F5 Distributed Cloud - Traffic Steering based on Client IP Address

When client traffic must be routed to a specific origin server based on the client IP address, F5 Distributed Cloud Services lets us steer it as required, for example in canary deployments or where resources in one location are better suited to process requests from some clients.

This solution uses the Origin Server Subset Rules feature, which provides the ability to create match conditions for incoming traffic to the HTTP Load Balancer using country, ASN, F5 Regional Edge (RE), IP address, or client label selectors for selection of destination (origin servers).

This example uses origin servers in two different locations connected through F5XC Customer Edges using IPsec tunnels. Location 1 hosts application version 1 and Location 2 hosts application version 2. The goal is to forward requests from specific IP addresses to Location 2 and requests from all other IP addresses to Location 1.

 

 

Configuration

1. Create a Known Label

A known label is a key-value pair that can be attached to objects for referencing the objects using the label.

  • Go to Home > Shared Configuration > Manage > Labels > Known Keys
  • Click on Add Known Key and provide a Label Key and the Label values:

After adding them, click on Add key.

To verify that the labels are created, go to Manage > Labels > Known Labels.

 

2. Add the labels to the origin servers

 

  • Go to Home > Multi-Cloud App Connect or Web App & API Protection > Manage > Load Balancers > Origin Pools
  • Identify the Origin Pool to configure, click the three-dot menu (•••) on the right, and select Manage Configuration
  • Edit the configuration for each origin server to add the label:

 

 

Select Show Advanced Fields and from the Origin Server Labels select the created Label and the value:

 

This is the configuration after the labels are added to each Origin Server:

 

3. Enable Subset Load Balancing

 

In the Other Settings section of the Origin Pool configuration, click on Configure and from the Enable/Disable Subset Load Balancing menu, select Enable Subset Load Balancing and then click on Configure:

 

 

From the Subset Classes section, click on Add Item to add the label key created in step 1:

 

 

This is the result after adding the label key:

 

 

Click Apply twice and save the configuration of the Origin Pool.

 

4. Create an IP Prefix Set

 

An IP Prefix Set contains an ordered list of IP prefixes. It will be used to forward traffic to a specific origin server using origin server subset rules.

IP Prefix Sets can be created on multiple workspaces: Web App & API Protection, Multi-Cloud App Connect or Shared Configuration.

 

  • Go to Home > Shared Configuration > Security > Shared Objects > IP Prefix Sets
  • Click on Add IP Prefix Set, enter a name and description as needed:

 

 

After adding all the IP addresses, click on Add IP prefix set.

 

5. Configure the Load Balancer

 

  • Go to Home > Multi-Cloud App Connect or Web App & API Protection > Manage > Load Balancers > HTTP Load Balancers
  • Identify the Load Balancer to configure, click the three-dot menu (•••) on the right and select Manage Configuration and then Edit Configuration.
  • Edit the configuration for each origin server to add the label:
  • In the Origins section, add the origin pool configured in step 2.

 

 

  • Click on Show Advanced Fields and then on Configure in the Origin Server Subset Rules section:

 

 

  • Click on Add Item to add the rules:

   

 

  • Provide a name, an optional description and from the Action menu, select the created Label key and the appropriate key value:

 

 

 

  • From the Clients section, click on Source IPv4 Match and select IPv4 Prefix List

 

 

  • Click Add Item to add the IP Prefix Set created in step 4:

 

 

This is the first rule to forward traffic to origin servers where the application v2 is hosted:

 

 

  • Click Apply and repeat the same steps to forward the traffic of all other IP addresses to the origin server where v1 of the application is hosted. For this rule, add a name and an optional description, select the label key with app-v1 as the key value, and for Source IPv4 Match keep the default value, Any Source IP:

 

 

These are the Server Subset Rules created:

 

 

Click on Apply and then on Save HTTP Load Balancer.

 

6. Validate the Solution

 

When requests from IP addresses that are part of the IP Prefix Set (for example, 187.188.10.147) reach the HTTP Load Balancer, they are forwarded to origin server 2 in the f5xc-aws-ce Customer Edge, which hosts application v2. All other traffic is forwarded to origin server 1 in the f5xc-onprem-ce Customer Edge, which hosts application v1.
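The rule set built in steps 1 to 5 can be modelled offline to confirm which origin server a client IP lands on and to catch a catch-all rule placed ahead of a specific one. This is an added example, not F5 code or code from the original article. The label key app-version, the value app-v2, the origin server names, the /32 prefix and first-match rule ordering are assumptions.

```python
import ipaddress

# Constructed model of the tutorial's objects. "app-version", "app-v2" and the
# server names are assumed; "app-v1" and the Customer Edge names are from the article.
LABEL_KEY = "app-version"
ORIGIN_SERVERS = [
    {"name": "origin-server-1", "site": "f5xc-onprem-ce", "labels": {LABEL_KEY: "app-v1"}},
    {"name": "origin-server-2", "site": "f5xc-aws-ce", "labels": {LABEL_KEY: "app-v2"}},
]
PREFIX_SET = ["187.188.10.147/32"]  # constructed IP Prefix Set contents
RULES = [  # ordered list; prefixes=None stands for "Any Source IP"
    {"name": "to-v2", "prefixes": PREFIX_SET, "subset": {LABEL_KEY: "app-v2"}},
    {"name": "to-v1", "prefixes": None, "subset": {LABEL_KEY: "app-v1"}},
]

def _nets(rule):
    """Networks a rule matches; Any Source IP becomes 0.0.0.0/0."""
    prefixes = ["0.0.0.0/0"] if rule["prefixes"] is None else rule["prefixes"]
    return [ipaddress.ip_network(p) for p in prefixes]

def select_origins(client_ip, rules=RULES, servers=ORIGIN_SERVERS):
    """Return (rule name, origin server names) for the first rule matching client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if any(ip in net for net in _nets(rule)):
            chosen = [s["name"] for s in servers
                      if all(s["labels"].get(k) == v for k, v in rule["subset"].items())]
            return rule["name"], chosen
    return None, []

def shadowed_rules(rules):
    """Names of rules that can never match under first-match evaluation."""
    # Conservative check: each prefix must sit inside one single earlier prefix.
    seen, dead = [], []
    for rule in rules:
        nets = _nets(rule)
        if all(any(n.subnet_of(e) for e in seen) for n in nets):
            dead.append(rule["name"])
        seen.extend(nets)
    return dead
```

Running shadowed_rules on the rules in reverse order reports to-v2 as unreachable, which is the misconfiguration that would silently send every client to v1.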

 

 

Conclusion

F5 Distributed Cloud features can perform traffic management based on various criteria to route requests along the optimal path, improving user experience and supporting use cases such as canary deployments.

 

Published Jan 21, 2026
Version 1.0