Deploy Secure Mesh Site v2 on VMware (ClickOps)

Published April 5, 2023 | Last modified February 24, 2025

Objective

This guide provides instructions on how to create a customer edge (CE) site using the F5® Distributed Cloud Console and VMware. For more information, see F5® Distributed Cloud - Customer Edge.

As part of the new site deployment workflow, you can deploy the CE site as a Secure Mesh Site to VMware.

Important: This guide does not provide instructions on how to deploy an F5® App Stack Site.

General Prerequisites

The following general prerequisites apply:

  • A Distributed Cloud Services Account. If you do not have an account, see Getting Started with Console.

  • VMware vSphere Hypervisor (ESXi) 7.0 or later. The examples in this document are based on version 7.0.0.

  • At least one interface in your VMWare ESXi environment with Internet connectivity.

  • Resources required per node: Minimum 4 vCPUs, 14 GB RAM, and 80 GB disk storage. For a full listing of the resources required, see the Customer Edge Site Sizing Reference guide. All the nodes in a given CE Site should have the same resources regarding the compute, memory, and disk storage. When deploying in cloud environments, these nodes should use the same instance flavor.

  • Allow traffic from and to the Distributed Cloud public IP addresses to your network and allowlist related domain names. See Firewall and Proxy Server Allowlist Reference guide for the list of IP addresses and domain names.

  • The new Secure Mesh Site workflow enables you to have up to eight interfaces. However, these interface should be in different subnets. Therefore, make sure you have the required subnets available before creating the CE Site nodes.

  • Internet Control Message Protocol (ICMP) must be opened between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed to ensure intra-cluster communication checks.

Important: After you deploy the CE Site, the IP address for the SLO interface cannot be changed. Also, the MAC address cannot be changed.

Configuration Overview

To create a Secure Mesh Site, here are the high-level steps:

  1. Site Object Creation: Configure the site in the F5 Distributed Cloud Console.
  2. Image Download: Gather all the information required to find the VMWare OVA installation template.
  3. Node Management: Use the OVA template to boot and install on all nodes.
  4. Interface Management: Add additional interfaces on the nodes, if necessary.

The document describes one- and two-interface deployments for single and clustered sites.

Procedure

This guide explains how to deploy a single-node secure mesh site with dual interfaces, including deviations from this specific model, where necessary, to adjust to different node and interface requirements.

Create a Site Object

  • Create a secure mesh site object in the Distributed Cloud Console. For instructions, see the Create Secure Mesh Site guide.

Be sure to set the Provider Name option to VMware. Keep all other default values.

Figure: Select VMware

Figure: Select VMware

Note: For information about the High Availability option, see the Create Secure Mesh Site guide.

Generate Node Token

A node token is required to register a CE Site node to the Distributed Cloud Console.

  • In Distributed Cloud Console, select the Multi-Cloud Network Connect service.

  • Navigate to Manage > Site Management > Secure Mesh Sites v2.

  • For your site, click ... > Generate Node Token.

Figure: Node Token

Figure: Node Token

  • Click Copy.

  • Save the value locally. This token is used later. The token value is hidden for security purposes.

Figure: Node Token

Figure: Node Token

  • Click Close.

Download Node Image and Create ESXi Virtual Machine

VMWare uses OVA (Open Virtualization Appliance) file to store various files associated with a Virtual Machine (VM). This file is stored in the Open Virtualization Format (OVF) as a TAR archive.

F5 Distributed Cloud packages software in an OVA template file that lets you add a pre-configured virtual machine to the vCenter Server or ESXi inventory. Using vApps properties of the OVA template, you can configure the site and specify the data (site name, site token, location and so on) required to register the site on the F5XC Console.

Download Node Image

  • Navigate to Manage > Site Management > Secure Mesh Sites v2.

  • From the Secure Mesh Sites page, for your site, click ... > Download Image and then save the image locally.

Figure: Download VMware OVA Template

Figure: Download VMware OVA Template

  • Optionally, to obtain a download link that you can use with CLI utilities, such as curl or wget, click Copy Image Name.

Create ESXi Virtual Machine

Important: The name of the VM should not include .. For example, hostname can be node-0 or node0 but node.f5.com is not supported. If configuring a multi-node site, each node hostname must be unique.

You must connect the first node interface to an IPv4 subnet with connectivity to the Internet. The deployment process (image downloads, registration and so on) uses an F5 proxy that is automatically configured by deployment automation.

Use the following instructions to create an OVF template and store it on vSphere Client for multiple uses.

Step 1: Log in to the vSphere Client.

  • Log in to the vSphere Client. Then click Menu > Hosts and Clusters.
Figure: Log in to vSphere Client

Figure: Log in to vSphere Client

Step 2: Deploy the OVF template.

  • Right-click on Data Center and click Deploy OVF Template.
Figure: Deploy the OVF template

Figure: Deploy the OVF template

  • Select the OVF template you downloaded and then click Next.
Figure: Select an OVF template

Figure: Select an OVF template

  • Enter a unique Virtual machine name and select a folder to store the OVF template. Then click Next.
Figure: Select a name and folder

Figure: Select a name and folder

  • Select a host to run the template and then click Next.
Figure: Select a compute resource

Figure: Select a compute resource

  • Review the template details and then click Next.
Figure: Review details

Figure: Review details

  • Select where you want to store the files for the deployed template and then click Next.
Figure: Select storage

Figure: Select storage

  • For the Source Network named OUTSIDE, select a Destination Network. The Destination Network must have an internet connection. Then click Next.

The Outside Network is the Site Local Outside (SLO) network of the site.

Figure: Select networks

Figure: Select networks

  • In the Token field, copy and paste the node token that you saved earlier.

Important: When you create a multi-node site, make sure to change the Hostname for each node. For example, set hostnames to node-0, node-1 and node-2. Create one node at a time.

  • Optionally, set a Password for the Admin account. The default password is “Volterra123”. Keep the default settings for all other configurations.

  • Click Next.

Figure: Customize template

Figure: Customize template

  • Click Next and Finish to complete deployment.
Figure: Ready to complete

Figure: Ready to complete

Create an OVF Template Using the VMware OVF Tool

The VMware Open Virtualization Format (OVF) Tool is a command-line utility that lets you import and export OVF packages to and from VMware products.

To download the OVF Tool and view the VMware documentation, go to Open Virtualization Format (OVF) Tool.

Use the following OVF tool import commands to create an OVA template using the F5 Distributed Cloud Site image file:

$ ovftool --acceptAllEulas --allowAllExtraConfig --importAsTemplate \ 
--name=f5xc-ce-9.2024.22-20240724192736 \ 
--datastore=<datastore_name> \ 
--net:"OUTSIDE=<network_name>" \ 
--vmFolder=<folder_name> \ 
f5xc-ce-9.2024.22-20240724192736.ova \ 
'vi://<username>:<password>@<vCenter_IP>/<datacenter>/host/<host_IP>/' 
 
Output: 
Opening OVA source: f5xc-ce-9.2024.22-20240724192736.ova 
The manifest validates. 
Opening VI target: vi://user%40domain@10.21.X.X:443/datacenter/host/10.21.X.X/ 
Warning: 
 - Line 149: Unable to parse 'enableMPTSupport' for attribute 'key' on element 'Config'. 
Deploying to VI: vi://user%40domain@10.21.X.X:443/datacenter/host/10.21.X.X/ 
Transfer Completed 
Completed successfully.
Copied!

The following table provides information about the parameters above:

NameDescription
datastore_nameName of the data store/storage on the ESXi host
network_nameName of the network adapter on the ESXi host with internet connectivity
folder_nameVM and template folder on vSphere
usernameUsername of the vSphere client
passwordPassword of the vSphere client user
vCenter_IPIP address of the vSphere client
datacenterName of the data center configured on the vCenter server
host_IPIP address of the ESXi hosts connected on the vCenter server

Verify CE Site Registration

  • In Distributed Cloud Console, navigate to Multi-Cloud Network Connect > Overview > Infrastructure > Sites.

  • Select the site. The Dashboard tab should clearly show that the CE Site has registered successfully with the System Health of 100% as well as Data Plane/Control Plane both being up.

Note: For more information on the site registration process, see the Customer Edge Registration and Upgrade Reference guide.

Add New Network Interface

After the CE Site registers successfully, you can add additional network interfaces if necessary to meet your requirements. Make sure that you connect another network interface to the VMware VM.

Important: Adding a new network interface will cause the data plane services to restart. Therefore, it is strongly recommended to perform this operation during maintenance windows. As data plane services restart, traffic drops are expected, as well as tunnels going down. All nodes in a given CE site should have the same number of network interfaces attached. Each node in the CE site should have interfaces with the same VRFs assigned. For example: If a CE site has three nodes, each node having two interfaces - the first interface on each node will be auto-configured to be in the SLO VRF (to connect to F5 Distributed Cloud). If the second interface on node-1 is in the SLI VRF, then the second interface on node-2 and node-3 should also be in the SLI VRF.

When adding interfaces, it is important to make sure that the interfaces are added to each node in the cluster. Nodes with non-homogenous interfaces within a CE Site might cause issues. Therefore, each node in a given CE Site should have the same number of interfaces placed in the same VRFs.

  • Power down the VM prior to adding any new interfaces or modifying any existing interfaces.

  • In the Multi-Cloud Network Connect service, click Manage > Site Management > Secure Mesh Sites v2.

  • For the VMware site, click ... > Manage Configuration.

Figure: Manage Site Configuration

Figure: Manage Site Configuration

  • Click Edit Configuration.
Figure: Edit Configuration

Figure: Edit Configuration

  • In the Provider section, click the pencil button to edit the desired node.
Figure: Edit Node Configuration

Figure: Edit Node Configuration

  • Click the pencil button to edit the SLI interface.
Figure: Add Interface

Figure: Add Interface

  • From the Interface Type menu, select the interface type from the following options:

    • Ethernet Interface: This is the default option.
    • VLAN Interface: Choose parent interface and VLAN ID.
    • Bond Interface: Choose bond name, members, and bond mode.

Note: Interface Name is not a mandatory field.

Figure: Interface Type

Figure: Interface Type

  • Select the un-configured network device that is detected by the node by clicking See Suggestions.
Figure: Ethernet Device

Figure: Ethernet Device

  • From the IPv4 Interface Address Method menu, select the IP address configuration from the following options:

    • DHCP Client
    • Static IP
Figure: IP Address Configuration

Figure: IP Address Configuration

Important: The IP address for the SLO interface cannot be changed. This change can damage cluster configuration.

  • Assign interface configurations for the Select VRF option to VRF. The default and most common option is Site Local Inside (Local VRF), but can also be assigned to Segment (Global VRF).
Figure: VRF Configuration

Figure: VRF Configuration

  • Click Apply. Then click Apply again. Then click Save and Exit to complete Secure Mesh Site configuration.

  • Power back up the VM.

  • To view the SLI interface, navigate to the Infrastructure tab. The Interfaces section provides the SLI information.

Figure: Interfaces View

Figure: Interfaces View

Troubleshooting

For troubleshooting issues, see the Troubleshooting Guide for Secure Mesh Site v2 Deployment guide. It provides step-by-step instructions to debug and resolve the issues that may arise due to registration and provisioning errors.

Concepts

On this page: