Deploy Secure Mesh Site v2 in OCI (ClickOps)

Objective

This guide provides instructions on how to create a customer edge (CE) site using F5® Distributed Cloud Console to deploy to Oracle Cloud Infrastructure (OCI). For more information on a CE Site, refer to F5 Distributed Cloud - Customer Edge.

As part of the new site deployment workflow, you can deploy the CE site as a Secure Mesh Site using OCI.

Important: This guide does not provide instructions on how to deploy an F5® App Stack Site.

---

General Prerequisites

The following general prerequisites apply:

• A Distributed Cloud Services Account. If you do not have an account, see Getting Started with Console.

• Resources required per node: Minimum 4 vCPUs, 14 GB RAM, and 80 GB disk storage. For a full listing of the resources required, see the Customer Edge Site Sizing Reference guide. All the nodes in a given CE Site should have the same resources regarding the compute, memory, and disk storage. When deploying in cloud environments, these nodes should use the same instance flavor.

• Allow traffic from and to the Distributed Cloud public IP addresses to your network and allowlist related domain names. See Firewall and Proxy Server Allowlist Reference guide for the list of IP addresses and domain names.

• F5 assumes that an existing subnet exists with Internet connectivity to attach to the node.

• The new Secure Mesh Site workflow enables you to have up to eight interfaces. However, these interfaces should be in different subnets. Therefore, make sure you have the required subnets available before creating the CE Site nodes.

• Internet Control Message Protocol (ICMP) needs to be opened between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed to ensure intra-cluster communication checks.

Important: After you deploy the CE Site, the IP address for the SLO interface cannot be changed. Also, the MAC address cannot be changed.

---

Configuration Overview

To create a Secure Mesh Site, here are the high-level steps:

1. Site object creation: Configure the site within F5 Distributed Cloud Console.
2. Node management: Create and configure the objects associated with each node, including security lists, and much more.
3. Image management: Gather all the information required to find and load the custom OCI QCOW2 installation image.
4. Instance management: Use the image from the previous step to constitute the site.
5. Interface management: Add additional interfaces on the nodes, if necessary.

---

Procedure

In this guide, the procedure demonstrates the steps to deploy a single-node site with dual interfaces (ingress/egress). However, this guide will also explain the necessary deviations from this specific model where necessary, making it flexible to adjust to different node and interface requirements.

Create Site Object

• Create a secure mesh site object in Distributed Cloud Console. Refer to the Create Secure Mesh Site guide.

• Set the Provider Name option to OCI.

• Click Save and Exit.

Confirm Existing Virtual Cloud Network Details

In this procedure, we are deploying a dual interface single-node site. Therefore, we need two subnets: SLI (Site Local Inside) and SLO (Site Local Outside). Note that workload subnets are generally used but are not a requirement to deploy a CE site.

• To view your virtual cloud network, navigate to Networking and select Virtual cloud networks.

• Click on your virtual cloud network to see the available subnets.

• View the following parameters:

  • Virtual Cloud Network name: oci-clickops-virtual-cloud-network
  • Site Local Outside (external) subnet: oci-clickops-external-subnet
  • Site Local Inside (internal) subnet: oci-clickops-internal-subnet

Create Security List

Create a security list that will be attached to the F5 CE OCI instance. Note that this security list will be used for the Site Local Outside (SLO) interface. Any other interfaces can use the default security list of the virtual cloud network, which should allow all traffic in both directions. By default, a security list only allows ICMP and SSH communication.

Step 1: Create security list.

• Navigate to your virtual cloud network and click Security Lists.

Figure: View Security Lists

• Click Create Security List.

Figure: Create Security List

• Enter an indicative name. This example uses f5-ce-security-list.

Step 2: Create ingress rules.

• Use the following for the ingress rules:

  • Allowed SSH from the machine’s public address. This is where OCI will figure out the public IP address that a user is configuring from and allows it. You can also use custom and enter your corporate public address space.
  • Allowed ICMP for troubleshooting.
  • Allowed TCP port 65500 for the local UI on the CE. For three-node CE sites, ensure that traffic is allowed between the nodes by IP address or, better, by referencing the same security list as an allowed source.

Important: For connections to the instance, it is a best practice to restrict access by source and not let any external IP address connect to the instance. When creating load balancers to publish applications, you will need to add additional rules in your security list to accept the traffic that comes to your virtual IP address (VIP).

Step 3: Create egress rules.

• For egress rules, use an allow-all policy.

• After you finish, click Create Security List.

Step 4: Validate rules.

• Validate that the list was created successfully.

Figure: Validate Security List

• Navigate to the inbound/outbound rules to verify that they have been configured correctly.

Figure: Validate Ingress Rules

Figure: Validate Egress Rules

Step 5: Assign security list to subnet.

By adding the security list to a subnet, it will include those ingress/egress rules into its filtering policy.

• Navigate to Networking and select Virtual cloud networks.

• Click on the subnet unused for the Site Local Outside (SLO) interface.

Figure: List of Subnets

• Click Add Security List and select the custom security list created previously.

Figure: Select Custom Security List

• Confirm the security list is added to the desired subnet.

Figure: Confirm Security List Selected for Subnet

Download Node Image and Create OCI Compute Image

Download the qcow2 image from Distributed Cloud Console. This image file will be uploaded in your OCI account.

Step 1: Create bucket in OCI.

• In Distributed Cloud Console, select the Multi-Cloud Network Connect service.

• Navigate to Manage > Site Management > Secure Mesh Sites v2.

• For your site, click ... > Download Image.

Figure: Download Node Image

• After the image downloads, in the OCI Console, navigate to Storage > Buckets.

• Create a bucket to upload the node image file:

  • Click Create Bucket and give the bucket a name. This example uses smsv2-oci-bucket.

Figure: Create Bucket

Step 2: Upload image file to bucket.

• Click on the newly created bucket, and then click Upload.

• Select the node image file and then click Upload.

Figure: Upload Image File to Bucket

• Verify the image was properly uploaded by checking the Objects list.

Figure: Verify Image File in Bucket

Step 3: Create custom image file.

Create a custom image based on the qcow2 image.

• In the OCI Console, navigate to Compute > Custom Images.

• Click Import image.

Figure: Upload Custom Image File

• Use the following parameters:

  • For the Name, enter smsv2-oci-image.

  • For the Operating system, select RHEL.

  • Select Import from an Object Storage Bucket and specify the previously created bucket (smsv2-oci-bucket).

  • Select the previously uploaded qcow2 image.

  • For Image type, select QCOW2.

  • For Launch mode, select Paravirtualized mode.

Figure: Custom Image Parameters

• After you finish, click Import image. Wait for the image creation to be finalized. This process may take a few minutes.

Figure: Custom Image In-Progress

Figure: Custom Image Complete

Generate Node Token

A one-time node token is required to register a CE Site node to the Distributed Cloud Console. A new token must be generated for every new node in a CE Site. A token is valid for 24 hours. Make sure that the CE node is deployed soon after the token is generated.

The token is included in the cloud-init information under the Content variable. Also included are two variables commented out: slo_ip and slo_gateway. These variables can be commented out if you are using your own DNS service and not the default DNS service provided by F5.

• In Distributed Cloud Console, select the Multi-Cloud Network Connect service.

• Navigate to Manage > Site Management > Secure Mesh Sites v2.

• For your site, click ... > Generate Node Token.

• Click Copy cloud-init.

• Save the value locally. This token will be used later. The token value is hidden for security purposes.

• Click Close.

• Generate one token per node you intend to deploy.

Create OCI VM Instance

Create the instance leveraging the previously created parameters.

Important: The name of the VM should not have . in it. For example, the hostname can be node-0 or node0, but it cannot be node.f5.com since it is not supported. If configuring a multi-node site, each node hostname must be unique.

Step 1: Create instance.

• To create the instance, click Create instance.

Figure: Create Instance

• Specify a name. This example uses smsv2-oci-instance.

• Choose the instance type. This example uses VM.Standard3.Flex with Intel and 2 OCPUs. Note that this is the minimum instance type required to run the F5 CE software.

Figure: Instance Type

Step 2: Configure instance network.

• Select the virtual cloud network and subnet (oci-clickops-external-subnet). The subnet chosen is the subnet for Network Interface 1 (Site Local Outside/external). You can decide on whether the IP address is allocated automatically or manually.

• Select the configuration for the private and public IP addresses.

Figure: Instance Network

Step 3: Configure instance advanced options.

• Select the Advanced options tab and change the launch options to Paravirtualized networking.

Figure: Instance Advanced Options

• Add your public SSH key to use after the site is provisioned. The username is cloud-user.

Figure: Instance SSH

• At the bottom of the page, Click Show advanced options to copy and paste a cloud init script.

• In the Cloud-init script text box, paste the cloud-init information (which includes the site token) copied from the Generate Node Token section.

Figure: Cloud Init Script

• Click Create.

Verify CE Site Registration

• In Distributed Cloud Console, navigate to Multi-Cloud Network Connect > Overview > Infrastructure > Sites.

• Select the site. The Dashboard tab should clearly show that the CE Site has registered successfully with the System Health of 100% as well as Data Plane/Control Plane both being up.

Note: For more information on the site registration process, see the Customer Edge Registration and Upgrade Reference guide.

Add New Network Interface

After the CE Site registers successfully, you might want to add additional interfaces to cater to different customer requirements.

Important: Adding a new network interface will cause the data plane services to restart. Therefore, it is strongly recommended to perform this operation during maintenance windows. As data plane services restart, traffic drops are expected, as well as tunnels going down. All nodes in a given CE site should have the same number of network interfaces attached. Each node in the CE site should have interfaces with the same VRFs assigned. For example: If a CE site has three nodes, each node having two interfaces - the first interface on each node will be auto-configured to be in the SLO VRF (to connect to F5 Distributed Cloud). If the second interface on node-1 is in the SLI VRF, then the second interface on node-2 and node-3 should also be in the SLI VRF.

When adding interfaces, it is important to make sure that the interfaces are added to each node in the cluster. Nodes with non-homogenous interfaces within a CE Site might cause issues. Therefore, each node in a given CE Site should have the same number of interfaces placed in the same VRFs.

For OCI sites, to add a new network interface to the CE Site, you need to use the same Virtual Cloud Network. This example uses subnet oci-clickops-internal-subnet.

• Power down the VM prior to adding any new interfaces or modifying any existing interfaces.

• Navigate to Compute > Instances and click on the CE instance name.

• Click Attached VNICs and then click Create VNIC.

• Specify a name for the new VNIC. Assign it to your Virtual Cloud Network and select the relevant subnet. Leave the other options with their default values.

• Click on the new VNIC to review its configuration.

• Power back on the VM.

Modify NIC Attributes

Once the VNIC is attached, we need to update the SLI configuration in Distributed Cloud Console. This process is valid if you need to modify any other interface attributes.

• Power down the VM prior to adding any new interfaces or modifying any existing interfaces.

• In Console, navigate to the Dashboard tab of your Secure Mesh Site.

• Click Manage Configuration and then click Edit Configuration.

• Under the Nodes subsection, click the pencil icon under Actions to edit.

• Choose one of the interfaces to edit by clicking the pencil icon. This example uses ens5.

• Update the interface settings and specify the IP address associated with the new VNIC (for example, 10.0.1.203/24).

• Save the changes.

• Power back on the VM.

• Confirm your site to validate that the changes were applied successfully.

---

Troubleshooting

For troubleshooting issues, see the Troubleshooting Guide for Secure Mesh Site v2 Deployment guide. It provides step-by-step instructions to debug and resolve the issues that may arise due to registration and provisioning errors.

---

Concepts

• System Overview
• Core Concepts
• Networking
• F5 Distributed Cloud - Customer Edge
• F5 Distributed Cloud Site

---