Modern Applications-Demystifying Ingress solutions flavors
In this article, we explore the different ingress services provided by F5 and how those solutions fit within our environment.
With different ingress services flavors, you gain the ability to interact with your microservices at different points, allowing for flexible, secure deployment.
The ingress services tools can be summarized into two main categories:
- Management plane:
  - NGINX One
  - BIG-IP CIS
- Traffic plane:
  - NGINX Ingress Controller / Plus / App Protect / Service Mesh
  - BIG-IP Next for Kubernetes
  - Cloud Native Functions (CNFs)
  - F5 Distributed Cloud Kubernetes deployment mode
Ingress solutions definitions
In this section we go quickly through the ingress services to understand the concept behind each one, and then move on to the use case comparison.
BIG-IP Next for Kubernetes
Kubernetes' native networking architecture does not inherently support multi-network integration or non-HTTP/HTTPS protocols, creating operational and security challenges for complex deployments. BIG-IP Next for Kubernetes addresses these limitations by centralizing ingress and egress traffic control, aligning with Kubernetes design principles to integrate with existing security frameworks and broader network infrastructure. This reduces operational overhead by consolidating cross-network traffic management into a unified ingress/egress point, eliminating the need for multiple external firewalls that traditionally require isolated configuration.
The solution enables zero-trust security models through granular policy enforcement and provides robust threat mitigation, including DDoS protection, by replacing fragmented security measures with a centralized architecture. Additionally, BIG-IP Next supports 5G Core deployments by managing North/South traffic flows in containerized environments, facilitating use cases such as network slicing and multi-access edge computing (MEC). These capabilities enable dynamic resource allocation aligned with application-specific or customer-driven requirements, ensuring scalable, secure connectivity for next-generation 5G consumer and enterprise solutions while maintaining compatibility with existing network and security ecosystems.
Cloud Native Functions (CNFs)
BIG-IP Next for Kubernetes enables advanced networking, traffic management, and security functionality; CNFs enable additional advanced services.
VNFs and CNFs can be consolidated in the S/Gi-LAN or the N6 LAN in 5G networks. A consolidated approach results in simpler management and operation, reduced operational costs, with TCO reduced by up to 60%, and more opportunities to monetize functions and services. Functions can include DNS, Edge Firewall, DDoS, Policy Enforcer, and more.
BIG-IP Next CNFs provide scalable, automated, resilient, manageable, and observable cloud-native functions and applications. They support dynamic elasticity, occupy a smaller footprint with fast restart, and use continuous deployment and automation principles.
NGINX for Kubernetes / NGINX One
NGINX for Kubernetes is a versatile and cloud-native application delivery platform that aligns closely with DevOps and microservices principles. It is built around two primary models:
- NGINX Ingress Controller (OSS and Plus): Deployed directly inside Kubernetes clusters, it acts as the primary ingress gateway for HTTP/S, TCP, and UDP traffic. It supports Kubernetes-native CRDs, and integrates easily with GitOps pipelines, service meshes (e.g., Istio, Linkerd), and modern observability stacks like Prometheus and OpenTelemetry.
- NGINX One/NGINXaaS: This SaaS-delivered, managed service extends the NGINX experience by offloading the operational overhead, providing scalability, resilience, and simplified security configurations for Kubernetes environments across hybrid and multi-cloud platforms.
NGINX solutions prioritize lightweight deployment, fast performance, and API-driven automation. NGINX Plus variants offer extended features like advanced WAF (NGINX App Protect), JWT authentication, mTLS, session persistence, and detailed application-layer observability.
There are some under-the-hood differences: BIG-IP Next for Kubernetes and CNFs use F5's own TMM to perform application delivery and security, while NGINX relies on the kernel for some network-level functions such as NAT, iptables, and routing. Whether you go with one or both options to enhance your application delivery and security experience therefore depends on the architecture of your environment.
BIG-IP Container Ingress Services (CIS)
BIG-IP CIS operates in the management flow. The CIS service is deployed in the Kubernetes cluster and sends information about created Pods to an integrated BIG-IP that sits outside the Kubernetes environment. This allows LTM pools to be created automatically and traffic to be forwarded based on pool member health.
This service lets application teams focus on microservice development while BIG-IP is updated automatically, which makes configuration management easier.
Use cases categorization
Let’s frame this in terms of use cases, to relate it more closely to the field and our day-to-day work:
- NGINX One
  - Access to NGINX commercial products, support for open-source, and the option to add WAF.
  - Unified dashboard and APIs to discover and manage your NGINX instances.
  - Identify and fix configuration errors quickly and easily with the NGINX One configuration recommendation engine.
  - Quickly diagnose bottlenecks and act immediately with real-time performance monitoring across all NGINX instances.
  - Enforce global security policies across diverse environments. Real-time vulnerability management identifies and addresses CVEs in NGINX instances.
  - Visibility into compliance issues across diverse app ecosystems. Update groups of NGINX systems simultaneously with a single configuration file change.
  - Unified view of your NGINX fleet for collaboration, performance tuning, and troubleshooting.
  - Automate manual configuration and updating tasks for security and platform teams.
- BIG-IP CIS
  - Enable self-service Ingress HTTP routing and app services selection by subscribing to events to automatically configure performance, routing, and security services on BIG-IP.
  - Integrate with the BIG-IP platform to scale apps for availability and enable app services insertion. In addition, integrate with the BIG-IP system and NGINX for Ingress load balancing.
- BIG-IP Next for Kubernetes
  - Supports ingress and egress traffic management and routing for seamless integration with multiple networks.
  - Enables support for 4G and 5G protocols that are not supported by Kubernetes, such as Diameter, SIP, GTP, SCTP, and more.
  - Enables security services applied at ingress and egress, such as firewalling and DDoS.
  - Topology hiding at ingress obscures the internal structure within the cluster.
  - As a central point of control, per-subscriber traffic visibility at ingress and egress allows traceability for compliance tracking and billing.
  - Support for multi-tenancy and network isolation for AI applications, enabling efficient deployment of multiple users and workloads on a single AI infrastructure.
  - Optimize AI factory implementations with BIG-IP Next for Kubernetes on Nvidia DPU.
- F5 Cloud Native Functions (CNFs)
  - Add containerized services, for example Firewall, DDoS, and Intrusion Prevention System (IPS) technology based on F5 BIG-IP AFM.
  - Ease IPv6 migration and improve network scalability and security with IPv4 address management. Deploy as part of a security strategy.
  - Support DNS Caching, DNS over HTTPS (DoH).
  - Supports advanced policy and traffic management use cases. Improve QoE and ARPU with tools like traffic classification, video management and subscriber awareness.
- NGINX Ingress Controller
  - Provide L4-L7 NGINX services within the Kubernetes cluster.
  - Manage user and service identities and authorize access and actions with HTTP Basic authentication, JSON Web Tokens (JWTs), OpenID Connect (OIDC), and role-based access control (RBAC).
  - Secure incoming and outgoing communications through end-to-end encryption (SSL/TLS passthrough, TLS termination).
  - Collect, monitor, and analyze data through prebuilt integrations with leading ecosystem tools, including OpenTelemetry, Grafana, Prometheus, and Jaeger.
  - Easy integration with Kubernetes Ingress API, Gateway API (experimental support), and Red Hat OpenShift Routes.
- F5 Distributed Cloud Kubernetes deployment mode
  - The F5 XC k8s deployment is supported only for Sites running Managed Kubernetes, also known as Physical K8s (PK8s). Deployment of the ingress controller is supported only using Helm.
  - The Ingress Controller manages external access to HTTP services in a Kubernetes cluster using the F5 Distributed Cloud Services Platform.
  - The ingress controller is a K8s deployment that configures the HTTP Load Balancer using the K8s ingress manifest file.
  - The Ingress Controller automates the creation of the load balancer and other required objects such as VIP, Layer 7 routes (path-based routing), advertise policy, and certificate creation (k8s secrets or automatic custom certificate).
Conclusion
As you can see, the diverse set of ingress controller tools gives you more flexibility, letting you tailor your architecture to your organization's requirements and maintain application delivery and security practices across your application ecosystem.
Related Content and Technical demos
- BIG-IP Next SPK: a Kubernetes native ingress and egress gateway for Telco workloads
- F5 BIG-IP Next CNF solutions suite of Kubernetes native 5G Network Functions
- Deploy WAF on any Edge with F5 Distributed Cloud
- Announcing F5 NGINX Ingress Controller v4.0.0 | DevCentral
- JWT authorization with NGINX Ingress Controller
- My first CRD deployment with CIS | DevCentral
- BIG-IP Next for Kubernetes
- BIG-IP Next for Kubernetes (LA)
- BIG-IP Next Cloud-Native Network Functions (CNFs)
- CNF Home
- F5 NGINX Ingress Controller
- Overview of F5 BIG-IP Container Ingress Services
- NGINX One