F5Networks / f5-aws-cloudformation

CloudFormation Templates for quickly deploying BIG-IP services in Amazon Web Services EC2

f5-existing-stack-cluster-byol-2nic-bigiq-licmgmt.template v4.1.3 - Security Group Create Failure #71

Closed jmcalalang closed 4 years ago

jmcalalang commented 5 years ago

Do you already have an issue opened with F5 support?

No, this is experimental and opening a Support issue won't be looked at

Description

The current template for LM BIG-IQ Cluster creates the management and internal security groups with only access from the template parameters, this doesn't allow clustering to happen as the Private addresses are never added.

management

    "deviceManagementSecurityGroup": {
        "Properties": {
            "GroupDescription": "management interface policy",
            "SecurityGroupIngress": [{
                    "CidrIp": {
                        "Ref": "restrictedSrcAddress"
                    },
                    "FromPort": "22",
                    "IpProtocol": "tcp",
                    "ToPort": "22"
                },
                {
                    "CidrIp": {
                        "Ref": "restrictedSrcAddress"
                    },
                    "FromPort": "443",
                    "IpProtocol": "tcp",
                    "ToPort": "443"
                },
                {
                    "CidrIp": {
                        "Ref": "restrictedSrcAddressApp"
                    },
                    "FromPort": "27017",
                    "IpProtocol": "tcp",
                    "ToPort": "27017"
                }
            ]
        }
    }

internal

    "deviceSubnet1SecurityGroup": {
        "Properties": {
            "GroupDescription": "internal interface policy",
            "SecurityGroupIngress": [
                {
                    "CidrIp": {
                        "Ref": "restrictedSrcAddress"
                    },
                    "FromPort": "22",
                    "IpProtocol": "tcp",
                    "ToPort": "22"
                },
                {
                    "CidrIp": {
                        "Ref": "restrictedSrcAddressApp"
                    },
                    "FromPort": "443",
                    "IpProtocol": "tcp",
                    "ToPort": "443"
                },
                {
                    "CidrIp": {
                        "Ref": "restrictedSrcAddressApp"
                    },
                    "FromPort": "27017",
                    "IpProtocol": "tcp",
                    "ToPort": "27017"
                }
            ]
        }
    }

Template

https://raw.githubusercontent.com/F5Networks/f5-aws-cloudformation/master/experimental/bigiq/licenseManagement/cluster/2nic/existing-stack/byol/f5-existing-stack-cluster-byol-2nic-bigiq-licmgmt.template

Severity Level

Severity: Severity 3

This isn't a supported template; however, this seems to break the builds.

Tracking: @aknot242
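To check what the issue describes in a template before deploying it, the following added script (not part of the F5 repository or this issue) walks every `AWS::EC2::SecurityGroup` in a CloudFormation template, folds in standalone `AWS::EC2::SecurityGroupIngress` resources aimed at each group, and reports per group whether its members can reach each other and whether every rule depends only on operator-supplied parameter CIDRs. The embedded template is constructed: the first group mirrors the management group quoted above, and `peerSecurityGroup` / `peerSelfIngress` are hypothetical names.

```python
import json

# Constructed sample (not the repo's template). "deviceManagementSecurityGroup"
# mirrors the issue's fragment; "peerSecurityGroup" is hypothetical and also gets a
# self-referencing rule via a standalone SecurityGroupIngress (no circular Ref).
SAMPLE = json.dumps({
  "Parameters": {"restrictedSrcAddress": {"Type": "String"}},
  "Resources": {
    "deviceManagementSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "management interface policy",
      "SecurityGroupIngress": [
        {"CidrIp": {"Ref": "restrictedSrcAddress"}, "IpProtocol": "tcp", "FromPort": "22", "ToPort": "22"}]}},
    "peerSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "hypothetical: parameter CIDR plus self rule",
      "SecurityGroupIngress": [
        {"CidrIp": {"Ref": "restrictedSrcAddress"}, "IpProtocol": "tcp", "FromPort": "443", "ToPort": "443"}]}},
    "peerSelfIngress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
      "GroupId": {"Ref": "peerSecurityGroup"}, "SourceSecurityGroupId": {"Ref": "peerSecurityGroup"},
      "IpProtocol": "tcp", "FromPort": "443", "ToPort": "443"}}}})

def rule_source(rule, params):
    """Classify where a rule admits traffic from: (kind, source)."""
    cidr, sg = rule.get("CidrIp"), rule.get("SourceSecurityGroupId")
    if isinstance(cidr, dict) and cidr.get("Ref") in params:
        return ("parameter", cidr["Ref"])       # operator-supplied CIDR parameter
    if isinstance(cidr, str):
        return ("cidr", cidr)                   # literal CIDR written into the template
    if isinstance(sg, dict) and "Ref" in sg:
        return ("group", sg["Ref"])             # another (or the same) security group
    return ("other", json.dumps(rule, sort_keys=True))

def _entry(p, params):
    return (p.get("IpProtocol"), str(p.get("FromPort")), str(p.get("ToPort"))) + rule_source(p, params)

def audit_security_groups(template_text):
    """Per AWS::EC2::SecurityGroup: its rules (inline plus standalone ingress
    resources targeting it), whether members can reach each other, and whether
    every rule depends solely on parameter CIDRs (the issue's complaint)."""
    t = json.loads(template_text)
    params, res = set(t.get("Parameters", {})), t.get("Resources", {})
    report = {n: {"rules": [_entry(r, params) for r in r0.get("Properties", {}).get("SecurityGroupIngress", [])]}
              for n, r0 in res.items() if r0.get("Type") == "AWS::EC2::SecurityGroup"}
    for r0 in res.values():  # attach standalone ingress resources to their target group
        p = r0.get("Properties", {}); gid = p.get("GroupId")
        if r0.get("Type") == "AWS::EC2::SecurityGroupIngress" and isinstance(gid, dict) and gid.get("Ref") in report:
            report[gid["Ref"]]["rules"].append(_entry(p, params))
    for name, info in report.items():
        info["peer_reachable"] = any(k == "group" and s == name for (_, _, _, k, s) in info["rules"])
        info["only_parameter_cidrs"] = bool(info["rules"]) and all(k == "parameter" for (_, _, _, k, _) in info["rules"])
    return report
```

Run it against the downloaded template (replace `SAMPLE` with the file contents) to see, per group, whether any rule admits the cluster members themselves rather than only the CIDRs passed as parameters.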

wduongf5 commented 5 years ago

Hi Jon,

I was able to reproduce the issue. I created an internal tracking number 1161 for the issue.

crosbygw commented 4 years ago

@jmcalalang
Big-iq does not have the same setup as big-ip clustering; you should see the following in your GUI when ha has successfully been set up on big-iq's: [screenshot: Screen Shot 2020-01-31 at 9 35 17 AM]

Here is a link to big-iq ha documentation: https://support.f5.com/csp/article/K36398804

Security groups do not require the same ports to be open as they do for big-ip clustering, i.e., udp:1026 and tcp:4353.

I am going to close the issue; please re-open if you have any further questions.