Create Secure Mesh Site v2

• In the Multi-Cloud Network Connect workspace, navigate to Manage > Site Management > Secure Mesh Sites v2.

• Select Add Secure Mesh Site to open the configuration form.

• In the Metadata section, enter a name for the Site.

• Optionally, select labels and add a description.

• From the Provider Name menu, select the infrastructure provider from the options available. Refer to provider-specific documentation links below to bring up infrastructure in that provider:

  • VMware
  • KVM
  • Baremetal
  • AWS
  • Azure
  • GCP
  • OCI
  • Nutanix
  • OpenStack
  • Equinix
  • OpenShift Virtualization

• For High Availability, choose an option. If it is disabled, your CE Site can only support one node. If it is enabled, then your CE Site requires three nodes. Additional nodes can only be added to CE sites when High Availability is set to Enable.

Important: You cannot change the High Availability option after your CE Site object is created and deployed.

Use the following steps to configure the regional edge (RE) Site settings in the Regional Edge section. Your CE Site connects to the RE Site for registration purposes.

Note: The configuration options in this section are set to standard default values. Therefore, it may not be necessary to customize any of the options unless you need customization only for advanced deployments.

• From the Regional Edge Selection drop-down menu, select the RE geography to use. By default, the Based on Geo-proximity option selects the closest RE to where you are deploying your CE. However, you have the option to select any RE that suits your geographical needs by selecting Specific Geography. If you select Specific Geography, ensure that you select the primary and backup RE, which must be different. The Primary RE Geography and Backup RE Geography options cannot be the same.

• Optionally, select the Site-to-Site tunnel encryption type from the Tunnel Type menu. The default option is IPsec/SSL. When IPsec/SSL is used, IPsec takes priority.

• Optionally, configure the timeout value for Site tunneling from the Tunnel Dead Timeout (msec) menu. The default option is zero (0) milliseconds.

• Optionally, enable the offline survivability feature from the Offline Survivability Mode menu. For more information, see the Manage Site Offline Survivability guide.

Use the following steps to configure the CE Site networking settings in the Site Networking section.

Note: The configuration options in this section are set to standard default values. Therefore, it may not be necessary to customize any of the options unless you need customization only for advanced deployments.

• Site Local Outside Network (SLO) is used to connect the CE node with the F5 Distributed Cloud Regional Edges (REs). It can also work as a public/WAN network. This network typically requires connectivity to the Internet (see note below for exception). If a custom DNS server or static routes need to be added into this network, then from the Site Local Outside Network menu, choose Configure Site Local Outside Network. Then click View Configuration. Here you can add custom static routes, common VIP for load balancers (this can be overridden on a per load balancer basis in the Advertisement Policy), or DNS servers for the SLO network. Secondary DNS servers are supported on SLO network. To configure secondary DNS servers, ensure that you are on version crt-20251001-0189. See the official releases notes guide for more information.

Note: After you configure the SLO interface with a static IP address, DHCP displays in the Console. However, your static IP configuration is well taken into account. Also, remember that you cannot modify SLO parameters once the node is registered and deployed.

The CE Site can be connected to a private underlay that connects with F5 Distributed Cloud Regional Edges (REs) in which case the SLO need not have Internet-bound connectivity. Connectivity to the REs uses this private underlay.

• Site Local Inside Network (SLI) represents the internal network (LAN). If a custom DNS server or static routes need to be added into this network, then from the Site Local Inside Network menu, choose Configure Site Local Inside Network. Then click Configure. Here you can add custom static routes, common VIP for load balancers (this can be overridden on a per load balancer basis in the Advertisement Policy), or DNS servers for the SLI network. Secondary DNS servers are supported on SLI network. To configure secondary DNS servers, ensure that you are on version crt-20251001-0189. See the official releases notes guide for more information.

Note: Site Local Inside is an optional network. Consider using Network Segments from Multi-Cloud Network Connect > Networking > Segments for internal networks. Network segments are flexible and can be used to keep networks isolated within an environment. In other words, they are restricted to a single CE Site or can be also used for seamless extension of networks across multiple hybrid/multi-cloud environments (across multiple CE sites).

• Optionally, configure any network settings for each of the segments that are enabled on the CE. Under Segment VRF Settings, click Add Item. Perform the following:

  • From the Segment (Global VRF) menu, select your segment.
  • From the Manage Static Routes menu, choose whether to enable static routes with Manage Static routes. Click Add Item for each route you want to add. Configure the route settings, and then click Apply.
  • Optionally, add DNS and secondary DNS servers for this new segment. This helps ensure that your CE Site can resolve origins that are defined by name, by acting as a DNS client and sending DNS requests within the segment to the defined DNS server. Note that DNS and secondary DNS for a segment are supported only for single-node CE sites (non-cluster mode). Ensure that you are on version crt-20251001-0189. See the official releases notes guide for more information.
  • Click Apply.

• To enable virtual IP address (VIP) redundancy when operating load balancers advertised on a CE in L2 adjacency mode: From the Load Balancer Settings section, select Enable VRRP for VIP(s) from the VRRP Mode drop-down menu.

Use the following steps to configure the CE Site networking settings in the Site To Site Connectivity section.

Note: The configuration options in this section are set to standard default values. Therefore, it may not be necessary to customize any of the options unless you need customization only for advanced deployments.

• To connect your Site to other sites using the SLO network: From the Connect using SLO Local VRF drop-down menu, select an option:

  • Site Mesh Group: This option connects your Site to other Sites in a mesh network. You can connect using a public IP or a private IP. For more information, see the Configure Site Mesh Group guide.

  • Member of DC Cluster Group: This option places your Site within a Direct Connect (DC) Cluster Group. For more information, see the Configure DC Cluster Group guide.

• To connect your Site to other sites using the SLI network, from the Connect using SLI Local VRF menu, select Member of DC Cluster Group. For more information, see the Configure DC Cluster Group guide.

Use the following steps to configure the CE Site networking security settings in the Network Security section.

Note: The configuration options in this section are set to standard default values. Therefore, it may not be necessary to customize any of the options unless you need customization only for advanced deployments.

• From the Network Firewall menu, choose to enable an enhanced firewall. Select the firewall from the drop-down menu. Use Add Item to add more than one firewall. For more information, see the Create Network Firewall guide.

• From the Forward Proxy menu, choose to enable a forward proxy. Select the policy from the drop-down menu. Use Add Item to add more than one policy. The network traffic is processed based on the order set. For more information, see the Create Forward Proxy Policies guide.

Use the following steps to configure the CE Site performance mode in the Services & Resources section.

Note: The configuration option in this section is set to standard default values. Therefore, it may not be necessary to customize it unless you need customization only for advanced deployments.

• In the Services & Resources section, from the Performance Mode menu, select an option:

  • L7 Enhanced: This option optimizes the CE Site for Layer 7 traffic processing and is the default option. Jumbo frames for L7 Enhanced mode can only be enabled on single-node sites (non-cluster deployments). Multi-node sites (clusters) currently require jumbo frames to be disabled. You can enable jumbo frames for your HTTP and TCP load balancers that are deployed on your CEs. Note that enabling jumbo frames on an existing single-node CE Site may cause the Site to restart, and therefore, F5 recommends you make mode changes during a maintenance window.

  • L3 Enhanced: This option optimizes the CE Site for Layer 3 traffic processing. If you choose this option, then no L7 functionality is provided for your Site, such as load balancing. If you are using this mode, select whether to use this mode with or without jumbo frames. If L3 Enhanced mode is not enabled on all CE sites in a Site Mesh Group, then the MTU configured on the Site-to-Site tunnel interfaces will not be consistent. Therefore, F5 recommends that you enable L3 Enhanced mode on all CE sites participating in a Site Mesh Group.

Important: To enable jumbo frames for L7 Enhanced mode, ensure that you are on version crt-20251001-0189. See the official releases notes guide for more information.

Click Add Secure Mesh Site to complete creating the Site. The Status field for the Site object displays Validation in progress. After validation, the field displays Validation Succeeded.

Important: There are certain settings that cannot be changed after the CE Site object is created. Make sure that all settings for your CE Site are configured as required before clicking Add Secure Mesh Site to avoid re-creating the CE Site object and re-deploying the CE nodes.