Deploy Site with AWS Console ClickOps
On This Page:
- Objective
- Site Types and Scenarios
- Site Differences
- One Node Single Interface Site Differences (Mesh/App Stack)
- Three Node Cluster Site Differences
- Sites Behind AWS NAT Gateway
- Prerequisites
- Procedure
- Create IAM Policy and Role
- Create CE Security Group
- Create SSH Key Pairs
- Locate AMI ID and Hardware Image
- Create Elastic IP
- Create Site Token
- Modify the EC2 User Data File
- Create the CE Virtual Machine
- Associate the Elastic IP Address to SLO Interface
- Register Site
- Troubleshooting
- Concepts
- References
Objective
This guide provides instructions on how to create a customer edge (CE) site using the Amazon Web Services (AWS) Console and deploy to an AWS VPC. For more information on sites, see F5® Distributed Cloud Site.
This guide shows you how to create a single-node Mesh site with dual interfaces (ingress/egress gateway). It also covers the differences so that you can successfully deploy an AWS CE site using either Mesh or App Stack and any supported combination of nodes and interfaces.
Site Types and Scenarios
The scenarios in the table below have been tested successfully. The Network Address Translation Gateway (NAT GW) device in Table 1 refers to the AWS NAT Gateway. However, technically this should also work with third-party firewalls.
Note: In the Number of Nodes column, 1/3 indicates 1 or 3 nodes. IGW refers to Internet Gateway.
Provider | Site Type | Number of Nodes | Gateway Type | Interfaces | Scenario |
---|---|---|---|---|---|
AWS | Mesh | 1/3 | Ingress/Egress | 2 | Behind IGW |
AWS | Mesh | 1/3 | Ingress | 1 | Behind IGW |
AWS | App Stack | 1/3 | - | 1 | Behind IGW |
AWS | Mesh | 1/3 | Ingress/Egress | 2 | Behind NAT GW |
AWS | Mesh | 1/3 | Ingress | 1 | Behind NAT GW |
AWS | App Stack | 1/3 | - | 1 | Behind NAT GW |
Site Differences
This chapter explains the difference between the deployment of a single-node site with a single interface and three-node sites with multi-NIC interfaces.
One Node Single Interface Site Differences (Mesh/App Stack)
Both the F5 Distributed Cloud App Stack and single-NIC Mesh sites have a single interface and are therefore similar when it comes to deployment.
Important: It is the same procedure for one node single-NIC Mesh and App Stack sites.
For single-NIC Mesh sites, the following are key differences:
- Only the SLO interface is needed instead of both SLO and SLI. No need to add a second network interface.
- The Elastic IP address assignment becomes easier since you can directly assign the address to the instance. No need to configure the SLO for a two-NIC configuration.
- For an App Stack Site, you need to add the Site using the Multi-Cloud Network Connect > Manage > Site Management > App Stack Sites page and not through the Secure Mesh Sites page.
- For an App Stack Site, F5 recommends 100 GB for storage.
Three Node Cluster Site Differences
Important: It is the same procedure for three-node multi-NIC Mesh and three-node App Stack sites.
The following are key differences:
- When creating the instance, consider leveraging the Number of instances option to automatically create three instances. This avoids repeating the process for each instance and ensures uniform configuration.
- Ensure each instance has a unique name to make operation easier.
- The security group must allow communication between the nodes (intra-cluster communication). In this procedure, the security group is updated to enable this communication. However, you can also use IP-based rules.
- Same tagging structure.
- Three pending registration requests appear in Console. As with single-node configurations, you must create the Secure Mesh Site object and add the internal interface to each F5 CE virtual machine before accepting those registration requests.
- A Secure Mesh Site has the same configuration as a single-node site, with the only difference being three nodes. Note that the node name can be whatever you decide. For an App Stack Site, you must add the site using the Multi-Cloud Network Connect > Manage > Site Management > App Stack Sites page and not through the Secure Mesh Sites page.
- You must approve the three pending registration requests one by one. Each cluster name (site name) must be the same. It is important to update the cluster size to 3. This must be repeated for each of the three registration requests.
- For the tags, ensure that all three instances share the same tags, except the Name tag, which does not provide any value for registration. This is the same procedure as for single-node sites.
Sites Behind AWS NAT Gateway
For scenarios where there is a requirement to have the CE site deployed without a public IP address, you can place the CE behind a NAT Gateway.
If you are deploying a site in this scenario, there are a few differences to note:
- There is no public IP association with the CE(s).
- You must ensure the CE can reach the Internet through its SLO interface.
- From the AWS side, ensure that the route table of the SLO subnet has a default route (0.0.0.0/0) that points to the NAT Gateway.
- The NAT Gateway is a zonal object. In other words, it belongs to one availability zone. Therefore, in the case of a three-node CE cluster, you might want to deploy additional NAT Gateways for high availability.
Prerequisites
The following prerequisites apply:
- A Distributed Cloud Services Account. If you do not have an account, see Create an Account.
- An account with AWS. See Required Access Policies for the permissions needed to deploy a site. To create a cloud credentials object, see Cloud Credentials.
- Resources required per node: Minimum 4 vCPUs and 14 GB RAM.
- F5 assumes that the VPC exists with a minimum of two subnets: one for the Site Local Outside (SLO) and one for the Site Local Inside (SLI). The CE generally references the SLO interface as eth0 and the SLI interface as eth1.
- Internet Control Message Protocol (ICMP) needs to be opened between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed for the intra-cluster communication checks.
Procedure
The following procedure provides instructions for deploying a single-node Mesh site with dual interfaces (ingress/egress) to an AWS VPC using the AWS Console.
Create IAM Policy and Role
You must create an IAM role that will be attached to the CE site, with minimal permissions configured for that role using an IAM policy.
Step 1: Navigate to policy creation page.
- In AWS Console, navigate to the IAM service.
- Under Access management, click Policies and then click Create policy.
Step 2: Create and configure IAM policy.
- From the Service menu, select EC2.
- In the Filter Actions box, search for and select the DescribeInstances and DescribeTags permissions.
- Alternatively, you can add the actions using the JSON option:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeTags"
      ],
      "Resource": "*"
    }
  ]
}
```
- Click Next.
- Enter a Policy name and an optional short description.
- Click Create policy.
- Confirm the policy was created.
Step 3: Create and configure IAM role.
- Under Access management, click Roles and then click Create role.
- Confirm AWS service is selected.
- From the Service or use case menu, select EC2. Then click Next.
- In the search box, find and select the policy previously created.
- Click Next.
- Enter a Role name and short description. Ensure that the role name and description clearly relate to the policy.
- Click Create role.
Create CE Security Group
You must create a security group that will attach to the CE site.
Step 1: Navigate to security group creation page.
- Navigate to the EC2 service.
- In AWS Console, under Network & Security, click Security Groups.
- Click Create security group.
Step 2: Create and configure security group.
Enter a Security group name and short description.
Step 2.1: Create inbound rules.
- Under the Inbound rules section, click Add rule. Ensure you add rules for the following:
  - SSH from your public address. AWS can determine the public IP address that you are configuring from and allow it. You can also use the custom option and enter your corporate public address space.
  - ICMP for troubleshooting.
  - TCP port 65500 for the local UI on the CE.
  - For three-node clusters, ensure that traffic is allowed between the nodes.
- Important: When creating load balancers to publish applications, you will need to add additional rules in your security group to accept the traffic that comes to your virtual IP address (VIP).
Step 2.2: Create outbound rules.
- For the Outbound rules section, select the All traffic option to create an allow-all policy for egress traffic.
- Click Create security group. Afterwards, verify the rules were created properly.
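As an added check (example code, not part of the F5 guide), the following Python audits a security group's inbound rules, in the shape `aws ec2 describe-security-groups` returns under IpPermissions, against the rules this step requires: SSH and the TCP/65500 local UI only from your admin address range, ICMP present, and the group allowing traffic from itself for the intra-cluster case. The admin range, the group ID and the sample rules are constructed.

```python
from ipaddress import ip_network

# Constructed values: the admin address range and the CE group's own ID.
ADMIN_CIDR = "203.0.113.0/24"
CE_GROUP_ID = "sg-0ce"

def _sources(rule):
    """CIDR and security-group sources of one IpPermissions entry."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    groups = [g["GroupId"] for g in rule.get("UserIdGroupPairs", [])]
    return cidrs, groups

def _covers(rule, proto, port):
    """True if the rule allows `port` over `proto` ("-1" is all traffic)."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("IpProtocol") == proto and rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)

def _within(cidr, admin):
    net = ip_network(cidr, strict=False)
    return net.version == admin.version and net.subnet_of(admin)

def audit_inbound(rules, admin_cidr=ADMIN_CIDR, own_group=CE_GROUP_ID):
    """Return sorted findings; an empty list means SSH and TCP/65500 are reachable
    only from the admin range, ICMP is allowed, and the group allows itself."""
    admin = ip_network(admin_cidr)
    present = {"ssh": False, "ui": False, "icmp": False, "cluster": False}
    findings = set()
    for rule in rules:
        cidrs, groups = _sources(rule)
        for name, port in (("ssh", 22), ("ui", 65500)):
            if cidrs and _covers(rule, "tcp", port):
                present[name] = True
                for c in cidrs:
                    if not _within(c, admin):
                        findings.add(f"{name} (tcp/{port}) allowed from {c}, outside {admin_cidr}")
        if rule.get("IpProtocol") in ("icmp", "-1") and (cidrs or groups):
            present["icmp"] = True
        if own_group in groups:
            present["cluster"] = True
    findings.update(f"missing required rule: {k}" for k, ok in present.items() if not ok)
    return sorted(findings)

# Constructed sample: SSH from one admin host, local UI open to the world, ICMP, and all traffic from the group itself.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "tcp", "FromPort": 65500, "ToPort": 65500, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0ce"}]},
]
```

Running `audit_inbound(SAMPLE_RULES)` flags only the wide-open local UI rule; narrowing that rule to the admin range yields no findings.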
Create SSH Key Pairs
You need to create key pairs for SSH login into the EC2 instance for troubleshooting purposes.
Step 1: Navigate to SSH key creation page.
- In AWS Console, under Network & Security, click Key Pairs.
- Click Create key pair.
Step 2: Configure SSH key pairs.
- Enter a key pair name.
- Select the key pair type.
- Select the key pair format.
- After you finish, click Create key pair.
- Afterwards, verify that the keys were created properly.
- Download the key pair locally to your machine. You will need the key pair to log into the CE node.
Locate AMI ID and Hardware Image
Specific information is required to deploy a CE site. For example, you will need to know your site type, number of interfaces, and region. This information helps you determine and locate the F5 Distributed Cloud Services certified hardware image and Amazon Machine Image (AMI) ID. Note that each AMI ID corresponds to a certified hardware image.
Only this information is required to derive the AMI ID:
- The cloud provider (AWS) in which you are deploying the Site.
- Whether you are deploying a Mesh Site or an App Stack Site.
- For a Mesh Site, single-NIC or multi-NIC.
- The cloud provider region in which you plan to deploy the CE nodes.
As an example, if you are deploying a multi-NIC node in us-west-1:
- Region: us-west-1
- Site Type: Mesh
For the example above, the AMI ID ami-0858c196c17ebf057 corresponds to the F5 Distributed Cloud Services hardware image aws-byol-multi-nic-voltmesh.
- To locate and download the AMI file, navigate to F5 Distributed Cloud Services AMI.
- In the table, use the Region and AMI columns to search for your AMI file.
Existing VPC Details
In this example, a dual-interface single-node CE site is being deployed. Since the site has two interfaces, two subnets are required: one for SLI and the other for SLO. Both of these subnets are in the same Availability Zone (AZ), which is us-west-1c.
Note that workload subnets are generally used but are not a requirement to deploy a CE site.
Create Elastic IP
Create an Elastic IP to attach to the site.
Step 1: Navigate to Elastic IP creation page.
- Under Virtual private cloud, select Elastic IPs.
- Click Allocate Elastic IP address.
Step 2: Configure Elastic IP address(es).
- Click Add new tag.
- Enter a tag key and an optional value.
- Click Allocate.
Create Site Token
Create a site token or use an existing token. If you are configuring a multi-node site, use the same token for all nodes. To create the token, see the Create Secure Mesh Site guide.
Modify the EC2 User Data File
Download the raw .yml file to your machine and input the value of the site token into the Token field. See GitHub User Data File for more information. Afterwards, save the file on your machine as you will need it for the user data when creating the F5 CE virtual machine.
```yaml
#cloud-config
#only value to be modified is token
write_files:
  - path: /etc/hosts
    content: |
      # IPv4 and IPv6 localhost aliases
      127.0.0.1 localhost
      127.0.0.1 vip
    permissions: 0644
    owner: root
  - path: /etc/vpm/config.yaml
    permissions: 0644
    owner: root
    content: |
      Vpm:
        ClusterType: ce
        Token: #token value here
        MauricePrivateEndpoint: https://register-tls.ves.volterra.io
        MauriceEndpoint: https://register.ves.volterra.io
        CertifiedHardwareEndpoint: https://vesio.blob.core.windows.net/releases/certified-hardware/aws.yml
      Kubernetes:
        EtcdUseTLS: True
        Server: vip
```
Note that everything after # on the Token line is a YAML comment, so Token stays empty until you replace the placeholder with the token value.
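The following Python (an added example, not the guide's or F5's code) fills the Token placeholder of the template above programmatically and checks the result before you paste it into the instance's user data. The token value used is constructed; the only assumption is that the template is unchanged apart from that line.

```python
import re

# The guide's user data template; only the Token line is meant to change.
TEMPLATE = """\
#cloud-config
#only value to be modified is token
write_files:
  - path: /etc/hosts
    content: |
      # IPv4 and IPv6 localhost aliases
      127.0.0.1 localhost
      127.0.0.1 vip
    permissions: 0644
    owner: root
  - path: /etc/vpm/config.yaml
    permissions: 0644
    owner: root
    content: |
      Vpm:
        ClusterType: ce
        Token: #token value here
        MauricePrivateEndpoint: https://register-tls.ves.volterra.io
        MauriceEndpoint: https://register.ves.volterra.io
        CertifiedHardwareEndpoint: https://vesio.blob.core.windows.net/releases/certified-hardware/aws.yml
      Kubernetes:
        EtcdUseTLS: True
        Server: vip
"""

PLACEHOLDER = re.compile(r"^(\s*Token:)\s*#token value here\s*$", re.M)

def valid_token(token):
    """A token must be one bare word: whitespace, '#' or quotes would change
    how YAML parses the line (or turn the value into a comment again)."""
    return bool(token) and re.search(r"[\s#\"']", token) is None

def render_user_data(token, template=TEMPLATE):
    """Return the user data with the site token filled in, or raise ValueError."""
    if not valid_token(token):
        raise ValueError("site token must be a single bare word")
    rendered, n = PLACEHOLDER.subn(lambda m: f"{m.group(1)} {token}", template)
    if n != 1:
        raise ValueError("template must contain exactly one Token placeholder")
    if not rendered.startswith("#cloud-config\n"):
        raise ValueError("cloud-init requires '#cloud-config' as the first line")
    return rendered

def token_in(user_data):
    """Token value a YAML parser would see in `user_data`, or None if unset."""
    m = re.search(r"^\s*Token:\s*(\S+)\s*$", user_data, re.M)
    return m.group(1) if m else None
```

`token_in(TEMPLATE)` returns None, which is exactly what the CE would see if the placeholder is left in place.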
Create the CE Virtual Machine
Create the F5 CE EC2 instance using the previously created parameters. It is recommended that you create a table and fill it with the information prior to deploying the CE EC2 instance.
See table below for example parameters and explanations used for this procedure.
Parameter | Value | Notes |
---|---|---|
Name | f5-ce | Name of CE site. |
Region | us-west-1 | Name of AWS region in which site is deployed. |
AMI ID | ami-0b91438f4f4bc1af9 | This is the AMI ID. |
Certified Hardware Name | aws-byol-multi-nic-voltmesh | This is the certified hardware name. |
Instance Type | t3.xlarge | Minimum instance requirements: 4 vCPUs, 14 GB RAM, 80 GB storage for Mesh nodes, and 100 GB storage for App Stack. |
VPC Name | f5-ce-vpc | Name of the AWS VPC in which the site is deployed. |
VPC ID | vpc-03d062399d80cc2d1 | Existing VPC. |
SLO Subnet ID | subnet-0783f900a3e4d3023 | Existing subnet. |
SLI Subnet ID | subnet-04eb734ccad49fa88 | Existing subnet. |
Key Pair | f5-ce-keypair | Key pair created in AWS Console. |
Security Groups | f5-ce-security-group | Name of security group created in AWS Console. |
IAM Instance Profile | f5-ce-iam-role | Name of IAM profile created in AWS Console. |
Elastic IP Address | f5-ce-ip | Name of Elastic IP address created in AWS Console. |
Tag: site name | f5-ce | Optional tag. |
Tag: ves-io-site-name | f5-ce-demo | Mandatory tag (equals site name). |
Tag: kubernetes.io/cluster/<site-name> (in this example, kubernetes.io/cluster/f5-ce-demo) | Owned | Mandatory tag. Note that the value after /cluster/ is the site name. |
Site Name | f5-ce-demo | Equals ves-io-site-name value. |
Token | Confidential. Value varies. | Value for site token ID generated in F5 Console. |
Storage | 80 GiB/100 GiB (App Stack) recommended. | Minimum disk space that is required. |
Step 1: Configure tags.
After you have set the site name, click Add additional tags to add the required tags.
Note: Without the tags labeled as mandatory, the site will not register.
Step 2: Configure instance type.
- Select the AMI per the parameters in the table above.
- Select the instance type. Note that t3.xlarge is the minimum instance type required to run the F5 CE software.
- Select the key pair.
Step 3: Configure network interface(s).
- Select the VPC, subnet (SLO), and security groups referenced in the parameters table above. The subnet chosen is the subnet for Network interface 1 (SLO). Labeling the subnets helps you place the interface in the SLO subnet. Ensure that Auto-assign public IP is disabled, as an Elastic IP address is used instead.
- Under Advanced network configuration, enter a description for the SLO interface. Network interface 1 is SLO and is placed in the SLO subnet.
- Similarly, enter a description for the SLI interface. Network interface 2 is SLI and is placed in the SLI subnet.
- Ensure that the same security group applies to both interfaces.
Step 4: Configure network storage.
- Configure the storage requirement (80 GiB) and select the IAM instance profile (Role) per the parameters table above.
- Copy and paste the modified user data file into the User data box.
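An added example (not from the F5 guide) that checks the tags from the parameters table before launch, covering the single-node case, the three-node rule that all instances share the same tags except Name, and the later registration requirement that the site name and ves-io-site-name agree. The instance IDs and tags are constructed; the lowercase owned value for the kubernetes.io/cluster/<site-name> tag is an assumption based on the table's Owned entry.

```python
# Assumption: the kubernetes.io/cluster/<site-name> tag carries the value "owned".
CLUSTER_TAG_VALUE = "owned"

def cluster_tag_key(site_name):
    """Mandatory tag key: the part after /cluster/ is the site name."""
    return f"kubernetes.io/cluster/{site_name}"

def check_site_tags(site_name, instances, expected_nodes=1):
    """instances maps an instance ID to its tag dict. Returns a list of
    problems (empty means the tags are ready for registration): the site
    tag must equal site_name on every node, the cluster tag must be present,
    Name must be unique per node, and all other tags must be identical."""
    problems = []
    if len(instances) != expected_nodes:
        problems.append(f"expected {expected_nodes} node(s), found {len(instances)}")
    names = [t.get("Name") for t in instances.values()]
    if len(set(names)) != len(names):
        problems.append("Name tag must be unique per instance")
    shared = None
    for inst, tags in instances.items():
        if tags.get("ves-io-site-name") != site_name:
            problems.append(f"{inst}: ves-io-site-name must equal {site_name!r}")
        if tags.get(cluster_tag_key(site_name)) != CLUSTER_TAG_VALUE:
            problems.append(f"{inst}: missing {cluster_tag_key(site_name)}={CLUSTER_TAG_VALUE}")
        rest = {k: v for k, v in tags.items() if k != "Name"}
        if shared is None:
            shared = rest
        elif rest != shared:
            problems.append(f"{inst}: tags differ from the first node (Name excepted)")
    return problems

# Constructed three-node sample: the third node carries the wrong site tag.
SITE = "f5-ce-demo"
NODES = {
    "i-0aaa": {"Name": "f5-ce-1", "ves-io-site-name": SITE, cluster_tag_key(SITE): "owned"},
    "i-0bbb": {"Name": "f5-ce-2", "ves-io-site-name": SITE, cluster_tag_key(SITE): "owned"},
    "i-0ccc": {"Name": "f5-ce-3", "ves-io-site-name": "f5-ce", cluster_tag_key(SITE): "owned"},
}
```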
Associate the Elastic IP Address to SLO Interface
After the EC2 instance is created, you need to associate the previously created Elastic IP per the parameters table.
Step 1: Note down information.
Note down the SLO interface ID by navigating to the Networking tab of the f5-ce instance and getting the elastic network interface (ENI) ID of the SLO. Keep this information as you will need it to assign the Elastic IP to the interface.
Step 2: Associate IP address to interface.
- Select the Elastic IP address and then navigate to Actions > Associate Elastic IP address.
- Enter the ENI ID.
- Click Associate.
Register Site
In Distributed Cloud Console, perform additional site registration configuration and create secure mesh site.
Step 1: Visually confirm requests appear.
- In Distributed Cloud Console, navigate to the site registrations page.
- Under the Pending Registrations tab, confirm the registration request appears, but do not accept it.
- If you cannot see the Cluster Name, check under the Other Registrations tab.
Step 2: Create secure mesh site.
- Navigate to Manage > Site Management > Secure Mesh Sites.
- Click Add Secure Mesh Site.
- In the form, add a name for the site. Ensure that the Name is the same as the tag value for ves-io-site-name.
- For the Generic Server Certified Hardware value, copy the value from the parameters table above.
- For the master node configuration, enter a name. The node name can be any name you desire.
- Enter values for Longitude and Latitude that reflect the CE's location and ensure the CE registers to the nearest regional edge (RE).
- After you finish with configuration, click Save and Exit.
Step 3: Change fields to match site name.
- On the site Registrations page, for your site, change the Cluster Name to match the Site Name and ves-io-site-name. All three values must match.
- Click Save and Exit. After a few minutes, the site status changes to ADMITTED.
Troubleshooting
For troubleshooting and opening a support case, see the Troubleshooting Manual Site Deployment Registration Issues guide. It provides step-by-step instructions to debug and resolve the issues that may arise due to Distributed Cloud published Terraform errors, networking and security misconfiguration, or CE internal process issues. The guide also provides instructions for contacting the F5 Distributed Cloud Support Team if you are unable to resolve the issue.