Deploy Site with AWS Console ClickOps

Objective

This guide provides instructions on how to create a customer edge (CE) site using the Amazon Web Services (AWS) Console and deploy to an AWS VPC. For more information on sites, see F5® Distributed Cloud Site.

This guide shows you how to create a single-node Mesh site with dual interfaces (ingress/egress gateway). It also notes the differences that apply when you deploy an AWS CE site as Mesh or App Stack, in any supported combination of nodes and interfaces.


Site Types and Scenarios

The scenarios in the table below have been tested successfully. The Network Address Translation Gateway (NAT GW) in Table 1 refers to the AWS NAT Gateway; however, technically this should also work with third-party firewalls.

Note: In the Number of Nodes column, 1/3 indicates 1 or 3 nodes. IGW refers to the Internet Gateway.

Provider | Site Type | Number of Nodes | Gateway Type   | Interfaces | Scenario
AWS      | Mesh      | 1/3             | Ingress/Egress | 2          | Behind IGW
AWS      | Mesh      | 1/3             | Ingress        | 1          | Behind IGW
AWS      | App Stack | 1/3             | -              | 1          | Behind IGW
AWS      | Mesh      | 1/3             | Ingress/Egress | 2          | Behind NAT GW
AWS      | Mesh      | 1/3             | Ingress        | 1          | Behind NAT GW
AWS      | App Stack | 1/3             | -              | 1          | Behind NAT GW

Site Differences

This chapter explains the difference between the deployment of a single-node site with a single interface and three-node sites with multi-NIC interfaces.

One Node Single Interface Site Differences (Mesh/App Stack)

Both the F5 Distributed Cloud App Stack and single-NIC Mesh sites have a single interface and are therefore similar when it comes to deployment.

Important: It is the same procedure for one node single-NIC Mesh and App Stack sites.

For single-NIC Mesh sites, the following are key differences:

  • Amazon Machine Image (AMI).

  • Certified hardware image name.

  • Only the SLO interface is required, instead of both the SLO and SLI. There is no need to add a second network interface.

  • Elastic IP address assignment is simpler because you can assign the address directly to the instance. There is no need to attach it to the SLO interface as you would for a two-NIC configuration.

  • For an App Stack Site, you need to add the Site using Multi-Cloud Network Connect > Manage > Site Management > App Stack Sites page and not through the Secure Mesh Sites page.

  • For an App Stack Site, F5 recommends 100 GB for storage.

Three Node Cluster Site Differences

Important: It is the same procedure for three-node multi-NIC Mesh and three-node App Stack sites.

The following are key differences:

  • When creating the instance, consider leveraging the Number of instances option to automatically create three instances. This avoids the hassle of repeating the process for each instance and ensures uniform configuration.

  • Ensure each instance has a unique name to make operation easier.

  • The security group must allow communication between the nodes (intra-cluster communication). In this procedure, the security group is updated to enable this communication. However, you can also use IP-based rules.

  • Same tagging structure.

  • Three pending registration requests appear in Console. As with single-node configurations, you must create the Secure Mesh Site object and add the internal interface to each F5 CE virtual machine before accepting those registration requests.

  • A Secure Mesh Site has the same configuration as a single-node site, with the only difference being three nodes. Note that the node name can be whatever you decide. For an App Stack Site, you must add the site using Multi-Cloud Network Connect > Manage > Site Management > App Stack Sites page and not through the Secure Mesh Sites page.

  • You must approve the three pending registration requests one by one. The cluster name (site name) must be the same for all three, and the cluster size must be updated to 3. Repeat this for each of the three registration requests.

  • For the tags, ensure that all three instances share the same tags, except Name, which is not used for registration. This is the same procedure as for single-node sites.

Sites Behind AWS NAT Gateway

For scenarios where there is a requirement to have the CE site deployed without a public IP address, you can place the CE behind a NAT Gateway.

If you are deploying a site in this scenario, there are a few differences to note:

  • There is no public IP association with the CE(s).

  • You must ensure the CE can get to the Internet through its SLO interface.

  • From the AWS side, ensure that the routing table from the SLO subnet has a default route 0.0.0.0/0 that points to the NAT Gateway.

  • The NAT Gateway is a zonal object. In other words, it belongs to one availability zone. Therefore, in the case of a three-node CE cluster, you might want to deploy additional NAT Gateways for high availability.


Prerequisites

The following prerequisites apply:

  • A Distributed Cloud Services Account. If you do not have an account, see Create an Account.

  • An account with AWS. See Required Access Policies for the permissions needed to deploy a site. To create a cloud credentials object, see Cloud Credentials.

  • Resources required per node: Minimum 4 vCPUs and 14 GB RAM.

  • F5 assumes that the VPC exists with a minimum of two subnets: one for the Site Local Outside (SLO) and one for the Site Local Inside (SLI). The CE generally references the SLO interface as eth0 and the SLI interface as eth1.

  • Internet Control Message Protocol (ICMP) needs to be opened between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed to ensure intra-cluster communication checks.


Procedure

The following procedure provides instructions for deploying a single-node Mesh site with dual interfaces (ingress/egress) to an AWS VPC using the AWS Console.

Create IAM Policy and Role

You must create an IAM role that will be attached to the CE site, with minimal permissions configured for that role using an IAM policy.

Step 1: Navigate to policy creation page.
  • In AWS Console, navigate to the IAM service.

  • Under Access management, click Policies and then click Create policy.

Figure: Create Policy
Step 2: Create and configure IAM policy.
  • From the Service menu, select EC2.

  • In the Filter Actions box, search for and select the DescribeInstances and DescribeTags permissions.

Figure: Filter Actions
  • Alternatively, you can also add the permissions using the JSON option:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeTags"
            ],
            "Resource": "*"
        }
    ]
}

  • Click Next.

  • Enter a Policy name and an optional short description.

  • Click Create policy.

  • Confirm the policy was created.

Figure: IAM Policy Confirmation
Step 3: Create and configure IAM role.
  • Under Access management, click Roles and then click Create role.

  • Confirm AWS service is selected.

  • From the Service or use case menu, select EC2. Then click Next.

Figure: Create IAM Role
  • In the search box, find and select the policy previously created.

  • Click Next.

  • Enter a Role name and short description. Ensure that the role name and description clearly relate to the policy.

Figure: IAM Role Configuration
  • Click Create role.
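The IAM documents behind Steps 1 to 3, as an added example that is not F5's code: the permissions policy from the guide, the trust policy the Console generates when you select AWS service / EC2, a least-privilege check, and the equivalent boto3 IAM calls. The boto3 client argument and the role name are assumptions.

```python
import json

CE_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["ec2:DescribeInstances", "ec2:DescribeTags"],
        "Resource": "*",
    }],
}

# Trust policy the Console generates for "Trusted entity: AWS service / EC2".
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# The only calls the CE needs: read-only describes for self-registration.
ALLOWED_ACTIONS = {"ec2:DescribeInstances", "ec2:DescribeTags"}


def policy_findings(policy: dict) -> list[str]:
    """List anything in an Allow statement that exceeds ALLOWED_ACTIONS."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement only narrows the grant
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("NotAction/NotResource widens the grant")
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if "*" in action:
                findings.append(f"wildcard action {action!r}")
            elif action not in ALLOWED_ACTIONS:
                findings.append(f"unexpected action {action!r}")
    return findings


def create_ce_role(iam, name: str = "f5-ce-iam-role") -> str:
    """Console Steps 2 and 3 as calls on a boto3 IAM client (passed in, so
    nothing talks to AWS at import). Returns the instance profile name."""
    if policy_findings(CE_PERMISSIONS_POLICY):
        raise ValueError("refusing to create an over-privileged CE policy")
    arn = iam.create_policy(PolicyName=f"{name}-policy",
                            PolicyDocument=json.dumps(CE_PERMISSIONS_POLICY))["Policy"]["Arn"]
    iam.create_role(RoleName=name,
                    AssumeRolePolicyDocument=json.dumps(EC2_TRUST_POLICY))
    iam.attach_role_policy(RoleName=name, PolicyArn=arn)
    iam.create_instance_profile(InstanceProfileName=name)
    iam.add_role_to_instance_profile(InstanceProfileName=name, RoleName=name)
    return name
```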

Create CE Security Group

You must create a security group that will attach to the CE site.

Step 1: Navigate to security group creation page.
  • Navigate to the EC2 service.

  • In AWS Console, under Network & Security, click Security Groups.

  • Click Create security group.

Figure: Create Security Group
Step 2: Create and configure security group.

Enter a Security group name and short description.

Step 2.1: Create inbound rules.
  • Under the Inbound rules section, click Add rule. Ensure you add rules for the following:

    • Allow SSH from your public address. AWS can detect the public IP address you are configuring from and allow it. You can also use the custom option and enter your corporate public address space.

    • Allow ICMP for troubleshooting.

    • Allow TCP port 65500 for the local UI on the CE.

    • For three-node clusters, ensure that traffic is allowed between the nodes.

Important: When creating load balancers to publish applications, you will need to add additional rules in your security group to accept the traffic that comes to your virtual IP address (VIP).

Figure: Create Inbound Rules
Step 2.2: Create outbound rules.
  • For the Outbound rules section, select the All traffic option to create an allow-all policy for egress traffic.

  • Click Create security group. Afterwards, verify the rules were created properly.

Figure: Create Outbound Rules
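The inbound rules from Step 2.1 in the IpPermissions shape that boto3's authorize_security_group_ingress accepts, plus a check that SSH is never left open to the whole Internet; an added example, not F5's code. The admin CIDRs and security group ID are assumed inputs.

```python
import ipaddress

CE_LOCAL_UI_PORT = 65500  # local UI on the CE, per Step 2.1


def ce_inbound_rules(admin_cidrs, sg_id=None):
    """Ingress rules for the CE security group.

    admin_cidrs: public address space allowed to SSH and use the local UI
                 (the address you configure from, or the corporate range).
    sg_id:       for three-node clusters, this group's own ID, so the nodes
                 can reach each other (self-referencing rule; covers the
                 ICMP the cluster checks need as well).
    """
    ranges = [{"CidrIp": str(ipaddress.ip_network(c)), "Description": "admin"}
              for c in admin_cidrs]  # ip_network rejects malformed CIDRs
    rules = [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": ranges},
        {"IpProtocol": "tcp", "FromPort": CE_LOCAL_UI_PORT,
         "ToPort": CE_LOCAL_UI_PORT, "IpRanges": ranges},
        # ICMP for troubleshooting; -1/-1 means every ICMP type and code
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": ranges},
    ]
    if sg_id:
        rules.append({"IpProtocol": "-1", "UserIdGroupPairs": [
            {"GroupId": sg_id, "Description": "intra-cluster"}]})
    return rules


def exposed_ssh(rules) -> bool:
    """True if any rule that covers TCP/22 admits the whole Internet."""
    for rule in rules:
        proto = rule.get("IpProtocol")
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        if not (proto == "-1" or (proto == "tcp" and lo <= 22 <= hi)):
            continue
        if any(r["CidrIp"] == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
            return True
        if any(r["CidrIpv6"] == "::/0" for r in rule.get("Ipv6Ranges", [])):
            return True
    return False
```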

Create SSH Key Pairs

You need to create key pairs for SSH login into the EC2 instance for troubleshooting purposes.

Step 1: Navigate to SSH key creation page.
  • In AWS Console, under Network & Security, click Key Pairs.

  • Click Create key pair.

Step 2: Configure SSH key pairs.
  • Enter a key pair name.

  • Select the key pair type.

  • Select the key pair format.

  • After you finish, click Create key pair.

  • Afterwards, verify that the keys were created properly.

  • Download the key pair locally to your machine. You will need the key pair to log into the CE node.

Locate AMI ID and Hardware Image

Specific information is required to deploy a CE site: your site type, number of interfaces, and region. This information determines the F5 Distributed Cloud Services certified hardware image and the Amazon Machine Image (AMI) ID. Note that each AMI ID corresponds to a certified hardware image.

Only this information is required to derive the AMI ID:

  • Cloud provider (AWS) in which you are deploying the Site.

  • Whether you are deploying a Mesh Site or an App Stack Site.

  • For a Mesh Site, whether it is single-NIC or multi-NIC.

  • The cloud provider region in which you plan to deploy the CE nodes.

As an example, if you are deploying a multi-NIC node in us-west-1:

  • Region: us-west-1

  • Site Type: Mesh

For the example above, the AMI ID of ami-0858c196c17ebf057 corresponds to the F5 Distributed Cloud Services hardware image of aws-byol-multi-nic-voltmesh.

Figure: AMI Search

Existing VPC Details

In this example, a dual-interface single-node CE site is being deployed. Since the site has two interfaces, two subnets are required: one for the SLI and one for the SLO. Both subnets are in the same Availability Zone (AZ), which is us-west-1c.

Note that workload subnets are generally used but are not a requirement to deploy a CE site.

Create Elastic IP

Create an Elastic IP to attach to the site.

Step 1: Navigate to Elastic IP creation page.
  • Under Virtual private cloud, select Elastic IPs.

  • Click Allocate Elastic IP address.

Step 2: Configure Elastic IP address(es).
  • Click Add new tag.

  • Enter a key name and an optional name for the value.

  • Click Allocate.

Figure: Allocate IP Addresses

Create Site Token

Create a site token or use an existing token. If you are configuring a multi-node site, use the same token for all nodes. To create the token, see the Create Secure Mesh Site guide.

Modify the EC2 User Data File

Download the raw .yml file to your machine and input the value of the site token into the Token field. See GitHub User Data File for more information. Afterwards, save the file on your machine as you will need it for the user data when creating the F5 CE virtual machine.

Figure: Raw YAML File
#cloud-config
#only value to be modified is token
write_files:
- path: /etc/hosts
  content: |
    # IPv4 and IPv6 localhost aliases
    127.0.0.1 localhost
    127.0.0.1 vip
  permissions: 0644
  owner: root
- path: /etc/vpm/config.yaml
  permissions: 0644
  owner: root
  content: |
    Vpm:
      ClusterType: ce
      Token: #token value here
      MauricePrivateEndpoint: https://register-tls.ves.volterra.io
      MauriceEndpoint: https://register.ves.volterra.io
      CertifiedHardwareEndpoint: https://vesio.blob.core.windows.net/releases/certified-hardware/aws.yml
    Kubernetes:
      EtcdUseTLS: True
      Server: vip

Create the CE Virtual Machine

Create the F5 CE EC2 instance using the previously created parameters. It is recommended that you create a table and fill it with the information prior to deploying the CE EC2 instance.

See table below for example parameters and explanations used for this procedure.

Parameter | Value | Notes
Name | f5-ce | Name of CE site.
Region | us-west-1 | Name of the AWS region in which the site is deployed.
AMI ID | ami-0b91438f4f4bc1af9 | This is the AMI ID.
Certified Hardware Name | aws-byol-multi-nic-voltmesh | This is the certified hardware name.
Instance Type | t3.xlarge | Minimum instance requirements: 4 vCPUs, 14 GB RAM, 80 GB storage for Mesh nodes, and 100 GB storage for App Stack.
VPC Name | f5-ce-vpc | Name of the AWS VPC in which the site is deployed.
VPC ID | vpc-03d062399d80cc2d1 | Existing VPC.
SLO Subnet ID | subnet-0783f900a3e4d3023 | Existing subnet.
SLI Subnet ID | subnet-04eb734ccad49fa88 | Existing subnet.
Key Pair | f5-ce-keypair | Key pair created in AWS Console.
Security Groups | f5-ce-security-group | Name of security group created in AWS Console.
IAM Instance Profile | f5-ce-iam-role | Name of IAM profile created in AWS Console.
Elastic IP Address | f5-ce-ip | Name of Elastic IP address created in AWS Console.
Tag: site name | f5-ce | Optional tag.
Tag: ves-io-site-name | f5-ce-demo | Mandatory tag (equals site name).
Tag: kubernetes.io/cluster/<value-of-sitename> (with the site name filled in: kubernetes.io/cluster/f5-ce-demo) | Owned | Mandatory tag; note that the value after /cluster/ is the site name.
Site Name | f5-ce-demo | Equals ves-io-site-name value.
Token | Confidential. Value varies. | Value for site token ID generated in F5 Console.
Storage | 80 GiB / 100 GiB (App Stack) recommended. | Minimum disk space that is required.

Step 1: Configure tags.

After you have set the site name, click Add additional tags to add the required tags.

Note: Without the tags labeled as mandatory, the site will not register.

Figure: Add Tags
Step 2: Configure instance type.
  • Select the AMI per the parameters in the table above.

  • Select the instance type. Note that t3.xlarge is the minimum instance type required to run the F5 CE software.

  • Select the key pair.

Figure: Add Key Pairs
Step 3: Configure network interface(s).
  • Select the VPC, subnet (SLO), and security groups referenced in the parameters table above. The subnet chosen is the subnet for Network interface 1 (SLO); labeling the subnets makes it easy to place the interface in the SLO subnet. Ensure that Auto-assign public IP is disabled, as an Elastic IP address is used instead.
Figure: Configure Network
  • Under Advanced network configuration, enter a description for the SLO interface. Network interface 1 is SLO and is placed in the SLO subnet.
Figure: Configure Network Interface 1
  • Similarly, enter a description for the SLI interface. Network interface 2 is SLI and is placed in the SLI subnet.
Figure: Configure Network Interface 2
  • Ensure that the same security group applies to both interfaces.
Step 4: Configure network storage.
  • Configure the storage requirement (80 GiB) and select the IAM instance profile (Role) per the parameters table above.

  • Copy and paste the modified user data file into the User data box.

Figure: User Data Information
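Filling in the Token field of the user data file and checking the mandatory tags from the parameters table before you launch, as an added example that is not F5's code. The token character set and the rule that nodes may differ only in Name are assumptions drawn from the guide's notes; the sample instances in the test are constructed.

```python
import re

TOKEN_PLACEHOLDER = "Token: #token value here"  # line as it appears in the .yml
# Assumed token format: characters F5 site tokens use; anything else (for
# example a newline or '#') could alter the YAML and is rejected.
TOKEN_PATTERN = re.compile(r"[A-Za-z0-9._-]+")


def render_user_data(template: str, token: str) -> str:
    """Put the site token into the Token field of the cloud-config .yml.
    In YAML the placeholder text is a comment, so an unmodified file would
    register with an empty token; refuse to render unless it is present."""
    if TOKEN_PLACEHOLDER not in template:
        raise ValueError("user data does not contain the Token placeholder")
    if not TOKEN_PATTERN.fullmatch(token):
        raise ValueError("site token contains unexpected characters")
    return template.replace(TOKEN_PLACEHOLDER, f"Token: {token}", 1)


def required_tags(site_name: str) -> dict:
    """Mandatory tags from the parameters table. Name is optional and may
    differ per node. The guide lists the cluster tag value as Owned; the
    check below compares it case-insensitively."""
    return {"ves-io-site-name": site_name,
            f"kubernetes.io/cluster/{site_name}": "owned"}


def tag_problems(instances: dict, site_name: str) -> list[str]:
    """instances: {instance_id: {tag_key: tag_value}} for every node of the
    site. Returns why registration would fail, or [] when every node has
    the mandatory tags and the nodes differ only in Name."""
    problems = []
    for iid, tags in instances.items():
        for key, want in required_tags(site_name).items():
            got = tags.get(key)
            if got is None:
                problems.append(f"{iid}: missing tag {key}")
            elif got.lower() != want.lower():
                problems.append(f"{iid}: tag {key} is {got!r}, expected {want!r}")
    # Everything except Name must match across the cluster (three-node note)
    shared = {tuple(sorted((k, v) for k, v in t.items() if k != "Name"))
              for t in instances.values()}
    if len(shared) > 1:
        problems.append("nodes carry different tags (only Name may differ)")
    return problems
```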

Associate the Elastic IP Address to SLO Interface

After the EC2 instance is created, you need to associate the previously allocated Elastic IP per the parameters table.

Step 1: Note down information.

Note down the SLO interface ID by navigating to the Networking tab under the f5-ce instance and getting the elastic network interface (ENI) ID of the SLO. Keep this information as you will need it to assign the Elastic IP to the interface.

Step 2: Associate IP address to interface.
  • Select the Elastic IP address and then navigate to Actions > Associate Elastic IP address.
Figure: Associate Elastic IP Address
  • Enter the ENI ID.

  • Click Associate.

Register Site

In Distributed Cloud Console, perform additional site registration configuration and create secure mesh site.

Step 1: Visually confirm requests appear.
  • In Distributed Cloud Console, navigate to the site registrations page.

  • Under the Pending Registrations tab, confirm the registration request appears but do not accept it.

  • If you cannot see the Cluster Name, check under the Other Registrations tab.

Figure: Registration Confirmation
Step 2: Create secure mesh site.
  • Navigate to Manage > Site Management > Secure Mesh Sites.

  • Click Add Secure Mesh Site.

  • In the form, add a name for the site. Ensure that the Name is the same as the tag value for ves-io-site-name.

Figure: Name Confirmation
  • For the Generic Server Certified Hardware value, copy the value from the parameters table above.

  • For the master node configuration, enter a name. The node name can be any name you desire.

  • Enter values for Longitude and Latitude that reflect the CE's location; this ensures the CE registers to the nearest regional edge (RE).

  • After you finish with configuration, click Save and Exit.

Step 3: Change fields to match site name.
  • On the site Registrations page, for your site, change the Cluster Name to match the Site Name and ves-io-site-name. All three values must match.
Figure: Pending Registration
  • Click Save and Exit. After a few minutes, the site status changes to ADMITTED.

Troubleshooting

For troubleshooting and opening a support case, see the Troubleshooting Manual Site Deployment Registration Issues guide. It provides step-by-step instructions to debug and resolve the issues that may arise due to Distributed Cloud published Terraform errors, networking and security misconfiguration, or CE internal process issues. The guide also provides instructions for contacting the F5 Distributed Cloud Support Team if you are unable to resolve the issue.
