F5 Distributed Cloud Customer Edge on F5 rSeries – Reference Architecture
Purpose
Traditionally, to advertise an application to the internet or to connect applications across multi-cloud environments, enterprises must configure and manage multiple networking and security devices from different vendors in the DMZ of the data center. This is much simpler when the F5 rSeries appliance is connected to F5 Distributed Cloud (XC) by installing a Customer Edge (CE) site on it. The CE also brings security services such as API protection, Web Application Firewall, DDoS protection, Bot Mitigation, and more. CE on F5 rSeries is a single-vendor, converged solution for enterprise multi-cloud application connectivity and security needs.
This guide describes the reference architecture for deploying a Customer Edge site on F5 rSeries hardware. It explains the deployment options and the general use cases that benefit from connecting the rSeries appliance to the F5 Distributed Cloud Platform.
Audience
This guide is for current and prospective F5 rSeries customers who have applications load balanced by BIG-IP on rSeries and want to publish them to the internet over the F5 Global Network, or to other networks/clouds in a hybrid or edge use case, and enable F5 XC services for these applications. It is also intended for technical readers, including NetOps and Solution Architect teams, who want to understand the options for deploying a highly available F5 Distributed Cloud Customer Edge (CE) site on an rSeries appliance.
The guide assumes that the reader is familiar with basic concepts such as routing protocols, DNS, and VLANs, and with F5 XC concepts such as Load Balancing, BGP configuration, Sites and Virtual Sites, and the Site Local Inside (SLI) and Site Local Outside (SLO) interfaces.
Introduction
The F5 rSeries appliance is a next-generation hardware platform that delivers a highly scalable, microservices-based architecture to power mission-critical applications and network deployments. It provides a consolidated platform that supports BIG-IP application delivery services alongside F5 XC Multi-Cloud App Connect and security services delivered through an F5 XC Customer Edge.
BIG-IP keeps applications available under all kinds of traffic demand so that users can reach the applications they need at any time. By using both static and dynamic load balancing to eliminate single points of failure, BIG-IP helps an organization maintain application availability and reliability through any scenario.
By deploying a CE on the rSeries appliance and thereby connecting it to the cloud, users gain seamless application delivery and connectivity across hybrid cloud or edge/branch locations, can publish applications to the internet over the F5 XC Global Network, and can use the Regional Edges (REs) to offload security services such as DDoS protection and Web App and API Protection (WAAP).
Use Cases
Publishing Applications to the Internet
If a virtual server on BIG-IP must be advertised to the internet, you traditionally have to configure and manage multiple networking and security devices in the DMZ of the data center to perform NAT from the public IP to the virtual server's private IP, DDoS protection, firewalling, DNS resolution, and so on. This is greatly simplified by connecting the rSeries appliance to the cloud with a CE site installed on it.
Using the F5 XC console, users configure a distributed load balancer (HTTP or TCP), add the BIG-IP virtual server to its origin pool, and publish it to the internet. F5 XC automatically publishes the virtual server on an anycast IP address on the REs at all PoP locations of its global network, adds the domain to the public DNS zone, and provisions an automatic certificate for HTTPS endpoints. Users can also enable security features such as WAF, DDoS protection, and API Discovery from the same central console, and can use other F5 XC services such as DNS Load Balancer and CDN for public applications.
Figure: Publishing BIG-IP virtual server to the internet
Hybrid Cloud Application Delivery
As applications move from on-prem data centers to the public cloud, hybrid cloud networking and security are needed to ensure business continuity. Traditionally this is achieved with private connectivity to the cloud, SD-WAN, or VPN. But that exposes entire networks across clouds and requires additional security devices such as firewalls to restrict access by IP address. Because IP addresses can be ephemeral and applications are dynamic, managing security in this traditional architecture is challenging.
Users can simplify application connectivity with the F5 XC distributed load balancer running on the cloud-connected rSeries appliance. In the F5 XC console, they add the BIG-IP virtual server to an origin pool and publish it to one or more public cloud sites. This advertises only the required applications and APIs to other networks/clouds without connecting the networks directly, which keeps management simple and reduces the attack surface of the application.
In addition, users can enable security services such as WAF and API Discovery for these applications from the F5 XC console.
Figure: Hybrid cloud application delivery
Edge Application Delivery
For edge applications that need access to services in the data center (for example, branch applications accessing on-prem databases), the traditional solution is SD-WAN or VPN to interconnect the networks. This brings challenges such as IP address overlap and the management of hundreds of VPN connections. Branch locations are also inherently less secure, so securing those hundreds of connections is an operational burden.
Users can simplify this with F5 XC App Connect: the on-prem virtual server on BIG-IP is advertised to all edge sites from a single distributed load balancer configuration. The BIG-IP virtual server is added to an origin pool associated with the Virtual Site of on-prem rSeries CEs and advertised to a Virtual Site consisting of all branches. Any change to the load balancer is then applied to all branches simultaneously, keeping the configuration consistent and easy to manage. Only the required APIs and applications are advertised, which reduces the attack surface, and additional F5 XC security services can be enabled on the load balancer and applied to all branches with a few clicks.
Figure: Publishing BIG-IP virtual server to branch locations
Benefits
In each of the above use cases, F5 Distributed Cloud (XC) and BIG-IP complement each other to provide an enhanced multi-cloud application delivery experience using the consolidated solution on the F5 rSeries platform. The benefits of using this better-together solution are:
- Ease of connecting applications across multiple clouds
- Overcoming the issue of IP address overlap between different connected networks
- Custom traffic management with iRules
- Authentication with APM and additional API Gateway functionalities
- Advanced security features like API protection, Web Application Firewall, DDoS protection, Bot Mitigation, etc.
- Support for delivering legacy applications across clouds
- Enabling features not natively supported in XC, such as payload rewrite, service profiles, etc.
- Single vendor solution for all application security, connectivity, and load balancing requirements in a multi-cloud environment. Customers do not have to work with different vendors for support cases.
CE Deployment Topologies
An F5 rSeries appliance can host multiple virtual appliances. Each instance of a virtual appliance (BIG-IP, BIG-IP Next, or CE) is called a tenant. F5 recommends deploying two rSeries appliances with identically configured tenants and maintaining the HA relationship at the tenant level. There is no redundancy between rSeries appliances at the F5OS platform layer: the appliances are unaware of each other and exchange no HA traffic; it is the tenants that form the HA relationship. rSeries does not support tenant HA within the same appliance; it must be configured between tenants on separate appliances.
For details on tenant networking on the F5 rSeries appliance, see rSeries Networking. The rSeries appliance has an out-of-band management network that tenants can use, but a CE has no management interface, so its interfaces are connected to regular in-band VLANs as shown in the topologies below.
1. Virtual Site on Two or More rSeries Devices
If you have two rSeries appliances, you can deploy a single-node CE Mesh site on each appliance. The CEs must be grouped into a Virtual Site. The SLO and SLI interfaces of the CEs must be connected to appropriate VLANs as shown below. Other tenants can also be deployed on the same appliance, for example, BIG-IP is shown in the figure below deployed in an active-standby pair.
The BIG-IP VLAN must be reachable from the SLI VLAN.
Figure: CE Mesh sites and BIG-IP on rSeries
If you have more than two rSeries appliances, CEs can be deployed on more of them. It is not necessary to deploy a CE on every rSeries appliance.
2. Single node CE on One rSeries Device
If high availability is not a concern and you have only one rSeries appliance, you can deploy a single-node CE on it. Since there is only one CE site, it does not need to be added to a Virtual Site.
Figure: CE Mesh site on single rSeries
3. CE Only on Two or More rSeries Devices
If there are no other tenants deployed on your rSeries appliance (e.g. there are no BIG-IPs deployed), all available resources can be allocated to the CE site deployed on it. The CEs must be grouped into a Virtual Site.
Figure: CE-only deployment on rSeries
Virtual Sites and Redundancy
In general, a CE site with a three-node cluster is the recommended deployment topology. For CE on the F5 rSeries appliance, however, the recommendation is to deploy a single-node CE site on each rSeries appliance and group them into a Virtual Site. A Virtual Site lets you perform operations on multiple sites at once, without repeating the same configuration for each site. Each single-node site connects to the two geographically nearest REs, so it has two tunnels for redundancy; the total number of tunnels per Virtual Site is therefore twice the number of CEs in it. This gives a simple way to scale RE-CE bandwidth: add as many CEs as needed.
Figure: Virtual Site
Benefits:
- Horizontally scalable. A large number of sites can be a part of a Virtual Site.
- Increased throughput capacity. Each site in the Virtual Site has 2 CE-RE tunnels.
- Configurations like load balancers and security policies can be applied once to the Virtual Site and automatically get realized on each site in it.
- Sites can be upgraded one at a time to avoid application downtime.
The same pattern works in the other direction: for an on-prem application accessing a SaaS application over F5 Distributed Cloud, the SaaS application can be advertised on the SLI of the on-prem Virtual Site, and the SLI IP addresses of the CEs added as members of a pool on the BIG-IPs. The BIG-IPs then spread the traffic over all CEs in the Virtual Site and redundancy is maintained.
Figure: Access SaaS App over SMG
For example, the figure above shows an AWS Lambda application advertised to the on-prem Virtual Site, with the BIG-IPs load balancing the on-prem application's traffic across the CEs. In this example the sites are connected with a Hub-Spoke Site Mesh Group (SMG), with the 3-node AWS CE as the Hub. In this mode each Spoke CE forms a tunnel to each control node of the Hub site, so each CE in the Virtual Site has 3 tunnels to the hub site on AWS.
Version Support
This functionality of cloud-connecting rSeries appliance using F5 XC Customer Edge is supported with:
- F5 rSeries appliances: 5600 / 5800 / 5900 / 10600 / 10800 / 10900 / 12600 / 12800 / 12900
- F5OS: v1.8.0 release or greater.
- F5 XC CE: July 2024 release or later.
CE sizing guideline:
The minimum resource requirements for each CE node are 4 vCPUs, 14 GB RAM, and 80 GB disk.
F5 recommends three sizes of nodes according to the performance requirements:
- Small: 4 vCPUs, 16 GB RAM
- Medium: 8 vCPUs, 32 GB RAM
- Large: 16 vCPUs, 64 GB RAM
Figure: Cloud-connected F5 rSeries appliance with BIG-IP instance
Although the sizes above are the recommended ones, a CE can be created with additional vCPUs on the platform if performance requires it. The number of vCPUs available to tenants on the rSeries platform varies by SKU; see rSeries platform vCPU sizing for details.
Related Articles
Deploy Secure Mesh Site on F5 rSeries Appliance
Site-to-Site Connectivity in F5 Distributed Cloud Network Connect
- ffiveuser (Nimbostratus)
Hi bhushanpai,
Great article! For the RE-CE connection, if the CE is behind a corporate NAT router and firewall, which ports need to be opened?
TCP 500, 4500, 4510, 4511?
Thank you.
- bhushanpai (Employee)
The ports and protocols allow list is given here: https://docs.cloud.f5.com/docs-v2/platform/reference/network-cloud-ref?searchQuery=firewall#:~:text=Public%20IPv4%20Subnet%20Ranges%20for%20F5%20Regional%20Edges