Customer-driven Site Deployment Using AWS and F5 Distributed Cloud Terraform Modules

Introduction and Problem Scope

F5 Distributed Cloud Mesh’s Secure Networking provides connectivity and security services for your applications running on the Edge, Private Clouds, or Public Clouds. This simplifies the deployment and configuration of connectivity and security services for your Multi-Cloud and Edge Cloud deployment needs across heterogeneous environments.

F5 Distributed Cloud Services leverages the “Site” construct to deploy our Secure Mesh or AppStack Site instances to manage workloads. A Site could be a customer location like AWS, Azure, GCP (Google Cloud Platform), private cloud, or an edge site. To run F5 Distributed Cloud Services, the site needs to be deployed with one or more instances of F5 Distributed Cloud Node, a software appliance that is managed by F5 Distributed Cloud Console. This site is where customer applications and F5 Distributed Cloud services are running.

To deploy a Node, different options are available: 

 

Customer deployment topology description

We will explain the above steps in the context of a greenfield deployment, the Terraform scripts of which are available here. The corresponding logical topology view of this deployment is shown in Fig.2.

This deployment scenario instantiates the following resources:

  • Single-node CE cluster
  • AWS SLO interface
  • AWS VPC
  • AWS SLO interface subnet
  • AWS route tables
  • AWS Internet Gateway
  • Assign AWS EIP to SLO

The objective of this deployment is to create a Site with a single CE node in a new VPC for the provided AWS region and availability zone. The CE will be created as an AWS EC2 instance. An AWS subnet is created within the VPC. The CE Site Local Outside (SLO) interface will be attached to the VPC subnet and to the created EC2 instance. SLO is a logical interface of a site (CE node) through which external destinations are reached (e.g. the Internet or other services outside the public cloud site). To enable reachability to the Internet, the default route of the CE node will point to the AWS Internet gateway. The SLO will also be configured with an AWS External IP address (Elastic IP).

Fig.2. Customer Deployment Topology in AWS

List of Terraform input parameters provided in the vars file

Parameters must be customized to fit the customer environment. The parameters in the “terraform.tfvars” file are defined in the table below.

Parameter                   Definition
owner                       Identifies the email of the IT manager used to authenticate to the AWS system
project_prefix              Prefix that will be used to identify the resource objects in AWS and XC.
project_suffix              The suffix that will be used to identify the site’s resources in AWS and XC
ssh_public_key_file         Local file system’s path to ssh public key file
f5xc_tenant                 Full F5XC tenant name
f5xc_api_url                F5XC API url
f5xc_cluster_name           Name of the Cluster
f5xc_api_p12_file           Local file system path to api_cert_file (downloaded from XC Console)
aws_region                  AWS region for the XC Site
aws_existing_vpc_id         Existing VPC ID (brownfield)
aws_vpc_cidr_block          CIDR Block of the VPC
aws_availability_zone       AWS Availability Zone (a)
aws_vpc_slo_subnet_node0    AWS Subnet in the VPC for the SLO subnet

Configuring other environmental variables

Export the following environment variables in the working shell, setting them to match the customer’s deployment context.

Environment Variable                 Definition
AWS_ACCESS_KEY                       AWS Access key for authentication
AWS_SECRET_ACCESS_KEY                AWS Secret key for authentication
VES_P12_PASSWORD                     XC P12 Password from Console
TF_VAR_f5xc_api_p12_cert_password    Same as VES_P12_PASSWORD

Deploy Topology

Deploy the topology with: 

  • terraform init 
  • terraform plan 
  • terraform apply -auto-approve

And monitor the status of the Sites on the F5 Distributed Cloud Services Console.  

The created site object will be available in the Secure Mesh Site section of the F5 Distributed Cloud Services Console.
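A preflight check for the inputs described above, to be run before the terraform commands. This is an added example, not part of the F5 Terraform scripts: the function names `tfvar` and `preflight` are hypothetical, and it assumes the two file paths appear as quoted strings in terraform.tfvars. It reports secrets by variable name only and flags a P12 credential file that is accessible to group or other.

```shell
#!/bin/sh
# Added example: preflight check for the tfvars and environment inputs.
# Helper names are hypothetical; variable names are the ones listed on the page.

# Print the quoted string value of key $2 from tfvars file $1.
tfvar() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Print one finding per line; return 0 only when there are no findings.
preflight() {
    tfvars=$1
    rc=0
    # 1. Every secret must be exported and non-empty.
    #    Only the variable name is printed, never its value.
    for name in AWS_ACCESS_KEY AWS_SECRET_ACCESS_KEY VES_P12_PASSWORD \
                TF_VAR_f5xc_api_p12_cert_password; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || { echo "MISSING env $name"; rc=1; }
    done
    # 2. Both password variables must carry the same value.
    if [ "${VES_P12_PASSWORD:-}" != "${TF_VAR_f5xc_api_p12_cert_password:-}" ]; then
        echo "MISMATCH VES_P12_PASSWORD vs TF_VAR_f5xc_api_p12_cert_password"; rc=1
    fi
    # 3. The API credential file must exist with no group/other permissions.
    p12=$(tfvar "$tfvars" f5xc_api_p12_file)
    if [ ! -f "$p12" ]; then
        echo "MISSING file f5xc_api_p12_file=$p12"; rc=1
    elif [ "$(ls -ldL "$p12" | cut -c5-10)" != "------" ]; then
        echo "PERMS $p12 is accessible to group/other (chmod 600)"; rc=1
    fi
    # 4. ssh_public_key_file must point at a public key, not a private one.
    key=$(tfvar "$tfvars" ssh_public_key_file)
    if [ ! -f "$key" ]; then
        echo "MISSING file ssh_public_key_file=$key"; rc=1
    elif grep -q "PRIVATE KEY" "$key"; then
        echo "PRIVATE-KEY $key contains private key material"; rc=1
    fi
    return $rc
}
```

Call it as `preflight terraform.tfvars && terraform plan` so that a finding stops the run before any credential is used.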

Video-based description of the deployment Scenario

This demonstration video shows the procedure for provisioning the deployment topology described above in three steps.


Published Jun 26, 2024
Version 1.0