Create Secure Mesh Site v2

Published April 5, 2023 | Last modified June 24, 2025

Objective

This document provides instructions on how to deploy an F5 Distributed Cloud Customer Edge (CE) across all supported providers: on-premises providers, such as VMware, Nutanix, OpenStack, and more. Also, public cloud providers, such as AWS, Azure, GCP, and OCI.

This new and simplified workflow also includes enhancements to remove certified hardware, a single endpoint for CE Site registration, and much more.

Important: The following providers are Generally Available (GA): VMware, AWS, Azure, GCP, OCI, Nutanix, and OpenStack. The following providers are Early Access (EA): KVM and Baremetal.

Planning

Read the following documents before deploying a Secure Mesh Site in any provider environment:

Important: After you deploy the CE Site, the IP address for the SLO interface cannot be changed. Also, the MAC address cannot be changed.

General Prerequisites

  • An F5 Distributed Cloud Account. If you do not have an account, see Getting Started with Console.

  • One or more devices or virtual machines (VMs) consisting of interfaces with Internet reachability for Site deployment.

  • Resources required per node: Minimum 8 vCPUs, 32 GB RAM, and 80 GB disk storage. For a full listing of the resources required, see the Customer Edge Site Sizing Reference guide. All the nodes in a given CE Site should have the same resources regarding the compute, memory, and disk storage. When deploying in cloud environments, these nodes should use the same instance flavor.

  • Internet Control Message Protocol (ICMP) needs to be opened between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed to ensure intra-cluster communication checks.

  • Configure your firewall or proxy server to allow connections from and to the IP addresses listed in the Distributed Cloud Services Firewall and Proxy Server Allowlist Reference guide.

Configuration Overview

Use the following sequence of actions to create a CE Site in your provider:

  • (1) Choose the provider where your Secure Mesh Site is being deployed:

Configure additional parameters as required. Apart from the provider, all parameters are optional.

Important: It is important to review all optional parameters while configuring the Site to make sure the CE deployment is in adherence with your environment. There are a few properties which cannot be changed after the CE Site is created. If any changes are required to these, then the CE Site would need to be redeployed.

  • (2) Prepare to launch nodes. For the following providers: VMware, OpenStack, Nutanix, KVM, Baremetal, and OCI download the CE image from the F5 Distributed Cloud Console. For the following providers: Azure and GCP simply use the Launch Instance action to deploy the instance from marketplace. For AWS, use the Copy Image Name.

  • (3) When launching a node, check out a node token. Each node requires a unique token generated in F5 Distributed Cloud Console.

Important: Tokens are ephemeral and expire within 7 days, so it is recommended to generate a node token while launching a node and not pre-stage them.

  • (4) Launch nodes. If HA is disabled, the CE Site only supports one (1) node. If HA is enabled, the CE Site requires three (3) nodes. Additional nodes can only be added to CE sites with HA enabled.

Important: HA mode cannot be changed after the CE Site is created.

  • (5) Add additional interfaces to each node as required.

Important: Adding a new network interface will cause the data plane services to restart. Therefore, it is strongly recommended performing this operation during maintenance windows. As data plane services restart, traffic drops are expected, as well as tunnels going down. When adding interfaces, it is important to make sure that the interfaces are added to each node in the cluster. Nodes with non-homogenous interfaces within a CE Site might cause issues. Therefore, each node in a given CE Site should have the same number of interfaces placed in the same VRFs.

Each node must be powered off when adding new interfaces or modifying existing ones.

Create Secure Mesh Site

Log into F5 Distributed Cloud Console to create a secure mesh site.

Step 1: Enter metadata information for Site.

  • In Multi-Cloud Network Connect service, navigate to Manage > Site Management > Secure Mesh Sites v2.

  • Select Add Secure Mesh Site to open the configuration form.

  • In the Metadata section, enter a name for the Site.

  • Optionally, select labels and add a description.

Step 2: Select the infrastructure provider settings for Site.

  • From the Provider Name menu, select the infrastructure provider from the options available. Refer to provider-specific documentation links below to bring up infrastructure in that provider:

  • For the Orchestration Mode menu option, select Not Managed By F5XC. With this option, Distributed Cloud Services will not automate any infrastructure provisioning (like node bring up). You are expected to bring up infrastructure using the provider-specific manual workflows or using the provider specific automation tools, like Terraform.

  • For High Availability, choose an option. If it is Disabled, the CE Site will only support one node. If it is Enabled, the CE Site requires three nodes. Additional nodes can only be added to CE sites when HA is Enabled.

Important: The HA mode cannot be changed after the CE Site is created.

Step 3: Configure RE Site options.

Use the following steps to configure the regional edge (RE) Site settings in the Regional Edge section. Your CE Site will connect to the RE Site for registration purposes.

Note: The configuration options in this section are set to standard default values. Therefore, it may not be necessary to customize any of the options unless you need customization only for advanced deployments.

  • From the Regional Edge Selection menu, select the RE geography to use. The default option is use the geographically-closest RE Site to where you are deploying your CE Site.

  • Optionally, select the Site-to-Site tunnel encryption type from the Tunnel Type menu. The default option is IPsec/SSL. When IPsec/SSL is used, IPsec takes priority.

  • Optionally, configure the timeout value for Site tunneling from the Tunnel Dead Timeout (msec) menu. The default option is zero (0) milliseconds.

  • Optionally, enable the offline survivability feature from the Offline Survivability Mode menu. For more information, see the Manage Site Offline Survivability guide.

Step 4: Configure Site networking options.

Use the following steps to configure the CE Site networking settings in the Site Networking section.

Note: The configuration options in this section are set to standard default values. Therefore, it may not be necessary to customize any of the options unless you need customization only for advanced deployments.

  • Site Local Outside Network (SLO) is used to connect the CE node with the F5 Distributed Cloud Regional Edges (REs). It can also work as a public/WAN network. This network typically requires connectivity to the Internet (see note below for exception). If a custom DNS server or static routes need to be added into this network, then from the Site Local Outside Network menu, choose Configure Site Local Outside Network. Then click View Configuration. Here you can add custom static routes, common VIP for load balancers (this can be overridden on a per load balancer basis in the Advertisement Policy), or DNS servers for the SLO network.

Note: The CE Site can be connected to a private underlay that connects with F5 Distributed Cloud Regional Edges (REs) in which case the SLO need not have Internet-bound connectivity. Connectivity to the REs will use this private underlay.

  • Site Local Inside Network (SLI) represents the internal network (LAN). If a custom DNS server or static routes need to be added into this network, then from the Site Local Inside Network menu, choose Configure Site Local Inside Network. Then click View Configuration. Here you can add custom static routes, common VIP for load balancers (this can be overridden on a per load balancer basis in the Advertisement Policy), or DNS servers for the SLI network.

Note: Site Local Inside is an optional network. Consider using Network Segments from Multi-Cloud Network Connect > Networking > Segments for internal networks. Network segments are flexible and can be used to keep networks isolated within an environment. In other words, they are restricted to a single CE Site or can be also used for seamless extension of networks across multiple hybrid/multi-cloud environments (across multiple CE sites).

  • To enable virtual IP address (VIP) redundancy when operating load balancers advertised on a CE in L2 adjacency mode: From the Load Balancer Settings section, select Enable VRRP for VIP(s) from the VRRP Mode setting.
Step 5: Configure Site to Site connectivity options.

Use the following steps to configure the CE Site networking settings in the Site To Site Connectivity section.

Note: The configuration options in this section are set to standard default values. Therefore, it may not be necessary to customize any of the options unless you need customization only for advanced deployments.

  • To connect the Site to other sites using the SLO network, from the Connect using SLO Local VRF menu, select an option:

    • Site Mesh Group: This option connects your Site to other Sites in a mesh network. You can connect using a public IP or a private IP. For more information, see the Site Mesh Group guide.

    • Member of DC Cluster Group: This option places your Site within a Direct Connect (DC) Cluster Group. For more information, see the Configure DC Cluster Group guide.

  • To connect the Site to other sites using the SLI network, from the Connect using SLI Local VRF menu, select Member of DC Cluster Group. For more information, see the Configure DC Cluster Group guide.

Step 6: Configure network security for Site.

Use the following steps to configure the CE Site networking security settings in the Network Security section.

Note: The configuration options in this section are set to standard default values. Therefore, it may not be necessary to customize any of the options unless you need customization only for advanced deployments.

  • From the Network Firewall menu, choose to enable an enhanced firewall. Select the firewall from the drop-down menu. Use Add Item to add more than one firewall. For more information, see the Network Firewall guide.

  • From the Forward Proxy menu, choose to enable a forward proxy. Select the policy from the drop-down menu. Use b to add more than one policy. The network traffic will be processed based on the order set. For more information, see the Forward Proxy Policies guide.

Step 7: Configure performance mode.

Use the following steps to configure the CE Site performance mode in the Services & Resources section.

Note: The configuration option in this section is set to standard default values. Therefore, it may not be necessary to customize it unless you need customization only for advanced deployments.

  • In the Services & Resources section, from the Performance Mode menu, select an option:

    • L7 Enhanced: This option optimizes the Site for Layer 7 traffic processing and is the default option.

    • L3 Enhanced: This option optimizes the Site for Layer 3 traffic processing. When chosen, this CE Site will not provide any L7 functionality, such as load balancing. If you are using L3 Enhanced mode, select whether to use this feature with or without jumbo frames.

Important: If L3 Enhanced mode is not enabled on all CE sites in a Site Mesh Group, the MTU configured on the Site-to-Site tunnel interfaces will not be consistent. Therefore, it is recommended to enable L3-focused performance mode on all sites participating in a Site Mesh Group.

Step 8: Configure Site management options.

Enable the Show Advanced Fields option.

Step 8.1: Configure software settings.

  • From the F5XC Software Version menu, keep the default selection of Latest SW Version or select F5XC Software Version to specify an older version number.

  • From the Operating System Version menu, keep the default selection of Latest OS Version or select Operating System Version to specify an older version number.

Step 8.2: Configure node upgrade settings.

From the Node by Node Upgrade menu, select how each worker node is upgraded. Note that this configuration does not apply to the control node(s). Optionally, configure Upgrade Wait Time, Node Batch Size, and Node Batch Size Count.

Step 8.3: Configure admin credentials.

  • Under Admin Password, click Configure. Configure the options for Secret Type, Action, and Policy Type. Enter your password in the Secret to Blindfold text box. Click Apply.

  • Enter your public SSH key.

Step 8.4: Configure node services, monitoring, and log streaming.

By default, the local web UI, SSH, and DNS services on the nodes in the CE Site are enabled.

  • To disable any of these services, from the Node Local Services menu, select Disable. Click Add Item for each service you want to disable. By default, these services are enabled to help with Site troubleshooting.

  • From the Logs Streaming menu, select Enable to configure a log receiver. Keep Disable selected if log streaming is not required.

Step 8.5: Configure enterprise proxy server settings.

By default, all CE sites use the F5 Enterprise Proxy, which is hosted by F5 in the F5 Global Network to register with F5 Distributed Cloud.

  • If you want to use a custom proxy hosted in your enterprise environment:
    • From the Enterprise Proxy menu, choose Custom Enterprise Proxy and provide your enterprise proxy settings, such as Proxy IPv4 Address, Proxy Port, Username, and Password. In addition, you can choose to use this custom enterprise for proxy-to-proxy tunnels from the nodes of this CE Site to the F5 Distributed Cloud Regional Edges (REs) by choosing to Enable from the Use for RE Tunnels menu.

Important: When Use for RE Tunnels is enabled, the CE Site will always establish a connection to the F5 Distributed Cloud Regional Edges (REs) using SSL tunnel encapsulation, even if the RE tunnel type is set to IPsec and SSL. After the Site comes online, the tunnel type setting in the RE section (Step 3 above) is automatically changed to SSL. When RE tunnels are formed via a custom proxy, IPsec cannot be supported because Internet Key Exchange (IKE), which is UDP-based, cannot be routed via a custom proxy. Therefore, the Site setting is changed to disable IPsec and only uses SSL.

Important: Use for RE Tunnels cannot be changed after the CE Site is created. Make sure to set this field while creating the CE Site object. Changing this property will require creation of a new CE Site and re-deployment of all nodes.

Step 8.6: Configure DNS and NTP server settings.

  • Optionally, choose to configure custom DNS servers:

    • From the DNS Servers menu, select Custom. Click Add Item and enter a server. Note that multiple DNS servers can be added.

  • Optionally, choose to configure custom NTP servers:

    • From the NTP Servers menu, select Custom. Click Add Item and enter a server. Note that multiple NTP servers can be added.
Step 9: Complete the Site object creation.

Click Save and Exit to complete creating the Site. The Status field for the Site object displays Validation in progress. After validation, the field displays Validation Succeeded.

Important: There are certain settings that cannot be changed after the CE Site is created. Make sure that all settings for your CE Site are configured as required before clicking Save and Exit to avoid re-creating the CE Site and re-deploying the CE nodes.

Deploy and Register Site

Refer to provider-specific documentation links below to deploy and register Site:

Day 2 Operations

To create a load balancer on the CE Site, see the HTTP Load Balancer or the TCP Load Balancer guides.

Concepts

On this page: