F5 Distributed Cloud – Why You Should Never Block Regional Edge IPs on Your Firewall
This article explains why blocking F5 Distributed Cloud (F5 XC) Regional Edge (RE) IP addresses on your origin firewall is a critical misconfiguration that will cause health check failures, traffic disruption, and degraded application availability. Because the F5 XC architecture is fully distributed by design, every RE independently monitors your origin — and blocking even a subset of RE IPs will break this mechanism.
Introduction
A common mistake when onboarding a public-facing application onto F5 Distributed Cloud (XC) is to restrict which source IP addresses can reach the origin server. Network and security teams, following a traditional “deny all / allow what you need” approach, sometimes allow only a handful of F5 XC Regional Edge IPs through their firewall — or worse, block RE IPs entirely because they see unfamiliar traffic hitting the origin from IP ranges they don’t recognize.
This article explains why this is fundamentally incompatible with how F5 Distributed Cloud works, and what the consequences are.
Understanding Distributed Architecture
When you expose an application through F5 Distributed Cloud, the platform advertises your application’s FQDN via an Anycast IP address across all Regional Edges worldwide. As of the latest updates, this means your application is reachable through multiple REs across the Americas, Europe, and Asia-Pacific.
Each RE acts as an independent proxy and point of presence. End users are routed to the closest RE based on BGP peering and network proximity. This is the core of F5 XC’s distributed model — there is no single centralized proxy.
How Health Checks Work: Each RE Monitors Independently
This is the critical point that is often misunderstood.
When you configure a Health Check and an Origin Pool with your application’s public IP, every Regional Edge independently performs its own health check against your origin server. Each RE uses its own local internet breakout to reach your application — health check traffic does not traverse the F5 Global Network.
This means:
- If you have an origin server with a public IP, and your Origin Pool is configured with “Public IP” (the default), then all REs will send health-check probes to your origin.
- Each RE maintains its own independent view of your origin’s health status.
- On the F5 XC console, you will see the same origin IP listed multiple times — once per RE — each with its own health status.
The source IPs of these health checks come from the RE subnet ranges published in the official F5 documentation: F5 Distributed Cloud IP Address and Domain Reference.
What Happens When You Block Some RE IPs
Suppose you allow only a few RE IP ranges (for example, only European REs) but block the rest. Here is what happens:
- REs whose IPs are allowed will successfully complete health checks, and your origin will appear as UP from those locations.
- REs whose IPs are blocked will see health check failures, and your origin will be marked as DOWN from those locations.
The immediate and most visible consequence is on the F5 XC console itself. Because a majority of REs report the origin as DOWN, the console will display a degraded application health status — showing poor availability and performance metrics. This gives a misleading picture of your application’s actual state: your origin is perfectly healthy, but the console reflects a largely unhealthy deployment simply because most REs cannot reach it through the firewall. This can trigger unnecessary troubleshooting, false alerts, and erode confidence in the platform’s monitoring data.
Now, when an end user connects through a blocked RE (for example, a user in Asia hitting a Singapore RE), the platform behavior depends on the Endpoint Selection policy configured in your Origin Pool:
| Endpoint Selection Policy | Behavior When Local RE Shows Origin as DOWN |
|---|---|
| Local Endpoints Only | Traffic is dropped. The user gets an error. No fallback. |
| Local Endpoints Preferred (default) | Traffic is forwarded via the F5 Global Network to a RE that has the origin marked as UP. This adds some latency. |
| All Endpoints | Same as Local Preferred — traffic is rerouted to a healthy RE over the Global Network. This can add major latency if the responding RE is far away from the origin. |
In the Local Endpoints Only case, users connecting through blocked REs will experience a complete outage for your application — even though the origin is healthy and reachable.
In the Local Preferred or All Endpoints cases, the platform will attempt to reroute traffic through the F5 Global Network to a RE that has a healthy view of the origin. While the application will still be reachable, this introduces several problems:
- Increased latency: Traffic must travel from the ingress RE to a remote egress RE over the internal F5XC fabric before reaching your origin, instead of egressing locally to the internet.
- Suboptimal routing: A user in Tokyo may end up having their traffic routed through Paris because only European REs can reach the origin — defeating the purpose of a globally distributed edge.
- Reduced resilience: You’ve effectively reduced the number of egress points that can serve traffic, creating bottlenecks and potential single points of failure.
The Correct Default Approach: Allowlist All RE IP Ranges
The F5 official documentation is clear on this point: you should allowlist all F5 Distributed Cloud RE subnet ranges on your origin firewall. The published IP ranges are organized by region (Americas, Europe, Asia) and are available on the official F5 Distributed Cloud documentation page.
Ideally, your origin firewall should be configured to only allow the F5 Distributed Cloud subnets for your application’s listening port. This ensures that:
- All RE health checks succeed, giving the platform an accurate and complete view of your origin’s health.
- Traffic egresses locally from the closest RE, providing the lowest latency path to your users.
- Only traffic routed through F5 XC can reach your origin, preventing attackers from bypassing the F5 XC security stack (WAAP, DDoS, Bot Protection, etc.) by hitting the origin directly.
What If You Want to Limit Which REs Perform Health Checks?
If you have a legitimate reason to reduce the number of REs performing health checks (for example, to reduce health check traffic on the origin or because your application is regionally scoped), F5 XC provides a built-in mechanism for this.
Instead of using “Public IP” in the Origin Pool member configuration, select “IP Address of Origin Server on Given Sites” and then assign a Virtual Site that includes only the REs you want. For example, you could create a Virtual Site that includes only European REs, reducing your health check sources from all worldwide REs down to just the ones in that region.
Conclusion
F5 Distributed Cloud is architected as a fully distributed system. Health monitoring is not performed from a central location — it is performed independently by every Regional Edge. This design is what enables the platform to provide low-latency, resilient application delivery worldwide.
Blocking RE IPs on your origin firewall fundamentally breaks this distributed health monitoring model. It causes health checks to fail, triggers suboptimal traffic routing, and potentially increases latency.
The correct and recommended approach is to allowlist all F5 Distributed Cloud RE IP ranges on your origin firewall, and use the platform’s built-in Virtual Site mechanism if you need to control which REs perform health checks.
Employee