Extending F5 ADSP: Multi-Tailnet Egress
Tailscale tailnets make private networking simple, secure, and efficient. They’re quick to establish, easy to operate, and provide strong identity and network-level protection through zero-trust Wire...
Published Aug 20, 2025
Version 1.0
fads
Employee
Joined January 02, 2024
RabattDigga-de
Nimbostratus
Sep 03, 2025
How does attaching origin pools to F5 XC load balancers impact performance and failover when accessing services inside tailnets?
- fads, Sep 03, 2025
Employee
To help answer the question, think of this particular use case as an enhanced Tailscale Funnel service.
You can expose your Tailscale nodes or services to the internet, with the following additional benefits:
- Choice of URL, service name, and ports (instead of being tied to defaults).
- Load balancing across Tailscale nodes, across tailnets, or even non-Tailscale backends.
- Application security controls (WAAP, DDoS, bot defense, API enforcement) built in.
In terms of performance and resiliency, when you attach tailnet-reachable services as origin pools behind an F5 XC Load Balancer, you gain:
- Global Anycast entry: traffic lands at the closest XC Regional Edge (RE).
- Distributed Cloud backbone: once inside the XC fabric, traffic rides over F5’s private global backbone, a highly optimized network interconnecting Regional Edges and Core Sites. This means predictable latency, stronger SLAs, and resilience even across geographies.
- WAAP + policies: TLS termination, L7 inspection, and rate limiting before traffic hits your service.
- Health-based failover: automatic removal of unhealthy endpoints and redirection to healthy pool members, even across different tailnets or regions, without client changes.
Performance considerations:
- For Tailscale nodes/services, end-to-end latency is mostly dictated by network distance and tailnet path quality.
- XC adds a small per-request overhead (WAAP, TLS, L7 features) but often reduces overall latency thanks to:
  - RE/CE locality (nearest entry point)
  - Optimized routing across the XC backbone (avoiding unpredictable public internet paths)
Failover behavior:
- Deterministic and fast. If a node or path fails health checks, it’s removed immediately, and traffic is shifted to healthy nodes.
- Because failover can leverage the global backbone, users are seamlessly redirected to healthy origins in other regions, without client-side DNS changes.