Secure Mesh Site (Early Access) FAQs
This document provides information on general and specific user queries on the new workflow for deploying CEs using Secure Mesh Sites.
General FAQs
What is the new Secure Mesh Site?
We have introduced a simplified workflow to configure and manage Customer Edge (CE) Sites via the new Secure Mesh Site (version 2) with the August release of F5 Distributed Cloud. With this release, you will be able to create a CE site anywhere. This release introduces the following features:
- Removal of certified hardware (making it easy to deploy in any provider)
- Flexibility to choose F5 Distributed Cloud Regional Edges (REs)
- Removal of unnecessary user inputs (example: latitude/longitude for the CE site)
- Support for dynamic interfaces
- Using a single IP endpoint for registration and upgrades
- Support to deploy CE sites in any region
- Introducing CE support on F5 rSeries (5000 and onwards running F5OS 1.8 and above)
Is the new Secure Mesh functionality Generally Available (GA)?
The new Secure Mesh functionality is available in Early Access (EA). This functionality will become Generally Available (GA) by end of December, 2024.
Early Access Designation & Meaning
The new Secure Mesh functionality is available in Early Access (EA) in August, 2024. Early Access means that this functionality is to be used for Proof of Concept (PoC) & Proof of Value (PoV) deployments only. This should not be used for Production deployments. Feedback from these deployments will be used to mature the workflow as we make this Generally Available (GA).
When should I use the new Secure Mesh Site (version 2) functionality?
Utilize the new Secure Mesh Site functionality in the following cases:
- All Proof-of-Concept (PoC) or Proof-of-Value (PoV) deployments
- All staging and advanced PoC deployments
- Need to deploy in a provider which is not already supported (example: F5 rSeries, OCI)
When using the new Secure Mesh Sites, what are the caveats that one should be aware of with the August release?
The following caveats are to be noted while using the new Secure Mesh Site in the August release:
- Secure Mesh Site deployments are supported only on platforms listed in the validated platforms guide.
- For sites that have High Availability (HA) disabled, only 1 node is supported. This node will be the Control node. Additional nodes should not be added to this site.
- For sites that have HA enabled, nodes of the site should be powered on serially, with a gap of at least 90 seconds before powering on the next node.
- All nodes in a site should have the same resources - CPU | Memory | Disk (use the same instance flavor in case of CSPs like AWS, Azure, GCP).
- Baremetal provider is not supported for Early Access (EA).
- LTE / Cellular interfaces are not supported for Early Access (EA).
- Vertical scaling of sites is not supported in this phase. Once CE nodes are deployed, they should not be re-sized.
- Addition of interfaces should be done only when all nodes of the site are powered down: shut down all nodes in the site, add the required interface to each node in the site, power on all nodes, then configure the newly added interface on each node, making sure that the interface is placed in the same VRF (Network) on each node. Note: All nodes in a site should have the same number of interfaces.
- CE node decommission workflow is not supported for Early Access (EA). To remove a worker node from a site, first delete the worker node from the provider (for example, delete the VM hosted on VMware ESXi), wait for the node to go down in the F5 Distributed Cloud Console, and delete the node from the CE site configuration.
Note: The 'decommission node' workflow will be added in an upcoming release.
- Do not reuse a Site name, even if the Site that previously used that name was deleted within the last 30 days.
- For sites that have HA enabled, add only 3 nodes while provisioning the site and wait for the site to come online. These nodes will come up as "Control" nodes. Worker nodes can then be added. DO NOT add worker nodes while provisioning the CE site.
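Several of the caveats above (identical resources on every node, identical interface sets, each interface in the same VRF on every node, 3 control nodes for HA and 1 node for non-HA, serial power-on with a 90 second gap) can be checked against a node inventory before anything is powered on. The following pre-flight checker is an added illustration, not F5 tooling or any F5 Distributed Cloud API; the `Node` shape and the inventory values are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    """One CE node as provisioned in the provider (hypothetical shape for this example)."""
    name: str
    cpu: int
    memory_gb: int
    disk_gb: int
    interfaces: dict = field(default_factory=dict)  # interface name -> VRF (network)


def check_site(nodes, ha_enabled):
    """Return caveat violations for a site inventory; an empty list means it passes.

    Rules encoded from the Early Access caveats: HA sites are provisioned with
    exactly 3 control nodes and non-HA sites with a single node; every node has
    the same CPU/memory/disk; every node has the same set of interfaces; and each
    interface is in the same VRF on every node.
    """
    problems = []
    if not nodes:
        return ["site has no nodes"]
    expected = 3 if ha_enabled else 1
    if len(nodes) != expected:
        problems.append(
            f"{'HA' if ha_enabled else 'non-HA'} site must be provisioned with "
            f"{expected} node(s), inventory has {len(nodes)}"
        )
    ref = nodes[0]
    for n in nodes[1:]:
        if (n.cpu, n.memory_gb, n.disk_gb) != (ref.cpu, ref.memory_gb, ref.disk_gb):
            problems.append(f"{n.name}: CPU/memory/disk differ from {ref.name}")
        if set(n.interfaces) != set(ref.interfaces):
            problems.append(f"{n.name}: interface set differs from {ref.name}")
    # Every interface name seen anywhere must map to one VRF across all nodes.
    all_ifaces = set()
    for n in nodes:
        all_ifaces.update(n.interfaces)
    for iface in sorted(all_ifaces):
        vrfs = {str(n.interfaces.get(iface)) for n in nodes}  # "None" marks a missing interface
        if len(vrfs) > 1:
            problems.append(f"{iface}: VRF differs across nodes ({', '.join(sorted(vrfs))})")
    return problems


def power_on_schedule(nodes, gap_seconds=90):
    """Serial power-on plan: (node name, seconds to wait before powering that node on)."""
    return [(n.name, 0 if i == 0 else gap_seconds) for i, n in enumerate(nodes)]


if __name__ == "__main__":
    # Constructed inventories: three matching nodes, then the same with one node
    # that has fewer vCPUs and its second interface in a different VRF.
    good = [Node(f"ce-{i}", 8, 32, 100, {"eth0": "default", "eth1": "inside"}) for i in range(3)]
    bad = [Node(f"ce-{i}", 8, 32, 100, {"eth0": "default", "eth1": "inside"}) for i in range(2)]
    bad.append(Node("ce-2", 4, 32, 100, {"eth0": "default", "eth1": "dmz"}))
    print("good inventory:", check_site(good, ha_enabled=True))
    for issue in check_site(bad, ha_enabled=True):
        print("FAIL:", issue)
    print("power-on plan:", power_on_schedule(good))
```

Run the checker against the inventory you intend to provision and fix every reported line before powering on the first node; the power-on plan is only meaningful for HA sites, since a non-HA site has a single node.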
Known Issues:
You might see the "Obelix table syncer list operation failed" critical alert raised after the site is deployed. This alert is benign and will be removed as this functionality becomes Generally Available (GA).
Note: These features are expected to be available before GA. This FAQ document will be updated as more functionalities are made available.
Will the new Secure Mesh Site utilize a single IP endpoint for registration and updates?
Yes. The new Secure Mesh Site will utilize a single IP owned by F5 to register the Customer Edge (CE) sites. This will greatly simplify the egress rules required for the Customer Edge (CE) to connect to F5 Distributed Cloud to register and to pull updates.
Note: The Customer Edge (CE) sites will continue to require connectivity to F5 Regional Edges (REs). You can refer to this document for more information.
Will the single endpoint for registration and updates be applicable to all site types?
No. In the August release, only the new Secure Mesh Site will utilize a single IP owned by F5 for registration & updates. All other site types will continue to utilize the older list of IPs and domains. In upcoming releases, the following enhancements will be added:
- New site deployments - regardless of site type will use the single IP
- Existing site deployments will automatically switch to using the single IP
Note: This single IP will be within the list of IPs/Domains that customers would have allow listed as per this document.
If a Customer Edge (CE) site has a DRP configured for customer use cases, will it interfere with the single IP endpoint for registration and updates?
No. Customers can use DRP functionality on their Customer Edge (CE) deployments. This will not conflict with the single IP endpoint used for CE registration & updates. Customers do not need to add any specific allowlist rules to make a CE work.
--
Using existing CE Site Models
What happens to my existing CE deployments?
You can continue to use your existing Customer Edge site deployments which include - AWS VPC, AWS TGW, Azure VNet, GCP VPC, Secure Mesh Sites (version 1) and Sites created via Fleets. They will continue to be fully supported.
What happens to my existing Secure Mesh Sites?
You can continue to use your existing Secure Mesh Sites (version 1). They will be fully supported.
Where can I find Secure Mesh sites that I created before August?
Your existing Secure Mesh sites will reside in the "Manage > Site Management > Customer Edges > Secure Mesh Sites" section within the Network Connect.
What happens to my existing AppStack deployments?
There is no change to AppStack at this point. Continue using AppStack sites as before.
What site type should I use for my production deployments?
If you need to deploy a Customer Edge (CE) site for production workloads, here is the recommendation:
- If deploying in a cloud environment
  - If you need orchestration - utilize AWS VPC/TGW, Azure VNet or GCP VPC sites
  - If you are deploying manually - utilize the old Secure Mesh Site (version 1)
  - If using outside automation - utilize automation based on the old Secure Mesh Site (version 1)
- If deploying in an on-prem environment
  - Utilize the old Secure Mesh Site (version 1)
Note: Do not use "fleets" to configure Sites.
Can I continue using Site types that provide orchestration such as AWS VPC, AWS TGW, Azure VNet, GCP sites?
For PoC environments, unless orchestration is a must have, it is recommended to use the new Secure Mesh site (version 2) workflow.
Note: Orchestration capabilities will be added to the new Secure Mesh site in upcoming releases.
For Production environments, continue using the existing site types (AWS VPC/TGW, Azure VNet, GCP VPC).
Would fleets continue to be supported?
Users are discouraged from using fleets. Fleets will be deprecated. Migration of CE sites created using 'fleets' to the new Secure Mesh Sites would be required. Timelines for deprecation along with detailed migration guidance will be provided at the time the new Secure Mesh site becomes Generally Available (GA).
Would existing site types continue to be supported?
Existing site types will continue to be fully supported. When the new Secure Mesh site is made Generally Available (GA), a detailed deprecation plan will be sent out. This will include detailed instructions on deprecation and migration methodology.
Once the new Secure Mesh site is Generally Available (GA), new site deployments using old Secure Mesh Sites (version 1) and Fleets will be disallowed. Existing sites will continue to be fully supported, but they will need to be migrated to the new Secure Mesh sites (version 2), for which detailed migration guidance will be provided.
--