For those of you following along with the F5 Hybrid Security Architectures series, welcome back!  If this is your first foray into the series and you would like some background, have a look at the intro article.  This series uses the F5 Hybrid Security Architectures GitHub repo and CI/CD platform to deploy F5-based hybrid security solutions following DevSecOps principles.  This repo is a community-supported effort to provide not only a demo and workshop, but also a stepping stone for applying these practices in your own F5 deployments.  If you find any bugs or have any enhancement requests, open an issue or, better yet, contribute!

Use Case:

In this example solution, we will use DevSecOps practices to deploy an AWS Elastic Kubernetes Service (EKS) cluster running the Brewz test web application, serviced by F5 NGINX Ingress Controller.  To secure our application and APIs, we will deploy F5 Distributed Cloud's Web App and API Protection service as well as F5 BIG-IP Access Policy Manager and Advanced WAF.  We will then use F5 Container Ingress Services and IngressLink to tie it all together.

Distributed Cloud WAAP: Available as a SaaS-based deployment; provides comprehensive security designed to safeguard web applications and APIs from a wide range of cyber threats.

BIG-IP Access Policy Manager (APM) and Advanced WAF:  Available for on-premises / data center and public or private cloud (Virtual Edition) deployment, for robust, high-performance web application and API security with granular, self-managed controls.

BIG-IP Container Ingress Services: A container integration solution that helps developers and system teams manage Ingress HTTP routing, load-balancing, and application services in container deployments.  

F5 IngressLink: Combines BIG-IP, Container Ingress Services (CIS), and NGINX Ingress Controller to deliver unified app services for fast-changing, modern applications in Kubernetes environments.

NGINX Ingress Controller for Kubernetes: A lightweight software solution that helps manage app connectivity at the edge of a Kubernetes cluster by directing requests to the appropriate services and pods.


XC WAAP + BIG-IP Access Policy Manager + F5 Container Ingress Services + NGINX Ingress Controller Workflow

GitHub Repo: F5 Hybrid Security Architectures



  • xc: F5 Distributed Cloud WAAP
  • nic: NGINX Ingress Controller
  • bigip-base: F5 BIG-IP Base deployment
  • bigip-cis: F5 Container Ingress Services
  • infra: AWS Infrastructure (VPC, IGW, etc.)
  • eks: AWS Elastic Kubernetes Service
  • brewz: Brewz SPA test web application


  • Cloud Provider: AWS
  • Infrastructure as Code: Terraform
  • Infrastructure as Code State: Terraform Cloud
  • CI/CD: GitHub Actions

Terraform Cloud

Workspaces: Create a workspace for each asset in the workflow chosen

Workflow: xcbn-cis
Workspaces: infra, bigip-base, bigip-cis, eks, nic, brewz, xc

Your Terraform Cloud console should resemble the following:

[Screenshot: Terraform Cloud workspaces for the xcbn-cis workflow]

Variable Set: Create a Variable Set with the following values.
IMPORTANT: Mark the credential values (the AWS keys and session token, VES_P12_PASSWORD, and nginx_jwt) as sensitive so that Terraform Cloud redacts them from run logs and the UI.

  • AWS_ACCESS_KEY_ID: Your AWS Access Key ID - Environment Variable
  • AWS_SECRET_ACCESS_KEY: Your AWS Secret Access Key - Environment Variable
  • AWS_SESSION_TOKEN: Your AWS Session Token - Environment Variable
  • VOLT_API_P12_FILE: Your F5 XC API certificate. Set this to api.p12 - Environment Variable
  • VES_P12_PASSWORD: Set this to the password you supplied when creating your F5 XC API key - Environment Variable
  • nginx_jwt: Your NGINX JSON Web Token (JWT) associated with your NGINX license - Terraform Variable
  • tf_cloud_organization: Your Terraform Cloud Organization name - Terraform Variable

Your Variable Set should resemble the following:

[Screenshot: Terraform Cloud Variable Set]


Fork and Clone Repo: F5 Hybrid Security Architectures  


Actions Secrets:
Create the following GitHub Actions secrets in your forked repo

  • XC_P12: The base64 encoded F5 XC API certificate
  • TF_API_TOKEN: Your Terraform Cloud API token
  • TF_CLOUD_ORGANIZATION: Your Terraform Cloud Organization
  • TF_CLOUD_WORKSPACE_workspace: Create for each workspace used in your workflow. EX: TF_CLOUD_WORKSPACE_XC would be created with the value xc

Your GitHub Actions Secrets should resemble the following:

[Screenshot: GitHub Actions secrets in the forked repo]
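The same secrets can be created from the command line. The script below is an added example and is not code from the F5 Hybrid Security Architectures repo: it uses the GitHub CLI (gh) to create the secrets listed above in your fork, with one TF_CLOUD_WORKSPACE_<NAME> secret per workspace of the xcbn-cis workflow. It assumes you have run gh auth login, that api.p12 is the F5 XC API certificate you downloaded from the XC console, and that TF_API_TOKEN and TF_CLOUD_ORGANIZATION are exported in your shell. The hyphen-to-underscore rule for names such as bigip-cis is an assumption (GitHub secret names allow only letters, digits and underscores); confirm the exact names against the workflow files under .github/workflows in the repo. The script defaults to a dry run that only prints the commands; set DRY_RUN=0 to actually write the secrets.

```shell
#!/bin/sh
# Added example, not code from the F5 Hybrid Security Architectures repo.
# Creates the GitHub Actions secrets for a fork with the GitHub CLI.
# Assumptions: `gh auth login` done; $1 is the fork (owner/repo); $2 is the
# api.p12 downloaded from the F5 XC console; TF_API_TOKEN and
# TF_CLOUD_ORGANIZATION are exported. DRY_RUN defaults to 1 (print only).
set -u
DRY_RUN="${DRY_RUN:-1}"

# Terraform Cloud workspaces of the xcbn-cis workflow (from the table above).
WORKSPACES="infra bigip-base bigip-cis eks nic brewz xc"

# Secret name rule from the article: TF_CLOUD_WORKSPACE_ + workspace name in
# upper case. Hyphens become underscores (assumption: GitHub secret names
# allow only letters, digits and underscores), so bigip-cis -> BIGIP_CIS.
workspace_secret_name() {
  printf 'TF_CLOUD_WORKSPACE_%s' "$(printf '%s' "$1" | tr 'a-z-' 'A-Z_')"
}

# Single-line base64 of the PKCS#12 file. GNU base64 wraps at 76 columns and
# BSD/macOS base64 lacks -w, so strip newlines instead of relying on flags.
p12_to_base64() {
  base64 < "$1" | tr -d '\n'
}

# Run a command, or just print it when DRY_RUN=1. Secret values arrive on
# stdin (never as arguments) so they do not show up in `ps` or shell history.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

set_actions_secrets() {
  repo="$1" p12="$2"
  : "${TF_API_TOKEN:?export your Terraform Cloud API token}"
  : "${TF_CLOUD_ORGANIZATION:?export your Terraform Cloud organization}"
  p12_to_base64 "$p12"                 | run gh secret set XC_P12 --repo "$repo"
  printf '%s' "$TF_API_TOKEN"          | run gh secret set TF_API_TOKEN --repo "$repo"
  printf '%s' "$TF_CLOUD_ORGANIZATION" | run gh secret set TF_CLOUD_ORGANIZATION --repo "$repo"
  for ws in $WORKSPACES; do
    printf '%s' "$ws" | run gh secret set "$(workspace_secret_name "$ws")" --repo "$repo"
  done
}

# Demo (dry run only) against a constructed placeholder file, so the script
# can be executed end to end without touching GitHub.
if [ "$DRY_RUN" = "1" ]; then
  demo_p12=$(mktemp)
  printf 'placeholder, not a real PKCS#12 file' > "$demo_p12"
  TF_API_TOKEN="${TF_API_TOKEN:-tfc-token-placeholder}"
  TF_CLOUD_ORGANIZATION="${TF_CLOUD_ORGANIZATION:-my-tfc-org}"
  set_actions_secrets "your-github-user/f5-hybrid-security-architectures" "$demo_p12"
  rm -f "$demo_p12"
fi
```

Run it as DRY_RUN=0 sh set-secrets.sh owner/repo ./api.p12 once the placeholders are replaced by real values; in the dry run the secret values themselves are never printed, only the gh commands that would consume them.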

Setup Deployment Branch and Terraform Local Variables:

Step 1: Check out a branch for the deploy workflow using the following naming convention

xcbn-cis deployment branch: deploy-xcbn-cis


Step 2: Upload the Brewz OAS file to XC
  • From the side menu under Manage, navigate to Files->Swagger Files and choose Add Swagger File


  • Upload the Brewz OAS file from the repo: f5-hybrid-security-architectures/brewz/brewz-oas.yaml


Step 3: Rename infra/terraform.tfvars.examples to infra/terraform.tfvars and add the following data


project_prefix = "Your project identifier"
resource_owner = "You"

aws_region = "us-west-1"                  # your AWS region
azs        = ["us-west-1a", "us-west-1b"] # your AWS availability zones

nic       = true
nap       = false
bigip     = true
bigip-cis = true


Step 4: Rename xc/terraform.tfvars.examples to xc/terraform.tfvars and add the following data


#XC Global
api_url = "https://<Your Tenant>"
xc_tenant = "Your XC Tenant ID"
xc_namespace = "Your XC namespace"

app_domain = "Your App Domain"

xc_waf_blocking = true

#XC AI/ML Settings for MUD, APIP - NOTE: Only set if using AI/ML settings from the shared namespace
xc_app_type = []
xc_multi_lb = false

#XC API Protection and Discovery
xc_api_disc = true
xc_api_pro = true
xc_api_spec = ["Path to uploaded API spec"]  # see the note below for how to obtain this URL

#XC Bot Defense
xc_bot_def = false

xc_ddos = false

#XC Malicious User Detection
xc_mud = false


To obtain the value for xc_api_spec, navigate to Manage->Files->Swagger Files, click the three dots next to your uploaded OAS, and choose "Copy Latest Version's URL".  Paste this URL into xc_api_spec in xc/terraform.tfvars.

[Screenshot: "Copy Latest Version's URL" in Swagger Files]

Step 5: In .gitignore, comment out the *.tfvars line (line 16 at the time of writing) by prefixing it with # and save the file.  This lets the deploy branch carry infra/terraform.tfvars and xc/terraform.tfvars, which the pipeline needs, so keep credentials out of those files (they belong in the Terraform Cloud Variable Set and the GitHub Actions secrets) and remember that everything committed to a public fork is world-readable.


Step 6: Commit your changes
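Before committing, it is worth checking what the un-ignored tfvars files actually contain. The guard below is an added example, not code from the F5 Hybrid Security Architectures repo: it scans tfvars files for credential-like material (AWS access key IDs, JWTs such as the NGINX license token, PEM private keys, and assignments to password/secret/token variables) and for placeholders left over from the .examples files, and refuses the commit if it finds any. The regular expressions are assumptions about what a leaked secret or an unfilled placeholder looks like, not an exhaustive scanner. The sample files at the bottom are constructed for the demo; in practice, run scan_file on infra/terraform.tfvars and xc/terraform.tfvars, or wire scan_staged into a pre-commit hook.

```shell
#!/bin/sh
# Added example, not code from the F5 Hybrid Security Architectures repo.
# Step 5 above un-ignores *.tfvars so infra/terraform.tfvars and
# xc/terraform.tfvars can ride along on the deploy branch. Those files must
# hold only non-secret settings; credentials belong in the Terraform Cloud
# Variable Set and the GitHub Actions secrets. This guard refuses tfvars
# files that contain credential-like material or unfilled placeholders.
set -u

# Credential indicators (assumed patterns): AWS access key IDs (AKIA/ASIA +
# 16 chars), JWTs (three base64url segments, e.g. an NGINX license JWT), PEM
# private keys, and assignments to variables named *password*/*secret*/
# *token*/*jwt*.
SECRET_RE='(AKIA|ASIA)[0-9A-Z]{16}|eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+|-----BEGIN [A-Z ]*PRIVATE KEY-----|^[[:space:]]*[A-Za-z0-9_]*(password|secret|token|jwt)[A-Za-z0-9_]*[[:space:]]*='

# Placeholders from terraform.tfvars.examples that were never filled in.
PLACEHOLDER_RE='"(Your [^"]*|Path to uploaded API spec)"|<Your [^>]*>'

# grep_code FILE REGEX: matching lines with line numbers, comment lines
# excluded so documentation may mention "password" without tripping the guard.
grep_code() {
  grep -nE "$2" "$1" | grep -vE '^[0-9]+:[[:space:]]*#'
}

# scan_file FILE: report offending lines on stderr; return 1 if any were found.
scan_file() {
  file="$1" bad=0
  if hits=$(grep_code "$file" "$SECRET_RE"); then
    printf 'REFUSE %s: credential-like content\n%s\n' "$file" "$hits" >&2
    bad=1
  fi
  if hits=$(grep_code "$file" "$PLACEHOLDER_RE"); then
    printf 'REFUSE %s: placeholder values not filled in\n%s\n' "$file" "$hits" >&2
    bad=1
  fi
  return $bad
}

# scan_staged: check every *.tfvars staged for the next commit (pre-commit use).
scan_staged() {
  rc=0
  for f in $(git diff --cached --name-only --diff-filter=AM -- '*.tfvars'); do
    scan_file "$f" || rc=1
  done
  return $rc
}

# --- demo on constructed files (not the repo's real tfvars) ---
demo=$(mktemp -d)
cat > "$demo/good.tfvars" <<'EOF'
project_prefix  = "hsa"
aws_region      = "us-west-1"
xc_tenant       = "acme-tenant"
xc_waf_blocking = true
# comments may mention a password or token without tripping the guard
EOF
cat > "$demo/bad.tfvars" <<'EOF'
project_prefix    = "hsa"
xc_namespace      = "Your XC namespace"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
nginx_jwt         = "eyJhbGciOiJIUzI1NiJ9.eyJsaWMiOiJkZW1vIn0.c2lnbmF0dXJlLWRlbW8"
EOF
scan_file "$demo/good.tfvars" && echo "good.tfvars: ok"
scan_file "$demo/bad.tfvars"  || echo "bad.tfvars: rejected (expected)"
```

The AWS key in the constructed bad.tfvars is the inert example ID from AWS documentation and the JWT is made up; both exist only to exercise the patterns.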


Deployment:

Step 1: Push your deploy branch to the forked repo


Step 2: Back in GitHub, navigate to the Actions tab of your forked repo and monitor your build



Step 3: Once the pipeline completes, verify your assets were deployed to AWS and F5 XC


Step 4: Check your Terraform Outputs for XC and verify your app is available by navigating to the FQDN


Step 5: Configure F5 APM and Advanced WAF following the guide here.

API Discovery:

The F5 XC WAAP platform learns the schema structure of the API by analyzing sampled request data, then reverse-engineers that data into a generated OpenAPI spec.  The platform compares what is deployed (the uploaded OAS) against what is discovered and tags any Shadow APIs that are found, that is, endpoints seen in live traffic but absent from the published spec.  We can then download the learned schema and use it to augment our BIG-IP APM API protection configuration.


Deployment Teardown:

Step 1: From your deployment branch check out a branch for the destroy workflow using the following naming convention

xcbn-cis destroy branch: destroy-xcbn-cis


Step 2: Push your destroy branch to the forked repo


Step 3: Back in GitHub, navigate to the Actions tab of your forked repo and monitor your build



Step 4: Once the pipeline completes, verify your assets were destroyed



In this article we have shown how to utilize the F5 Hybrid Security Architectures GitHub repo and CI/CD pipeline to deploy a tiered security architecture utilizing F5 XC WAAP, F5 BIG-IP, and NGINX Ingress Controller to protect a test API running in AWS EKS.  While the code and security policies deployed are generic and do not cover every use case, they can be used as a stepping stone for deploying F5-based hybrid architectures in your own environments.

Workloads are increasingly deployed across multiple diverse environments and application architectures. Organizations need the ability to protect their essential applications regardless of deployment or architecture circumstances.  Equally important is the need to deploy these protections with the same flexibility and speed as the apps they protect.  With the F5 WAF portfolio, coupled with DevSecOps principles, organizations can deploy and maintain industry-leading security without sacrificing the time to value of their applications.  Not only can Edge and Shift Left principles exist together, but they can also work in harmony to provide a more effective security solution.


Article Series:

F5 Hybrid Security Architectures (Intro - One WAF Engine, Total Flexibility)
F5 Hybrid Security Architectures (Part 1 - F5's Distributed Cloud WAF and BIG-IP Advanced WAF)
F5 Hybrid Security Architectures (Part 2 - F5's Distributed Cloud WAF and NGINX App Protect WAF)
F5 Hybrid Security Architectures (Part 3 - F5 XC API Protection and NGINX Ingress Controller)
F5 Hybrid Security Architectures (Part 4 - F5 XC BOT and DDoS Defense and BIG-IP Advanced WAF) 
F5 Hybrid Security Architectures (Part 5 - F5 XC, BIG-IP APM, CIS, and NGINX Ingress Controller)

For further information or to get started:

  • F5 Distributed Cloud Platform (Link)
  • F5 Distributed Cloud WAAP Services (Link)
  • F5 Distributed Cloud WAAP YouTube series (Link)
  • F5 Distributed Cloud WAAP Get Started (Link)
Last update: 22-Sep-2023 14:12