LTM in front of HSM

Question

We have some Safenet Luna HSM's that require the connecting host to be in an ACL on the HSM. It doesn't use http or a common protocol. The problem we're running into is that the ACL only holds 16 ip addresses. Fine for prod, but not good for dev and qa. &nbsp;
When I asked Safenet about supporting a load balancer their support responded with "unless the Load balancer encapsulate the data packets and make HSM to believe that request is only for a single host in the list of IPs , After receiving reply from HSM load balancer would distributes to designated host".&nbsp;
I'm a newbie on the LTM outside of setting up virtual servers to front web server pools so I'm asking for help. Would this be NAT'ing the request? Can anyone give me some pointers on how to set this up on an LTM, if it's even possible?&nbsp;

vijay_e · Answer

You can use SNAT (automap or snatpool). However, each SNAT IP will provide you with 65K connections. Even if you use all the SNAT IP in the ACL (16 in total) in HSM, you will have a theoretical limitation of 16*65K (1,040 K) connections, if my understanding is right. You will hit limits as far as scale is concerned. &nbsp;
sol7820: Overview of SNAT features &nbsp;

Forum Discussion

LTM in front of HSM

1 Reply

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

error code 503 redirect irule

Curl 7.10.5 < 8.12.0 Integer Overflow (CVE-2025-0725)

OWA File Upload URIs for WAF Bypass

F5 AWAF/ASM learning only from Trusted traffic?

F5OS VLAN naming length restrictions

Related Content

SAML - LTM in front of SP

The State Of HTTP/2 With F5 LTM

F5 BIG-IP and ENTRUST nShield HSM SSL key/cert auto synchronization between HA peers with iCall

LTM Policy

iControl REST Cookbook - LTM policy (ltm policy)

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS