Customer-driven Site Deployment Using AWS and F5 Distributed Cloud Terraform Modules

Introduction and Problem Scope

F5 Distributed Cloud Mesh’s Secure Networking provides connectivity and security services for your applications running on the Edge, Private Clouds, or Public Clouds. This simplifies the deployment and configuration of connectivity and security services for your Multi-Cloud and Edge Cloud deployment needs across heterogeneous environments.

F5 Distributed Cloud Services leverages the “Site” construct to deploy our Secure Mesh or AppStack Site instances to manage workloads. A Site could be a customer location like AWS, Azure, GCP (Google Cloud Platform), private cloud, or an edge site. To run F5 Distributed Cloud Services, the site needs to be deployed with one or more instances of F5 Distributed Cloud Node, a software appliance that is managed by F5 Distributed Cloud Console. This site is where customer applications and F5 Distributed Cloud services are running.

To deploy a Node, different options are available: 


Customer deployment topology description

We will explain the above steps in the context of a greenfield deployment, the Terraform scripts of which are available here. The corresponding logical topology view of this deployment is shown in Fig.2.

This deployment scenario instantiates the following resources:

  • Single-node CE cluster
  • AWS SLO interface
  • AWS SLO interface subnet
  • AWS route tables
  • AWS Internet Gateway
  • Assign AWS EIP to SLO

The objective of this deployment is to create a Site with a single CE node in a new VPC for the provided AWS region and availability zone. The CE will be created as an AWS EC2 instance. An AWS subnet is created within the VPC. The CE Site Local Outside (SLO) interface will be attached to the VPC subnet and the created EC2 instance. The SLO is a logical interface of a site (CE node) through which external destinations (e.g. the Internet or other services outside the public cloud site) are reached. To enable reachability to the Internet, the default route of the CE node will point to the AWS Internet Gateway. The SLO will also be configured with an AWS external IP address (Elastic IP).

Fig.2. Customer Deployment Topology in AWS

List of Terraform input parameters provided in the vars file

Parameters must be customized to adapt to the customer environment. The parameters in the “terraform.tfvars” file are described below.

  • Identifies the email of the IT manager used to authenticate to the AWS system
  • Prefix that will be used to identify the resource objects in AWS and XC
  • The suffix that will be used to identify the site’s resources in AWS and XC
  • Local file system path to the SSH public key file
  • Full F5XC tenant name
  • F5XC API URL
  • Name of the Cluster
  • Local file system path to api_cert_file (downloaded from XC Console)
  • AWS region for the XC Site
  • Existing VPC ID (brownfield)
  • CIDR Block of the VPC
  • AWS Availability Zone (a)
  • AWS Subnet in the VPC for the SLO subnet


Configuring other environmental variables

Export the following environment variables in the working shell, setting them to match the customer’s deployment context.

Environment Variables

  • AWS Access key for authentication
  • AWS Secret key for authentication
  • XC P12 Password from Console
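A pre-flight check that can gate the Terraform run on the inputs described above: the three secrets are exported, the API certificate file is private, and terraform.tfvars holds no inline credentials. This is an added example, not part of the F5 Terraform modules; the variable names AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and VES_P12_PASSWORD (those read by the AWS and F5 Distributed Cloud Terraform providers), the function names and the file paths are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before `terraform init`.
# Assumed names: environment variables read by the AWS and F5 XC providers.
REQUIRED_ENV="AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY VES_P12_PASSWORD"

# Succeeds only if every required variable is exported (printenv) and non-empty.
check_env() {
  rc=0
  for name in $REQUIRED_ENV; do
    if [ -z "$(printenv "$name")" ]; then
      echo "not exported or empty: $name" >&2
      rc=1
    fi
  done
  return $rc
}

# Succeeds only if the file exists and grants nothing to group or others.
check_private() {
  [ -f "$1" ] || { echo "not found: $1" >&2; return 1; }
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")  # GNU, then BSD
  case "$mode" in
    *00) return 0 ;;
    *) echo "mode $mode on $1 is too open (chmod 600)" >&2; return 1 ;;
  esac
}

# Heuristic: fails if the tfvars file contains an AWS access key ID or an
# assignment to a variable whose name contains "secret" or "password".
check_no_inline_secrets() {
  [ -f "$1" ] || { echo "not found: $1" >&2; return 1; }
  if grep -Eq '(AKIA|ASIA)[0-9A-Z]{16}' "$1" ||
     grep -Eiq '^[[:space:]]*[a-z0-9_]*(secret|password)[a-z0-9_]*[[:space:]]*=' "$1"; then
    echo "possible credential in $1; pass it via the environment" >&2
    return 1
  fi
}

# preflight <tfvars file> <API certificate (.p12) file>
preflight() {
  ok=0
  check_env || ok=1
  check_private "$2" || ok=1
  check_no_inline_secrets "$1" || ok=1
  return $ok
}

# Usage: ./preflight.sh terraform.tfvars /path/to/api_cert.p12 && terraform init
if [ $# -eq 2 ]; then preflight "$@"; fi
```

All three checks run even when an earlier one fails, so a single pass reports every problem on stderr.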




Deploy Topology

Deploy the topology with: 

  • terraform init 
  • terraform plan 
  • terraform apply -auto-approve

And monitor the status of the Sites on the F5 Distributed Cloud Services Console.  

The created site object will be available in the Secure Mesh Site section of the F5 Distributed Cloud Services Console.

Video-based description of the deployment Scenario

This demonstration video shows the procedure for provisioning the deployment topology described above in three steps.


Published Jun 26, 2024
Version 1.0
