Deploy Secure Mesh Site v2 in Azure (ClickOps)
Objective
This guide provides instructions on how to create a customer edge (CE) site in Microsoft Azure using the new Secure Mesh Site and Microsoft Azure Console. For more information on a CE Site, refer to F5 Distributed Cloud - Customer Edge.
Important: This guide does not provide instructions on how to deploy an F5® App Stack Site.
General Prerequisites
The following general prerequisites apply:
- A Distributed Cloud Services Account. If you do not have an account, see Create an Account.
- An account with Microsoft Azure. See Required Access Policies for the permissions needed to deploy a site.
- Resources required per node: minimum 4 vCPUs, 14 GB RAM, and 80 GB disk storage. For a full listing of the resources required, see the Customer Edge Site Sizing Reference guide. All the nodes in a given CE Site should have the same compute, memory, and disk storage. When deploying in cloud environments, these nodes should use the same instance flavor.
- Allow traffic to and from the Distributed Cloud public IP addresses in your network, and allowlist the related domain names. See the Firewall and Proxy Server Allowlist Reference guide for the list of IP addresses and domain names.
- F5 assumes that the resource group exists with a virtual network that includes a minimum of two subnets: one for the Site Local Outside (SLO) and one for the Site Local Inside (SLI). The CE generally references the SLO interface as eth0 and the SLI interface as eth1. For three-node clusters, it is recommended to have three different subnets in three different availability zones.
- For a single-NIC deployment (ingress gateway), only a single subnet (SLO) is required.
- The new Secure Mesh Site workflow enables you to have up to eight interfaces. However, these interfaces must be in different subnets. Therefore, make sure you have the required subnets available before creating the CE Site nodes.
- Internet Control Message Protocol (ICMP) must be open between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed for the intra-cluster communication checks.
Important: After you deploy the CE Site, the IP address for the SLO interface cannot be changed. Also, the MAC address cannot be changed.
Procedure
This guide will show you how to create a single-node mesh site with dual interfaces (ingress/egress gateway). However, this guide will also incorporate the differences that you can follow to successfully deploy an Azure CE Site in any supported combination of nodes and interfaces.
Create Site Object
- Create a secure mesh site object in Distributed Cloud Console. Refer to the Create Secure Mesh Site guide.
- Set the Provider Name option to Azure.
Figure: Provider Type
Create Network Security Group
The CE site’s instance security is internally managed by the CE data path. Therefore, you must configure a Network Security Group with allow-all rules for both inbound and outbound traffic to be used with the site deployment.
Step 1: Navigate to security group creation page.
In Azure Console, navigate to the Network security groups service.
Figure: Network Security Groups
Step 2: Create and configure security group.
- Click Create.
- Assign the new security group to your resource group. This procedure uses f5xc-ce-resource-group as an example.
- Give the network security group an indicative name. In this procedure, it is f5-ce-external-network-security-group.
- Click Review + create.
- After you create the network security group, click on it to set up the inbound and outbound rules.
Figure: Network Security Group
Step 3: Create inbound rules.
Make sure you add rules for the following:
- Allow SSH to the instance. Azure can detect the public IP address you are configuring from and allow it. You can also use the custom option and enter your corporate public address space.
- Allow ICMP for troubleshooting.
- Allow TCP port 65500 for the local UI on the CE.
- For three-node clusters, ensure that traffic is allowed between the nodes.
Note: When creating load balancers to publish applications, you will need to add additional rules in your network security group to accept the traffic that comes to your virtual IP address (VIP).
Figure: Inbound Rules
Step 4: Create outbound rules.
Create an allow-all policy for egress traffic. This is the default configuration.
Figure: Outbound Rules
Step 5: Verify rules created.
In the overview section for your network security group, you can see all the rules that have been created. Confirm the rules are as desired.
Figure: Confirm Policy
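Rather than eyeballing the overview page, the rules can be checked programmatically. The Python below is an added example written for this page (not F5 or Azure tooling): it takes a list of NSG security rules and verifies the inbound allows from Step 3 (SSH, ICMP, TCP 65500) and the outbound allow-all from Step 4, honoring Azure's priority ordering so that a lower-numbered Deny is reported as blocking. It also flags an SSH rule whose source is any address, which is the case the corporate-address-space option above is meant to avoid. The rule dictionaries are constructed sample data in the shape of an Azure security rule's fields (protocol, direction, access, sourceAddressPrefix, destinationPortRange, priority), and the corporate CIDR 203.0.113.0/24 is an assumed placeholder.

```python
"""Check an NSG rule list against the inbound/outbound rules this guide asks for.
Added example for this page, not F5 or Azure code. Rule fields mirror the
properties of an Azure NSG security rule; the values are constructed samples."""

CORP_CIDR = "203.0.113.0/24"  # assumed corporate public address space (placeholder)

# Constructed sample: rules as they might look in f5-ce-external-network-security-group.
SAMPLE_RULES = [
    {"name": "allow-ssh-corp", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": CORP_CIDR, "destinationPortRange": "22"},
    {"name": "allow-icmp", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Icmp", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "allow-local-ui", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": CORP_CIDR, "destinationPortRange": "65500"},
    {"name": "allow-all-out", "priority": 100, "direction": "Outbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def _port_matches(rule_range, port):
    """True if a destinationPortRange ("*", "22" or "1024-65535") covers `port`."""
    if rule_range == "*":
        return True
    if "-" in rule_range:
        lo, hi = (int(x) for x in rule_range.split("-", 1))
        return lo <= port <= hi
    return int(rule_range) == port


def _first_match(rules, direction, protocol, port=None):
    """Return the rule Azure would apply first (lowest priority number) for this
    direction/protocol/port, regardless of whether it allows or denies."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != direction:
            continue
        if rule["protocol"] not in ("*", protocol):
            continue
        if port is not None and not _port_matches(rule["destinationPortRange"], port):
            continue
        return rule
    return None


def check_nsg(rules, corp_cidr=CORP_CIDR):
    """Return a list of findings; an empty list means the NSG matches the guide."""
    findings = []
    needed = [
        ("Inbound", "Tcp", 22, "SSH (TCP 22)"),
        ("Inbound", "Icmp", None, "ICMP"),
        ("Inbound", "Tcp", 65500, "CE local UI (TCP 65500)"),
        ("Outbound", "*", None, "allow-all egress"),
    ]
    for direction, proto, port, label in needed:
        hit = _first_match(rules, direction, proto, port)
        if hit is None:
            findings.append("missing: no %s rule for %s" % (direction.lower(), label))
        elif hit["access"] != "Allow":
            findings.append("blocked: %s is denied by rule %s" % (label, hit["name"]))
        elif port == 22 and hit["sourceAddressPrefix"] in ("*", "Internet"):
            findings.append("too broad: %s is allowed from any source; restrict to %s"
                            % (label, corp_cidr))
    return findings


if __name__ == "__main__":
    for finding in check_nsg(SAMPLE_RULES) or ["NSG matches the guide's expectations"]:
        print(finding)
```

To run it against a real group, replace SAMPLE_RULES with the securityRules of the NSG exported from the portal, mapping each rule's properties into the same field names.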
Create SSH Key Pair
You need to create a key pair for SSH login into the virtual machine for troubleshooting purposes.
Step 1: Navigate to SSH key creation page.
- In Azure Console, navigate to the SSH keys service.
- Click Create.
Step 2: Configure key pair.
- Verify the Subscription and Resource group are correctly selected.
- In the Key pair name field, enter a name.
- Click Review + create.
Figure: Create SSH Key Pairs
- After successful validation, click Create.
- Click Download private key and create resource to download the private key to your local machine, since Azure does not keep a copy of it. You will need this key to log into the CE Site node. In this procedure, the private key file is named f5xc-ce-ssh-keys.pem as an example.
Existing Resource Group Details
In this procedure, we are deploying dual interface single-node and multi-node CE sites. Therefore, we need two subnets: SLI (Site Local Inside) and SLO (Site Local Outside). Note that workload subnets are generally used but are not a requirement to deploy a CE site.
Note: Azure subnets are not zonal constructs, so the same subnets can be used for deploying nodes in different availability zones for a multi-node site.
Figure: View Subnets
Create Public IP Address
In Azure Console, create a public IP address. You will need to create one public IP address for each node that is being deployed for the CE site. In other words, for a single-node CE Site, you will create one public IP and for a CE Site with high availability (HA), you will need to create three public IP addresses.
- Navigate to the Public IP addresses creation page and click Create.
Figure: Create Public IP
- Under Configuration details, in the Name field, enter a name for the public IP.
- Leave the remaining options at their default values.
- Click Review + create.
- After validation passes, click Create.
- For a multi-node site, repeat the steps above to create public IP addresses for nodes two and three.
Download and Create Node Image
Download the node image to instantiate a CE node.
Step 1: Download and unzip file.
- Navigate to Manage > Site Management > Secure Mesh Sites v2.
- For your site, click ... > Download Image. This action starts downloading the f5xc-ce-<version>.vhd.gz file onto your local machine.
Figure: Download Node Image
- After the download is complete, unzip the f5xc-ce-<version>.vhd.gz file.
Step 2: Upload file to Azure portal.
- In Azure portal, navigate to the Storage Accounts creation page.
- Click Create.
- Select your resource group and provide a name for your storage account. Leave all other settings at their defaults.
Figure: Upload Node Image
- Click Review + create.
- After validation passes, click Create.
- After the storage account is created, click Upload to upload the VHD file. Select the file from your local device.
- If the container does not exist, create a container named f5xc-azure-ce. Upload the VHD file to the container.
- Under Advanced Options, select the blob type as Page Blob.
Figure: Page Blob
- After the VHD file upload is complete, confirm the file appears as shown below.
Figure: Confirm Upload
Step 3: Create image using the VHD file uploaded.
- Navigate to the Images creation page and click Create.
- Select your resource group and provide a name for your image.
- Select the OS type as Linux.
- Browse to the VHD image you just uploaded to provide the path to the storage blob location.
- Select the Account type as Standard SSD.
Figure: Create Image Parameters
- Click Review + create.
- After validation passes, click Create.
Generate Node Token
A one-time node token is required to register a CE Site node to the Distributed Cloud Console. A new token must be generated for every new node in a CE Site. A token is valid for 24 hours. Make sure that the CE node is deployed soon after the token is generated.
- In Distributed Cloud Console, select the Multi-Cloud Network Connect service.
- Navigate to Manage > Site Management > Secure Mesh Sites v2.
- For your site, click ... > Generate Node Token.
Figure: Node Token
- Click Copy.
- Save the value locally. This token will be used later. The token value is hidden for security purposes.
Figure: Copy Node Token
- Click Close.
Create Azure Virtual Machine
Create the instance virtual machine (VM) using the parameters previously created.
This procedure uses Standard_DS4_v2 as an example. To find the right size for your requirements, refer to the Customer Edge Site Sizing Reference guide.
Important: The name of the VM must not contain a period (.). For example, the hostname can be node-0 or node0, but it cannot be node.f5.com, since that is not supported.
Step 1: Create new virtual machine.
In Azure console, navigate to the image you created in the previous section and click Create VM.
Figure: Create VM
Step 2: Configure new virtual machine.
- Enter a VM name.
- Ensure the correct region and availability zone are selected.
Figure: Configure VM
- From the Size menu, choose the instance type. This procedure uses Standard_DS4_v2 as an example.
Figure: Configure VM Size
- From the SSH public key source menu, assign the previously created SSH key pair.
- In the Username field, enter cloud-user as the default user for SSH login to the CE instance.
Figure: Configure VM SSH
- Click Next: Disk.
- From the OS disk size menu, select 128 GiB (P10). The minimum disk requirement is 80 GB. However, for Azure, this procedure uses the 128 GB option because no 80 GB option is available by default.
Step 3: Configure virtual machine networking.
- Click Next: Networking.
- Ensure the following parameters for the network interface configuration:
  - From the Virtual network menu, select the network.
  - From the Subnet menu, select the subnet for the external (SLO) interface.
  Important: You cannot create or assign the internal interface to the virtual machine in this step. It will be added in a later step.
- From the Public IP menu, select the IP address previously created.
- For the NIC network security group option, select Advanced. This option is needed so that you can select the network security group.
- From the Configure network security group menu, select the security group previously created.
- Select the Delete NIC when VM is deleted option.
Figure: Configure VM Networking
Step 4: Configure advanced settings.
- Click the Advanced tab to skip the management and monitoring configuration.
- In the Custom data field, paste the user data (cloud-config) shown below, which includes the site token. Copy it into an editor of your choice and replace <token> with the node token generated for this site.

#cloud-config
write_files:
- path: /etc/vpm/user_data
  content: |
    token: <token>
  owner: root
  permissions: '0644'
Figure: Configure VM User Data
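Because the token is a one-time secret and the cloud-config is indentation-sensitive, it is easy to paste something subtly wrong. The Python below is an added example written for this page (not F5's own tooling) that renders the Custom data from the guide's cloud-config, refuses to proceed while the <token> placeholder is still in place, enforces the VM-name rule from the Important note in this section (no period), and writes the result to a file readable only by the owner. The length and character-set limit on VM names and the assumption that a node token is a single line without whitespace are this example's own; the token value used in its comments is constructed.

```python
"""Render the Custom data (cloud-config) for a CE node and validate the inputs
this guide constrains. Added example for this page, not F5 tooling."""
import os
import re
import sys

# The guide's cloud-config, with {token} as the substitution point.
CLOUD_CONFIG = """#cloud-config
write_files:
- path: /etc/vpm/user_data
  content: |
    token: {token}
  owner: root
  permissions: '0644'
"""

# Assumption for this example: letters, digits and hyphens, 1-64 characters.
# The guide itself only states that a period in the name is not supported.
VM_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")


def validate_vm_name(name):
    """Return `name` unchanged, or raise ValueError if the CE would reject it."""
    if "." in name:
        raise ValueError("VM name %r contains a period; use a name like node-0" % name)
    if not VM_NAME_RE.match(name):
        raise ValueError("VM name %r has unsupported characters or length" % name)
    return name


def render_user_data(token):
    """Return the cloud-config text with the node token filled in.
    The token is opaque, but it must be one non-empty line with no whitespace so
    the YAML block scalar stays intact (an assumption of this example)."""
    token = token.strip()
    if not token or token == "<token>":
        raise ValueError("replace <token> with the value from Generate Node Token")
    if re.search(r"\s", token):
        raise ValueError("node token must not contain whitespace")
    return CLOUD_CONFIG.format(token=token)


def write_user_data(path, vm_name, token):
    """Validate the VM name, render the cloud-config and write it with mode 0600,
    since the file holds the one-time node token. Returns the number of
    characters written."""
    validate_vm_name(vm_name)
    text = render_user_data(token)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    return len(text)


if __name__ == "__main__":
    # usage: python ce_user_data.py <vm-name> <node-token> [output-file]
    out = sys.argv[3] if len(sys.argv) > 3 else "user_data.yaml"
    count = write_user_data(out, sys.argv[1], sys.argv[2])
    print("wrote %d characters to %s; paste its contents into Custom data" % (count, out))
```

Delete the generated file once the VM is created; the token expires after 24 hours and is not needed again.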
Step 5: Complete creation.
Click Review + create. After the validation process completes successfully, click Create.
Verify CE Site Registration
- In Distributed Cloud Console, navigate to Multi-Cloud Network Connect > Overview > Sites.
- Select the site. The Dashboard tab should clearly show that the CE Site has registered successfully, with System Health at 100% and both Data Plane and Control Plane up.
Figure: Confirm Site Health
Add Second Interface (SLI) to Node
Add the second interface to the CE Site for a dual-interface configuration. The second interface serves as the SLI.
Important: Adding a new network interface will cause the data plane services to restart. Therefore, it is strongly recommended to perform this operation during maintenance windows. As data plane services restart, traffic drops are expected, as well as tunnels going down.
When adding interfaces, make sure that the interfaces are added to each node in the cluster. Nodes with non-homogeneous interfaces within a CE Site might cause issues. Therefore, each node in a given CE Site should have the same number of interfaces placed in the same VRFs.
- In Azure portal, select your VM and click Stop.
- After the VM stops, click Network settings. Then click Attach network interface.
Figure: Add Second Interface
- Click Create and attach the network interface.
- Select the resource group previously created for this VM.
- In the Name field, enter a name for this second interface.
- In the Subnet field, select the internal subnet created earlier. Make sure to indicate that this is the internal interface, since the external interface was created previously.
Figure: Add Second Interface
- Click Create.
Figure: Second Interface
- After the second interface is attached to your VM, start the VM.
Note: Use the steps above to create and attach additional interfaces to this VM.
- After the site is back online, click Manage Configuration. Then, in the wizard, click Edit Configuration.
- Under the Interfaces subsection, click the pencil icon under Actions to edit. In the current release, additional interfaces, including the SLI interface, must be configured with a static IP address, which in this case must be the same as the address allocated by Azure.
Figure: Edit Interface
- Select Static IP as the IPv4 Interface Address Method.
- Enter the IPv4 address with prefix length. This must be the same as the address allocated by Azure.
- Click Apply.
Figure: Edit Interface
- Click Save and Exit.
- Verify the same information from the Distributed Cloud Console by navigating to Multi-Cloud Network Connect > Overview > Sites and selecting the site name. Select the Infrastructure tab and view the Interfaces table.
Figure: Verify Interface
Additional Settings for Application Traffic Flow to Work
For services like network connectivity, application connectivity, and delivery to work correctly, you need to enable additional settings for Azure CE nodes. You need to enable the IP forwarding setting on each NIC of the Azure CE node.
- In Azure portal, navigate to Network settings for the CE node.
- Click the NIC for the CE node.
Figure: Node NIC Settings
- Select Settings > IP configurations and enable the Enable IP forwarding checkbox.
Figure: Enable IP Forwarding
Troubleshooting
For troubleshooting issues, see the Troubleshooting Guide for Secure Mesh Site v2 Deployment guide. It provides step-by-step instructions to debug and resolve the issues that may arise due to registration and provisioning errors.