Deploy Secure Mesh Site v2 in Azure (ClickOps)
Objective
This guide provides instructions on how to create a customer edge (CE) site using F5® Distributed Cloud Console and Microsoft Azure Console and deploy to an Azure VNet. For more information, see F5® Distributed Cloud Site.
As part of the new site deployment workflow, you can deploy the CE site as a Secure Mesh Site to an Azure VNet.
Important: This guide does not provide instructions to deploy an F5® App Stack Site.
General Prerequisites
The following general prerequisites apply:
- A Distributed Cloud Services Account. If you do not have an account, see Create an Account.
- An account with Microsoft Azure. See Required Access Policies for the permissions needed to deploy a site.
- Resources required per node: minimum 4 vCPUs and 14 GB RAM. For a full listing of the resources required, see the Customer Edge Site Sizing Reference guide.
- F5 assumes that the resource group exists with a virtual network, including a minimum of two subnets: one for the Site Local Outside (SLO) and one for the Site Local Inside (SLI). The CE generally references the SLO interface as eth0 and the SLI interface as eth1. For three-node clusters, it is recommended to have three different subnets in three different availability zones.
- For a single-NIC deployment (ingress gateway), only a single subnet (SLO) is required.
- The new Secure Mesh Site workflow enables you to have up to eight interfaces. However, these interfaces should be in different subnets. Therefore, make sure you have the required subnets available before creating the CE Site nodes.
- Internet Control Message Protocol (ICMP) needs to be opened between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed for intra-cluster communication checks.
Important: After you deploy the CE Site, the IP address for the SLO interface cannot be changed. Also, the MAC address cannot be changed.
Configuration Overview
To create a Secure Mesh Site, here are the high-level steps:
- Site object creation: Configure the site within F5 Distributed Cloud Console.
- Node creation prerequisites: Create objects that will be associated to the nodes...
- Image management:
- Node management:
- Interface management: Add additional interfaces on the nodes, if necessary.
Procedure
This guide will show you how to create a single-node mesh site with dual interfaces (ingress/egress gateway). However, this guide will also incorporate the differences that you can follow to successfully deploy an Azure CE Site in any supported combination of nodes and interfaces.
Create Site Object
- Create a secure mesh site object in Distributed Cloud Console. Refer to the Create Secure Mesh Site guide.
- Set the Provider Name option to Azure.
Figure: Provider Type
Create Network Security Group
The CE site’s instance security is internally managed by the CE data path. Therefore, you must configure a Network Security Group with allow-all rules for both inbound and outbound traffic to be used with the site deployment.
Step 1: Navigate to security group creation page.
In Azure Console, navigate to the Network security groups service.
Figure: Network Security Groups
Step 2: Create and configure security group.
- Click Create.
- Assign the new security group to your resource group. This procedure uses f5xc-ce-resource-group as an example.
- Give the network security group an indicative name. In this procedure, it is f5-ce-external-network-security-group.
- Click Review + create.
- After you create the network security group, click on it to set up the inbound and outbound rules.
- Add an allow-all rule to the inbound security rules. The default outbound rules already allow Internet traffic, so there is no need to change anything.
Step 3: Verify rules created.
In the overview section for your network security group, you can see all the rules that have been created. Confirm the rules are as desired.
Figure: Network Security Groups
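The verification in Step 3 can also be done against an exported rule list instead of by eye. The following is an added example, not code from the F5 guide: it walks the rules of a security group in Azure priority order (lowest number wins) and reports whether inbound traffic is effectively allow-all and whether Internet-bound outbound traffic is allowed. The rule records are constructed samples whose field names are assumed to mirror Azure NSG rule JSON (name, priority, direction, access, protocol, sourceAddressPrefix, destinationAddressPrefix, destinationPortRange); the helper and function names are my own.

```python
"""Check an Azure NSG rule list for the allow-all posture a CE site needs.

Added example, not part of the F5 guide. Rule records are constructed to
mirror the assumed shape of Azure NSG rule JSON; priority works as in
Azure, where the lowest number is evaluated first.
"""

WILDCARD_DESTINATIONS = {"*", "Internet"}


def _rule(name, priority, direction, access, protocol="*", src="*", dst="*", dport="*"):
    """Build one rule record in the assumed JSON field layout."""
    return {"name": name, "priority": priority, "direction": direction, "access": access,
            "protocol": protocol, "sourceAddressPrefix": src,
            "destinationAddressPrefix": dst, "destinationPortRange": dport}


# Constructed sample: the guide's custom allow-all inbound rule plus Azure's
# default rules (the defaults already allow outbound Internet traffic).
SAMPLE_RULES = [
    _rule("allow-all-inbound", 100, "Inbound", "Allow"),
    _rule("AllowVnetInBound", 65000, "Inbound", "Allow", src="VirtualNetwork", dst="VirtualNetwork"),
    _rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", src="AzureLoadBalancer"),
    _rule("DenyAllInBound", 65500, "Inbound", "Deny"),
    _rule("AllowVnetOutBound", 65000, "Outbound", "Allow", src="VirtualNetwork", dst="VirtualNetwork"),
    _rule("AllowInternetOutBound", 65001, "Outbound", "Allow", dst="Internet"),
    _rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
]

# Same group with a narrow Deny that outranks the allow-all rule: the NSG is
# no longer allow-all, which the CE data path expects it to be.
SHADOWED_RULES = [_rule("deny-ssh", 50, "Inbound", "Deny", protocol="Tcp", dport="22")] + SAMPLE_RULES


def _in_priority_order(rules, direction):
    """Rules for one direction, sorted the way Azure evaluates them."""
    return sorted((r for r in rules if r["direction"] == direction), key=lambda r: r["priority"])


def _allows_everything(rule):
    """True for an Allow rule with wildcards in every match field."""
    return (rule["access"] == "Allow" and rule["protocol"] == "*"
            and rule["sourceAddressPrefix"] == "*" and rule["destinationAddressPrefix"] == "*"
            and rule["destinationPortRange"] == "*")


def effective_allow_all(rules, direction):
    """True when every flow in `direction` is allowed: an allow-all rule exists
    and no Deny rule of any scope has a lower priority number than it."""
    for rule in _in_priority_order(rules, direction):
        if rule["access"] == "Deny":
            return False
        if _allows_everything(rule):
            return True
    return False


def outbound_internet_allowed(rules):
    """True when Internet-bound traffic from any source is allowed before any
    Deny; Azure's default AllowInternetOutBound rule satisfies this."""
    for rule in _in_priority_order(rules, "Outbound"):
        if rule["access"] == "Deny":
            return False
        if (rule["access"] == "Allow" and rule["protocol"] == "*"
                and rule["sourceAddressPrefix"] == "*"
                and rule["destinationAddressPrefix"] in WILDCARD_DESTINATIONS
                and rule["destinationPortRange"] == "*"):
            return True
    return False


def nsg_findings(rules):
    """List what would break the CE site; an empty list means the NSG is ready."""
    findings = []
    if not effective_allow_all(rules, "Inbound"):
        findings.append("inbound: no allow-all rule, or a Deny rule outranks it")
    if not outbound_internet_allowed(rules):
        findings.append("outbound: Internet-bound traffic is not allowed")
    return findings


if __name__ == "__main__":
    for label, rules in (("sample", SAMPLE_RULES), ("shadowed", SHADOWED_RULES)):
        print(label, nsg_findings(rules) or "ok")
```

Feed it the rule list of the real group (for example, the JSON you export from the portal or CLI, after confirming the field names match) and treat any finding as a reason not to proceed to node creation; a narrow Deny placed above the allow-all rule is the typical way the "allow-all" requirement is silently violated.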
Create SSH Key Pair
You need to create a key pair for SSH login into the virtual machine for troubleshooting purposes.
Step 1: Navigate to SSH key creation page.
- In Azure Console, navigate to the SSH keys service.
- Click Create.
Step 2: Configure key pair.
- Verify the Subscription and Resource group are correctly selected.
- In the Key pair name field, enter a name.
- Click Review + create.
Figure: Create SSH Key Pairs
- After successful validation, click Create.
- Click Download private key and create resource to download the key pair locally to your machine, since the pair will not be saved in Azure. You will need the key pair to log into the CE Site node. The private key file is named f5xc-ce-ssh-keys.pem as an example.
Existing Resource Group Details
In this procedure, we are deploying dual interface single-node and multi-node CE sites. Therefore, we need two subnets: SLI (Site Local Inside) and SLO (Site Local Outside). Note that workload subnets are generally used but are not a requirement to deploy a CE site.
Note: Azure subnets are not zonal constructs, so the same subnets can be used for deploying nodes in different availability zones for a multi-node site.
Figure: Existing Virtual Networks
Create Public IP Address
In Azure Console, create a public IP address. You will need to create one public IP address for each node that is being deployed for the CE site. In other words, for a single-node CE Site, you will create one public IP and for a CE Site with high availability (HA), you will need to create three public IP addresses.
- Navigate to the Public IP addresses creation page and click Create.
Figure: Create Public IP
- Under Configuration details, in the Name field, enter a name for the Public IP.
- Leave the remaining options with their default values.
- Click Review + create.
- After validation passes, click Create.
- For a multi-node site, repeat the steps above to create public IP addresses for nodes two and three.
Create Node Image
Download the node image to instantiate a CE node.
Download the Node Image
Step 1: Download and unzip file.
- Navigate to Manage > Site Management > Secure Mesh Sites.
- For your site, click ... > Download Image. This action will start downloading the f5xc-ce-<version>.vhd.gz file onto your local machine.
Figure: Download Node Image
- After the download is complete, unzip the f5xc-ce-<version>.vhd.gz file.
Step 2: Upload file to Azure portal.
- In Azure portal, navigate to the Storage Accounts creation page.
- Click Create.
- Select your resource group and provide a name for your storage account. Leave all other settings at their defaults.
Figure: Upload Node Image
- Click Review + create.
- After validation passes, click Create.
- After the storage account is created, under Blob service, select Containers to upload the VHD file.
Figure: Upload Node Image
- If the container does not exist, create the container as f5xc-azure-ce-vhd. Upload the VHD file to the container.
Figure: Create Container
- Select the VHD file from your local device. Under Advanced Options, select the blob type as Page Blob.
Figure: Page Blob
- After the VHD file upload is complete, confirm the file appears as shown below.
Figure: Confirm Upload
Step 3: Create image using the VHD file uploaded.
- Navigate to the Images creation page and click Create.
- Select your resource group and provide a name for your image.
- Select the OS type as Linux.
- Browse to the VHD image just uploaded to provide the path to the storage blob location.
- Select Account type as Standard SSD.
Figure: Create Image Parameters
- Click Review + create.
- After the validation passes, click Create.
Generate Node Token
A one-time node token is required to register a CE Site node to the Distributed Cloud Console. A new token must be generated for every new node in a CE Site. A token is valid for 24 hours. Make sure that the CE node is deployed soon after the token is generated.
- In Distributed Cloud Console, select the Multi-Cloud Network Connect service.
- Navigate to Manage > Site Management > Secure Mesh Sites.
- For your site, click ... > Generate Node Token.
Figure: Node Token
- Click Copy.
- Save the value locally. This token will be used later. The token value is hidden for security purposes.
Figure: Copy Node Token
- Click Close.
Create Azure Virtual Machine
Create the instance virtual machine (VM). You can create a table with pre-filled parameters to help you configure the VM.
This procedure uses Standard_DS4_v2 as an example. To find the right size and requirements for your deployment, refer to the Customer Edge Site Sizing Reference guide.
Important: The name of the VM should not contain a period (.). For example, the hostname can be node-0 or node0, but it cannot be node.f5.com, since that is not supported.
Step 1: Create new virtual machine.
In Azure console, navigate to the image you created in the previous section and click Create VM.
Figure: Create VM
Step 2: Configure new virtual machine.
- Enter a VM name.
- Ensure the correct region and availability zone are selected.
Figure: Configure VM
- From the Size menu, choose the instance type. This procedure uses Standard_DS4_v2 as an example.
Figure: Configure VM Size
- From the SSH public key source menu, assign the previously created SSH key pair.
- In the Username field, enter cloud-user as the default user for SSH login into the CE instance.
Figure: Configure VM SSH
- Click Next: Disk.
- From the OS disk size menu, select 128 GiB (P10).
Step 3: Configure virtual machine networking.
- Click Next: Networking.
- Configure the network interface with the following parameters:
  - From the Virtual network menu, select the network.
  - From the Subnet menu, select the external (SLO) subnet.
Important: You cannot create/assign the internal interface to the virtual machine in this step. It will be added at a later step.
- From the Public IP menu, select the IP address previously created.
- For the NIC network security group option, select Advanced. This option is needed so that you can select the network security group.
- From the Configure network security group menu, select the security group previously created.
- Select the Delete NIC when VM is deleted option.
Figure: Configure VM Networking
Step 4: Configure advanced settings.
- Click the Advanced tab to skip the management and monitoring configuration.
- In the Custom data field, copy and paste the user data file information (which includes the site token). Copy the information below into an editor of your choice and replace the token value with the token corresponding to your specific site.

#cloud-config
write_files:
  - path: /etc/vpm/user_data
    content: |
      token: <token>
    owner: root
    permissions: '0644'
Figure: Configure VM User Data
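Because the custom data is pasted by hand, the usual mistakes are a leftover <token> placeholder, a token generated more than 24 hours earlier, the same token reused on a second node, or a VM name with a period in it. The following is an added example, not code from the F5 guide: it emits the #cloud-config document from this step with its indentation intact and runs those pre-checks before you paste. The function names, the sample token strings and the timestamps are constructed for the demonstration.

```python
"""Build and pre-check the cloud-init custom data for one CE node.

Added example, not part of the F5 guide. It reproduces the #cloud-config
document from the Custom data step and checks the constraints the guide
states in prose: the placeholder must be replaced, a token is valid for
24 hours, each node needs its own token, and the VM name must not contain
a dot. Names and sample values are my own.
"""
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(hours=24)

# Constructed timestamps: when the token was generated in Console, and two
# candidate deployment times (inside and outside the 24-hour window).
GENERATED_AT = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
WITHIN_WINDOW = GENERATED_AT + timedelta(hours=23)
AFTER_WINDOW = GENERATED_AT + timedelta(hours=30)


def build_custom_data(token):
    """Return the user-data document that writes /etc/vpm/user_data."""
    token = token.strip()
    if not token or token == "<token>":
        raise ValueError("replace <token> with the node token copied from Console")
    if any(ch.isspace() for ch in token):
        raise ValueError("token must not contain whitespace")
    return (
        "#cloud-config\n"
        "write_files:\n"
        "  - path: /etc/vpm/user_data\n"
        "    content: |\n"
        f"      token: {token}\n"
        "    owner: root\n"
        "    permissions: '0644'\n"
    )


def extract_token(custom_data):
    """Read the token back out of a generated document (round-trip check)."""
    for line in custom_data.splitlines():
        stripped = line.strip()
        if stripped.startswith("token:"):
            return stripped[len("token:"):].strip()
    raise ValueError("no token line found")


def vm_name_is_valid(name):
    """Per the guide: node-0 and node0 are fine, node.f5.com is not supported."""
    return bool(name) and "." not in name


def token_is_fresh(generated_at, now=None):
    """A node token is valid for 24 hours from the time it was generated."""
    now = now or datetime.now(timezone.utc)
    age = now - generated_at
    return timedelta(0) <= age < TOKEN_LIFETIME


def tokens_are_unique(node_tokens):
    """Every node in a site must register with its own generated token."""
    values = list(node_tokens.values())
    return len(set(values)) == len(values)


def preflight(vm_name, token, generated_at, now=None):
    """Collect everything that would make this VM fail to register."""
    findings = []
    if not vm_name_is_valid(vm_name):
        findings.append(f"VM name {vm_name!r} contains a period")
    if not token_is_fresh(generated_at, now):
        findings.append("node token is older than 24 hours; generate a new one")
    try:
        build_custom_data(token)
    except ValueError as err:
        findings.append(str(err))
    return findings


if __name__ == "__main__":
    print(build_custom_data("SAMPLE-TOKEN-node-0"))  # constructed token value
    print(preflight("node.f5.com", "<token>", GENERATED_AT, AFTER_WINDOW))
```

Paste the output of build_custom_data into the Custom data field only when preflight returns an empty list; for an HA site, run it once per node with that node's own token and confirm tokens_are_unique on the set before creating the second and third VMs.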
Step 5: Complete creation.
Click Review + create. After the validation process completes successfully, click Create.
Register CE Site
- In Distributed Cloud Console, navigate to Multi-Cloud Network Connect > Overview > Sites.
- Select the site. The Dashboard tab should clearly show that the CE Site has registered successfully, with a System Health of 100% and both Data Plane and Control Plane up.
Figure: Confirm Site Health
Add Second SLI Network Interface
Add the second interface to the CE Site.
Important: Adding a new network interface will cause the data plane services to restart. Therefore, it is strongly recommended to perform this operation during maintenance windows. As data plane services restart, traffic drops are expected, as well as tunnels going down.
When adding interfaces, it is important to make sure that the interfaces are added to each node in the cluster. Nodes with non-homogenous interfaces within a CE Site might cause issues. Therefore, each node in a given CE Site should have the same number of interfaces placed in the same VRFs.
- In Azure portal, select your VM and click Stop.
- After the VM stops, click Network settings. Then click Attach network interface.
Figure: Add Second Interface
- Click Create and attach the network interface.
- Select the resource group previously created for this VM.
- In the Name field, enter a new name for this second interface.
- In the Subnet field, select the internal subnet created earlier. Make sure to indicate that this is the internal interface, since the external interface was created previously.
Figure: Add Second Interface
- Click Create.
Figure: Second Interface
- After the second interface is attached to your VM, start the VM.
Note: Use the steps above to create and attach additional interfaces to this VM.
- Optionally, visually verify the same information from the Distributed Cloud Console by navigating to Multi-Cloud Network Connect > Overview > Sites and selecting the site name. Select the Infrastructure tab and view the Interfaces table.
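The interface rules in this section and in the prerequisites (at most eight interfaces per node, each in its own subnet, eth0 on the SLO subnet, and every node of a site carrying the same interfaces in the same VRFs) are easy to violate on the third node of an HA site when NICs are attached one VM at a time. The following is an added example, not code from the F5 guide, that validates a planned layout before the stop/attach/start cycle; the node records are constructed samples and the field names (subnet, vrf) are my own.

```python
"""Validate the interface layout of CE nodes before attaching NICs in Azure.

Added example, not part of the F5 guide. Checks the constraints the guide
states: at most eight interfaces per node, each interface in a different
subnet, eth0 on the SLO subnet, and every node in the site having the same
number of interfaces in the same VRFs. Records are constructed sample data.
"""
MAX_INTERFACES = 8

# Interface order matters: index 0 is what the CE sees as eth0.
SINGLE_NODE = {
    "node-0": [{"subnet": "slo-subnet", "vrf": "SLO"}, {"subnet": "sli-subnet", "vrf": "SLI"}],
}

# Three-node site where node-2 is about to be started without its SLI NIC.
INCOMPLETE_HA = {
    "node-0": [{"subnet": "slo-subnet", "vrf": "SLO"}, {"subnet": "sli-subnet", "vrf": "SLI"}],
    "node-1": [{"subnet": "slo-subnet", "vrf": "SLO"}, {"subnet": "sli-subnet", "vrf": "SLI"}],
    "node-2": [{"subnet": "slo-subnet", "vrf": "SLO"}],
}


def node_findings(name, interfaces):
    """Per-node problems: interface count, subnet reuse, and eth0 placement."""
    if not interfaces:
        return [f"{name}: no interfaces"]
    findings = []
    if len(interfaces) > MAX_INTERFACES:
        findings.append(f"{name}: {len(interfaces)} interfaces exceeds the limit of {MAX_INTERFACES}")
    subnets = [i["subnet"] for i in interfaces]
    if len(set(subnets)) != len(subnets):
        findings.append(f"{name}: two or more interfaces share a subnet")
    if interfaces[0]["vrf"] != "SLO":
        findings.append(f"{name}: eth0 must be the SLO interface")
    return findings


def layout(interfaces):
    """The VRF sequence of a node, used to compare nodes with each other."""
    return tuple(i["vrf"] for i in interfaces)


def site_findings(nodes):
    """Per-node findings plus the homogeneity check across the whole site."""
    findings = []
    for name, ifaces in nodes.items():
        findings.extend(node_findings(name, ifaces))
    layouts = {name: layout(ifaces) for name, ifaces in nodes.items()}
    if len(set(layouts.values())) > 1:
        detail = ", ".join(f"{n}={'/'.join(l) or '-'}" for n, l in layouts.items())
        findings.append("nodes are not homogeneous: " + detail)
    return findings


def with_interface(nodes, node, subnet, vrf):
    """Plan one more NIC on `node` and return the resulting layout (the
    original is left untouched so alternatives can be compared)."""
    updated = {n: list(i) for n, i in nodes.items()}
    updated[node] = updated[node] + [{"subnet": subnet, "vrf": vrf}]
    return updated


if __name__ == "__main__":
    print("single node:", site_findings(SINGLE_NODE) or "ok")
    print("incomplete HA:", site_findings(INCOMPLETE_HA))
    fixed = with_interface(INCOMPLETE_HA, "node-2", "sli-subnet", "SLI")
    print("after attaching SLI to node-2:", site_findings(fixed) or "ok")
```

Run site_findings over the intended final layout before stopping the first VM, so that the maintenance window covers every node and no node is started with a different interface set from its peers.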
Troubleshooting
For troubleshooting issues, see the Troubleshooting Guide for Secure Mesh Site v2 Deployment guide. It provides step-by-step instructions to debug and resolve the issues that may arise due to registration and provisioning errors.
Concepts
References