AWS

In this section, you can see a failover event diagram, example declaration, and requirements for implementing Cloud Failover in AWS.

Failover Event Diagram

This diagram shows a failover event with Cloud Failover implemented in AWS. Elastic IP addresses with matching tags are re-associated with the secondary private IP that matches the virtual address on the now-active BIG-IP device. Route targets whose destinations match the Failover Extension configuration are updated to point at the network interface of the active BIG-IP device.

../_images/AWSFailoverExtensionHighLevel.gif

Example Declaration

This example declaration shows the minimum information needed to update the cloud resources in AWS. See the Quickstart section for steps on how to post this declaration.

{
    "class": "Cloud_Failover",
    "environment": "aws",
    "externalStorage": {
        "scopingTags": {
            "f5_cloud_failover_label": "mydeployment"
        }
    },
    "failoverAddresses": {
        "scopingTags": {
            "f5_cloud_failover_label": "mydeployment"
        }
    },
    "failoverRoutes": {
        "scopingTags": {
            "f5_cloud_failover_label": "mydeployment"
        },
        "scopingAddressRanges": [
            "192.168.1.0/24"
        ]
    }
}

Requirements

These are the minimum requirements for setting up Cloud Failover in AWS:

  • 2 BIG-IP systems in an Active/Standby configuration. You can find an example AWS CloudFormation template here. Any configuration tool can be used to provision the resources.

  • An AWS Identity and Access Management (IAM) role with sufficient access. See the instructions below for creating and assigning an IAM role.

  • An S3 bucket for the Cloud Failover extension's cluster-wide file(s). The bucket must be tagged with a key/value pair corresponding to the key/value(s) provided in the externalStorage.scopingTags section of the Cloud Failover extension configuration.

    Important

    Ensure the S3 bucket used for this storage does not allow public access.

  • Elastic IP addresses tagged with:
    • a key/value corresponding to the key/value(s) provided in the failoverAddresses.scopingTags section of the Cloud Failover extension configuration
    • a special key called VIPS containing a comma-separated list of addresses mapping to a private IP address on each instance in the cluster that the Elastic IP is associated with. For example: 10.0.0.10,10.0.0.11
  • Route(s) in a route table tagged with:
    • a key/value corresponding to the key/value(s) provided in the failoverRoutes.scopingTags section of the Cloud Failover extension configuration
    • a special key called f5_self_ips containing a comma-separated list of addresses that map to a self IP address on each instance in the cluster. Example: 10.0.0.10,10.0.0.11

    Note

    The failover extension configuration failoverRoutes.scopingAddressRanges contains a list of destination routes to update.
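The tag and address requirements above are easy to get subtly wrong (a VIPS list that covers only one instance, a route with the right destination but no f5_self_ips tag). The following preflight check is an added example, not part of the Cloud Failover extension or of this documentation; it runs offline over a constructed inventory that stands in for what the EC2 and S3 APIs would return, and reports every mismatch it finds against a declaration of the shape shown above.

```python
import ipaddress

# Constructed sample inventory, shaped loosely like boto3 describe_* output (not real
# resources): two BIG-IP instances with their private IPs, plus the tagged bucket,
# Elastic IP and route that the requirements above call for.
INSTANCES = {"i-bigip-a": {"10.0.0.10", "10.0.1.10"}, "i-bigip-b": {"10.0.0.11", "10.0.1.11"}}
BUCKET = {"Tags": {"f5_cloud_failover_label": "mydeployment"}, "PublicAccessBlocked": True}
EIPS = [{"PublicIp": "203.0.113.5", "Tags": {"f5_cloud_failover_label": "mydeployment",
                                              "VIPS": "10.0.1.10,10.0.1.11"}}]
ROUTES = [{"DestinationCidrBlock": "192.168.1.0/24", "Tags": {
    "f5_cloud_failover_label": "mydeployment", "f5_self_ips": "10.0.0.10,10.0.0.11"}}]
TAG = {"f5_cloud_failover_label": "mydeployment"}
DECL = {"externalStorage": {"scopingTags": TAG}, "failoverAddresses": {"scopingTags": TAG},
        "failoverRoutes": {"scopingTags": TAG, "scopingAddressRanges": ["192.168.1.0/24"]}}

def in_scope(scoping, tags):
    """A resource is in scope when every scoping tag matches one of its tags."""
    return all(tags.get(k) == v for k, v in scoping.items())

def ip_list_problems(label, csv, instances):
    """Check that a VIPS / f5_self_ips list names one private IP on every instance."""
    owners = set()
    for ip in (a.strip() for a in csv.split(",") if a.strip()):
        hits = [i for i, ips in instances.items() if ip in ips]
        if len(hits) != 1:
            return [f"{label}: {ip} is not a private IP on exactly one instance"]
        owners.add(hits[0])
    missing = sorted(set(instances) - owners)
    return [f"{label}: no address for instance(s) {missing}"] if missing else []

def check_failover_prereqs(decl, instances, bucket, eips, routes):
    """Return the problems found; an empty list means the requirements are met."""
    problems = []
    if not in_scope(decl["externalStorage"]["scopingTags"], bucket["Tags"]):
        problems.append("S3 bucket does not carry the externalStorage scoping tags")
    if not bucket.get("PublicAccessBlocked"):
        problems.append("S3 bucket does not block public access")
    scoped_eips = [e for e in eips if in_scope(decl["failoverAddresses"]["scopingTags"], e["Tags"])]
    if not scoped_eips:
        problems.append("no Elastic IP carries the failoverAddresses scoping tags")
    for e in scoped_eips:
        problems += ip_list_problems(f"EIP {e['PublicIp']} VIPS", e["Tags"].get("VIPS", ""), instances)
    scoped_routes = [r for r in routes if in_scope(decl["failoverRoutes"]["scopingTags"], r["Tags"])]
    for cidr in decl["failoverRoutes"]["scopingAddressRanges"]:
        ipaddress.ip_network(cidr)  # raises ValueError on a malformed destination range
        matches = [r for r in scoped_routes if r["DestinationCidrBlock"] == cidr]
        if not matches:
            problems.append(f"no tagged route with destination {cidr}")
        for r in matches:
            problems += ip_list_problems(f"route {cidr} f5_self_ips", r["Tags"].get("f5_self_ips", ""), instances)
    return problems
```

Feeding it real inventory means replacing the constants with the tag and IP fields from describe_addresses, describe_route_tables, describe_instances and the bucket's tagging/public-access-block settings.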

Creating and assigning an IAM Role

To create and assign an IAM role, the AWS user you sign in as must have the iam:CreateUser permission.

  1. In AWS, go to IAM > Roles and create a policy with the following permissions:
  • EC2 Read/Write
  • S3 Read/Write
  • STS Assume Role

For example:

../_images/AWSIAMRoleSummary.png
  2. Assign an IAM role to each instance by navigating to EC2 > Instances > Instance > Actions > Instance Settings > Attach/Replace IAM Role

For example:

../_images/AWSIAMRoleAssignedToInstance.png

Note

To provide feedback on this documentation, you can file a GitHub Issue.