Site Mesh Group

Objective

This document provides instructions on how to configure a site mesh group in F5® Distributed Cloud Services. A site mesh group is used to directly connect F5® Distributed Cloud Console CE sites to other arbitrary CE sites using IPsec. Using a site mesh group, connectivity between the CE sites can be direct rather than via the RE sites. For more conceptual information on site mesh groups, see Site to Site Connectivity.

F5® Distributed Cloud Console supports connecting the CE sites in the following modes:

  • Hub-Spoke - A hub site routes traffic between the spoke sites.

  • Full Mesh - All sites have direct connectivity to each other.

Using the instructions provided in this guide, you can configure site mesh group objects and select sites for them.


Prerequisites

The following prerequisites apply:

  • Two or more registered sites in the enterprise tenant.
  • Virtual site.
    Note: If you do not have a virtual site, see Virtual Site.
  • Port 4500 should be open on the CE sites for ingress traffic.

Restrictions

The following apply:

  • A spoke can form IPsec tunnels with multiple hubs.

  • A hub site can be a spoke site for another site mesh group.

  • A site can be a member of either a hub group or a spoke group, but not both, in the same hub-spoke relation.

  • Only IPsec tunnel type is supported.

  • Path MTU (PMTU) discovery is not supported over the site mesh group.


Configure Hub-Spoke Site Mesh Group

In the Hub-Spoke model, two site mesh groups are required. One group is for the hub sites and the other is for the spoke sites. The spoke sites establish tunnels with all the hub sites. The hub sites form full mesh connectivity with each other. The sites for each mesh group are selected using the virtual site functionality.

Creating a hub-spoke site mesh group requires you to first set the site to site tunnel IP address in the configuration of the hub sites. After that, create a hub site mesh group and a spoke site mesh group. The steps provided in this guide configure a site mesh between two CE sites, with one as a hub and the other as a spoke.

Features can be viewed and managed in multiple services.

This example shows Site Mesh Group setup in Multi-Cloud Network Connect.

Note: Only one virtual site can be added.

Step 1: Open F5 Distributed Cloud Console, set site IP for hub sites.
  • Open F5 Distributed Cloud Console > select Multi-Cloud Network Connect box.

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Figure: Homepage

Note: Confirm Namespace feature is in correct namespace, drop-down selector located in upper-left corner. Not available in all services.

  • Select Manage > Site Management.

Note: If options are not shown, select the Show link in Advanced nav options, visible in the bottom left corner. If needed, select Hide to minimize the options from Advanced nav options mode.

  • Select AWS VPC Sites in Cloud Sites section.
Figure: Site List

Note: Open Cloud Sites option that your site is in to edit.

  • Identify the site (underlined name) to which you want to add the Site to Site Tunnel IP for the hub.

  • Select ... on site.

  • Select Manage Configuration in pop-up options window.

Figure: Site List
  • Select Edit Configuration to open site to edit.
Figure: Edit Site
  • Get VPC site public IPs from site ... > terraform parameters in Apply Status.
Figure: Site List

Note: You get VPC site public IPs from terraform parameters - site mesh group between VPC sites.

Figure: Site To Site Tunnel IP

Note: The IP address is the public IP of your CE site.

  • Select Save and Exit button.
Step 2: Create site mesh group for hub sites.
  • In Multi-Cloud Network Connect box.
Figure: Homepage
  • Select Manage > Networking > select Site Mesh Groups in options.
  • Select Add Site Mesh Group button.
Figure: Navigate to Site Mesh Group
  • Enter Name for your site mesh group object.

  • Select Virtual Site (Sites in this group) drop-down menu option to select the virtual sites that are to be part of this hub group.

Note: You can also create a virtual site.

  • Select Hub in Mesh Choice box.
  • Select Save and Exit button.
Figure: Hub Site Mesh Group
Step 3: Create site mesh group for spoke sites.
  • Open Console > select Multi-Cloud Network Connect box.
Figure: Homepage
  • Select Manage > Networking in the System namespace and select Site Mesh Groups in the options.

  • Select Add site mesh group.

  • Enter Name for your site mesh group object.

  • Enter Labels and Description as needed.

  • Select Virtual Site (Sites in this group) drop-down menu option to select the virtual sites that are to be part of this hub group.

Note: You can also create a virtual site.

  • Select Spoke in Mesh Choice drop-down menu.
Figure: Spoke Site Mesh Group
  • Select Hub_mesh_group (site mesh group) created in Step 2.

  • Select Select hub object to apply the hub to the spoke group configuration.

Note: The Tunnel Type field is populated as IPsec by default.

  • Select Save and Exit button.

Configure Full Site Mesh Group

Perform the following in F5 Distributed Cloud Console:

Step 1: Start creating full site mesh group object.
  • Open F5 Distributed Cloud Console > select Multi-Cloud Network Connect box.
Figure: Homepage
  • Select Manage > Networking in the System namespace, and select Site Mesh Groups in the options.

  • Select Add Site Mesh Group button.

Figure: Navigate to Site Mesh Group
Step 2: Define sites that are part of the full mesh.
  • Enter Name for your site mesh group object.

  • Select Virtual Site (Sites in this group) drop-down menu option to select the virtual sites that are to be part of this group.

  • Select virtual site object to apply the virtual sites to the mesh group configuration.

Figure: Virtual Site Site Mesh Group
Step 3: Set mesh group type as full mesh.
  • Select Full mesh in the Site Mesh Group Type drop-down menu.
Figure: Full Mesh - Site Mesh Group

Note: Leave the Hub (site mesh group) section, if selected, empty as it is only applicable for the spoke mesh group.

Step 4: Complete creating the full mesh group.

Select Save and Exit button to create the full mesh group of sites.

Note: The Tunnel Type field is populated as IPsec by default.


Verification

The site status shows the status of the IPsec tunnels between the CEs. In addition to the connected REs, you can monitor all CE sites that the site connects to using IPsec.

Step 1: Open Site.
  • Log into F5 Distributed Cloud Console > select Multi-Cloud Network Connect.

  • Select Sites > Site List.

  • Select the underlined site name to open the dashboard.
Figure: Site List
Step 2: Open status objects in site dashboard.
  • Select > to scroll to more tab options in upper-right of page.
Figure: Site Tab Navigation
  • Select Status Objects tab.
Figure: Site Status Objects
  • Select CE named object with Status ID containing string SiteStatusMgr.
Step 3: Confirm tunnel status in JSON.
  • A pop-up window in JSON format appears to the left of the page.

  • Check for site_tunnel_status section in the displayed JSON.

  • Verify that the state field of the tunnel towards the other CE is TUNNEL_UP.
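
The Step 3 check can also be run over a saved copy of the status object JSON. The script below is an added example, not F5 code: it searches the JSON for every site_tunnel_status section and lists tunnels whose state is not TUNNEL_UP. Only site_tunnel_status, state and TUNNEL_UP come from this guide; the sample document, the name field and the other values are constructed assumptions.

```python
import json

# Constructed sample of a SiteStatusMgr status object. Only the
# site_tunnel_status section, the state field and the TUNNEL_UP value come
# from the guide; all other keys and values are hypothetical placeholders.
SAMPLE_STATUS = """
{
  "status_id": "example-SiteStatusMgr",
  "site_tunnel_status": [
    {"name": "ce-hub-1", "state": "TUNNEL_UP"},
    {"name": "ce-spoke-2", "state": "NOT_UP_PLACEHOLDER"},
    {"name": "ce-spoke-3"}
  ]
}
"""

def find_sections(node, key="site_tunnel_status"):
    """Yield every value stored under `key`, at any nesting depth."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield v
            else:
                yield from find_sections(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_sections(item, key)

def tunnels_not_up(status_json):
    """Return (peer, state) for every tunnel whose state is not TUNNEL_UP."""
    sections = list(find_sections(json.loads(status_json)))
    if not sections:
        # Fail closed: an absent section is not evidence of a healthy mesh.
        raise ValueError("no site_tunnel_status section in status object")
    problems = []
    for section in sections:
        entries = section if isinstance(section, list) else [section]
        for entry in entries:
            if not isinstance(entry, dict):
                continue
            state = entry.get("state", "<missing>")  # missing state counts as not up
            if state != "TUNNEL_UP":
                problems.append((entry.get("name", "<unnamed>"), state))
    return problems

if __name__ == "__main__":
    for peer, state in tunnels_not_up(SAMPLE_STATUS):
        print(f"tunnel to {peer}: {state}")
```

An empty result means every tunnel entry found reported TUNNEL_UP; a missing section raises an error instead of passing silently.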

