Deploy Site with GCP Console ClickOps

Objective

This guide provides instructions on how to create a customer edge (CE) site using the Google Cloud Provider (GCP) Console and deploy to a GCP VPC. For more information on sites, see F5® Distributed Cloud Site.

Site Types and Scenarios

The scenarios below in the table have been tested successfully. The Network Address Translation Gateway (NAT GW) device in Table 1 references the GCP NAT Gateway. However, technically this should also work with third-party firewalls.

Note: In the Number of Nodes column, 1/3 indicates 1 or 3 nodes. An App Stack site can be configured with up to 128 worker nodes total.

Considerations for Sites Behind NAT Gateway

In a regular deployment, each CE node has an External IP address associated with the Site Local Outside (SLO) interface, and the SLO route table routes the outgoing traffic via the Internet Gateway using the External IP address as the NAT IP address. But for scenarios where there is a requirement to have the CE site deployed without a public IP address, you can place the CE site behind a NAT Gateway. This can be the GCP Cloud NAT or any third-party instance, like a firewall used as a NAT gateway.

If you are deploying a site in this scenario, there are a few differences to note:

• There is no public IP association with the CE(s).

• You must ensure the CE can get to the Internet through its SLO interface.

• From the GCP side, ensure that the routing table from the SLO subnet has a default route 0.0.0.0/0 that points to the NAT Gateway.

• The NAT Gateway is a zonal object. In other words, it belongs to one availability zone. Therefore, in the case of a three-node CE cluster, you might want to deploy additional NAT Gateways for high availability.

Prerequisites

The following prerequisites apply:

• A Distributed Cloud Services Account. If you do not have an account, see Create an Account.

• An account with GCP. See Required Access Policies for permissions needed to deploy site. To create a cloud credentials object, see Cloud Credentials.

• An official F5 Distributed Cloud Services GCP image.

• Resources required per node: Minimum 4 vCPUs and 14 GB RAM.

• F5 assumes that the resource group exists with a virtual network, including a minimum of two subnets: one for the Site Local Outside (SLO) and one for the Site Local Inside (SLI). The CE generally references the SLO interface as eth0 and the SLI interface as eth1.

• For a single-NIC deployment (ingress gateway/Mesh or App Stack), only a single subnet (SLO) is required.

• Internet Control Message Protocol (ICMP) needs to be opened between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed to ensure intra-cluster communication checks.

Procedure

This procedure provides instructions for creating a Secure Mesh Site with two interfaces (ingress/egress) on a GCP VPC using GCP Console. Most of the objects and configurations are the same for single-node and multi-node sites.

Create GCP VPC Networks

Create two VPC networks to attach to the Site Local Outside (SLO) and Site Local Inside (SLI), respectively. Each of the VPC networks must have one subnet.

• In GCP Console, navigate to your VPC network.

• Click CREATE VPC NETWORK.

• In the Name field, enter a name for the outside network subnet, and then click ADD SUBNET.

• Configure the outside subnet details, and then click DONE.

• Keep other configuration parameters as default and click CREATE to finish.

• Perform the same procedure for the inside (SLI) network.

Create Firewall Rules

Create ingress and egress firewall rules for both inside and outside VPC networks (from the previous section).

Step 1: Configure ingress rules for SLI.

• For your VPC, locate and select the SLI network.

• Select the FIREWALLS tab, and then click ADD FIREWALL RULE.

• Create Ingress rule for the inside network that allows traffic from the 0.0.0.0/0 network to any target with tag: f5-ce (create any tag name, as it will be used to identify the VM instance).

• Under Protocols and port, select Allow all and click CREATE.

Step 2: Configure egress rules for SLI.

• Select the FIREWALLS tab, and then click ADD FIREWALL RULE.

• Create Egress rule for the inside network that allows traffic to the 0.0.0.0/0 network from target with tag: f5-ce.

• Under Protocols and port, select Allow all and click CREATE.

• Verify the rules.

Step 3: Configure ingress/egress rules for SLO.

• Select the outside network and repeat steps 1 and 2 above to create the same ingress and egress rules for SLO.

• Verify the rules.

Import and Configure F5 CE Image

Import the official F5 CE image file into GCP, and then configure its parameters.

Step 2: Upload and configure image.

• In GCP Console, navigate to Images under Storage section in Compute Engine.

• Click CREATE IMAGE.

• For the Mesh Multi-NIC image, use the following as an example:

  • Enter a Name. This example uses rhel9-20240216075746-multi-voltmesh-us-west2.

  • For Source, select Cloud Storage file.

  • Use the Cloud Storage file option to browse for and select the image file. This example uses ves-images/rhel9-20240216075746-multi-voltmesh.tar.gz.

  • For Location, select an option. This example uses Regional.

  • For Select location, select your desired location. This example uses us-west2.

  • For the Encryption option, select Google-managed encryption key.

• Click CREATE.

Create Site Token

Create a site token or use an existing token. If you are configuring a multi-node site, use the same token for all nodes. To create the token, see the Create Site Token guide.

Configure User Data for Virtual Machine

Below is the cloud config user data example for the GCP VM instance that configures the VM.

          #cloud-config
ssh_authorized_keys:
  - "ssh-rsa XXXXXXXX mypublic-rsa"
write_files:
  - path: /etc/hosts
    content: |
      # IPv4 and IPv6 localhost aliases
      127.0.0.1         localhost
      ::1               localhost
      127.0.1.1         vip
      169.254.169.254   metadata.google.internal
    permissions: 0644
    owner: root
  - path: /etc/vpm/config.yaml
    owner: root
    content: |
      Vpm:
        ClusterName: <site_name>
        ClusterType: ce
        Token: <site_token>
        MauricePrivateEndpoint: https://register-tls.ves.volterra.io
        MauriceEndpoint: https://register.ves.volterra.io
        CertifiedHardwareEndpoint: https://vesio.blob.core.windows.net/releases/certified-hardware/gcp.yml

      Kubernetes:
        EtcdUseTLS: True
        Server: vip
        

• Change the following mandatory fields:

  • ssh_authorized_keys: Enter your SSH public key.

  • ClusterName: Enter the site name for the site object created on F5 Distributed Cloud Console. This can be an App Stack Site or Secure Mesh Site.

  • Token: Enter the value for the site token created on F5 Distributed Cloud Console. This value is used to identify the tenant.

Deploy Multi-Node Site

Follow these steps to create a multi-node Secure Mesh Site.

Reserve External IP Addresses

Create three external IP addresses and give each a name. These IP addresses are used later for the virtual machine instances.

• In VPC network, navigate to IP addresses. Then click RESERVE EXTERNAL STATIC IP ADDRESS.

• Enter a Name.

• Under Network Service Tier, select an option.

• Confirm Region and other parameters are configured correctly.

• Repeat the above steps to create two more External Static IP addresses. For example, create f5-ce-esip-02 and f5-ce-esip-03 for node two and node three of your site.

Create the F5 Customer Edge Node Instances

Create the F5 CE VM instances in GCP.

• In Compute Engine, under Virtual machines, click VM instances.

• Click CREATE INSTANCE.

• Use the following table help with the example parameters:

• Enter VM name with desired region and zone. For machine configuration, N1 series is selected and the Machine Type is n1-standard-4.

• Select default values for Availability policies, Confidential VM service and Container.

• Click CHANGE to configure Boot disk. Select CUSTOM IMAGES tab and use the previously uploaded F5 CE image with Boot disk type as Standard persistent disk.

• Select default values for Identity and API access and empty firewall configuration.

• For Network tags, use the network tag created during the VPC network configuration. Enable IP forwarding.

• In Network interfaces page, first configure the Site Local Outside network that has Internet connectivity. Use the previously configured external static IP addresses for this interface. This interface will be discovered as eth0 on the VM.

• Add another network interface for Site Local Inside network. This interface will be discovered as eth1 on the VM. The SLI network does not require Internet connectivity.

• In Security, configure the SSH Key that was also used during user data configuration in a previous step.

• In Management, add the two key-value pairs per the table above.

• Click CREATE.

• Repeat the above steps to create two more VM instances for node two and node three, respectively. Ensure that you are naming the instances (f5-ce-node-2 and f5-ce-node-3), their zones, and the external IP addresses correctly.

Deploy Single-Node Site

Follow these steps to create a single-node Secure Mesh Site.

Reserve External IP Address

Create an external IP address and give it a name. This IP address is used later for the virtual machine instance.

• In VPC network, navigate to IP addresses. Then click RESERVE EXTERNAL STATIC IP ADDRESS.

• Enter a Name.

• Under Network Service Tier, select an option.

• Confirm Region and other parameters are configured correctly.

Create the F5 Customer Edge Node Instance

Create the F5 CE VM in GCP.

• In Compute Engine, under Virtual machines, click VM instances.

• Click CREATE INSTANCE.

• Use the following table help with the example parameters:

• Enter VM name with desired region and zone. For machine configuration, N1 series is selected and the Machine Type is n1-standard-4.

• Select default values for Availability policies, Confidential VM service and Container.

• Click CHANGE to configure Boot disk. Select CUSTOM IMAGES tab and use the previously uploaded F5 CE image with Boot disk type as Standard persistent disk.

• Select default values for Identity and API access and empty firewall configuration.

• For Network tags, use the network tag created during the VPC network configuration. Enable IP forwarding.

• In Network interfaces page, first configure the Site Local Outside network that has Internet connectivity. Use the previously configured external static IP Address for this interface. This interface will be discovered as eth0 on the VM.

• Add another network interface for Site Local Inside network. This interface will be discovered as eth1 on the VM. The SLI network does not require Internet connectivity.

• In Security, configure the SSH Key that was also used during user data configuration in a previous step.

• In Management, add the two key-value pairs per the table above.

• Click CREATE.

Create and Register Site

Follow the Secure Mesh or App Stack site creation guides to create a site object on F5 Distributed Cloud Console.

Troubleshooting

For troubleshooting and opening a support case, see the Troubleshooting Manual Site Deployment Registration Issues guide. It provides step-by-step instructions to debug and resolve the issues that may arise due to Distributed Cloud published Terraform errors, networking and security misconfiguration, or CE internal process issues. The guide also provides instructions for contacting the F5 Distributed Cloud Support Team if you are unable to resolve the issue.

Concepts

• System Overview
• Core Concepts
• Networking
• F5 Distributed Cloud Site

References

• GCP VPC Permissions
• Create GCP Site