Protect an application on-premises or in the cloud with F5 XC WAAP Customer Edge

The use case

This use case is similar to the use case "Protect an application spread across several locations with F5 Distributed Cloud Web App and API Protection (XC WAAP) and Multi-Cloud Networking" but in this use case, the users will not connect to the F5 XC Global Network. The users will connect directly to the public cloud in order to reduce latency. Or directly to the customer Datacenter if the CE (Customer Edge) is deployed there.

A CE is an instance deployed by F5 or Infra ops with the same code/capabilities as the F5 RE (Regional Edge - POPs). In few words, CE is deployed in customer environments, RE is deployed in F5 environments.

The value of this use case is to take advantage of the F5 XC Console (Deployment, Configuration, Observability ...) with on-premises instances managed by F5 (or public cloud instances)

In such workflow and architecture, the application is not protected anymore against volumetric L3/L4 DDoS, as DDoS protection is part of the Global Network (Regional Edge). But DDoS L7 stays enforced.

With F5 XC WAAP, we will protect with:

  • L3/L4 DDoS Protection, unlimited
  • WAF
  • Bot Protection (signature based)
  • API protection
  • Rate Limiting


The architecture


From a DNS standpoint, netops route the users and the traffic to the Azure LB instead of the F5 XC Global Network anycast IP address.

This architecture fits perfecly also for regions where F5 does not own yet POPs (Africa, Middle East for instance). You can deploy the CE directly in your network and get advantage of all F5 XC WAAP capabilties.

  • Central management
  • Central observability
  • Single pane of glass
  • Management and control plane as a service

The CE (Customer Edge) is deployed by F5 (or infra ops for on-premises deployments), and F5 maintain/update/upgrade the CE.


Solution overview and services offered

F5 XC WAAP offers by default

  • 1 anycast VIP
  • 1 Distributed LB
  • 2 Delegated DNS domain
  • WAAP protection
    • WAF Policy (based on BIG-IP and Nginx WAF engine)
    • Bot Signature protection
    • API Protection (Swagger enforcement)

But more advanced services are available

  • Advanced Bot Protection (Shape)
  • Advanced API Protection with API discovery
  • Malicious User Detection and Mitigation (AI/ML)


Use Case video

In this video, we explain in details this use case and the solution.


Published Sep 15, 2022
Version 1.0

Was this article helpful?

No CommentsBe the first to comment