如何跨两个 Azure Stack Hub 实例部署 F5How to deploy F5 across two Azure Stack Hub instances

本文逐步讲解如何在两个 Azure Stack Hub 环境中设置外部负载均衡器。This article walks you through setting up an external load balancer on two Azure Stack Hub environments. 你可使用此配置管理不同的工作负载。You can use this configuration to manage different workloads. 在本文中,你将跨两个独立的 Azure Stack Hub 实例将 F5 部署为全局负载均衡解决方案。In this article, you'll deploy F5 as a global load-balancing solution across two independent Azure Stack Hub instances. 你还将跨两个实例部署在 NGINX 服务器中运行的负载均衡的 Web 应用。You'll also deploy a load balanced web app running in an NGINX server across your two instances. 它们将在 F5 虚拟设备的高可用性故障转移对之后运行。They'll run behind a high-availability, failover pair of F5 virtual appliances.

你可在 f5-azurestack-gslb GitHub 存储库中找到 Azure 资源管理器模板。You can find the Azure Resource Manager templates in the f5-azurestack-gslb GitHub repository.

F5 负载均衡概述Overview of load balancing with F5

F5 硬件(负载均衡器)可能在 Azure Stack Hub 外部,位于托管 Azure Stack Hub 的数据中心内。The F5 hardware, the load-balancer, may be outside of Azure Stack Hub and within the datacenter that hosts Azure Stack Hub. Azure Stack Hub 没有用于跨两个单独的 Azure Stack Hub 部署对工作负载进行负载均衡的本机功能。Azure Stack Hub doesn't have a native capability to load balance workloads across two separate Azure Stack Hub deployments. F5 的 BIG-IP 虚拟版 (VE) 在两个平台上运行。The F5's BIG-IP virtual edition (VE) run on both platforms. 此设置通过复制支持应用程序服务来支持 Azure 和 Azure Stack Hub 体系结构之间的奇偶校验。This set up supports parity between Azure and Azure Stack Hub architectures through replication of the supporting application services. 你可在一个环境中开发应用,然后将其移至另一个环境。You can develop an app in one environment and move it to another. 你还可对整个生产就绪的 Azure Stack Hub 执行镜像操作,包括相同的 BIG-IP 配置、策略和应用程序服务。You can also mirror the entire production-ready Azure Stack Hub, including the same BIG-IP configurations, policies, and application services. 借助该方法,不再需要进行无数小时的应用程序重构和测试,并能够专注于编写代码。The approach eliminates the need for countless hours of application refactoring and testing, and allows you to get on with writing code.

保护应用程序及其数据通常是开发人员在将应用移至公有云时要考虑的问题。Securing applications and their data is often a concern for developers moving apps to the public cloud. 但不一定要这样做。This doesn't need to be the case. 你可在 Azure Stack Hub 环境中生成应用,而安全架构师则在 F5 的 Web 应用程序防火墙 (WAF) 上配置必要的设置。You can build an app in your Azure Stack Hub environment, while a security architect configures the necessary settings on F5's web application firewall (WAF). 因为知道应用程序将受到相同的行业领先 WAF 的保护,所以可在 Azure Stack Hub 中复制整个堆栈。The entire stack can be replicated in Azure Stack Hub with the knowledge that the application will be protected by the same industry-leading WAF. 使用相同的策略和规则集,就不会存在因使用不同的 WAF 而可能会产生的任何安全薄弱环节或漏洞。With identical policies and rulesets, there won't be any security loopholes or vulnerabilities that might otherwise be generated by employing different WAFs.

Azure Stack Hub 具有独立于 Azure 的市场。Azure Stack Hub has a separate marketplace from Azure. 仅可添加特定项目。Only certain items are added. 在这种情况下,你可在每个 Azure Stack Hub 上创建一个新的资源组并部署已经可用的 F5 虚拟设备。In this case, if you want to create a new resource group on each of the Azure Stack Hubs and deploy the F5 virtual appliance that are already available. 在此处,你将看到需要提供公共 IP 地址用于允许两个 Azure Stack Hub 实例之间的网络连接。From there, you'll see that a Public IP address will be required to allow network connectivity between both Azure Stack Hub instances. 实质上,它们都是孤岛,而公共 IP 可让它们在两个位置之间进行通信。Essentially, they are both islands and the Public IP will allow them to talk across both locations.

BIG-IP VE 先决条件Prerequisites for BIG-IP VE

  • F5 BIG-IP VE - ALL (BYOL, 2 Boot Locations) 下载到每个 Azure Stack Hub 市场中。Download F5 BIG-IP VE - ALL (BYOL, 2 Boot Locations) into each Azure Stack Hub Marketplace. 如果它们在门户中不可用,请联系云操作员。If you don't have them available to you in your portal, contact your cloud operator.

  • 可在以下 GitHub 存储库中找到 Azure 资源管理器模板: https://github.com/Mikej81/f5-azurestack-gslbYou can find the Azure Resource Manager template in the following GitHub repository: https://github.com/Mikej81/f5-azurestack-gslb.

在每个实例上部署 F5 BIG-IP VEDeploy F5 BIG-IP VE on each instance

部署到 Azure Stack Hub 实例 A 和实例 B。Deploy to Azure Stack Hub instance A and instance B.

  1. 登录到 Azure Stack Hub 用户门户。Sign into the Azure Stack Hub user portal.

  2. 选择“+ 创建资源”。 Select + Create a Resource.

  3. 通过键入 F5 来搜索市场。Search the marketplace by typing F5.

  4. 选择“F5 BIG-IP VE – ALL (BYOL, 2 Boot Locations)” 。Select F5 BIG-IP VE – ALL (BYOL, 2 Boot Locations).

    “仪表板 > 新建 > 市场 > 全部内容 > F5 BIG-IP VE – ALL (BYOL, 2 Boot Locations)”对话框中的搜索框内显示了 f5。

  5. 在下一页的底部,选择“创建”。At the bottom of the next page, select Create.

    “F5 BIG-IP VE – ALL (BYOL, 2 Boot Locations)”对话框提供了有关 BIG-IP VE 和可部署的模块的信息,具体取决于你的许可证。

  6. 创建一个名为“F5-GSLB”的新资源组****。Create a New Resource Group called F5-GSLB.

  7. 使用以下值作为示例来完成部署:Use the following values as an example to complete the deployment:

    Microsoft.Template 对话框的“输入”页显示了 15 个包含有关示例部署的值的文本框,如“VIRTUALMACHINENAME”和“ADMINUSERNAME”。

  8. 验证部署是否成功完成。Validate that your deployment completes successfully.

    Microsoft.Template 对话框的“概述”页报告了“部署完成”,并提供有关该部署的详细信息。


    每个 BIG-IP 部署大约需要 20 分钟。Each BIG-IP Deployment should take around 20 minutes.

配置 BIG-IP 设备Configure BIG-IP appliances

执行 Azure Stack Hub A 和 B 需要完成的步骤。Follow these steps needs for both Azure Stack Hub A and B.

  1. 登录到 Azure Stack Hub 实例 A 上的 Azure Stack Hub 用户门户,查看通过 BIG-IP 模板部署创建的资源。Sign into the Azure Stack Hub user portal on Azure Stack Hub instance A to review the resources created from the BIG-IP template deployment.

    F5-GSLB 对话框的“概述”页列出了已部署的资源和相关的信息。

  2. 遵循 F5 上有关 BIG-IP 配置项的说明。Follow the instructions at F5 for BIG-IP Configuration items.

  3. 配置 BIG-IP 宽泛 IP 列表以侦听部署到 Azure Stack Hub 实例 A 和 B 的设备。有关说明,请参阅 BIG-IP GTM 配置Configure BIG-IP Wide IP List to listen across both appliances deployed to Azure Stack Hub instance A and B. For instructions, see BIG-IP GTM Configuration.

  4. 验证 BIG-IP 设备的故障转移。Validate Failover of BIG-IP Appliances. 在测试系统上,将 DNS 服务器配置为使用以下值:On a test system, configure your DNS servers to use the following:

    • Azure Stack Hub 实例 A = f5stack1-ext 公共 IP 地址Azure Stack Hub instance A = f5stack1-ext public IP Address
    • Azure Stack Hub 实例 B = f5stack1-ext 公共 IP 地址Azure Stack Hub instance B = f5stack1-ext public IP Address
  5. 浏览到 www.contoso.com,浏览器会加载 NGINX 默认页。Browse to www.contoso.com and your browser loads the NGINX default page.

创建 DNS 同步组Create a DNS sync group

  1. 启用根帐户以建立信任。Enable the root account to establish trust. 请遵循更改系统维护帐户密码 (11.x-15.x) 中的说明。Follow the instruction at Changing system maintenance account passwords (11.x - 15.x). 设置信任(证书交换)后,请禁用根帐户。After you set the trust (certificate exchange), disable the root account.

  2. 登录到 BIG-IP 并创建 DNS 同步组。Sign in to the BIG-IP and create a DNS Sync Group. 有关说明,请参阅创建 BIG-IP DNS 同步组For instructions, see Creating BIG-IP DNS Sync Group.


    可在 F5-GSLB 资源组中找到 BIP-IP 设备的本地 IP。You can find the local IP of the BIP-IP Appliance in your F5-GSLB Resource Group. 网络接口为“f5stack1-ext”,而你可连接到公共 IP 或专用 IP(取决于访问权限)。The Network Interface is "f5stack1-ext" and you want to connect to the Public or Private IP (depending on access).

    “DNS >> GSLB :数据中心 :数据中心列表”对话框列出了数据中心和状态。

    “DNS >> GSLB :服务器 :服务器列表”对话框列出了服务器和状态。

  3. 选择新资源组“F5-GSLB”并选择“f5stack1”虚拟机,然后在“设置”下选择“网络”****************。Select the new resource group F5-GSLB and select the f5stack1 virtual machine, under Settings select Networking.

安装后配置Post install configurations

安装后,需要配置 Azure Stack Hub NSG 并锁定源 IP 地址。After you have installed, you'll need to configure your Azure Stack Hub NSGs and lock down the source IP addresses.

  1. 建立信任后,禁用端口 22。Disable the port 22 after the trust has been established.

  2. 当系统联机时,阻止源 NSG。When your system is online, block the source NSGs. 管理 NSG 应锁定到管理源,外部 (4353/TCP) NSG 应锁定到其他实例以进行同步。在部署带有虚拟服务器的应用程序前,还应锁定 443。Management NSG should be locked to management source, External (4353/TCP) NSG should be locked to the other instance for sync. 443 should also be locked until applications with Virtual Servers are deployed.

  3. GTM_DNS 规则设置为允许端口 53 (DNS) 流量进入,且 BIG-IP 解析程序将立即开始工作。GTM_DNS Rule is set to allow port 53 (DNS) traffic in, and BIG-IP resolver will start working once. 侦听器已创建。Listeners are created.

    “网络接口”对话框的 fStack1-ext 页显示有关 fstack1-ext 接口的信息,以及有关其 NSG(即 fstack1-ext-nsg)的信息。

  4. 在 Azure Stack Hub 环境中部署基本 Web 应用程序工作负荷,以在 BIG-IP 之后进行负载均衡。Deploy a basic web application workload within your Azure Stack Hub environment to Load Balance behind the BIG-IP. 可从在 Docker 上部署 NGINX 和 NGINX Plus 中找到使用 NGNIX 服务器的示例。You can find an example for using the NGNIX server at Deploying NGINX and NGINX Plus on Docker.


    在 Azure Stack Hub A 和 Azure Stack Hub B 上部署 NGNIX 实例。Deploy an instance of NGNIX on both Azure Stack Hub A and Azure Stack Hub B.

  5. 在每个 Azure Stack Hub 实例中将 NGINX 部署到 Ubuntu VM 上的 Docker 容器中后,请验证是否可以访问服务器上的默认网页。After NGINX is deployed in a docker container on an Ubuntu VM within each of the Azure Stack Hub instances, validate that you can reach the default webpage on the servers.

    “欢迎使用 nginx!”

  6. 登录到 BIG-IP 设备的管理界面。Sign in to the management interface of the BIG-IP appliance. 在此示例中,使用“f5-stack1-ext”公共 IP 地址****。In this example, use the f5-stack1-ext Public IP address.

    BIG-IP 配置实用工具的登录屏幕要求提供用户名和密码。

  7. 通过 BIG-IP 公开访问 NGINX。Publish access to NGINX through the BIG-IP.

    • 在此任务中,将使用虚拟服务器和池配置 BIG-IP,以允许对 WordPress 应用程序的入站 Internet 访问。In this task, you'll configure the BIG-IP with a Virtual Server and Pool to allow inbound Internet access to the WordPress application. 首先,需要为 NGINX 实例标识专用 IP 地址。First you need to identify the private IP address for the NGINX instance.
  8. 登录到 Azure Stack Hub 用户门户。Sign in to the Azure Stack Hub user portal.

  9. 选择 NGINX 网络接口。Select your NGINX Network Interface.

    “仪表板 > 资源组 > NGINX > ubuntu2673”对话框的“概述”页显示了有关 ubuntu2673 网络接口的信息。

  10. 在 BIG-IP 控制台中,转到“本地流量”>“池”>“池列表”,然后选择“+”********。From the BIG-IP console, go to Local traffic > Pools > Pool List and Select +. 使用表中的值配置池。Configure the pool using the values in the table. 将所有其他字段保留为默认值。Leave all other fields to their defaults.


    Key Value
    名称Name NGINX_PoolNGINX_Pool
    运行状况监视器Health Monitor HTTPSHTTPS
    节点名称Node Name NGINXNGINX
    地址Address <your NGINX private IP address>
    服务端口Service Port 443443
  11. 选择“完成”。Select Finished. 如果正确配置,池状态为绿色。When configured correctly, the pool status is green.

    右侧窗格的标题为“本地流量 >> 池 :池列表”,并且新创建的池是列表中的唯一条目。

    现在,你需要配置虚拟服务器。You now need to configure the virtual server. 为此,你首先需要找到 F5 BIG-IP 的专用 IP。To do this, you first need to find the private IP of your F5 BIG-IP.

  12. 在 BIG-IP 控制台中,转到“网络”>“Self IP”并记下 IP 地址****。From the BIG-IP console, go to Network > Self IPs and note the IP address.

    左侧窗格提供了导航功能,以用于显示“自身 IP”。

  13. 通过转到“本地流量” > “虚拟服务器” > “虚拟服务器列表”并选择“+”来创建虚拟服务器 。Create a virtual server by going to Local Traffic > Virtual Servers > Virtual Server List and Select +. 使用表中的值配置池。Configure the pool using the values in the table. 将所有其他字段保留为默认值。Leave all other fields to their defaults.

    Key Value
    目标地址Destination Address <Self IP address of the BIG-IP>
    服务端口Service Port 443443
    SSL 配置文件(客户端)SSL Profile (Client) clientsslclientssl
    源地址转换Source Address Translation 自动映射Auto Map

    左侧窗格用于将右侧窗格导航到“本地流量 >> 虚拟服务器 :虚拟服务器列表 >> NGINX”,其中已输入所需的信息。


  14. 现在,你已完成 NGINX 应用程序的 BIG-IP 配置。You have now completed the BIG-IP configuration for the NGINX application. 若要验证功能是否正常,请浏览站点并验证 F5 统计信息。To verify proper functionality, browse the site and verify F5 statistics.

  15. 打开浏览器以转到 https://<F5-public-VIP-IP>,并确保它显示 NGINX 默认页。Open a browser to https://<F5-public-VIP-IP> and ensure it displays your NGINX default page.

    “欢迎使用 nginx!”

  16. 现在,通过导航到“统计信息”>“模块统计信息”>“本地流量”检查虚拟服务器的统计信息,从而验证流量****。Now check the statistics of your virtual server to verify traffic flow, by navigating to Statistics > Module Statistics > Local Traffic.

  17. 在“统计信息类型”下,选择“虚拟服务器”********。Under Statistics Type, select Virtual Servers.

    左侧窗格已将右侧窗格导航到“统计信息 >> 模块统计信息 :本地流量 >> 虚拟服务器”,并且列表显示了 NGINX 虚拟服务器和其他虚拟服务器。

更多信息For more information

可找到有关使用 F5 的一些参考文章:You can find some reference articles about using F5:

后续步骤Next steps

Azure Stack Hub 网络的差异和注意事项Differences and considerations for Azure Stack Hub networking