Deploy Secure Mesh Site v2 in OCI (ClickOps)

Objective

This guide provides instructions on how to create a customer edge (CE) site using F5® Distributed Cloud Console to deploy to Oracle Cloud Infrastructure (OCI). For more information, see F5® Distributed Cloud Site.

As part of the new site deployment workflow, you can deploy the CE site as a Secure Mesh Site using OCI.

Important: This guide does not provide instructions to deploy an F5® App Stack Site.

General Prerequisites

The following general prerequisites apply:

A Distributed Cloud Services Account. If you do not have an account, see Create an Account.
Resources required per node: Minimum 4 vCPUs and 14 GB RAM. For a full listing of the resources required, see the Customer Edge Site Sizing Reference guide.
F5 assumes that an existing subnet exists with Internet connectivity to attach to the node.
The new Secure Mesh Site workflow enables you to have up to eight interfaces. However, these interfaces should be in different subnets. Therefore, make sure you have the required subnets available before creating the CE Site nodes.
Internet Control Message Protocol (ICMP) needs to be opened between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed to ensure intra-cluster communication checks.

Important: After you deploy the CE Site, the IP address for the SLO interface cannot be changed. Also, the MAC address cannot be changed.

Configuration Overview

To create a Secure Mesh Site, here are the high-level steps:

Site object creation: Configure the site within F5 Distributed Cloud Console.
Node management: Create and configure the objects associated with each node, including security lists, and much more.
Image management: Gather all the information required to find and load the custom OCI QCOW2 installation image.
Instance management: Use the image from the previous step to constitute the site.
Interface management: Add additional interfaces on the nodes, if necessary.

Procedure

In this guide, the procedure demonstrates the steps to deploy a single-node site with dual interfaces (ingress/egress). However, this guide will also explain the necessary deviations from this specific model where necessary, making it flexible to adjust to different node and interface requirements.

Create Site Object

Create a secure mesh site object in Distributed Cloud Console. Refer to the Create Secure Mesh Site guide.
Set the Provider Name option to OCI.

Figure: Provider Type

Click Save and Exit.

Confirm Existing Virtual Cloud Network Details

In this procedure, we are deploying a dual interface single-node site. Therefore, we need two subnets: SLI (Site Local Inside) and SLO (Site Local Outside). Note that workload subnets are generally used but are not a requirement to deploy a CE site.

To view your virtual cloud network, navigate to Networking and select Virtual cloud networks.

Figure: View Existing Network

Click on your virtual cloud network to see the available subnets.

Figure: View Existing Subnets

View the following parameters:
- Virtual Cloud Network name: oci-clickops-virtual-cloud-network
- Site Local Outside (external) subnet: oci-clickops-external-subnet
- Site Local Inside (internal) subnet: oci-clickops-internal-subnet

Create Security List

Create a security list that will be attached to the F5 CE OCI instance. Note that this security list will be used for the Site Local Outside (SLO) interface. Any other interfaces can use the default security list of the virtual cloud network, which should allow all traffic in both directions. By default, a security list only allows ICMP and SSH communication.

Step 1: Create security list.

Navigate to your virtual cloud network and click Security Lists.

Figure: View Security Lists

Click Create Security List.

Figure: Create Security List

Enter an indicative name. This example uses f5-ce-security-list.

Step 2: Create ingress rules.

Use the following for the ingress rules:
- Allowed SSH from the machine’s public address. This is where OCI will figure out the public IP address that a user is configuring from and allows it. You can also use custom and enter your corporate public address space.
- Allowed ICMP for troubleshooting.
- Allowed TCP port 65500 for the local UI on the CE. For three-node CE sites, ensure that traffic is allowed between the nodes by IP address or, better, by referencing the same security list as an allowed source.

Important: For connections to the instance, it is a best practice to restrict access by source and not let any external IP address connect to the instance. When creating load balancers to publish applications, you will need to add additional rules in your security list to accept the traffic that comes to your virtual IP address (VIP).

Step 3: Create egress rules.

For egress rules, use an allow-all policy.
After you finish, click Create Security List.

Step 4: Validate rules.

Validate that the list was created successfully.

Figure: Validate Security List

Navigate to the inbound/outbound rules to verify that they have been configured correctly.

Figure: Validate Ingress Rules

Figure: Validate Egress Rules

Step 5: Assign security list to subnet.

By adding the security list to a subnet, it will include those ingress/egress rules into its filtering policy.

Navigate to Networking and select Virtual cloud networks.
Click on the subnet unused for the Site Local Outside (SLO) interface.

Figure: List of Subnets

Click Add Security List and select the custom security list created previously.

Figure: Select Custom Security List

Confirm the security list is added to the desired subnet.

Figure: Confirm Security List Selected for Subnet

Download Node Image

Download the qcow2 image from Distributed Cloud Console. This image file will be uploaded in your OCI account.

Step 1: Create bucket in OCI.

Navigate to the list of sites and then click ... > Download Image.

Figure: Download Node Image

After the image downloads, in the OCI Console, navigate to Storage > Buckets.
Create a bucket to upload the node image file:
- Click Create Bucket and give the bucket a name. This example uses smsv2-oci-bucket.

Figure: Create Bucket

Step 2: Upload image file to bucket.

Click on the newly created bucket, and then click Upload.
Select the node image file and then click Upload.

Figure: Upload Image File to Bucket

Verify the image was properly uploaded by checking the Objects list.

Figure: Verify Image File in Bucket

Step 3: Create custom image file.

Create a custom image based on the qcow2 image.

In the OCI Console, navigate to Compute > Custom Images.
Click Import image.

Figure: Upload Custom Image File

Use the following parameters:
- For the Name, enter smsv2-oci-image.
- For the Operating system, select RHEL.
- Select Import from an Object Storage Bucket and specify the previously created bucket (smsv2-oci-bucket).
- Select the previously uploaded qcow2 image.
- For Image type, select QCOW2.
- For Launch mode, select Paravirtualized mode.

Figure: Custom Image Parameters

After you finish, click Import image. Wait for the image creation to be finalized. This process may take a few minutes.

Figure: Custom Image In-Progress

Figure: Custom Image Complete

Generate Node Token

A one-time node token is required to register a CE Site node to the Distributed Cloud Console. A new token must be generated for every new node in a CE Site. A token is valid for 24 hours. Make sure that the CE node is deployed soon after the token is generated.

In Distributed Cloud Console, select the Multi-Cloud Network Connect service.
Navigate to Manage > Site Management > Secure Mesh Sites.
For your site, click ... > Generate Node Token.

Figure: Generate Node Token

Click Copy.
Save the value locally. This token will be used later. The token value is hidden for security purposes.

Figure: Copy Node Token

Click Close.
Generate one token per node you intend to deploy.

Create OCI VM Instance

Create the instance leveraging the previously created parameters.

Important: The name of the VM should not have . in it. For example, the hostname can be node-0 or node0, but it cannot be node.f5.com since it is not supported.

Step 1: Create instance.

To create the instance, click Create instance.

Figure: Create Instance

Specify a name. This example uses smsv2-oci-instance.
Choose the instance type. This example uses VM.Standard3.Flex with Intel and 2 OCPUs. Note that this is the minimum instance type required to run the F5 CE software.

Figure: Instance Type

Step 2: Configure instance network.

Select the virtual cloud network and subnet (oci-clickops-external-subnet). The subnet chosen is the subnet for Network Interface 1 (Site Local Outside/external). You can decide on whether the IP address is allocated automatically or manually.
Select the configuration for the private and public IP addresses.

Figure: Instance Network

Step 3: Configure instance advanced options.

Select the Advanced options tab and change the launch options to Paravirtualized networking.

Figure: Instance Advanced Options

Add your public SSH key to use after the site is provisioned. The username is cloud-user.

Figure: Instance SSH

At the bottom of the page, Click Show advanced options to copy and paste a cloud init script.
Copy the information below into an editor of your choice and replace the token value with the token corresponding to your specific node.

#cloud-config
write_files:
- path: /etc/vpm/user_data
  content: |
    token: <token>
  owner: root
  permissions: '0644'

Copied!

Figure: Cloud Init Script

Click Create.

Register CE Site

In Distributed Cloud Console, navigate to Multi-Cloud Network Connect > Overview > Sites.
Select the site. The Dashboard tab should clearly show that the CE Site has registered successfully with the System Health of 100% as well as Data Plane/Control Plane both being up.

Figure: Confirm Site Health

Add New Network Interface

After the CE Site registers successfully, you might want to add additional interfaces to cater to different customer requirements.

Important: Adding a new network interface will cause the data plane services to restart. Therefore, it is strongly recommended to perform this operation during maintenance windows. As data plane services restart, traffic drops are expected, as well as tunnels going down.

When adding interfaces, it is important to make sure that the interfaces are added to each node in the cluster. Nodes with non-homogenous interfaces within a CE Site might cause issues. Therefore, each node in a given CE Site should have the same number of interfaces placed in the same VRFs.

For OCI sites, to add a new network interface to the CE Site, you need to use the same Virtual Cloud Network but a different. This example uses subnet oci-clickops-internal-subnet.

Figure: Internal Subnet

Power down the VM prior to adding any new interfaces or modifying any existing interfaces.
Navigate to Compute > Instances and click on the CE instance name.
Click Attached VNICs and then click Create VNIC.

Figure: Create VNIC

Specify a name for the new VNIC. Assign it to your Virtual Cloud Network and select the relevant subnet. Leave the other options with their default values.

Figure: Create VNIC

Click on the new VNIC to review its configuration.

Figure: Review VNIC Configuration

Power back on the VM.

Modify NIC Attributes

Once the VNIC is attached, we need to update the SLI configuration in Distributed Cloud Console. This process is valid if you need to modify any other interface attributes.

Power down the VM prior to adding any new interfaces or modifying any existing interfaces.
In Console, navigate to the Dashboard tab of your Secure Mesh Site.

Figure: View Dashboard

Click Manage Configuration and then click Edit Configuration.

Figure: Edit Site

Under the Nodes subsection, click the pencil icon under Actions to edit.

Figure: Edit Interface

Choose one of the interfaces to edit by clicking the pencil icon. This example uses ens5.