Deploy Secure Mesh Site v2 in GCP (ClickOps)
Objective
This guide provides instructions on how to create a customer edge (CE) site using F5® Distributed Cloud Console and Google Cloud Platform (GCP) Console and deploy to a GCP virtual private cloud (VPC). For more information on a CE Site, refer to F5 Distributed Cloud - Customer Edge.
As part of the new site deployment workflow, you can deploy the CE site as a Secure Mesh Site to a GCP VPC.
Important: This guide does not provide instructions on how to deploy an F5® App Stack Site.
Planning
Read the following documents before deploying a Secure Mesh Site in any provider environment:
- Understanding F5 Distributed Cloud - Customer Edge (CE)
- CE Datasheet
- CE Supported Platforms Guide
- Customer Edge Site Sizing Reference
- CE Performance Guide: Contact your account representative on CE performance-related information.
- Proxy for CE Registration and Upgrades Reference
- Secure Mesh Sites v2 Frequently Asked Questions
- Customer Edge Registration and Upgrade Reference
- F5 Customer Edge IP Address and Domain Reference for Firewall or Proxy Settings
General Prerequisites
The following general prerequisites apply:
-
A Distributed Cloud Services Account. If you do not have an account, see Getting Started with Console.
-
An account with GCP with permissions to create objects in Compute Engine, VPC Networks, Network Services, and Cloud Storage services. See Policies and Permissions Reference for permissions needed to deploy site.
-
A GCP Storage Bucket where the CE image file can be uploaded.
-
Resources required per node: Minimum 8 vCPUs, 32 GB RAM, and 80 GB disk storage. For a full listing of the resources required, see the Customer Edge Site Sizing Reference guide. All the nodes in a given CE Site should have the same resources regarding the compute, memory, and disk storage. When deploying in cloud environments, these nodes should use the same instance flavor.
-
Allow traffic from and to the Distributed Cloud public IP addresses to your network and allowlist related domain names. See F5 Customer Edge IP Address and Domain Reference for Firewall or Proxy Settings guide for the list of IP addresses and domain names.
-
The new Secure Mesh Site workflow enables you to have up to eight (8) interfaces. However, these interfaces should be in different VPCs. Therefore, make sure you have the required VPC with subnets with non-overlapping CIDRs available before creating the CE Site nodes.
-
Internet Control Message Protocol (ICMP) needs to be opened between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed to ensure intra-cluster communication checks.
Important: After you deploy the CE Site, the IP address for the SLO interface cannot be changed. Also, the MAC address cannot be changed.
IAM Required Roles
To perform the steps provided in this guide and launch a CE instance on GCP, you must be part of the Service Account that has the following roles:
- roles/config.agent
- roles/compute.admin
- roles/iam.serviceAccountUser
You must also have the following roles:
- Editor
- ComputeInstanceAdmin(v1)
Configuration Overview
To create a Secure Mesh Site, here are the high-level steps:
- Site object creation: Configure the site within F5 Distributed Cloud Console.
- Node creation prerequisites: Create objects that will be associated to the nodes (VM instances) including image download and token generation from Distributed Cloud Console, and VM image, VPCs, subnets, firewall rules, external IP addresses, and more on GCP.
- Node management: Create the VM instances for the CE Site nodes.
- Interface management: Add additional interfaces on the nodes, if necessary.
Procedure
In this guide, the procedure demonstrates the steps to deploy a single-node secure mesh site with dual interfaces. However, this guide will also explain the necessary deviations from this specific model where necessary, making it flexible to adjust to different node and interface requirements.
Create Site Object
The steps below show the minimum required configurations for creating a GCP Site. To understand the complete set of configuration options, refer to the Create Secure Mesh Site guide.
Step 1: Open the site creation wizard.
-
In the Multi-Cloud Network Connect workspace, navigate to Manage > Site Management > Secure Mesh Sites v2.
-
Select Add Secure Mesh Site to open the configuration form.
Step 2: Enter metadata information for your Site.
-
In the Metadata section, enter a name for your Site.
-
Optionally, select labels and add a description.
Step 3: Select the infrastructure provider settings for Site.
Set the Provider Name option to GCP.

Figure: Provider Type
Step 4: Save the configuration.
Click Add Secure Mesh Site.
Create VPC Networks and Subnets
Create two VPC networks, with one subnet each for the SLO and SLI interfaces. Note that this procedure creates a two-interface CE Site.
Create the SLO VPC and Subnet
- In GCP Console, navigate to VPC networks and click CREATE VPC NETWORK.

Figure: SLO Subnet
- In the Name field, specify the new network name. This example uses vpc-smsv2-slo.

Figure: SLO Subnet Name
-
For Subnet creation mode, select Custom.
-
Click New subnet.

Figure: SLO Subnet Custom
-
Enter a subnet name, select the region, and ensure IPv4 (single-stack) is selected.
-
Enter an IPv4 range.

Figure: SLO Subnet Custom
-
Skip the firewall rule configurations, as this will be configured in the next section.
-
Keep the rest of the default options.
-
Click CREATE.
Create the SLI VPC and Subnet
Repeat the previous steps to create the SLI VPC and subnet. However, use the following parameters:
- VPC name: vpc-smsv2-sli
- Subnet name: sub-smsv2-sli
- IPv4 range: 10.10.2.0/24
Add Additional VPCs and Subnets
If you need more than two interfaces for your CE Site, you must create new VPCs and subnets for each network interface. This is optional. The CE Site does not require additional interfaces for regular operations.
To create new interfaces, repeat the steps above and use a non-overlapping IP address range. As an example, you can use the following parameters:
- VPC name: vpc-smsv2-sli2
- Subnet name: sub-smsv2-sli2
- IPv4 range: 10.10.3.0/24
Configure Firewall Rules
The CE data path automatically manages the ports and protocols allowed on the interfaces. Therefore, you need to create allow-all rules to use with the CE Site nodes.
- In GCP Console, navigate to VPC networks and click on the new SLO network created previously.

Figure: SLO Subnet Selection
- In the Firewall tab, click ADD FIREWALL RULE and create any-to-any allow-all traffic ingress and egress rules as shown in image. Make sure you add a tag (for example, smsv2) to match the Targets where the rule will be applied. The network interfaces of the CE Site node will be configured with the same tag to apply the rules to it.

Figure: SLO Firewall Rules
- Repeat the steps above for the SLI VPC network and add allow-all rules.

Figure: SLI Firewall Rules
Reserve External IP Address
An external IP address is required to enable your CE to connect to the F5 Distributed Cloud Global Controller.
-
In GCP console, navigate to VPC networks > IP addresses.
-
Click RESERVE EXTERNAL STATIC IP ADDRESS.

Figure: Reserve External IP Address
-
Provide the name.
-
Select the Network Service Tier as Standard or Premium based on the project-level default.
-
Select the IP version as IPv4.
-
Select the Type as Regional and select the same region used to create the VPC network in the previous step.
-
Leave the Attached to field as blank as you will eventually attach the IP address to the CE when you launch the instance.

Figure: Configure the Reserve External IP Address
- Click Reserve.
Generate Node Token
A one-time node token is required to register a CE Site node to the Distributed Cloud Console. A new token must be generated for every new node in a CE Site. A token is valid for 24 hours. Make sure that the CE node is deployed soon after the token is generated.
The token is included in the cloud-init information under the Content variable. Also included are two variables commented out: slo_ip and slo_gateway. These variables can be commented out if you are using your own DNS service and not the default DNS service provided by F5.
-
In Distributed Cloud Console, select the Multi-Cloud Network Connect workspace.
-
Navigate to Manage > Site Management > Secure Mesh Sites v2.
-
For your site, click ... > Generate Node Token.

Figure: Generate Token Action
-
Click Copy Token.
-
Save the value locally. This token will be used later. The token value is hidden for security purposes.

Figure: Generated Token
-
Click Close.
-
Generate one token per node you intend to deploy.
Launch CE Virtual Machine
Create the instance virtual machine (VM) using the parameters previously created.
This section guides you through the procedure to deploy directly from Google Cloud Marketplace using a public image published by F5. But, in case you want to use a local image to create the VMs, Distributed Cloud also provides an option to download the image file so that you can upload it to your GCP account. See Create Node from Downloaded Image (Optional).
Important: The name of the VM should not have "." in it. For example, the hostname can be node-0 or node0, but it cannot be node.f5.com since it is not supported. If configuring a multi-node site, each node hostname must be unique.
Step 1: Create new virtual machine.
-
In Distributed Cloud Console, select the Multi-Cloud Network Connect workspace.
-
Navigate to Manage > Site Management > Secure Mesh Sites v2.
-
For your site, click ... > Launch Instance. This action will open the CE image listing on GCP Marketplace in a new browser tab.

Figure: Launch Instance for Marketplace Listing
- Click LAUNCH.

Figure: Launch Instance from Marketplace Listing
Step 2: Configure new virtual machine.
-
Configure the Deployment Name.
-
Select the service account that will be used to create the VM.
-
Select the Zone (the region is implicitly selected based on the zone).
-
Select the desired instance size.
Note: This procedure uses the default n4-standard-8 as an example for the CE VM size. To find your right size and requirements, refer to the Customer Edge Site Sizing Reference guide.
-
Update the boot disk option if required. The boot disk size is in GB and is set to 80 GB by default. The minimum required is 45 GB.
-
Under Network interfaces, expand the default interface and configure it as the SLO interface of the node with the following:
- Select the SLO VPC network.
- Select the SLO subnet.
- For the External IP, select the previously created External IP address for the SLO interface.
- Click Done.
-
Click ADD A NETWORK INTERFACE to configure the SLI for the node as below:
- Select the SLI VPC network.
- Select the SLI subnet.
- For the External IP, select None.
-
Under Network Tags, click Add Item and add the network tags to match the tags for the firewall rules.

Figure: Configure Network Tags
- Under Metadata, paste the token generated previously.

Figure: Configure Metadata
- Under SSH Keys, click ADD ITEM and paste your SSH public key in the text box. This will be used to SSH into the node for debugging, if required.

Figure: Configure SSH
- Click Deploy to create the VM.
Create Node from Downloaded Image (Optional)
The CE VM can be directly created from the images listed on GCP Cloud Marketplace. But, in case you want to use a local image to create the VMs, Distributed Cloud Console also provides an option to download the image file so that you can upload it to your GCP account. This can be useful if you are deploying in a government cloud, where the community images are not supported.
Import CE Site Image
In Distributed Cloud Console, you can either download the node image file or copy its image name. The image file can be used to create multiple nodes in the same GCP region.
-
Navigate to Manage > Site Management > Secure Mesh Sites v2.
-
For your site, click ... > Download Image.

Figure: Download Node Image
- In GCP Console, navigate to Storage Bucket and then click UPLOAD FILES to upload the node image file.

Figure: Upload Node Image
- Navigate to Compute Engine > Images. Click CREATE IMAGE.

Figure: Create Node Image in GCP Console
-
Enter a name for the image and select the Source as Cloud Storage File.
-
Click Browse to select the image file from Storage Bucket.

Figure: Create Node Image in GCP Console
-
Leave the rest of the options in their default configurations.
-
Click CREATE.
Create GCP Virtual Machine
Create the instance virtual machine (VM) using the parameters previously created.
This section guides you through the procedure to deploy directly from Google Cloud Marketplace using an image. But, in case you want to use a local image to create the VMs, Distributed Cloud also provides an option to download the image file so that you can upload it to your GCP account.
Important: The name of the VM should not have "." in it. For example, the hostname can be node-0 or node0, but it cannot be node.f5.com since it is not supported. If configuring a multi-node site, each node hostname must be unique.
Step 1: Create new virtual machine.
-
In GCP Console, navigate to Compute Engine > Images.
-
Click on the name of the image previously created.
-
Click CREATE INSTANCE.

Figure: Create Instance
Step 2: Configure new virtual machine.
-
Enter a name for the VM.
-
Select the region and where you want to deploy the node.

Figure: Create Instance
- Select the VM machine type. This procedure uses the default n4-standard-8 as an example for the CE VM size. To find your right size and requirements, refer to the Customer Edge Site Sizing Reference guide.

Figure: Select Instance Type
-
Under Boot disk, Click CHANGE and make the following changes:
- Set the Boot disk type to Standard persistent disk.
- Set the Size (GB) to 80 GB. The minimum required is 45 GB.

Figure: Select Instance Size
Step 3: Configure virtual machine networking.
-
Click on Advanced options to expand the configuration.
-
Under Networking, add network tags to match the tags for the firewall rules.
-
Do not add a hostname. Keep this field empty.
-
Enable IP forwarding.

Figure: Select Instance Tags
-
Under Network interfaces expand the default interface and configure it as the SLO interface of the node with the following:
- Select the SLO VPC network.
- Select the SLO subnet.
- Select Ephemeral (Automatic) for the Primary internal IPv4 address.

Figure: Configure Instance SLO Example
- For External IPv4 address, click on the drop-down menu. Click Reserve Static External IP address, provide a name, and then click Reserve.

Figure: Configure Instance SLO
-
Click ADD A NETWORK INTERFACE to configure the SLI for the node as below:
- Select the SLI VPC network.
- Select the SLI subnet.
- Select Ephemeral (Automatic) for the Primary internal IPv4 address.
- For External IPv4 address, select None.

Figure: Configure Instance SLI Example
Note: If additional interfaces are required, refer to the [#add-new-network-interface] section below before proceeding. You cannot add additional interfaces after the instance is created.
Step 4: Configure security settings.
-
Under the Security section, expand Manage access.
-
Under Add manually generated SSH keys, click Add item and paste your SSH public key in the text box. This will be used to SSH into the node for debugging, if required.

Figure: Configure SSH
-
Select Advanced from the left page, and then navigate down to the Metadata section.
-
Click Add item and use the following information to add two metadata key-value pairs:
Key | Value | Notes |
---|---|---|
VmDnsSetting | ZonePreferred | Zonal DNS mitigates the risk of cross-regional outages and improves the overall reliability of the VM. |
user-data | Copy and paste the cloud-init format along with node token information from above. | This allows the node token to be used for registration of the node. |
#cloud-config
write_files:
- path: /etc/vpm/user_data
permissions: 644
owner: root
content: |
token: # Paste the node token here

Figure: Configure Metadata
- Click CREATE to create the VM.
Verify CE Site Registration
-
In Distributed Cloud Console, navigate to Multi-Cloud Network Connect > Overview > Infrastructure > Sites.
-
Select the site. The Dashboard tab should clearly show that the CE Site has registered successfully with the System Health of 100% as well as Data Plane/Control Plane both being up.

Figure: Confirm Site Health
Note: For more information on the site registration process, see the Customer Edge Registration and Upgrade Reference guide.
Add New Network Interface
Important: Adding a new network interface will cause the data plane services to restart. Therefore, it is strongly recommended to perform this operation during maintenance windows. As data plane services restart, traffic drops are expected, as well as tunnels going down. All nodes in a given CE site should have the same number of network interfaces attached. Each node in the CE site should have interfaces with the same VRFs assigned. For example: If a CE site has three nodes, each node having two interfaces - the first interface on each node will be auto-configured to be in the SLO VRF (to connect to F5 Distributed Cloud). If the second interface on node-1 is in the SLI VRF, then the second interface on node-2 and node-3 should also be in the SLI VRF.
When adding interfaces, it is important to make sure that the interfaces are added to each node in the cluster. Nodes with non-homogenous interfaces within a CE Site might cause issues. Therefore, each node in a given CE Site should have the same number of interfaces placed in the same VRFs.
To add extra interfaces to an instance on GCP, ensure the following conditions are met:
- Additional interfaces can be applied to a VM only while creating it.
- GCP does not support adding new interfaces after the VM is created.
- Each interface must connect to a different VPC network.
Important: The IP address ranges of the two interfaces on the same instance must not overlap.
-
Power down the VM prior to adding any new interfaces or modifying any existing interfaces.
-
Click ADD A NETWORK INTERFACE to configure an additional SLI for the node. Use the following parameters:
- Select the additional VPC network.
- Select the additional subnet.
- Select Ephemeral for the Primary internal IPv4 address.
- For External IPv4 address, select None.

Figure: Configure Additional SLI
Modify Interface Attributes
-
To modify any interface attributes, click Manage Configuration. Then, in the wizard, click Edit Configuration.
-
Under the Nodes subsection, click the pencil icon under Actions to edit.
-
Choose one of the interfaces to edit.
-
Change the settings as required. In this example, the interface is being placed in the prod-segment. Therefore, the setting from the original Site Local Inside (Local VRF) to Segment was changed. Then the required segment is selected.

Figure: Edit Interface

Figure: Edit Interface
-
Click Save Secure Mesh Site.
-
Power back up the VM.
Day 2 Operations
- To monitor your Site, see the Monitor Site guide.
- To manage your Site software and OS updates, see the Manage Site guide.
- For troubleshooting issues, see the Troubleshooting Guide for Secure Mesh Site v2 Deployment guide. It provides step-by-step instructions to debug and resolve the issues that may arise due to registration and provisioning errors.
- For the latest on Distributed Cloud Services releases, see Changelogs.
Related Guides
To create a load balancer on the CE Site, see the HTTP Load Balancer or the TCP Load Balancer guides.
Concepts
On this page:
- Objective
- Planning
- General Prerequisites
- IAM Required Roles
- Configuration Overview
- Procedure
- Create Site Object
- Create VPC Networks and Subnets
- Configure Firewall Rules
- Reserve External IP Address
- Generate Node Token
- Launch CE Virtual Machine
- Create Node from Downloaded Image (Optional)
- Import CE Site Image
- Create GCP Virtual Machine
- Verify CE Site Registration
- Add New Network Interface
- Modify Interface Attributes
- Day 2 Operations
- Related Guides
- Concepts