Deploy Secure Mesh Site v2 on VMware (ClickOps)
Objective
This guide provides instructions on how to create a customer edge (CE) site using the F5® Distributed Cloud Console and VMware. For more information, see F5® Distributed Cloud - Customer Edge.
As part of the new site deployment workflow, you can deploy the CE site as a Secure Mesh Site to VMware.
Important: This guide does not provide instructions on how to deploy an F5® App Stack Site.
General Prerequisites
The following general prerequisites apply:
- A Distributed Cloud Services Account. If you do not have an account, see Create an Account.
- VMware vSphere Hypervisor (ESXi) 7.0 or later. The examples in this document are based on version 7.0.0.
- At least one interface in your VMware ESXi environment with Internet connectivity.
- Resources required per node: Minimum 4 vCPUs, 14 GB RAM, and 80 GB disk storage. For a full listing of the resources required, see the Customer Edge Site Sizing Reference guide. All the nodes in a given CE Site should have the same compute, memory, and disk storage resources. When deploying in cloud environments, these nodes should use the same instance flavor.
- Allow traffic to and from the Distributed Cloud public IP addresses in your network, and allowlist the related domain names. See the Firewall and Proxy Server Allowlist Reference guide for the list of IP addresses and domain names.
- The new Secure Mesh Site workflow lets you have up to eight interfaces. However, these interfaces must be in different subnets. Therefore, make sure you have the required subnets available before creating the CE Site nodes.
- Internet Control Message Protocol (ICMP) must be open between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed for the intra-cluster communication checks.
Important: After you deploy the CE Site, the IP address for the SLO interface cannot be changed. Also, the MAC address cannot be changed.
Configuration Overview
To create a Secure Mesh Site, here are the high-level steps:
- Site Object Creation: Configure the site in the F5 Distributed Cloud Console.
- Image Download: Gather all the information required to find the VMware OVA installation template.
- Node Management: Use the OVA template to boot and install on all nodes.
- Interface Management: Add additional interfaces on the nodes, if necessary.
The document describes one- and two-interface deployments for single and clustered sites.
Procedure
This guide explains how to deploy a single-node secure mesh site with dual interfaces, including deviations from this specific model, where necessary, to adjust to different node and interface requirements.
Create a Site Object
- Create a secure mesh site object in the Distributed Cloud Console. For instructions, see the Create Secure Mesh Site guide. Be sure to set the Provider Name option to VMware. Keep all other default values.
Figure: Select VMware
Note: For information about the High Availability option, see the Create Secure Mesh Site guide.
Generate Node Token
A node token is required to register a CE Site node to the Distributed Cloud Console.
- In Distributed Cloud Console, select the Multi-Cloud Network Connect service.
- Navigate to Manage > Site Management > Secure Mesh Sites v2.
- For your site, click ... > Generate Node Token.
Figure: Node Token
- Click Copy.
- Save the value locally. This token is used later. The token value is hidden for security purposes.
Figure: Node Token
- Click Close.
Download Node Image and Create ESXi Virtual Machine
VMware uses an OVA (Open Virtualization Appliance) file to store the various files associated with a virtual machine (VM). This file is an Open Virtualization Format (OVF) package stored as a TAR archive.
F5 Distributed Cloud packages its software in an OVA template file that lets you add a pre-configured virtual machine to the vCenter Server or ESXi inventory. Using the vApp properties of the OVA template, you configure the site and specify the data (site name, site token, location, and so on) required to register the site on the F5XC Console.
Download Node Image
- Navigate to Manage > Site Management > Secure Mesh Sites v2.
- From the Secure Mesh Sites page, for your site, click ... > Download Image and then save the image locally.
Figure: Download VMware OVA Template
- Optionally, to obtain a download link that you can use with CLI utilities such as curl or wget, click Copy Image Name.
Create ESXi Virtual Machine
Important: The name of the VM must not include a period (.). For example, the hostname can be node-0 or node0, but node.f5.com is not supported. If configuring a multi-node site, each node hostname must be unique.
You must connect the first node interface to an IPv4 subnet with connectivity to the Internet. The deployment process (image downloads, registration, and so on) uses an F5 proxy that is automatically configured by the deployment automation.
Use the following instructions to create an OVF template and store it in the vSphere Client for reuse.
Step 1: Log in to the vSphere Client.
- Log in to the vSphere Client. Then click Menu > Hosts and Clusters.
Figure: Log in to vSphere Client
Step 2: Deploy the OVF template.
- Right-click Data Center and click Deploy OVF Template.
Figure: Deploy the OVF template
- Select the OVF template you downloaded and then click Next.
Figure: Select an OVF template
- Enter a unique Virtual machine name and select a folder to store the OVF template. Then click Next.
Figure: Select a name and folder
- Select a host to run the template and then click Next.
Figure: Select a compute resource
- Review the template details and then click Next.
Figure: Review details
- Select where you want to store the files for the deployed template and then click Next.
Figure: Select storage
- For the Source Network named OUTSIDE, select a Destination Network. The Destination Network must have an Internet connection. Then click Next.
The OUTSIDE network is the Site Local Outside (SLO) network of the site.
Figure: Select networks
- In the Token field, paste the node token that you saved earlier.
Important: When you create a multi-node site, make sure to change the Hostname for each node. For example, set the hostnames to node-0, node-1, and node-2. Create one node at a time.
- Optionally, set a Password for the Admin account. The default password is “Volterra123”. Keep the default settings for all other configurations.
- Click Next.
Figure: Customize template
- Click Next and Finish to complete the deployment.
Figure: Ready to complete
Create an OVF Template Using the VMware OVF Tool
The VMware Open Virtualization Format (OVF) Tool is a command-line utility that lets you import and export OVF packages to and from VMware products.
To download the OVF Tool and view the VMware documentation, go to Open Virtualization Format (OVF) Tool.
Use the following OVF Tool import command to import the F5 Distributed Cloud Site image file as a VM template:
$ ovftool --acceptAllEulas --allowAllExtraConfig --importAsTemplate \
--name=f5xc-ce-9.2024.22-20240724192736 \
--datastore=<datastore_name> \
--net:"OUTSIDE=<network_name>" \
--vmFolder=<folder_name> \
f5xc-ce-9.2024.22-20240724192736.ova \
'vi://<username>:<password>@<vCenter_IP>/<datacenter>/host/<host_IP>/'
Output:
Opening OVA source: f5xc-ce-9.2024.22-20240724192736.ova
The manifest validates.
Opening VI target: vi://user%40domain@10.21.X.X:443/datacenter/host/10.21.X.X/
Warning:
- Line 149: Unable to parse 'enableMPTSupport' for attribute 'key' on element 'Config'.
Deploying to VI: vi://user%40domain@10.21.X.X:443/datacenter/host/10.21.X.X/
Transfer Completed
Completed successfully.
The following table describes the parameters used above:
| Name | Description |
|---|---|
| datastore_name | Name of the datastore (storage) on the ESXi host |
| network_name | Name of the network adapter on the ESXi host with Internet connectivity |
| folder_name | VM and template folder on vSphere |
| username | Username of the vSphere Client user |
| password | Password of the vSphere Client user |
| vCenter_IP | IP address of the vCenter Server (vSphere Client) |
| datacenter | Name of the data center configured on the vCenter Server |
| host_IP | IP address of the ESXi host managed by the vCenter Server |
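The sample output above shows the username written as user%40domain: the "@" in a domain-style account name has to be percent-encoded in the vi:// locator, and the same applies to passwords containing "@", ":" or "/". The following script is an added example for this guide (not F5's or VMware's code) that assembles the ovftool command shown above from its parameters, encodes the credentials correctly, and redacts the password before echoing the command. All values in the demo block at the bottom are constructed placeholders.

```python
"""Assemble the ovftool import command from the page's parameters.

Added example for this guide; it is not F5's or VMware's code. The flags
are the ones shown in the ovftool command above; the values used in the
demo at the bottom are constructed placeholders, not real hosts."""
import subprocess
from urllib.parse import quote


def build_vi_locator(username, password, vcenter_ip, datacenter, host_ip):
    """Return the vi:// target locator for ovftool.

    Usernames such as user@domain contain '@', and passwords may contain
    '@', ':' or '/'. Those characters are percent-encoded (the sample
    output above shows user%40domain) so that ovftool does not split the
    locator at the wrong character."""
    return "vi://{}:{}@{}/{}/host/{}/".format(
        quote(username, safe=""), quote(password, safe=""),
        vcenter_ip, datacenter, host_ip)


def build_ovftool_argv(ova_file, template_name, datastore, network, folder, locator):
    """Return the ovftool argument vector.

    Passing a list to subprocess (no shell=True) means names containing
    spaces, such as 'VM Network', need no manual quoting."""
    return [
        "ovftool",
        "--acceptAllEulas",
        "--allowAllExtraConfig",
        "--importAsTemplate",
        f"--name={template_name}",
        f"--datastore={datastore}",
        f"--net:OUTSIDE={network}",
        f"--vmFolder={folder}",
        ova_file,
        locator,
    ]


def redact_locator(locator):
    """Mask the password in a vi:// locator before it is logged or echoed."""
    scheme, rest = locator.split("://", 1)
    # Credentials are percent-encoded, so the last '@' is the separator.
    creds, target = rest.rsplit("@", 1)
    user = creds.split(":", 1)[0]
    return f"{scheme}://{user}:***@{target}"


def import_template(argv, dry_run=True):
    """Print the redacted command; run ovftool only when dry_run is False."""
    printable = list(argv)
    printable[-1] = redact_locator(printable[-1])
    print(" ".join(printable))
    if dry_run:
        return None
    return subprocess.run(argv, check=True).returncode


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own environment.
    loc = build_vi_locator("user@domain", "p@ss:w/rd", "10.21.0.5",
                           "datacenter", "10.21.0.10")
    argv = build_ovftool_argv("f5xc-ce-9.2024.22-20240724192736.ova",
                              "f5xc-ce-9.2024.22-20240724192736",
                              "datastore1", "VM Network", "templates", loc)
    import_template(argv, dry_run=True)
```

Run it with dry_run=True first to confirm the assembled command (with the password masked) matches what you intend, then switch to dry_run=False to perform the import.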
Verify CE Site Registration
- In Distributed Cloud Console, navigate to Multi-Cloud Network Connect > Overview > Infrastructure > Sites.
- Select the site. The Dashboard tab should clearly show that the CE Site has registered successfully, with a System Health of 100% and both Data Plane and Control Plane up.
Note: For more information on the site registration process, see the Customer Edge Registration and Upgrade Reference guide.
Add New Network Interface
After the CE Site registers successfully, you can add network interfaces as needed to meet your requirements. Make sure that you connect the additional network interface to the VMware VM.
Important: Adding a new network interface causes the data plane services to restart. Therefore, it is strongly recommended to perform this operation during a maintenance window. As data plane services restart, traffic drops are expected, as well as tunnels going down. All nodes in a given CE site should have the same number of network interfaces attached, and each node in the CE site should have interfaces with the same VRFs assigned. For example: if a CE site has three nodes, each with two interfaces, the first interface on each node is auto-configured to be in the SLO VRF (to connect to F5 Distributed Cloud). If the second interface on node-1 is in the SLI VRF, then the second interface on node-2 and node-3 should also be in the SLI VRF.
When adding interfaces, it is important to make sure that the interfaces are added to each node in the cluster. Nodes with non-homogenous interfaces within a CE Site might cause issues. Therefore, each node in a given CE Site should have the same number of interfaces placed in the same VRFs.
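The layout rules stated on this page (unique hostnames without a period, identical compute, memory and disk on every node with the stated minimums, the same number of interfaces in the same VRFs on every node with the first interface in SLO, at most eight interfaces, each in a different subnet) are easy to check before touching a running site. The script below is an added example for this guide, not F5's code: it validates a node inventory against those rules and reports every violation. The node records, addresses and the VRF labels "SLO", "SLI" and "Segment" are this script's own constructed conventions.

```python
"""Pre-change check for the node layout of a Secure Mesh Site.

Added example for this guide, not F5's code. It encodes the rules stated
on the page: hostnames without '.', unique per node; the same vCPU, RAM
and disk on every node (and at least 4 vCPU / 14 GB / 80 GB); the same
number of interfaces on every node, with the same VRF at each interface
position and the first interface in SLO; at most eight interfaces, each
in a different subnet. The node records below are constructed samples
and the VRF labels "SLO", "SLI" and "Segment" are this script's own."""
import copy
from ipaddress import ip_interface

MIN_VCPU, MIN_RAM_GB, MIN_DISK_GB = 4, 14, 80   # per-node minimums from the prerequisites
MAX_INTERFACES = 8                              # limit of the Secure Mesh Site v2 workflow


def validate_site(nodes):
    """Return a list of violations; an empty list means the layout is
    homogeneous and safe to apply one node at a time."""
    errors = []
    seen = set()
    ref = nodes[0]  # every other node must match the first one
    for n in nodes:
        h = n["hostname"]
        if "." in h:
            errors.append(f"{h}: hostname must not contain '.'")
        if h in seen:
            errors.append(f"{h}: duplicate hostname")
        seen.add(h)
        for key, minimum in (("vcpu", MIN_VCPU), ("ram_gb", MIN_RAM_GB),
                             ("disk_gb", MIN_DISK_GB)):
            if n[key] < minimum:
                errors.append(f"{h}: {key}={n[key]} is below the minimum {minimum}")
            if n[key] != ref[key]:
                errors.append(f"{h}: {key}={n[key]} differs from {ref['hostname']} ({ref[key]})")
        ifs = n["interfaces"]
        if not ifs or ifs[0]["vrf"] != "SLO":
            errors.append(f"{h}: the first interface must be in the SLO VRF")
        if len(ifs) > MAX_INTERFACES:
            errors.append(f"{h}: {len(ifs)} interfaces exceeds the limit of {MAX_INTERFACES}")
        if len(ifs) != len(ref["interfaces"]):
            errors.append(f"{h}: has {len(ifs)} interfaces, {ref['hostname']} has {len(ref['interfaces'])}")
        else:
            for i, (a, b) in enumerate(zip(ifs, ref["interfaces"])):
                if a["vrf"] != b["vrf"]:
                    errors.append(f"{h}: interface {i} is in VRF {a['vrf']}, expected {b['vrf']}")
        nets = [ip_interface(x["address"]).network for x in ifs]
        if len(set(nets)) != len(nets):
            errors.append(f"{h}: interfaces must be in different subnets")
    return errors


def make_node(hostname, slo, sli):
    """Build a two-interface node record (constructed sample shape)."""
    return {"hostname": hostname, "vcpu": 4, "ram_gb": 14, "disk_gb": 80,
            "interfaces": [{"vrf": "SLO", "address": slo},
                           {"vrf": "SLI", "address": sli}]}


# Constructed three-node site using documentation address ranges.
SAMPLE_SITE = [
    make_node("node-0", "192.0.2.10/24", "198.51.100.10/24"),
    make_node("node-1", "192.0.2.11/24", "198.51.100.11/24"),
    make_node("node-2", "192.0.2.12/24", "198.51.100.12/24"),
]


def broken_site():
    """A copy of the sample with three typical mistakes introduced."""
    site = copy.deepcopy(SAMPLE_SITE)
    site[2]["hostname"] = "node.2"                          # period in hostname
    site[2]["interfaces"][1]["vrf"] = "Segment"             # VRF differs from node-0
    site[1]["interfaces"][1]["address"] = "192.0.2.21/24"   # same subnet as its SLO
    return site


if __name__ == "__main__":
    for label, site in (("sample", SAMPLE_SITE), ("broken", broken_site())):
        print(f"{label}: {validate_site(site) or 'OK'}")
```

Feed validate_site the inventory you intend to apply; fix every reported line before editing the first node, since the console applies interface changes per node and a mismatch only shows up once the data plane has already restarted.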
- Power down the VM before adding any new interfaces or modifying any existing interfaces.
- In the Multi-Cloud Network Connect service, click Manage > Site Management > Secure Mesh Sites v2.
- For the VMware site, click ... > Manage Configuration.
Figure: Manage Site Configuration
- Click Edit Configuration.
Figure: Edit Configuration
- In the Provider section, click the pencil button to edit the desired node.
Figure: Edit Node Configuration
- Click the pencil button to edit the SLI interface.
Figure: Add Interface
- From the Interface Type menu, select the interface type from the following options:
  - Ethernet Interface: This is the default option.
  - VLAN Interface: Choose the parent interface and VLAN ID.
  - Bond Interface: Choose the bond name, members, and bond mode.
Note: Interface Name is not a mandatory field.
Figure: Interface Type
- Select the unconfigured network device detected by the node by clicking See Suggestions.
Figure: Ethernet Device
- From the IPv4 Interface Address Method menu, select the IP address configuration from the following options:
  - DHCP Client
  - Static IP
Figure: IP Address Configuration
Important: The IP address for the SLO interface cannot be changed. Changing it can damage the cluster configuration.
- For the Select VRF option, choose the VRF for the interface. The default and most common option is Site Local Inside (Local VRF), but the interface can also be assigned to Segment (Global VRF).
Figure: VRF Configuration
- Click Apply. Then click Apply again. Then click Save and Exit to complete the Secure Mesh Site configuration.
- Power the VM back up.
- To view the SLI interface, navigate to the Infrastructure tab. The Interfaces section provides the SLI information.
Figure: Interfaces View
Troubleshooting
For troubleshooting issues, see the Troubleshooting Guide for Secure Mesh Site v2 Deployment guide. It provides step-by-step instructions to debug and resolve the issues that may arise due to registration and provisioning errors.