Deploy Secure Mesh Site v2 in AWS (ClickOps)

Objective

This guide provides instructions on how to create a customer edge (CE) site using F5® Distributed Cloud Console and Amazon Web Services (AWS) Console and deploy to an AWS virtual private cloud (VPC). For more information on a CE Site, refer to F5 Distributed Cloud - Customer Edge.

As part of the new site deployment workflow, you can deploy the CE site as a Secure Mesh Site to an AWS VPC.

Important: This guide does not provide instructions on how to deploy an F5® App Stack Site.

---

Planning

Read the following documents before deploying a Secure Mesh Site in any provider environment:

• Understanding F5 Distributed Cloud - Customer Edge (CE)
• CE Datasheet
• CE Supported Platforms Guide
• Customer Edge Site Sizing Reference
• CE Performance Guide: Contact your account representative on CE performance-related information.
• Proxy for CE Registration and Upgrades Reference
• Secure Mesh Sites v2 Frequently Asked Questions
• Customer Edge Registration and Upgrade Reference
• Firewall and Proxy Server Allowlist Reference

---

General Prerequisites

The following general prerequisites apply:

• A Distributed Cloud Services Account. If you do not have an account, see Getting Started with Console.

• An account with AWS with an IAM user with the IAM permissions mentioned in the AWS VPC Policies and Permissions Reference guide.

• Resources required per node: Minimum 4 vCPUs, 16 GB RAM, and 80 GB disk storage. For a full listing of the resources required, see the Customer Edge Site Sizing Reference guide. All the nodes in a given CE Site should have the same resources regarding the compute, memory, and disk storage. When deploying in cloud environments, these nodes should use the same instance flavor.

• Allow traffic from and to the Distributed Cloud public IP addresses to your network and allowlist related domain names. See Firewall and Proxy Server Allowlist Reference guide for the list of IP addresses and domain names.

• F5 assumes that the VPC exists with a minimum of a single subnet where the CE Site node will be deployed. For three-node clusters, it is recommended to have three different subnets in three different Availability Zones (AZs).

• The new Secure Mesh Site workflow enables you to have up to eight interfaces. However, these interfaces should be in different subnets. Therefore, make sure you have the required subnets available before creating the CE Site nodes.

• Internet Control Message Protocol (ICMP) needs to be opened between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed to ensure intra-cluster communication checks.

Important: After you deploy the CE Site, the IP address for the SLO interface cannot be changed. Also, the MAC address cannot be changed.

---

Configuration Overview

To create a Secure Mesh Site, here are the high-level steps:

1. Site object creation: Configure the site within F5 Distributed Cloud Console.
2. Node creation prerequisites: Create objects that will be associated to the nodes (AWS EC2 instances) including, security groups, key pairs, and more.
3. Image management: Gather all the information required to find the Amazon Machine Image (AMI).
4. Node management: Use the AMI found in the previous step to create the EC2 instances (in other words, the nodes that constitute the CE Site).
5. Interface management: Add additional interfaces on the nodes, if necessary.

---

Procedure

In this guide, the procedure demonstrates the steps to deploy a single-node secure mesh site with dual interfaces. However, this guide will also explain the necessary deviations from this specific model where necessary, making it flexible to adjust to different node and interface requirements.

Create Site Object

• Create a secure mesh site object in Distributed Cloud Console. Refer to the Create Secure Mesh Site guide.

• Set the Provider Name option to AWS.

Create Security Group

Create the security group that will be attached to the F5 CE Site EC2 instance. Note that this security group will be used for the Site Local Outside (SLO) interface. Any other interfaces can use the default security group of the VPC, which allows all traffic in both directions.

Step 1: Create security group.

• In AWS Console, navigate to the EC2 service.

• From the left panel, under Network & Security, click Security Groups.

Figure: Security Groups

• Click Create security group.

Figure: Security Groups

• Enter a name. In this example, f5-ce-security-group is the name for the security group.

Step 1.1: Create inbound rules.

• For the inbound rules, ensure the following:

  • Allowed SSH from the machine’s public address. This is where AWS will figure out the public IP address that a user is configuring from and allows it. You can also use custom and put your corporate public address space.

  • Allowed ICMP for troubleshooting.

  • Allowed TCP Port 65500 for the local UI on the CE Site.

  • In the case of a multiple-node setup, add a rule that shows security group referencing, which means that Distributed Cloud allows communication from the other nodes, as all the nodes will have the same security group attached.

Important: If you configure an HTTP load balancer listening on HTTPs, make sure you add a rule that allows HTTPs traffic from any source. You can also restrict the sources if there is a need.

Figure: AWS Security Group Referencing Example

Step 1.2: Create outbound rules.

You can choose to use an "allow any" egress policy or a restricted egress policy. For the restricted egress policy, the CE firewall rules, both given by prefix and by domain, are the minimal requirement for CE operations. See the Firewall and Proxy Server Allowlist Reference guide for the list of IP addresses and domain names.

• For outbound traffic, create an allow all policy.

• After you finish, click Create security group.

Figure: Security Groups Rules Created

Step 2: Verify rules created.

Confirm rules created successfully. Use the Inbound rules and Outbound rules tabs to list the rules.

Figure: Verify Security Groups Rules

Figure: Verify Security Groups Rules

Create SSH Key Pair

Create the key pair that will be used to SSH login to the EC2 instance for troubleshooting purposes, if needed.

Step 1: Create key pair.

• In AWS console, navigate to Network & Security > Key Pairs.

• Click Create key pair.

• Enter a name, and select the type of key pair.

Figure: Create SSH Key

• Click Create key pair.

Step 2: Verify key pair.

Verify the SSH key pair was created.

Figure: Verify SSH Key

Existing VPC Details

In this procedure, a dual interface single-node CE site is being deployed. Since the site has two interfaces, two subnets are required. One for SLI and the other for SLO. Both subnets are in the same AWS Availability Zone (AZ). In this example, us-west-1c is the AZ where the SLI and SLO subnets are located.

The workload subnet is generally used, but it is not required to deploy a node for the CE Site.

Create Elastic IP Address

Create an Elastic IP (EIP) address to attach to the CE Site.

• In AWS console, navigate to Network & Security > Elastic IPs.

• Click Allocate Elastic IP address.

• Ensure Name is selected for Key and enter a name for the EIP address in the Value field. This example uses f5-ce-eip.

---

Find AMI

• For your site, click ... under Actions.

• Click Copy Image Name. This action will copy the AMI name within AWS. It is important to note that the AMI name for the CE Site node images will be the same regardless of the chosen AWS region.

Note: The AMI name follows the naming convention of f5xc-ce-<version>. For example, f5xc-ce-9.2. The copied image name is used to find the AMI in AWS Console.

• In AWS Console, navigate to the EC2 service.

• From the left panel, click Images > AMIs.

• Select Public images.

• In the search box, paste the AMI name. You should have one matching entry. The AMI name to look for is f5xc-ce-<version> where version consists of numbers only.

• Click Launch instance from AMI.

Workaround: Unable to find the AMI in local region.

While the AMIs are published across all global regions, there might be cases where the AMI does not exist (for example: a new region just went online). If you already found the AMI in the previous section, you can skip this section. This section explains how you can still deploy CE sites in regions where the AMIs do not exist.

You can use the functionality within AWS that is documented here. Switch to us-east-1 in the AWS Console and locate the AMI by its name as described above. In this example, the AMI is being copied to São Paulo (South America) region. It is highly recommended keeping the name and description matching to the original name or at a minimum, provide meaningful names that will help you distinguish the AMI. It is important to realize that this copy is now a Private AMI. In other words, it is only accessible to your account whereas the original AMI is a public AMI for all other customers to consume.

Figure: Copy AMI to Target Region

Figure: Copy AMI to Target Region

---

Generate Node Token

A one-time node token is required to register a CE Site node to the Distributed Cloud Console. A new token must be generated for every new node in a CE Site. A token is valid for 24 hours. Make sure that the CE node is deployed soon after the token is generated.

The token is included in the cloud-init information under the Content variable. Also included are two variables commented out: slo_ip and slo_gateway. These variables can be commented out if you are using your own DNS service and not the default DNS service provided by F5.

• In Distributed Cloud Console, select the Multi-Cloud Network Connect service.

• Navigate to Manage > Site Management > Secure Mesh Sites v2.

• For your site, click ... > Generate Node Token.

• Click Copy cloud-init.

• Save the value locally. This token will be used later. The token value is hidden for security purposes.

• Click Close.

• Generate one token per node you intend to deploy.

---

Create AWS EC2 Instance

Create the EC2 instance virtual machine (VM).

Important: The name of the VM should not have . in it. For example, the hostname can be node-0 or node0, but it cannot be node.f5.com since it is not supported. If configuring a multi-node site, each node hostname must be unique.

• In AWS console, launch an EC2 instance.

• Click Add additional tags. Add the following two tags: ves-io-site-name (equals the site name) and kubernetes.io/cluster/ (the value after /cluster/ is the site name).

• For the instance type, select t3.xlarge. This is the minimum instance type required to run F5 CE Site software.

• Select the SSH key pair previously created.

• Select the VPC, Subnet (SLO), and security group created previously. The subnet chosen in this is the subnet for Network Interface 1 (SLO). Labeling the subnets helps here so that you can easily place the interface in the SLO subnet.

• Ensure that Auto-assign public IP is disabled as the Elastic IP address is used instead.

• Configure the storage requirement (80 GiB).

• For the User data field, paste the cloud-init information (which includes the site token) copied from the Generate Node Token section.

• Complete creating the EC2 instance.

Associate the Elastic IP Address to SLO Interface

After the is created, you need to allocate the previously created Elastic IP address. However, take note of the SLO Interface ID by navigating to the networking tab under the F5 CE Site instance and getting the ENI ID of the SLO. Keep it handy as you will need to leverage it when assigning the Elastic IP address to the interface.

Verify CE Site Registration

• In Distributed Cloud Console, navigate to Multi-Cloud Network Connect > Overview > Infrastructure > Sites.

• Select the site. The Dashboard tab should clearly show that the CE Site has registered successfully with the System Health of 100% as well as Data Plane/Control Plane both being up.

Note: For more information on the site registration process, see the Customer Edge Registration and Upgrade Reference guide.

---

Manage Network Interfaces (Optional)

After the CE Site registers successfully, you can add additional network interfaces, if necessary, to meet your requirements. Ensure that you connect another network interface to the VM.

Important: Note the following when changing network interfaces on CE nodes:

• Adding or removing network interfaces will cause the data plane services on the CE node to restart. Therefore, it is strongly recommended performing this operation during maintenance windows. As data plane services restart, traffic drops are expected, as well as tunnels to F5 Distributed Cloud REs going down.

• All CE nodes in a given CE site should have the same number of network interfaces attached. CE nodes with non-homogenous interfaces within a CE Site might cause issues.

• Each node in the CE site should have interfaces with the same VRFs assigned. For example: If a CE Site has three nodes, with each node having two interfaces - the first interface on each node will be auto-configured to be in the SLO VRF (to connect to F5 Distributed Cloud). If the second interface on node-1 is in the SLI VRF, then the second interface on node-2 and node-3 must also be in the SLI VRF.

Important: When new interfaces are added, they will be auto-discovered. You can configure the interface (for example: place the interface in the appropriate VRF) from the CE Site configuration. The first interface of the CE nodes should not be removed or modified.

For AWS sites, to add another network interface to the CE, you need to create a new network interface as part of the same VPC in a different subnet with auto-assigned addresses preferably and attach a security group to the interface. In the example below, the default VPC security group allows traffic in both directions, as this is an internal-only interface. You can also provision additional security groups with more restrictive policies on the non-SLO interfaces if required and provided you have a full understanding on the nature of traffic that will traverse the interfaces. Tagging the interface with the instance name is a good practice to easily understand the reason behind this interface.

Step 1: Attach interface to instance.

• Power down the VM prior to adding any new interfaces or modifying any existing interfaces.

• After the interface is created, attach it to the particular instance. Select the particular interface you created and click Actions > Attach.

Figure: Attach to Instance

• Specify the correct details of the VPC and instance and then click Attach.

Figure: Attach to Instance

• In Console, navigate to your site and edit the node configuration.

Figure: Edit Interface

• For the desired interface, click the pencil button.

• Ensure you set the IPv4 Interface Address Method as DHCP Client.

• Click Apply, and then click Save and Exit.

Step 2: Verify changes in AWS Console.

Verify from the AWS Console EC2 Instance under the Networking tab that the instance now has two interfaces.

Figure: Verify Instance in AWS

Step 3: Verify changes in Console.

• Power back up the VM.

• You can also verify the same information from Distributed Cloud Console by navigating to the site Dashboard under Multi-Cloud Network Connect > Overview > Sites and choosing the site name. Navigate to the Infrastructure tab to see the Interfaces table.

Figure: Verify Instance in Console

Stop Source/Destination Checks

In AWS, the source/destination check is a feature that ensures that an EC2 instance is only responsible for traffic that it sends or receives. By default, this check is enabled for all EC2 instances, meaning that each instance is expected to handle only the network traffic that originates from or is destined to its own IP address.

In the case of an F5 CE Site, the instance is a Network Virtual Appliance (NVA) that outgoing and incoming traffic needs to transit through, and therefore we need to disable the source/destination check on the F5 CE EC2 instance.

• For you EC2 instance, navigate to Actions > Networking > Change source/destination check.

• Check the box for Stop.

• Click Save.

Modify Interface Attributes

Important: The IP address for the SLO interface cannot be modified. In addition, you cannot modify any MAC addresses for any interfaces.

• Power down the VM prior to adding any new interfaces or modifying any existing interfaces.

• To modify any interface attributes, click Manage Configuration. Then, in the wizard, click Edit Configuration.

• Under the Nodes subsection, click the pencil icon under Actions to edit.

• Choose one of the interfaces to edit. This example uses ens6.

• Change the settings as required. In this example, the interface is being placed in the prod-segment. Therefore, the setting from the original Site Local Inside (Local VRF) to Segment was changed. Then the required segment is selected.

• Click Save and Exit.

• Power back up the VM.

---

Day 2 Operations

• To monitor your Site, see the Monitor Site guide.
• To manage your Site software and OS updates, see the Manage Site guide.
• For troubleshooting issues, see the Troubleshooting Guide for Secure Mesh Site v2 Deployment guide. It provides step-by-step instructions to debug and resolve the issues that may arise due to registration and provisioning errors.
• For the latest on Distributed Cloud Services releases, see Changelogs.

Related Guides

To create a load balancer on the CE Site, see the HTTP Load Balancer or the TCP Load Balancer guides.

---

Concepts

• System Overview
• Core Concepts
• Networking
• F5 Distributed Cloud - Customer Edge

---