Secure Mesh Site FAQs
This document provides information on general and specific user queries on the new workflow for deploying CEs using Secure Mesh Sites.
General FAQs
What is New Secure Mesh Site?
We have introduced a simplified workflow to configure and manage Customer Edge (CE) Sites via the new Secure Mesh Site (version 2) with the release of F5 Distributed Cloud. With this release, you will be able to create a CE site anywhere. This release presents the following features:
- Removal of certified hardware (making it easy to deploy in any provider)
- Flexibility to choose F5 Distributed Cloud Regional Edges (REs)
- Removal of unnecessary user inputs (example: latitude/longitude for the CE site)
- Support for dynamic interfaces
- Using a single IP endpoint for registration and upgrades
- Support to deploy CE sites in any region
- Introducing CE support on F5 rSeries (5000 and onwards running F5OS 1.8 and above)
Is the new Secure Mesh functionality Generally Available (GA)?
The new Secure Mesh functionality is Generally Available (GA) for VMware, AWS and Azure. It is available as Early Access for F5 rSeries, GCP, OCI, OpenStack, Nutanix, KVM and Bare Metal.
Early Access Designation & Meaning
Early Access means that this functionality is to be used for Proof of Concept (PoC) & Proof of Value (PoV) deployments only. This should not be used for Production deployments.
When should I use the new Secure Mesh Site (version 2) functionality?
Utilize the new Secure Mesh Site functionality in the following cases:
- You need to deploy in a provider that is not already supported by another site type (example: F5 rSeries, OCI, Nutanix)
- For Generally Available providers: all deployments
- For Early Access providers: all Proof-of-Concept (PoC), Proof-of-Value (PoV) or staging deployments
When using the new Secure Mesh Sites, what are the caveats that one should be aware of?
The following caveats are to be noted while using the Secure Mesh Site v2:
- Secure Mesh Site deployments are supported only on platforms listed in the validated platforms guide
- For sites that have High Availability (HA) disabled, only 1 node is supported. This node will be the Control node. Additional nodes should not be added to this site
- For sites that have HA enabled, nodes of the site should be powered on serially with a gap of at least 90 seconds before powering on the next node
- All nodes in a site should have the same resources (CPU, memory, disk); use the same instance flavor in the case of CSPs such as AWS, Azure and GCP
- LTE / Cellular interfaces are not supported
- Vertical scaling of sites is not supported. Once CE nodes are deployed, they should not be re-sized
- Interfaces should be added only while all nodes of the site are powered down. The sequence is: shut down all nodes in the site > add the required interface to each node in the site > power on all nodes > configure the newly added interface on each node, making sure that the interface is placed in the same VRF (Network) on every node. Note: All nodes in a site should have the same number of interfaces
- CE node decommission workflow is not supported. To remove a worker node from a site, first delete the worker node from the provider (for example, delete the VM hosted on VMware ESXi), wait for the node to go down in the F5 Distributed Cloud Console, and then delete the node from the CE site configuration. Note: The decommission node workflow will be added in a future release.
- Do not reuse a Site name within 30 days of deleting a Site that had that name
- For sites that have HA enabled, add exactly 3 nodes while provisioning the site and wait for the site to come online. These nodes will come up as "Control" nodes. Worker nodes can then be added. DO NOT add worker nodes while provisioning the CE site.
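The caveats above are easy to violate when a site layout is assembled by hand or by automation. The following added example (not F5 code; the inventory format, function names and sample values are my own assumptions) checks a planned node layout against those caveats before anything is provisioned, and produces the serial power-on schedule with the 90-second gap the HA caveat requires.

```python
"""Pre-flight checks for a planned Secure Mesh Site v2 node layout.

Added example, not part of the F5 documentation. The Node dataclass, the
check_site/power_on_schedule functions and the sample inventories below are
constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Node:
    name: str
    cpu: int
    memory_gb: int
    disk_gb: int
    interfaces: tuple[str, ...]   # interface names present on the node
    role: str = "control"         # "control" or "worker"


def check_site(site_name: str, ha_enabled: bool, nodes: list[Node],
               recently_deleted: Iterable[str] = ()) -> list[str]:
    """Return a list of caveat violations; an empty list means the layout is clean."""
    problems: list[str] = []

    # Site names must not be reused within 30 days of deleting a site of that name.
    if site_name in set(recently_deleted):
        problems.append(f"site name '{site_name}' was deleted within the last 30 days; choose a new name")

    control = [n for n in nodes if n.role == "control"]
    workers = [n for n in nodes if n.role == "worker"]

    if not ha_enabled:
        # HA disabled: exactly one node, and it is the Control node.
        if len(nodes) != 1 or len(control) != 1:
            problems.append("HA disabled: the site must contain exactly one Control node and no others")
    else:
        # HA enabled: provision with exactly 3 Control nodes; workers come later.
        if len(control) != 3:
            problems.append(f"HA enabled: provision exactly 3 Control nodes (found {len(control)})")
        if workers:
            problems.append("HA enabled: do not add worker nodes while provisioning; add them after the site is online")

    # Every node must use the same CPU / memory / disk (same instance flavor on a CSP).
    flavors = {(n.cpu, n.memory_gb, n.disk_gb) for n in nodes}
    if len(flavors) > 1:
        problems.append(f"nodes use different resource flavors: {sorted(flavors)}")

    # Every node must carry the same number of interfaces.
    iface_counts = {len(n.interfaces) for n in nodes}
    if len(iface_counts) > 1:
        problems.append(f"nodes have different interface counts: {sorted(iface_counts)}")

    # Node names must be unique within the site.
    names = [n.name for n in nodes]
    if len(set(names)) != len(names):
        problems.append("duplicate node names in the site")

    return problems


def power_on_schedule(nodes: list[Node], gap_seconds: int = 90) -> list[tuple[str, int]]:
    """Serial power-on plan: (node name, seconds after the first power-on)."""
    return [(n.name, index * gap_seconds) for index, n in enumerate(nodes)]


# Constructed sample inventories.
GOOD_HA_NODES = [
    Node("node-1", 8, 32, 200, ("eth0", "eth1")),
    Node("node-2", 8, 32, 200, ("eth0", "eth1")),
    Node("node-3", 8, 32, 200, ("eth0", "eth1")),
]
BAD_HA_NODES = [
    Node("node-1", 8, 32, 200, ("eth0", "eth1")),
    Node("node-2", 8, 64, 200, ("eth0", "eth1")),          # different memory
    Node("node-3", 8, 32, 200, ("eth0",)),                 # missing an interface
    Node("node-4", 8, 32, 200, ("eth0", "eth1"), "worker"),  # worker during provisioning
]

if __name__ == "__main__":
    for label, nodes in (("good-site", GOOD_HA_NODES), ("bad-site", BAD_HA_NODES)):
        issues = check_site(label, True, nodes, recently_deleted={"bad-site"})
        print(label, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
    print("power-on schedule:", power_on_schedule(GOOD_HA_NODES))
```

Run the checks from a deployment pipeline before creating the site object in the Console; the schedule output is the order and spacing in which the hypervisor or cloud API should be asked to power on the nodes.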
Will the new Secure Mesh Site utilize a single IP endpoint for registration and updates?
Yes. The new Secure Mesh Site will utilize a single IP owned by F5 to register the Customer Edge (CE) sites. This will greatly simplify egress rules required for the Customer Edge (CE) to connect to F5 Distributed Cloud to register and to pull updates.
Note: The Customer Edge (CE) sites will continue to require connectivity to F5 Regional Edges (REs). You can refer to this document for more information.
Will the single endpoint for registration and updates be applicable to all site types?
No. Only Secure Mesh Site v2 will utilize a single IP owned by F5 for registration & updates. All other site types will continue to utilize the older list of IPs and domains. In upcoming releases, the following enhancements will be added:
- New site deployments - regardless of site type will use the single IP
- Existing site deployments will automatically switch to using the single IP
Note: This single IP will be within the list of IPs/domains that customers have allowlisted as per this document.
If a Customer Edge (CE) site has a DRP configured for customer use cases, will it interfere with the single IP endpoint for registration and updates?
No. Customers can use DRP functionality on their Customer Edge (CE) deployments. This will not conflict with the single IP endpoint used for CE registration & updates. Customers do not need to add any specific allowlist rules to make a CE work.
--
Using existing CE Site Models
What happens to my existing CE deployments?
You can continue to use your existing Customer Edge site deployments, which include AWS VPC, AWS TGW, Azure VNet, GCP VPC, Secure Mesh Sites (version 1) and Sites created via Fleets. They will continue to be fully supported.
What happens to my existing Secure Mesh Sites?
You can continue to use your existing Secure Mesh Sites (version 1). They will be fully supported.
Where can I find Secure Mesh sites I've created?
Your existing Secure Mesh sites will reside in the "Manage > Site Management > Customer Edges > Secure Mesh Sites" section within Network Connect.
What happens to my existing AppStack deployments?
There is no change to AppStack at this point. Continue using AppStack sites as before.
What site type should I use for my production deployments?
If you need to deploy a Customer Edge (CE) site for production workloads, here is the recommendation:
- If deploying in a cloud environment:
  - If you need orchestration, utilize AWS VPC/TGW, Azure VNet or GCP VPC sites
  - If you are deploying manually, utilize the Secure Mesh Site v2 for AWS and Azure
  - If using outside automation, utilize automation-based Secure Mesh Site v2 for AWS and Azure
- If deploying in an on-prem environment:
  - Utilize the Secure Mesh Site v2 for the VMware provider
  - Utilize the existing Secure Mesh Site (version 1) for all others
Note: Do not use "fleets" to configure Sites.
Can I continue using Site types that provide orchestration such as AWS VPC, AWS TGW, Azure VNet, GCP sites?
Unless orchestration is a must-have, it is recommended to use the new Secure Mesh Site (version 2) workflow for AWS and Azure. Continue using the existing site types (AWS VPC/TGW, Azure VNet, GCP VPC) when orchestration is needed.
Note: Orchestration capabilities will be added to the Secure Mesh Site v2 in upcoming releases.
Would fleets continue to be supported?
Users are discouraged from using fleets. Fleets will be deprecated in a future release, and CE sites created using fleets will need to be migrated to the Secure Mesh Site v2. Deprecation timelines and detailed migration guidance will be provided when the deprecation of fleets is announced.
Would existing site types continue to be supported?
Existing site types continue to be fully supported until further announcement.