Create Secure Mesh Site v2
Objective
This document provides instructions on how to deploy an F5 Distributed Cloud Customer Edge site using the non-orchestrated method with the new and simplified workflow of secure mesh site. This workflow can be used to deploy CE sites on-premises (VMware, KVM, and bare metal) and public clouds (AWS, Azure, GCP, and OCI) using the cloud provider’s console or the cloud provider's Terraform. Additionally, this new workflow can be used to deploy CE sites on the F5 Big-IP rSeries next-generation hardware platform.
This new and simplified workflow also includes enhancements such as removing the certified-hardware requirement, a single endpoint for CE site registration, and much more.
Note: These providers are Generally Available (GA): VMware, AWS, and Azure. These providers are Early Access (EA): F5 rSeries, GCP, OCI, Nutanix, OpenStack, KVM, and Baremetal.
Planning
Please read the following documents before deploying a secure mesh site in any provider environment:
- Understanding F5 Distributed Cloud - Customer Edge (CE)
- CE Datasheet
- CE Supported Platforms Guide
- Customer Edge Site Sizing Reference
- CE Performance Guide: Please contact your account representative on CE performance-related information.
- Proxy for CE Registration and Upgrades Reference
- Secure Mesh Sites v2 Frequently Asked Questions
- Customer Edge Registration and Upgrade Reference
Important: After you deploy the CE Site, the IP address for the SLO interface cannot be changed. Also, the MAC address cannot be changed.
Prerequisites
- An F5 Distributed Cloud Account. If you do not have an account, see Create an Account.
- One or more devices or virtual machines (VMs) with interfaces that have Internet reachability for site deployment.
- Resources required per node: Minimum 4 vCPUs, 14 GB RAM, and 80 GB disk storage. For a full listing of the resources required, see the Customer Edge Site Sizing Reference guide. All the nodes in a given CE Site should have the same compute, memory, and disk storage resources. When deploying in cloud environments, these nodes should use the same instance flavor.
- Internet Control Message Protocol (ICMP) must be allowed between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed for the intra-cluster communication checks.
- Configure your firewall or proxy server to allow connections from and to the IP addresses listed in the Distributed Cloud Services Firewall and Proxy Server Allowlist Reference guide.
Configuration Overview
Use the following sequence of actions to create a secure mesh site:
- Choose the provider where your secure mesh site is being deployed.
- Decide on high availability (HA): when HA is disabled, the site supports only one node, which is a control node, and worker nodes cannot be added. When HA is enabled, the site must have at least three control nodes, and any additional nodes can be added as worker nodes.
- Configure any additional parameters.
- For on-premises providers (VMware, KVM, and bare metal), download the image file. For cloud providers (AWS, GCP, and OCI), use Copy Image URL. For Azure, use Launch Instance. Each node in a CE site must be brought up using the same image.
- When launching a node, check out a node token. Each node requires a unique token generated in F5 Distributed Cloud Console.
- Add additional site nodes as required by the initial configuration of the site object.
- Add additional interfaces to each node as required.
Important: Adding a new network interface causes the data plane services to restart. Therefore, it is strongly recommended to perform this operation during a maintenance window. As data plane services restart, traffic drops are expected, as well as tunnels going down. When adding interfaces, make sure that the interfaces are added to each node in the cluster. Nodes with non-homogeneous interfaces within a CE Site might cause issues. Therefore, each node in a given CE Site should have the same number of interfaces placed in the same VRFs.
Each node must be powered off when adding new interfaces or modifying existing ones.
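The prerequisites and the configuration overview above amount to a set of plan-time constraints on a site's node inventory: per-node minimum sizing, homogeneous compute/memory/disk and instance flavor across nodes, the node layout that each High Availability setting allows, and the same interfaces placed in the same VRFs on every node. The following script, an added example that is not F5 code or part of this document, encodes those constraints so that a planned inventory can be checked before any node is launched. The Node model, the role names, the interface-to-VRF mapping and the sample inventory are assumptions made for the example; the numeric minimums and the HA rule are the page's own.

```python
"""Plan-time sanity checks for a secure mesh site's node inventory.

Added example, not F5 code. It encodes the constraints stated on the page:
  - per-node minimum of 4 vCPUs, 14 GB RAM and 80 GB disk
  - all nodes in a site homogeneous in compute, memory and disk (and in
    instance flavor for cloud deployments)
  - HA disabled: exactly one node, a control node, no workers
  - HA enabled: at least three control nodes; extra nodes may be workers
  - every node carries the same number of interfaces in the same VRFs
The Node model and the sample inventory are assumptions for this example.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MIN_VCPU = 4
MIN_RAM_GB = 14
MIN_DISK_GB = 80


@dataclass
class Node:
    name: str
    role: str                 # "control" or "worker" (assumed naming)
    vcpu: int
    ram_gb: int
    disk_gb: int
    interfaces: Dict[str, str] = field(default_factory=dict)  # iface name -> VRF
    flavor: Optional[str] = None  # cloud instance flavor; None for on-premises


def check_site_plan(nodes: List[Node], ha_enabled: bool) -> List[str]:
    """Return a list of findings; an empty list means the plan is consistent."""
    findings: List[str] = []
    if not nodes:
        return ["site has no nodes"]

    # Per-node minimum sizing from the prerequisites.
    for n in nodes:
        if n.role not in ("control", "worker"):
            findings.append(f"{n.name}: unknown role {n.role!r}")
        if n.vcpu < MIN_VCPU or n.ram_gb < MIN_RAM_GB or n.disk_gb < MIN_DISK_GB:
            findings.append(
                f"{n.name}: below minimum {MIN_VCPU} vCPU / {MIN_RAM_GB} GB RAM / {MIN_DISK_GB} GB disk"
            )

    # Homogeneity: every node is compared against the first one. Interface
    # names may differ between platforms, so the VRF placement is compared as
    # a multiset (how many interfaces sit in each VRF).
    ref = nodes[0]
    ref_vrfs = Counter(ref.interfaces.values())
    for n in nodes[1:]:
        if (n.vcpu, n.ram_gb, n.disk_gb) != (ref.vcpu, ref.ram_gb, ref.disk_gb):
            findings.append(f"{n.name}: compute/memory/disk differs from {ref.name}")
        if n.flavor != ref.flavor:
            findings.append(f"{n.name}: instance flavor differs from {ref.name}")
        if Counter(n.interfaces.values()) != ref_vrfs:
            findings.append(f"{n.name}: interface count or VRF placement differs from {ref.name}")

    # The High Availability setting decides the admissible node layout.
    control = [n for n in nodes if n.role == "control"]
    workers = [n for n in nodes if n.role == "worker"]
    if not ha_enabled and (len(nodes) != 1 or len(control) != 1):
        findings.append(
            f"HA disabled: site must be a single control node, found {len(control)} control / {len(workers)} worker"
        )
    if ha_enabled and len(control) < 3:
        findings.append(f"HA enabled: at least 3 control nodes required, found {len(control)}")
    return findings


# Constructed sample inventory: a three-node HA cluster with SLO and SLI
# interfaces on every node and one shared (made-up) instance flavor.
HA_CLUSTER = [
    Node("cn-1", "control", 4, 14, 80, {"eth0": "slo", "eth1": "sli"}, "flavor-4c16g"),
    Node("cn-2", "control", 4, 14, 80, {"eth0": "slo", "eth1": "sli"}, "flavor-4c16g"),
    Node("cn-3", "control", 4, 14, 80, {"eth0": "slo", "eth1": "sli"}, "flavor-4c16g"),
]

if __name__ == "__main__":
    for line in check_site_plan(HA_CLUSTER, ha_enabled=True) or ["OK: plan is consistent"]:
        print(line)
```

Run it as-is to check the constructed cluster, or replace HA_CLUSTER with your own inventory; a non-empty list of findings is the set of things to fix before checking out node tokens, since the SLO address and MAC address cannot be changed once a node is deployed.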
Create Secure Mesh Site
Log into F5 Distributed Cloud Console to create a secure mesh site.
Step 1: Enter metadata information for site.
- In the Multi-Cloud Network Connect service, navigate to Manage > Site Management > Secure Mesh Sites v2.
- Select Add Secure Mesh Site to open the configuration form.
- In the Metadata section, enter a name for the site.
- Optionally, select labels and add a description.
Step 2: Select the infrastructure provider settings for site.
- From the Provider Name menu, select the infrastructure provider from the options available. Refer to the provider-specific documentation links below to bring up infrastructure in that provider.
- For the Orchestration Mode menu option, select Not Managed By F5XC. With this option, Distributed Cloud Services will not automate any infrastructure provisioning (such as node bring-up). You are expected to bring up infrastructure using the provider-specific manual workflows or the provider-specific automation tools, such as Terraform.
- For the High Availability menu, choose an option. When disabled, the site supports only one node, which is a control node, and worker nodes cannot be added. When enabled, the site must have at least three control nodes, and any additional nodes can be added as worker nodes.
Step 3: Configure RE site options.
Use the following steps to configure the regional edge (RE) site settings in the Regional Edge section. Your CE site connects to the RE site for registration purposes.
Note: The configuration options in this section are set to standard default values. Therefore, it is usually not necessary to customize any of them unless you have an advanced deployment.
- From the Regional Edge Selection menu, select the RE geography to use. The default option is to use the RE site geographically closest to where you are deploying your CE site.
- Optionally, select the site-to-site tunnel encryption type from the Tunnel Type menu. The default option is IPsec/SSL. When IPsec/SSL is used, IPsec takes priority.
- Optionally, configure the timeout value for site tunneling from the Tunnel Dead Timeout (msec) menu. The default option is zero (0) milliseconds.
- Optionally, enable the offline survivability feature from the Offline Survivability Mode menu. For more information, see the Manage Site Offline Survivability guide.
Step 4: Configure site networking options.
Use the following steps to configure the CE site networking settings in the Site Networking section.
Note: The configuration options in this section are set to standard default values. Therefore, it is usually not necessary to customize any of them unless you have an advanced deployment.
- From the Site Local Outside Network menu, choose whether to keep the default option for the Site Local Outside interface. The SLO is required for workloads that connect to the public Internet/WAN. To configure the default SLO network, select Configure Site Local Outside Network and then click View Configuration. This configures the static routes, the load balancer, and the DNS server for that network.
- From the Site Local Inside Network menu, choose whether to keep the default option for the Site Local Inside interface. A Site Local Inside (SLI) interface is optional and is used for workloads on a private LAN. It is not enabled by default. To add an SLI network, select Configure Site Local Inside Network and then click View Configuration. This configures the static routes, the load balancer, and the DNS server for that network.
- To enable virtual IP address (VIP) redundancy when operating a CE in L2 mode, from the VRRP Mode menu, select Enable VRRP for VIP(s).
Step 5: Configure site to site connectivity options.
Use the following steps to configure the CE site-to-site connectivity settings in the Site To Site Connectivity section.
Note: The configuration options in this section are set to standard default values. Therefore, it is usually not necessary to customize any of them unless you have an advanced deployment.
- To connect the site to other sites using the SLO network, from the Connect using SLO Local VRF menu, select an option:
  - Site Mesh Group: This option connects your site to other sites in a mesh network. You can connect using a public IP or a private IP. For more information, see the Site Mesh Group guide.
  - Member of DC Cluster Group: This option places your site within a Direct Connect (DC) Cluster Group. For more information, see the Configure DC Cluster Group guide.
- To connect the site to other sites using the SLI network, from the Connect using SLI Local VRF menu, select Member of DC Cluster Group. For more information, see the Configure DC Cluster Group guide.
Step 6: Configure network security for site.
Use the following steps to configure the CE site network security settings in the Network Security section.
Note: The configuration options in this section are set to standard default values. Therefore, it is usually not necessary to customize any of them unless you have an advanced deployment.
- From the Network Firewall menu, choose whether to enable an enhanced firewall. Select the firewall from the drop-down menu. Use Add Item to add more than one firewall. For more information, see the Network Firewall guide.
- From the Forward Proxy menu, choose whether to enable a forward proxy. Select the policy from the drop-down menu. Use Add Item to add more than one policy. Network traffic is processed according to the order in which the policies are listed. For more information, see the Forward Proxy Policies guide.
Step 7: Configure performance mode.
Use the following steps to configure the CE site performance mode in the Services & Resources section.
Note: The configuration option in this section is set to a standard default value. Therefore, it is usually not necessary to customize it unless you have an advanced deployment.
- From the Performance Mode menu, select an option:
  - L7 Enhanced: This option optimizes the site for Layer 7 traffic processing.
  - L3 Enhanced: This option optimizes the site for Layer 3 traffic processing. Only choose this option if the site is used for L3 connectivity and not for any L7 features. Select whether to use this feature with or without jumbo frames.
Important: The L3 Enhanced feature works on CE sites with a minimum of 5 cores and a minimum of 3 GB memory. Jumbo frames (Ethernet frames with a larger payload than the Ethernet standard maximum transmission unit of 1,500 bytes) are supported for L3 Enhanced. If L3 Enhanced is not enabled on all CE sites in a Site Mesh Group, the MTU configured on the site-to-site tunnel interfaces will not be consistent. Therefore, it is recommended to enable the L3 Enhanced performance mode on all sites participating in a Site Mesh Group.
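The L3 Enhanced rules above are easy to get wrong across a fleet: the mode has a per-site resource floor, jumbo frames only apply to it, and a Site Mesh Group only gets consistent tunnel MTUs when every member runs the same mode. The script below, an added example that is not F5 code or part of this document, applies those rules to a list of site profiles and names the sites that keep the group inconsistent. The SiteProfile model, the mode strings and the sample group are assumptions made for the example; the 5-core / 3 GB floor and the consistency recommendation are the page's own.

```python
"""Performance-mode consistency check across a Site Mesh Group.

Added example, not F5 code. Rules taken from the page:
  - L3 Enhanced needs at least 5 cores and 3 GB memory on the site
  - jumbo frames are supported only with L3 Enhanced
  - if L3 Enhanced is not enabled on every site in a Site Mesh Group, the
    site-to-site tunnel MTU is inconsistent, so the mode should be uniform
The SiteProfile model and the sample group are assumptions for this example.
"""
from dataclasses import dataclass
from typing import List

L3_MIN_CORES = 5
L3_MIN_MEM_GB = 3
L7_ENHANCED = "L7 Enhanced"
L3_ENHANCED = "L3 Enhanced"


@dataclass
class SiteProfile:
    name: str
    cores: int
    mem_gb: int
    performance_mode: str = L7_ENHANCED
    jumbo_frames: bool = False


def l3_enhanced_eligible(site: SiteProfile) -> bool:
    """A site can run L3 Enhanced only above the page's resource floor."""
    return site.cores >= L3_MIN_CORES and site.mem_gb >= L3_MIN_MEM_GB


def check_mesh_group(sites: List[SiteProfile]) -> List[str]:
    """Return findings for the group; an empty list means it is consistent."""
    findings: List[str] = []

    # Per-site rules.
    for s in sites:
        if s.performance_mode not in (L7_ENHANCED, L3_ENHANCED):
            findings.append(f"{s.name}: unknown performance mode {s.performance_mode!r}")
        if s.performance_mode == L3_ENHANCED and not l3_enhanced_eligible(s):
            findings.append(
                f"{s.name}: L3 Enhanced needs >= {L3_MIN_CORES} cores and {L3_MIN_MEM_GB} GB memory"
            )
        if s.jumbo_frames and s.performance_mode != L3_ENHANCED:
            findings.append(f"{s.name}: jumbo frames are only supported with L3 Enhanced")

    # Group rule: mixed modes leave the tunnel MTU inconsistent. For each
    # site not on L3 Enhanced, say whether it can simply be switched or
    # first needs more resources.
    if len({s.performance_mode for s in sites}) > 1:
        for s in sites:
            if s.performance_mode == L3_ENHANCED:
                continue
            remedy = (
                "switch it to L3 Enhanced"
                if l3_enhanced_eligible(s)
                else f"it lacks the {L3_MIN_CORES} cores / {L3_MIN_MEM_GB} GB needed for L3 Enhanced"
            )
            findings.append(
                f"{s.name}: mode differs from the L3 Enhanced sites, tunnel MTU will be inconsistent; {remedy}"
            )
    return findings


# Constructed sample group: two data-center sites already on L3 Enhanced
# with jumbo frames, plus a small branch site left on the L7 default.
SAMPLE_GROUP = [
    SiteProfile("dc-east", 8, 16, L3_ENHANCED, jumbo_frames=True),
    SiteProfile("dc-west", 8, 16, L3_ENHANCED, jumbo_frames=True),
    SiteProfile("branch-1", 4, 16),
]

if __name__ == "__main__":
    for line in check_mesh_group(SAMPLE_GROUP) or ["OK: group is consistent"]:
        print(line)
```

On the sample group the branch site is reported as the odd one out and, because it has only 4 cores, as unable to move to L3 Enhanced without resizing; that is the decision the Important note above asks you to make before mixing modes in a Site Mesh Group.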
Step 8: Configure site management options.
Enable the Show Advanced Fields option.
Step 8.1: Configure software settings.
- From the F5XC Software Version menu, keep the default selection of Latest SW Version, or select F5XC Software Version to specify an older version number.
- From the Operating System Version menu, keep the default selection of Latest OS Version, or select Operating System Version to specify an older version number.
Step 8.2: Configure node upgrade settings.
From the Node by Node Upgrade menu, select how each worker node is upgraded. Note that this configuration does not apply to the control node(s). Optionally, configure Upgrade Wait Time, Node Batch Size, and Node Batch Size Count.
Step 8.3: Configure admin credentials.
- Under Admin Password, click Configure. Configure the options for Secret Type, Action, and Policy Type. Enter your password in the Secret to Blindfold text box. Click Apply.
- Enter your public SSH key.
Step 8.4: Configure node services, monitoring, and log streaming.
- To disable the web, SSH, and DNS services for your site, from the Node Local Services menu, select Disable. Click Add Item for each service you want to disable. By default, these services are enabled to help with site troubleshooting.
- From the Logs Streaming menu, select Enable to configure the syslog server, and then add the log receiver. Keep Disable selected if streaming is not required.
- From the Proactive Monitoring menu, select an option to allow the streaming of debug logs to Distributed Cloud Console. The debug logs are used for troubleshooting purposes. This option is enabled by default, but you can choose to disable it.
Step 8.5: Configure enterprise proxy server settings.
Optionally, choose to use a custom enterprise proxy server from the Enterprise Proxy menu. By default, all CE sites use the F5 Enterprise Proxy. If you choose Custom Enterprise Proxy, you must provide your own proxy by specifying an IPv4 address and port number. In addition, you can choose to have your internal proxy carry the F5 RE tunnels by selecting Enable from the Use for RE Tunnels menu.
Important: When Use for RE Tunnels is enabled, the CE site always establishes its connection to Regional Edges using SSL tunnel encapsulation, even if the Regional Edge tunnel type is set to IPSec and SSL. After the site comes online, the tunnel type setting in the Regional Edge section (Step 3 above) is automatically changed to SSL. When RE tunnels are formed via a custom proxy, IPsec cannot be supported because Internet Key Exchange (IKE), which is UDP-based, cannot be routed via a custom proxy. Therefore, the site setting is changed to disable IPsec and use only SSL.
Step 8.6: Configure site DNS and NTP server settings.
- Optionally, choose to configure a custom DNS server:
  - From the DNS Servers menu, select Custom. Click Add Item and enter a domain.
  - From the
- Optionally, choose to configure a custom NTP server:
  - From the NTP Servers menu, select Custom. Click Add Item and enter a domain.
  - From the
Step 9: Complete the site object creation.
Click Save and Exit to complete creating the site. The Status field for the site object displays Validation in progress. After validation, the field displays Validation Succeeded.
Deploy and Register Site
Refer to provider-specific documentation links below to deploy and register site: