How to deploy an F5XC SMSv2 site with the help of automation

To deploy an F5XC Customer Edge (CE) in SMSv2 mode with the help of automation, it is necessary to follow the three main steps below:

  1. Verify the prerequisites at the technical architecture level for the environment in which the CE will be deployed (public cloud or datacenter/private cloud)
  2. Create the necessary objects at the F5XC platform level
  3. Deploy the CE instance in the target environment

We will provide more details for all the steps as well as the simplest Terraform skeleton code to deploy an F5XC CE in the main cloud environments (AWS, GCP and Azure).


Step 1: verification of architecture prerequisites

To be deployed, a CE must have an interface (which is, and will always be, its default interface) with Internet access. This access is needed to perform the installation steps and to provide the "control plane" part of the CE. This interface is referred to as the "Site Local Outside" (SLO) interface.

This Internet access can be provided in several ways:

"Cloud provider" type site:

  • Public IP address directly on the interface
  • Private IP address on the interface and use of a NAT Gateway as default route
  • Private IP address on the interface and use of a security appliance (firewall type, for example) as default route
  • Private IP address on the interface and use of an explicit proxy

Datacenter or "private cloud" type site:

  • Private IP address on the interface and use of a security appliance (firewall type, for example) or router as default route
  • Private IP address on the interface and use of an explicit proxy
  • Also possible: public IP addresses on the interface and "direct" routing to the Internet

It is highly recommended (not to say required) to add at least a second interface at the site's first deployment, because on some infrastructures (for example GCP) it is not possible to add network interfaces after the VM has been created. Even on platforms where adding a network interface is possible, the F5XC CE must be rebooted. An F5XC SMSv2 CE can have up to eight interfaces in total.

Additional interfaces are (most of the time) used as “Site Local Inside or SLI” interfaces or "Segment interfaces" (that specific part will be covered in another article).


Basic CE flow matrix:

Interface | Direction and protocols                                                                            | Use case / purpose
----------|----------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------
SLO       | Egress – TCP 53 (DNS), TCP 443 (HTTPS), UDP 53 (DNS), UDP 123 (NTP), UDP 4500 (IPsec)              | Registration, software download and upgrade, VPN tunnels towards the F5XC infrastructure (control plane)
SLO       | Ingress – None                                                                                     | RE/CE use case; CE-to-CE use case using the F5 ADN
SLO       | Ingress – UDP 4500                                                                                 | Site Mesh Group for direct CE-to-CE secure connectivity over the SLO interface (no use of the F5 ADN)
SLO       | Ingress – TCP 80 (HTTP), TCP 443 (HTTPS)                                                           | HTTP/HTTPS load balancer on the CE for WAAP use cases
SLI       | Egress – Depends on the use case / application; if the security constraints permit it, no restriction  |
SLI       | Ingress – Depends on the use case / application; if the security constraints permit it, no restriction |

For advanced details regarding IPs and domains used for:

  • Registration / software upgrade
  • Tunnels establishment towards F5XC infrastructure

Please refer to: https://docs.cloud.f5.com/docs-v2/platform/reference/network-cloud-ref#new-secure-mesh-v2-sites
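As an added example (not part of the article or of the Prod-TF repository), the flow matrix above translated into an Azure Network Security Group for the SLO NIC, written in Terraform since that is what the rest of the procedure uses. The variable names, the resource names and the two feature flags (enable_site_mesh_group, enable_waap_lb) are assumptions for the example; the ports and directions come from the matrix. It goes a little beyond the article by making the two optional ingress rows conditional, so that only the rows a deployment actually uses are opened.

```hcl
# Added example (not the article's or the Prod-TF repository's code): Azure NSG
# for the SLO NIC, built from the flow matrix. Variable/resource names are assumed.
variable "resource_group_name" { type = string }
variable "location"            { type = string }

variable "enable_site_mesh_group" {
  type        = bool
  description = "Allow UDP 4500 inbound on SLO for direct CE-to-CE tunnels (no F5 ADN)"
  default     = false
}

variable "enable_waap_lb" {
  type        = bool
  description = "Allow TCP 80/443 inbound on SLO for HTTP/HTTPS load balancers on the CE"
  default     = false
}

resource "azurerm_network_security_group" "slo" {
  name                = "f5xc-ce-slo-nsg"
  location            = var.location
  resource_group_name = var.resource_group_name
}

locals {
  # One entry per row of the flow matrix. Every entry has the same attributes so
  # the map is a consistent type; "enabled" decides whether the rule is created.
  slo_rules = {
    # Egress the CE always needs: registration, download/upgrade, NTP, IPsec tunnels.
    "allow-out-dns-tcp"   = { dir = "Outbound", access = "Allow", proto = "Tcp", port = "53",   prio = 100,  enabled = true }
    "allow-out-https-tcp" = { dir = "Outbound", access = "Allow", proto = "Tcp", port = "443",  prio = 110,  enabled = true }
    "allow-out-dns-udp"   = { dir = "Outbound", access = "Allow", proto = "Udp", port = "53",   prio = 120,  enabled = true }
    "allow-out-ntp-udp"   = { dir = "Outbound", access = "Allow", proto = "Udp", port = "123",  prio = 130,  enabled = true }
    "allow-out-ipsec-udp" = { dir = "Outbound", access = "Allow", proto = "Udp", port = "4500", prio = 140,  enabled = true }
    # Optional ingress rows: Site Mesh Group (UDP 4500) and WAAP load balancer (TCP 80/443).
    "allow-in-ipsec-udp"  = { dir = "Inbound",  access = "Allow", proto = "Udp", port = "4500", prio = 200,  enabled = var.enable_site_mesh_group }
    "allow-in-http"       = { dir = "Inbound",  access = "Allow", proto = "Tcp", port = "80",   prio = 210,  enabled = var.enable_waap_lb }
    "allow-in-https"      = { dir = "Inbound",  access = "Allow", proto = "Tcp", port = "443",  prio = 211,  enabled = var.enable_waap_lb }
    # Everything else on SLO is denied. The outbound deny overrides Azure's
    # default AllowVnetOutBound/AllowInternetOutBound rules (priority 65000+);
    # the RE/CE and CE-to-CE-over-ADN use cases need no inbound at all.
    "deny-out-other"      = { dir = "Outbound", access = "Deny",  proto = "*",   port = "*",    prio = 4000, enabled = true }
    "deny-in-other"       = { dir = "Inbound",  access = "Deny",  proto = "*",   port = "*",    prio = 4000, enabled = true }
  }
  active_slo_rules = { for name, r in local.slo_rules : name => r if r.enabled }
}

resource "azurerm_network_security_rule" "slo" {
  for_each                    = local.active_slo_rules
  name                        = each.key
  priority                    = each.value.prio
  direction                   = each.value.dir
  access                      = each.value.access
  protocol                    = each.value.proto
  source_port_range           = "*"
  destination_port_range      = each.value.port
  # Kept at "*" for the example; narrow the egress destinations to the F5XC
  # prefixes from the reference link above if your policy requires pinning.
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = var.resource_group_name
  network_security_group_name = azurerm_network_security_group.slo.name
}
```

Attach the group to the SLO NIC with an azurerm_network_interface_security_group_association; the SLI NIC gets its own group reflecting the application flows, which the matrix leaves open on purpose. Because the egress deny sits at priority 4000, anything not listed in the matrix (including VNet-internal traffic from the SLO side) is blocked, which is the intended behaviour for an interface whose only job is the F5XC control plane.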


Step 2: creation of necessary objects at the F5XC platform level

This step will be performed by the Terraform script by:

  • Creating an SMSv2 token
  • Creating an F5XC site of SMSv2 type

API certificate and terraform variables

First, it is necessary to create an API certificate. Depending on the type of API certificate you want to create and use (user credential or service credential), please follow the instructions in our official documentation here: https://docs.cloud.f5.com/docs-v2/administration/how-tos/user-mgmt/Credentials#generate-api-certificate-for-my-credentials

or here: https://docs.cloud.f5.com/docs-v2/administration/how-tos/user-mgmt/Credentials#generate-api-certificate-for-service-credentials

In the Terraform variables, these are the ones you need to modify:
The “location of the api key” should be the full path to your API P12 file.

variable "f5xc_api_p12_file" {
  type        = string
  description = "F5XC tenant api key"
  default     = "<location of the api key>"
}

If your F5XC console URL is https://mycompany.console.ves.volterra.io then the value for the f5xc_api_url will be https://mycompany.console.ves.volterra.io/api

variable "f5xc_api_url" {
  type    = string
  default = "https://<tenant name>.console.ves.volterra.io/api"
}

When using Terraform, you also need to export the P12 certificate password as an environment variable; the volterra provider reads it from VES_P12_PASSWORD:

export VES_P12_PASSWORD=<password of P12 cert>

Creation of the SMSv2 token.

This is achieved with the following Terraform code and with the “type = 1” parameter.

#
#F5XC objects creation
#
resource "volterra_token" "smsv2-token" {
  depends_on = [volterra_securemesh_site_v2.site]
  name       = "${var.f5xc-ce-site-name}-token"
  namespace  = "system"
  type       = 1
  site_name  = volterra_securemesh_site_v2.site.name
}

Creation of the F5XC SMSv2 site.

This is achieved with the following Terraform code (example for GCP). This is where you need to configure all the options you want to be applied at site creation.

resource "volterra_securemesh_site_v2" "site" {
  name                    = format("%s-%s", var.f5xc-ce-site-name, random_id.suffix.hex)
  namespace               = "system"
  block_all_services      = false
  logs_streaming_disabled = true
  enable_ha               = false

  labels = {
    "ves.io/provider" = "ves-io-GCP"
  }

  re_select {
    geo_proximity = true
  }

  gcp {
    not_managed {}
  }
}

For instance, if you want to use a corporate proxy and have the CE tunnels pass through it, the following block should be added inside the volterra_securemesh_site_v2 resource:

custom_proxy {
  enable_re_tunnel = true
  proxy_ip_address = "10.154.32.254"
  proxy_port       = 8080
}

And if you want to force the CE-to-RE connectivity to use SSL tunnels, the following argument should be added to the same resource:

tunnel_type = "SITE_TO_SITE_TUNNEL_SSL"
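To show where the two optional fragments above fit, here is an added example (not the article's code and not the Prod-TF repository's provider.tf/f5xc_sites.tf) of a provider block plus the site resource with both options driven by variables. It assumes the f5xc_api_p12_file and f5xc_api_url variables declared earlier, the volterra_token resource shown above, a random_id byte length of 2, the corporate_proxy/force_ssl_tunnels variable names, and that tunnel_type is a top-level argument of the site resource, as the fragment suggests. It goes beyond the article by making both options conditional with a dynamic block and a ternary.

```hcl
# Added example (not the article's or the Prod-TF repository's code).
# Assumes the f5xc_api_p12_file / f5xc_api_url variables from the article.
terraform {
  required_providers {
    volterra = { source = "volterraedge/volterra" }
    random   = { source = "hashicorp/random" }
  }
}

# The P12 password never appears in code: the provider reads VES_P12_PASSWORD.
provider "volterra" {
  api_p12_file = var.f5xc_api_p12_file
  url          = var.f5xc_api_url
}

variable "f5xc-ce-site-name" { type = string }

variable "corporate_proxy" {
  description = "Explicit proxy for the CE control-plane tunnels; null means no proxy"
  type        = object({ ip = string, port = number })
  default     = null
}

variable "force_ssl_tunnels" {
  description = "Force SSL tunnels towards the REs (when IPsec / UDP 4500 is not possible)"
  type        = bool
  default     = false
}

# Assumed byte length; random_id.suffix is referenced but not shown in the article.
resource "random_id" "suffix" {
  byte_length = 2
}

resource "volterra_securemesh_site_v2" "site" {
  name                    = format("%s-%s", var.f5xc-ce-site-name, random_id.suffix.hex)
  namespace               = "system"
  block_all_services      = false
  logs_streaming_disabled = true
  enable_ha               = false

  labels = {
    "ves.io/provider" = "ves-io-GCP"
  }

  re_select {
    geo_proximity = true
  }

  gcp {
    not_managed {}
  }

  # Rendered only when a proxy is configured (one element in the list), so the
  # same file serves sites with and without a corporate proxy.
  dynamic "custom_proxy" {
    for_each = var.corporate_proxy == null ? [] : [var.corporate_proxy]
    content {
      enable_re_tunnel = true
      proxy_ip_address = custom_proxy.value.ip
      proxy_port       = custom_proxy.value.port
    }
  }

  # null leaves the provider default in place; SSL is only forced on request.
  tunnel_type = var.force_ssl_tunnels ? "SITE_TO_SITE_TUNNEL_SSL" : null
}
```

With this layout the variables.tf of a datacenter site behind a proxy carries corporate_proxy = { ip = "10.154.32.254", port = 8080 } and force_ssl_tunnels = true, while a cloud site keeps the defaults, without touching the resource itself.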


Step 3: creation of the CE instance in the target environment

This step will be performed by the Terraform script by:

  • Generating a cloud-init file
  • Creating the F5XC site instance in the environment based on the marketplace images or the available F5XC images


How to list F5XC available images in Azure:

az vm image list --all --publisher f5-networks --offer f5xc_customer_edge --sku f5xccebyol --output table | sort -k4 -V

Then pick the image with the highest version from the output. Note that sort also reorders the header lines, which is why they end up at the bottom of the listing:

x64             f5xc_customer_edge  f5-networks  f5xccebyol    f5-networks:f5xc_customer_edge:f5xccebyol:9.2025.17    9.2025.17
x64             f5xc_customer_edge  f5-networks  f5xccebyol    f5-networks:f5xc_customer_edge:f5xccebyol:2024.40.1    2024.40.1
x64             f5xc_customer_edge  f5-networks  f5xccebyol    f5-networks:f5xc_customer_edge:f5xccebyol:2024.40.2    2024.40.2
x64             f5xc_customer_edge  f5-networks  f5xccebyol    f5-networks:f5xc_customer_edge:f5xccebyol:2024.44.1    2024.44.1
x64             f5xc_customer_edge  f5-networks  f5xccebyol_2  f5-networks:f5xc_customer_edge:f5xccebyol_2:2024.44.2  2024.44.2
Architecture    Offer               Publisher    Sku           Urn                                                    Version
--------------  ------------------  -----------  ------------  -----------------------------------------------------  ---------

Some of those parameters are then reused in the Terraform script's source_image_reference block to tell Terraform which image to use:

source_image_reference {
  publisher = "f5-networks"
  offer     = "f5xc_customer_edge"
  sku       = "f5xccebyol"
  version   = "9.2025.17"
}

For Azure, you also need to accept the legal terms of the F5XC CE image. This needs to be done only once per subscription, by running the following commands:

Select the Azure subscription in which you are planning to deploy the F5XC CE:

az account set -s <subscription-id>

Accept the terms and conditions for the F5XC CE for this subscription:

az vm image terms accept --publisher f5-networks --offer f5xc_customer_edge --plan f5xccebyol
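The Azure part of Step 3, as an added example that is not the article's code nor the Prod-TF repository's main.tf: two NICs created with the VM, the image selected above, the marketplace plan block that the "terms accept" command unlocks, and a generated cloud-init carrying the SMSv2 token from Step 2. Assumptions: the variable names, the VM size, the cloud-init layout (/etc/vpm/user_data with a "token:" key, which is my reading of the F5 documentation for SMSv2 sites and should be verified there), and that volterra_token.smsv2-token.id is the registration token value.

```hcl
# Added example (not the article's or the Prod-TF repository's code): Azure
# main.tf for Step 3. Variable names, VM size, cloud-init layout and the token
# attribute are assumptions (see the lead-in).
variable "resource_group_name" { type = string }
variable "location"            { type = string }
variable "slo_subnet_id"       { type = string } # public subnet
variable "sli_subnet_id"       { type = string } # private subnet
variable "ssh_public_key"      { type = string }

locals {
  image = {
    publisher = "f5-networks"
    offer     = "f5xc_customer_edge"
    sku       = "f5xccebyol"
    version   = "9.2025.17" # from the az vm image list output above
  }

  # Generated cloud-init; the registration token is the only secret it carries.
  cloud_init = <<-EOT
    #cloud-config
    write_files:
      - path: /etc/vpm/user_data
        owner: root:root
        permissions: "0644"
        content: |
          token: ${volterra_token.smsv2-token.id}
  EOT
}

resource "azurerm_public_ip" "slo" {
  name                = "f5xc-ce-slo-pip"
  location            = var.location
  resource_group_name = var.resource_group_name
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_network_interface" "slo" {
  name                = "f5xc-ce-slo-nic"
  location            = var.location
  resource_group_name = var.resource_group_name
  ip_configuration {
    name                          = "slo"
    subnet_id                     = var.slo_subnet_id
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id          = azurerm_public_ip.slo.id
  }
}

resource "azurerm_network_interface" "sli" {
  name                = "f5xc-ce-sli-nic"
  location            = var.location
  resource_group_name = var.resource_group_name
  ip_configuration {
    name                          = "sli"
    subnet_id                     = var.sli_subnet_id
    private_ip_address_allocation = "Dynamic"
  }
}

resource "azurerm_linux_virtual_machine" "ce" {
  name                = "f5xc-ce"
  location            = var.location
  resource_group_name = var.resource_group_name
  size                = "Standard_D8s_v5" # assumed; size the VM per F5 guidance
  admin_username      = "azureuser"

  # Both NICs at creation time (Step 1). The first one is Azure's primary NIC
  # and therefore the CE's default interface, i.e. the SLO.
  network_interface_ids = [azurerm_network_interface.slo.id, azurerm_network_interface.sli.id]

  admin_ssh_key {
    username   = "azureuser"
    public_key = var.ssh_public_key
  }

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Premium_LRS"
  }

  source_image_reference {
    publisher = local.image.publisher
    offer     = local.image.offer
    sku       = local.image.sku
    version   = local.image.version
  }

  # Marketplace images need the plan block; the deployment only succeeds once
  # "az vm image terms accept" has been run for the subscription.
  plan {
    publisher = local.image.publisher
    product   = local.image.offer
    name      = local.image.sku
  }

  custom_data = base64encode(local.cloud_init)

  # cloud-init only runs at first boot: a rotated token later must not recreate the VM.
  lifecycle { ignore_changes = [custom_data] }
}
```

The cloud-init is passed base64-encoded through custom_data, so the token is visible in the Terraform state and in the VM's instance metadata; treat the state file accordingly and prefer a fresh token per site rather than a shared one.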


How to list F5XC available images in GCP:

gcloud compute images list --project=f5-7626-networks-public --filter="name~'f5xc-ce'" --sort-by=~creationTimestamp --format="table(name,creationTimestamp)"

Then pick the most recent image from the output (the list is sorted by creation timestamp, newest first):

NAME                                               CREATION_TIMESTAMP
f5xc-ce-crt-20250701-0123                          2025-07-09T02:15:08.352-07:00
f5xc-cecrt-20250701-0099-9                         2025-07-02T01:32:40.154-07:00
f5xc-ce-202505151709081                            2025-06-25T22:31:23.295-07:00


How to list F5XC available images in AWS:

aws ec2 describe-images \
  --region eu-west-3 \
  --filters "Name=name,Values=*f5xc-ce*" \
  --query "reverse(sort_by(Images, &CreationDate))[*].{ImageId:ImageId,Name:Name,CreationDate:CreationDate}" \
  --output table

Then pick the AMI with the most recent creation date from the output (the query sorts newest first).

For AWS, you also need to accept the legal terms of the F5XC CE image. This needs to be done only once.

Go to this page in your AWS Console

Then select "View purchase options" and then select "Subscribe".

Putting everything together:

Global overview

We are going to use Azure as the target environment to deploy the F5XC CE.

The CE will be deployed with two NICs; the SLO NIC sits in a public subnet and has a public IP attached.

We assume that all the prerequisites from step 1 are met.

Terraform skeleton for Azure is available here: https://github.com/veysph/Prod-TF/

It's not intended to be the perfect thing, just an example of the minimum basic things to deploy an F5XC SMSv2 CE with automation. Changes and enhancements based on the different needs you might have are more than welcome. It's really intended to be flexible and not too strict.

Structure of the terraform directory:

  • provider.tf contains everything that is related to the needed providers
  • variables.tf contains all the variables used in the terraform files
  • f5xc_sites.tf contains everything that is related to the F5XC objects creation
  • main.tf contains everything to start the F5XC CE in the target environment

Deployment

Make all the relevant changes in variables.tf.

Don't forget to export your P12 password as an environment variable (see Step 2, API certificate and terraform variables)!

Then run:

terraform init
terraform plan
terraform apply

If every step succeeds, you should get a CE object in the F5XC console under

Multi-Cloud Network Connect --> Manage --> Site Management --> Secure Mesh Sites v2

Updated Sep 08, 2025
Version 5.0
