Customer Edge - Secure Mesh Site FAQs

We have introduced a simplified workflow to configure and manage Customer Edge (CE) Sites via the new Secure Mesh Site (version 2) with the release of F5 Distributed Cloud. With this release, you will be able to create a CE site anywhere. This release presents the following features:

• Removal of certified hardware (making it easy to deploy in any provider)
• Flexibility to choose F5 Distributed Cloud Regional Edges (REs)
• Removal of unnecessary user inputs (for example: latitude/longitude for the CE site)
• Support for dynamic interfaces
• Using a single IP address endpoint for registration and upgrades
• Support for deploying CE sites in any region

These providers are Generally Available (GA): VMware, AWS, Azure, GCP, OCI, Nutanix, OpenStack, and Equinix. The following provider is Early Access (EA): KVM.

Early Access (EA) means that this functionality is to be used for Proof of Concept (PoC) and Proof of Value (PoV) deployments only. These sites should not be used for production deployments.

Utilize the new Secure Mesh Site functionality in the following cases:

1. For Generally Available providers, all deployments.
2. For Early Access providers, all Proof-of-Concept (PoC) or Proof-of-Value (PoV) deployments, or staging deployments.

The following caveats are to be noted while using the Secure Mesh Site v2:

• Secure Mesh Site deployments are supported only on platforms listed in the validated Customer Edge Ecosystem Support guide.
• For sites that have High Availability (HA) disabled, only one (1) node is supported. This node will be the Control node. To this Site, additional nodes should not be added.
• For sites that have HA enabled, the nodes of the Site should be powered on serially with a gap of at least 90 seconds before powering on the next node.
• All nodes in a Site should have the same resources: CPU, memory, and disk storage (use the same instance flavor for cloud service providers, like AWS, Azure, and GCP).
• LTE/cellular interfaces are not supported.
• Vertical scaling of sites is not supported. After CE nodes are deployed, they should not be re-sized.
• Addition of interfaces should be done when all nodes of the site are powered down. You should shut down all nodes in the site, add the required interface to each node in the site, power on all nodes, and configure the newly added interface on each node, making sure that the interface is configured to be in the same VRF (network) on each node. Note that all nodes in a Site should have the same number of interfaces.
• CE node decommission workflow is not supported. To remove a worker node from a Site, first delete the worker node from the provider (for example, delete the VM hosted on VMware ESXi), wait for the node to go down in the F5 Distributed Cloud Console, and then delete the node from the CE Site configuration.

Note: The decommission node workflow will be added in a future release.

• Do not use the same name for a Site, even if you have deleted the Site with the same name previously created with in the last 30 days.
• For sites that have high availability (HA) enabled, only add three (3) nodes while provisioning the Site and wait for Site to come online. These nodes will come up as Control nodes. Worker nodes can then be added. Do NOT add worker nodes while provisioning the CE Site.

Yes. The new Secure Mesh Site will utilize a single IP owned by F5 to register the Customer Edge (CE) sites. This will greatly simplify egress rules required for the Customer Edge (CE) to connect to F5 Distributed Cloud to register and to pull updates.

Note: The Customer Edge (CE) sites will continue to require connectivity to F5 Regional Edges (REs). You can refer to this document for more information.

No. Only Secure Mesh Site v2 will utilize a single IP address owned by F5 for registration and updates. All other site types will continue to utilize the older list of IP addresses and domains.

No. Customers can use DRP functionality on their CE deployments. This will not conflict with the single IP endpoint used for CE registration and updates. Customers do not need to add any specific allowlist rules to make a CE work.

CE Site deployments, which include AWS VPC, AWS TGW, Azure VNet, GCP VPC, secure mesh sites (version 1), and sites created using fleets will be marked for deprecation in a future release. Deprecation will follow standard F5 policies and timelines. Any CE deployments of these types will continue to be fully supported until they are deprecated. Migration tooling will be provided to assist in migrating to the new CE Site deployment using Secure Mesh Site (version 2).

You can continue to use your existing Secure Mesh Sites (version 1). They will be fully supported.

Your existing Secure Mesh sites will reside in the Manage > Site Management > Customer Edges > Secure Mesh Sites section within the Multi-Cloud Network Connect service.

There is no change to App Stack at this point. Continue using App Stack sites as before.

If you need to deploy a Customer Edge (CE) site for production workloads, here is the recommendation:

If deploying in a cloud environment:

• If you need orchestration, use AWS VPC/TGW, Azure VNet, or GCP VPC sites.
• If you are deploying manually, use the Secure Mesh Site v2 for AWS, Azure, GCP, and OCI.

If deploying in an on-premises environment:

• Use the Secure Mesh Site v2 for VMware & OpenStack providers.
• Use the old new Secure Mesh Site (version 1) for all other providers.

Caution: Do not use fleets to configure sites in any environment.

Unless orchestration is a must-have, it is highly recommended using the new Secure Mesh site (version 2) workflow for AWS, Azure, and GCP.

Users are discouraged from using fleets. Fleets will be deprecated in a future release. Migration of CE sites created using fleets to the Secure Mesh Site v2 would be required. Timelines for deprecation, along with detailed migration guidance, will be provided in the future when deprecation of fleets is announced.

Existing site types will continue to be fully supported until further announcement.