:

• An F5 Cloud Failover Extension to manage Elastic IP address mapping, secondary IP mapping, and route table changes. 

• If you use multiple Availability Zones, you will need to use the F5 Cloud Failover Extensions to handle the Elastic IP mapping to virtual servers.

• You should consider using F5 Application Services 3 (AS3), F5 Application Services Templates (FAST), or another infrastructure as code (IaC) model to manage the configurations. Preparing the configurations in an IaC model and using code repositories will help with the migration and your ongoing management efforts.

Expertise

• This pattern requires familiarity with how one or more VPCs can be connected to existing data centers. For more information about this, see Network-to-Amazon VPC connectivity options in the Amazon VPC documentation. 

• Familiarity is also required with F5 products and modules, including Traffic Management Operating System (TMOS), Local Traffic Manager (LTM), Global Traffic Manager (GTM), Access Policy Manager (APM), Application Security Manager (ASM), Advanced Firewall Manager (AFM), and BIG-IQ.

Product versions

• We recommend that you use F5 BIG-IP version 13.1 or later, although the pattern supports F5 BIG-IP version 12.1 or later.

Architecture

Source technology stack

• F5 BIG-IP workload

Target technology stack  

• Amazon CloudFront

• Amazon CloudWatch

• Amazon EC2

• Amazon S3

• Amazon VPC

• AWS Global Accelerator

• AWS STS

• AWS Transit Gateway

• F5 BIG-IP VE

Target architecture 

Tools

• AWS CloudFormation helps you set up AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle across AWS accounts and Regions.

• Amazon CloudFront speeds up distribution of your web content by delivering it through a worldwide network of data centers, which lowers latency and improves performance.   

• Amazon CloudWatch helps you monitor the metrics of your AWS resources and the applications you run on AWS in real time.

• Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the AWS Cloud. You can launch as many virtual servers as you need and quickly scale them up or down.

• AWS Identity and Access Management (IAM) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them.

• Amazon Simple Storage Service (Amazon S3) is a cloud-based object storage service that helps you store, protect, and retrieve any amount of data.

• AWS Security Token Service (AWS STS) helps you request temporary, limited-privilege credentials for users.

• AWS Transit Gateway is a central hub that connects virtual private clouds (VPCs) and on-premises networks.

• Amazon Virtual Private Cloud (Amazon VPC) helps you launch AWS resources into a virtual network that you’ve defined. This virtual network resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

Epics

Discovery and assessment

Task	Description	Skills required
Assess the performance of F5 BIG-IP.	Collect and record the performance metrics of the applications on the virtual server, and metrics of systems that will be migrated. This will help to correctly size the target AWS infrastructure for better cost optimization.	F5 Architect, Engineer and Network Architect, Engineer
Evaluate the F5 BIG-IP operating system and configuration.	Evaluate which objects will be migrated and if a network structure needs to be maintained, such as VLANs.	F5 Architect, Engineer
Evaluate F5 license options.	Evaluate which license and consumption model you will require. This assessment should be based on your evaluation of the F5 BIG-IP operating system and configuration.	F5 Architect, Engineer
Evaluate the public applications.	Determine which applications will require public IP addresses. Align those applications to the required instances and clusters to meet performance and service-level agreement (SLA) requirements.	F5 Architect, Cloud Architect, Network Architect, Engineer, App Teams
Evaluate internal applications.	Evaluate which applications will be used by internal users. Make sure you know where those internal users sit in the organization and how those environments connect to the AWS Cloud. You should also make sure those applications can use domain name system (DNS) as part of the default domain.	F5 Architect, Cloud Architect, Network Architect, Engineer, App Teams
Finalize the AMI.	Not all F5 BIG-IP versions are created as Amazon Machine Images (AMIs). You can use the F5 BIG-IP Image Generator Tool if you have specific required quick-fix engineering (QFE) versions. For more information about this tool, see the "Related resources" section.	F5 Architect, Cloud Architect, Engineer
Finalize the instance types and architecture.	Decide on the instance types, VPC architecture, and interconnected architecture.	F5 Architect, Cloud Architect, Network Architect, Engineer

Complete security and compliance-related activities

Task	Description	Skills required
Document the existing F5 security policies.	Collect and document existing F5 security policies. Make sure you create a copy of them in a secure code repository.	F5 Architect, Engineer
Encrypt the AMI.	(Optional) Your organization might require encryption of data at rest. For more information about creating a custom Bring Your Own License (BYOL) image, see the "Related resources" section.	F5 Architect, Engineer Cloud Architect, Engineer
Harden the devices.	This will help protect against potential vulnerabilities.	F5 Architect, Engineer

Configure your new AWS environment

Task	Description	Skills required
Create edge and security accounts.	Sign in to the AWS Management Console and create the AWS accounts that will provide and operate the edge and security services. These accounts might be different from the accounts that operate VPCs for shared services and applications. This step can be completed as part of a landing zone.	Cloud Architect, Engineer
Deploy edge and security VPCs.	Set up and configure the VPCs required to deliver edge and security services.	Cloud Architect, Engineer
Connect to the source data center.	Connect to the source data center that hosts your F5 BIG-IP workload.	Cloud Architect, Network Architect, Engineer
Deploy the VPC connections.	Connect the edge and security service VPCs to the application VPCs.	Network Architect, Engineer
Deploy the instances.	Deploy the instances by using the AWS CloudFormation templates from the "Related resources" section.	F5 Architect, Engineer
Test and configure instance failover.	Make sure that the AWS Advanced HA iAPP template or F5 Cloud Failover Extension is configured and operating correctly.	F5 Architect, Engineer

Configure networking

Task	Description	Skills required
Prepare the VPC topology.	Open the Amazon VPC console and make sure that your VPC has all the required subnets and protections for the F5 BIG-IP VE deployment.	Network Architect, F5 Architect, Cloud Architect, Engineer
Prepare your VPC endpoints.	Prepare the VPC endpoints for Amazon EC2, Amazon S3, and AWS STS if an F5 BIG-IP workload does not have access to a NAT Gateway or Elastic IP address on a TMM interface.	Cloud Architect, Engineer

Migrate data

Task	Description	Skills required
Migrate the configuration.	Migrate the F5 BIG-IP configuration to F5 BIG-IP VE on the AWS Cloud.	F5 Architect, Engineer
Associate the secondary IPs.	Virtual server IP addresses have a relationship with the secondary IP addresses assigned to the instances. Assign secondary IP addresses and make sure “Allow remap/reassignment” is selected.	F5 Architect, Engineer

Test configurations

Task	Description	Skills required
Validate the virtual server configurations.	Test the virtual servers.	F5 Architect, App Teams

Finalize operations

Task	Description	Skills required
Create the backup strategy.	Systems must be shut down to create a full snapshot. For more information, see “Updating an F5 BIG-IP virtual machine” in the “Related resources” section.	F5 Architect, Cloud Architect, Engineer
Create the cluster failover runbook.	Make sure that the failover runbook process is complete.	F5 Architect, Engineer
Set up and validate logging.	Configure F5 Telemetry Streaming to send logs to the required destinations.	F5 Architect, Engineer

Complete the cutover

Task	Description	Skills required
Cut over to the new deployment.		F5 Architect, Cloud Architect, Network Architect, Engineer, AppTeams

Related resources

Migration guide

• Migrating from F5 BIG-IP to F5 BIG-IP VE on the AWS Cloud

F5 resources

• AWS CloudFormation templates in the F5 GitHub repository

• F5 in AWS Marketplace

• F5 BIG-IP VE overview 

• Example Quickstart - BIG-IP Virtual Edition with WAF (LTM + ASM)

• F5 Application services on AWS: an overview (video)

• F5 Application Services 3 Extension User Guide 

• F5 cloud documentation

• F5 iControl REST wiki

• F5 Overview of single configuration files (11.x - 15.x)

• F5 topology lab

• F5 whitepapers

• F5 BIG-IP Image Generator Tool

• Updating an F5 BIG-IP VE virtual machine

• Overview of the UCS archive "platform-migrate" option