For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

F5 BIG-IP deployment with OpenShift - platform and networking options

Introduction This article is an architectural overview on how F5 BIG-IP can be used with Red Hat OpenShift. Several topics are covered, including: 1-tier or 2-tier arrangements, where the BIG-I...
Screenshot 2023-09-29 at 09.06.41.png
Updated Feb 22, 2024
Version 2.0
application delivery
cloud
devops
Ulises_Alonso's avatar
Icon for Employee rankEmployee
Solutions architect in Business Development with focus in automation and integration with partner's technologies. Prior to this role I was consultant in Professional Services and escalations engineer in Technical Support. Outside F5, I worked in mobile and wired network operators as network engineer. I started my career in academic research. In all these years, no matter what I've been doing Linux has been always the best tool. Not the one in the picture :-)
View Profile
Chup4Chups's avatar
Chup4Chups
Icon for Nimbostratus rankNimbostratus
Apr 13, 2025

Thanks for the article which is very insightful.
"Using ClusterIP Service type" -> When deploying CIS with ClusterIP, The BIG-IP directly try to communicate with the pod network. I have observed that CIS attempt to configure static routes on the BIG-IP but this step fails because the BIG-IP doesn't have a network interface in the same openshift cluster network.
Does the ClusterIP mode requires the BIG-IP to be in the same network as openshift cluster ? (which would be strange in term of architecture). 

Ulises_Alonso's avatar
Ulises_Alonso
Icon for Employee rankEmployee
Nov 14, 2025

Sorry, I overlooked this comment before.

Yes, the BIG-IP needs to be in the same subnet in order to achieve direct to POD communication 

The solution is to use a two tier architecture, two options:

- If (like OpenShift Router/HA-proxy in on-prem) the in-cluster ingress controller uses hostNetwork: true, a Service of type ClusterIP does expose the IP of the node where the OpenShfit Router/HA-proxy is running.

- Using Service Type: NodePort