Create Secure Mesh Site v2

Published April 5, 2023 | Last modified May 7, 2025

Objective

This document provides instructions on how to deploy an F5 Distributed Cloud Customer Edge site using the non-orchestrated method with the new and simplified workflow of secure mesh site. This workflow can be used to deploy CE sites on-premises (VMware, KVM, and bare metal) and public clouds (AWS, Azure, GCP, and OCI) using the cloud provider’s console or the cloud provider's Terraform. Additionally, this new workflow can be used to deploy CE sites on the F5 Big-IP rSeries next-generation hardware platform.

This new and simplified workflow also includes enhancements to remove certified hardware, a single endpoint for CE site registration, and much more.

Important: These providers are Generally Available (GA): VMware, AWS, Azure, GCP, OCI, and OpenStack. These providers are Early Access (EA): F5 rSeries, Nutanix, KVM, and Baremetal.

Planning

Read the following documents before deploying a Secure Mesh Site in any provider environment:

Important: After you deploy the CE Site, the IP address for the SLO interface cannot be changed. Also, the MAC address cannot be changed.

Prerequisites

  • An F5 Distributed Cloud Account. If you do not have an account, see Getting Started with Console.

  • One or more devices or virtual machines (VMs) consisting of interfaces with Internet reachability for site deployment.

  • Resources required per node: Minimum 4 vCPUs, 14 GB RAM, and 80 GB disk storage. For a full listing of the resources required, see the Customer Edge Site Sizing Reference guide. All the nodes in a given CE Site should have the same resources regarding the compute, memory, and disk storage. When deploying in cloud environments, these nodes should use the same instance flavor.

  • Internet Control Message Protocol (ICMP) needs to be opened between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed to ensure intra-cluster communication checks.

  • Configure your firewall or proxy server to allow connections from and to the IP addresses listed in the Distributed Cloud Services Firewall and Proxy Server Allowlist Reference guide.

Configuration Overview

Use the following sequence of actions to create a secure mesh site:

  1. Choose the provider where your secure mesh site is being deployed:

    • For high availability (HA): When High availability (HA) is disabled, the site supports only one node, which is a control node. Worker nodes cannot be added. When High availability (HA) is enabled, the site must have at least three nodes as control nodes and any additional nodes can be added as worker nodes.

    • Configure any additional parameters.

  2. For on-premises providers (VMware, KVM, and bare metal), download the image file. For cloud providers (AWS, GCP, and OCI), use Copy Image Name. For Azure, use Launch Instance. Each node in a CE site must be brought up using the same image.

  3. When launching a node, check out a node token. Each node requires a unique token generated in F5 Distributed Cloud Console.

  4. Add additional site nodes as required by initial configuration of site object.

  5. Add additional interfaces to each node as required.

Important: Adding a new network interface will cause the data plane services to restart. Therefore, it is strongly recommended to perform this operation during maintenance windows. As data plane services restart, traffic drops are expected, as well as tunnels going down. When adding interfaces, it is important to make sure that the interfaces are added to each node in the cluster. Nodes with non-homogenous interfaces within a CE Site might cause issues. Therefore, each node in a given CE Site should have the same number of interfaces placed in the same VRFs.

Each node must be powered off when adding new interfaces or modifying existing ones.

Create Secure Mesh Site

Log into F5 Distributed Cloud Console to create a secure mesh site.

Step 1: Enter metadata information for site.

  • In Multi-Cloud Network Connect service, navigate to Manage > Site Management > Secure Mesh Sites v2.

  • Select Add Secure Mesh Site to open the configuration form.

  • In the Metadata section, enter a name for the site.

  • Optionally, select labels and add a description.

Step 2: Select the infrastructure provider settings for site.

  • From the Provider Name menu, select the infrastructure provider from the options available. Refer to provider-specific documentation links below to bring up infrastructure in that provider:

  • For the Orchestration Mode menu option, select Not Managed By F5XC. With this option, Distributed Cloud Services will not automate any infrastructure provisioning (like node bring up). You are expected to bring up infrastructure using the provider-specific manual workflows or using the provider specific automation tools, like Terraform.

  • For the High Availability menu, choose an option. When disabled, the site supports only one node, which is a control node. Worker nodes cannot be added. When enabled, the site must have at least three nodes as control nodes and any additional nodes can be added as worker nodes.

Step 3: Configure RE site options.

Use the following steps to configure the regional edge (RE) site settings in the Regional Edge section. Your CE site will connect to the RE site for registration purposes.

Note: The configuration options in this section are set to standard default values. Therefore, it may not be necessary to customize any of the options unless you need customization only for advanced deployments.

  • From the Regional Edge Selection menu, select the RE geography to use. The default option is use the geographically-closest RE site to where you are deploying your CE site.

  • Optionally, select the site-to-site tunnel encryption type from the Tunnel Type menu. The default option is IPsec/SSL. When IPsec/SSL is used, IPsec takes priority.

  • Optionally, configure the timeout value for site tunneling from the Tunnel Dead Timeout (msec) menu. The default option is zero (0) milliseconds.

  • Optionally, enable the offline survivability feature from the Offline Survivability Mode menu. For more information, see the Manage Site Offline Survivability guide.

Step 4: Configure site networking options.

Use the following steps to configure the CE site networking settings in the Site Networking section.

Note: The configuration options in this section are set to standard default values. Therefore, it may not be necessary to customize any of the options unless you need customization only for advanced deployments.

  • From the Site Local Outside Network menu, choose to keep the default option for the Site Local Outside interface. The SLO is required for workloads that connect to the public Internet/WAN. To configure the default SLO network, select Configure Site Local Outside Network and then click View Configuration. This uses static routes, the load balancer, and DNS server for that network.

  • From the Site Local Inside Network menu, choose to keep the default option for the Site Local Inside interface. A Site Local Inside (SLI) interface is optional and is used for workloads on a private LAN. It is not enabled by default. To add an SLI network, select Configure Site Local Inside Network and then click View Configuration. This uses static routes, the load balancer, and DNS server for that network.

  • To enable virtual IP address (VIP) redundancy when operating a CE in L2 mode: From the VRRP Mode menu, select Enable VRRP for VIP(s).

Step 5: Configure site to site connectivity options.

Use the following steps to configure the CE site networking settings in the Site To Site Connectivity section.

Note: The configuration options in this section are set to standard default values. Therefore, it may not be necessary to customize any of the options unless you need customization only for advanced deployments.

  • To connect the site to other sites using the SLO network, from the Connect using SLO Local VRF menu, select an option:

    • Site Mesh Group: This option connects your site to other sites in a mesh network. You can connect using a public IP or a private IP. For more information, see the Site Mesh Group guide.

    • Member of DC Cluster Group: This option places your site within a Direct Connect (DC) Cluster Group. For more information, see the Configure DC Cluster Group guide.

  • To connect the site to other sites using the SLI network, from the Connect using SLI Local VRF menu, select Member of DC Cluster Group. For more information, see the Configure DC Cluster Group guide.

Step 6: Configure network security for site.

Use the following steps to configure the CE site networking security settings in the Network Security section.

Note: The configuration options in this section are set to standard default values. Therefore, it may not be necessary to customize any of the options unless you need customization only for advanced deployments.

  • From the Network Firewall menu, choose to enable an enhanced firewall. Select the firewall from the drop-down menu. Use Add Item to add more than one firewall. For more information, see the Network Firewall guide.

  • From the Forward Proxy menu, choose to enable a forward proxy. Select the policy from the drop-down menu. Use Add Item to add more than one policy. The network traffic will be processed based on the order set. For more information, see the Forward Proxy Policies guide.

Step 7: Configure performance mode.

Use the following steps to configure the CE site performance mode in the Services & Resources section.

Note: The configuration option in this section is set to standard default values. Therefore, it may not be necessary to customize it unless you need customization only for advanced deployments.

  • From the Performance Mode menu, select an option:

    • L7 Enhanced: This option optimizes the site for Layer 7 traffic processing.

    • L3 Enhanced: This option optimizes the site for Layer 3 traffic processing. Only choose this option if the site is used for L3 connectivity and not any L7 features. Select whether to use this feature with or without jumbo frames.

Important: The L3 Enhanced feature works on CE sites with a minimum of 5 cores and a minimum of 3 GB memory. Jumbo frames (Ethernet frames with a larger payload than the Ethernet standard maximum transmission unit of 1,500 bytes) are supported for L3 Enhanced. If L3 Enhanced is not enabled on all CE sites in a Site Mesh Group, the MTU configured on the site-to-site tunnel interfaces will not be consistent. Therefore, it is recommended to enable L3-focused performance mode on all sites participating in a Site Mesh Group.

Step 8: Configure site management options.

Enable the Show Advanced Fields option.

Step 8.1: Configure software settings.

  • From the F5XC Software Version menu, keep the default selection of Latest SW Version or select F5XC Software Version to specify an older version number.

  • From the Operating System Version menu, keep the default selection of Latest OS Version or select Operating System Version to specify an older version number.

Step 8.2: Configure node upgrade settings.

From the Node by Node Upgrade menu, select how each worker node is upgraded. Note that this configuration does not apply to the control node(s). Optionally, configure Upgrade Wait Time, Node Batch Size, and Node Batch Size Count.

Step 8.3: Configure admin credentials.

  • Under Admin Password, click Configure. Configure the options for Secret Type, Action, and Policy Type. Enter your password in the Secret to Blindfold text box. Click Apply.

  • Enter your public SSH key.

Step 8.4: Configure node services, monitoring, and log streaming.

  • To disable the web, SSH, and DNS services for your site, from the Node Local Services menu, select Disable. Click Add Item for each service you want to disable. By default, these services are enabled to help with site troubleshooting.

  • From the Logs Streaming menu, select Enable to configure the syslog server, and then add the log receiver. Keep Disable selected if streaming is not required.

  • From the Proactive Monitoring menu, select an option to allow the streaming of debug logs to Distributed Cloud Console. The debug logs are used for troubleshooting purposes. By default, this option is enabled. However, you can choose to disable this option.

Step 8.5: Configure enterprise proxy server settings.

Optionally, choose to use a custom enterprise proxy server from the Enterprise Proxy menu. By default, all CE sites use the F5 Enterprise Proxy. If you choose Custom Enterprise Proxy, you will be required to provide your own proxy by specifying an IPv4 address and port number. In addition, you can choose to have your internal proxy use F5 RE tunnels by choosing Enable from the Use for RE Tunnels menu.

Important: When Use for RE Tunnels is enabled, the CE site will always establish a connection to Regional Edges using SSL tunnel encapsulation, even if the Regional Edge tunnel type is set to IPSec and SSL. After the site comes online, the tunnel type setting in the Regional Edge section (Step 3 above) is automatically changed to SSL. When RE tunnels are formed via a custom proxy, IPsec cannot be supported because Internet Key Exchange (IKE), which is UDP-based, cannot be routed via a custom proxy. Therefore, the site setting is changed to disable IPsec and only uses SSL.

Step 8.6: Configure site DNS and NTP server settings.

  • Optionally, choose to configure a custom DNS server:

    • From the DNS Servers menu, select Custom. Click Add Item and enter a domain.

  • Optionally, choose to configure a custom NTP server:

    • From the NTP Servers menu, select Custom. Click Add Item and enter a domain.
Step 9: Complete the site object creation.

Click Save and Exit to complete creating the site. The Status field for the site object displays Validation in progress. After validation, the field displays Validation Succeeded.

Deploy and Register Site

Refer to provider-specific documentation links below to deploy and register site:

Day 2 Operations

To create a load balancer on the CE Site, see the HTTP Load Balancer or the TCP Load Balancer guides.

Concepts

On this page: