Deploy Secure Mesh Site v2 in OCI (ClickOps)
Objective
This guide provides instructions on how to create a customer edge (CE) site using F5® Distributed Cloud Console to deploy to Oracle Cloud Infrastructure (OCI). For more information on a CE Site, refer to F5 Distributed Cloud - Customer Edge.
As part of the new site deployment workflow, you can deploy the CE site as a Secure Mesh Site using OCI.
Important: This guide does not provide instructions on how to deploy an F5® App Stack Site.
General Prerequisites
The following general prerequisites apply:
- A Distributed Cloud Services Account. If you do not have an account, see Create an Account.
- Resources required per node: Minimum 4 vCPUs, 14 GB RAM, and 80 GB disk storage. For a full listing of the resources required, see the Customer Edge Site Sizing Reference guide. All the nodes in a given CE Site should have the same resources regarding the compute, memory, and disk storage. When deploying in cloud environments, these nodes should use the same instance flavor.
- Allow traffic from and to the Distributed Cloud public IP addresses to your network and allowlist related domain names. See Firewall and Proxy Server Allowlist Reference guide for the list of IP addresses and domain names.
- F5 assumes that an existing subnet exists with Internet connectivity to attach to the node.
- The new Secure Mesh Site workflow enables you to have up to eight interfaces. However, these interfaces should be in different subnets. Therefore, make sure you have the required subnets available before creating the CE Site nodes.
- Internet Control Message Protocol (ICMP) needs to be opened between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed to ensure intra-cluster communication checks.
Important: After you deploy the CE Site, the IP address for the SLO interface cannot be changed. Also, the MAC address cannot be changed.
Configuration Overview
To create a Secure Mesh Site, here are the high-level steps:
- Site object creation: Configure the site within F5 Distributed Cloud Console.
- Node management: Create and configure the objects associated with each node, including security lists, and much more.
- Image management: Gather all the information required to find and load the custom OCI QCOW2 installation image.
- Instance management: Use the image from the previous step to constitute the site.
- Interface management: Add additional interfaces on the nodes, if necessary.
Procedure
In this guide, the procedure demonstrates the steps to deploy a single-node site with dual interfaces (ingress/egress). Where the steps differ for other node counts or interface layouts, this guide notes the deviations, so it can be adapted to different node and interface requirements.
Create Site Object
- Create a secure mesh site object in Distributed Cloud Console. Refer to the Create Secure Mesh Site guide.
- Set the Provider Name option to OCI.
Figure: Provider Type
- Click Save and Exit.
Confirm Existing Virtual Cloud Network Details
In this procedure, we are deploying a dual interface single-node site. Therefore, we need two subnets: SLI (Site Local Inside) and SLO (Site Local Outside). Note that workload subnets are generally used but are not a requirement to deploy a CE site.
- To view your virtual cloud network, navigate to Networking and select Virtual cloud networks.
Figure: View Existing Network
- Click on your virtual cloud network to see the available subnets.
Figure: View Existing Subnets
- View the following parameters:
  - Virtual Cloud Network name: oci-clickops-virtual-cloud-network
  - Site Local Outside (external) subnet: oci-clickops-external-subnet
  - Site Local Inside (internal) subnet: oci-clickops-internal-subnet
Create Security List
Create a security list that will be attached to the F5 CE OCI instance. Note that this security list will be used for the Site Local Outside (SLO) interface. Any other interfaces can use the default security list of the virtual cloud network, which should allow all traffic in both directions. By default, a security list only allows ICMP and SSH communication.
Step 1: Create security list.
- Navigate to your virtual cloud network and click Security Lists.
Figure: View Security Lists
- Click Create Security List.
Figure: Create Security List
- Enter an indicative name. This example uses f5-ce-security-list.
Step 2: Create ingress rules.
- Use the following for the ingress rules:
  - Allowed SSH from the machine's public address. OCI detects the public IP address you are configuring from and allows it. You can also select Custom and enter your corporate public address space.
  - Allowed ICMP for troubleshooting.
  - Allowed TCP port 65500 for the local UI on the CE. For three-node CE sites, ensure that traffic is allowed between the nodes by IP address or, better, by referencing the same security list as an allowed source.
Important: For connections to the instance, it is a best practice to restrict access by source and not let any external IP address connect to the instance. When creating load balancers to publish applications, you will need to add additional rules in your security list to accept the traffic that comes to your virtual IP address (VIP).
Step 3: Create egress rules.
- For egress rules, use an allow-all policy.
- After you finish, click Create Security List.
Step 4: Validate rules.
- Validate that the list was created successfully.
Figure: Validate Security List
- Navigate to the inbound/outbound rules to verify that they have been configured correctly.
Figure: Validate Ingress Rules
Figure: Validate Egress Rules
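Validating the rules by eye in the Console is easy to get wrong, especially the "restrict SSH by source" point above. The following is an added example (not F5 or Oracle code) that audits a rule set against the policy described in Steps 2 and 3: SSH and the port 65500 local UI must come only from a trusted source range, ICMP must be present, and egress must be allow-all. The rule dictionaries are constructed sample data modelled on the JSON shape the OCI API uses for ingress and egress security rules, and TRUSTED_SOURCES is a hypothetical stand-in for your corporate public address space.

```python
"""Audit a proposed OCI security list against the guidance in this guide.

Added example, not F5 or Oracle code. Rule dictionaries are constructed
samples modelled on the OCI IngressSecurityRule / EgressSecurityRule JSON
shape; TRUSTED_SOURCES is a hypothetical corporate address range (TEST-NET-3).
"""
import ipaddress

TCP, ICMP = "6", "1"                  # IANA protocol numbers, as OCI encodes them
LOCAL_UI_PORT = 65500                 # CE local UI port from the guide
TRUSTED_SOURCES = {"203.0.113.0/24"}  # hypothetical corporate public address space

# Constructed sample: SSH was left open to the world, the other rules are fine.
INGRESS = [
    {"protocol": TCP, "source": "0.0.0.0/0",
     "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}},
    {"protocol": ICMP, "source": "0.0.0.0/0"},
    {"protocol": TCP, "source": "203.0.113.0/24",
     "tcpOptions": {"destinationPortRange": {"min": LOCAL_UI_PORT, "max": LOCAL_UI_PORT}}},
]
# Same list with SSH restricted to the trusted range, as the guide recommends.
HARDENED_INGRESS = [dict(INGRESS[0], source="203.0.113.0/24")] + INGRESS[1:]
EGRESS = [{"protocol": "all", "destination": "0.0.0.0/0"}]


def _covers_port(rule, port):
    """True if the rule's TCP destination range includes `port` (no range = all ports)."""
    rng = rule.get("tcpOptions", {}).get("destinationPortRange")
    return rng is None or rng["min"] <= port <= rng["max"]


def _is_trusted(source):
    """True if the CIDR source lies entirely inside one of the trusted ranges."""
    net = ipaddress.ip_network(source, strict=False)
    return any(net.subnet_of(ipaddress.ip_network(t, strict=False)) for t in TRUSTED_SOURCES)


def audit(ingress, egress):
    """Return a list of findings; an empty list means the rules match the guide."""
    findings = []
    ssh_ok = ui_ok = icmp_ok = False
    for r in ingress:
        if r.get("sourceType", "CIDR_BLOCK") != "CIDR_BLOCK":
            continue  # NSG or service sources are outside this CIDR-based check
        src = r["source"]
        if r["protocol"] == ICMP:
            icmp_ok = True
        if r["protocol"] in (TCP, "all") and _covers_port(r, 22):
            if _is_trusted(src):
                ssh_ok = True
            else:
                findings.append(f"SSH reachable from untrusted source {src}; restrict by source")
        if r["protocol"] in (TCP, "all") and _covers_port(r, LOCAL_UI_PORT):
            if _is_trusted(src):
                ui_ok = True
            else:
                findings.append(f"local UI port {LOCAL_UI_PORT} reachable from untrusted source {src}")
    if not ssh_ok:
        findings.append("no SSH ingress from a trusted source")
    if not icmp_ok:
        findings.append("no ICMP ingress (needed for troubleshooting and intra-cluster checks)")
    if not ui_ok:
        findings.append(f"no ingress to local UI port {LOCAL_UI_PORT} from a trusted source")
    if not any(e["protocol"] == "all" and e["destination"] == "0.0.0.0/0" for e in egress):
        findings.append("egress is not allow-all; registration and tunnels need outbound access")
    return findings


if __name__ == "__main__":
    for name, rules in (("as entered", INGRESS), ("hardened", HARDENED_INGRESS)):
        print(name, "->", audit(rules, EGRESS) or "OK")
```

Run against the "as entered" sample the audit reports the world-open SSH rule twice: once as an untrusted source and once because no trusted SSH rule remains; the hardened list passes cleanly. Rules whose source is a network security group or OCI service are skipped rather than guessed at.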
Step 5: Assign security list to subnet.
Adding the security list to a subnet includes its ingress/egress rules in that subnet's filtering policy.
- Navigate to Networking and select Virtual cloud networks.
- Click on the subnet used for the Site Local Outside (SLO) interface.
Figure: List of Subnets
- Click Add Security List and select the custom security list created previously.
Figure: Select Custom Security List
- Confirm the security list is added to the desired subnet.
Figure: Confirm Security List Selected for Subnet
Download Node Image and Create OCI Compute Image
Download the qcow2 image from Distributed Cloud Console. This image file will be uploaded in your OCI account.
Step 1: Create bucket in OCI.
- In Distributed Cloud Console, select the Multi-Cloud Network Connect service.
- Navigate to Manage > Site Management > Secure Mesh Sites v2.
- For your site, click ... > Download Image.
Figure: Download Node Image
- After the image downloads, in the OCI Console, navigate to Storage > Buckets.
- Create a bucket to upload the node image file:
  - Click Create Bucket and give the bucket a name. This example uses smsv2-oci-bucket.
  - Click
Figure: Create Bucket
Step 2: Upload image file to bucket.
- Click on the newly created bucket, and then click Upload.
- Select the node image file and then click Upload.
Figure: Upload Image File to Bucket
- Verify the image was properly uploaded by checking the Objects list.
Figure: Verify Image File in Bucket
Step 3: Create custom image file.
Create a custom image based on the qcow2 image.
- In the OCI Console, navigate to Compute > Custom Images.
- Click Import image.
Figure: Upload Custom Image File
- Use the following parameters:
  - For the Name, enter smsv2-oci-image.
  - For the Operating system, select RHEL.
  - Select Import from an Object Storage Bucket and specify the previously created bucket (smsv2-oci-bucket).
  - Select the previously uploaded qcow2 image.
  - For Image type, select QCOW2.
  - For Launch mode, select Paravirtualized mode.
Figure: Custom Image Parameters
- After you finish, click Import image. Wait for the image creation to be finalized. This process may take a few minutes.
Figure: Custom Image In-Progress
Figure: Custom Image Complete
Generate Node Token
A one-time node token is required to register a CE Site node to the Distributed Cloud Console. A new token must be generated for every new node in a CE Site. A token is valid for 24 hours. Make sure that the CE node is deployed soon after the token is generated.
- In Distributed Cloud Console, select the Multi-Cloud Network Connect service.
- Navigate to Manage > Site Management > Secure Mesh Sites v2.
- For your site, click ... > Generate Node Token.
Figure: Generate Node Token
- Click Copy.
- Save the value locally. This token will be used later. The token value is hidden for security purposes.
Figure: Copy Node Token
- Click Close.
- Generate one token per node you intend to deploy.
Create OCI VM Instance
Create the instance leveraging the previously created parameters.
Important: The name of the VM should not contain a period (.). For example, the hostname can be node-0 or node0, but it cannot be node.f5.com, since that is not supported.
Step 1: Create instance.
- To create the instance, click Create instance.
Figure: Create Instance
- Specify a name. This example uses smsv2-oci-instance.
- Choose the instance type. This example uses VM.Standard3.Flex with Intel and 2 OCPUs. Note that this is the minimum instance type required to run the F5 CE software.
Figure: Instance Type
Step 2: Configure instance network.
- Select the virtual cloud network and subnet (oci-clickops-external-subnet). The subnet chosen is the subnet for Network Interface 1 (Site Local Outside/external). You can decide whether the IP address is allocated automatically or manually.
- Select the configuration for the private and public IP addresses.
Figure: Instance Network
Step 3: Configure instance advanced options.
- Select the Advanced options tab and change the launch options to Paravirtualized networking.
Figure: Instance Advanced Options
- Add your public SSH key to use after the site is provisioned. The username is cloud-user.
Figure: Instance SSH
- At the bottom of the page, click Show advanced options to copy and paste a cloud-init script.
- Copy the information below into an editor of your choice and replace the token value with the token corresponding to your specific node. Keep the indentation exactly as shown; cloud-init parses this as YAML, and the content, owner, and permissions keys must be nested under the write_files entry.
#cloud-config
write_files:
  - path: /etc/vpm/user_data
    content: |
      token: <token>
    owner: root
    permissions: '0644'
Figure: Cloud Init Script
- Click Create.
Register CE Site
- In Distributed Cloud Console, navigate to Multi-Cloud Network Connect > Overview > Sites.
- Select the site. The Dashboard tab should clearly show that the CE Site has registered successfully, with System Health at 100% and both Data Plane and Control Plane up.
Figure: Confirm Site Health
Add New Network Interface
After the CE Site registers successfully, you might want to add additional interfaces to cater to different customer requirements.
Important: Adding a new network interface will cause the data plane services to restart. Therefore, it is strongly recommended to perform this operation during maintenance windows. As data plane services restart, traffic drops are expected, as well as tunnels going down.
When adding interfaces, it is important to make sure that the interfaces are added to each node in the cluster. Nodes with non-homogenous interfaces within a CE Site might cause issues. Therefore, each node in a given CE Site should have the same number of interfaces placed in the same VRFs.
For OCI sites, to add a new network interface to the CE Site, use the same Virtual Cloud Network but a different subnet. This example uses the subnet oci-clickops-internal-subnet.
Figure: Internal Subnet
- Power down the VM prior to adding any new interfaces or modifying any existing interfaces.
- Navigate to Compute > Instances and click on the CE instance name.
- Click Attached VNICs and then click Create VNIC.
Figure: Create VNIC
- Specify a name for the new VNIC. Assign it to your Virtual Cloud Network and select the relevant subnet. Leave the other options with their default values.
Figure: Create VNIC
Figure: Create VNIC
- Click on the new VNIC to review its configuration.
Figure: Review VNIC Configuration
- Power back on the VM.
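Several rules scattered through this guide are easy to miss when clicking through the OCI Console: the per-node minimum of 4 vCPUs, 14 GB RAM and 80 GB disk; up to eight interfaces, each in a different subnet; no period in the VM name; a node token that expires 24 hours after it is generated; and identical shapes and interface counts on every node of a CE Site. The following is an added example (not F5 or Oracle code) that encodes those rules as a pre-flight check over a planned node list and renders the cloud-init user data from the Create OCI VM Instance section with the token filled in. The NodePlan class, the sample plans and the fixed NOW timestamp are constructed for illustration; the OCPU-to-vCPU ratio of 2 is the standard for OCI x86 shapes.

```python
"""Pre-flight checks for a Secure Mesh Site v2 node plan in OCI.

Added example, not F5 or Oracle code. NodePlan, the sample plans and NOW are
constructed; the rules come from the guide's prerequisites and procedure.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MIN_VCPU, MIN_RAM_GB, MIN_DISK_GB = 4, 14, 80   # per-node minimum from the guide
MAX_INTERFACES = 8                               # Secure Mesh Site v2 limit
TOKEN_LIFETIME = timedelta(hours=24)             # node token validity
VCPU_PER_OCPU = 2                                # OCI x86 shapes: 1 OCPU = 2 vCPUs


@dataclass
class NodePlan:
    hostname: str
    shape: str
    ocpus: int
    ram_gb: int
    disk_gb: int
    subnets: tuple             # one subnet per interface, SLO subnet first
    token_issued_at: datetime  # when the node token was generated in Console


def check_node(node, now):
    """Return the problems with one node plan (empty list means OK)."""
    problems = []
    if "." in node.hostname:
        problems.append(f"{node.hostname}: VM name must not contain '.'")
    vcpus = node.ocpus * VCPU_PER_OCPU
    if vcpus < MIN_VCPU or node.ram_gb < MIN_RAM_GB or node.disk_gb < MIN_DISK_GB:
        problems.append(f"{node.hostname}: below {MIN_VCPU} vCPU / {MIN_RAM_GB} GB RAM / {MIN_DISK_GB} GB disk")
    if not node.subnets:
        problems.append(f"{node.hostname}: needs at least the SLO interface")
    if len(node.subnets) > MAX_INTERFACES:
        problems.append(f"{node.hostname}: more than {MAX_INTERFACES} interfaces")
    if len(set(node.subnets)) != len(node.subnets):
        problems.append(f"{node.hostname}: every interface must be in a different subnet")
    if now - node.token_issued_at > TOKEN_LIFETIME:
        problems.append(f"{node.hostname}: node token is older than 24 hours, generate a new one")
    return problems


def check_site(nodes, now):
    """Per-node checks plus the cluster-wide homogeneity rules."""
    problems = [p for n in nodes for p in check_node(n, now)]
    if len({(n.shape, n.ocpus, n.ram_gb, n.disk_gb) for n in nodes}) > 1:
        problems.append("nodes differ in shape or resources; all nodes in a CE Site must match")
    if len({len(n.subnets) for n in nodes}) > 1:
        problems.append("nodes differ in interface count; interfaces must be homogeneous across the cluster")
    return problems


def render_cloud_config(token):
    """cloud-init user data from the guide, with the node token filled in."""
    if not token or token == "<token>":
        raise ValueError("replace <token> with the token generated for this node")
    return "\n".join([
        "#cloud-config",
        "write_files:",
        "  - path: /etc/vpm/user_data",
        "    content: |",
        f"      token: {token}",
        "    owner: root",
        "    permissions: '0644'",
        "",
    ])


# Constructed sample plans; subnet names follow the example used in this guide.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
GOOD = NodePlan("node-0", "VM.Standard3.Flex", 2, 14, 80,
                ("oci-clickops-external-subnet", "oci-clickops-internal-subnet"),
                NOW - timedelta(hours=1))
BAD = NodePlan("node1.example.invalid", "VM.Standard3.Flex", 1, 14, 80,
               ("oci-clickops-external-subnet", "oci-clickops-external-subnet"),
               NOW - timedelta(hours=30))

if __name__ == "__main__":
    for p in check_site([GOOD, BAD], NOW):
        print("PROBLEM:", p)
    print(render_cloud_config("example-token-value"))  # constructed token value
```

The GOOD plan passes; adding the BAD plan to the same site reports its dotted hostname, its 2 vCPUs, its repeated subnet and its stale token, plus one site-level finding because the two nodes no longer share a shape. render_cloud_config refuses to emit the file while the placeholder is still in place, which is the mistake that leaves a node unable to register.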
Modify NIC Attributes
Once the VNIC is attached, we need to update the SLI configuration in Distributed Cloud Console. The same process applies when you need to modify any other interface attributes.
- Power down the VM prior to adding any new interfaces or modifying any existing interfaces.
- In Console, navigate to the Dashboard tab of your Secure Mesh Site.
Figure: View Dashboard
- Click Manage Configuration and then click Edit Configuration.
Figure: Edit Site
- Under the Nodes subsection, click the pencil icon under Actions to edit.
Figure: Edit Interface
- Choose one of the interfaces to edit by clicking the pencil icon. This example uses ens5.
Figure: Edit Interface
- Update the interface settings and specify the IP address associated with the new VNIC (for example, 10.0.1.203/24).
Figure: Edit Interface IP Address
- Save the changes.
- Power back on the VM.
- Confirm your site to validate that the changes were applied successfully.
Figure: Confirm New VNIC
Troubleshooting
For troubleshooting issues, see the Troubleshooting Guide for Secure Mesh Site v2 Deployment. It provides step-by-step instructions to debug and resolve the issues that may arise from registration and provisioning errors.