Optimize Edge deployments for Secure Mesh Site Networking in Distributed Cloud

In the modern world of hybrid and multi-cloud networking, and edge compute, many solutions provide a Swiss-army knife set of features. Having a myriad of features available makes sense when each site has a unique set of needs, and the deployment footprint is small. As an organization’s cloud and edge footprint grows, many begin to standardize on which product is used for each set of features. While having every feature available makes sense in small and medium sized deployments, the cost associated with having everything available all the time can begin to add up as the footprint grows. As the organization grows, its needs become more unique, it begins to make more sense to standardize smaller sets of features and divide them between multiple and often separate products. When deployed at scale, organizations often standardize using multiple vendors, each for its unique set of features, such as a common ingress firewall, VPN, web app and API security, and even the management of its microservices.

The F5 Advantage

When deployed at scale, there’s substantial opportunity to tune performance while reducing cost by optimally choosing which features to use in each product, eliminating overlap where possible. With F5 Distributed Cloud Network Connect, customer edge (CE) sites can be deployed either with all the features enabled, or with a select focus of L3 networking. Choosing the mode of deployment provides the flexibility to eliminate compute overhead. This capability, already available to CE sites deployed in public-cloud environments, is now available to CE’s that run on-prem and in datacenters.

Secure Mesh Site for customer edge sites, a new feature in Network Connect for deployments in private-cloud environments, provides the additional customization needed by organizations. By eliminating redundant compute where possible and focusing on high performance multi-site networking with security, organizations can use L3-optimized CE’s at the entry point to their sites or networks, and then leverage compute-enabled CE’s in sites where compute and microservices management is needed. This feature enhances Distributed Cloud’s mesh networking capability by optionally using tunnels to connect non-public cloud CE’s in a site mesh group, using either an existing private network or public one to bridge the CE’s. Additionally, this feature now supports CE’s in a site mesh group running on hardware that isn’t the same. Note: Previously, it was required to have all CE’s in a site mesh group run on the same set of hardware.

Secure Mesh Site capabilities for datacenter and on-prem CE’s include support for:

  • L3 network-optimized performance
  • Internal DHCP servers
  • Multiple inside and outside NICs
  • NIC bonding
  • Offline Survivabiliy
  • Multi-tunnel networking Site Mesh Groups for public & private IPs

Deployment Configuration

To deploy a Secure Mesh Site CE, log in to the Distributed Cloud Console, and navigate to Multi-Cloud Network Connect > Site Management > Secure Mesh Sites, then Add Secure Mesh Site.


Name the site and choose the hardware platform.


Enter the name for the master node(s) and any worker node(s). Note that the “Public IP” entered here is the IP address that other Site Mesh Group CE’s use to connect to this CE. If the Site Mesh Group (SMG) will use a public network for connectivity, then this IP address will be an externally available public address. Otherwise, if connectivity between SMG CE’s will use internal private networks, then this IP will be in a non-public IP address, for example, any IP in the CIDR blocks 10/8, 172.16/12, 192.168/16, and fc00::/7.


The following options configure interface bonding, interface network mapping, whether to use the F5 Global Network, and if using public or private IP’s optionally for connecting to other CE’s in a site mesh group. Enabling Survivability Mode allows CE-to-CE routing via the Site Mesh Group when uplink connectivity to the F5 Regional Edge (RE) and Global Controller drops.


The final steps to deploy the site includes generating the site token and registering the site in Distributed Cloud. The following How To illustrates the final steps to onboard the CE.

Conclusion

The Distributed Cloud Network Connect feature for Secure Mesh Sites provides extreme flexibility to organizations when choosing the footprint that the CEs use. Using Secure Mesh Sites for non-cloud CE’s when compute services aren’t needed eliminates compute cycles to services that would otherwise not be utilized. This allows organizations to fine tune CE’s not running in public clouds, allowing for greater flexibility and specificity.

Additional Resources

Product Information: https://www.f5.com/cloud/products/network-connect

Product Documentation (How To): https://docs.cloud.f5.com/docs/how-to/site-management/create-secure-mesh-site

Published Jun 16, 2023
Version 1.0
  • When adding a VM/baremetal CE, it can either be registered as an AppStack CE or a Secure Mesh CE. Secure Mesh Sites are L3-networking optimized and support the all the same services as AppStack Sites except:

    • Storage Interfaces, Devices and Classes
    • Site Local K8s API access
    • USB devices
    • VM support (running VMs on the Site)
  • Hi Dave,

    Is it supported, having in the same physical CE:  App Stack + Secure mesh site features ?

    Thanks.