Deploy Secure Mesh Site v2 in Azure (ClickOps)

Objective

This guide provides instructions on how to create a customer edge (CE) site using F5® Distributed Cloud Console and Microsoft Azure Console and deploy to an Azure VNet. For more information, see F5® Distributed Cloud Site.

As part of the new site deployment workflow, you can deploy the CE site as a Secure Mesh Site to an Azure VNet.

Important: This guide does not provide instructions to deploy an F5® App Stack Site.

General Prerequisites

The following general prerequisites apply:

A Distributed Cloud Services Account. If you do not have an account, see Create an Account.
An account with Microsoft Azure. See Required Access Policies for permissions needed to deploy site.
Resources required per node: Minimum 4 vCPUs and 14 GB RAM. For a full listing of the resources required, see the Customer Edge Site Sizing Reference guide.
F5 assumes that the resource group exists with a virtual network, including a minimum of two subnets: one for the Site Local Outside (SLO) and one for the Site Local Inside (SLI). The CE generally references the SLO interface as eth0 and the SLI interface as eth1. For three-node clusters, it is recommended to have three different subnets in three different availability zones.
For a single-NIC deployment (ingress gateway), only a single subnet (SLO) is required.
The new Secure Mesh Site workflow enables you to have up to eight interfaces. However, these interfaces should be in different subnets. Therefore, make sure you have the required subnets available before creating the CE Site nodes.
Internet Control Message Protocol (ICMP) needs to be opened between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed to ensure intra-cluster communication checks.

Important: After you deploy the CE Site, the IP address for the SLO interface cannot be changed. Also, the MAC address cannot be changed.

Configuration Overview

To create a Secure Mesh Site, here are the high-level steps:

Site object creation: Configure the site within F5 Distributed Cloud Console.
Node creation prerequisites: Create objects that will be associated to the nodes...
Image management:
Node management:
Interface management: Add additional interfaces on the nodes, if necessary.

Procedure

This guide will show you how to create a single-node mesh site with dual interfaces (ingress/egress gateway). However, this guide will also incorporate the differences that you can follow to successfully deploy an Azure CE Site in any supported combination of nodes and interfaces.

Create Site Object

Create a secure mesh site object in Distributed Cloud Console. Refer to the Create Secure Mesh Site guide.
Set the Provider Name option to Azure.

Figure: Provider Type

Create Network Security Group

The CE site’s instance security is internally managed by the CE data path. Therefore, you must configure a Network Security Group with allow-all rules for both inbound and outbound traffic to be used with the site deployment.

Step 1: Navigate to security group creation page.

In Azure Console, navigate to the Network security groups service.

Figure: Network Security Groups

Step 2: Create and configure security group.

Click Create.
Assign the new security group to your resource group. This procedure uses f5xc-ce-resource-group as an example.
Give the network security group an indicative name. In this procedure, it is f5-ce-external-network-security-group.
Click Review + create.
After you create the network security group, click on it to set up the inbound and outbound rules.
Add an allow-all rule to the inbound security rules. The default outbound rules already allow Internet traffic, so there is no need to change anything.

Step 3: Verify rules created.

In the overview section for your network security group, you can see all the rules that have been created. Confirm the rules are as desired.

Figure: Network Security Groups

Create SSH Key Pair

You need to create a key pair for SSH login into the virtual machine for troubleshooting purposes.

Step 1: Navigate to SSH key creation page.

In Azure Console, navigate to the SSH keys service.
Click Create.

Step 2: Configure key pair.

Verify the Subscription and Resource group are correctly selected.
In the Key pair name field, enter a name.
Click Review + create.

Figure: Create SSH Key Pairs

After successful validation, click Create.
Click Download private key and create resource to download the key pair locally to your machine since the pair will not be saved in Azure. You will need the key pair to log into the CE Site node. The private key pair file is named f5xc-ce-ssh-keys.pem as an example.

Existing Resource Group Details

In this procedure, we are deploying dual interface single-node and multi-node CE sites. Therefore, we need two subnets: SLI (Site Local Inside) and SLO (Site Local Outside). Note that workload subnets are generally used but are not a requirement to deploy a CE site.

Note: Azure subnets are not zonal constructs, so the same subnets can be used for deploying nodes in different availability zones for a multi-node site.

Figure: Existing Virtual Networks

Create Public IP Address

In Azure Console, create a public IP address. You will need to create one public IP address for each node that is being deployed for the CE site. In other words, for a single-node CE Site, you will create one public IP and for a CE Site with high availability (HA), you will need to create three public IP addresses.

Navigate to the Public IP addresses creation page and click Create.

Figure: Create Public IP

Under Configuration details, in the Name field, enter a name for the Public IP.
Leave the remaining options with their default values.
Click Review + create.
After validation passes, click Create.
For a multi-node site, repeat the steps above to public IP addresses for nodes two and three.

Create Node Image

Download the node image to instantiate a CE node.

Download the Node Image

Step 1: Download and unzip file.

Navigate to Manage > Site Management > Secure Mesh Sites.
For your site, click ... > Download Image. This action will start downloading the f5xc-ce-<version>.vhd.gz file onto your local machine.

Figure: Download Node Image

After the download is complete, unzip the f5xc-ce-<version>.vhd.gz file.

Step 2: Upload file to Azure portal.

In Azure portal, navigate to the Storage Accounts creation page.
Click Create.
Select your resource group and provide a name for your storage account. Leave all other default settings.

Figure: Upload Node Image

Click Review + create.
After validation passes, click Create.
After the storage account is created, under Blob service, select containers to upload VHD file.

Figure: Upload Node Image

If the container does not exist, create the container as f5xc-azure-ce-vhd. Upload the VHD file to the container.

Figure: Create Container

Select the VHD file from local device. Under Advanced Options, select blob type as Page Blob.

Figure: Page Blob

After the VHD file upload is complete, confirm the file appears as shown below.

Figure: Confirm Upload

Step 3: Create image using the VHD file uploaded.

Navigate to the Images creation page and click Create.
Select your resource group and provide a name for your image.
Select the OS type as Linux.
Browse to the VHD image just uploaded to provide the path to the storage blob location.
Select Account type as Standard SSD.

Figure: Create Image Parameters

Click Review + create.
After the validation passes, click Create.

Generate Node Token

A one-time node token is required to register a CE Site node to the Distributed Cloud Console. A new token must be generated for every new node in a CE Site. A token is valid for 24 hours. Make sure that the CE node is deployed soon after the token is generated.

In Distributed Cloud Console, select the Multi-Cloud Network Connect service.
Navigate to Manage > Site Management > Secure Mesh Sites.
For your site, click ... > Generate Node Token.

Figure: Node Token

Click Copy.
Save the value locally. This token will be used later. The token value is hidden for security purposes.

Figure: Copy Node Token

Click Close.

Create Azure Virtual Machine

Create the instance virtual machine (VM). You can create a table with pre-filled parameters to help you configure the VM.

This procedure uses Standard_DS4_v2 as an example. To find your right size and requirements, refer to the Customer Edge Site Sizing Reference guide.

Important: The name of the VM should not have . in it. For example, the hostname can be node-0 or node0, but it cannot be node.f5.com since it is not supported.

Step 1: Create new virtual machine.

In Azure console, navigate to the image you created in the previous section and click Create VM.

Figure: Create VM

Step 2: Configure new virtual machine.

Enter a VM name.
Ensure the correct region and availability zone are selected.

Figure: Configure VM

From the Size menu, choose the instance type. This procedure uses Standard_DS4_v2 as an example.

Figure: Configure VM Size

From the SSH public key source menu, assign the previously created SSH key pair.
In the Username field, enter cloud-user as the default user to SSH log into the CE instance.

Figure: Configure VM SSH

Click Next:Disk.
From the OS disk size menu, select 128 GiB (P10).

Step 3: Configure virtual machine networking.

Click Next: Networking.
Ensure the following parameters for network interface configuration:
- From the Virtual network menu, select the network.
- From the Subnet menu, select the external interface.

Important: You cannot create/assign the internal interface to the virtual machine in this step. It will be added at a later step.

From the Public IP menu, select the IP address previously created.
For the NIC network security group option, select Advanced. This option is needed so that you can select the network security group.
From the Configure network security group menu, select the security group previously created.
Select the Delete NIC when VM is deleted option.

Figure: Configure VM Networking

Step 4: Configure advanced settings.

Click the Advanced tab to skip the management and monitoring configuration.
In the Custom data field, copy and paste the user data file information (which includes the site token). Copy the information below into an editor of your choice and replace the token value with the token corresponding to your specific site.

#cloud-config
write_files:
- path: /etc/vpm/user_data
  content: |
    token: <token>
  owner: root
  permissions: '0644'

Copied!

Figure: Configure VM User Data

Step 5: Complete creation.

Click Review + create. After validation process completes successfully, click Create.

Register CE Site

In Distributed Cloud Console, navigate to Multi-Cloud Network Connect > Overview > Sites.
Select the site. The Dashboard tab should clearly show that the CE Site has registered successfully with the System Health of 100% as well as Data Plane/Control Plane both being up.

Figure: Confirm Site Health

Add Second SLI Network Interface

Add the second interface to the CE Site.

Important: Adding a new network interface will cause the data plane services to restart. Therefore, it is strongly recommended to perform this operation during maintenance windows. As data plane services restart, traffic drops are expected, as well as tunnels going down.

When adding interfaces, it is important to make sure that the interfaces are added to each node in the cluster. Nodes with non-homogenous interfaces within a CE Site might cause issues. Therefore, each node in a given CE Site should have the same number of interfaces placed in the same VRFs.

In Azure portal, select your VM and click Stop.
After the VM stops, click Network settings. Then click Attach network interface.

Figure: Add Second Interface

Click Create and attach the network interface.
Select the resource group previously created for this VM.
In the Name field, enter a new name for this second interface.
In the Subnet field, select the internal subnet created earlier. Make sure to reference that this is an internal interface since the external interface was previously created.