Forum Discussion

Johnny_Test_197
Nov 30, 2015

F5 Virtual Edition AWS Internet Routing

I have a Virtual F5 fronting some internet-facing services with elastic IPs that then get routed to internal AWS hosts, and that all works fine. My instance has multiple interfaces: eth0 being the management VLAN (10.0.2.1), eth1 being "external" (a subnet that has a security group that allows external internet connectivity), and subsequent interfaces for different lab subnets. I've been approached to create an APM VIP where the node is external to my VPC; however, my F5 can't seem to route to the internet. I have a default route set with the destination set as 0.0.0.0 set to "Use Gateway" and I provide the gateway address of the "external" interface (10.0.5.1). If I ssh to the F5 itself and attempt to ping an external host, it resolves DNS but then times out. If I force ping to use the management interface, eth0, it works no problem (I opened up the security group on the management subnet earlier attempting to troubleshoot this issue). Obviously I don't want to route traffic through my management interface, but I can't seem to understand why I can't route traffic through the default gateway on my "external" interface. I am able to ping that gateway from the F5, and I can communicate with hosts on that subnet. Here is the route table:

[root@ip-10-0-2-150:Active:Standalone] config  route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
127.1.1.0       0.0.0.0         255.255.255.0   U     0      0        0 tmm0
127.3.0.0       0.0.0.0         255.255.255.0   U     0      0        0 mgmt_bp
10.0.2.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.2.0    0.0.0.0         255.255.255.0   U     9      0        0 eth0
10.0.102.0    0.0.0.0         255.255.255.0   U     0      0        0 F5_EAST_VIP1
10.0.103.0    0.0.0.0         255.255.255.0   U     0      0        0 F5_EAST_VIP2
10.0.100.0    0.0.0.0         255.255.255.0   U     0      0        0 F5_WEST_VIP1
10.0.101.0    0.0.0.0         255.255.255.0   U     0      0        0 F5_WEST_VIP2
10.0.5.0     0.0.0.0         255.255.255.0   U     0      0        0 External
127.7.0.0       127.1.1.254     255.255.0.0     UG    0      0        0 tmm0
0.0.0.0         10.0.5.1     0.0.0.0         UG    0      0        0 External
0.0.0.0         10.0.2.1    0.0.0.0         UG    9      0        0 eth0

I have a single route table for the VPC that includes all subnets, and a single route domain on the F5 that includes all VLANs.

2 Replies

  • This sounds more like an AWS VPC issue than an F5 issue. Do you have another system using the same VPC route with your AWS environment to test internet access with?

     

  • It wasn't the VPC. It ended up that even though the "external" interface was on an external VLAN at the time of provisioning, it didn't get a public IP assigned. Once I attached an elastic to that interface, everything started routing properly.
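
The check that would have surfaced the cause found in this thread, as an added example that is not code from any poster: it picks the preferred default route from `route -n` output, finds the network interface sitting in that subnet, and reports whether it has a public IP association. The ENI records are constructed in the shape of `aws ec2 describe-network-interfaces` output, the interface IDs and host addresses are placeholders, and it assumes the subnet's VPC route sends 0.0.0.0/0 to an internet gateway rather than a NAT device.

```python
import ipaddress

# Constructed sample: `route -n` rows in the shape shown in the question.
ROUTES = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.5.0        0.0.0.0         255.255.255.0   U     0      0        0 External
0.0.0.0         10.0.5.1        0.0.0.0         UG    0      0        0 External
0.0.0.0         10.0.2.1        0.0.0.0         UG    9      0        0 eth0
"""

# Constructed sample shaped like `aws ec2 describe-network-interfaces` output.
# Interface IDs and host/public addresses are placeholders, not thread values.
ENIS = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-PLACEHOLDER-mgmt", "PrivateIpAddress": "10.0.2.150",
     "Association": {"PublicIp": "203.0.113.10"}},
    {"NetworkInterfaceId": "eni-PLACEHOLDER-ext", "PrivateIpAddress": "10.0.5.150"},
]}

def parse_routes(text):
    """Parse `route -n` rows into dicts, skipping header lines."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[2]}")
        except ValueError:
            continue  # column header row
        rows.append({"net": net, "gw": f[1], "metric": int(f[4]), "iface": f[7]})
    return rows

def check_default_egress(routes, enis):
    """Find the ENI behind the preferred default route and report its public IP."""
    defaults = [r for r in routes if r["net"].prefixlen == 0]
    if not defaults:
        return None
    best = min(defaults, key=lambda r: r["metric"])  # lowest metric wins
    gw = ipaddress.ip_address(best["gw"])
    # Connected subnets on the egress interface that contain the gateway.
    subnets = [r["net"] for r in routes
               if r["iface"] == best["iface"] and r["net"].prefixlen > 0 and gw in r["net"]]
    result = {"iface": best["iface"], "gateway": best["gw"], "eni": None, "public_ip": None}
    for eni in enis["NetworkInterfaces"]:
        if any(ipaddress.ip_address(eni["PrivateIpAddress"]) in n for n in subnets):
            result["eni"] = eni["NetworkInterfaceId"]
            result["public_ip"] = eni.get("Association", {}).get("PublicIp")
    return result

if __name__ == "__main__":
    print(check_default_egress(parse_routes(ROUTES), ENIS))
```

A `public_ip` of `None` on the egress interface matches the symptom in the question: the gateway answers pings, but traffic to the internet times out.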