Let’s decompose what you need at minimum

You need to configure 3 elements:

• Health Check: to monitor your application and confirm it is accessible by simulating a normal user traffic (HTTP / HTTPS).
• Origin Pool: it contains your Public IP and port for the application you host.
• HTTP Load Balancer: the FQDN your end users will point to, with the certificate in case of TLS termination.
• Optionally: you can add WAF Policy, API Protection and more

 

How is Health Check from the RE working ?

By default, your Health Check is coming from each RE (23 as of June 2023). It is using its own routing and Internet breakout to check the reachability of the application. You end up with a list of Origin Servers times the number of REs. On your Website, you should see IP addresses coming from those networks: https://docs.cloud.f5.com/docs/reference/network-cloud-ref

This is the reason why you see a list of Origin Server with the same exact IP (your Public IP), 23 times with a different RE (the “Site” column in the screenshot below).

Same Origin Server STATIC IP:Port, seen by each and every Regional Edge

The cool thing here, is that each and every RE is independent from the other in term of health check and is not relying on F5 Global Network. Traffic from the Regional Edge is leaving from the local presence to the Internet directly.

 

Can I restrict the list of REs that do the Health Check ?

By default, when you select “Public IP” in the Origin Pool member list, all the REs will check your Public IP and port. But if you select “IP Address of Origin Server on Given Sites” then you can restrict the list of REs (based on a country, a list of names, …).

Changing the default “Public IP” to “IP Address of Origin Server on given sites”

Selecting for the Public IP, a “virtual Site”

Selecting in the “virtual site” only REs that are located in France.

Done.

Now your list of Origin Server has changed from 23 to 2.

only Regional Edges from France have the state of the Origin Server

What happens if my traffic enter an RE not in this list ?

As mentioned in the introduction, the FQDN is matching an IP Anycast, exposed by default WorldWide on the 22 REs.

By default, the RE you enter, has a list of all those “Origin Server + RE” for your application.

When you created the Origin Pool for your application, the default configuration value in how a destination is selected is “Local Preferred”.

But you can select other options.

 

Here is quick summary of how things look depending on what you choose as “Endpoint Selection”:

 

State of the Origin Server on the Regional Edge	Local Endpoints ONLY	Local Endpoints Preferred	All Endpoints
Non existent or “DOWN”	Traffic is dropped as no destination can be found	As no local Endpoints are “UP”, selecting Endpoints “UP” from other REs if any (using the load balancing algorithm) – crossing F5 Global Network	As no local Endpoints are “UP”, selecting Endpoints “UP” from other REs if any (using the load balancing algorithm) – crossing F5 Global Network
Listed as “UP”	Leave directly to the destination	Leave directly to the destination	Leave directly to the destination

RE to RE when intial RE Origin Server is marked DOWN

Conclusion

The intent of this article is to clarify how you can control the Health Checks coming from Regional Edges, and use (or not) F5 XC Global Network to reach your application exposed on the Internet.

Of course, if you want a better control of this traffic, and even secure the transport of this traffic, you can add a Customer Edge closer to your application, on premise or in the cloud.

 

 

Related Content: 

Adding WAAP to your HTTP LB in F5 Distributed Cloud : https://community.f5.com/t5/technical-articles/deploy-waap-anywhere-with-f5-distributed-cloud/ta-p/313079