Create AWS Site with TGW
On This Page:
- Objective
- Design
- AWS TGW - Site Deployment & TGW Creation
- AWS TGW - VPC Attachments
- Network Policies
- Network Policies Between Attached VPCs (East-West Traffic)
- Network Policies for Ingress/Egress Traffic
- Forward Proxy Policy for Attached VPCs
- AWS Direct Connect Orchestration
- Site Status Descriptions
- Prerequisites
- Deploy Using Console
- Create AWS TGW Site Object
- Deploy Site
- Delete VPC Site
- Deploy Site Using Terraform
- Destroy Site
- Concepts
- API References
Objective
This guide provides instructions on how to create an F5® Distributed Cloud Services Amazon Web Services (AWS) Transit Gateway (TGW) site using F5® Distributed Cloud Console (Console). For more information on sites, see F5 Distributed Cloud Site.
Using the instructions provided in this guide, you can create an AWS TGW site object in Console and deploy the virtual private cloud (VPC) with TGW site using the object.
Design
The AWS TGW Site is a way to orchestrate/automate the deployment and management of AWS TGW related resources and other resources needed to deploy an F5® Distributed Cloud Services AWS site on a new or existing VPC, which is called a Services VPC.
AWS TGW - Site Deployment & TGW Creation
An AWS TGW site does the following:
- Automates the creation of the TGW resource, the TGW route table, and the VPN connection between the TGW and the Distributed Cloud Services site.
- Attaches the VPN connection to the TGW.
- Adds the default routes to the main route table of the attached VPCs.
There are two TGW route tables which are created:
- VPC route table.
- Services route table.
The VPC route table is where all the VPC attachments will be attached, and the route will be propagated from the site via BGP over VPN attachment. The site advertised default route will be installed in the VPC route table so that it can attract all the traffic coming from the VPC attachments attached to the VPC route table.
The Services route table is where the VPN connection to the site is attached; the routes of the VPCs attached to the TGW are propagated into the services route table. The same VPC CIDR routes are learned by the site via the BGP connection to the TGW.
The following shows North-South traffic from the Spoke VPC, as indicated in Figure: AWS TGW - Services VPC + TGW + Single VPC Attachment.
- Egress FROM Spoke VPC (HR): Traffic originating from source 192.168.100.0/22 lands in the VPC route table. Traffic destined to ANY will match the 0.0.0.0/0 route pointing to an Equal Cost Multi-Path (ECMP) toward interfaces vpn-att-4 and vpn-att-5 (which are the Distributed Cloud Services nodes installed in the services VPC), and is eventually sent out toward the TGW (after F5® Distributed Cloud Mesh features and policies are applied).
- Ingress TO Spoke VPC (HR): Traffic originating from any source and landing in the services route table will match on destination 192.168.100.0/22. This has a matching interface of vpc-att-3. Traffic is then forwarded to the spoke VPC.
AWS TGW - VPC Attachments
You can create a VPC attachment of a spoke VPC to the TGW not only while creating the initial AWS TGW site but also after the site is deployed. Go to the VPC attachments section, add a vpc-id, and then assign a key-value label for each vpc-id. These labels can be used while creating a network policy to allow traffic between the VPCs and to the Internet.
Once VPC attachments are added to the AWS TGW site and the apply action is completed, all these VPCs will be attached to the TGW. These VPC attachments are associated with the VPC route table so that all traffic coming from the VPC is routed to the site because of the default route pointing to the VPN attachment. The same VPC attachments are added to the services route table so that the VPC CIDR routes are propagated to the Customer Edge (CE).
The site deployment workflow creates a default route pointing to the transit gateway in the main route table of all VPCs attached to the TGW.
East-West Traffic:
- From the main route table of the VPC, the traffic is directed toward the transit gateway because of the default route.
- In the transit gateway's VPC route table, a route lookup is done and the traffic moves to the site, which is the next hop (NH).
- The site's route table holds all the VPC routes learned from the TGW. The NH is set as the TGW.
- Next, the lookup is done in the services route table and the traffic goes to the destination VPC using the attachment.
North-South Traffic:
The following is the ingress/egress traffic flow from a VPC to the Internet:
- From the main route table of the VPC, the traffic is directed toward the transit gateway because of the default route.
- In the transit gateway's VPC route table, a route lookup is done and the traffic then moves to the site, which is the next hop.
- In the site route table, the default route points to the forward proxy, which connects the inside network to the outside network. SNAT is performed on the outside interface and the traffic is sent to the Internet.
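To make the East-West and North-South lookups above concrete, here is an added example (not part of the F5 documentation) that models the four route tables involved and traces a packet through them. The attachment names vpn-att-4, vpn-att-5 and vpc-att-3 and the HR CIDR 192.168.100.0/22 come from the figure text; the second spoke VPC (10.20.0.0/16 on vpc-att-6) and the destination addresses are constructed. Nothing here talks to AWS.

```python
"""Added example, not part of the F5 documentation: a small model of the spoke VPC main
route table, the TGW VPC and services route tables, and the site's own route table,
used to trace the egress, East-West and ingress lookups described in the guide.
vpc-att-6 / 10.20.0.0/16 and the destination addresses are constructed sample values."""
import ipaddress

# A route table is a list of (prefix, next_hops). Longest prefix match wins;
# more than one next hop on a route models an ECMP route.
def lookup(table, dst):
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hops in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hops)
    return best[1] if best else []

# TGW VPC route table: every spoke attachment is associated with it, and its only
# route is the site-advertised default over the two VPN attachments (ECMP).
VPC_ROUTE_TABLE = [
    ("0.0.0.0/0", ["vpn-att-4", "vpn-att-5"]),
]

# TGW services route table: the VPN attachments are associated with it, and it holds
# the propagated CIDR of every attached spoke VPC.
SERVICES_ROUTE_TABLE = [
    ("192.168.100.0/22", ["vpc-att-3"]),  # HR spoke VPC, from the figure
    ("10.20.0.0/16", ["vpc-att-6"]),      # constructed second spoke VPC
]

# Site route table: the same spoke CIDRs learned over BGP with the TGW as next hop,
# plus a default route to the forward proxy (outside interface, SNAT).
SITE_ROUTE_TABLE = [
    ("192.168.100.0/22", ["tgw"]),
    ("10.20.0.0/16", ["tgw"]),
    ("0.0.0.0/0", ["forward-proxy"]),
]

def trace(src_attachment, dst):
    """Hop-by-hop path of a packet leaving the spoke VPC behind src_attachment."""
    # 1. Spoke VPC main route table: orchestration added a default route to the TGW.
    path = [f"{src_attachment} main rt -> tgw"]
    # 2. TGW VPC route table: the default route sends everything to the site (ECMP).
    ecmp = lookup(VPC_ROUTE_TABLE, dst)
    path.append("site via " + "/".join(ecmp))
    # 3. Site route table: spoke CIDRs go back to the TGW, anything else to the proxy.
    next_hop = lookup(SITE_ROUTE_TABLE, dst)[0]
    if next_hop == "forward-proxy":
        path.append("forward-proxy (SNAT) -> Internet")
        return path
    # 4. TGW services route table: the propagated CIDR picks the destination attachment.
    path.append("tgw services rt -> " + lookup(SERVICES_ROUTE_TABLE, dst)[0])
    return path

def ingress(dst):
    """Return path: traffic arriving on the VPN attachment is looked up in the services table."""
    return lookup(SERVICES_ROUTE_TABLE, dst)

if __name__ == "__main__":
    print(trace("vpc-att-3", "203.0.113.10"))  # egress to the Internet
    print(trace("vpc-att-3", "10.20.7.1"))     # East-West to the second spoke
    print(ingress("192.168.102.9"))            # ingress back to the HR spoke
```

Because the VPC route table carries nothing but the default route, every spoke-originated packet crosses the site; that is what makes the site the single policy enforcement point discussed in the next section.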
Network Policies
The site can be your ingress/egress and East/West security policy enforcement point, as all the traffic coming from attached VPCs will flow through the site. If the traffic does not match the type defined in your network policy, then the default action will be to deny it.
Network Policies Between Attached VPCs (East-West Traffic)
It is a common use case for enterprises to have workloads of one department or environment spread across multiple VPCs, and one must be able to create a single network policy which could be applied for multiple VPCs attached.
For such scenarios, you can assign the same labels to group the VPCs attached to the TGW. The exact same labels can be used as the label selector while selecting an endpoint during network policy. You can then define ingress and egress policies with respect to that endpoint. This network policy will be applied for all traffic going towards or coming from the VPCs which match the label selector labels.
Network Policies for Ingress/Egress Traffic
Even for ingress/egress traffic, you can continue using a label selector to select the VPCs for which you are defining the network policy. You can define the egress policy by adding the egress rules from the point of VPC to deny/allow a specific traffic pattern. You can also add ingress rules to deny/allow traffic coming toward the endpoint based on the intent.
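The label-selector mechanism described in the last two sections, as an added example that is not part of the F5 documentation: labels given to VPC attachments act as the endpoint selector of a policy, so one policy covers every VPC carrying those labels, and a flow that matches no rule falls to the default deny action. The VPC IDs, CIDRs, labels and rules are constructed, and the rule shape (action, peer selector, protocol, port) is our own simplification, not the Console's schema.

```python
"""Added example, not part of the F5 documentation: label-selected network policy with
default deny. All attachments, labels and rules below are constructed sample values."""
import ipaddress

# Constructed VPC attachments with the key-value labels given at attachment time.
ATTACHMENTS = {
    "vpc-0a1": {"cidr": "10.10.0.0/16", "labels": {"dept": "hr", "env": "prod"}},
    "vpc-0b2": {"cidr": "10.20.0.0/16", "labels": {"dept": "hr", "env": "prod"}},
    "vpc-0c3": {"cidr": "10.30.0.0/16", "labels": {"dept": "finance", "env": "prod"}},
}

# One policy for all HR VPCs: the endpoint selector picks both vpc-0a1 and vpc-0b2.
# A rule is (action, peer selector or "any", protocol, port).
POLICIES = [
    {
        "name": "hr-workloads",
        "endpoint": {"dept": "hr"},
        "egress": [
            ("allow", "any", "tcp", 443),            # HR VPCs may reach the Internet on 443
            ("allow", {"dept": "hr"}, "tcp", 8443),  # and talk to each other on 8443
        ],
        "ingress": [
            ("allow", {"dept": "hr"}, "tcp", 8443),  # only other HR VPCs may come in
        ],
    },
]

def matches(labels, selector):
    """A selector matches when every one of its key-value pairs is present on the labels."""
    return selector == "any" or all(labels.get(k) == v for k, v in selector.items())

def attachment_for(ip):
    """Labels of the attached VPC whose CIDR contains ip; None means not attached (Internet)."""
    addr = ipaddress.ip_address(ip)
    for att in ATTACHMENTS.values():
        if addr in ipaddress.ip_network(att["cidr"]):
            return att["labels"]
    return None

def rules_for(labels, direction):
    """Rules of every policy whose endpoint selector matches these labels."""
    return [r for p in POLICIES if matches(labels, p["endpoint"]) for r in p[direction]]

def decide(rules, peer_labels, proto, port):
    """First matching rule wins; no match means the site's default action, deny."""
    for action, peer, r_proto, r_port in rules:
        if matches(peer_labels, peer) and r_proto == proto and r_port == port:
            return action
    return "deny"

def evaluate(src_ip, dst_ip, proto, port):
    """Verdict for a flow crossing the site: the egress policy of the source VPC and
    the ingress policy of the destination VPC must both allow it."""
    src, dst = attachment_for(src_ip), attachment_for(dst_ip)
    if src is not None and decide(rules_for(src, "egress"), dst or {}, proto, port) != "allow":
        return "deny"
    if dst is not None and decide(rules_for(dst, "ingress"), src or {}, proto, port) != "allow":
        return "deny"
    return "allow"

if __name__ == "__main__":
    print(evaluate("10.10.1.5", "10.20.2.9", "tcp", 8443))     # hr -> hr: allow
    print(evaluate("10.30.1.5", "10.20.2.9", "tcp", 8443))     # finance -> hr: deny
    print(evaluate("10.10.1.5", "203.0.113.10", "tcp", 443))   # hr -> Internet: allow
    print(evaluate("203.0.113.10", "10.10.1.5", "tcp", 8443))  # Internet -> hr: deny
```

Adding a fourth HR VPC needs only the label dept=hr on its attachment; the policy itself does not change, which is the point of selecting endpoints by label rather than by VPC ID.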
Forward Proxy Policy for Attached VPCs
Using a forward proxy policy, you can specify allowed/denied TLS domains or HTTP URLs. The traffic from workloads on private subnets toward the Internet via the AWS TGW site is allowed or denied accordingly.
AWS Direct Connect Orchestration
Cloud to On-Premises Traffic
Direct Connect enables you to privately connect your on-premises data centers to a VPC. Distributed Cloud Services automatically discovers the on-premises data center routes advertised by on-premises routers connected to AWS routers via Direct Connect. These routes are learned on the inside network of the site. There are two supported modes of Direct Connect private Virtual Interface (VIF).
Note: The major prerequisite is that the Direct Connect connection (dedicated or hosted) is managed by the user. This includes complete cross connects, the creation of a private VIF, and the creation of link aggregation groups (LAGs), if needed, between the customer on-premises location and the Direct Connect colocation facility.
Standard VIF: In this mode, site orchestration creates the Direct Connect gateway (DCGW) and Virtual Private Gateway (VGW). Ensure that you connect one or multiple VIFs to the DCGW.
Hosted VIF: In this mode, site orchestration accepts the configured list of VIFs delegated from the Direct Connect connection owner account to the hosted VIF acceptor account. You can set a list of VIF IDs to be accepted. The site orchestration then creates the DCGW, VGW, and connects the VIFs to the DCGW.
In the diagram below, either VPC-A or VPC-B can communicate with the on-premises network using the global physical network for AWS Direct Connect. For example, if VPC-A wants to communicate with the on-premises network, the AWS TGW pushes the request to the Services VPC, and then to the AWS VGW. The AWS VGW sends the request to the DCGW using the VIF. The request then traverses AWS Direct Connect and finally reaches the on-premises network.
If there needs to be inter-VPC communication, for example between VPC-A and VPC-B, then the AWS TGW will send the VPC-A request to the F5 Distributed Cloud Services Mesh CE, and then back out to the AWS TGW before finally landing at the VPC-B destination.
East-West Traffic
East-West communication (for example, between a VPC1 in region 1 and a VPC2 in region 2): These are Spoke VPCs and this VPC to VPC communication will only work if there is a DC Cluster Group between Site 1 and Site 2. These connections are made using Direct Connect to the F5 Distributed Cloud Services backbone. If Layer 3 network connectivity is required, then you need to have a global network.
Traffic example:
- The originator sends a request from VPC1, which lands on the TGW1 object.
- TGW1 forwards to F5 Distributed Cloud Services TGW Site1.
- TGW Site1 forwards to VGW1.
- VGW1 sends the packets to DCGW1.
- DCGW1 routes the packets (with Standard VIF or Hosted VIF) onto the Direct Connect link.
- Packets on the Direct Connect link are received using VIFs at DCGW2.
- DCGW2 sends to VGW2.
- VGW2 sends to TGW Site2 which, in turn, routes to its own TGW2 object.
- TGW2 sends the packets to its VPC2.
Site Status Descriptions
- PLANNING: Site resources are being planned for creation.
- PLAN_INIT_ERRORED: Planning of site resources failed at the init stage.
- PLAN_ERRORED: Planning of site failed with errors.
- PLAN_QUEUED: Planning of site resources is queued to be implemented.
- APPLIED: Site resources are created, and the site is waiting to come online.
- APPLY_ERRORED: Creation of site resources failed with errors.
- APPLY_INIT_ERRORED: Creation of site resources failed with errors at the initial stage.
- APPLYING: Site creation is in progress.
- APPLY_PLANNING: Site resources are being planned.
- APPLY_PLAN_ERRORED: Planning of site failed with errors.
- APPLY_QUEUED: Creation of site resources is queued to be implemented.
- DESTROYED: Site resources are destroyed and the site is OFFLINE.
- DESTROY_ERRORED: Destroying of site resources failed with errors.
- DESTROYING: Destroying of site resources is in progress.
- DESTROY_QUEUED: Destroying of site resources is queued.
- GENERATED: Site object created in the F5DC database as per configuration.
- TIMED_OUT: Creation/destroying of site resources failed with a timeout.
- ERRORED: Creation/destroying of site resources failed with errors.
- PROVISIONING: Site resources are created and waiting for the site to come online.
Prerequisites
The following prerequisites apply:
- A Distributed Cloud Services account. If you do not have an account, see Create an Account.
- An AWS account. See Required Access Policies for the permissions needed to deploy a site. To create a cloud credentials object, see Cloud Credentials.
- Resources required per node: minimum 4 vCPUs and 14 GB RAM.
- There should be no pre-existing Site Local Outside, Site Local Inside, or Workload subnet association when attaching an existing VPC.
- If an Internet Gateway (IGW) is attached to the VPC, at least one route in any route table of the VPC should point to the IGW.
- UDP port 6080 needs to be opened between all the nodes of the site.
- Internet Control Message Protocol (ICMP) needs to be opened between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed for intra-cluster communication checks.
Deploy Using Console
The following video shows the AWS TGW site object creation and deployment workflow using Console:
You can create and manage an AWS TGW site in Console by first creating the site object using the guided wizard and then deploying it using the automated method.
Create AWS TGW Site Object
The wizard to create the AWS TGW site object guides you through the steps for required configuration.
Step 1: Start site object creation.
- Log into Console.
- Click Multi-Cloud Network Connect.
- Click Manage > Site Management > AWS TGW Sites.
- Click Add AWS TGW Site.
- In the Metadata section, enter a name for the TGW site object.
Step 2: Configure the TGW and VPC settings.
- In the AWS Resources section, click Configure.
- From the Credential Reference menu, select an existing AWS credentials object or click Add Item to load the new credential creation wizard. Refer to the Cloud Credentials guide for more information. Ensure that the AWS credentials are applied with the required access policies in accordance with the Policy Requirements document.
- From the AWS Region menu, select the region based on your AWS account.
Step 2.1: Configure services VPC.
- From the New/Existing Services VPC menu, select an option and configure per the following guidelines:
  - For the New VPC option, select an option from the New VPC menu. The Autogenerate VPC Name option is selected by default. If you select the Choose VPC Name option, enter a VPC name in the Existing VPC Name field. If you are using an existing VPC, ensure that you enable the Enable DNS hostnames checkbox in AWS Management Console (under Edit VPC settings).
  - Enter the Classless Inter-Domain Routing (CIDR) block in the Primary IPv4 CIDR block field.
  - From the Security Group menu, select the security group option to attach to the SLO/SLI network interfaces.
Step 2.2: Configure the TGW settings.
- In the Transit Gateway section, select an option from the New/Existing Transit Gateway menu, and configure per the following guidelines:
  - For the New Transit Gateway option, select an option from the Select BGP ASN menu. If you select Automatic, Distributed Cloud Services assigns the ASNs for the TGW and site. For the User will assign ASN for TGW and F5XC Site option, enter the ASNs in the Enter TGW ASN and Enter F5XC Site ASN fields. The supported ASN range is from 64513 to 65534.
  - For the Existing TGW option, enter the TGW ID in the Existing TGW ID field. Enter the ASNs in the Enter TGW ASN and Enter F5XC Site ASN fields.
Step 2.3: Configure site node parameters.
- In the Site Node Parameters section, configure per the following guidelines:
  - From the AWS Instance Type for Node menu, select an option.
  - In the Public SSH key box, enter the public key used for SSH purposes.
  - In the Ingress/Egress Gateway (two Interface) Nodes in AZ field, click Add Item.
    Note: Either a single master node site or a multi-node site with three (3) master nodes is supported. Therefore, if you are adding more than one node, ensure that there are three (3) master nodes for your site. Use Add Item to add more master nodes.
  - Select an option from the AWS AZ Name menu that matches the configured AWS Region.
  - From the Workload Subnet menu, select New Subnet or Existing Subnet ID.
    Note: The workload subnet is the network where your application workloads are hosted. For successful routing toward applications running in the workload subnet, an inside static route to the workload subnet CIDR needs to be added on the respective site object.
  - Enter a subnet address in the IPv4 Subnet field or a subnet ID in the Existing Subnet ID field.
  - From the Subnet for Outside Interface menu, select New Subnet or Existing Subnet ID.
  - Enter a subnet address in the IPv4 Subnet field or a subnet ID in the Existing Subnet ID field.
  - From the Subnet for Inside Interface menu, select Autogenerate Subnet or Specify Subnet.
  - Enter a new subnet address in the IPv4 Subnet field or a subnet ID in the Existing Subnet ID field.
  - Click Apply.
Step 2.4: Configure worker nodes.
In the Worker Nodes section, select an option to add more nodes based on site or availability zone (AZ) from the Desired Worker Nodes for the site menu. The default option sets the amount to 0.
Step 2.5: Configure advertise VIP.
- In the Advertise VIPs section, select whether to enable advertising the site IP to the Internet from the Advertise VIPs to Internet on Site menu.
- Click Apply.
Step 3: Optionally, configure VPC attachments.
- In the VPC Attachments section, perform the following:
  - Click Add Item.
  - Enter the VPC ID in the VPC ID field. Select labels from the Labels For VPC ID using Add Label.
    Note: If you are deploying a new AWS VPC site into an existing VPC, the deployment will fail if the AWS subnet has the hostname type set to the resource name. In AWS Management Console, ensure that the hostname is in ip-* format.
  - Click Apply to apply the VPC settings.
Note: You can add multiple VPC attachments using the Add Item button. You can add VPC attachments during AWS TGW site creation, or you can edit an existing TGW site configuration to add VPC attachments.
Step 4: Optionally, perform site network configuration.
- In the Site Network and Security section, click Configure for Site Networking.
- From the Select Global Networks to Connect menu, select an option. To connect your inside network to a global network, select Connect Global Networks and then perform the following:
  - Click Add Item.
  - From the Select Network Connection Type menu, select an option for connecting the network (inside or outside) and the method to connect.
  - From the Global Virtual Network menu, select the virtual network.
  - Click Apply.
- From the Site Mesh Group Connection Type menu, select an option to connect a site mesh group.
- From the Select DC Cluster Group menu, select an option to set your site in a DC cluster group:
  - Not a Member of DC Cluster Group: Default option.
  - Member of DC Cluster Group via Outside Network: Select the DC cluster group from the Member of DC Cluster Group via Outside Network menu to connect your site using an outside network.
  - Member of DC Cluster Group via Inside Network: Select the DC cluster group from the Member of DC Cluster Group via Inside Network menu to connect your site using an inside network.
  Note: For more information, see the Configure DC Cluster Group guide.
- From the Manage Static Routes for Inside Network menu, select Manage Static Routes and perform configuration per the following guidelines:
  - Click Add Item.
  - Select Simple Static Route and enter a static route in the Simple Static Route field. Or, select Custom Static Route, click Configure, and perform the following steps:
    - In the Subnets section, click Add Item and then select IPv4 Subnet or IPv6 Subnet from the Version menu. Enter a prefix and prefix length for your subnet. Click Apply.
    - Select a next-hop type from the Type menu. Select IPv4 Address or IPv6 Address from the Version menu in the Nexthop section, and enter an IP address accordingly.
    - From the Network Interface menu, select a network interface or click Add Item to create and apply a new network interface.
    - In the Static Route Labels section, select supported labels using Add Label. You can select more than one from this list.
    - In the Attributes section, select supported attributes from the Attributes menu. You can select more than one from this list.
    - Click Apply to add the custom route.
  - Click Apply.
- Select Manage Static Routes from the Manage Static Routes for Outside Network menu, and click Add Item. Follow the same procedure as for managing the static routes for the inside network.
- If needed, use the Add Item button to add multiple inside and outside networks.
- In the Allowed Ports section, optionally configure the Allowed VIP Port Configuration and Allowed VIP Port Configuration for Inside Network options.
- Click Apply to apply the site network configuration.
Step 5: Optionally, perform site security configuration.
- In the Site Network and Security section, click Configure for Site Security.
- From the Manage Forward Proxy menu, select a forwarding policy:
  - Disable Forward Proxy: This is the default option and will not forward traffic.
  - Enable Forward Proxy with Allow All Policy: This option forwards all traffic.
  - Enable Forward Proxy and Manage Policies: This option forwards traffic based on the policy you select or specify. From the Forward Proxy Policies menu, select an existing policy or select Add Item to create a new policy.
- From the Manage Firewall Policy menu, add a firewall policy by selecting Active Firewall Policies or Active Enhanced Firewall Policies. Select an existing firewall policy, or select Add Item to create and apply a firewall policy, or Configure for an enhanced version.
- From the Manage East-West Service Policy menu, select a policy:
  - Disable East-West Service Policy: This is the default option and will not use a proxy for East-West traffic.
  - Enable East-West Service Policy: This option uses a proxy for East-West traffic. Click Add Item to create a policy.
  - Enable East-West traffic Proxy with Allow All Policy: This option sends all East-West traffic through a proxy for monitoring.
- Click Apply.
Step 6: Optionally, configure private link or Direct Connect.
You can configure these options under the Private Connectivity section.
- From the Private Connectivity To Site drop-down menu, select an option:
  - Disable Private Connectivity: Default option.
  - Enable Private Connectivity via CloudLink: Enables a private link to your cloud site. For more information, see the CloudLink guide.
  - Enable Private Connectivity via Direct Connect (Legacy): Click View Configuration to configure for your site.
Direct Connect (Legacy)
To view and change the default settings:
- Click View Configuration.
- From the AWS Direct Connect VIF Configuration drop-down menu, select an option for the Virtual Interface (VIF):
  - Hosted VIF mode: With this mode, F5 will provision an AWS Direct Connect Gateway and a Virtual Private Gateway. The hosted VIF you provide will be automatically associated and BGP peering will be set up.
  - Standard VIF mode: With this mode, F5 will provision an AWS Direct Connect Gateway and a Virtual Private Gateway; the user associates the VIF, and BGP peering will be set up.
- For the Hosted VIF mode option:
  - Click Add Item.
  - Enter a VIF ID.
  - Select the Region of the VIF.
- Click Apply.
- From the Site Registration & Connectivity to RE menu, select how tunneling will carry traffic between the site and the regional edge (RE). If you select the AWS option, provide the CloudLink ADN name.
- From the ASN Configuration menu, select whether to assign a custom autonomous system number (ASN) or use the default option.
- Click Apply.
Step 7: Optionally, configure software information.
- In the Software Version section, perform the following:
  - From the F5XC Software Version menu, select an option.
  - From the Operating System Version menu, select an option.
Step 8: Optionally, configure more advanced settings.
- In the Advanced section, enable the Show Advanced Fields option.
- From the Logs Streaming menu, select Enable Logs Streaming and then select a log receiver or create a new log receiver.
- Configure the site coordinates using the Latitude and Longitude fields.
- To block specific services from the site: From the Services to be blocked on site menu, select Custom Blocked Services Configuration. If you select Allow access to DNS, SSH services on Site, no further configuration is needed. Click Add Item. Select the service to block and then select the network. After you finish, click Apply.
- To enable the offline survivability feature for your site: From the Offline Survivability Mode menu, select Enable Offline Survivability Mode. This action will restart all pods for your site. For more information, see the Manage Site Offline Survivability guide.
- From the Performance Mode menu, select an option:
  - L7 Enhanced: This option optimizes the site for Layer 7 traffic processing.
  - L3 Mode Enhanced Performance: This option optimizes the site for Layer 3 traffic processing.
Step 9: Complete the site object creation.
New VPC Site
Click Save and Exit to complete creating the site. The Status field for the site object displays Validation in progress. After validation, the field displays Validation Succeeded.
Existing VPC Site
If you used an existing VPC, Console will validate whether certain existing objects are available and valid. This provides current information to help troubleshoot and fix any potential issues without having to wait until the full site deployment process completes.
After you click Save and Exit, the validation process begins and is displayed as Validation in progress.
If the site deployment validation failed, a message with Validation Failed is displayed. Click the tooltip to display a popup message with the error.
If the site deployment validation succeeded, a message with Validation Succeeded is displayed.
Note: The QUEUED state references a site status action that is in process. The site status remains in the QUEUED state until the backend service is ready to execute Apply/Plan/Destroy commands. The site status (under the Status column) is updated in Console once execution begins. The site stays in the QUEUED state for a maximum of 15 minutes, after which the status times out and the new state PROVISION_TIMEOUT is set.
Deploy Site
Creating the AWS TGW site object in Console generates the Terraform parameters.
Note: Site upgrades may take up to 10 minutes per site node. Once the site upgrade has completed, you must apply the Terraform parameters to the site via the Action menu on the cloud site management page.
Step 1: Deploy site.
- Navigate to the AWS TGW site object by clicking Manage > Site Management > AWS TGW Sites.
- Find your AWS TGW site object and click Apply under the Status column. The Status column for the site object changes first to Queued and then to Applying.
  Note: Optionally, you can perform the Terraform plan activity before deployment. Find your AWS TGW site object and click ... > Plan to start the Terraform plan action. This creates the execution plan for Terraform.
- Wait for the status to change to Applied.
- To check the status of the apply action, click ... > Terraform Parameters for the site object, and select the Apply Status tab.
Step 2: Confirm site deployed and online.
- Navigate to Multi-Cloud Network Connect > Overview > Sites.
- Verify the status is Online. It takes a few minutes for the site to deploy and the status to change to Online.
Note: When you update worker nodes for a site object, the Terraform Apply button is enabled. Click Apply. You can use SSH to log in to your node with the username cloud-user and your private key.
Delete VPC Site
You have two options when deleting a site in Console. You can delete the site entirely, with all its resources and configuration. Or you can delete the site and its resources but maintain the existing configuration (so that it can be re-applied at a later time).
Note: Deleting the VPC object deletes the sites, nodes, the VPC, and other objects created in the cloud for the site. This action also removes the site object from Console and cannot be undone.
Destroying a site deployed on an existing VPC will leave the subnets used for Site Local Outside, Site Local Inside, and Workload subnets without any explicit route associations.
Delete Site Completely
- Navigate to Manage > Site Management > AWS TGW Sites.
- Locate the site object.
- Select ... > Delete.
- Click Delete in the pop-up confirmation window. If the delete operation does not remove the object and returns an error, check the error in the status, fix it, and re-attempt the delete operation. If the problem persists, contact technical support. You can check the status using the ... > Terraform Parameters > Apply status option.
Delete Site but Maintain Configuration
- Navigate to Manage > Site Management > AWS TGW Sites.
- Locate the site object.
- Click Destroy for your site. Alternately, click ... > Destroy.
- In the pop-up window, type DELETE.
- Click Destroy to confirm the action. On successful operation, the site status shows Destroyed and the Apply button appears on the row of your site. This can be used to create the site again at a later time, if required. The site object is no longer required and can be removed from Console by clicking Delete in the Actions menu for the site.
Deploy Site Using Terraform
This chapter provides instructions on how to create a single-node or multi-node site on Amazon Elastic Compute Cloud (EC2) using a custom Amazon Machine Image (AMI) with Terraform.
Perform the following procedure to deploy a site using Terraform:
Step 1: Confirm Terraform is installed.
In a terminal, enter terraform version. If you need to install Terraform, follow the instructions in the official guide.
Step 2: Create API credentials file.
Log into Console, create an API P12 certificate file, and then download it. Use the instructions at Credentials for more help.
Step 3: Create a new directory on your system to place files for deployment.
Step 4: Download the deployment file.
- Download the main.tf file from the official repository and place it in the newly created directory.
- Open the file and configure any necessary fields.
- Save the changes.
Step 5: Create file for variables.
In the same directory, create another file for variables and name it terraform.vars.
Step 6: Create and assign values for variables.
- In terraform.vars, create and assign the following variables:
  - For your site name, type a name within double quotes: site_name = "<site-name>"
  - For the region, type the name within double quotes: aws_region = "<region>"
  - For the region subtype, type the name within double quotes: aws_az = "<region-subtype>"
Step 7: Create and export variables for credentials and secret keys.
- In the terminal, create and export the following variables:
  - Create this variable and assign it your API credentials password: export VES_P12_PASSWORD=<credential password>
  - Create this variable and assign it the path to the API credential file previously created and downloaded from Console: export VOLT_API_P12_FILE=<path to your local p12 file>
  - Create this variable and assign it the URL for your tenant. For example: export VOLT_API_URL=https://example.console.ves.volterra.io/api
  - Create this variable and assign it your AWS access key: export aws_access_key=<access key>
  - Create this variable and assign it your AWS secret key encoded with Base64: export b64_aws_secret_key=<base64 encoded value>
Note: You can also create and save these variables in the terraform.vars file. However, this may pose a security risk. Use caution when working with your credentials and secret keys.
Step 8: Initiate Terraform process.
Enter terraform init.
Step 9: Apply Terraform process.
- Enter terraform apply.
- If prompted for the secret key and the secret key encoded in Base64, enter both.
- Enter yes to confirm. This may take a few minutes to complete. After the process is complete, the output states Apply complete!.
- In Console, navigate to the list of sites and confirm the site was applied.
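Steps 5 through 9 above, as an added example that is not part of the F5 documentation or of the Terraform repository it refers to: a small Python helper that writes the non-secret terraform.vars file, keeps the credentials in the process environment (the safer option the note in Step 7 points to), Base64-encodes the AWS secret key for b64_aws_secret_key, and then runs terraform init and apply with that environment. The variable names are the ones the guide lists; the site-name pattern, the URL check, the helper names and the sample values in the main block are our own assumptions.

```python
"""Added example, not part of the F5 documentation: prepare terraform.vars and the
credential environment for the Terraform deployment, then run terraform.
Only non-secret values are written to disk; secrets travel in the environment."""
import base64
import os
import re
import subprocess
from urllib.parse import urlparse

# Assumed conservative site-name format (lowercase DNS-style label), not an F5 rule.
_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")

def render_tfvars(site_name: str, aws_region: str, aws_az: str) -> str:
    """Return the content of terraform.vars: the three variables Step 6 asks for."""
    if not _NAME_RE.match(site_name):
        raise ValueError(f"site_name {site_name!r} is not a safe DNS-style name")
    if not aws_az.startswith(aws_region):
        raise ValueError(f"availability zone {aws_az} is not in region {aws_region}")
    return (
        f'site_name = "{site_name}"\n'
        f'aws_region = "{aws_region}"\n'
        f'aws_az = "{aws_az}"\n'
    )

def validate_api_url(api_url: str) -> bool:
    """True when the tenant URL has the shape the guide shows: https://<tenant host>/api."""
    u = urlparse(api_url)
    return u.scheme == "https" and bool(u.netloc) and u.path == "/api"

def build_env(p12_password: str, p12_file: str, api_url: str,
              aws_access_key: str, aws_secret_key: str) -> dict:
    """Environment for terraform (Step 7): the guide's variables on top of os.environ."""
    if not validate_api_url(api_url):
        raise ValueError("VOLT_API_URL must look like https://<tenant>.console.ves.volterra.io/api")
    if not p12_password:
        raise ValueError("empty P12 password")
    env = dict(os.environ)
    env.update({
        "VES_P12_PASSWORD": p12_password,
        "VOLT_API_P12_FILE": p12_file,
        "VOLT_API_URL": api_url,
        "aws_access_key": aws_access_key,
        # The guide expects the secret key Base64-encoded in b64_aws_secret_key.
        "b64_aws_secret_key": base64.b64encode(aws_secret_key.encode()).decode(),
    })
    return env

def decode_secret(b64_value: str) -> str:
    """Round-trip check: the value the Terraform side sees after decoding."""
    return base64.b64decode(b64_value).decode()

def run_terraform(args, env, workdir="."):
    """Run terraform (Steps 8 and 9) with the prepared environment; stdin/stdout stay
    attached to the terminal so the yes/secret prompts from Step 9 still appear."""
    return subprocess.run(["terraform", *args], cwd=workdir, env=env, check=True)

if __name__ == "__main__":
    # Constructed sample values and assumed source variables; replace with your own.
    with open("terraform.vars", "w", encoding="utf-8") as fh:
        fh.write(render_tfvars("tgw-site-01", "us-east-1", "us-east-1a"))
    env = build_env(
        os.environ["P12_PASSWORD"],                       # assumed: set by the operator
        os.path.expanduser("~/tenant.p12"),               # assumed path to the P12 file
        "https://example.console.ves.volterra.io/api",    # tenant URL from the guide
        os.environ["AWS_ACCESS_KEY_ID"],
        os.environ["AWS_SECRET_ACCESS_KEY"],
    )
    run_terraform(["init"], env)
    run_terraform(["apply"], env)
```

Because build_env copies os.environ rather than exporting into it, the credentials exist only for the terraform child processes and never land in terraform.vars or in shell history, which is the risk the Step 7 note warns about.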
Destroy Site
Perform the following procedure to destroy the site using Terraform:
- Enter terraform destroy.
- If prompted for the secret key and the secret key encoded in Base64, enter both.
- Enter yes to confirm. This may take a few minutes to complete. After the process is complete, the output states Destroy complete!.
- In Console, navigate to the list of sites and confirm the site was destroyed.