f5xc-aws-ce-natgtwy

This is a non-official F5 repository. This repo is not supported by F5 or DevCentral!

This repo will provide a solution for deploying F5 XC Secure Mesh via a NAT Gateway in AWS.

Distributed Cloud AWS Secure Mesh via NaGateway Deployment

The goal of this solution is to provide the infrastructure for a working demo to deploy F5 Distributed Cloud Secure Mesh CE in AWS without a EIP on SLO of CE and through a NAT Gateway.

• F5 Distributed Cloud AWS Secure Mesh Nat Gateway Deployment
  • Prerequisites
  • F5 Distributed Cloud Configuration(s)
  • API Certificate
  • Terraform
  • To do
  • High Level Topology
  • Requirements
  • Inputs
  • Deployment
  • Troubleshooting
  • Support
  • Community Code of Conduct
  • License
  • Copyright
  • F5 Networks Contributor License Agreement

Prerequisites

• A Distributed Cloud Services Account.

F5 Distributed Cloud Configuration(s)

Within F5 Distributed Cloud (F5XC), you will need to create yourself an API Certificate. We will be be using the F5 XCS Terraform Provider.

API Certificate

1. Log in to your F5 XC Console.
2. In the upper right-hand corner, click the User Account Icon.
3. Then click "Account Settings"

4. Click Add Credentials
5. Enter a Credential Name
6. Verify that Credential Type is set to 'API Certificate'
7. Set a password
8. Set an Expiration date
9. Download your Key Pair

Terraform

Credentials: Before we get to the Terraform variables, there is an example prep script provided, this CAN be used to map API Certificate and password to ENV Vars, but you can use whatever method you are comfortable with for secrets.

export VOLT_API_P12_FILE=/creds/api-creds.p12
export VES_P12_PASSWORD=12345678

Run the script to map creds.

. ./prep.sh

Alternatively, you may extract the SSL certificate and key into separate files for use, vs using environment variables.

Extract Private Key

openssl pkcs12 -in <F5XC-tenant>.console.ves.volterra.io.api-creds.p12 -legacy -nodes -nocerts -out f5xc-api.key

Extract Certificate

openssl pkcs12 -in <F5XC-tenant>.console.ves.volterra.io.api-creds.p12 -legacy -nodes -out f5xc-api.cer

To do

• Steps to deploy using this repo:
  • Apply
    • In aws_infra directory, make a copy of the 'terraform.tfvars.example' file and save it as terraform.tfvars
    • Update variables within terraform.tfvars file to match your environment
      • Run (first time only - terraform init) then terraform plan. Validate the output is what you expected, then run terraform apply
      • Get all relevant info for XC Site build
        • natgateway-id
        • subnet-id's
          • Inside (SLI)
          • OutSide (SLO)
          • Workload
        • vpc-id
        • security-group-id
    • Change directories to xc_site
      • Export p12 file and password
        • export VES_P12_PASSWORD=password
        • export VOLT_API_P12_FILE=path/to/p12/file
      • Make a copy of the 'terraform.tfvars.example' file and save it as terraform.tfvars
      • Update variables.tf or terraform.tfvars file
      • Add aws cloud credentials to Distributed Cloud tenant
        • • F5 Distributed Cloud AWS Pre-reqs
        • • F5 Distributed Cloud Upload AWS Cloud Credentials
      • Run (first time only - terraform init) then terraform plan. Validate the output if it is what is expected then run terraform apply
  • Destroy / Clean Up
    • From xc_site directory
      • run terraform destroy
      • Validate from XC console the Secure Mesh site was destroyed go into AWS VPC Site and Delete the site
    • Change directories to aws_infra
      • run terraform destroy
      • Validate from the AWS console all AWS resources have been destroyed

Topology

• High Level Topology

Requirements

Name	Version
terraform	>= 0.13
aws	~> 4.0
http	2.1.1
volterrarm	0.11.28

Inputs

Name	Description	Type	Default

Deployment

For manual deployment you can do the traditional terraform commands.

terraform init
terraform fmt
terraform plan
terraform apply --auto-approve
terraform destroy --auto-approve

Troubleshooting

Please refer to the following:

• F5 Distributed Cloud
  • F5 Distributed Cloud
• Terraform
  • F5 Distributed Cloud Terraform Registry.

Support

For support, please open a GitHub issue. Note, the code in this repository is community supported and is not supported by F5 Networks. For a complete list of supported projects please reference SUPPORT.md.

Community Code of Conduct

Please refer to the F5 DevCentral Community Code of Conduct.

License

GNU License 3.0

Copyright

Copyright 2014-2023 F5 Networks Inc.

F5 Networks Contributor License Agreement

Before you start contributing to any project sponsored by F5 Networks, Inc. (F5) on GitHub, you will need to sign a Contributor License Agreement (CLA).

If you are signing as an individual, we recommend that you talk to your employer (if applicable) before signing the CLA since some employment agreements may have restrictions on your contributions to other projects. Otherwise by submitting a CLA you represent that you are legally entitled to grant the licenses recited therein.

If your employer has rights to intellectual property that you create, such as your contributions, you represent that you have received permission to make contributions on behalf of that employer, that your employer has waived such rights for your contributions, or that your employer has executed a separate CLA with F5.

If you are signing on behalf of a company, you represent that you are legally entitled to grant the license recited therein. You represent further that each employee of the entity that submits contributions is authorized to submit such contributions on behalf of the entity pursuant to the CLA.