Configuring vRealize Automation Load Balancing Using F5 BIG-IP (SKKB1006)

Introduction

This post will go through the F5 BIG-IP configuration needed so that it can be used as vRealize Automation (vRA) load balancing and high availability solution.

Lab Environment

The following environment has been used in all of the examples below:

  • Active Directory Domain called vmware.com
  • Windows Server 2012 R2 (with FQDN lan1dc1.vmware.com)
    • Domain Controller
    • DNS Server.
    • PowerShell v4 Host.
    • .NET 4 Framework installed (4.0.30319)
  • Windows Server 2008 R2 SP1 (with FQDN lan1dm1.vmware.com)
    • Domain Member
    • PowerShell v3 Host.
    • .NET 4 Framework installed (4.0.30319)
  • vCO 5.5.1.0 Virtual Appliance (with FQDN vco-a-01.vmware.com)
    • vCO PowerShell Plugin installed (version 1.0.4.1736639)

The full lab logical design can be seen HERE.

Logical Design

The following is a representation of the F5 and vRA logical design:

Deploying the F5 BIG-IP Virtual Edition Appliance

Follow the steps described below to deploy the F5 Big-IP virtual appliance.

Logon to the vSphere Web Client.
In the Inventory List navigate to Hosts and select the host where you want to deploy the appliance.
Browse the BIG-IP .ova file and click Next.

Review the information on the Review details page and click Next.

Read the license agreement on the Accept EULAs page and click Accept and Next.

Fill in the information on the Select name and folder page and click on Next

Review the configuration on the Select Configuration page and click Next

Review the storage configuration on the Select storage page and click Next

Review the information on the Setup networks page.
For the purpose of this document we will not be utilizing the full F5 Network separation and therefore will be using only the Management and Internal interfaces.
The Management interface will connect the F5 to our management network.
The Internal interface will connect to the network where vRA is going to be deployed.
We will not be using the F5 External and HA network interfaces.
For use outside PoC and test environments please refer to the official F5 documentation on recommendation how to use and configure all available F5 network interfaces according to best practises.
Note: Please note the following:

  • The Management and internal interfaces need to be connected to two separate subnets.
  • The Management interface cannot be used for load balancing.
  • For the purpose of this lab, and due to the nested virtualization we are connecting the Internal Interface an NSX virtual wire where we will be deploying the vRA components.

Select the appropriate configuration and click Next.

Review the configuration on the Ready to complete page and click Finish

F5 BIG-IP Initial Configuration

Follow the steps described below to perform initial configure the F5 Big-IP.

Login to the F5 BIG-IP Configuration Utility.
Use default username Admin and password Admin.

On the Welcome page click Next to start the Setup Utility.

On the License page click Activate

Enter you Base Registration Key and click Next.

After licencing has finished login again to the BIG-IP Configuration Utility interface

Navigate to the Platform tab and fill in the general networking properties and Time Zone Settings.
Note: These are the settings for the Management interface you have configured during the F5 BIG-IP Virtual Machine Appliance deployment and correspond to the first NIC of the F5 VM. In this example these settings are applied to Network Adapter 1 which is connected to a management network via the “vDS – ESXi Mgmt” vds.

Click Next.

The connection to the utility will be temporary reset for the settings to take effect. 

Login again to the BIG-IP Configuration Utility interface.

Navigate to the Network tab. 

Under the Advanced Network Configuration section click Finished. 

Depending on the License you have entered you will see different tabs and functionalities being enabled.

Note: If you do not see any of the configuration options or tabs throughout discussed in this guide, you most likely entered a license that does no’t allow you to use thoese functionalities. If thatis is the case, make sure to you re-activate the product with the correct license and gain access toenable thoese functionalities.

Navigate to the Network tab and then to VLANs.
Click Create.

We need at least one VLAN configured to initialize the F5 Internal Network (Interface 1.1)

Enter the Name for the VLAN.
Under Resources make sure Interface 1.1 is selected and tagging is set to Untagged.
Click Add. Click Finished

You should see the VLAN being created.

Navigate to the Network tab and then to Interfaces. Here you can initialize the remaining 3 interfaces of the F5 appliance:

  • Interface 1.1 (Internal)
  • Interface 1.2 (External)
  • Interface 1.3 (HA)

Interface 1.0 is the Management interface that was initialized during the deployment of the OVA and configured earlier in this document. 
As mentioned earlier for the purpose of this document we will be utilizing only the Internal (Interface 1.1) Interface for vRA load balancing and high availability configuration.

The Internal Interface or Interface 1.1 corresponds to Network Adapter 2 of our F5 appliance. We have attached this network adapter to a VDS Switch where our vRA deployment will be done.

While on the Interfaces page select the Interface with name 1.1 and click Enable.

You should see the status of the interface changing from UNINITIALIZED to UP.

Note: If the Status doesn’t change you have probably misconfigured the VLAN in the previous steps.

Navigate to the System tab and then to Configuration. than Device and select DNS.

Make sure correct DNS Lookup Server and DNS search Domain have been added. 

 

Configure the F5 Internal Network

Follow the steps described below to specify self IP addresses and settings for VLAN internal, which is the default VLAN for the internal network.

Login to the F5 BIG-IP Configuration Utility.

Navigate to the Network tab and then to Self IP’s tab.

Click Create

On the New Self IP (SIP) page enter the Name , IP Address and Netmask.
The SIP address acts like an interface through which the F5 can communicate on a given subnet.
In this example we will connect this to the subnet where the vRA will be deployed.
In the VLAN/Tunner option select the Interface1-LB we configured earlier.
In the Port Lockdown option select Allow All.
Click Finised

You should see the SIP being created

 

Configuring F5 BIG-IP Health Monitors

Login to the F5 BIG-IP Configuration Utility

Navigate to Local Traffic and then to Monitors. Here is where we will create our health monitors to monitor our pool members.

Click Create.

In the General Properties page, populate the fields as follows to create the health monitor:
Name: vra-https-postgres (or name according to customer naming conventions)
Type: HTTPS
Interval: 5 seconds
Timeout: 9 seconds
Send String: GET /vPostgresService.py\r\n
Receive String: Postgres.Master=true
Username: <VAMI Username>
Password: <VAMI password>
Alias Service Port: 5480

Click Finished

You should see the Health Monitor being created.

Create another Health Monitor with the following General Properties:
Name: vra-https-va-web
Type: HTTPS
Interval: 5 seconds
Timeout: 9 seconds
Send String: GET /vcac/services/api/status\r\n
Receive String: REGISTERED

Click Finished

Create another Health Monitor with the following General Properties:
Name: vra-https-iaas-web
Type: HTTPS
Interval: 5 seconds
Timeout: 9 seconds
Send String: GET /WAPI/api/status\r\n
Receive String: true

Click Finished

Create another Health Monitor with the following General Properties:
Name: vra-https-iaas-mgr
Type: HTTPS
Interval: 5 seconds
Timeout: 9 seconds
Send String: GET /VMPS2\r\n
Receive String: ProxyAgentService

Click Finished

All the monitors you created above will be listed under the Monitor List tab

 

Configuring F5 BIG-IP Server Pools

Login to the F5 BIG-IP Configuration Utility

Navigate to Local Traffic and then to the Pools tab

Click Create

Create a Pool with the following General Properties:
Name: pool-vra-va-5432 (or name according to customer naming conventions)
Health Monitor: vra-https-postgres
Load balancing Method: Round Robin
New Members: <vRA Node1>,<vRA Node2>
Port: 5432

Click Finished.

Node: During the initial deployment of the vRA nodes you might need to switch the pool Health Monitor to https_443 in order to proceed with the deployment. You should switch back to the vra-https-postgres before you configure the vRA Database with a LB name, otherwise the Database configuration might fail as no adequate load balancing will take place and redirect to the appropriate online node

You should see the pool being created and the status as Available (green)

When you select the pool and click the Members tab you should see both nodes listed and reporting under the Current Members tab
If you have set the vra-https-postgres monitor for the pool-vra-va-5432 and you still haven’t configured vRA Internal Postgress replication you will see both nodes shown with status Offline (red)
If you have set the vra-https-postgres monitor for the pool-vra-va-5432 and you have already configured vRA Internal Postgress replication you will see the active node shown with status Available (green) and the passive node with status Offline (red). This is the case shown on the screenshot.

If you have set the https_443 monitor for the pool-vra-va-5432 and you will see all nodes with status Available (green)

Create a Pool with the following General Properties:

Name: pool-vra-va-web-443 (or name according to customer naming conventions)
Health Monitor: vra-https-va-web
Load balancing Method: Least Connections (member)
New Members: <vRA Node1>,<vRA Node2>
Service Port: 443

Click Finished.

Node: The pool will be shown with status Offline. During the initial deployment of the vRA nodes you might need to switch the pool Health Monitor to https_443 in order to see if the nodes are reporting. You should switch back to the vra-https-va-web after you have configured IaaS components as the monitor is looking for services to be registered. 

Create a Pool with the following characteristics:

Name: pool-vra-iaas-web-443 (or name according to customer naming conventions)
Health Monitor: vra-https-iaas-web
Load balancing Method: Least Connections (member)
New Members: <Iaas Web Server 1>,<IaaS Web Server 2>
Port: 443

Click Finished.

Note: The pool will be shown with status Offline. During the deployment of the vRA Iaas Web and Model manager Data Servers you might need to switch the pool Health Monitor to https_443 in order to see proceed with the deployment. You should switch back to the vra-https-iaas-web after you have deployed the servers. Otherwise you deployment might fail.

Create a Pool with the following General Properties:

Name: pool-vra-iaas-mgr-443 (or name according to customer naming conventions)
Health Monitor: vra-https-iaas-mgr
Load balancing Method: Round Robin
New Members: <Primary Iaas Manager Service>,<Secondary Iaas Manager Service>
Port: 443

Click Finish.

Node: The pool will be shown with status Offline. During the deployment of the vRA Iaas manager Servers you need switch the pool Health Monitor to https_443 in order to see proceed with the deployment. You should switch back to the vra-https-iaas-mgr after you have deployed the servers. Otherwise you deployment might fail.

At this point you should see all 4 pools being configured.

Note: Iif the pools are not configured with default https_443 Health Monitors, and the actual vRA components are not installed, most of the pools will have status Offline (red). 

Configuring F5 BIG-IP Virtual Servers

Login to the F5 BIG-IP Configuration Utility.

Navigate to Local Traffic and then to Virtual Servers.

Create a new Server pool with the following General Properties:

Name: vip-vra-va-5432
Type: Performance (layer 4)
Destination Address: <IP address of the VIP for the vRA VA server name> (this is the same VIP as for the vRA Databsae name)
Service Port: 5432
Source Address Translation: Auto Map
Default Pool: pool-vra-va-5432
Default Persistence Profile: <none>

You should see the pool being created.

Create a new Server pool with the following General Properties:

Name: vip-vra-va-443
Type: Standard
Destination Address: <IP address of the VIP for the vRA VA server name> (this is the same VIP as for the vRA Databsae name)
Service Port: 443
Source Address Translation: Auto Map
Default Pool: pool-vra-va-web-443
Default Persistence Profile: source_addr_carp (updated: 3.31.2015. Note that the screenshot is not updated)



Create a new Server pool with the following General Properties:

Name: vip-vra-iaas-web-443
Type: Standard
Destination Address: <Load Balanceer address for the IaaS Web and Model Manager Data Servers>
Service Port: 443
Source Address Translation: Auto Map
Default Pool: pool-vra-iaas-web-443
Default Persistence Profile: source_addr_carp (updated: 3.31.2015. Note that the screenshot is not updated)



Create to create a new Server pool with the following characteristics:
Name: vip-vra-iaas-mgr-443
Type: Performance (Layer 4)
Destination Address: <Load Balanceer address for the IaaS Manager Service>
Service Port: 443
Source Address Translation: Auto Map
Default Pool: pool-vra-iaas-mgr-443
Default Persistence Profile: <none>


You should now see the following pools created.

Note You might see most of the pools shown as Offline (red) due to the reasons mentioned earlier.

Navigate to Local Traffic and then to Network Map. As mentioned earlier depending on the health Monitors configured and the stage of the vRA Distributed install, you might see most of the servers shown with status Offline (red). This is shown on the first screenshot.

In a final scenario where you are monitoring using the customer created monitors (not the https_443) created in this document and the vRA Distributed install deployment has already finished , you will see all nodes shown with status Available (green) except the vRA VA Passive database node under the pool-vra-va-5432 pool and the pool-vra-iaas-mgr-443 pool. This is shown on the second screenshot, (although different names have been used here)


 

DISCLAIMER; This is a personal blog. Any views or opinions represented in this blog are personal and belong solely to the blog owner and do not represent those of people, institutions or organizations that the owner may or may not be associated with in professional or personal capacity, unless explicitly stated. Any views or opinions are not intended to malign any religion, ethnic group, club, organization, company, or individual.
All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.
Photos
Unless stated, all photos are the work of the blog owner and are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. If used with watermark, no need to credit to the blog owner. For any edit to photos, including cropping, please contact me first.
Recipes
Unless stated, all recipes are the work of the blog owner and are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. Please credit all recipes to the blog owner and link back to the original blog post.
Downloadable Files
Any downloadable file, including but not limited to pdfs, docs, jpegs, pngs, is provided at the user’s own risk. The owner will not be liable for any losses, injuries, or damages resulting from a corrupted or damaged file.
Comments
Comments are welcome. However, the blog owner reserves the right to edit or delete any comments submitted to this blog without notice due to
– Comments deemed to be spam or questionable spam
– Comments including profanity
– Comments containing language or concepts that could be deemed offensive
– Comments containing hate speech, credible threats, or direct attacks on an individual or group
The blog owner is not responsible for the content in comments.
This policy is subject to change at anytime.

Leave a Reply

Your email address will not be published. Required fields are marked *