App Stack, the "iRule" of F5 Distributed Cloud

Today, F5 Distributed Cloud boasts myriad security capabilities, including:

  • Web Application Firewall
  • API security
  • DDoS Mitigation
  • Bot Detection
  • Application Infrastructure Protection

and more. As the platform continues to grow, the number of security, networking, and application management capabilities is only going to increase over time.

But what if you need certain capabilities that do not exist today on the platform? SaaS offerings are easy to consume, but can be opinionated in how capabilities are provided, if at all. The best course of action is to raise a feature request. In the meantime, allow me to introduce a superpower hidden in plain sight:

F5 Distributed Cloud App Stack

A brief primer on Distributed Cloud App Stack

Described as a SaaS to enable lifecycle management of applications across distributed infrastructure, Distributed Cloud App Stack lets users run Kubernetes applications in any location or environment, without needing to manage Kubernetes clusters. This could be on any of the Distributed Cloud Regional Edges (RE), or Customer Edges (CE) deployed in the users' private environment.

An application deployed on App Stack runs like a Kubernetes application, and can be advertised via HTTP or TCP Load Balancers for clients to consume its services. In other words, an application running on App Stack can be treated as an origin server in the context of a Load Balancer on F5 Distributed Cloud.

Enhancing Distributed Cloud with App Stack

If F5 Distributed Cloud Load Balancer is missing certain capabilities you require today, one option is to use App Stack to deploy another proxy running on the REs, and have the proxy perform the required capabilities instead. Some use cases that I have been exploring include (click on the links to see code examples!):

  1. Injecting client certificate details into an HTTP header for a mutual TLS connection

  2. Parsing a PROXY protocol header

  3. Validating a claim in a JSON Web Token
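
As an illustration of the third use case, here is an added example (not code from this article or the examples it links to) of the check a proxy on App Stack could run before forwarding a request. It assumes an HS256 token signed with a shared secret; the function names, the `role` claim and the key are hypothetical.

```python
import base64, hashlib, hmac, json, time

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _mac(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_token(claims: dict, key: bytes) -> str:
    """Mint a constructed HS256 token; used only to produce sample input."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url_encode(_mac(f'{head}.{body}', key))}"

def check_claim(token: str, key: bytes, claim: str, allowed: set, now=None):
    """Return (ok, reason). The payload is parsed only after the MAC verifies."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        signature = b64url_decode(sig)
    except ValueError:
        return False, "malformed"
    # Pin the algorithm: never let the token's own header choose it ("none", etc.).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "alg"
    if not hmac.compare_digest(signature, _mac(f"{head}.{body}", key)):
        return False, "signature"
    try:
        claims = json.loads(b64url_decode(body))
    except ValueError:
        return False, "malformed"
    if not isinstance(claims, dict):
        return False, "malformed"
    # Assumed policy: a missing or non-numeric "exp" is treated as expired.
    exp = claims.get("exp")
    current = time.time() if now is None else now
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= current:
        return False, "expired"
    value = claims.get(claim)
    if not isinstance(value, str) or value not in allowed:
        return False, "claim"
    return True, "ok"

if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed sample secret
    tok = make_token({"sub": "alice", "role": "admin", "exp": 2000}, KEY)
    print(check_claim(tok, KEY, "role", {"admin"}, now=1000))
```

A proxy using this would reject the request on any `False` result and forward it only on `(True, "ok")`; the reason string is intended for logging, not for the client response.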


For those who have experience with F5 BIG-IP, these might feel similar to using an iRule to perform custom logic not natively supported on BIG-IP. Given enough time and requests, some of these might even make it into the platform as a native capability, akin to how some BIG-IP modules/features today were born from commonly used iRules in the past.

It is also worth noting that proxies deployed in the examples above can further forward the traffic to another HTTP or TCP Load Balancer on F5 Distributed Cloud, allowing you to take advantage of other capabilities on the platform. Again, this should ring a bell for those who are aware of the VIP targeting VIP concept in BIG-IP.


I hope this article has provided you with a new perspective on F5 Distributed Cloud App Stack. F5 Distributed Cloud is constantly evolving, and will continue to introduce more capabilities, but for what is missing now, have a look at implementing it with App Stack.



Updated Mar 14, 2024
Version 5.0



  • Leon_Seng love it!! Thanks for sharing, this is super helpful in not just the "iRule-ability" within distributed cloud, but also fleshing out some of the features that are there natively. Appreciate it!

  • In the BIG-IP world this analogy would have been a VIP-targeting-VIP type approach. Same same but different.

    Nice article Leon_Seng !

  • Nice article! I think, though, that only Virtual Kubernetes (vk8s) is available, as RE are used, not CE.