Deploy Secure Mesh Site v2 in Equinix (ClickOps)

Objective

This guide provides instructions on how to create a Customer Edge (CE) Site using the F5® Distributed Cloud Console for Equinix Network Edge.

Important: This guide does not provide instructions on how to deploy an F5® App Stack Site.

---

Planning

Read the following documents before deploying a Secure Mesh Site in any provider environment:

• Understanding F5 Distributed Cloud - Customer Edge (CE)
• CE Datasheet
• CE Supported Platforms Guide
• Customer Edge Site Sizing Reference
• CE Performance Guide: Contact your account representative on CE performance-related information.
• Proxy for CE Registration and Upgrades Reference
• Secure Mesh Sites v2 Frequently Asked Questions
• Customer Edge Registration and Upgrade Reference
• F5 Customer Edge IP Address and Domain Reference for Firewall or Proxy Settings

---

General Prerequisites

The following general prerequisites apply:

• A Distributed Cloud Services Account. If you do not have an account, see Getting Started with Console.

• Resources required per node: Minimum 8 vCPUs, 32 GB RAM, and 80 GB disk storage. For a full listing of the resources required, see the Customer Edge Site Sizing Reference guide. All the nodes in a given CE Site should have the same resources regarding the compute, memory, and disk storage. When deploying in cloud environments, these nodes should use the same instance flavor.

• Customer Edge (CE) deployments require connectivity to F5 Distributed Cloud. See the F5 Customer Edge IP Address and Domain Reference for Firewall or Proxy Settings guide for the list of IP addresses and domain names that need to be allowed.

• F5 assumes that an existing IPv4 subnet exists with Internet connectivity to attach to the node.

• The new Secure Mesh Site workflow enables you to have up to eight interfaces. However, these interfaces should be in different subnets. Therefore, make sure you have the required subnets available before creating the CE Site nodes.

• If you are deploying the CE site with High Availability (HA) enabled, Internet Control Message Protocol (ICMP) must be opened between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed to ensure intra-cluster communication checks.

Important: After you deploy the CE Site, the IP address for the SLO interface cannot be changed. Also, the MAC address cannot be changed.

---

Configuration Overview

To create a Secure Mesh Site with Equinix, here are the high-level steps:

• Site object configuration: Create and configure a Secure Mesh Site object using F5 Distributed Cloud Console.
• Image management: The CE node image as it is already available on Equinix portal and can be used directly from there to deploy CE nodes. Each CE node is a virtual machine (VM).

Important: The first interface of a CE node must be mapped to the Site-Local Outside (SLO) VRF which should allow connectivity to the F5 Distributed Cloud.

Setting up VIPs on the SLO interface is not supported.

---

Procedure

In this guide, the procedure demonstrates the steps to deploy a single-node site.

Create Site Object

• Create a secure mesh site object in Distributed Cloud Console. Refer to the Create Secure Mesh Site v2 guide.

• Set the Provider Name option to Equinix.

• For High Availability, choose an option. If it is Disabled, then the CE Site only supports one node. If it is Enabled, the CE Site requires three nodes. Additional nodes can only be added to CE sites when HA is Enabled.

Important: The High Availability mode cannot be changed after the CE Site is created.

Note: On the Equinix portal for high availability, you must create three separate nodes in the same metro location.

• Leave the other options with default values. These options have intelligent default values and do not need further configuration. Refer to the Create Secure Mesh Site v2 guide for more information on these options.

• Expand the Site Management section.

• Under Public SSH key, enter your public key.

• Under Admin Password, click Configure. Configure your admin password settings, and then click Apply.

• Click Add Secure Mesh Site.

Generate Node Token

A one-time node token is required to register a CE Site node to the Distributed Cloud Console. A new token must be generated for every new node in a CE Site. A token is valid for 24 hours. Make sure that the CE node is deployed soon after the token is generated.

The token is included in the cloud-init information under the Content variable.

• In Distributed Cloud Console, select the Multi-Cloud Network Connect workspace.

• Navigate to Manage > Site Management > Secure Mesh Sites v2.

• For your site, click ... > Generate Node Token.

• Click Copy Token.

• Save the value locally. This token is used later. The token value is hidden for security purposes.

• Click Close.

• Generate one token per node you intend to deploy.

Note: There is no need to download the CE node image as it is already available on Equinix portal.

Create Equinix Network Edge Site

Step 1: Launch VM instance.

• To open the Equinix portal, click ... > Launch Instance. Afterward, you are redirected to the Equinix Network Edge Portal. This requires you to have an active account on the Equinix portal and a valid contract to create Network Edge devices. After authentication, you are redirected to add a new Network Edge Device.

Figure: Launch Instance

• Click Network Edge > Create Virtual Device.

Figure: Equinix Network Edge Portal

Step 2: Create VM instance.

• Navigate to the F5 Networks card and click Select and Continue.

Figure: Select and Continue

• Click Begin Creating Edge Devices.

Figure: Begin Creating Device

• Under the Select Edge Device Location section, select the location where you want the CE deployed.

Important: For a three-node cluster, you must create three (3) single devices within the same location.

The name of the VM should not have "." in it. For example, the hostname can be node-0 or node0, but it cannot be node.f5.com since it is not supported. Your node VM name must adhere to DNS-1035 label requirements. This means the name must consist of lower case alphanumeric characters or “-“, start with an alphabetic character, and end with an alphanumeric character.

If configuring a multi-node Site, each node hostname must be unique.

After you configure the SLO interface with a static IP address, DHCP will still be displayed in the Console. However, your static IP configuration is well taken into account. Also, remember that you cannot modify SLO parameters once the node is registered and deployed.

Figure: Select Location for Device

Step 3: Configure billing.

In the Select Billing Account section, select a billing account from the Your accounts in this metro drop-down menu.

Important: Metro selection is linked to your billing account country. For example, if you select Sydney for the deployment metro, you must have a billing account in Australia. If you need to deploy the CE Site to a different metro, such as Tokyo, you must create a billing account in Japan. If you do not have a billing account for the selected metro, a message is displayed, with an option to navigate to the Account Management page, where you can create a new billing account. Without selecting an account, you cannot create your device. For more information, see Billing Account Management in the Equinix product documentation.

Figure: Select Billing Account

Step 4: Configure device details.

• Click Next: Device Details. Under Device Details, the Licensing option is set to Bring Your Own License.

• In the Device Resources section, select the desired core and memory options from the following:

  • Medium: 8 vCPUs and 32 GB RAM​
  • Large: 16 vCPUs and 64 GB RAM

• For the Software Package option, ensure Standard is selected.

• For the Software Version option, ensure the software version is set.

Figure: Device Details

• In the Device Details section, configure the following fields:

  • Device Name: The device name that is used to identify it in the portal.
  • Primary Hostname: The host name for the device.
  • Node Token: Enter the previously copied node token generated in F5 Distributed Cloud Console.

• In the Interfaces section, keep the default number of interfaces available on the VNF (8 Interfaces).

• In the Device Status Notifications section, enter the email addresses that should receive email notifications regarding device status.

• In the Optional Details section, enter the Purchase Order Number and Order (Optional).

• In the Term Length drop-down menu, select a term length. The corresponding Pricing Overview is displayed.

Figure: Device Details Continued

Step 5: Configure additional services.

• Click Next: Additional Services.

Figure: Additional Services

• Under Access Control List Templates, create a new security list or use an existing list. F5 strongly recommends that for egress traffic you allow only SSH access (TCP 22) for restricted IP addresses for management.

Note: Since exposing the VIPs on the SLO interface to the public Internet is not supported, then there is no need to allow any other ports for externally incoming traffic.

Figure: Inbound Rules

• Under Default and Additional Bandwidth, enter the amount of bandwidth required in addition to the included 15 Mbps. F5 recommends you increase the bandwidth an additional minimum of 100 Mbps for the initial deployment. This amount can be adjusted after deployment.

Figure: Additional Bandwidth

Step 6: Review details and complete instance creation.

• Click Next: Review.

• Review the details displayed.

Figure: Review Details

Figure: Review Details

• Click Create Virtual Device. Your request is submitted. The provisioning page displays. After the device is provisioned, the new device displays in the inventory list.

Figure: Device Provisioned

• Navigate to Network Edge > Virtual Device Inventory.

Figure: Device Inventory

Verify CE Site Registration

• In Distributed Cloud Console, navigate to Multi-Cloud Network Connect > Overview > Infrastructure > Sites.

• Select the site. The Dashboard tab should clearly show that the CE Site has registered successfully with the System Health of 100% as well as Data Plane/Control Plane both being up.

• Select the Infrastructure tab and view the Interfaces table.

Note: For more information on the site registration process, see the Customer Edge Registration and Upgrade Reference guide.

---

Day 2 Operations

• To monitor your Site, see the Monitor Site guide.
• To manage your Site software and OS updates, see the Manage Site guide.
• For troubleshooting issues, see the Troubleshooting Guide for Secure Mesh Site v2 Deployment guide. It provides step-by-step instructions to debug and resolve the issues that may arise due to registration and provisioning errors.
• For the latest on Distributed Cloud Services releases, see Changelogs.

Related Guides

To create a load balancer on the CE Site, see the HTTP Load Balancer or the TCP Load Balancer guides.

---

Concepts

• System Overview
• Core Concepts
• Networking
• F5 Distributed Cloud - Customer Edge

---