Deploy Site in GCP (ClickOps)

Objective

This guide provides instructions on how to create a customer edge (CE) site using the Google Cloud Provider (GCP) Console and deploy to a GCP VPC. For more information on sites, see F5® Distributed Cloud Site.

Site Types and Scenarios

The scenarios below in the table have been tested successfully. The Network Address Translation Gateway (NAT GW) device in Table 1 references the GCP NAT Gateway. However, technically this should also work with third-party firewalls.

Note: In the Number of Nodes column, 1/3 indicates 1 or 3 nodes. An App Stack site can be configured with up to 128 worker nodes total.

ProviderSite TypeNumber of Master NodesGateway TypeInterfacesScenario
GCPMesh1/3Ingress1Mesh Single-NIC
GCPMesh1/3Ingress/Egress2Mesh Multi-NIC
GCPApp Stack1/3-1App Stack Combo

Considerations for Sites Behind NAT Gateway

In a regular deployment, each CE node has an External IP address associated with the Site Local Outside (SLO) interface, and the SLO route table routes the outgoing traffic via the Internet Gateway using the External IP address as the NAT IP address. But for scenarios where there is a requirement to have the CE site deployed without a public IP address, you can place the CE site behind a NAT Gateway. This can be the GCP Cloud NAT or any third-party instance, like a firewall used as a NAT gateway.

If you are deploying a site in this scenario, there are a few differences to note:

  • There is no public IP association with the CE(s).

  • You must ensure the CE can get to the Internet through its SLO interface.

  • From the GCP side, ensure that the routing table from the SLO subnet has a default route 0.0.0.0/0 that points to the NAT Gateway.

  • The NAT Gateway is a zonal object. In other words, it belongs to one availability zone. Therefore, in the case of a three-node CE cluster, you might want to deploy additional NAT Gateways for high availability.

Prerequisites

The following prerequisites apply:

  • A Distributed Cloud Services Account. If you do not have an account, see Create an Account.

  • An account with GCP. See Required Access Policies for permissions needed to deploy site. To create a cloud credentials object, see Cloud Credentials.

  • An official F5 Distributed Cloud Services GCP image.

  • Resources required per node: Minimum 4 vCPUs and 14 GB RAM.

  • F5 assumes that the resource group exists with a virtual network, including a minimum of two subnets: one for the Site Local Outside (SLO) and one for the Site Local Inside (SLI). The CE generally references the SLO interface as eth0 and the SLI interface as eth1.

  • For a single-NIC deployment (ingress gateway/Mesh or App Stack), only a single subnet (SLO) is required.

  • Internet Control Message Protocol (ICMP) needs to be opened between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed to ensure intra-cluster communication checks.

Important: After you deploy the CE Site, the IP address for the SLO interface cannot be changed. Also, the MAC address cannot be changed.

Procedure

This procedure provides instructions for creating a Secure Mesh Site with two interfaces (ingress/egress) on a GCP VPC using GCP Console. Most of the objects and configurations are the same for single-node and multi-node sites.

Create GCP VPC Networks

Create two VPC networks to attach to the Site Local Outside (SLO) and Site Local Inside (SLI), respectively. Each of the VPC networks must have one subnet.

  • In GCP Console, navigate to your VPC network.
Figure

Figure

  • Click CREATE VPC NETWORK.
Figure

Figure

  • In the Name field, enter a name for the outside network subnet, and then click ADD SUBNET.
Figure

Figure

  • Configure the outside subnet details, and then click DONE.
Figure

Figure

  • Keep other configuration parameters as default and click CREATE to finish.
Figure

Figure

  • Perform the same procedure for the inside (SLI) network.
Figure

Figure

Create Firewall Rules

Create ingress and egress firewall rules for both inside and outside VPC networks (from the previous section).

Step 1: Configure ingress rules for SLI.
  • For your VPC, locate and select the SLI network.
Figure

Figure

  • Select the FIREWALLS tab, and then click ADD FIREWALL RULE.
Figure

Figure

  • Create Ingress rule for the inside network that allows traffic from the 0.0.0.0/0 network to any target with tag: f5-ce (create any tag name, as it will be used to identify the VM instance).
Figure

Figure

  • Under Protocols and port, select Allow all and click CREATE.
Figure

Figure

Step 2: Configure egress rules for SLI.

  • Select the FIREWALLS tab, and then click ADD FIREWALL RULE.

  • Create Egress rule for the inside network that allows traffic to the 0.0.0.0/0 network from target with tag: f5-ce.

Figure

Figure

  • Under Protocols and port, select Allow all and click CREATE.
Figure

Figure

  • Verify the rules.
Figure

Figure

Step 3: Configure ingress/egress rules for SLO.

  • Select the outside network and repeat steps 1 and 2 above to create the same ingress and egress rules for SLO.

  • Verify the rules.

Figure

Figure

Import and Configure F5 CE Image

Import the official F5 CE image file into GCP, and then configure its parameters.

Step 1: Download official image.
Image TypeImageCloud Storage File
Mesh Single-NICrhel9-20240216075746-single-voltmeshves-images/rhel9-20240216075746-single-voltmesh.tar.gz
Mesh Multi-NICrhel9-20240216075746-multi-voltmeshves-images/rhel9-20240216075746-multi-voltmesh.tar.gz
App Stack Comborhel9-20240216075746-voltstack-comboves-images/rhel9-20240216075746-voltstack-combo.tar.gz
Step 2: Upload and configure image.
  • In GCP Console, navigate to Images under Storage section in Compute Engine.
Figure

Figure

  • Click CREATE IMAGE.
Figure

Figure

  • For the Mesh Multi-NIC image, use the following as an example:

    • Enter a Name. This example uses rhel9-20240216075746-multi-voltmesh-us-west2.

    • For Source, select Cloud Storage file.

    • Use the Cloud Storage file option to browse for and select the image file. This example uses ves-images/rhel9-20240216075746-multi-voltmesh.tar.gz.

    • For Location, select an option. This example uses Regional.

    • For Select location, select your desired location. This example uses us-west2.

    • For the Encryption option, select Google-managed encryption key.

  • Click CREATE.

Figure

Figure

Step 3: Verify image uploaded successfully.

Verify image uploaded and status is a green checkmark.

Create Site Token

Create a site token or use an existing token. If you are configuring a multi-node site, use the same token for all nodes. To create the token, see the Create Site Token guide.

Configure User Data for Virtual Machine

Below is the cloud config user data example for the GCP VM instance that configures the VM.

#cloud-config
#Only values to be inserted are token and cluster name. Insert as is without parenthesis
write_files:
- path: /etc/hosts
  content: |
    # IPv4 and IPv6 localhost aliases
    127.0.0.1         localhost
    ::1               localhost
    127.0.1.1         vip
    169.254.169.254   metadata.google.internal
  permissions: 0644
  owner: root
- path: /etc/vpm/config.yaml
  permissions: 0644
  owner: root
  content: |
    Vpm:
      ClusterType: ce
      ClusterName: #### TO BE REPLACED BY THE F5XC SECURE MESH SITE NAME ####
      Token: #### TO BE REPLACED BY F5XC API TOKEN ####
      MauricePrivateEndpoint: https://register-tls.ves.volterra.io
      MauriceEndpoint: https://register.ves.volterra.io
      CertifiedHardwareEndpoint: https://vesio.blob.core.windows.net/releases/certified-hardware/gcp.yml
    Kubernetes:
      EtcdUseTLS: True
      Server: vip
      CloudProvider: disabled
Copied!

  • Change the following mandatory fields:

    • ssh_authorized_keys: Enter your SSH public key.

    • ClusterName: Enter the site name for the site object created on F5 Distributed Cloud Console. This can be an App Stack Site or Secure Mesh Site.

    • Token: Enter the value for the site token created on F5 Distributed Cloud Console. This value is used to identify the tenant.

Deploy Multi-Node Site

Follow these steps to create a multi-node Secure Mesh Site.

Reserve External IP Addresses

Create three external IP addresses and give each a name. These IP addresses are used later for the virtual machine instances.

  • In VPC network, navigate to IP addresses. Then click RESERVE EXTERNAL STATIC IP ADDRESS.
Figure: Reserve External IP Address

Figure: Reserve External IP Address

  • Enter a Name.

  • Under Network Service Tier, select an option.

  • Confirm Region and other parameters are configured correctly.

Figure: Reserve External IP Address

Figure: Reserve External IP Address

  • Repeat the above steps to create two more External Static IP addresses. For example, create f5-ce-esip-02 and f5-ce-esip-03 for node two and node three of your site.

Create the F5 Customer Edge Node Instances

Create the F5 CE VM instances in GCP.

  • In Compute Engine, under Virtual machines, click VM instances.
Figure

Figure

  • Click CREATE INSTANCE.
Figure

Figure

  • Use the following table help with the example parameters:
ParameterValueNotes
Namef5-ce-node-01, f5-ce-node-02, f5-ce-node-03Names of nodes for CE site.
Regionus-west2Region from GCP.
Zoneus-west2-a, us-west2-b, us-west2-cZones from GCP.
Machine Configuration/Machine Typen1-standard-4Recommended instance types are n1-standard-4 (4 vCPU, 15 GB RAM), n1-standard-8 (8 vCPU, 30 GB RAM), n1-standard-16 (16 vCPU, 60 GB RAM).
Certified Hardware Namesingle NIC: gcp-byol-voltmesh / multi-NIC: gcp-byol-multi-nic-voltmeshThis is the certified hardware name.
VM Provisioning ModelStandardKeep the default value.
Confidential VM ServiceDisabledKeep the default value.
ContainerDisabledKeep the default value.
Boot Disk: Custom Imagesrhel9-20240216075746-multi-voltmesh-us-west2Select CUSTOM IMAGES and use the image uploaded on the previous step.
Boot Disk: TypeStandard persistent disk.
Boot Disk: Size80 GBMinimum disk space required is 45 GiB for Mesh site and 100 GiB for App Stack Site.
Identity and API access: Service AccountCompute Engine default service account.Keep the default value.
Identity and API access: Access ScopesAllow default access.
Networking: Network Tagsf5-ceUse the one created for the egress network firewall rule.
Networking: IP ForwardingEnable
SLO Network Interfaces: Networkf5-ce-outside-networkOutside network for eth0.
SLO Network Interfaces: Subnetworkf5-ce-outside-subnetOutside subnet created for outside network.
SLO Network Interfaces: IP Stack TypeIPv4
SLO Primary Internal IPv4 AddressEphemeral (Automatic)Use automatic IP addressing.
SLO External IPv4 Addressesf5-ce-esip-01, f5-ce-esip-02, f5-ce-esip-03Use the addresses created for the external IP address step.
SLI Network Interfaces: Networkf5-ce-inside-networkInside network for eth1.
SLI Network Interfaces: Subnetworkf5-ce-inside-subnetInside subnet created for inside network.
SLI Network Interfaces: IP Stack TypeIPv4
SLI Primary Internal IPv4 AddressEphemeral (Automatic)Use automatic IP addressing.
SLI External IPv4 AddressNoneNo external IP address for eth1.
Security: SSH key1<your_ssh_public_key>Add your SSH public key to access the site admin CLI.
Management: MetadataKey 1: VmDnsSetting with Value 1: ZonePreferredZonal DNS mitigates the risk of cross-regional outages and improves the overall reliability of the VM.
Management: MetadataKey 2: user-data with Value 2: <cloud-config>Use the cloud config user data created previously.
  • Enter VM name with desired region and zone. For machine configuration, N1 series is selected and the Machine Type is n1-standard-4.
Figure

Figure

  • Select default values for Availability policies, Confidential VM service and Container.
Figure

Figure

  • Click CHANGE to configure Boot disk. Select CUSTOM IMAGES tab and use the previously uploaded F5 CE image with Boot disk type as Standard persistent disk.
Figure

Figure

  • Select default values for Identity and API access and empty firewall configuration.
Figure

Figure

  • For Network tags, use the network tag created during the VPC network configuration. Enable IP forwarding.
Figure

Figure

  • In Network interfaces page, first configure the Site Local Outside network that has Internet connectivity. Use the previously configured external static IP addresses for this interface. This interface will be discovered as eth0 on the VM.
Figure

Figure

  • Add another network interface for Site Local Inside network. This interface will be discovered as eth1 on the VM. The SLI network does not require Internet connectivity.
Figure

Figure

Figure

Figure

  • In Security, configure the SSH Key that was also used during user data configuration in a previous step.
Figure

Figure

  • In Management, add the two key-value pairs per the table above.
Figure

Figure

  • Click CREATE.

  • Repeat the above steps to create two more VM instances for node two and node three, respectively. Ensure that you are naming the instances (f5-ce-node-2 and f5-ce-node-3), their zones, and the external IP addresses correctly.

Deploy Single-Node Site

Follow these steps to create a single-node Secure Mesh Site.

Reserve External IP Address

Create an external IP address and give it a name. This IP address is used later for the virtual machine instance.

  • In VPC network, navigate to IP addresses. Then click RESERVE EXTERNAL STATIC IP ADDRESS.
Figure: Reserve External IP Address

Figure: Reserve External IP Address

  • Enter a Name.

  • Under Network Service Tier, select an option.

  • Confirm Region and other parameters are configured correctly.

Figure: Reserve External IP Address

Figure: Reserve External IP Address

Create the F5 Customer Edge Node Instance

Create the F5 CE VM in GCP.

  • In Compute Engine, under Virtual machines, click VM instances.
Figure

Figure

  • Click CREATE INSTANCE.
Figure

Figure

  • Use the following table help with the example parameters:
ParameterValueNotes
Namef5-ceName of site.
Regionus-west2Region from GCP.
Zoneus-west2-aZone from GCP.
Machine Configuration/Machine Typen1-standard-4Recommended instance types are n1-standard-4 (4 vCPU, 15 GB RAM), n1-standard-8 (8 vCPU, 30 GB RAM), n1-standard-16 (16 vCPU, 60 GB RAM).
VM Provisioning ModelStandardKeep the default value.
Confidential VM ServiceDisabledKeep the default value.
ContainerDisabledKeep the default value.
Boot Disk: Custom Imagesrhel9-20240216075746-multi-voltmesh-us-west2Select CUSTOM IMAGES and use the image uploaded on the previous step.
Boot Disk: TypeStandard persistent disk.
Boot Disk: Size80 GBMinimum disk space required is 45 GiB for Mesh site and 100 GiB for App Stack Site.
Identity and API access: Service accountCompute Engine default service account.Keep the default value.
Identity and API access: Access scopesAllow default access.
Networking: Network tagsf5-ceUse the one created for the egress network firewall rule.
Networking: IP forwardingEnable
SLO Network Interfaces: Networkf5-ce-outside-networkOutside network for eth0.
SLO Network Interfaces: Subnetworkf5-ce-outside-subnetOutside subnet created for outside network.
SLO Network Interfaces: IP stack typeIPv4
SLO Primary internal IPv4 addressEphemeral (Automatic)Use automatic IP addressing.
SLO External IPv4 addressf5-ceUse the address created for the external IP address step.
SLI Network Interfaces: Networkf5-ce-inside-networkInside network for eth1.
SLI Network Interfaces: Subnetworkf5-ce-inside-subnetInside subnet created for inside network.
SLI Network Interfaces: IP stack typeIPv4
SLI Primary internal IPv4 addressEphemeral (Automatic)Use automatic IP addressing.
SLI External IPv4 addressNoneNo external IP address for eth1.
Security: SSH key1<your_ssh_public_key>Add your SSH public key to access the site admin CLI.
Management: MetadataKey 1: VmDnsSetting with Value 1: ZonePreferredZonal DNS mitigates the risk of cross-regional outages and improves the overall reliability of the VM.
Management: MetadataKey 2: user-data with Value 2: <cloud-config>Use the cloud config user data created previously.
  • Enter VM name with desired region and zone. For machine configuration, N1 series is selected and the Machine Type is n1-standard-4.
Figure

Figure

  • Select default values for Availability policies, Confidential VM service and Container.
Figure

Figure

  • Click CHANGE to configure Boot disk. Select CUSTOM IMAGES tab and use the previously uploaded F5 CE image with Boot disk type as Standard persistent disk.
Figure

Figure

  • Select default values for Identity and API access and empty firewall configuration.
Figure

Figure

  • For Network tags, use the network tag created during the VPC network configuration. Enable IP forwarding.
Figure

Figure

  • In Network interfaces page, first configure the Site Local Outside network that has Internet connectivity. Use the previously configured external static IP Address for this interface. This interface will be discovered as eth0 on the VM.
Figure

Figure

  • Add another network interface for Site Local Inside network. This interface will be discovered as eth1 on the VM. The SLI network does not require Internet connectivity.
Figure

Figure

Figure

Figure

  • In Security, configure the SSH Key that was also used during user data configuration in a previous step.
Figure

Figure

  • In Management, add the two key-value pairs per the table above.
Figure

Figure

  • Click CREATE.

Create and Register Site

Follow the Secure Mesh or App Stack site creation guides to create a site object on F5 Distributed Cloud Console.

Troubleshooting

For troubleshooting and opening a support case, see the Troubleshooting Manual Site Deployment Registration Issues guide. It provides step-by-step instructions to debug and resolve the issues that may arise due to Distributed Cloud published Terraform errors, networking and security misconfiguration, or CE internal process issues. The guide also provides instructions for contacting the F5 Distributed Cloud Support Team if you are unable to resolve the issue.

Concepts

References

On this page: