Forum Discussion

Lukasz_01_15307
Sep 13, 2016

External interface selfIP without elastic IP on AWS - no internet access for management port

We have a multi-NIC F5 deployed in AWS - external, internal and management interfaces. Only the external interface can have an elastic IP associated with it. The internal and management subnets are internal only. We access the management port through VPN (so no elastic IP is required on that port). On the external interface we have a selfIP and a VIP (virtual server) - only the VIP has an associated Elastic IP, so our virtual server is accessible from the internet.

PROBLEM: When I connect to the management server and try to do any operation that requires internet access, it fails (for example ping, check for updates). I spent some time trying to get this solved, and at the moment the only way...

SOLUTION: ... is to associate an elastic IP with the selfIP on the external interface.

This way I need to "waste" one elastic IP address on the external selfIP just so I can do periodic maintenance tasks like checking for updates/hotfixes and, if using Let's Encrypt, refreshing certificates every 2-3 months. I know that elastic IPs are only about $0.005 per hour, but this still feels like overkill.

F5 DOCUMENTATION ERROR - the official F5 documentation for the 12.1.0 multi-NIC deployment in AWS does not mention assigning an elastic IP to the external selfIP. The documentation suggests assigning an elastic IP to the management port, which solves this problem I guess but is insecure (to be fair, they say that this is an insecure solution). This is fair enough for a "quick start", but can you please update the documentation to let people know that if you do not assign an elastic IP to the external selfIP and your management port is internal only, you will not have internet access for your management tasks and you need to assign an EIP to the external selfIP.

QUESTION: for more experienced F5 gurus... Does anyone know if there is a way of "sending" management traffic through one of the VIPs, which needs an EIP anyway to make the resource available to the world (instead of assigning an EIP to the selfIP)? Or is there any other way of not wasting elastic IPs just for maintenance?

Long post, I hope it's not too confusing and will help at least one person...

2 Replies

  • Marek_228998
    Historic F5 Account

    Lukasz,

    F5 Support should be happy to answer your question. Have you configured any routing for the management port? In my configurations, I didn't assign EIPs to selfIPs; only a "private" range of IPs was configured on the F5.

    --Marek

  • Ran into a similar problem with my deployment. The easiest solution was to set the default route to the gateway of the internal interface, whose subnet already had a NAT gateway defined.

    Elastic IPs can still be mapped to the secondary IPs on the external interface; the BIG-IP will see the packets come in and automatically route back out via external.
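As an added check (example code, not from this thread or from F5), the script below classifies each subnet's default route from `aws ec2 describe-route-tables` output: a management subnet with no 0.0.0.0/0 route is the "no internet access" symptom described above, and the reply's fix depends on the internal subnet having a NAT gateway default route rather than an internet gateway one. The sample JSON is constructed and the subnet, route-table and gateway IDs are placeholders.

```python
"""Added audit helper (not from the thread or F5): classify each subnet's default
route from `aws ec2 describe-route-tables` JSON. Sample data below is constructed;
IDs are placeholders."""
import json

def default_route_kind(route_table):
    """Return 'igw', 'nat' or 'none' for the table's active 0.0.0.0/0 route."""
    for r in route_table.get("Routes", []):
        if r.get("DestinationCidrBlock") != "0.0.0.0/0" or r.get("State", "active") != "active":
            continue
        if r.get("NatGatewayId", "").startswith("nat-"):
            return "nat"
        if r.get("GatewayId", "").startswith("igw-"):
            return "igw"
    return "none"

def audit_subnets(route_tables, subnets):
    """subnets: {"external": "subnet-x", "internal": "subnet-y", "management": "subnet-z"}.
    Only the external subnet should default-route to an IGW; private subnets should
    egress via a NAT gateway. 'no-egress' is the symptom the original poster hit."""
    by_subnet = {a["SubnetId"]: default_route_kind(rt)
                 for rt in route_tables for a in rt.get("Associations", []) if "SubnetId" in a}
    verdicts = {}
    for name, sid in subnets.items():
        kind = by_subnet.get(sid, "none")  # subnets on the main table are treated as unknown
        if name == "external":
            verdicts[name] = "ok" if kind == "igw" else "unexpected:" + kind
        else:
            verdicts[name] = {"nat": "ok", "igw": "exposed:igw-default-route"}.get(kind, "no-egress")
    return verdicts

# Constructed sample: external subnet -> IGW, internal -> NAT gateway, management -> no default route.
SAMPLE = json.loads("""{"RouteTables": [
 {"RouteTableId": "rtb-ext", "Associations": [{"SubnetId": "subnet-ext"}], "Routes": [
   {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
   {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER", "State": "active"}]},
 {"RouteTableId": "rtb-int", "Associations": [{"SubnetId": "subnet-int"}], "Routes": [
   {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
   {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-PLACEHOLDER", "State": "active"}]},
 {"RouteTableId": "rtb-mgmt", "Associations": [{"SubnetId": "subnet-mgmt"}], "Routes": [
   {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]}]}""")
SUBNETS = {"external": "subnet-ext", "internal": "subnet-int", "management": "subnet-mgmt"}

def sample_verdicts():
    return audit_subnets(SAMPLE["RouteTables"], SUBNETS)

if __name__ == "__main__":
    print(json.dumps(sample_verdicts(), indent=2))
```

With real data, feed `aws ec2 describe-route-tables --output json` into `audit_subnets` with your own subnet IDs; a "no-egress" verdict on the management subnet is exactly the case where the BIG-IP's default route must point via the internal interface's NAT-backed subnet.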