f5 bigip in GCP - accessing management via ssh in a 3nic deployment

gcloud compute ssh only targets nic0, so it cannot be used to reach the BIG-IP management interface, which sits on nic1 in a 3nic deployment. The same applies to the SSH button in the VM instances list within the GCP Cloud Console.

Here is how I do it using gcloud and openssh from my Mac.

Make sure you have set up the Google Cloud SDK, which provides the gcloud CLI.

Check if you have a default project set

> gcloud config get-value project
black-transport-233607

If you don't, either set it via gcloud config set project <gcpProject> or specify --project <gcpProject> with every gcloud command.

List all compute instances whose names contain 'bigip':

> gcloud compute instances list --filter 'name:(bigip)'
NAME         ZONE            MACHINE_TYPE   INTERNAL_IP                         EXTERNAL_IP                   STATUS
bigip1-f5-a  asia-east2-a    n1-standard-4  10.100.9.14                         198.18.142.15                 RUNNING
bigip1-f5-b  europe-west6-a  n1-standard-2  10.0.0.3                            198.18.16.191                 RUNNING
bigip1-f5-c  us-east1-b      n1-standard-2  10.100.41.7                         198.18.91.171                 RUNNING
bigip1-f5-d  us-east2-a      n1-standard-2  10.101.40.2                         198.18.87.101                 RUNNING
bigip1-f5-e  europe-west4-b  n1-standard-4  172.16.7.2,172.16.29.2,10.99.81.13  198.18.187.243,198.18.91.14   RUNNING
#                                           |  nic0  | |   nic1  | |   nic2  |  |    nic0    | |   nic1   |
#                                                      |_________|                             |__________|
#                                                           ^                                        ^
#                                                internal management IP                   external management IP

Add ssh public key to VM instance

This step is only required when you haven't added your public key to the project. For more details visit: https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys

> echo "$USER:$(cat ~/.ssh/id_ed25519.pub | cut -d' ' -f1,2) $USER" > ./myGCPpubKey

> gcloud compute instances add-metadata bigip1-f5-e --metadata-from-file ssh-keys=./myGCPpubKey
No zone specified. Using zone [europe-west4-b] for instance: [bigip1-f5-e].
Updated [https://www.googleapis.com/compute/v1/projects/black-transport-233607/zones/europe-west4-b/instances/bigip1-f5-e].
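gcloud compute instances add-metadata replaces the whole ssh-keys value on the instance, so uploading the one-key file above drops any instance-level keys that were already set. The following is an added example, not part of the original gist, that merges the new key into the existing list before writing it back; the function names are hypothetical and the lookup assumes jq is installed, as in the natIP step of this page.

```shell
#!/bin/sh
# Added example (not from the original gist); function names are hypothetical.

# format_entry USER PUBKEY_LINE
# Prints "USER:<type> <key> USER", dropping the local key comment,
# the same shape the echo/cut one-liner above produces.
format_entry() {
    printf '%s\n' "$2" | awk -v u="$1" 'NF >= 2 { print u ":" $1 " " $2 " " u }'
}

# merge_ssh_keys EXISTING_VALUE NEW_ENTRY
# Prints the existing entries followed by the new one, skipping blank lines
# and any entry whose "user:type key" pair has already been seen.
merge_ssh_keys() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NF < 2 { next }
        !seen[$1 " " $2]++ { print }
    '
}

# add_key_to_instance INSTANCE ZONE PUBKEY_FILE
# Reads the current instance-level ssh-keys value, merges the new key in and
# writes the merged list back. Requires gcloud and jq.
add_key_to_instance() {
    instance=$1 zone=$2 pubfile=$3
    # Stop if describe fails: an empty result here would otherwise look like
    # "no existing keys" and the write below would wipe them.
    desc=$(gcloud --format json compute instances describe "$instance" --zone "$zone") || return 1
    existing=$(printf '%s' "$desc" |
        jq -r '.metadata.items[]? | select(.key == "ssh-keys") | .value') || return 1
    entry=$(format_entry "$USER" "$(cat "$pubfile")")
    [ -n "$entry" ] || { echo "no usable key in $pubfile" >&2; return 1; }
    tmp=$(mktemp) || return 1
    merge_ssh_keys "$existing" "$entry" > "$tmp"
    gcloud compute instances add-metadata "$instance" --zone "$zone" \
        --metadata-from-file ssh-keys="$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

After sourcing the file, call it as add_key_to_instance bigip1-f5-e europe-west4-b ~/.ssh/id_ed25519.pub.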

Reboot BIG-IP (only required after first deployment)

gcloud compute instances stop bigip1-f5-e --zone europe-west4-b 
gcloud compute instances start bigip1-f5-e --zone europe-west4-b 

Read the Management natIP/public IP address from VM instance accessConfig

using jq

> gcloud --format json compute instances describe bigip1-f5-e | jq '.networkInterfaces[].accessConfigs[]? | select(.name == "Management NAT") | .natIP'
No zone specified. Using zone [europe-west4-b] for instance: [bigip1-f5-e].
"198.18.91.14"

or awk

> gcloud --format json compute instances describe bigip1-f5-e | awk '/Management NAT/ {m=1} /.natIP/ {if (m==1) print $2}'
No zone specified. Using zone [europe-west4-b] for instance: [bigip1-f5-e].
"198.18.91.14"

ssh into BIG-IP

> ssh -i ~/.ssh/id_ed25519 -l admin 198.18.91.14
The authenticity of host '198.18.91.14 (198.18.91.14)' can't be established.
ECDSA key fingerprint is SHA256:m+Te9Pah0PnMTeyXUtx2nW142H84+uiGJD/VE+zuhMY.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '198.18.91.14' (ECDSA) to the list of known hosts.
admin@(bigip1-f5-e)(cfg-sync Standalone)(ModuleNotLicensed::Active)(/Common)(tmos)#