Create GCP Site

Objective

This guide provides instructions on how to create a site using F5® Distributed Cloud Console (Console) and deploy to Google Cloud Platform (GCP). For more information on sites, see F5 Distributed Cloud Site.

Using the instructions provided in this guide, you can deploy a GCP VPC ingress gateway site or ingress/egress gateway site. For more information, see Network Topology of a Site.


Design

GCP VPC Site automates the deployment of F5® Distributed Cloud Services sites in GCP. As part of the GCP VPC Site configuration, you can indicate that new VPC, subnets, and route tables need to be created. Alternatively, you can choose to provide existing VPC and subnet information, and the creation of VPC and subnet resources will be skipped.

Note: By default, a Site deployed in GCP supports Google Cloud Storage. You can configure storage within the Site creation form or using a Fleet. This document provides steps to configure storage using the Site configuration form. See Configure Storage in Fleet document for more information on using the Fleet method.

GCP VPC Site Deployment Types

A site can be deployed in two different modes with the GCP VPC Site workflow. Those modes are:

  1. Ingress Gateway (One Interface): In this deployment mode, the site is attached to a single VPC and single subnet. It can provide discovery of services and endpoints reachable from this subnet to any other site configured in the Distributed Cloud Services tenant.

  2. Ingress/Egress Gateway (Two Interfaces): In this deployment mode, the site is attached to a single VPC with at least two interfaces on different subnets. One subnet is labeled Outside, and the other is labeled Inside. In this mode, the site provides security and connectivity needs for virtual machines and subnets via default gateway through the site Inside interface.

Note: Each VPC network has a Maximum Transmission Unit (MTU) preset. If you set your site's VPC to use L3 Mode Enhanced Performance, then you must manually modify the VPC MTU rate prior to support jumbo frames. To accomplish this, you must create any required VPC on the GCP Console and set the MTU to 8896 bytes. Use these VPCs to deploy your site from Console using the Existing VPC ID field. After the site is up and running, you can configure other site settings normally using the steps outlined below. For more information, see Change the MTU setting of a VPC network.

Ingress Gateway (One Interface)

In this deployment mode, the F5® Distributed Cloud Mesh (Mesh) needs one interface attached. Services running on the node connect to the Internet using this interface. Also, this interface is used to discover other services and virtual machines and expose them to other sites in the same tenant. For example, in the below figure, TCP or HTTP services on the DevOps or Dev GCP VM instances can be discovered and exposed via reverse proxy remotely.

As shown in the below figure, the interface is on the outside subnet, which is associated with the VPC main routing table, whose default route is pointing to the Internet gateway. This is how traffic coming from the outside interface can reach the Internet, along with other subnets associated with this routing-table object. In case of other subnets (for example, Dev or DevOps), these are associated with the VPC main routing table, which means that any newly created subnet in this VPC is automatically associated with this routing table.

Figure
Figure: GCP VPC Site Deployment - Ingress Gateway (One Interface)

Ingress/Egress Gateway (Two Interfaces)

In this deployment scenario, the Mesh nodes need two interfaces attached. The first interface is the outside interface through which services running on the node can connect to the Internet. The second interface is the inside interface which will become the default gateway IP address for all the application workloads and services present in the private subnets.

As shown in the below figure, the outside interface is on the outside subnet, which is associated with the outside subnet route table, whose default route is pointing to the Internet gateway. This is how traffic coming from the outside interface can reach the Internet. In case of inside subnets, these are associated with the inside subnet route table which is also the main route table for this VPC. This means that any newly created subnet in this VPC is automatically associated with the inside subnet route table. This private subnet route table has a default route pointing to the inside IP address of the Mesh node (192.168.0.186).

Figure
Figure: GCP VPC Site Deployment - Ingress/Egress Gateway (Two Interfaces) - Single AZ

Once the Mesh site comes online, the inside network of the node will be connected to the outside network through a forward proxy and SNAT enabled on the outside interface. All traffic coming on the inside interface will be forwarded to the Internet over the forward proxy and SNAT happening on the outside interface. All the workloads on private subnets can reach the Internet through Mesh site.

Firewall Policies

The site can be your ingress/egress security policy enforcement point, as all the traffic coming from private subnets will flow through the Distributed Cloud Services site. If the traffic does not match the type defined in firewall policy, then the default action will be to deny it.

You can define which endpoint/subnet by using the firewall policy. You can define the egress policy by adding the egress rules from the point of endpoint to deny/allow specific traffic patterns based on intent, and you can also add ingress rules to deny/allow traffic coming toward the endpoint.

Forward Proxy Policy

Using a forward proxy policy, you can specify allowed/denied TLS domains or HTTP URLs. The traffic from workloads on private subnets toward the Internet via the GCP VPC site is allowed or denied accordingly.

More details on how to configure this is captured in the rest of this document.


Prerequisites

The following prerequisites apply:

Note: By proceeding with the installation, download and/or access and use, as applicable, of the Distributed Cloud Services software, and/or Distributed Cloud Services platform, you acknowledge that you have read, understand, and agree to be bound by this agreement.

  • Resources required per node: Minimum 4 vCPUs and 14 GB RAM.

  • UDP port 6080 needs to be opened between all the nodes of the site.


Deploy Using Console

You can create and manage a GCP VPC site in Console by first creating the site object using the guided wizard and then deploying it using the automated method.

Create GCP VPC Site Object

The guided wizard to create the GCP VPC site object guides you through the steps for required configuration.

Step 1: Start site object creation.
  • Log into Console.

  • Click Multi-Cloud Network Connect.

Figure
Figure: Console Homepage
  • Click Manage > Site Management > GCP VPC Sites.
Figure
Figure: GCP VPC Sites
  • Click Add GCP VPC Site.

  • In the Name field, enter a name for the VPC object.

Step 2: Configure GCP VPC region.
  • In the Site Type Selection section, perform the following:

    • From the GCP Region drop-down menu, click See Common Values to select a region.
Step 3: Set and configure VPC interface.
  • From the Select Ingress Gateway or Ingress/Egress Gateway drop-down menu, select an option:

    • Ingress Gateway (One Interface)

    • Ingress/Egress Gateway (Two Interface)

    • App Stack Cluster (One Interface)

Ingress Gateway (one interface)
  • For the Ingress Gateway (One Interface) option, click Configure.

  • From the GCP zone names list, click See Suggestions to select an option that matches the configured GCP Region.

  • From the Number of main nodes menu, select the number of nodes for this site.

Note: Either a single master node site or a multi-node site with three (3) master nodes is supported. Therefore, if you are adding more than one node, ensure that there are three (3) master nodes for your site.

Figure
Figure: Main Nodes
  • From the VPC Network for Local Interface menu, perform one of the following steps:

    • Autogenerate VPC Network Name: Default option. The VPC name is automatically generated.

    • For the Specify VPC Network Name option, enter the name in the GCP VPC Network Name field.

    • For the Existing VPC Network option, enter an existing VPC network name in the GCP VPC Network Name field.

  • From the Subnet for Local Interface menu, perform one of the following:

    • For the New Subnet Parameters option, enter a name for the subnet in the VPC Subnet Name field and a subnet prefix in the IPv4 Subnet Prefix field.

    • For the Existing Subnet option, enter the existing subnet name in the VPC Subnet Name field.

  • In the Advanced Options section, enable the Show Advanced Fields section and perform the following:

    • From the Performance Mode menu, select an option:

    • L7 Enhanced: This option optimizes the site for Layer 7 traffic processing.

    • L3 Mode Enhanced Performance: This option optimizes the site for Layer 3 traffic processing.

  • Click Apply.

Ingress/Egress Gateway (two interfaces)
  • For the Ingress/Egress Gateway (Two Interface) option, click Configure.

  • From the GCP zone names list, click See Suggestions to select an option that matches the configured GCP Region.

  • From the Number of main nodes menu, select the number of nodes for this site.

Note: Either a single master node site or a multi-node site with three (3) master nodes is supported. Therefore, if you are adding more than one node, ensure that there are three (3) master nodes for your site.

  • From the VPC Network for Inside Interface menu, perform one of the following steps:

    • Autogenerate VPC Network Name: Default option. The VPC name is automatically generated.

    • For the Specify VPC Network Name option, enter the name in the GCP VPC Network Name field.

    • For the Existing VPC Network option, enter an existing VPC network name in the GCP VPC Network Name field.

  • From the Subnet for Inside Interface menu, perform one of the following steps:

    • For the New Subnet Parameters option, enter the name in the VPC Subnet Name field, and enter an IP address prefix in the IPv4 Subnet Prefix field.

    • For the Existing Subnet option, enter an existing VPC network name in the VPC Subnet Name field.

  • From the VPC Network for Outside Interface menu, perform one of the following steps:

    • Autogenerate VPC Network Name: Default option. The VPC name is automatically generated.

    • For the Specify VPC Network Name option, enter a name in the GCP VPC Network Name field.

    • For the Existing VPC Network option, enter an existing VPC network name in the GCP VPC Network Name field.

  • From the Subnet for Outside Interface menu, perform one of the following steps:

    • For the New Subnet Parameters option, enter the name in the VPC Subnet Name field, and enter an IP address prefix in the IPv4 Subnet Prefix field.

    • For the Existing Subnet option, enter an existing VPC network name in the VPC Subnet Name field.

  • In the Site Network Firewall section, optionally select an option from the Manage Firewall Policy menu.

    • If you select Active Firewall Policies, select an existing firewall policy, or select Add Item to create and apply a firewall policy.

    • If you select Active Enhanced Firewall Policies, click Configure to select the policy from the drop-down menu. Click Apply.

  • From the Manage Forward Proxy menu, select an option:

    • Disable Forward Proxy

    • Enable Forward Proxy with Allow All Policy

    • Enable Forward Proxy and Manage Policies: Select an existing forward proxy policy, or select Add Item to create and apply a forward proxy policy.

  • In the Advanced Options section, optionally enable Show Advanced Fields.

  • From the Select DC Cluster Group menu, select an option to set your site in a DC cluster group:

    • Not a Member of DC Cluster Group: Default option.

    • Member of DC Cluster Group via Outside Network: Select the DC cluster group from the Member of DC Cluster Group via Outside Network menu to connect your site using an outside network.

    • Member of DC Cluster Group via Inside Network: Select the DC cluster group from the Member of DC Cluster Group via Inside Network menu to connect your site using an inside network.

Note: For more information, see the Configure DC Cluster Group guide.

  • From the Performance Mode menu, select an option:

    • L7 Enhanced: This option optimizes the site for Layer 7 traffic processing.

    • L3 Mode Enhanced Performance: This option optimizes the site for Layer 3 traffic processing.

  • Click Apply.

App Stack Cluster (one interface)
  • For the App Stack Cluster (One Interface) option, click Configure.

  • From the GCP zone names list, click See Suggestions to select an option that matches the configured GCP Region.

  • From the Number of main Nodes menu, select the number of nodes for this side.

Note: Either a single master node site or a multi-node site with three (3) master nodes is supported. Therefore, if you are adding more than one node, ensure that there are three (3) master nodes for your site.

  • From the VPC Network for Local Interface menu, perform one of the following steps:

    • Autogenerate VPC Network Name: Default option. The VPC name is automatically generated.

    • For the Specify VPC Network Name option, enter the name in the GCP VPC Network Name field.

    • For the Existing VPC Network option, enter an existing VPC network name in the GCP VPC Network Name field.

  • From the Subnet for Local Interface menu, perform one of the following:

    • For the New Subnet Parameters option, enter a name for the subnet in the VPC Subnet Name field and a subnet prefix in the IPv4 Subnet Prefix field.

    • For the Existing Subnet option, enter the existing subnet name in the VPC Subnet Name field.

  • Optionally, configure more settings in the Advanced Options section:

    • From the Select DC Cluster Group menu, select an option to set your site in a DC cluster group:

      • Not a Member: Default option.

      • Member of DC Cluster Group via Outside Network: Select the DC cluster group from the Member of DC Cluster Group via Outside Network menu to connect your site using an outside network.

Note: For more information, see the Configure DC Cluster Group guide.

  • Optionally, enable local K8s API access:

    • In the Advanced Options section, from the Site Local K8s API access menu, select Enable Site Local K8s API access and then select a K8s cluster.

Note: Distributed Cloud Services support both mutating and validating webhooks for managed K8s. Webhook support can be enabled in the K8s configuration. Navigate to Manage > Manage K8s > K8s Clusters. For more information, see Create K8s Cluster in the Advanced K8s cluster security settings section.

  • In the Site Network Firewall section, optionally select an option from the Manage Firewall Policy menu.

    • If you select Active Firewall Policies, select an existing firewall policy, or select Add Item to create and apply a firewall policy.

    • If you select Active Enhanced Firewall Policies, click Configure to select the policy from the drop-down menu. Click Apply.

  • In the Storage Configuration section, enable the Show Advanced Fields option.

  • From the Select Configuration for Storage Classes menu, select Add Custom Storage Class.

  • Click Add Item.

  • In the Storage Class Name field, enter a name for the storage class as it will appear in Kubernetes.

  • Optionally, enable the Default Storage Class option to make this new storage class the default class for all clusters.

  • In the Storage Device section:

    • In the Replication field, enter a number to set the replication factor for the PV.

    • From the Storage Size field, set the storage in gigabyte (GB) for each node.

  • Click Apply.

  • Click Apply.

Step 4: Select cloud credentials.

Refer to the Cloud Credentials guide for more information. Ensure that the GCP credentials are applied with required access policies per the Policy Requirements document.

  • From the Cloud Credentials menu, select your existing GCP credentials object, or click Add Item to load the credential creation wizard.

  • To create new credentials, use the following guidelines:

    • Enter a name in the Metadata section.

    • Optionally, set labels and enter a description.

    • From the Select Cloud Credential Type menu, select GCP Credentials.

    • Click Configure.

    • Select an option for the Secret Info:

      • If you select Blindfold Secret, enter the secret in the field, and then click Blindfold.

      • If you select Clear Secret, enter the secret in one of the formats displayed.

    • Click Apply.

Step 5: Set the site node parameters.
  • In the Site Node Parameters section, enable the Show Advanced Fields option.

  • From the GCP Instance Type for Node menu, select the instance type using See Common Values.

  • In the Public SSH key box, enter the public key used for SSH purposes.

  • Optionally, add a geographic address and enter the latitude and longitude values.

Step 6: Configure the advanced options.
  • In the Advanced Configuration section, enable the Show Advanced Fields option.

  • From the Logs Streaming menu, select an option. If you select Enable Logs Streaming, you must select a log receiver or create a new receiver with Add Item.

  • From the F5XC Software Version menu, select an option. If you select F5XC Software Version, you must enter a version to use.

  • From the Operating System Version menu, select an option. If you select Operating System Version, you must enter an OS version to use.

  • From the Offline Survivability Mode menu, select Enable Offline Survivability Mode. This action will restart all pods for your site. For more information, see the Manage Site Offline Survivability guide.

Step 6.1: Optionally, configure private link.
  • From the Private Connectivity To Site drop-down menu, select an option:

    • Disable Private Connectivity: Default option.

    • Enable Private Connectivity: Enables a private link to your cloud site. For more information, see the CloudLink guide.

Step 6.2: Configure blocked services from site.
  • From the Services to be blocked on site menu, select Custom Blocked Services Configuration. If you select Allow access to DNS, SSH services on Site, no further configuration is needed.

  • Click Add Item.

  • From the Blocked Services Value Type menu, select the service to block:

    • DNS port

    • SSH port

  • From the Network Type menu, select the type of network in which this service is blocked from your site.

  • Click Apply.

Step 7: Complete the site object creation.

Click Save and Exit to complete creating the site object. The Status field for the site object displays Generated.

Note: QUEUED state references action in process by user in Sites > Status. Site will remain in QUEUED state until terraform executes APPLY/PLAN/DESTROY command in backend, and updates new status when reported back to console.


Deploy Site

Creating the GCP VPC site object in Console generates the Terraform parameters.

Note: Site upgrades may take up to 10 minutes per site node. Once site upgrade has completed, you must apply the Terraform parameters to site via Action menu on cloud site management page.

Step 1: Deploy site.
  • Navigate to the GCP VPC site object by clicking Manage > Site Management > GCP VPC Sites.

  • Find your GCP VPC site object and click Apply under the Status column. The Status column for the site object changes to Apply Planning.

Note: Optionally, you can perform Terraform plan activity before the deployment. Find your GCP VPC site object and click ... > Plan (Optional) to generate the execution plan for Terraform.

  • Wait for the status to change to Applied.

  • To check the status for the apply action, click ... > Terraform Parameters for site object, and select the Apply Status tab.

Step 2: Confirm site deployed and online.
  • Navigate to Multi-Cloud Network Connect > Sites.

  • Verify status is Online. It takes a few minutes for the site to deploy and status to change to Online.

Note: You cannot add worker nodes. You can use SSH to log in to your node with username cloud-user and your private key.


Delete GCP VPC Site

Perform the following to delete the site:

Note: If you scale down the GCP instance size from the GCP UI and revert it to original number, ensure that you create the instance in the instance group with the same instance name using the create-instance command from the gcloud CLI.

  • Navigate to Manage > Site Management > GCP VPC Sites.

  • Locate the site object.

  • Select ... > Delete.

  • Click Delete in the confirmation window.

Note: Deleting the VPC site object deletes the sites and nodes from the VPC and deletes the VPC. If the delete operation does not remove the object and returns an error, check the error from the status, fix the error, and then re-attempt the delete operation. If the problem persists, contact technical support. You can check the status using the ... > Terraform Parameters > Apply status option.


Deploy Site Using Terraform

This chapter provides instructions on how to create a single-node or multi-node site on GCP with Terraform.

Perform the following procedure to deploy a site using Terraform:

Step 1: Confirm Terraform is installed.

In a terminal, enter terraform version. If you need to install, follow the instructions at the official guide.

Step 2: Create API credentials file.

Log into Console and create an API 12 certificate file and then download it. Use the instructions at Credentials for more help.

Step 3: Create a new directory on your system to place files for deployment.

Create a new directory on your system to place files for deployment.

Step 4: Create the deployment file.
  • Create a file and name it main.tf file, and place it in the newly created directory.

  • Copy and paste the following information into the file:

          terraform {
  required_version = ">= 0.13.1"
  required_providers {
    volterra = {
      source = "volterraedge/volterra"
    }
  }
}
variable "site_name" {}
variable "gcp_cred_file" {}
variable "gcp_instance_type" {
  default = "n1-standard-4"
}
variable "gcp_region" {
  default = "us-east1"
}
variable "gcp_az" {
  default = "us-east1-b"
}
variable "outside_subnet_cidr_block" {
  default = "192.168.0.0/25"
}
resource "volterra_cloud_credentials" "gcp_cred" {
  name      = format("%s-cred", var.site_name)
  namespace = "system"
  gcp_cred_file {
    credential_file {
      clear_secret_info {
        url = format("string:///%s", base64encode(file(var.gcp_cred_file)))
      }
    }
  }
}
resource "volterra_gcp_vpc_site" "site" {
  name      = var.site_name
  namespace = "system"
  ssh_key   = "ssh-rsa XXXX"
  cloud_credentials {
    name      = volterra_cloud_credentials.gcp_cred.name
    namespace = "system"
  }
  gcp_region    = var.gcp_region
  instance_type = var.gcp_instance_type
  ingress_gw {
    gcp_certified_hw = "gcp-byol-voltmesh"
    gcp_zone_names   = [var.gcp_az]
    local_network {
      new_network {
        name = "outside-network"
      }
    }
    node_number = 1
    local_subnet {
      new_subnet {
        primary_ipv4 = var.outside_subnet_cidr_block
        subnet_name  = "outside-subnet"
      }
    }
  }
  lifecycle {
    ignore_changes = [labels]
  }
}
resource "volterra_tf_params_action" "apply_gcp_vpc" {
  site_name        = volterra_gcp_vpc_site.site.name
  site_kind        = "gcp_vpc_site"
  action           = "apply"
  wait_for_action  = true
  ignore_on_update = true
}
        
  • Open the file and configure any necessary fields. You can change the parameters for your particular setup.

  • Save the changes and then close the file.

Step 5: Create file for variables.
  • In the same directory, create another file for variables and name it terraform.tfvars.

  • Create and assign the following variables:

    • For your site name, type a name within double quotes: site_name = "<site-name>"

    • For the GCP region, type the name within double quotes: gcp_region = "<region-name>"

    • For the GCP availability zone, type the name within double quotes: gcp_az = "<gcp-az-name>"

    • For the credential file, type the name within double quotes: gcp_cred_file = "<gcp-credential-file-location>"

          site_name = <site-name>
gcp_region = <region-name>
gcp_az = <gcp-az-name>
gcp_cred_file = <gcp-credential-file-location>
        
Step 6: Create and export variables for credentials and secret keys.
  • In the terminal, create and export the following variables:

    • Create this variable and assign it your API credentials password: export VES_P12_PASSWORD=<credential-password>

    • Create this variable and assign it the path to the API credential file previously created and downloaded from Console: export VOLT_API_P12_FILE=<path-to-local-p12-file>

    • Create this variable and assign it the URL for your tenant. For example: export VOLT_API_URL=https://example.console.ves.volterra.io/api

Note: You can also create and save these variables in the terraform.tfvars file. However, this may pose a security risk. Use caution when working with your credentials and secret keys.

          export VES_P12_PASSWORD=<credential-password>
export VOLT_API_P12_FILE=<path-to-local-p12-file>
export VOLT_API_URL=https://example.console.ves.volterra.io/api
        
Step 7: Initiate Terraform process.

Enter terraform init.

Step 8: Apply Terraform process.
  • Enter terraform apply.

  • If prompted for the access key and secret key encoded in Base64, enter both.

  • Enter yes to confirm. This may take a few minutes to complete. After the process is complete, the output will state Apply complete!.

  • In Console, navigate to the list of sites and confirm the site was applied.


Destroy Site

Perform the following procedure to destroy the site using Terraform:

  • Enter terraform destroy.

  • If prompted for the access key and secret key encoded in Base64, enter both.

  • Enter yes to confirm. This may take a few minutes to complete. After the process is complete, the output will state Destroy complete!.

  • In Console, navigate to the list of sites and confirm the site was destroyed.


Concepts