Leon_Seng
F5 Employee

Today, F5 Distributed Cloud boasts a myriad of security capabilities, ranging from

  • Web Application Firewall
  • API security
  • DDoS Mitigation
  • Bot Detection
  • Application Infrastructure Protection

and more. As the platform continues to grow, the number of security, networking and application management capabilities is only going to increase over time.

But what if you need capabilities that do not exist on the platform today? SaaS offerings are easy to consume, but can be opinionated in how capabilities are provided, if at all. The best course of action is to raise a feature request. In the meantime, allow me to introduce a superpower hidden in plain sight:

F5 Distributed Cloud App Stack

A brief primer on Distributed Cloud App Stack

Described as a SaaS to enable lifecycle management of applications across distributed infrastructure, it lets users run Kubernetes applications in any location or environment, without needing to manage Kubernetes clusters. This could be on any of the Distributed Cloud Regional Edges (RE), or Customer Edges (CE) deployed in the users' private environment.

An application deployed on App Stack runs like a Kubernetes application, and can be advertised via HTTP or TCP Load Balancers for clients to consume its services. In other words, an application running on App Stack can be treated as an origin server in the context of a Load Balancer on F5 Distributed Cloud.

Enhancing Distributed Cloud with App Stack

If F5 Distributed Cloud Load Balancer is missing certain capabilities you require today, one option is to use App Stack to deploy another proxy running on the REs, and have the proxy perform the required capabilities instead. Some use cases that I have been exploring include (click on the links to see code examples!):

  1. Injecting client certificate details into an HTTP header for a mutual TLS connection
  2. Parsing a PROXY protocol header
  3. Validating a claim in a JSON Web Token
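
An added sketch of use case 3, not taken from the article's linked examples or from F5: the check a custom proxy would run before forwarding a request. It assumes HS256 tokens signed with a shared key; the key, the `role` claim and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"demo-shared-secret"  # constructed key, for this example only

def b64url_decode(part: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_token(claims: dict, key: bytes) -> str:
    # Builds a constructed HS256 token so the example runs offline.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.{b64url_encode(sign(f'{header}.{body}', key))}"

def check_claim(token: str, key: bytes, claim: str, allowed: tuple, now: int):
    """Return (status, reason): 200 means forward to the origin."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm; never let the token pick it (rejects "none").
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return 401, "unsupported alg"
        # Verify the signature before reading any claim from the payload.
        expected = sign(f"{header_b64}.{body_b64}", key)
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return 401, "bad signature"
        claims = json.loads(b64url_decode(body_b64))
    except ValueError:
        return 401, "malformed token"
    if not isinstance(claims, dict):
        return 401, "malformed token"
    exp = claims.get("exp")
    # "not exp > now" also rejects a NaN expiry, which "exp <= now" would pass.
    if not isinstance(exp, (int, float)) or not exp > now:
        return 401, "expired or missing exp"
    # Authorization decision: the claim must carry an allowed value.
    if claims.get(claim) not in allowed:
        return 403, "claim value not allowed"
    return 200, "ok"

if __name__ == "__main__":
    token = make_token({"sub": "alice", "role": "admin", "exp": 2000}, KEY)
    print(check_claim(token, KEY, "role", ("admin",), now=1000))
```
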

 

For those who have experience with F5 BIG-IP, these might feel similar to using an iRule to perform custom logic not natively supported on BIG-IP. Given enough time and requests, some of these might even make it into the platform as a native capability, akin to how some BIG-IP modules/features today were born from commonly used iRules in the past.

It is also worth noting that proxies deployed in the examples above can further forward the traffic to another HTTP or TCP Load Balancer on F5 Distributed Cloud, allowing you to take advantage of other capabilities on the platform. Again, this should ring a bell for those who are aware of the VIP targeting VIP concept in BIG-IP.

Conclusion

I hope this article has provided you with a new perspective on F5 Distributed Cloud App Stack. F5 Distributed Cloud is constantly evolving, and will continue to introduce more capabilities, but for what is missing now, have a look at implementing it with App Stack.

 

Comments
JRahm
Community Manager

@Leon_Seng love it!! Thanks for sharing, this is super helpful in not just the "iRule-ability" within distributed cloud, but also fleshing out some of the features that are there natively. Appreciate it!

shsingh
F5 Employee

In the BIG-IP world this analogy would have been a VIP-targeting-VIP type approach. Same same but different.

Nice article @Leon_Seng!

Per_Bo_Nielsen
F5 Employee

Great piece of work, Leon!

 

Version history
Last update: 01-May-2023 16:18