Deploy Secure Mesh Site v2 in AWS (ClickOps)
Objective
This guide provides instructions on how to create a Customer Edge (CE) Site using F5® Distributed Cloud Console and Amazon Web Services (AWS) Management Console and deploy to an AWS virtual private cloud (VPC).
Important: This guide does not provide instructions on how to deploy an F5® App Stack Site.
Planning
Read the following documents before deploying a Secure Mesh Site in any provider environment:
- Understanding F5 Distributed Cloud - Customer Edge (CE)
- CE Datasheet
- CE Supported Platforms Guide
- Customer Edge Site Sizing Reference
- CE Performance Guide: Contact your account representative on CE performance-related information.
- Proxy for CE Registration and Upgrades Reference
- Secure Mesh Sites v2 Frequently Asked Questions
- Customer Edge Registration and Upgrade Reference
- F5 Customer Edge IP Address and Domain Reference for Firewall or Proxy Settings
General Prerequisites
The following general prerequisites apply:
- A Distributed Cloud Services Account. If you do not have an account, see Getting Started with Console.
- An account with AWS with an IAM user with the IAM permissions mentioned in the AWS VPC Policies and Permissions Reference guide.
- Resources required per node: Minimum 8 vCPUs, 32 GB RAM, and 80 GB disk storage. For a full listing of the resources required, see the Customer Edge Site Sizing Reference guide. All the nodes in a given CE Site should have the same resources regarding the compute, memory, and disk storage. When deploying in cloud environments, these nodes should use the same instance flavor.
- Allow traffic from and to the Distributed Cloud public IP addresses to your network and allowlist related domain names. See the F5 Customer Edge IP Address and Domain Reference for Firewall or Proxy Settings guide for the list of IP addresses and domain names.
- F5 assumes that the VPC exists with a minimum of a single subnet where the CE Site node is deployed. For three-node clusters, F5 recommends that you have three different subnets in three different Availability Zones (AZs).
- The new Secure Mesh Site workflow enables you to have up to eight interfaces. However, these interfaces should be in different subnets. Therefore, make sure you have the required subnets available before creating the CE Site nodes.
- Internet Control Message Protocol (ICMP) needs to be opened between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed to ensure intra-cluster communication checks.
Important: After you deploy the CE Site, the IP address for the SLO interface cannot be changed. Also, the MAC address cannot be changed.
Configuration Overview
To create a Secure Mesh Site with AWS, here are the high-level steps:
- Site object configuration: Create and configure a Secure Mesh Site object using F5 Distributed Cloud Console.
- Node creation prerequisites: Create objects that are associated with the CE nodes, including security groups, SSH key pairs, and more.
- Image management: Gather all the information required to find the Amazon Machine Image (AMI).
- Node management: Use the AMI found in the previous step to create the CE nodes (EC2 instances). Each CE node is a virtual machine (VM).
- Network interface management: Add additional interfaces on the nodes, if necessary.
Procedure
This procedure demonstrates the steps to deploy a single-node Site with dual interfaces. However, this procedure also explains the necessary deviations from this specific model where necessary, making it flexible to adjust to different node and interface requirements.
Create Site Object
Create the Site object that you associate with your nodes.
- Create a Secure Mesh Site object in Distributed Cloud Console. Refer to the Create Secure Mesh Site guide.
- Set the Provider Name option to AWS.
- For High Availability, choose an option. If it is Disabled, then the CE Site only supports one node. If it is Enabled, the CE Site requires three nodes. Additional nodes can only be added to CE sites when HA is Enabled.
Important: The High Availability mode cannot be changed after the CE Site is created.
Figure: Provider Type
- Leave the other options with their default values. These options have intelligent default values and do not need further configuration. Refer to the Create Secure Mesh Site guide for more information on these options.
- Click Add Secure Mesh Site.
Create Security Group
Create the security group that is attached to your F5 CE Site EC2 instance (node). This security group is used for the Site Local Outside (SLO) interface. Any other interfaces can use the default security group for your VPC, which allows all traffic in both directions.
Step 1: Create security group.
- In AWS Management Console, navigate to the EC2 service.
- From the left panel, under Network & Security, click Security Groups.
Figure: Security Groups
- Click Create security group.
Figure: Security Groups
- Enter a name. In this example, f5-ce-security-group is the name for the security group.
Step 1.1: Create inbound rules.
For the inbound rules, refer to the F5 Customer Edge IP Address and Domain Reference for Firewall or Proxy Settings guide especially for multi-node CE Site requirements, Site Mesh Group, DC Cluster Group, eBGP peering, or External Connector. In addition, ensure that you cover the following:
- Allow SSH from your machine's public IP address. AWS can detect the public IP address that you are configuring from and allow it. You can also choose Custom and enter your corporate public address space.
- Allow TCP port 65500 for the local UI on the CE Site.
- Allow ICMP for troubleshooting.
- In the case of a multiple-node setup, add a self-referencing rule (the security group itself as the source). Because all the nodes have the same security group attached, this allows communication from the other nodes.
Important: If you configure an HTTP load balancer listening on HTTPS, make sure you add a rule that allows HTTPS traffic from any source. You can also restrict the sources if there is a need.

Figure: Security Group: Inbound Rules
Step 1.2: Create outbound rules.
You can choose to implement either an "allow all" egress policy or a more restrictive one. While a restricted policy offers tighter control, it typically only accounts for the connectivity required for the CE Site to function. It does not automatically accommodate broader connectivity needs within your environment, such as workload access to external domains and IP addresses, CE inter-node communication, Site Mesh Group or DC Cluster Group traffic, BGP peering, or other external connectivity scenarios. If you decide to use a restrictive policy, see the F5 Customer Edge IP Address and Domain Reference for Firewall or Proxy Settings guide for the list of IP addresses and domain names.
- For outbound traffic, create an allow all policy.
- After you finish, click Create security group.

Figure: Security Group: Outbound Rules
Step 2: Verify rules created.
Confirm rules created successfully. Use the Inbound rules and Outbound rules tabs to list the rules.
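As an added example (not F5's or AWS's own code), the inbound rule set described in Step 1.1, expressed in the IpPermissions shape that boto3's authorize_security_group_ingress accepts, plus a check that flags admin ports left open to the Internet. The admin prefix, the security group ID, and the choice to restrict port 65500 and ICMP to the same admin prefix as SSH are assumptions.

```python
import json

LOCAL_UI_PORT = 65500  # CE local UI port named in the guide


def build_slo_ingress(admin_cidr, sg_id, multi_node=False, https_lb=False):
    """Inbound rules for the SLO security group, in IpPermissions form.

    admin_cidr: public prefix you administer from (assumption: the guide
                does not name a source for port 65500 and ICMP; this example
                restricts both to the same admin prefix as SSH).
    sg_id:      the group's own ID, used as the source of a self-referencing
                rule so the other CE nodes (same group attached) can talk.
    """
    admin = [{"CidrIp": admin_cidr, "Description": "admin prefix"}]
    rules = [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": admin},
        {"IpProtocol": "tcp", "FromPort": LOCAL_UI_PORT, "ToPort": LOCAL_UI_PORT,
         "IpRanges": admin},
        # FromPort/ToPort -1 on the icmp protocol means all ICMP types and codes
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": admin},
    ]
    if multi_node:
        # all traffic from instances that carry this same security group
        rules.append({"IpProtocol": "-1",
                      "UserIdGroupPairs": [{"GroupId": sg_id,
                                            "Description": "intra-cluster"}]})
    if https_lb:
        # only an HTTPS load balancer listener is expected to be world-reachable
        rules.append({"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                      "IpRanges": [{"CidrIp": "0.0.0.0/0",
                                    "Description": "HTTPS listener"}]})
    return rules


def audit_ingress(rules, admin_ports=(22, LOCAL_UI_PORT)):
    """Return findings for admin ports (or all-traffic rules) open to 0.0.0.0/0."""
    findings = []
    for r in rules:
        for ip in r.get("IpRanges", []):
            if ip.get("CidrIp") != "0.0.0.0/0":
                continue
            lo, hi = r.get("FromPort", 0), r.get("ToPort", 65535)
            if r["IpProtocol"] == "-1" or any(lo <= p <= hi for p in admin_ports):
                findings.append(f"{r['IpProtocol']} {lo}-{hi} open to 0.0.0.0/0")
    return findings


if __name__ == "__main__":
    # 203.0.113.0/24 and sg-0123456789abcdef0 are placeholder values
    rules = build_slo_ingress("203.0.113.0/24", "sg-0123456789abcdef0",
                              multi_node=True, https_lb=True)
    print(json.dumps(rules, indent=2))
    print("findings:", audit_ingress(rules))
```

Running audit_ingress over the IpPermissions returned by describe_security_groups for the SLO group is a quick way to confirm Step 2 did not leave SSH or the local UI reachable from anywhere.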

Figure: Verify Security Group Rules

Figure: Verify Security Group Rules
Create SSH Key Pair
Create the key pair that is used for SSH log in to the EC2 instance for troubleshooting purposes, if needed.
Step 1: Create key pair.
- In AWS Management Console, navigate to Network & Security > Key Pairs.
- Click Create key pair.
- Enter a name, and select the type of key pair.
Figure: Create SSH Key
- Click Create key pair.
Step 2: Verify key pair.
Verify the SSH key pair was created.

Figure: Verify SSH Key
Existing VPC Details
In this procedure, a dual interface single-node CE Site is being deployed. Since the Site has two interfaces, two subnets are required. One for SLI and the other for SLO. Both subnets are in the same AWS Availability Zone (AZ). In this example, us-west-1c is the AZ where the SLI and SLO subnets are located.
The workload subnet is generally used, but it is not required to deploy a node for the CE Site.

Figure: Existing VPC Details

Figure: Existing Subnet Details
Create Elastic IP Address
Create an Elastic IP (EIP) address to attach to the CE Site. The EIP acts as a static IP address for all nodes in your Site.
- In AWS Management Console, navigate to Network & Security > Elastic IPs.
- Click Allocate Elastic IP address.
- Ensure Name is selected for Key.
- Enter a name for the EIP address in the Value - optional field. This example uses f5-ce-eip.
- Select Add new tag.
- Select Allocate.

Figure: Configure EIP Address
Generate Node Token
A one-time node token is required to register a CE Site node to the Distributed Cloud Console. A new token must be generated for every new node in a CE Site. A token is valid for 24 hours. Make sure that the CE node is deployed soon after the token is generated.
The token is included in the cloud-init information under the Content variable. Also included are two variables commented out: slo_ip and slo_gateway. These variables can be commented out if you are using your own DNS service and not the default DNS service provided by F5.
- In Distributed Cloud Console, select the Multi-Cloud Network Connect workspace.
- Navigate to Manage > Site Management > Secure Mesh Sites v2.
- For your Site, click ... > Generate Node Token.
Figure: Generate Node Token
- Click Copy cloud-init.
- Save the value locally. This token is used later. The token value is hidden for security purposes.
Figure: Copy Node Token
- Click Close.
- Generate one token per node you intend to deploy.
Create AWS EC2 Instance
You can use one of two methods to create the EC2 instance virtual machine (VM). You can (1) deploy directly from AWS Marketplace, or (2) deploy using a downloaded image file. Each VM is a node in your Site.
Important: The name of the VM should not have "." in it. For example, the hostname can be node-0 or node0, but it cannot be node.f5.com since that is not supported. Your node VM name must adhere to DNS-1035 label requirements. This means the name must consist of lowercase alphanumeric characters or "-", start with an alphabetic character, and end with an alphanumeric character.
If configuring a multi-node Site, each node hostname must be unique.
Launch Node VM Instance from AWS Marketplace
This section guides you through the procedure to deploy directly from AWS Marketplace using a public image published by F5. F5 recommends this method to deploy your CE Site nodes.
Step 1: Create node VM.
- In Distributed Cloud Console, select the Multi-Cloud Network Connect workspace.
- Navigate to Manage > Site Management > Secure Mesh Sites v2.
- For your Site, click ... > Launch Instance. This action opens the CE image listing on AWS Marketplace, in a new browser tab.
Step 2: Configure node VM.
- For the Launch Method drop-down menu, select Launch from EC2 Console.

Figure: Launch Instance From EC2 Console
- Confirm the Version is as desired. By default, the most recent software version is selected. Use the drop-down menu to select another version, if needed.
- Confirm the Region is as desired.
- Click Launch from EC2. A new browser tab opens.

Figure: Launch Instance From EC2 Console
- Under Name, enter a name for your VM. This is the node name.

Figure: Configure Node VM Settings
- Keep Application and OS Images (Amazon Machine Image) set to the default AMI listing.
Step 2.1: Configure compute resources.
From the Instance Type menu, select the compute resources required for your node VM. F5 recommends using the m5.2xlarge option. This is the minimum instance type required to run F5 CE Site software. Refer to the Customer Edge Site Sizing Reference guide for more information.
Step 2.2: Select SSH key pair.
From the Key pair name - required menu, select the SSH key pair previously created in section Create SSH Key Pair.
Step 2.3: Configure VPC and subnet settings.
The subnet chosen in this step is the subnet for Network Interface 1 (SLO). Labeling the subnets makes it easier to place the interface in the SLO subnet.
- Select Edit to configure subnets.
- Ensure that Auto-assign public IP is disabled, as the Elastic IP address is used instead.
Step 2.4: Configure firewall settings.
Under Firewall (security groups), select the security group created previously in section Create Security Group.

Figure: Add Security Group
Step 2.5: Configure node VM storage.
Under Configure storage, enter an amount. The minimum required is 80 GiB.
Step 2.6: Configure node VM user data.
- Expand the Advanced details field.
- Under User data - optional, paste your cloud-init script information (which includes the node token) from section Generate Node Token.
Step 3: Launch node VM.
After you complete the required configuration option settings, click Launch instance.
Launch Node VM Instance from Downloaded File (Optional)
This method is optional and can be used if you are not deploying directly from AWS Marketplace.
Step 1: Download image file.
- In Distributed Cloud Console, select the Multi-Cloud Network Connect workspace.
- Navigate to Manage > Site Management > Secure Mesh Sites v2.
- For your Site, click ... > Download Image. This action downloads the node image file onto your local machine.
Figure: Download CE Node Image
- In the side popout window, confirm the integrity of the downloaded file using the MD5 checksum value.
- Afterwards, click Close.
Step 2: Upload image file.
- Use the downloaded file and upload it to your AWS account as an EC2 instance.
- Configure your node VM as per your requirements, and then launch the instance.
Associate Elastic IP Address to SLO Interface
After the EC2 instance VM is created, you need to associate the previously created Elastic IP address with it. First, take note of the SLO interface ID: navigate to the Networking tab under the F5 CE Site instance and get the ENI ID of the SLO interface. Keep it handy, as you need it when assigning the Elastic IP address to the SLO interface.
- In the EC2 Console, select Networking > Elastic IPs.
- Search for your EIP address and then select it.
- From the Actions drop-down menu, select Associate Elastic IP address.

Figure: Associate EIP Address
- Select the Resource type and then click Associate.

Figure: Associate EIP Address
Verify CE Site Registration
- In Distributed Cloud Console, navigate to Multi-Cloud Network Connect > Overview > Infrastructure > Sites.
- Select your Site. The Dashboard tab should clearly show that the CE Site has registered successfully, with a System Health of 100% and both Data Plane and Control Plane up.

Figure: Confirm Site Health
Note: For more information on the Site registration process, see the Customer Edge Registration and Upgrade Reference guide.
Manage Network Interfaces (Optional)
After your CE Site registers successfully, you might want to add additional network interfaces to meet your requirements. Ensure that you connect another network interface to the node VM.
Important: Adding or removing network interfaces causes the data plane services on the CE node to restart. Therefore, F5 strongly recommends that you perform this operation during maintenance windows. As data plane services restart, traffic drops are expected, as well as tunnels to F5 Distributed Cloud REs going down.
All CE nodes in a given CE Site should have the same number of network interfaces attached. CE nodes with non-homogenous interfaces within a CE Site might cause issues.
Each node in the CE Site should have interfaces with the same VRFs assigned. For example: If a CE Site has three nodes, with each node having two interfaces - the first interface on each node is auto-configured to be in the SLO VRF (to connect to F5 Distributed Cloud). If the second interface on node-1 is in the SLI VRF, then the second interface on node-2 and node-3 must also be in the SLI VRF.
When new interfaces are added, they are auto-discovered. You can configure the interface (for example: place the interface in the appropriate VRF) from the CE Site configuration.
The first interface of the CE nodes should not be removed or modified.
After you configure the SLO interface with a static IP address, DHCP is still displayed in the Console. However, your static IP configuration is applied. Also, remember that you cannot modify SLO parameters once the node is registered and deployed.
Add New Interface
For AWS sites, to add another network interface to the CE, you need to create a new network interface in the same VPC but in a different subnet (preferably with auto-assigned addresses) and attach a security group to the interface.
In the example below, the default VPC security group allows traffic in both directions, as this is an internal-only interface. You can also provision additional security groups with more restrictive policies on the non-SLO interfaces, if required and provided you have a full understanding of the nature of the traffic that traverses those interfaces. Tagging the interface with the instance name is a good practice so that the purpose of the interface is easy to understand.
Step 1: Create new network interface for EC2 instance.
- In the EC2 service, navigate to Network & Security > Network Interfaces.
- Select Create network interface.
- Under the Description - optional field, enter a name for the new interface.
- From the Subnet drop-down menu, select the subnet for this new interface.
Figure: Add New Interface
- Add a name tag for this new interface.
- Click Create network interface.

Figure: Add New Interface
Step 2: Attach new network interface to EC2 instance.
- Power down the VM prior to adding any new interfaces or modifying any existing interfaces.
- After the interface is created, attach it to the particular instance. Select the particular interface you created and click Actions > Attach.

Figure: Attach to Instance
- Specify the correct details of the VPC and instance and then click Attach.

Figure: Attach to Instance
- In Console, navigate to your Site and edit the node configuration.

Figure: Edit Interface
- For the desired interface, click the pencil button.
- Ensure you set the IPv4 Interface Address Method as DHCP Client.
- Click Apply, and then click Save Secure Mesh Site.
Step 3: Verify changes in AWS Management Console.
Verify in AWS Management Console that the EC2 instance, under the Networking tab, now has two interfaces.

Figure: Verify Instance in AWS
Step 4: Verify changes in Distributed Cloud Console.
- Power back up the VM.
- You can also verify the same information from Distributed Cloud Console by navigating to the Site Dashboard under Multi-Cloud Network Connect > Overview > Sites and choosing the Site name. Navigate to the Infrastructure tab to see the Interfaces table.

Figure: Verify Instance in Console
Stop Source/Destination Checks
In AWS, the source/destination check is a feature that ensures that an EC2 instance is only responsible for traffic that it sends or receives. By default, this check is enabled for all EC2 instances, meaning that each instance is expected to handle only the network traffic that originates from or is destined to its own IP address.
In the case of an F5 CE Site, the instance is a Network Virtual Appliance (NVA) that outgoing and incoming traffic needs to transit through. Therefore, you need to disable the source/destination check on the F5 CE EC2 instance.
- In AWS Management Console, navigate to the EC2 service.
- For your EC2 instance, navigate to Actions > Networking > Change source/destination check.

Figure: EC2 Instance Networking
- Check the box for Stop.

Figure: Stop Checkbox
- Click Save.
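As an added example (not F5's or AWS's own code) covering the node-name rule from Create AWS EC2 Instance, the equal-interface-count rule from Manage Network Interfaces, and the source/destination check above: an audit over instance descriptions in the shape returned by EC2 describe_instances. It assumes the Name tag is the node hostname; the sample nodes are constructed.

```python
import re

# DNS-1035 label as the guide requires for node names: lowercase
# alphanumerics or "-", starting with a letter, ending alphanumeric.
DNS1035_LABEL = re.compile(r"^[a-z]([-a-z0-9]*[a-z0-9])?$")


def valid_node_name(name):
    return len(name) <= 63 and DNS1035_LABEL.match(name) is not None


def audit_nodes(instances):
    """Check EC2 instance dicts (Instances entries from describe_instances;
    assumption: the Name tag is the node hostname) against the guide:
    DNS-1035 names, unique hostnames, equal interface counts per node,
    and source/destination check disabled on the instance and every ENI."""
    findings, names, counts = [], [], {}
    for inst in instances:
        name = next((t["Value"] for t in inst.get("Tags", []) if t["Key"] == "Name"), "")
        names.append(name)
        if not valid_node_name(name):
            findings.append(f"{name!r}: node name is not a DNS-1035 label")
        if inst.get("SourceDestCheck", True):
            findings.append(f"{name}: instance source/destination check still enabled")
        enis = sorted(inst.get("NetworkInterfaces", []),
                      key=lambda e: e["Attachment"]["DeviceIndex"])
        counts[name] = len(enis)
        for eni in enis:
            if eni.get("SourceDestCheck", True):
                findings.append(f"{name}: {eni['NetworkInterfaceId']} "
                                "source/destination check still enabled")
    for n in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"{n!r}: hostname is not unique in the Site")
    if len(set(counts.values())) > 1:
        findings.append(f"interface counts differ across nodes: {counts}")
    return findings


# Constructed sample (not real instances): node-0 is compliant, the second
# node has an invalid name, the check still enabled, and only one interface.
SAMPLE_NODES = [
    {"InstanceId": "i-0aaa", "SourceDestCheck": False,
     "Tags": [{"Key": "Name", "Value": "node-0"}],
     "NetworkInterfaces": [
         {"NetworkInterfaceId": "eni-0slo", "SourceDestCheck": False,
          "Attachment": {"DeviceIndex": 0}},
         {"NetworkInterfaceId": "eni-0sli", "SourceDestCheck": False,
          "Attachment": {"DeviceIndex": 1}}]},
    {"InstanceId": "i-0bbb", "SourceDestCheck": True,
     "Tags": [{"Key": "Name", "Value": "node.f5.com"}],
     "NetworkInterfaces": [
         {"NetworkInterfaceId": "eni-1slo", "SourceDestCheck": False,
          "Attachment": {"DeviceIndex": 0}}]},
]

if __name__ == "__main__":
    for finding in audit_nodes(SAMPLE_NODES):
        print(finding)
```

Feed it the Instances entries for your CE nodes (for example from boto3's describe_instances) after the Stop Source/Destination Checks step; an empty result means the nodes match the rules the guide sets out.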
Modify Interface Attributes
Important: The IP address for the SLO interface cannot be modified. In addition, you cannot modify any MAC addresses for any interfaces.
- Power down the VM prior to adding any new interfaces or modifying any existing interfaces.
- To modify any interface attributes, click Manage Configuration.

Figure: Edit Interface
- Click Edit Configuration.

Figure: Edit Interface
- Under the Nodes subsection, click the pencil icon under Actions to edit.

Figure: Edit Interface
- Choose one of the interfaces to edit. This example uses ens6.

Figure: Edit Interface
- Change the settings as required. In this example, the interface is being placed in the prod-segment. Therefore, the setting was changed from the original Site Local Inside (Local VRF) to Segment (Global VRF), and then the required segment was selected.

Figure: Edit Interface

Figure: Edit Interface
- Click Apply to apply the interface attribute changes.
- Click Apply again to confirm the interface attribute changes.
- Click Save Secure Mesh Site.
- In the AWS Management Console, power back up the node VM.
Troubleshooting for AMI Listings
While the AMIs are published across all global regions, there might be cases where the AMI does not exist (for example, a new region just went online). If you previously found the AMI listing above, you can skip this troubleshooting section. This section explains how you can still deploy CE Site nodes in regions where the official F5 AMI listing does not exist.
Use the AMI copy functionality within AWS, following the steps in the official AWS documentation. Switch to us-east-1 in the AWS Management Console and locate the AMI by its name as described above.
In this example, the AMI is copied to the São Paulo (South America) region. F5 recommends that you keep the name and description matching the original or, at a minimum, provide meaningful names that help you distinguish the AMI. It is important to realize that this copy is now a private AMI. In other words, it is only accessible to your account, whereas the original AMI is a public AMI for all other customers to consume.

Figure: Copy AMI to Target Region

Figure: Copy AMI to Target Region
Day 2 Operations
- To monitor your Site, see the Monitor Site guide.
- To manage your Site software and OS updates, see the Manage Site guide.
- For troubleshooting issues, see the Troubleshooting Guide for Secure Mesh Site v2 Deployment guide. It provides step-by-step instructions to debug and resolve the issues that may arise due to registration and provisioning errors.
- For the latest on Distributed Cloud Services releases, see Changelogs.
Related Guides
To create a load balancer on the CE Site, see the HTTP Load Balancer or the TCP Load Balancer guides.