App Stack, the "iRule" of F5 Distributed Cloud
Today, F5 Distributed Cloud boasts myriad security capabilities, including:
- Web Application Firewall
- API security
- DDoS Mitigation
- Bot Detection
- Application Infrastructure Protection
And more. As the platform continues to grow, the number of security, networking, and application management capabilities is only going to increase over time.
But what if you need certain capabilities that do not exist on the platform today? SaaS offerings are easy to consume, but can be opinionated in how capabilities are provided, if at all. The best course of action is to raise a feature request. In the meantime, allow me to introduce a superpower hidden in plain sight:
A brief primer on Distributed Cloud App Stack
Described as a SaaS to enable lifecycle management of applications across distributed infrastructure, Distributed Cloud App Stack lets users run Kubernetes applications in any location or environment, without needing to manage Kubernetes clusters. This could be on any of the Distributed Cloud Regional Edges (RE), or Customer Edges (CE) deployed in the users' private environment.
An application deployed on App Stack runs like a Kubernetes application, and can be advertised via HTTP or TCP Load Balancers for clients to consume its services. In other words, an application running on App Stack can be treated as an origin server in the context of a Load Balancer on F5 Distributed Cloud.
Enhancing Distributed Cloud with App Stack
If F5 Distributed Cloud Load Balancer is missing certain capabilities you require today, one option is to use App Stack to deploy another proxy running on the REs, and have the proxy perform the required capabilities instead. Some use cases that I have been exploring include (click on the links to see code examples!):
- Injecting client certificate details into an HTTP header for a mutual TLS connection
- Parsing a PROXY protocol header
- Validating a claim in a JSON Web Token
For those who have experience with F5 BIG-IP, these might feel similar to using an iRule to perform custom logic not natively supported on BIG-IP. Given enough time and requests, some of these might even make it into the platform as a native capability, akin to how some BIG-IP modules/features today were born from commonly used iRules in the past.
It is also worth noting that proxies deployed in the examples above can further forward the traffic to another HTTP or TCP Load Balancer on F5 Distributed Cloud, allowing you to take advantage of other capabilities on the platform. Again, this should ring a bell for those who are aware of the VIP targeting VIP concept in BIG-IP.
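The second use case above, parsing a PROXY protocol header, is shown here as an added example (not the article's linked code and not F5's): a strict parser for the version 1 text header that a proxy on App Stack could run before trusting the client address it carries. The trusted sender range, the function names and the sample bytes are assumptions constructed for illustration.

```python
import ipaddress

MAX_V1_LEN = 107  # longest v1 header including CRLF, per the PROXY protocol spec
# Assumption: only these peers (constructed example range) may send a PROXY header.
TRUSTED_SENDERS = [ipaddress.ip_network("10.0.0.0/8")]

class ProxyHeaderError(ValueError):
    """Raised when a PROXY v1 header is absent, malformed or from an untrusted peer."""

def parse_proxy_v1(buf: bytes):
    """Split buf into (source, destination, payload); addresses are None for UNKNOWN."""
    end = buf.find(b"\r\n", 0, MAX_V1_LEN)  # CRLF must fall inside the first 107 bytes
    if not buf.startswith(b"PROXY ") or end == -1:
        raise ProxyHeaderError("missing or oversized PROXY v1 header")
    try:
        fields = buf[:end].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("non-ASCII bytes in header") from exc
    payload = buf[end + 2:]
    if fields[1] == "UNKNOWN":  # sender could not determine the addresses
        return None, None, payload
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError("unsupported protocol or wrong field count")
    family = 4 if fields[1] == "TCP4" else 6
    try:
        src_ip, dst_ip = (ipaddress.ip_address(f) for f in fields[2:4])
    except ValueError as exc:
        raise ProxyHeaderError("invalid address") from exc
    if src_ip.version != family or dst_ip.version != family:
        raise ProxyHeaderError("address family does not match protocol field")
    if not all(p.isdigit() and int(p) <= 65535 for p in fields[4:6]):
        raise ProxyHeaderError("invalid port")
    return (str(src_ip), int(fields[4])), (str(dst_ip), int(fields[5])), payload

def client_address(peer_ip: str, buf: bytes):
    """Return the client (ip, port) to trust, or raise if the sender is not allowed."""
    if not any(ipaddress.ip_address(peer_ip) in net for net in TRUSTED_SENDERS):
        raise ProxyHeaderError("PROXY header from untrusted peer")
    source, _dest, _payload = parse_proxy_v1(buf)
    return source

# Constructed sample: header as a load balancer would prepend it to an HTTP request.
SAMPLE = b"PROXY TCP4 203.0.113.7 10.1.2.3 51234 443\r\nGET / HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    print(client_address("10.9.9.9", SAMPLE))
```

The sender check matters as much as the parsing: a PROXY header accepted from an arbitrary peer lets that peer choose the client address the rest of the stack will log and make decisions on.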
I hope this article has provided you with a new perspective on F5 Distributed Cloud App Stack. F5 Distributed Cloud is constantly evolving, and will continue to introduce more capabilities, but for what is missing now, have a look at implementing it with App Stack.