Deploy Site with Azure Console ClickOps
On This Page:
- Objective
- Site Types and Scenarios
- Site Differences
- One Node Single Interface Site Differences (Mesh/App Stack)
- Three Node Cluster Site Differences
- Sites Behind Azure NAT Gateway
- Prerequisites
- Procedure
- Create External Network Security Group
- Create SSH Key Pairs
- Create Public IP
- Create Site Token
- Modify the User Data File
- Create the CE Virtual Machine
- Add Second Interface to CE Site
- Register Site
- Troubleshooting
- Concepts
- References
Objective
This guide provides instructions on how to create a customer edge (CE) site using the Microsoft Azure Console and deploy to an Azure VNet. For more information on sites, see F5® Distributed Cloud Site.
This guide will show you how to create a single node mesh site with dual interfaces (ingress/egress gateway). However, this guide will also incorporate the differences that you can successfully deploy an Azure CE Site using both Mesh or App Stack and in any supported combination of nodes and interfaces.
Site Types and Scenarios
The scenarios below in the table have been tested successfully. The Network Address Translation Gateway (NAT GW) device in Table 1 references the Azure NAT Gateway. However, technically this should also work with third-party firewalls.
Note: In the
Number of Nodes
column,1/3
indicates 1 or 3 nodes.IGW
references Internet Gateway.
Provider | Site Type | Number of Nodes | Gateway Type | Interfaces | Scenario |
---|---|---|---|---|---|
Azure | Mesh | 1/3 | Ingress/Egress | 2 | Behind IGW |
Azure | Mesh | 1/3 | Ingress | 1 | Behind IGW |
Azure | App Stack | 1/3 | - | 1 | Behind IGW |
Azure | Mesh | 1/3 | Ingress/Egress | 2 | Behind NAT GW |
Azure | Mesh | 1/3 | Ingress | 1 | Behind NAT GW |
Azure | App Stack | 1/3 | - | 1 | Behind NAT GW |
Site Differences
This chapter explains the difference between the deployment of a single-node site with a single interface and three-node sites with multi-NIC interfaces.
One Node Single Interface Site Differences (Mesh/App Stack)
Both the F5 Distributed Cloud App Stack and single-NIC Mesh sites have a single interface and are therefore similar when it comes to deployment.
Important: It is the same procedure for one node single-NIC Mesh and App Stack sites.
For single-NIC Mesh sites, the following are key differences:
-
Name of the virtual machine in Azure Marketplace..
-
Only SLO is needed/required instead of both the SLO and SLI. No need to add a second network interface.
-
For an App Stack Site, you need to add the Site using
Multi-Cloud Network Connect
>Manage
>Site Management
>App Stack Sites
page and not through theSecure Mesh Sites
page. -
For an App Stack Site, F5 recommends 100 GB for storage.
Three Node Cluster Site Differences
Important: It is the same procedure for three-node multi-NIC Mesh and three-node App Stack sites.
The following are key differences:
-
Follow the same procedure when provisioning a single node CE site. No additional steps are required.
-
Ensure each instance has a unique name to make operation easier.
-
Three pending registration requests appear in Console. As for the case with single node configurations, you must create the Secure Mesh Site object and add the internal interface to each F5 CE virtual machine before accepting those registration requests.
-
A Secure Mesh Site has the same configuration as a single-node site, with the only difference being three nodes (
master-0
,master-1
, andmaster-2
). Note that the node name can be whatever you decide. For an App Stack Site, you must add the site usingMulti-Cloud Network Connect
>Manage
>Site Management
>App Stack Sites
page and not through theSecure Mesh Sites
page. -
You must approve the three pending registration requests one by one. Each cluster name (site name) must be the same. It is important to update the cluster size to
3
. This must be repeated for each of the three registration requests.
Sites Behind Azure NAT Gateway
For scenarios where there is a requirement to have the CE site deployed without a public IP address, you can place the CE behind a NAT Gateway.
If you are deploying a site in this scenario, there are a few differences to note:
-
There is no public IP association with the CE(s).
-
You must ensure the CE can get to the Internet through its SLO interface.
-
From the Azure side, ensure that the routing table from the SLO subnet has a default route 0.0.0.0/0 that points to the NAT Gateway.
-
The NAT Gateway is a zonal object. In other words, it belongs to one availability zone. Therefore, in the case of a three-node CE cluster, you might want to deploy additional NAT Gateways for high availability.
Prerequisites
The following prerequisites apply:
-
A Distributed Cloud Services Account. If you do not have an account, see Create an Account.
-
An account with Microsoft Azure. See Required Access Policies for permissions needed to deploy site. To create a cloud credentials object, see Cloud Credentials.
-
Resources required per node: Minimum 4 vCPUs and 14 GB RAM.
-
F5 assumes that the resource group exists with a virtual network, including a minimum of two subnets: one for the Site Local Outside (SLO) and one for the Site Local Inside (SLI). The CE generally references the SLO interface as
eth0
and the SLI interface aseth1
. -
For a single NIC deployment (ingress gateway/Mesh or App Stack), only a single subnet (SLO) is required.
-
Internet Control Message Protocol (ICMP) needs to be opened between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed to ensure intra-cluster communication checks.
Procedure
The following procedure provides instructions for deploying a single-node Mesh site with dual interfaces (ingress/egress) to an Azure VNet using the Azure Console.
Create External Network Security Group
You must create an External Network Security Group that will be attached to the external interface of the CE site.
Step 1: Navigate to security group creation page.
- In Azure Console, navigate to the
Network security groups
service.
Step 2: Create and configure security group policy.
-
Click
Create
. -
Assign the new security group to your resource group. This procedure uses
f5-ce-resource-group
as an example. -
Give the network security group an indicative name. In this procedure, it is
f5-ce-external-network-security-group
. -
Click
Review + create
. -
After you create the network security group, click on it to set up the inbound and outbound rules.
Step 2.1: Create inbound rules.
Ensure you add rules for the following:
-
Allowed SSH from the instance. Azure will figure out the public IP address that a user is configuring from and allows it. You can also use the custom option and enter your corporate public address space.
-
Allowed ICMP for troubleshooting.
-
Allowed TCP Port 65500 for the local UI on the CE.
-
For three node clusters, ensure that traffic is allowed between the nodes.
Important: Be aware that allowing access to any source to the CE control plane is not recommended. It should be filtered using the public IP of your organization.
When creating load balancers to publish applications, you will need to add additional rules in your network security group to accept the traffic that comes to your virtual IP address (VIP).
Step 2.2: Create outbound rules.
Create an allow-all policy for egress traffic. This is the default configuration.
Step 3: Confirm rules created.
In the overview section for your network security group, you can see all the rules that have been created. Confirm the rules are as desired.
Create SSH Key Pairs
You need to create key pairs for SSH login into the virtual machine for troubleshooting purposes.
Step 1: Navigate to SSH key creation page.
-
In Azure Console, navigate to the
SSH keys
service. -
Click
Create
.
Step 2: Configure SSH key pairs.
-
Verify the
Subscription
andResource group
are correctly selected. -
In the
Key pair name
field, enter a name. -
Click
Review + create
.
-
After successful validation, click
Create
. -
Click
Download private key and create resource
to download the key pair locally to your machine since the pair will not be saved in Azure. You will need the key pair to log into the CE node. The private key pair file is namedf5-ce-keypair.pem
as an example.
Create Public IP
In Azure Console, create a public IP and give it a name.
- Navigate to the
Public IP addresses
creation page and clickCreate
.
-
Under
Configuration details
, in theName
field, enter a name for the Public IP. -
Leave the remaining options with their default values.
-
Click
Review + create
. -
After validation passes, click
Create
.
Existing Resource Group Details
In this procedure, we are deploying a dual interface single Node CE. Therefore, we need two subnets: SLI (Site Local Inside) and SLO (Site Local Outside). Note that workload subnets are generally used but are not a requirement to deploy a CE site.
Create Site Token
Create a site token or use an existing token. If you are configuring a multi-node site, use the same token for all nodes. To create the token, see the Create Secure Mesh Site guide.
Modify the User Data File
Download the raw .yml
file to your machine and input the value of the site token into the Token
field. See GitHub User Data File for more information. Afterwards, save the file on your machine as you will need it for the user data when creating the F5 CE virtual machine.
#cloud-config
#only value to be modified is token
write_files:
- path: /etc/hosts
content: |
# IPv4 and IPv6 localhost aliases
127.0.0.1 localhost
127.0.0.1 vip
permissions: 0644
owner: root
- path: /etc/vpm/config.yaml
permissions: 0644
owner: root
content: |
Vpm:
ClusterType: ce
Token: # token value here
MauricePrivateEndpoint: https://register-tls.ves.volterra.io
MauriceEndpoint: https://register.ves.volterra.io
CertifiedHardwareEndpoint: https://vesio.blob.core.windows.net/releases/certified-hardware/aws.yml
Kubernetes:
EtcdUseTLS: True
Server: vip
Create the CE Virtual Machine
Create the F5 CE instance using the previously created parameters. It is recommended that you create a table and fill it with the information prior to deploying the CE instance.
See table below for example parameters and explanations used for this procedure.
Parameter | Value | Notes |
---|---|---|
Name | f5-ce | Name of CE site. |
Region | France-central | Name of Azure region in which site is deployed. |
Image Name | Volterra VoltMesh and VoltStack Node Free Plan | Located in Azure Marketplace. |
Certified Hardware Name | azure-byol-multi-nic-voltmesh | This is the certified hardware name. |
Instance Type | Standard_D3_v2 | Minimum instance requirements: 4 vCPUs, 14 GB RAM, 80 GB storage for Mesh nodes, and 100 GB storage for App Stack. |
Resource Group | f5-ce-resource-group | Created in Azure Console. |
SLO Subnet ID | f5-ce-external-subnet | Existing subnet. |
SLI Subnet ID | f5-ce-internal-subnet | Existing subnet. |
Key Pair | f5-ce-keypair | Key pair created in Azure Console. |
Security Groups | f5-ce-external-security-group | Name of security group created in Azure Console. |
Public IP Address | f5-ce-ip | IP address created in Azure Console. |
Site Name | f5-ce-demo | Equals ves-io-site-name value. |
Token | Confidential. Value varies. | Value for site token ID generated in F5 Console. |
Storage | 80 GiB/100 GiB (App Stack) recommended. | Minimum disk space that is required. |
Step 1: Create new virtual machine.
- In Azure Console, within your resource group, click
Create
.
-
Use the search bar to locate the right CE image. You can search for "Volterra Free Plan." This procedure uses the image for Volterra VoltMesh and VoltStack Node Free Plan. This plan image corresponds to the
azure-byol-multi-nic-voltmesh
certified hardware. -
After you find the image, click
Create
.
Step 2: Configure new virtual machine.
-
Enter a VM name.
-
Ensure the correct region and availability zone are selected.
- From the
Size
menu, choose the instance type. This procedure usesStandard_D3_v2
as an example. This instance type is the minimum required to deploy an F5 CE Site to Azure cloud.
-
From the
SSH public key source
menu, assign the previously created SSH key pair. -
In the
Username
field, Entercloud-user
as the default user to SSH log into the CE instance.
-
Click
Next:Disk
. -
From the
OS disk size
menu, select128 GiB (E10)
.
Step 3: Configure virtual machine networking.
-
Click
Next:Networking
. -
Ensure the following parameters for network interface configuration:
-
From the
Virtual network
menu, select the network. -
From the
Subnet
menu, select the external interface.
-
Important: You cannot create/assign the internal interface to the virtual machine in this step. It will be added at a later step.
-
From the
Public IP
menu, select the IP previously created. -
For the
NIC network security group
option, selectAdvanced
. This option is needed so that you are able to select the network security group. -
From the
Configure network security group
menu, select the security group previously created. -
Select the
Delete NIC when VM is deleted
option.
Step 4: Configure advanced settings.
-
Click the
Advanced
tab to skip theManagement
andMonitoring
configuration. -
In the
Custom data
field, copy and paste the user data file information (which includes the site token).
Step 5: Complete VM creation.
Click on Review + create
. After validation process completes successfully, click Create
.
Step 6: Track VM deployment progress.
You can track deployment progress by connecting to your instance's public IP on port 65500. It may take a few minutes for the web interface to appear.
The default username is admin
and the default password is Volterra123
. You will be required to change the default password on your first login attempt.
The CE will show in Approval
state. This means that the CE is awaiting registration approval from F5 Console. Before approving registration, you need to add a second interface to the CE site.
Add Second Interface to CE Site
-
In Azure portal, select your VM and click
Stop
. -
After the VM stops, click
Network settings
. Then clickAttach network interface
.
- Click
Create and attach network interface
.
-
Select the resource group previously created for this VM.
-
In the
Name
field, enter a new name for this second interface. -
In the
Subnet
field, enter a new name for this interface. Make sure to reference that this is an internal interface since the external interface was previously created.
-
Click
Create
. -
After the second interface is attached to your VM, restart the VM.
-
Connect to the CE's local UI to verify that the second interface was properly configured.
Register Site
In Distributed Cloud Console, perform additional site registration configuration and create secure mesh site.
Step 1: Visually confirm requests appear.
-
In Distributed Cloud Console, navigate to the site registrations page.
-
Under the
Pending Registrations
tab, confirm the registration request appears but do not accept it. -
If you cannot see the
Cluster Name
, check under theOther Registrations
tab.
Step 2: Create secure mesh site.
-
Navigate to
Manage
>Site Management
>Secure Mesh Sites
. -
Click
Add Secure Mesh Site
. -
In the form, add a name for the site. Ensure that the
Name
is the same as the tag value forves-io-site-name
.
-
For the
Generic Server Certified Hardware
value, copy the value from the parameters' table above. -
For the master node configuration, enter a name. The node name can be any name you desire.
-
Enter values for
Longitude
andLatitude
that reflect the CE’s location and ensures the CE registers to the nearest regional edge (RE). -
After you finish with configuration, click
Save and Exit
.
Step 3: Change fields to match site name.
- On the site
Registrations
page, for your site, change theCluster Name
to match theSite Name
andves-io-site-name
. All three values must match.
-
Click
Save and Exit
. After a few minutes, the site status changes toADMITTED
. -
Connect to the CE's local UI to verify that the registration request was properly configured.
-
After the CE site is fully provisioned, you can access it using SSH with
cloud-user
and your private key.
Troubleshooting
For troubleshooting and opening a support case, see the Troubleshooting Manual Site Deployment Registration Issues guide. It provides step-by-step instructions to debug and resolve the issues that may arise due to Distributed Cloud published Terraform errors, networking and security misconfiguration, or CE internal process issues. The guide also provides instructions for contacting the F5 Distributed Cloud Support Team if you are unable to resolve the issue.