Can I use XC as a TCP proxy and DDoS Protection?

Question

Hello, experts!I’m a longtime BIG-IP user but a complete newbie to XC. I have a task and would love some guidance on the best way to approach it. The goal is to use XC as a TCP proxy and for DDoS protection.The scenario: A client has a distributed network of ATMs that connect to a server. XC should sit in front of the server as a TCP proxy. The requests come in via IP.A few questions:Which XC product should I use for this?TCP Load Balancer requires requests to come via a domain name, correct?Would I need a dedicated IP from XC in this case?Can DDoS protection be applied in this setup?Am I thinking about this correctly?Any insights or recommendations would be greatly appreciated!

kevin_reynolds · Answer

TCP LBs in XC can be unique ip:port combinations or can be routed by domain using SNI (assuming the traffic is TLS). Your XC tenant has a single default "tenant IP" that is advertised via anycast globally (you can purchase additional IPs or BYO routed block if you need to).Re: DDOSThere's platform level DDOS applied to all internet advertised VIPs in XC -- but I wouldn't consider this a "DDOS service". Like all cloud vendors, this is largely a platform protection mechanism and it's not configurable. For HTTP LBs XC offers "L7 DDOS" which is behavioral based but this, obviously, isn't applicable to TCP LBs as the platform is not doing protocol parsing.&nbsp;XC offers a routed DDOS solution (ie. a newer incarnation of the "Silverline" platform). For this service you'd route your ARIN allocation to the service via BGP (either conditionally or always-on) and we'd scrub the traffic and redeliver it via GRE tunnels to your DCs. This is outside the scope of advertising a handful of TCP LBs to the internet (ie. we'd not carve out network space inside your routed block for XC LBs).&nbsp;Let us know what you're trying to do and maybe someone here can make a more informed recommendation.&nbsp;

nikoolayy1 · Answer

I think I saw a customer setup where there was transit dos service (the origin server ip customer owned ip addresses) with HTTP lb and TCP lb (F5 owned ip addresses) combined but better double check with the F5 sales/solutions or your account manager.

aantat · Answer

Hi,&nbsp;1. Seems like TCP LB will work perfectly in my case with IP:port combination. So on my origin side, requests will come from tenant IP or from this list? If yes, what about custom ports?2. Routed DDoS solution is not fitting in this case, so VIP is basically protected from DDoS, but I don't have any chance to configure it?&nbsp;