Deploy Secure Mesh Site v2 in Azure (ClickOps)

Published April 5, 2023 | Last modified December 12, 2024

Objective

This guide provides instructions on how to create a customer edge (CE) site in Microsoft Azure using the new Secure Mesh Site and Microsoft Azure Console. For more information on a CE Site, refer to F5 Distributed Cloud - Customer Edge.

Important: This guide does not provide instructions on how to deploy an F5® App Stack Site.

General Prerequisites

The following general prerequisites apply:

  • A Distributed Cloud Services Account. If you do not have an account, see Create an Account.

  • An account with Microsoft Azure. See Required Access Policies for permissions needed to deploy site.

  • Resources required per node: Minimum 4 vCPUs, 14 GB RAM, and 80 GB disk storage. For a full listing of the resources required, see the Customer Edge Site Sizing Reference guide. All the nodes in a given CE Site should have the same resources regarding the compute, memory, and disk storage. When deploying in cloud environments, these nodes should use the same instance flavor.

  • Allow traffic from and to the Distributed Cloud public IP addresses to your network and allowlist related domain names. See Firewall and Proxy Server Allowlist Reference guide for the list of IP addresses and domain names.

  • F5 assumes that the resource group exists with a virtual network, including a minimum of two subnets: one for the Site Local Outside (SLO) and one for the Site Local Inside (SLI). The CE generally references the SLO interface as eth0 and the SLI interface as eth1. For three-node clusters, it is recommended to have three different subnets in three different availability zones.

  • For a single-NIC deployment (ingress gateway), only a single subnet (SLO) is required.

  • The new Secure Mesh Site workflow enables you to have up to eight interfaces. However, these interfaces should be in different subnets. Therefore, make sure you have the required subnets available before creating the CE Site nodes.

  • Internet Control Message Protocol (ICMP) needs to be opened between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed to ensure intra-cluster communication checks.

Important: After you deploy the CE Site, the IP address for the SLO interface cannot be changed. Also, the MAC address cannot be changed.

Procedure

This guide will show you how to create a single-node mesh site with dual interfaces (ingress/egress gateway). However, this guide will also incorporate the differences that you can follow to successfully deploy an Azure CE Site in any supported combination of nodes and interfaces.

Create Site Object

  • Create a secure mesh site object in Distributed Cloud Console. Refer to the Create Secure Mesh Site guide.

  • Set the Provider Name option to Azure.

Figure: Provider Type

Figure: Provider Type

Create Network Security Group

The CE site’s instance security is internally managed by the CE data path. Therefore, you must configure a Network Security Group with allow-all rules for both inbound and outbound traffic to be used with the site deployment.

Step 1: Navigate to security group creation page.

In Azure Console, navigate to the Network security groups service.

Figure: Network Security Groups

Figure: Network Security Groups

Step 2: Create and configure security group.

  • Click Create.

  • Assign the new security group to your resource group. This procedure uses f5xc-ce-resource-group as an example.

  • Give the network security group an indicative name. In this procedure, it is f5-ce-external-network-security-group.

  • Click Review + create.

  • After you create the network security group, click on it to set up the inbound and outbound rules.

Figure: Network Security Group

Figure: Network Security Group

Step 3: Create inbound rules.

Make sure you add rules for the following:

  • Allowed SSH from the instance. Azure will figure out the public IP address that a user is configuring from and allows it. You can also use the custom option and enter your corporate public address space.
  • Allowed ICMP for troubleshooting.
  • Allowed TCP Port 65500 for the local UI on the CE.
  • For three-node clusters, ensure that traffic is allowed between the nodes.

Note: When creating load balancers to publish applications, you will need to add additional rules in your network security group to accept the traffic that comes to your virtual IP address (VIP).

Figure: Inbound Rules

Figure: Inbound Rules

Step 4: Create outbound rules.

Create an allow-all policy for egress traffic. This is the default configuration.

Figure: Outbound Rules

Figure: Outbound Rules

Step 5: Verify rules created.

In the overview section for your network security group, you can see all the rules that have been created. Confirm the rules are as desired.

Figure: Confirm Policy

Figure: Confirm Policy

Create SSH Key Pair

You need to create a key pair for SSH login into the virtual machine for troubleshooting purposes.

Step 1: Navigate to SSH key creation page.

  • In Azure Console, navigate to the SSH keys service.

  • Click Create.

Step 2: Configure key pair.

  • Verify the Subscription and Resource group are correctly selected.

  • In the Key pair name field, enter a name.

  • Click Review + create.

Figure: Create SSH Key Pairs

Figure: Create SSH Key Pairs

  • After successful validation, click Create.

  • Click Download private key and create resource to download the key pair locally to your machine since the pair will not be saved in Azure. You will need the key pair to log into the CE Site node. The private key pair file is named f5xc-ce-ssh-keys.pem as an example.

Existing Resource Group Details

In this procedure, we are deploying dual interface single-node and multi-node CE sites. Therefore, we need two subnets: SLI (Site Local Inside) and SLO (Site Local Outside). Note that workload subnets are generally used but are not a requirement to deploy a CE site.

Note: Azure subnets are not zonal constructs, so the same subnets can be used for deploying nodes in different availability zones for a multi-node site.

Figure: View Subnets

Figure: View Subnets

Create Public IP Address

In Azure Console, create a public IP address. You will need to create one public IP address for each node that is being deployed for the CE site. In other words, for a single-node CE Site, you will create one public IP and for a CE Site with high availability (HA), you will need to create three public IP addresses.

  • Navigate to the Public IP addresses creation page and click Create.
Figure: Create Public IP

Figure: Create Public IP

  • Under Configuration details, in the Name field, enter a name for the public IP.

  • Leave the remaining options with their default values.

  • Click Review + create.

  • After validation passes, click Create.

  • For a multi-node site, repeat the steps above to create public IP addresses for nodes two and three.

Generate Node Token

A one-time node token is required to register a CE Site node to the Distributed Cloud Console. A new token must be generated for every new node in a CE Site. A token is valid for 24 hours. Make sure that the CE node is deployed soon after the token is generated.

  • In Distributed Cloud Console, select the Multi-Cloud Network Connect service.

  • Navigate to Manage > Site Management > Secure Mesh Sites v2.

  • For your site, click ... > Generate Node Token.

Figure: Node Token

Figure: Node Token

  • Click Copy.

  • Save the value locally. This token will be used later. The token value is hidden for security purposes.

Figure: Copy Node Token

Figure: Copy Node Token

  • Click Close.

  • Generate one token per node you intend to deploy.

Create Azure Virtual Machine

Create the instance virtual machine (VM) using the parameters previously created.

This section guides you through the procedure to deploy directly from Azure Marketplace using an image. But, in case you want to use a local image to create the VMs, Distributed Cloud also provides an option to download the image file so that you can upload it to your Azure account. See the Download and Create Node Image (Optional).

This procedure uses Standard_B4ms as an example. To find your right size and requirements, refer to the Customer Edge Site Sizing Reference guide.

Important: The name of the VM should not have . in it. For example, the hostname can be node-0 or node0, but it cannot be node.f5.com since it is not supported. If configuring a multi-node site, each node hostname must be unique.

Step 1: Create new virtual machine.

  • In Distributed Cloud Console, select the Multi-Cloud Network Connect service.

  • Navigate to Manage > Site Management > Secure Mesh Sites v2.

  • For your site, click ... > Launch Instance. This action will open the CE image listing on Azure Marketplace in a new browser tab.

Figure: Launch Instance VM

Figure: Launch Instance VM

  • Click Create to launch a new CE virtual machine.
Figure: Create Instance VM - Azure Marketplace

Figure: Create Instance VM - Azure Marketplace

Step 2: Configure new virtual machine.

  • Enter a VM name.

  • Ensure the correct region and availability zone are selected.

Figure: Configure VM

Figure: Configure VM

  • From the Size menu, choose the instance type. This procedure uses Standard_B4ms as an example.
Figure: Configure VM Size

Figure: Configure VM Size

  • From the SSH public key source menu, assign the previously created SSH key pair.

  • In the Username field, enter cloud-user as the default user to SSH log into the CE instance.

Figure: Configure VM SSH

Figure: Configure VM SSH

  • Click Next:Disk.

  • From the OS disk size menu, select 128 GiB (P10). The minimum disk requirement is 80 GB. However, for Azure, we are using the 128 GB option as there is no 80 GB option available by default.

Step 3: Configure virtual machine networking.

  • Click Next: Networking.

  • Ensure the following parameters for network interface configuration:

    • From the Virtual network menu, select the network.
    • From the Subnet menu, select the external interface.

Important: You cannot create/assign the internal interface to the virtual machine in this step. It will be added at a later step.

  • From the Public IP menu, select the IP address previously created.

  • For the NIC network security group option, select Advanced. This option is needed so that you can select the network security group.

  • From the Configure network security group menu, select the security group previously created.

  • Select the Delete NIC when VM is deleted option.

Figure: Configure VM Networking

Figure: Configure VM Networking

Step 4: Configure advanced settings.

  • Click the Advanced tab to skip the management and monitoring configuration.

  • In the Custom data field, paste the cloud-init information (which includes the site token) copied from the Generate Node Token section.

Figure: Configure VM User Data

Figure: Configure VM User Data

Step 5: Complete creation.

Click Review + create. After validation process completes successfully, click Create.

Download and Create Node Image (Optional)

The CE VM can be directly created from the images listed on Azure Marketplace. But, in case you want to use a local image to create the VMs, Distributed Cloud Console also provides an option to download the image file so that you can upload it to your Azure account. This can be useful if you are deploying in a government cloud, where the community images are not supported.

Step 1: Download and unzip file.

  • Navigate to Manage > Site Management > Secure Mesh Sites v2.

  • For your site, click ... > Download Image. This action will start downloading the f5xc-ce-<version>.vhd.gz file onto your local machine.

Figure: Download Node Image

Figure: Download Node Image

  • After the download is complete, unzip the f5xc-ce-<version>.vhd.gz file.
Step 2: Upload file to Azure portal.

  • In Azure portal, navigate to the Storage Accounts creation page.

  • Click Create.

  • Select your resource group and provide a name for your storage account. Leave all other default settings.

Figure: Upload Node Image

Figure: Upload Node Image

  • Click Review + create.

  • After validation passes, click Create.

  • After the storage account is created, click Upload to upload VHD file. Select the file from your local device.

  • If the container does not exist, create the container as f5xc-azure-ce. Upload the VHD file to the container.

  • Under Advanced Options, select blob type as Page Blob.

Figure: Page Blob

Figure: Page Blob

  • After the VHD file upload is complete, confirm the file appears as shown below.
Figure: Confirm Upload

Figure: Confirm Upload

Step 3: Create image using the VHD file uploaded.

  • Navigate to the Images creation page and click Create.

  • Select your resource group and provide a name for your image.

  • Select the OS type as Linux.

  • Browse to the VHD image just uploaded to provide the path to the storage blob location.

  • Select Account type as Standard SSD.

Figure: Create Image Parameters

Figure: Create Image Parameters

  • Click Review + create.

  • After the validation passes, click Create.

Verify CE Site Registration

  • In Distributed Cloud Console, navigate to Multi-Cloud Network Connect > Overview > Infrastructure > Sites.

  • Select the site. The Dashboard tab should clearly show that the CE Site has registered successfully with the System Health of 100% as well as Data Plane/Control Plane both being up.

Figure: Confirm Site Health

Figure: Confirm Site Health

Note: For more information on the site registration process, see the Customer Edge Registration and Upgrade Reference guide.

Add Second Interface (SLI) to Node

Add the second interface to the CE Site for a dual interface configuration. The second interface is as an SLI.

Important: Adding a new network interface will cause the data plane services to restart. Therefore, it is strongly recommended to perform this operation during maintenance windows. As data plane services restart, traffic drops are expected, as well as tunnels going down. All nodes in a given CE site should have the same number of network interfaces attached. Each node in the CE site should have interfaces with the same VRFs assigned. For example: If a CE site has three nodes, each node having two interfaces - the first interface on each node will be auto-configured to be in the SLO VRF (to connect to F5 Distributed Cloud). If the second interface on node-1 is in the SLI VRF, then the second interface on node-2 and node-3 should also be in the SLI VRF.

When adding interfaces, it is important to make sure that the interfaces are added to each node in the cluster. Nodes with non-homogenous interfaces within a CE Site might cause issues. Therefore, each node in a given CE Site should have the same number of interfaces placed in the same VRFs.

  • In Azure portal, select your VM and click Stop.

  • After the VM stops, click Network settings. Then click Attach network interface.

Figure: Add Second Interface

Figure: Add Second Interface

  • Click Create and attach the network interface.

  • Select the resource group previously created for this VM.

  • In the Name field, enter a new name for this second interface.

  • In the Subnet field, select the internal subnet created earlier. Make sure to reference that this is an internal interface since the external interface was previously created.

Figure: Add Second Interface

Figure: Add Second Interface

  • Click Create.
Figure: Second Interface

Figure: Second Interface

  • After the second interface is attached to your VM, start the VM.

Note: Use the steps above to create and attach additional interfaces to this VM.

  • After the site is back online, click Manage Configuration. Then, in the wizard, click Edit Configuration.

  • Under the Interfaces subsection, click the pencil icon under Actions to edit. In the current release, additional interfaces, including SLI interface, need to be configured with a static IP address which in this case must be same as that allocated by Azure.

Figure: Edit Interface

Figure: Edit Interface

  • Select Static IP as the IPv4 Interface Address Method.

  • Enter the IPv4 address with prefix length. This must be same as that allocated by Azure.

  • Click Apply.

Figure: Edit Interface

Figure: Edit Interface

  • Click Save and Exit.

  • Visually verify the same information from the Distributed Cloud Console by navigating to Multi-Cloud Network Connect > Overview > Sites and selecting the site name. Select the Infrastructure tab and view the Interfaces table.

Figure: Verify Interface

Figure: Verify Interface

Additional Settings for Application Traffic Flow to Work

For services like network connectivity, application connectivity, and delivery to work correctly, you need to enable additional settings for Azure CE nodes. You need to enable the IP forwarding setting on each NIC of the Azure CE node.

  • In Azure portal, navigate to Network settings for the CE node.

  • Click the NIC for the CE node.

Figure: Node NIC Settings

Figure: Node NIC Settings

Select Settings > IP configurations and enable the Enable IP forwarding checkbox.

Figure: Enable IP Forwarding

Figure: Enable IP Forwarding

Troubleshooting

For troubleshooting issues, see the Troubleshooting Guide for Secure Mesh Site v2 Deployment guide. It provides step-by-step instructions to debug and resolve the issues that may arise due to registration and provisioning errors.

Concepts

References

On this page: