Secure Mesh Site FAQs
This document provides information on general and specific user questions for the new workflow for deploying F5® Distributed Cloud Customer Edges (CEs) using secure mesh sites.
General FAQs
What is the new Secure Mesh Site?
We have introduced a simplified workflow to configure and manage Customer Edge (CE) Sites via the new Secure Mesh Site (version 2) with the release of F5 Distributed Cloud. With this release, you will be able to create a CE site anywhere. This release presents the following features:
- Removal of certified hardware (making it easy to deploy in any provider)
- Flexibility to choose F5 Distributed Cloud Regional Edges (REs)
- Removal of unnecessary user inputs (for example: latitude/longitude for the CE site)
- Support for dynamic interfaces
- Using a single IP address endpoint for registration and upgrades
- Support for deploying CE sites in any region
- Introducing CE support on F5 rSeries (5000 and onwards running F5OS 1.8 and above).
Is the new Secure Mesh functionality Generally Available?
These providers are Generally Available (GA): VMware, AWS, Azure, GCP, OCI, and OpenStack. These providers are Early Access (EA): F5 rSeries, Nutanix, KVM, and Baremetal.
What is Early Access designation for sites?
Early Access (EA) means that this functionality is to be used for Proof of Concept (PoC) and Proof of Value (PoV) deployments only. These sites should not be used for production deployments.
When should I use the new Secure Mesh Site (version 2) functionality?
Utilize the new Secure Mesh Site functionality in the following cases:
- Need to deploy in a provider which is not already supported (example: F5 rSeries, OCI, Nutanix)
- For Generally Available providers, all deployments
- For Early Access providers, all Proof-of-Concept (PoC) or Proof-of-Value (PoV) deployments, or staging deployments.
When using the new Secure Mesh Sites, what are the caveats that one should be aware of?
The following caveats are to be noted while using the Secure Mesh Site v2:
- Secure Mesh Site deployments are supported only on platforms listed in the validated Customer Edge Ecosystem Support guide.
- For sites that have High Availability (HA) disabled, only one (1) node is supported. This node will be the Control node. Do not add additional nodes to this Site.
- For sites that have HA enabled, the nodes of the Site should be powered on serially with a gap of at least 90 seconds before powering on the next node.
- All nodes in a Site should have the same resources: CPU, memory, and disk storage (use the same instance flavor for cloud service providers, like AWS, Azure, and GCP).
- LTE/cellular interfaces are not supported.
- Vertical scaling of sites is not supported. After CE nodes are deployed, they should not be re-sized.
- Add interfaces only when all nodes of the site are powered down: shut down all nodes in the site, add the required interface to each node, power on all nodes, and then configure the newly added interface on each node, making sure that the interface is placed in the same VRF (network) on every node. All nodes in a Site must have the same number of interfaces.
- CE node decommission workflow is not supported. To remove a worker node from a Site, first delete the worker node from the provider (for example, delete the VM hosted on VMware ESXi), wait for the node to go down in the F5 Distributed Cloud Console, and then delete the node from the CE Site configuration.
Note: The decommission node workflow will be added in a future release.
- Do not reuse a Site name if a Site with that name was created and deleted within the last 30 days.
- For sites that have high availability (HA) enabled, only add three (3) nodes while provisioning the Site and wait for Site to come online. These nodes will come up as Control nodes. Worker nodes can then be added. Do NOT add worker nodes while provisioning the CE Site.
Will the new Secure Mesh Site utilize a single IP address endpoint for registration and updates?
Yes. The new Secure Mesh Site will utilize a single IP owned by F5 to register the Customer Edge (CE) sites. This will greatly simplify egress rules required for the Customer Edge (CE) to connect to F5 Distributed Cloud to register and to pull updates.
Note: The Customer Edge (CE) sites will continue to require connectivity to F5 Regional Edges (REs). You can refer to this document for more information.
Will the single endpoint for registration and updates be applicable to all site types?
No. Only Secure Mesh Site v2 will utilize a single IP address owned by F5 for registration and updates. All other site types will continue to utilize the older list of IP addresses and domains.
In upcoming releases, the following enhancements will be added:
- New site deployments, regardless of site type, will use a single IP address.
- Existing site deployments will automatically switch to using the single IP address.
Note: This single IP address will be within the list of IP addresses/domains that customers would have allowlisted as per this Firewall and Proxy Server Allowlist Reference guide.
If a CE site has a DRP configured for customer use cases, will it interfere with the single IP address endpoint for registration and updates?
No. Customers can use DRP functionality on their CE deployments. This will not conflict with the single IP endpoint used for CE registration and updates. Customers do not need to add any specific allowlist rules to make a CE work.
--
Using Existing CE Site Models
What happens to my existing CE deployments?
You can continue to use your existing CE Site deployments, which include AWS VPC, AWS TGW, Azure VNet, GCP VPC, secure mesh sites (version 1), and sites created using fleets. They will continue to be fully supported.
What happens to my existing Secure Mesh Sites?
You can continue to use your existing Secure Mesh Sites (version 1). They will be fully supported.
Where can I find Secure Mesh sites I have created?
Your existing Secure Mesh sites will reside in the Manage > Site Management > Customer Edges > Secure Mesh Sites section within the Multi-Cloud Network Connect service.
What happens to my existing F5 Distributed Cloud App Stack deployments?
There is no change to App Stack at this point. Continue using App Stack sites as before.
What site type should I use for my production deployments?
If you need to deploy a Customer Edge (CE) site for production workloads, here is the recommendation:
- If deploying in a cloud environment:
  - If you need orchestration, use AWS VPC/TGW, Azure VNet, or GCP VPC sites
  - If you are deploying manually, use the Secure Mesh Site v2 for AWS and Azure
  - If using outside automation, use automation based on Secure Mesh Site v2 for AWS and Azure
- If deploying in an on-premises environment:
  - Use the Secure Mesh Site v2 for the VMware provider
  - Use the Secure Mesh Site (version 1) for all other providers
Caution: Do not use fleets to configure sites.
Can I continue using Site types that provide orchestration, such as AWS VPC, AWS TGW, Azure VNet, or GCP?
Unless orchestration is a must-have, it is recommended to use the new Secure Mesh site (version 2) workflow for AWS and Azure.
Note: Orchestration capabilities will be added to the Secure Mesh site v2 in upcoming releases.
Continue using the existing site types (AWS VPC/TGW, Azure VNet, GCP VPC) when orchestration is needed.
Would fleets continue to be supported?
Users are discouraged from using fleets. Fleets will be deprecated in a future release. Migration of CE sites created using fleets to the Secure Mesh Site v2 would be required. Timelines for deprecation, along with detailed migration guidance, will be provided in the future when deprecation of fleets is announced.
Would existing site types continue to be supported?
Existing site types will continue to be fully supported until further announcement.