Create GCP Site (Orchestrated)

Objective

This guide provides instructions on how to create and deploy a Virtual Private Cloud (VPC) F5 Distributed Cloud Site in Google Cloud Platform (GCP).

You can deploy a VPC site if the workload you want to secure, connect, or load balance is present on or will be deployed in the same VPC. You may also choose to deploy a VPC site if you want to use the F5® managed Kubernetes offering by creating an App Stack site.

Overview

F5® Distributed Cloud supports GCP VPC site creation in both greenfield and brownfield environments. In a greenfield environment, it can automate the creation of VPC networks, subnets, firewall rules, routes, and other networking features. In a brownfield environment, you can choose existing resources from your VPC or choose to create new resources using the site creation wizard.

Clustering of Customer Edge Nodes

GCP VPC sites can be deployed as a single node or as a three-node site. These nodes host the control processes, data plane processes, and the IPsec connections to the Regional Edges (REs). For production deployment, a three-node site is recommended as it provides high availability and capacity for L7 features like Load Balancing, WAAP, and more.

Important: Worker nodes are not currently supported on any type of GCP VPC site.

GCP VPC Site Deployment Modes

A site can be deployed in three different modes, as explained below. For a generic network topology of a site, see Network Topology of a Site.

Ingress Gateway (One Interface): This mode provides discovery of services and endpoints reachable from this subnet and delivers it to any other site in the customer tenant. The site can provide TCP or HTTP load balancing and L7 security services for the apps that it discovers on the VPC. This mode can be used for application delivery or IP address overlap use cases, but as it functions only as an ingress gateway, it cannot provide L3 connectivity to networks on other sites in the tenant. This mode also provides Secure Kubernetes Gateway functionality to Kubernetes clusters deployed on the same VPC.

A three-node deployment diagram is shown below.

Figure: GCP VPC Site Deployment - Ingress Gateway (One Interface)

Figure: GCP VPC Site Deployment - Ingress Gateway (One Interface)

In this deployment mode, the CE node is attached to a single Subnet called the Site Local Outside (SLO), per GCP Zone in a VPC network. For a three-node cluster, the nodes will be distributed across three GCP zones. The default route associated with SLO must point to the Internet Gateway (IGW). This way the CE can reach the Internet and open the IPsec connections to the Regional Edges (REs).

The default configuration is to use an Internet Gateway for this, but Cloud NAT Gateway is also supported as an egress gateway option. The workloads can be deployed on a private subnet with a default route pointing to the Cloud NAT Gateway or on a public subnet with a default route pointing to the Internet Gateway. These subnets and routes are not auto-created.

Ingress/Egress Gateway (Two Interfaces): In this mode, the CE functions as a default gateway for the VPC network. This way, it can provide egress connectivity to the internet and L3 connectivity from the instances and subnets on the VPC network to subnets on other sites if a global network is configured. It can also provide the load balancing, Secure Kubernetes Gateway, and other L7 security features, like ingress gateway mode.

A three-node deployment diagram is shown below.

Figure: GCP VPC Site Deployment - Ingress/Egress Gateway (Two Interfaces)

Figure: GCP VPC Site Deployment - Ingress/Egress Gateway (Two Interfaces)

In this mode, the CE node is attached to two interfaces on two different subnets, on two VPC networks. One subnet is labeled as Site Local Outside (SLO), and the other as Site Local Inside (SLI). The default route on the SLO VPC network points to the IGW as the default gateway (Cloud NAT gateway is also supported). This provides Internet connectivity to the CE nodes. The default route on the SLI VPC network points to the SLI interface of the CE node or the internal TCP passthrough Network Load balancer for CE SLI IP addresses, in case of multi-node CE site.

F5® Distributed Cloud App Stack Cluster (App Stack) (One Interface): This deployment mode must be used if you want to use the site as an F5-managed Kubernetes site to host your applications. This site mode also provides Secure Kubernetes Gateway for the applications deployed on it by discovering the services, providing load balancing and L7 security features, like WAAP, Bot Detection, DDoS protection, and more.

The deployment and configuration of this site is identical to the Ingress Gateway (One Interface) Site. The difference with this deployment is the certified hardware type being gcp-byol-voltstack-combo. This configures and deploys an instance type that allows the site to have Kubernetes pods or VMs deployed on the site using Kubernetes APIs via managed K8s or virtual K8s endpoints.

Site Status Descriptions

These descriptions provide information for the various stages of site deployment in Distributed Cloud Console. They also provide information to help you troubleshoot errors that may occur during the deployment and registration stages.

PLANNING: Site resources are being planned for creation.

PLAN_INIT_ERRORED: Planning of site resources failed at init stage.

PLAN_ERRORED: Planning of site failed with errors.

PLAN_QUEUED: Planning of site resources queued to be implemented.

APPLIED: Site resources are created, and site is waiting to come online.

APPLY_ERRORED: Creation of site resources failed with errors.

APPLY_INIT_ERRORED: Creation of site resources failed with errors at initial stage.

APPLYING: Site creation is in progress.

APPLY_PLANNING: Site resources are being planned.

APPLY_PLAN_ERRORED: Planning of site failed with errors.

APPLY_QUEUED: Creation of site resources queued to be implemented.

DESTROYED: Site resources are destroyed and site is OFFLINE.

DESTROY_ERRORED: Destroying of site resources failed with errors.

DESTROYING: Destroying of site resources in progress.

DESTROY_QUEUED: Destroying of site resources queued to be destroyed.

GENERATED: Site Object created in F5 Distributed Cloud Console database as per configuration.

TIMED_OUT: Creation/Destroying of site resources is failed with a timeout.

ERRORED: Creation/Destroying of site resources is failed with errors.

PROVISIONING: Site resources are created and waiting for site to come online.

Prerequisites

General

Note: By proceeding with the installation, download and/or access and use, as applicable, of the Distributed Cloud Services software, and/or Distributed Cloud Services platform, you acknowledge that you have read, understand, and agree to be bound by this agreement.

  • Resources required per node:
    • vCPUs: Minimum 4 vCPUs.
    • Memory: 14 GB RAM.
    • Disk storage:
      • Minimum 80 GB for Mesh site.
      • Minimum 100 GB for App Stack site.

Note: For a full listing of the resources required, see the Customer Edge Site Sizing Reference guide. All the nodes in a given CE Site should have the same resources regarding the compute, memory, and disk storage. When deploying in cloud environments, these nodes should use the same instance flavor.

  • Instance type with Intel x86-based processor. ARM and Mac instances are not supported. Recommended instance types are:

    • n1-standard-4 (4 vCPU, 16 GB RAM)
    • n1-standard-8 (8 vCPU, 32 GB RAM)
    • n1-standard-16 (16 vCPU, 64 GB RAM)

  • Allow traffic from and to the Distributed Cloud public IP addresses to your network and allowlist related domain names. See Firewall and Proxy Server Allowlist Reference guide for the list of IP addresses and domain names.

  • UDP port 6080 needs to be opened between all the nodes of the site.

  • Internet Control Message Protocol (ICMP) needs to be opened between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed to ensure intra-cluster communication checks.

Important: After you deploy the CE Site, the IP address for the SLO interface cannot be changed. Also, the MAC address cannot be changed.

Existing VPC

VPC network names, and GCP region and zone names.

New default routes will be created for the existing subnets selected for Site Local Outside (SLO) and Site Local Inside (SLI) interfaces.

Deploy Using Console

The following video shows the GCP VPC site creation and site deployment workflow using Console:

You can create and manage a GCP VPC site in Console by first creating the site object using the guided wizard and then deploying it using the automated method.

Create GCP VPC Site Object

The guided wizard to create the GCP VPC site object guides you through the steps for required configuration.

Step 1: Start site object creation.

  • Log into Console.

  • From the homepage, select Multi-Cloud Network Connect.

Figure: Console Homepage

Figure: Console Homepage

  • Click Manage > Site Management > GCP VPC Sites.

  • Click Add GCP VPC Site.

  • Enter Name, enter Labels, and Description as needed.

Figure: GCP Site Set Up

Figure: GCP Site Set Up

Step 2: Configure GCP VPC region.

From the GCP Region drop-down menu, click See Common Values to select a region.

Figure: Select Region

Figure: Select Region

Step 3: Configure site type settings.

  • From the Select Ingress Gateway or Ingress/Egress Gateway drop-down menu, select an option:

    • Ingress Gateway (One Interface)

    • Ingress/Egress Gateway (Two Interface)

    • App Stack Cluster (One Interface)

Ingress Gateway (one interface)

  • For the Ingress Gateway (One Interface) option, click Configure.

  • From the GCP zone names list, click See Suggestions to select an option that matches the configured GCP Region.

  • From the Number of main nodes menu, select the number of master nodes for this site. 1 is for a single node site and 3 is for a multi-node site.

Important: Either a single master node site or a multi-node site with three (3) master nodes is supported. Therefore, if you are adding more than one node, ensure that there are three (3) master nodes for your site. Use Add Item to add different zones.

Figure: Main Nodes

Figure: Main Nodes

  • From the VPC Network for Local Interface menu, perform one of the following steps:

    • Autogenerate VPC Network Name: Default option. The VPC network name is automatically generated.

    • Specify VPC Network Name: Creates a network that is entered in the GCP VPC Network Name field.

    • Existing VPC Network: Specify an existing VPC network name from the GCP Region select previously. Enter its name in the GCP VPC Network Name field.

  • From the Subnet for Local Interface menu, perform one of the following:

    • For the New Subnet Parameters option, enter a name for the subnet in the VPC Subnet Name field and a subnet prefix in the IPv4 Subnet Prefix field. The subnet name will be auto-generated if a name is not specified.

    • For the Existing Subnet option, specify the existing subnet name on the existing VPC network selected above in the VPC Subnet Name field.

  • In the Advanced Options section, enable the Show Advanced Fields option and perform the following:

    • From the Performance Mode menu, select an option:

    • L7 Enhanced: This option optimizes the site for Layer 7 traffic processing.

    • L3 Mode Enhanced Performance: This option optimizes the site for Layer 3 traffic processing. Only choose this option if the site is used for L3 connectivity and not any L7 features. Select whether to use this feature with or without jumbo frames.

Note: The L3 Mode Enhanced Performance feature works on CE sites with a minimum of 5 cores and a minimum of 3 GB memory. Jumbo frames (Ethernet frames with a larger payload than the Ethernet standard maximum transmission unit of 1,500 bytes) are supported for L3 Mode Enhanced Performance.

  • Click Apply to save the configuration.
Ingress/Egress Gateway (two interfaces)

  • For the Ingress/Egress Gateway (Two Interface) option, click Configure.

  • From the GCP zone names list, click See Suggestions to select an option that matches the configured GCP Region.

  • From the Number of main nodes menu, select the number of master nodes for this site. 1 is for a single node site and 3 is for a multi-node site.

Important: Either a single master node site or a multi-node site with three (3) master nodes is supported. Therefore, if you are adding more than one node, ensure that there are three (3) master nodes for your site. Use Add Item to add different zones.

  • From the VPC Network for Inside Interface menu, perform one of the following steps:

    • Autogenerate VPC Network Name: Default option. The VPC network name is automatically generated.

    • Specify VPC Network Name: Creates a network that is entered in the GCP VPC Network Name field.

    • Existing VPC Network: Specify an existing VPC network name from the GCP Region select previously. Enter its name in the GCP VPC Network Name field.

  • From the Subnet for Inside Interface menu, perform one of the following steps:

    • For the New Subnet Parameters option, enter a name in the VPC Subnet Name field, and enter an IP address prefix in the IPv4 Subnet Prefix field. Subnet name will be auto-generated if a name is not specified.

    • For the Existing Subnet option, enter an existing VPC network name in the VPC Subnet Name field for the existing VPC network selected above.

  • From the VPC Network for Outside Interface menu, perform one of the following steps:

    • Autogenerate VPC Network Name: Default option. The VPC network name is automatically generated.

    • Specify VPC Network Name: Creates a VPC network name that is created in the GCP Region. Enter a name in the GCP VPC Network Name field.

    • Existing VPC Network: Specifies an existing VPC network name in the GCP Region. Enter a name in the GCP VPC Network Name field.

  • From the Subnet for Outside Interface menu, perform one of the following steps:

    • New Subnet Parameters: enter the name in the VPC Subnet Name field, and enter an IP address prefix in the IPv4 Subnet Prefix field. Subnet name will be auto-generated if a name is not specified.

    • Existing Subnet: Specifies an existing subnet name for the existing VPC network previously selected. Enter an existing VPC network name in the VPC Subnet Name field.

  • In the Site Network Firewall section:

    • Optionally, add a firewall policy by selecting Active Firewall Policies or Active Enhanced Firewall Policies from the Manage Firewall Policy menu. Select an existing firewall policy, or select Add Item to create and apply a firewall policy or Configure for an enhanced version.

Note: See the Create Firewall Policy guide for more information.

  • From the Manage Forward Proxy menu, select an option to use the site as a forward proxy for outgoing requests. This configuration allows you to filter Internet-bound outgoing traffic from the site:

    • Disable Forward Proxy if you want clients on-site to directly connect to services on the Internet. All outbound traffic is allowed.

    • Enable Forward Proxy with Allow All Policy if you want all outbound traffic to be allowed and need the CE to proxy the outbound connections and SNAT over the SLO IP.

    • Enable Forward Proxy and Manage Policies if you want the CE to proxy traffic for selected TLS domains or HTTP URLs: Select an existing forward proxy policy or select Add Item to create and apply a forward proxy policy.

Note: See the Forward Proxy Policies guide for more information.

  • In the Advanced Options section, optionally enable Show Advanced Fields.

  • Select Connect Global Networks from the Select Global Networks to Connect menu to enable site-to-site L3 connectivity, and perform the following:

    • Click Add Item.

    • From the Select Network Connection Type menu, select an option:

      • Select Direct Site Local Inside to a Global Network to allow subnets on the site’s VPC and subnets on other sites on the same global network to be routable to each other without NAT.

      • Select Direct Site Local Outside to a Global Network to allow subnets on the site’s VPC to route to subnets on other sites without NAT, but disable other sites to have a route to the current site’s subnets other than the outside subnet.

    • From the Global Virtual Network menu, select an existing global network or create a new network using Add Item. See the Virtual Networks guide for more information.

    • Click Apply.

  • From the Select DC Cluster Group menu, select an option to set the site in a DC cluster group:

    • Not a Member of DC Cluster Group: Default option.

    • Member of DC Cluster Group via Outside Network: Select this option if other sites are reachable via SLO interface.

    • Member of DC Cluster Group via Inside Network: Select this option if other sites are reachable via SLI interface.

Note: For more information, see the Configure DC Cluster Group guide.

  • From the Manage Static Routes for Inside Network menu, select Manage Static Routes. Click Add Item. Perform one of the following steps:

    • Select Simple Static Route and then enter a static route in the Simple Static Route field. Specify the destination in a.b.c.d/m format. The route is always added on SLI, and the ARP for the destination must resolve from the CE’s SLI.

    • Select Custom Static Route and then click Configure. Perform the following steps:

      • In the Subnets section, click Add Item. Select IPv4 or IPv6 option from the Version menu. Enter a prefix and a prefix length for the subnet. Click Apply. You can use the Add Item option to set more subnets.

      • In the Nexthop section, select a next-hop type from the Type menu. Select IPv4 or IPv6 from the Version menu in the Address subsection. Enter an IP address. From the Network Interface menu, select an option.

      • From the Static Route Labels field, select supported labels using Add Label. You can select more than one from this list.

      • From the Attributes menu, select supported attributes. You can select more than one from this list.

      • Click Apply to add the custom route.

      • Click Apply.

  • Select Manage Static routes from the Manage Static Routes for Outside Network menu, and click Add Item. Follow the same procedure as that of managing the static routes for inside network.

  • From the Site Mesh Group Connection Type menu, select an option:

    • Select Site Mesh Group Connection via Public IP if other sites in SMG are accessible only over the Internet.

    • Select Site Mesh Group Connection via Private IP if other sites in SMG are accessible over private connectivity.

  • From the Performance Mode menu, select an option:

    • L7 Enhanced: This option optimizes the site for Layer 7 traffic processing.

    • L3 Mode Enhanced Performance: This option optimizes the site for Layer 3 traffic processing. Only choose this option if the site is used for L3 connectivity and not any L7 features. Select whether to use this feature with or without jumbo frames.

Note: The L3 Mode Enhanced Performance feature works on CE sites with a minimum of 5 cores and a minimum of 3 GB memory. Jumbo frames (Ethernet frames with a larger payload than the Ethernet standard maximum transmission unit of 1,500 bytes) are supported for L3 Mode Enhanced Performance.

If L3 Mode Enhanced Performance is not enabled on all CE sites in a Site Mesh Group, the MTU configured on the site-to-site tunnel interfaces will not be consistent. Therefore, it is recommended to enable L3-focused performance mode on all sites participating in a Site Mesh Group.

  • Click Apply to save the configuration.
Figure: Advanced Options

Figure: Advanced Options

App Stack Cluster (one interface)

  • For the App Stack Cluster (One Interface) option, click Configure.

  • From the GCP zone names list, click See Suggestions to select an option that matches the configured GCP Region.

  • From the Number of main nodes menu, select the number of master nodes for this site. 1 is for a single node site and 3 is for a multi-node site.

Important: Either a single master node site or a multi-node site with three (3) master nodes is supported. Therefore, if you are adding more than one node, ensure that there are three (3) master nodes for your site. Use Add Item to add different zones.

Figure: App Stack Site

Figure: App Stack Site

  • From the VPC Network for Local Interface menu, perform one of the following steps:

    • Autogenerate VPC Network Name: Default option. The VPC network name is automatically generated.

    • Specify VPC Network Name: Creates a network that is entered in the GCP VPC Network Name field.

    • Existing VPC Network: Specify an existing VPC network name from the GCP Region select previously. Enter its name in the GCP VPC Network Name field.

  • From the Subnet for Local Interface menu, perform one of the following:

    • For the New Subnet Parameters option, enter a name for the subnet in the VPC Subnet Name field and a subnet prefix in the IPv4 Subnet Prefix field. The subnet name will be auto-generated if a name is not specified.

    • For the Existing Subnet option, specify the existing subnet name on the existing VPC network selected above in the VPC Subnet Name field.

  • In the Site Network Firewall section:

    • Optionally, add a firewall policy by selecting Active Firewall Policies or Active Enhanced Firewall Policies from the Manage Firewall Policy menu. Select an existing firewall policy, or select Add Item to create and apply a firewall policy or Configure for an enhanced version.

Note: See the Create Firewall Policy guide for more information.

  • From the Manage Forward Proxy menu, select an option to use the site as a forward proxy for outgoing requests. This configuration allows you to filter Internet-bound outgoing traffic from the site:

    • Disable Forward Proxy if you want clients on-site to directly connect to services on the Internet. All outbound traffic is allowed.

    • Enable Forward Proxy with Allow All Policy if you want all outbound traffic to be allowed and need the CE to proxy the outbound connections and SNAT over the SLO IP.

    • Enable Forward Proxy and Manage Policies if you want the CE to proxy traffic for selected TLS domains or HTTP URLs: Select an existing forward proxy policy or select Add Item to create and apply a forward proxy policy.

Note: See the Forward Proxy Policies guide for more information.

  • In the Storage Configuration section, enable the Show Advanced Fields option.

  • From the Select Configuration for Storage Classes menu, select Add Custom Storage Class if you want to use a user-created storage class for storage devices or external storage deployed outside F5 Distributed Cloud Services.

  • Click Add Item.

  • In the Storage Class Name field, enter a name for the storage class as it will appear in Kubernetes.

  • Optionally, enable the Default Storage Class option to make this new storage class the default class for all clusters.

  • Click Apply.

  • Optionally, configure more settings in the Advanced Options section by enabling Show Advanced Fields.

  • Select Connect Global Networks from the Select Global Networks to Connect menu to enable site-to-site L3 connectivity, and perform the following:

    • Click Add Item.

    • From the Select Network Connection Type menu, select an option:

      • Select Direct Site Local Inside to a Global Network to allow subnets on the site’s VPC and subnets on other sites on the same global network to be routable to each other without NAT.

      • Select Direct Site Local Outside to a Global Network to allow subnets on the site’s VPC to route to subnets on other sites without NAT, but disable other sites to have a route to the current site’s subnets other than the outside subnet.

    • From the Global Virtual Network menu, select an existing global network or create a new network using Add Item. See the Virtual Networks guide for more information.

    • Click Apply.

  • From the Select DC Cluster Group menu, select an option to set the site in a DC cluster group:

    • Not a Member of DC Cluster Group: Default option.

    • Member of DC Cluster Group via Outside Network: Select this option if other sites are reachable via SLO interface.

    • Member of DC Cluster Group via Inside Network: Select this option if other sites are reachable via SLI interface.

Note: For more information, see the Configure DC Cluster Group guide.

  • From the Site Mesh Group Connection Type menu, select an option:

    • Select Site Mesh Group Connection via Public IP if other sites in SMG are accessible only over the Internet.

    • Select Site Mesh Group Connection via Private IP if other sites in SMG are accessible over private connectivity.

  • From the Manage Static Routes for Site Local Network menu, select an option:

    • Disable Static Routes: Default option. No new static routes are created.

    • Manage Static Routes: Add a new static route: Click Add Item. Perform one of the following steps:

    • Select Simple Static Route and then enter a static route in the Simple Static Route field. Specify the destination in a.b.c.d/m format. The route is always added on SLI, and the ARP for the destination must resolve from the CE’s SLI.

    • Select Custom Static Route and then click Configure. Perform the following steps:

      • In the Subnets section, click Add Item. Select IPv4 or IPv6 option from the Version menu. Enter a prefix and a prefix length for the subnet. Click Apply. You can use the Add Item option to set more subnets.

      • In the Nexthop section, select a next-hop type from the Type menu. Select IPv4 or IPv6 from the Version menu in the Address subsection. Enter an IP address. From the Network Interface menu, select an option.

      • From the Static Route Labels field, select supported labels using Add Label. You can select more than one from this list.

      • From the Attributes menu, select supported attributes. You can select more than one from this list.

      • Click Apply to add the custom route.

      • Click Apply.

  • From the Site Local K8s API access menu, select an option:

    • Disable Site Local K8s API access: Select this option if you do not want to access the k8s API for the site directly and instead are using it as one of the sites in Virtual Kubernetes (vk8s) and want to access it via vk8s API only.

    • Enable Site Local K8s API access: Select this option if you want to configure the site for managed K8s and want to access the site’s API endpoint directly. From the Enable Site Local K8s API access menu, select an existing managed K8s cluster name or create a new one by clicking on Add Item.

Note: Distributed Cloud Services support both mutating and validating webhooks for managed K8s. Webhook support can be enabled in the K8s configuration. For more information, see the Create K8s Cluster guide.

  • Click Apply.
Step 4: Select cloud credentials.

Refer to the Cloud Credentials guide for more information. Ensure that the GCP credentials are applied with required access policies as per the Policy Requirements document.

  • From the Cloud Credentials menu, select your existing GCP credentials object, or click Add Item to load the credential creation wizard.

  • To create new credentials, use the following guidelines:

    • Enter a name in the Metadata section.

    • Optionally, set labels and enter a description.

    • From the Select Cloud Credential Type menu, select GCP Credentials.

    • Click Configure.

    • Select an option for the Secret Info:

      • If you select Blindfold Secret, enter the secret in the field, and then click Blindfold.

      • If you select Clear Secret, enter the secret in one of the formats displayed.

Note: The secret is your GCP service account keys in JSON format.

  • Click Apply.
Step 5: Set the site node parameters.

  • In the Site Node Parameters section, enable the Show Advanced Fields option.

  • From the GCP Instance Type for Node menu, select the instance type using See Common Values.

  • In the Public SSH key box, enter the public key used for SSH purposes.

  • Optionally, configure the Cloud Disk Size option. The minimum disk size is 80 GB for mesh sites and 100 GB for App Stack Sites.

  • Optionally, add a geographic address and enter the latitude and longitude values. The coordinates will be auto-populated based on the GCP region selected, but you have the option to override it. The coordinates allow the site to be shown in a proper location on the site map on the dashboard.

Step 6: Configure the advanced options.

  • In the Advanced Configuration section, enable the Show Advanced Fields option.

  • From the Logs Streaming menu, select Enable Logs Streaming to configure the syslog server. Keep Disable Logs Streaming selected if streaming is not required.

  • From the F5XC Software Version menu, keep the default selection of Latest SW Version or select F5XC Software Version to specify an older version number.

  • From the Operating System Version menu, keep the default selection of Latest OS Version or select Operating System Version to specify an older version number.

  • For GCP Labels, use Add Label to link sites together using a label. A maximum of thirty (30) tags are supported per instance.

  • From the Offline Survivability Mode menu, select Enable Offline Survivability Mode. This action will restart all pods for your site. For more information, see the Manage Site Offline Survivability guide.

Step 6.1: Optionally, configure private link.

  • From the Private Connectivity To Site drop-down menu, select an option:

    • Disable Private Connectivity: Default option.

    • Enable Private Connectivity: Enables a private link to your cloud site. For more information, see the CloudLink guide.

Step 6.2: Configure blocked services from site.

  • From the Services to be blocked on site menu, select the service you want to be blocked/allowed on the CE node. This configuration only blocks access to the services running on the CE nodes and not to the services to which the CE is acting as a load balancer or a default gateway. See the following options:

    • Block DNS, SSH & WebUI services on Site: Default option.

    • Allow access to DNS, SSH & WebUI services on Site: Select this option to allow incoming traffic to these services.

    • Custom Blocked Services Configuration: Select this option and click Add Item to block specific services. Select the service to block (DNS or SSH) on the SLO or SLI network from the Blocked Services Value Type menu.

Step 7: Complete the site object creation.
New VPC Site

Click Save and Exit to complete creating the site. The Status field for the site object displays Validation in progress. After validation, the field displays Validation Succeeded.

Existing VPC Site

If you use an existing VPC, Console will validate whether certain existing objects are available and valid. This provides current information to help troubleshoot and fix any potential issues without having to wait until the full site deployment process completes.

After you click Save and Exit, the validation process begins and is displayed as Validation in progress.

If the site deployment validation failed, a message with Validation Failed will be displayed. Click on the tooltip to display a popup message with the error.

If the site deployment validation succeeded, a message with Validation Succeeded will be displayed.

Note: The QUEUED state references a site status action that is in process. The site status will remain in QUEUED state until the backend service is ready to execute Apply/Plan/Destroy commands. The site status (under the Status column) is updated on the Console once the execution begins. After a maximum duration of 15 minutes, the site will stay in the QUEUED state until the status times out, after which a new state is set as PROVISION_TIMEOUT.

Deploy Site

Creating the GCP VPC site object in Console generates the Terraform parameters.

Step 1: Deploy site.

  • Navigate to the GCP VPC site object by clicking Manage > Site Management > GCP VPC Sites.

  • Find your GCP VPC site object and click Apply under the Status column. The Status column for the site object changes first to Queued and then to Applying.

Note: Optionally, you can perform Terraform plan activity before the deployment. Find your GCP VPC site object and click ... > Plan (Optional) to generate the execution plan for Terraform.

  • Wait for the status to change to Applied.

  • To check the status for the apply action, click ... > Terraform Parameters for site object, and select the Apply Status tab.

Step 2: Confirm site deployed and online.

  • Navigate to Multi-Cloud Network Connect > Overview > Sites.

  • Verify status is Online. It takes a few minutes for the site to deploy and status to change to Online.

Note: You cannot add worker nodes. You can use SSH to log in to your node with username cloud-user and your private key.

Delete VPC Site

You have two options when deleting a site in Console. You delete the site entirely, with all its resources and configuration. Or you can simply delete the site, its resources, but maintain the existing configuration (so that it can be re-applied at a later time).

Note: Deleting the VPC object deletes the sites, nodes, the VPC, and other objects created in the cloud for the site. This action also removes the site object from Console and cannot be undone.

Destroying a site deployed on an existing VPC will leave the subnets used for Site Local Outside, Site Local Inside, and Workload subnets without any explicit route associations.

Delete Site Completely

  • Navigate to Manage > Site Management > GCP VPC Sites.

  • Locate the site object.

  • Select ... > Delete.

  • Click Delete in pop-up confirmation window. In case the delete operation does not remove the object and returns any error, check the error from the status, fix the error, and re-attempt the delete operation. If the problem persists, contact technical support. You can check the status using the ... > Terraform Parameters > Apply status option.

Delete Site but Maintain Configuration

  • Navigate to Manage > Site Management > GCP VPC Sites.

  • Locate the site object.

  • Click Destroy for your site. Alternately, click ... > Destroy.

  • In the pop-up window, type DELETE.

  • Click Destroy to confirm the action. On successful operation, the site status will show Destroyed and the Apply button will appear on the row of your site. This can be used to create the site again at a later time, if required. The site object is no longer required and can be removed from Console by clicking Delete in the Actions menu for the site.

Deploy Site Using Terraform

This chapter provides instructions on how to create a single-node or multi-node site on GCP with Terraform.

Perform the following procedure to deploy a site using Terraform:

Step 1: Confirm Terraform is installed.

In a terminal, enter terraform version. If you need to install, follow the instructions in the official guide.

Step 2: Create API credentials file.

Log into Console and create an API 12 certificate file and then download it. Use the instructions at Credentials for more help.

Step 3: Create a new directory on your system to place files for deployment.

Create a new directory on your system to place files for deployment.

Step 4: Create the deployment file.

  • Create a file and name it main.tf file, and place it in the newly created directory.

  • Copy and paste the following information into the file:

terraform {
  required_version = ">= 0.13.1"
  required_providers {
    volterra = {
      source = "volterraedge/volterra"
    }
  }
}
variable "site_name" {}
variable "gcp_cred_file" {}
variable "gcp_instance_type" {
  default = "n1-standard-4"
}
variable "gcp_region" {
  default = "us-east1"
}
variable "gcp_az" {
  default = "us-east1-b"
}
variable "outside_subnet_cidr_block" {
  default = "192.168.0.0/25"
}
resource "volterra_cloud_credentials" "gcp_cred" {
  name      = format("%s-cred", var.site_name)
  namespace = "system"
  gcp_cred_file {
    credential_file {
      clear_secret_info {
        url = format("string:///%s", base64encode(file(var.gcp_cred_file)))
      }
    }
  }
}
resource "volterra_gcp_vpc_site" "site" {
  name      = var.site_name
  namespace = "system"
  ssh_key   = "ssh-rsa XXXX"
  cloud_credentials {
    name      = volterra_cloud_credentials.gcp_cred.name
    namespace = "system"
  }
  gcp_region    = var.gcp_region
  instance_type = var.gcp_instance_type
  ingress_gw {
    gcp_certified_hw = "gcp-byol-voltmesh"
    gcp_zone_names   = [var.gcp_az]
    local_network {
      new_network {
        name = "outside-network"
      }
    }
    node_number = 1
    local_subnet {
      new_subnet {
        primary_ipv4 = var.outside_subnet_cidr_block
        subnet_name  = "outside-subnet"
      }
    }
  }
  lifecycle {
    ignore_changes = [labels]
  }
}
resource "volterra_tf_params_action" "apply_gcp_vpc" {
  site_name        = volterra_gcp_vpc_site.site.name
  site_kind        = "gcp_vpc_site"
  action           = "apply"
  wait_for_action  = true
  ignore_on_update = true
}
Copied!

  • Open the file and configure any necessary fields. You can change the parameters for your particular setup.

  • Save the changes and then close the file.

Step 5: Create file for variables.

  • In the same directory, create another file for variables and name it terraform.tfvars.

  • Create and assign the following variables:

    • For your site name, type a name within double quotes: site_name = "<site-name>"

    • For the GCP region, type the name within double quotes: gcp_region = "<region-name>"

    • For the GCP availability zone, type the name within double quotes: gcp_az = "<gcp-az-name>"

    • For the credential file, type the name within double quotes: gcp_cred_file = "<gcp-credential-file-location>"

site_name = <site-name>
gcp_region = <region-name>
gcp_az = <gcp-az-name>
gcp_cred_file = <gcp-credential-file-location>
Copied!
Step 6: Create and export variables for credentials and secret keys.

  • In the terminal, create and export the following variables:

    • Create this variable and assign it your API credentials password: export VES_P12_PASSWORD=<credential-password>

    • Create this variable and assign it the path to the API credential file previously created and downloaded from Console: export VOLT_API_P12_FILE=<path-to-local-p12-file>

    • Create this variable and assign it the URL for your tenant. For example: export VOLT_API_URL=https://example.console.ves.volterra.io/api

Note: You can also create and save these variables in the terraform.tfvars file. However, this may pose a security risk. Use caution when working with your credentials and secret keys.

export VES_P12_PASSWORD=<credential-password>
export VOLT_API_P12_FILE=<path-to-local-p12-file>
export VOLT_API_URL=https://example.console.ves.volterra.io/api
Copied!
Step 7: Initiate Terraform process.

Enter terraform init.

Step 8: Apply Terraform process.

  • Enter terraform apply.

  • If prompted for the access key and secret key encoded in Base64, enter both.

  • Enter yes to confirm. This may take a few minutes to complete. After the process is complete, the output will state Apply complete!.

  • In Console, navigate to the list of sites and confirm the site was applied.

Destroy Site

Perform the following procedure to destroy the site using Terraform:

  • Enter terraform destroy.

  • If prompted for the access key and secret key encoded in Base64, enter both.

  • Enter yes to confirm. This may take a few minutes to complete. After the process is complete, the output will state Destroy complete!.

  • In Console, navigate to the list of sites and confirm the site was destroyed.

Next Steps

After you have successfully deployed your site, you can choose to upgrade it or create a site mesh group (SMG).

  • To update your site to the latest OS version, click Upgrade under the Software Version tile on the dashboard.

Note: Site upgrades may take up to 10 minutes per site node. Once site upgrade has completed, you must apply the Terraform parameters to site via Action menu on cloud site management page.

Figure: Site OS Upgrade

Figure: Site OS Upgrade

Concepts

On this page: