Create GCP Site
Objective
This document provides instructions on how to install an F5® Distributed Cloud Services node or cluster (multi-node) on Google Cloud Platform (GCP) using a custom GCP image. For more information on sites and nodes, see Site.
You can deploy a GCP VPC site using F5® Distributed Cloud Console (Console) by creating a VPC site object and performing site deployment using either automatic mode or assisted mode. With assisted mode, you are required to download the terraform parameters generated in Console for the VPC site object. Using the generated terraform parameters and the Distributed Cloud Services terraform container, you can perform deployment from your computer. The automatic mode of deployment can be performed directly from Console.
Note: Configuring the site mesh group is not supported for the sites deployed from Console.
Using the instructions provided in this guide, you can deploy a GCP VPC ingress gateway site or an ingress/egress gateway site. For more information, see Network Topology of a Site.
Design
GCP VPC Site automates the deployment of Distributed Cloud Services sites in GCP. As part of the GCP VPC Site configuration, you can indicate that new VPC, subnets, and route tables need to be created. Alternatively, you can choose to provide existing VPC and subnet information, and the creation of VPC and subnet resources will be skipped.
Note: By default, a site deployed in GCP supports Google Cloud Storage. See Configure Storage in Fleet.
GCP VPC Site Deployment Types
A site can be deployed in two different modes with the GCP VPC Site workflow. Those modes are:
- Ingress Gateway (One Interface): In this deployment mode, the site is attached to a single VPC and a single subnet. It can provide discovery of services and endpoints reachable from this subnet to any other site configured in the Distributed Cloud Services tenant.
- Ingress/Egress Gateway (Two Interfaces): In this deployment mode, the site is attached to a single VPC with at least two interfaces on different subnets. One subnet is labeled Outside and the other is labeled Inside. In this mode, the site provides security and connectivity for virtual machines and subnets that use the site's Inside interface as their default gateway.
Ingress Gateway (One Interface)
In this deployment mode, the F5® Distributed Cloud Mesh (Mesh) needs one interface attached. Services running on the node connect to the Internet using this interface. Also, this interface is used to discover other services and virtual machines and expose them to other sites in the same tenant. For example, in the below figure, TCP or HTTP services on the DevOps or Dev GCP VM instances can be discovered and exposed via reverse proxy remotely.
As shown in the below figure, the interface is on the outside subnet, which is associated with the VPC main routing table, whose default route is pointing to the Internet gateway. This is how traffic coming from the outside interface can reach the Internet, along with other subnets associated with this routing-table object. In case of other subnets (for example, Dev or DevOps), these are associated with the VPC main routing table, which means that any newly created subnet in this VPC is automatically associated with this routing table.
Ingress/Egress Gateway (Two Interfaces)
In this deployment scenario, the Mesh nodes need two interfaces attached. The first interface is the outside interface through which services running on the node can connect to the Internet. The second interface is the inside interface which will become the default gateway IP address for all the application workloads and services present in the private subnets.
As shown in the below figure, the outside interface is on the outside subnet, which is associated with the outside subnet route table, whose default route is pointing to the Internet gateway. This is how traffic coming from the outside interface can reach the Internet. In case of inside subnets, these are associated with the inside subnet route table which is also the main route table for this VPC. This means that any newly created subnet in this VPC is automatically associated with the inside subnet route table. This private subnet route table has a default route pointing to the inside IP address of the Mesh node (192.168.0.186).
Once the Mesh site comes online, the inside network of the node will be connected to the outside network through a forward proxy and SNAT enabled on the outside interface. All traffic coming on the inside interface will be forwarded to the Internet over the forward proxy and SNAT happening on the outside interface. All the workloads on private subnets can reach the Internet through Mesh site.
Network Policies
The site can be your ingress/egress security policy enforcement point, because all traffic from the private subnets flows through the Distributed Cloud Services site. Traffic that does not match any rule defined in the network policy is denied by default.
A network policy selects the endpoints or subnets it applies to. Egress rules, written from the endpoint's point of view, allow or deny specific traffic patterns based on intent; ingress rules allow or deny traffic coming toward the endpoint.
Forward Proxy Policy
Using a forward proxy policy, you can specify allowed/denied TLS domains or HTTP URLs. The traffic from workloads on private subnets toward the Internet via the GCP VPC site is allowed or denied accordingly.
More details on how to configure this are captured in the rest of this document.
Prerequisites
The following prerequisites apply:
- A Distributed Cloud Services account. If you do not have an account, see Create an Account.
- A GCP account. See Required Access Policies for the permissions needed to deploy a GCP VPC site.

Note: By proceeding with the installation, download and/or access and use, as applicable, of the Distributed Cloud Services software, and/or Distributed Cloud Services platform, you acknowledge that you have read, understand, and agree to be bound by this agreement.

- Resources required per site: minimum 4 vCPUs and 14 GB RAM.
Deploy Using Console
The following video shows the GCP VPC site creation and site deployment workflow using Console:
GCP VPC site creation and management requires performing the following sequence of actions:
| Phase | Description |
|---|---|
| Create GCP VPC Site Object | Create the GCP VPC site object in Console using the guided wizard. |
| Deploy Site | Deploy the sites configured in the GCP VPC site object using the automatic or assisted method. |
Create GCP VPC Site Object
The wizard to create the GCP VPC site object guides you through the steps for required configuration. This document covers each guided step and explains the required actions to be performed for each step.
Step 1: Start GCP VPC site object creation.
- Log into Console.
- Click Cloud and Edge Sites.
- Click Manage > Site Management > GCP VPC Sites.
- Click Add GCP VPC Site.
- In the Name field, enter a name for your VPC site object.
Step 2: Configure the VPC and site settings.
In the Site Type Selection section, perform the following:
Step 2.1: Set region and configure VPC.
- From the GCP Region drop-down menu, select a region.
- From the Select Ingress Gateway or Ingress/Egress Gateway drop-down menu, select an option and perform the following:

Ingress Gateway (one interface):

- For the Ingress Gateway (One Interface) option, click Configure.
- From the GCP Certified Hardware menu, select an option. This option is set to gcp-byol-voltmesh by default.
- From the List of Gcp zone name menu, select a zone that belongs to the configured GCP Region.
- From the Number of main nodes menu, select the number of nodes for this site.
- From the VPC Network for Local Interface menu, perform one of the following steps:
  - For the Specify VPC Network Name option, enter a name for the new network in the GCP VPC Network Name field.
  - For the Existing VPC Network option, enter an existing VPC network name in the GCP VPC Network Name field.
- From the Subnet for Local Interface menu, perform one of the following steps:
  - For the New Subnet Parameters option, enter a name for the subnet in the VPC Subnet Name field and a subnet prefix in the IPv4 Subnet Prefix field.
  - For the Existing Subnet option, enter the existing subnet name in the VPC Subnet Name field.
- Click Apply.
Ingress/Egress Gateway (two interfaces):

- For the Ingress/Egress Gateway (Two Interface) option, click Configure.
- From the GCP Certified Hardware menu, select an option. This option is set to gcp-byol-multi-nic-voltmesh by default.
- From the List of Gcp zone name menu, select a zone that belongs to the configured GCP Region.
- From the Number of main nodes menu, select the number of nodes for this site.
- From the VPC Network for Inside Interface menu, perform one of the following steps:
  - For the Specify VPC Network Name option, enter a name for the new network in the GCP VPC Network Name field.
  - For the Existing VPC Network option, enter an existing VPC network name in the GCP VPC Network Name field.
- From the Subnet for Inside Interface menu, perform one of the following steps:
  - For the New Subnet Parameters option, enter a name in the VPC Subnet Name field and an IP address prefix in the IPv4 Subnet Prefix field.
  - For the Existing Subnet option, enter the existing subnet name in the VPC Subnet Name field.
- From the VPC Network for Outside Interface menu, perform one of the following steps:
  - For the Specify VPC Network Name option, enter a name for the new network in the GCP VPC Network Name field.
  - For the Existing VPC Network option, enter an existing VPC network name in the GCP VPC Network Name field.
- From the Subnet for Outside Interface menu, perform one of the following steps. The inside and outside subnets must be different subnets:
  - For the New Subnet Parameters option, enter a name in the VPC Subnet Name field and an IP address prefix in the IPv4 Subnet Prefix field.
  - For the Existing Subnet option, enter the existing subnet name in the VPC Subnet Name field.
- Click Apply.
F5® Distributed Cloud App Stack Cluster (one interface):

- For the Voltstack Cluster (One Interface) option, click Configure.
- From the GCP Certified Hardware menu, select an option. This option is set to gcp-byol-voltstack-combo by default.
- From the List of Gcp zone name menu, select a zone that belongs to the configured GCP Region.
- From the Number of main nodes menu, select the number of nodes for this site.
- From the VPC Network for Local Interface menu, perform one of the following steps:
  - For the Specify VPC Network Name option, enter a name for the new network in the GCP VPC Network Name field.
  - For the Existing VPC Network option, enter an existing VPC network name in the GCP VPC Network Name field.
- From the Subnet for Local Interface menu, perform one of the following steps:
  - For the New Subnet Parameters option, enter a name for the subnet in the VPC Subnet Name field and a subnet prefix in the IPv4 Subnet Prefix field.
  - For the Existing Subnet option, enter the existing subnet name in the VPC Subnet Name field.
- Optionally, enable local K8s API access. In the Advanced Options section, turn on Show Advanced fields. In the Site Local K8s API access field, select Enable Site Local K8s API access and then select a K8s cluster.

Note: The Distributed Cloud Platform supports both mutating and validating webhooks for managed K8s. Webhook support can be enabled in the K8s cluster configuration (Manage > Manage K8s > K8s Clusters). For more information, see Create K8s Cluster, in the Advanced K8s cluster security settings section.

- Click Apply.
Step 2.2: Set the deployment type.
- From the Select Automatic or Assisted Deployment menu, select an option per the following guidelines:
  - For the Automatic Deployment option, select your existing GCP credentials object, or click Create new cloud credentials to load the credential creation wizard. Create the new credentials per the following guidelines:
    - Enter a name in the Metadata section.
    - Optionally, set labels and enter a description.
    - From the Select Cloud Credential Type menu, select GCP Credentials.
    - Click Configure.
    - Select an option for the Secret Info:
      - If you select Blindfold Secret, enter the secret in the field, and then click Blindfold. Blindfold encrypts the secret before it is stored, so prefer it over Clear Secret for a service-account key.
      - If you select Clear Secret, enter the secret in one of the formats displayed.
    - Click Apply.
    - Click Continue.

Note: Refer to the Cloud Credentials guide for more information. Ensure that the GCP credentials are applied with the required access policies per the Policy Requirements document.

  - For the Assisted Deployment option, obtain the GCP parameters after the GCP VPC site object is created in Console, and perform the site deployment per the instructions in the Deploy Site chapter.
Step 3: Set the site node parameters.
In the Site Node Parameters section, perform the following:

- Set the GCP instance type by selecting an option from the GCP Instance Type for Node menu, using See Common Values.
- Enter your SSH public key in the Public SSH key field. Paste the public key only; the private key never leaves your workstation.
Step 4: Configure the advanced options.
- In the Advanced Configuration section, click Show Advanced Fields.
- From the Logs Streaming menu, select an option. If you select Enable Logs Streaming, you must select a log receiver or create a new one with Create new log receiver.
- From the Select Volterra Software Version menu, select an option. If you select Volterra Software Version, you must enter the version to use.
- From the Select Operating System Version menu, select an option. If you select Operating System Version, you must enter the OS version to use.
Step 5: Configure the site tunnel IP.
In the Site To Site Tunnel IP section, enter a value for the tunnel IP.
Step 6: Complete the GCP VPC site object creation.
Click Save and Exit to complete creating the GCP VPC site object. The Status field for the GCP VPC site object displays Generated.
Deploy Site
You can deploy the site using automatic or assisted deployment, depending on your GCP VPC site object configuration above.
Automatic Deployment
Perform this procedure if you created the VPC site object with the Automatic Deployment option.
- Navigate to the GCP VPC site object by clicking Manage > Site Management > GCP VPC Sites.
- Find your GCP VPC site object and click Apply under the Status column. The Status column for your GCP VPC site object changes to Apply Planning.

Note: Optionally, you can run a terraform plan before the deployment. Find your GCP VPC site object and click ... > Plan (Optional) to generate the terraform execution plan.

- Wait for the status to change to Applied.

Note: You can check the status of the apply action. Click ... > Terraform Parameters for your GCP VPC site object and then click the Apply Status tab.

- Navigate to Sites > Sites List and find your site in the displayed list to verify that its status is ONLINE.

Note: It may take a few minutes for the site to deploy and the status to change to ONLINE.
Assisted Deployment
Perform this procedure if you created the VPC site object with the Assisted Deployment option.
- Obtain the terraform variables JSON file for the assisted deployment:
  - Navigate to the GCP VPC site object by clicking Manage > Site Management > GCP VPC Sites.
  - Find your GCP VPC site object and click ... > Terraform Parameters.
  - Click Download Params to save the parameters, or copy them to a file on your local machine.
- Download the volt-terraform container:
docker pull gcr.io/volterraio/volt-terraform
- Run the terraform container:
docker run --entrypoint tail --name terraform-cli -d -it \
-w /terraform/templates \
-v ${HOME}/.ssh:/root/.ssh \
gcr.io/volterraio/volt-terraform:latest \
-f /dev/null
- Copy the downloaded terraform variables file to the container. The following example copies it to the /var/tmp folder in the container:
docker cp /Users/ted/Downloads/system-gcp-vpc-a.json terraform-cli:/var/tmp
- Download the API certificate from Console and copy it to the container:
docker cp /Users/ted/Downloads/playground.console.api-creds.p12 terraform-cli:/var/tmp
Note: See the Generate API Certificate guide for information on API credentials.
- Download the GCP credentials file and copy it to the Docker container. The GCP credentials are used to authenticate to GCP. This example copies a credentials file named gcp-creds.json:
docker cp /Users/ted/Downloads/gcp-creds.json terraform-cli:/var/tmp
Note: For more information on GCP project and credentials, refer to GCP Project and GCP Authentication.
- Enter the terraform container:
docker exec -it terraform-cli sh
- Export the variables for the GCP credentials and project. This example uses the gcp-creds.json file for the credentials and project1 as the GCP project:
export TF_VAR_google_credentials=/var/tmp/gcp-creds.json
export TF_VAR_google_project=project1
- Change to the VPC template directory:
cd /terraform/templates/views/assisted/gcp-volt-node
- Set the following environment variables required by the Distributed Cloud Services terraform provider:
  - VOLT_API_P12_FILE: the path to the API certificate file.
  - VES_P12_PASSWORD: the password for the API credentials. This is the password you set while downloading the API certificate. Typing it as a literal on the export command line records it in the shell history; in an interactive shell, prefer entering it through a hidden prompt (for example, read -s) instead.
  - VOLT_API_URL: the tenant URL.

  Change the values per your setup. See the following examples:
export VOLT_API_P12_FILE="/var/tmp/playground.console.api-creds.p12"
export VES_P12_PASSWORD=<api_cred_password>
export VOLT_API_URL="https://playground.console.ves.volterra.io/api"
export TF_VAR_akar_api_url=$VOLT_API_URL
- Deploy the nodes by executing the terraform commands:
terraform init
terraform apply -var-file=/var/tmp/system-gcp-vpc-a.json
Note: The terraform init command downloads the terraform providers defined in the module. When the terraform apply command is executed, it prompts for confirmation before proceeding.
- Enter yes to begin deploying the node(s) and wait for the deployment to complete.
- Navigate to Sites > Sites List.
- Find your site in the displayed list and verify that its status is ONLINE. It may take a few minutes for the site to deploy and the status to change to ONLINE.
Note: In case of network issues, GCP lets you enable the serial console on the instance with the following command. The serial console gives interactive access to the VM, so set serial-port-enable back to FALSE once troubleshooting is done:
gcloud compute instances add-metadata <<instance_name>> --metadata serial-port-enable=TRUE --project <<project>>
Delete GCP VPC Site
Depending on the method with which the GCP VPC site was deployed, perform one of the following:
Automatic Deployment
Perform the following to delete the GCP VPC site object from Console:
- Navigate to the GCP VPC site object by clicking Manage > Site Management > GCP VPC Sites.
- Find your GCP VPC site object and click ... > Delete.
- Click Delete in the confirmation window.
Note: Deleting the VPC site object deletes the sites and nodes from the VPC and deletes the VPC. If the delete operation does not remove the object and returns an error, check the error from the status, fix it, and then re-attempt the delete operation. If the problem persists, contact technical support. You can check the status using the ... > Terraform Parameters > Apply status option.
Assisted Deployment
Delete the terraform deployment made in assisted mode and then delete the site in Console.
Step 1: Delete the terraform deployment.
- Enter the terraform container:
docker exec -it terraform-cli sh
- Change to the GCP VPC site template directory:
cd /terraform/templates/views/assisted/gcp-volt-node
- Destroy the site objects from GCP by executing the terraform commands:
terraform init
terraform destroy -var-file=/var/tmp/system-gcp-vpc-a.json
Note: When the terraform destroy command is executed, it prompts for confirmation before proceeding. Enter yes and wait for the destroy process to complete.
Step 2: Delete the site from Console.
Perform the following to delete the VPC site object:
- Navigate to the GCP VPC site object by clicking Manage > Site Management > GCP VPC Sites.
- Find your GCP VPC site object and click ... > Delete.
- Click Delete in the confirmation window.
Note: If you scale down the instance group from the GCP UI and later revert it to the original number of instances, ensure that you create the instance in the instance group with the same instance name, using the gcloud compute instance-groups managed create-instance command from the gcloud CLI.