Check out the new F5 Distributed Cloud Technical Knowledge Hub

Objective

This guide provides instructions on how to create a customer edge (CE) site using the Microsoft Azure Console and deploy to an Azure VNet. For more information on sites, see F5® Distributed Cloud Site.

This guide will show you how to create a single node mesh site with dual interfaces (ingress/egress gateway). However, this guide will also incorporate the differences that you can successfully deploy an Azure CE Site using both Mesh or App Stack and in any supported combination of nodes and interfaces.

Site Types and Scenarios

The scenarios below in the table have been tested successfully. The Network Address Translation Gateway (NAT GW) device in Table 1 references the Azure NAT Gateway. However, technically this should also work with third-party firewalls.

Note: In the Number of Nodes column, 1/3 indicates 1 or 3 nodes. IGW references Internet Gateway.

Provider	Site Type	Number of Nodes	Gateway Type	Interfaces	Scenario
Azure	Mesh	1/3	Ingress/Egress	2	Behind IGW
Azure	Mesh	1/3	Ingress	1	Behind IGW
Azure	App Stack	1/3	-	1	Behind IGW
Azure	Mesh	1/3	Ingress/Egress	2	Behind NAT GW
Azure	Mesh	1/3	Ingress	1	Behind NAT GW
Azure	App Stack	1/3	-	1	Behind NAT GW

Site Differences

This chapter explains the difference between the deployment of a single-node site with a single interface and three-node sites with multi-NIC interfaces.

One Node Single Interface Site Differences (Mesh/App Stack)

Both the F5 Distributed Cloud App Stack and single-NIC Mesh sites have a single interface and are therefore similar when it comes to deployment.

Important: It is the same procedure for one node single-NIC Mesh and App Stack sites.

For single-NIC Mesh sites, the following are key differences:

Name of the virtual machine in Azure Marketplace..
Certified hardware image name.
Only SLO is needed/required instead of both the SLO and SLI. No need to add a second network interface.
For an App Stack Site, you need to add the Site using Multi-Cloud Network Connect > Manage > Site Management > App Stack Sites page and not through the Secure Mesh Sites page.
For an App Stack Site, F5 recommends 100 GB for storage.

Three Node Cluster Site Differences

Important: It is the same procedure for three-node multi-NIC Mesh and three-node App Stack sites.

The following are key differences:

Follow the same procedure when provisioning a single node CE site. No additional steps are required.
Ensure each instance has a unique name to make operation easier.
Three pending registration requests appear in Console. As for the case with single node configurations, you must create the Secure Mesh Site object and add the internal interface to each F5 CE virtual machine before accepting those registration requests.
A Secure Mesh Site has the same configuration as a single-node site, with the only difference being three nodes (master-0, master-1, and master-2). Note that the node name can be whatever you decide. For an App Stack Site, you must add the site using Multi-Cloud Network Connect > Manage > Site Management > App Stack Sites page and not through the Secure Mesh Sites page.
You must approve the three pending registration requests one by one. Each cluster name (site name) must be the same. It is important to update the cluster size to 3. This must be repeated for each of the three registration requests.

Sites Behind Azure NAT Gateway

For scenarios where there is a requirement to have the CE site deployed without a public IP address, you can place the CE behind a NAT Gateway.

If you are deploying a site in this scenario, there are a few differences to note:

There is no public IP association with the CE(s).
You must ensure the CE can get to the Internet through its SLO interface.
From the Azure side, ensure that the routing table from the SLO subnet has a default route 0.0.0.0/0 that points to the NAT Gateway.
The NAT Gateway is a zonal object. In other words, it belongs to one availability zone. Therefore, in the case of a three-node CE cluster, you might want to deploy additional NAT Gateways for high availability.

Prerequisites

The following prerequisites apply:

A Distributed Cloud Services Account. If you do not have an account, see Create an Account.
An account with Microsoft Azure. See Required Access Policies for permissions needed to deploy site. To create a cloud credentials object, see Cloud Credentials.
Resources required per node: Minimum 4 vCPUs and 14 GB RAM.
F5 assumes that the resource group exists with a virtual network, including a minimum of two subnets: one for the Site Local Outside (SLO) and one for the Site Local Inside (SLI). The CE generally references the SLO interface as eth0 and the SLI interface as eth1.
For a single NIC deployment (ingress gateway/Mesh or App Stack), only a single subnet (SLO) is required.
Internet Control Message Protocol (ICMP) needs to be opened between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed to ensure intra-cluster communication checks.

Procedure

The following procedure provides instructions for deploying a single-node Mesh site with dual interfaces (ingress/egress) to an Azure VNet using the Azure Console.

Create External Network Security Group

You must create an External Network Security Group that will be attached to the external interface of the CE site.

Step 1: Navigate to security group creation page.

In Azure Console, navigate to the Network security groups service.

Figure: Search for Network Security Group

Step 2: Create and configure security group policy.

Click Create.
Assign the new security group to your resource group. This procedure uses f5-ce-resource-group as an example.
Give the network security group an indicative name. In this procedure, it is f5-ce-external-network-security-group.
Click Review + create.
After you create the network security group, click on it to set up the inbound and outbound rules.

Step 2.1: Create inbound rules.

Ensure you add rules for the following:

Allowed SSH from the instance. Azure will figure out the public IP address that a user is configuring from and allows it. You can also use the custom option and enter your corporate public address space.
Allowed ICMP for troubleshooting.
Allowed TCP Port 65500 for the local UI on the CE.
For three node clusters, ensure that traffic is allowed between the nodes.

Important: Be aware that allowing access to any source to the CE control plane is not recommended. It should be filtered using the public IP of your organization.

When creating load balancers to publish applications, you will need to add additional rules in your network security group to accept the traffic that comes to your virtual IP address (VIP).

Step 2.2: Create outbound rules.

Create an allow-all policy for egress traffic. This is the default configuration.

Step 3: Confirm rules created.

In the overview section for your network security group, you can see all the rules that have been created. Confirm the rules are as desired.

Create SSH Key Pairs

You need to create key pairs for SSH login into the virtual machine for troubleshooting purposes.

Step 1: Navigate to SSH key creation page.

In Azure Console, navigate to the SSH keys service.
Click Create.

Step 2: Configure SSH key pairs.

Verify the Subscription and Resource group are correctly selected.
In the Key pair name field, enter a name.
Click Review + create.

After successful validation, click Create.
Click Download private key and create resource to download the key pair locally to your machine since the pair will not be saved in Azure. You will need the key pair to log into the CE node. The private key pair file is named f5-ce-keypair.pem as an example.

Create Public IP

In Azure Console, create a public IP and give it a name.

Navigate to the Public IP addresses creation page and click Create.

Under Configuration details, in the Name field, enter a name for the Public IP.
Leave the remaining options with their default values.

Click Review + create.
After validation passes, click Create.

Existing Resource Group Details

In this procedure, we are deploying a dual interface single Node CE. Therefore, we need two subnets: SLI (Site Local Inside) and SLO (Site Local Outside). Note that workload subnets are generally used but are not a requirement to deploy a CE site.

Create Site Token

Create a site token or use an existing token. If you are configuring a multi-node site, use the same token for all nodes. To create the token, see the Create Secure Mesh Site guide.

Modify the User Data File

Download the raw .yml file to your machine and input the value of the site token into the Token field. See GitHub User Data File for more information. Afterwards, save the file on your machine as you will need it for the user data when creating the F5 CE virtual machine.

          #cloud-config
#only value to be modified is token
write_files:
- path: /etc/hosts
  content: |
    # IPv4 and IPv6 localhost aliases 
    127.0.0.1 localhost
    127.0.0.1 vip
  permissions: 0644
  owner: root
- path: /etc/vpm/config.yaml
  permissions: 0644
  owner: root
  content: |
    Vpm:
      ClusterType: ce
      Token: # token value here
      MauricePrivateEndpoint: https://register-tls.ves.volterra.io
      MauriceEndpoint: https://register.ves.volterra.io
      CertifiedHardwareEndpoint: https://vesio.blob.core.windows.net/releases/certified-hardware/aws.yml
    Kubernetes:
      EtcdUseTLS: True
      Server: vip

Create the CE Virtual Machine

Create the F5 CE instance using the previously created parameters. It is recommended that you create a table and fill it with the information prior to deploying the CE instance.

See table below for example parameters and explanations used for this procedure.

Parameter	Value	Notes
Name	`f5-ce`	Name of CE site.
Region	`France-central`	Name of Azure region in which site is deployed.
Image Name	Volterra VoltMesh and VoltStack Node Free Plan	Located in Azure Marketplace.
Certified Hardware Name	`azure-byol-multi-nic-voltmesh`	This is the certified hardware name.
Instance Type	Standard_D3_v2	Minimum instance requirements: 4 vCPUs, 14 GB RAM, 80 GB storage for Mesh nodes, and 100 GB storage for App Stack.
Resource Group	`f5-ce-resource-group`	Created in Azure Console.
SLO Subnet ID	`f5-ce-external-subnet`	Existing subnet.
SLI Subnet ID	`f5-ce-internal-subnet`	Existing subnet.
Key Pair	`f5-ce-keypair`	Key pair created in Azure Console.
Security Groups	`f5-ce-external-security-group`	Name of security group created in Azure Console.
Public IP Address	`f5-ce-ip`	IP address created in Azure Console.
Site Name	`f5-ce-demo`	Equals `ves-io-site-name` value.
Token	Confidential. Value varies.	Value for site token ID generated in F5 Console.
Storage	80 GiB/100 GiB (App Stack) recommended.	Minimum disk space that is required.

Step 1: Create new virtual machine.

In Azure Console, within your resource group, click Create.

Use the search bar to locate the right CE image. You can search for "Volterra Free Plan." This procedure uses the image for Volterra VoltMesh and VoltStack Node Free Plan. This plan image corresponds to the azure-byol-multi-nic-voltmesh certified hardware.
After you find the image, click Create.

Step 2: Configure new virtual machine.

Enter a VM name.
Ensure the correct region and availability zone are selected.

From the Size menu, choose the instance type. This procedure uses Standard_D3_v2 as an example. This instance type is the minimum required to deploy an F5 CE Site to Azure cloud.

From the SSH public key source menu, assign the previously created SSH key pair.
In the Username field, Enter cloud-user as the default user to SSH log into the CE instance.

Click Next:Disk.
From the OS disk size menu, select 128 GiB (E10).

Step 3: Configure virtual machine networking.

Click Next:Networking.
Ensure the following parameters for network interface configuration:
- From the Virtual network menu, select the network.
- From the Subnet menu, select the external interface.

Important: You cannot create/assign the internal interface to the virtual machine in this step. It will be added at a later step.

From the Public IP menu, select the IP previously created.
For the NIC network security group option, select Advanced. This option is needed so that you are able to select the network security group.
From the Configure network security group menu, select the security group previously created.
Select the Delete NIC when VM is deleted option.

Step 4: Configure advanced settings.

Click the Advanced tab to skip the Management and Monitoring configuration.
In the Custom data field, copy and paste the user data file information (which includes the site token).

Step 5: Complete VM creation.

Click on Review + create. After validation process completes successfully, click Create.

Step 6: Track VM deployment progress.

You can track deployment progress by connecting to your instance's public IP on port 65500. It may take a few minutes for the web interface to appear.

The default username is admin and the default password is Volterra123. You will be required to change the default password on your first login attempt.

The CE will show in Approval state. This means that the CE is awaiting registration approval from F5 Console. Before approving registration, you need to add a second interface to the CE site.

Add Second Interface to CE Site

In Azure portal, select your VM and click Stop.
After the VM stops, click Network settings. Then click Attach network interface.

Click Create and attach network interface.

Select the resource group previously created for this VM.
In the Name field, enter a new name for this second interface.
In the Subnet field, enter a new name for this interface. Make sure to reference that this is an internal interface since the external interface was previously created.

Click Create.
After the second interface is attached to your VM, restart the VM.
Connect to the CE's local UI to verify that the second interface was properly configured.

Register Site

In Distributed Cloud Console, perform additional site registration configuration and create secure mesh site.

Step 1: Visually confirm requests appear.

In Distributed Cloud Console, navigate to the site registrations page.
Under the Pending Registrations tab, confirm the registration request appears but do not accept it.
If you cannot see the Cluster Name, check under the Other Registrations tab.

Step 2: Create secure mesh site.

Navigate to Manage > Site Management > Secure Mesh Sites.
Click Add Secure Mesh Site.
In the form, add a name for the site. Ensure that the Name is the same as the tag value for ves-io-site-name.

For the Generic Server Certified Hardware value, copy the value from the parameters' table above.
For the master node configuration, enter a name. The node name can be any name you desire.
Enter values for Longitude and Latitude that reflect the CE’s location and ensures the CE registers to the nearest regional edge (RE).
After you finish with configuration, click Save and Exit.

Step 3: Change fields to match site name.

On the site Registrations page, for your site, change the Cluster Name to match the Site Name and ves-io-site-name. All three values must match.

Click Save and Exit. After a few minutes, the site status changes to ADMITTED.
Connect to the CE's local UI to verify that the registration request was properly configured.
After the CE site is fully provisioned, you can access it using SSH with cloud-user and your private key.

Troubleshooting

For troubleshooting and opening a support case, see the Troubleshooting Manual Site Deployment Registration Issues guide. It provides step-by-step instructions to debug and resolve the issues that may arise due to Distributed Cloud published Terraform errors, networking and security misconfiguration, or CE internal process issues. The guide also provides instructions for contacting the F5 Distributed Cloud Support Team if you are unable to resolve the issue.

Deploy Site with Azure Console ClickOps

On This Page: