Deploy using the NGINXaaS Console

Overview

This guide explains how to deploy F5 NGINXaaS for Google Cloud (NGINXaaS) using Google Cloud Console and the NGINXaaS Console. The deployment process involves creating a new deployment, configuring the deployment, and testing the deployment.

Before you begin

Before you can deploy NGINXaaS, follow the steps in the Prerequisites topic to subscribe to the NGINXaaS for Google Cloud offering in the Google Cloud Marketplace.

Create a network attachment

NGINXaaS requires a network attachment to connect your consumer Virtual Private Cloud (VPC) network and your NGINXaaS deployment’s VPC network.

  1. Access the Google Cloud Console.

  2. Create a consumer VPC network and subnetwork. See Google’s documentation on creating a VPC and subnet for a step-by-step guide.

    • The region you choose in this step must match the region where your NGINXaaS deployment will be created.
  3. Create a network attachment in your new subnet that automatically accepts connections. See Google’s documentation on creating a network attachment for a step-by-step guide.

  4. Make a note of the network attachment ID. You will need it in the next steps to create your NGINXaaS deployment.

    NGINXaaS for Google Cloud currently supports the following regions:

    NGINXaaS Geography    Google Cloud Regions
    US                    us-west1, us-east1, us-central1
    EU                    europe-west2, europe-west1

Access the NGINXaaS Console

Once you have completed the subscription process and created a network attachment, you can access the NGINXaaS Console.

  • Visit https://console.nginxaas.net/ to access the NGINXaaS Console.
  • Log in to the console with your Google credentials.
  • Select the appropriate Geography to work in, based on the region your network attachment was created in.

Create or import an NGINX configuration

In the NGINXaaS Console,

  1. On the left menu, select Configurations.

  2. Select Add Configuration to add a new NGINX configuration.

  3. You can either create a new configuration from scratch or copy an existing configuration:

    • Select New configuration to create a new config.
      • Provide a name for your configuration and an optional description.
      • Change the configuration path if needed.
      • Select to start with the “F5 NGINXaaS Default” (a basic NGINX setup) or an empty configuration file.
      • Select Next.
    • Select Copy existing configuration to use one of the existing configuration files in your account as template.
      • Provide a name for your configuration and an optional description.
      • Change the configuration path if needed.
      • Use the Choose configuration to copy list to select the configuration file you want to copy.
      • Use the Choose configuration version to copy list to select the version of the configuration file you want to copy.
      • Select Next.
  4. Modify the configuration file as needed and select Save.

    • You can import certificates using the Add file option.

If you are not using the “F5 NGINXaaS Default” configuration, or if you modify it, make sure the configuration still includes the content described in NGINX configuration required content.

Create a new deployment

Next, create a new NGINXaaS deployment using the NGINXaaS Console:

  1. On the left menu, select Deployments.

  2. Select Add Deployment to create a new deployment.

    • Enter a Name.
    • Add an optional description for your deployment.
    • Change the NCU Capacity if needed.
      • The default value of 20 NCU should be adequate for most scenarios.
    • In the Cloud Details section, enter the network attachment ID that you created earlier or select it in the Network attachment list.
      • The network attachment ID is formatted like the following example: projects/my-google-project/regions/us-east1/networkAttachments/my-network-attachment.
    • In the Apply Configuration section, select an NGINX configuration you created earlier from the Choose Configuration list.
    • Select a Configuration Version from the list.
    • Select Submit to begin the deployment process.

Your new deployment will appear in the list of deployments. The status of the deployment will be “Pending” while the deployment is being created. Once the deployment is complete, the status will change to “Ready”.
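
A pre-check for the network attachment ID, as an added example that is not part of the NGINXaaS documentation or tooling: it parses the ID format shown above and maps the region to its geography using the supported-regions table on this page. The function names, and the project ID and resource name patterns, are assumptions.

```bash
# Added example: validate a network attachment ID before entering it in the console.
# The region-to-geography mapping is copied from the table on this page.

# Print the NGINXaaS geography for a Google Cloud region; fail if unsupported.
geography_for_region() {
   case "$1" in
      us-west1|us-east1|us-central1) echo "US" ;;
      europe-west2|europe-west1)     echo "EU" ;;
      *) return 1 ;;
   esac
}

# On success print "<project> <region> <name> <geography>".
# Return 2 for a malformed ID, 3 for a region NGINXaaS does not support.
check_network_attachment() {
   na_id=$1
   # Reject embedded newlines, which would let grep match on a single line
   case "$na_id" in *'
'*) return 2 ;; esac
   # Assumed patterns: standard project ID (6-30 chars) and RFC 1035 resource name
   na_re='^projects/[a-z][a-z0-9-]{4,28}[a-z0-9]/regions/[a-z]+-[a-z]+[0-9]+/networkAttachments/[a-z]([a-z0-9-]{0,61}[a-z0-9])?$'
   printf '%s\n' "$na_id" | LC_ALL=C grep -Eq "$na_re" || return 2
   na_project=${na_id#projects/};  na_project=${na_project%%/*}
   na_region=${na_id#*/regions/};  na_region=${na_region%%/*}
   na_name=${na_id##*/}
   na_geo=$(geography_for_region "$na_region") || return 3
   echo "$na_project $na_region $na_name $na_geo"
}

# Constructed sample IDs (the first is the format example from this page)
for id in \
   "projects/my-google-project/regions/us-east1/networkAttachments/my-network-attachment" \
   "projects/my-google-project/regions/asia-east1/networkAttachments/my-network-attachment" \
   "my-network-attachment"; do
   if result=$(check_network_attachment "$id"); then
      echo "OK      $result"
   else
      echo "REJECT  rc=$? $id"
   fi
done
```

The geography printed for an accepted ID is the one to select in the NGINXaaS Console.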

Configure your deployment

In the NGINXaaS Console,

  1. To open the details of your deployment, select its name from the list of deployments.
    • You can view the details of your deployment, including the status, region, network attachment, NGINX configuration, and more.
  2. Select Edit to modify the deployment description and NCU Capacity.
    • You can also configure monitoring from here. Detailed instructions can be found in Enable Monitoring.
  3. Select Update to save your changes.
  4. Select the Configuration tab to view the current NGINX configuration associated with the deployment.
  5. Select Update Configuration to change the NGINX configuration associated with the deployment.
  6. To modify the contents of the NGINX configuration, see Update an NGINX Configuration.

Set up connectivity to your deployment

To set up connectivity to your NGINXaaS deployment, you will need to configure a Private Service Connect backend.

  1. Access the Google Cloud Console and choose a project where you would like to create resources for connecting to your F5 NGINXaaS deployment.
  2. Create or reuse a VPC network.
  3. Create a proxy-only subnet in your consumer VPC. See Google’s documentation on creating a proxy-only subnet for a step-by-step guide.
  4. Create a public IP address. See Google’s documentation on reserving a static address for a step-by-step guide.
  5. Create a Network Endpoint Group (NEG). See Google’s documentation on creating a NEG for a step-by-step guide.
    • For Target service, enter your NGINXaaS deployment’s Service Attachment, which is visible on the Deployment Details section for your deployment.
    • For Producer port, enter the port your NGINX server is listening on. If you’re using the default NGINX config, enter port 80.
    • For Network and Subnetwork select your consumer VPC network and subnet.
  6. Create a regional external proxy Network Load Balancer. See Google’s documentation on configuring the load balancer for a step-by-step guide.
    • For Network, select your consumer VPC network.
    • For Backend configuration, follow Google’s step-by-step guide to add a backend.
    • In the Frontend configuration section,
      • For IP address, select the public IP address created earlier.
      • For Port number, enter the same port as your NEG’s Producer port, for example, port 80.

If you have multiple ports configured on NGINX, you will have to create a new network endpoint group for every port. You can also automate these steps by using the following helper script:

#!/bin/bash

# Default values
PROJECT=""
REGION=""
NETWORK=""
SA_URI=""
PORTS="80"

# Prerequisites:
# - gcloud CLI installed and configured
# - An existing projectID and a VPC network created in that project
# - A valid Service Attachment URI from F5 NGINXaaS

# Function to display usage
# The closing EOF must start at column 0, otherwise the here-document never terminates
usage() {
   cat << EOF
   Usage: $0 --project PROJECT --region REGION --network NETWORK --service-attachment SA_URI [--ports PORTS]

   Options:
      --project                 GCP Project ID
      --region                  GCP Region
      --network                 VPC Network name
      --service-attachment      Service Attachment Self Link
      --ports                   Comma-separated list of ports (default: 80)
      --help                    Show this help message

   Note: Proxy subnet and public IP will be automatically created as 'psc-proxy-subnet' and 'psc-vip' respectively.

   Example:
      $0 --project my-project --region us-central1 --network my-vpc \\
         --service-attachment "projects/producer-proj/regions/us-central1/serviceAttachments/my-service" \\
         --ports "80,443,8080"
EOF
}

# Parse command line arguments
while [[ $# -gt 0 ]]; do
   case $1 in
      --project)
         PROJECT="$2"
         shift 2
         ;;
      --region)
         REGION="$2"
         shift 2
         ;;
      --network)
         NETWORK="$2"
         shift 2
         ;;
      --service-attachment)
         SA_URI="$2"
         shift 2
         ;;
      --ports)
         PORTS="$2"
         shift 2
         ;;
      --help|-h)
         usage
         exit 0
         ;;
      *)
         echo "Unknown option: $1"
         usage
         exit 1
         ;;
   esac
done

# Set auto-generated proxy subnet name and VIP name
PROXY_SUBNET="psc-proxy-subnet"
VIPNAME="psc-vip"

# Validate required parameters
missing_params=()
[[ -z "$PROJECT" ]] && missing_params+=("--project")
[[ -z "$REGION" ]] && missing_params+=("--region")
[[ -z "$NETWORK" ]] && missing_params+=("--network")
[[ -z "$SA_URI" ]] && missing_params+=("--service-attachment")

if [[ ${#missing_params[@]} -gt 0 ]]; then
   echo "Error: Missing required parameters: ${missing_params[*]}"
   usage
   exit 1
fi

# Create proxy-only subnet (skip if exists)
# The range below is hard-coded; change it if it overlaps an existing subnet in this VPC.
echo "Creating proxy-only subnet..."
if ! gcloud compute networks subnets describe "$PROXY_SUBNET" --region="$REGION" --project="$PROJECT" >/dev/null 2>&1; then
   gcloud compute networks subnets create "$PROXY_SUBNET" \
      --project="$PROJECT" --region="$REGION" \
      --network="$NETWORK" \
      --range=192.168.1.0/24 \
      --purpose=REGIONAL_MANAGED_PROXY \
      --role=ACTIVE
   echo "Created proxy-only subnet: $PROXY_SUBNET"
else
   echo "Proxy-only subnet $PROXY_SUBNET already exists"
fi

# Create regional VIP address (skip if exists)
echo "Creating regional VIP address..."
if ! gcloud compute addresses describe "$VIPNAME" --region="$REGION" --project="$PROJECT" >/dev/null 2>&1; then
   gcloud compute addresses create "$VIPNAME" --region="$REGION" --project="$PROJECT" --network-tier=PREMIUM
fi
VIP=$(gcloud compute addresses describe "$VIPNAME" --region="$REGION" --project="$PROJECT" --format='get(address)')
echo "Using VIP address: $VIP"

# Convert comma-separated ports to array
IFS=',' read -ra PORTS_ARRAY <<< "$PORTS"

# Each port gets its own NEG, backend service, target proxy and forwarding rule
for P in "${PORTS_ARRAY[@]}"; do
   echo "Processing port $P..."

   # Create Network Endpoint Group (skip if exists)
   if ! gcloud compute network-endpoint-groups describe "psc-neg-$P" --region="$REGION" --project="$PROJECT" >/dev/null 2>&1; then
      gcloud compute network-endpoint-groups create "psc-neg-$P" \
         --project="$PROJECT" --region="$REGION" \
         --network-endpoint-type=private-service-connect \
         --psc-target-service="$SA_URI" \
         --network="$NETWORK" \
         --producer-port="$P"
   fi

   # Create Backend Service (skip if exists)
   if ! gcloud compute backend-services describe "be-$P" --region="$REGION" --project="$PROJECT" >/dev/null 2>&1; then
      gcloud compute backend-services create "be-$P" \
         --project="$PROJECT" --region="$REGION" \
         --protocol=TCP --load-balancing-scheme=EXTERNAL_MANAGED

      # Add backend to service (runs only when the backend service was just created)
      gcloud compute backend-services add-backend "be-$P" \
         --project="$PROJECT" --region="$REGION" \
         --network-endpoint-group="psc-neg-$P" \
         --network-endpoint-group-region="$REGION"
   fi

   # Create Target TCP Proxy (skip if exists)
   if ! gcloud compute target-tcp-proxies describe "tp-$P" --region="$REGION" --project="$PROJECT" >/dev/null 2>&1; then
      gcloud compute target-tcp-proxies create "tp-$P" \
         --project="$PROJECT" --region="$REGION" --backend-service="be-$P"
   fi

   # Create Forwarding Rule (skip if exists); this exposes port $P on the public VIP
   if ! gcloud compute forwarding-rules describe "fr-$P" --region="$REGION" --project="$PROJECT" >/dev/null 2>&1; then
      gcloud compute forwarding-rules create "fr-$P" \
         --project="$PROJECT" --region="$REGION" \
         --address="$VIP" --network="$NETWORK" \
         --target-tcp-proxy="tp-$P" --target-tcp-proxy-region="$REGION" \
         --ports="$P" --load-balancing-scheme=EXTERNAL_MANAGED \
         --network-tier=PREMIUM --ip-protocol=TCP
   fi

   echo "Completed setup for port $P"
done

echo "Setup complete! Public Virtual IP: $VIP"
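
An input check that could run before the helper script's per-port loop, as an added example rather than part of the F5 script: it validates the --ports value and lists the resources the script's naming scheme would create for each port. The names normalize_ports and plan_resources are hypothetical.

```bash
# Added example (not part of the helper script): check --ports before any gcloud call.

# Print one validated port per line, duplicates removed; return 1 on a bad entry.
normalize_ports() {
   np_seen=","; np_out=""
   np_old_ifs=$IFS; IFS=','; set -f
   set -- $1                      # split the list on commas, no globbing
   set +f; IFS=$np_old_ifs
   [ "$#" -gt 0 ] || { echo "no ports given" >&2; return 1; }
   for np_p in "$@"; do
      case "$np_p" in
         ''|*[!0-9]*) echo "not a port number: '$np_p'" >&2; return 1 ;;
         0*)          echo "port 0 or leading zero: '$np_p'" >&2; return 1 ;;
      esac
      # Length check first so the numeric comparison cannot overflow
      if [ "${#np_p}" -gt 5 ] || [ "$np_p" -gt 65535 ]; then
         echo "out of range: '$np_p'" >&2; return 1
      fi
      case "$np_seen" in *",$np_p,"*) continue ;; esac   # already listed
      np_seen="$np_seen$np_p,"
      np_out="$np_out$np_p
"
   done
   printf '%s' "$np_out"
}

# List what the helper script would create per port, using its naming scheme.
# Each fr-<port> is an external forwarding rule reachable on the public VIP.
plan_resources() {
   pr_ports=$(normalize_ports "$1") || return 1
   for pr_p in $pr_ports; do
      echo "port $pr_p: psc-neg-$pr_p be-$pr_p tp-$pr_p fr-$pr_p (public)"
   done
}

# Constructed sample inputs
plan_resources "80,443,80,8080"
plan_resources "80,44x" || echo "rejected"
```

Reviewing the plan output before running the script shows exactly which NGINX listener ports will become reachable from the internet.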

Test your deployment

  1. To test your deployment, open the IP address created in Set up connectivity to your deployment in your favorite web browser.

What’s next

Manage your NGINXaaS users