F5 Distributed Cloud Load Balancing Use Cases
Overview
Load balancing plays a critical role in modern application environments, ensuring high availability, minimal latency, scalability, and seamless traffic flow between users and applications. As modern applications become increasingly distributed across hybrid and multi-cloud environments, traditional approaches often fall short of addressing challenges such as complex traffic patterns, availability and security management, and dynamic scaling across multiple locations.
These modern architectures demand a more intelligent approach, one that is globally available, centrally managed, and capable of operating seamlessly across distributed locations.
F5 Distributed Cloud provides an innovative load balancing solution catering to the varied needs of standalone and distributed environments. This document covers four specific types of load balancers in F5 Distributed Cloud, while also highlighting why distributed load balancing is pivotal in cross-regional and multiple-site use cases. Additionally, it describes how Distributed Cloud Services simplifies traffic management and adds value compared to traditional paradigms.
Introduction to Distributed Cloud load balancing
Application load balancing has long been central to delivering scalable and resilient services. Traditionally, enterprises deployed physical or virtual load balancers within data centers to distribute traffic among backend servers. As applications extended into multiple sites and clouds, however, traditional architectures struggled to maintain consistent control, visibility, and security across environments.
F5 Distributed Cloud offers a fundamentally different approach: it integrates global networking, application security, and load balancing under a single, cloud-native control plane.
By leveraging F5 Distributed Cloud’s Regional Edge (RE) and Customer Edge (CE) nodes, organizations can deploy load balancers close to users, at the network edge, or within private environments - all managed from one console.
This document focuses on four key load balancing use cases that F5 Distributed Cloud App Connect enables:
- Public load balancer
- Private load balancer
- App-DMZ load balancer
- Distributed load balancer
For each use case, this document outlines how the scenario is traditionally implemented, examines the key challenges and limitations associated with conventional approaches, and explains how F5 Distributed Cloud addresses these gaps. It also highlights the additional operational and architectural benefits delivered by the platform.
Load balancing use cases
Public load balancer
Traditionally, public-facing applications were deployed using data center–based ADCs within a DMZ or cloud-native load balancers. Traffic enters through public IP addresses mapped to these load balancers, requiring operators to independently configure routing, firewall rules, DNS, DDoS protection, TLS termination, failover mechanisms, and monitoring in each region.
This model introduces several operational challenges:
- Deployment control becomes fragmented, as each data center or cloud region maintains its own load balancer configuration, often leading to inconsistent policies.
- Traffic steering typically relies on DNS in the absence of anycast, which can result in propagation delays and suboptimal routing due to caching.
- Managing multiple load balancer instances across environments adds operational overhead, as each must be maintained, patched, upgraded, and monitored separately.
- Visibility is limited, with monitoring and troubleshooting spread across disparate systems, making it difficult to gain unified insights.
- Security enforcement is also inconsistent, as capabilities such as WAF, bot protection, DDoS mitigation, and API security are often implemented as separate, loosely integrated solutions.
While this approach can meet basic requirements, it becomes increasingly complex and resource-intensive at scale. Operations teams must contend with slower updates, reactive troubleshooting, and configuration drift across environments.
Performance and benefits
The public load balancer is the simplest to manage yet provides the greatest global impact within F5 Distributed Cloud. In this model, the publicly advertised load balancer gets an anycast virtual IP address (VIP) on all REs. The servers in the origin pool have public IP addresses or domain names that resolve to public IPs and are directly routable from the RE. The RE terminates client requests and load balances to the upstream servers, meaning user traffic enters and is served entirely within the RE infrastructure. CE nodes are not required for this deployment.
You can also use Distributed Cloud DNS to host the app’s domain name and the load balancer’s auto certificate feature to automate DNS and certificate management.

Figure: Public Load Balancer Diagram
The F5 Distributed Cloud Services public load balancer gains the benefits of the platform’s anycast networking, centralized policy management, and integrated security stack. The benefits are substantial:
- Global availability: Applications instantly become multi-region without provisioning any regional hardware or cloud load balancer instances. Anycast VIPs automatically route users to the closest RE, minimizing latency.
- Unified control plane: All policies, certificates, routing logic, and security settings are configured through the Distributed Cloud Console or API, eliminating regional configuration drift.
- Integrated application security: WAF, bot defense, DDoS protection, API discovery, and access control run at the RE, protecting applications before traffic reaches the origin.
- Operational simplicity: Adding or modifying origin servers requires only control plane updates - no manual DNS, NAT, or route changes.
- Analytics and observability: Real-time traffic analytics, performance metrics, and security insights are available from a single pane of glass.
- Consistent performance: Distributed Cloud Services uses its private network backbone for optimized routing, ensuring predictable user performance even during Internet congestion.
In short, publishing your application on the Distributed Cloud public load balancer makes it globally accessible while providing centralized visibility, management and integrated security - drastically reducing operational complexity.
Note: For applications that must be restricted to a geographic region for reasons such as compliance, F5 Distributed Cloud Services also supports tying the anycast VIP to only the REs in the required region. You can also bring your own public IP to be used as a public load balancer VIP.
Private load balancer
Traditionally, private load balancing relied on physical appliances or software load balancers deployed in each data center. While functional, this approach introduces significant management and scalability challenges:
- Configuration is decentralized, with each load balancer - whether cloud-native or third party - having a unique feature set and management interface, often resulting in inconsistent policies across sites.
- Lifecycle operations such as access control and version upgrades must be performed per device, leading to variability and operational overhead.
- Security enforcement is fragmented, as WAF, bot protection, DDoS mitigation, and API security are frequently implemented as separate, loosely integrated solutions.
- Monitoring and troubleshooting are complex, since internal load balancers typically lack consolidated analytics.
- Migrating apps across providers is difficult and time-consuming as it requires reconfiguring the load balancer in the new environment.
Modern enterprises need a solution that operates seamlessly across environments while providing unified policies, consistent security, and simplified management.
In the private load balancer scenario, deployment of a CE is required. The CE functions as the load balancing appliance, hosting the VIP on one or more interfaces, while the origin pool remains locally routable within the enterprise’s private network.
Performance and benefits
The CE can be deployed as a physical server or as a virtual instance across environments such as branch offices, on-premises data centers, or public clouds - wherever the applications reside. For high availability, it may operate as a cluster of nodes or as multiple sites within a virtual site construct, but load balancing and VIP hosting are always handled locally. This model is typically used for applications that are not intended for public access.

Figure: Private Load Balancer Diagram
The private load balancer in F5 Distributed Cloud enables organizations to use CE nodes as locally deployed load balancing appliances, while benefiting from centralized configuration, policy enforcement, and lifecycle management through a SaaS-based control plane. This model combines the flexibility of on-premises or cloud-local deployment with the simplicity of unified operations.
Key advantages include:
- Granular unified policy: Precisely define which applications and APIs are advertised within the network, enabling selective publishing based on environment, namespace, or service.
- Fine-grained access control: Enforce identity and policy-based access to applications, ensuring only required users, services, or networks can connect.
- Advanced Layer 7 routing: Leverage host-based and path-based routing, header inspection, and traffic steering to intelligently direct requests to appropriate backend services.
- Mutual TLS (mTLS) for workload authentication: Enable strong service-to-service authentication, ensuring that only trusted workloads can communicate within the environment.
- Integrated, consistent security posture: Apply WAF, API discovery and protection, DDoS mitigation, bot defense, and service policies uniformly across all deployments without relying on separate point solutions.
- Centralized SaaS-based management: Configure and manage all load balancers, policies, and security controls from a single global console or API, eliminating per-site configuration overhead.
- Simplified application mobility: Seamlessly migrate applications across environments by updating advertisement policies to point to CE sites in the target location, avoiding complex reconfiguration of load balancers.
App-DMZ load balancer
When applications need to be distributed across multiple geographies while keeping backend servers private, traditional architectures rely on deploying multiple regional points of presence (PoP). These PoPs are connected to the data center hosting the application through private networks, VPNs, or SD-WAN-based onramps. Each PoP must independently implement DDoS protection and Layer 7 security, while load balancing remains centralized at the data center. In addition, services such as global server load balancing (GSLB) are required to route clients to the nearest PoP.
This approach introduces several long-standing challenges:
- High capital and operational costs: Each PoP requires dedicated security appliances, along with ongoing maintenance, upgrades, and management.
- Operational complexity: Multiple configuration touch points across regions increase the likelihood of errors and slow down change management.
- Fragmented security enforcement: Distributing security controls across locations leads to inconsistent policy application and increased risk exposure.
- Slow time to onboard applications: New applications must pass through multiple infrastructure and security layers, delaying deployment.
- Inefficient failover mechanisms: DNS-based traffic steering can result in delayed failover due to caching.
- Limited end-to-end visibility: Monitoring is siloed across components, making it difficult to gain a unified view of application performance and security.
- Variable latency: Traffic backhauling over VPNs or private links can introduce unpredictable latency and degrade user experience.
The result is an architecture that, while functional, lacks scalability, consistency, and visibility, often evolving into a patchwork of cloud-native, network-specific, and vendor-dependent solutions.
Performance and benefits
The App-DMZ load balancer represents one of the most powerful deployment models in F5 Distributed Cloud. In this architecture, the VIP is publicly accessible and hosted on the RE, while the origin pool remains private behind a CE or within a virtual site.
This design enables enterprises to securely expose private backend services to the Internet without directly exposing the underlying infrastructure. Incoming traffic is received at the RE anycast VIP, where it is terminated and processed. The RE then forwards requests over secure, Distributed Cloud-managed tunnels to one or more CEs hosting the private origin services. The CE may be deployed as a cluster of nodes or across multiple sites within a virtual site construct, providing flexibility and resilience.
Backend services in the origin pool use private IP addresses and are not directly reachable from the Internet. Only explicitly advertised applications and APIs are exposed through the Distributed Cloud load balancer.

Figure: App-DMZ Load Balancer Diagram
F5 Distributed Cloud App-DMZ load balancer provides a simple, SaaS-based solution for securely exposing applications to the Internet while keeping backend servers private and minimizing their direct attack surface. It eliminates the complexity of building and managing distributed access architectures using traditional tools.
The key benefits of this solution include:
- Global availability with optimal routing: Applications gain instant multi-region presence without deploying regional load balancers. Anycast VIPs automatically direct users to the nearest RE, minimizing latency and eliminating the need for DNS-based GSLB.
- Predictable, low-latency performance: Cross-region traffic is carried over F5’s high-speed private backbone, ensuring consistent and optimized application performance.
- Security enforced at the edge: Application security is offloaded to F5’s global network, where malicious traffic is blocked at the edge. Only validated traffic is forwarded to backend services over secure RE–CE tunnels, providing end-to-end encryption and reducing exposure of private infrastructure.
- Unified control plane: Policies, certificates, routing logic, and security configurations are centrally managed through the Distributed Cloud Console or API, ensuring consistency and eliminating configuration drift across environments.
- Seamless application mobility: Applications can be migrated across clouds or data centers without reconfiguring network connectivity such as VPNs or private interconnects. Updating the origin to point to a CE in the new environment is sufficient.
- End-to-end observability: Provides comprehensive visibility into traffic flows, performance metrics, and security events across both edge and backend environments from a single interface.
This model modernizes how applications are exposed to the Internet by combining global reach, strong security, and operational simplicity, eliminating much of the complexity and risk associated with traditional DMZ architectures.
Distributed load balancer
Historically, inter-site application delivery relied on a patchwork of networking technologies such as IPsec VPNs or private backbones to connect sites, along with routing configurations using static routes or SD-WAN overlays to enable private IP reachability. Each site maintains its own firewall policies and NAT rules, while internal GSLB or DNS-based steering directs traffic. In many cases, distributed ADC clusters are deployed across data centers to handle application delivery.
This approach introduces several challenges:
- Ensuring seamless Layer 4 and Layer 7 connectivity across sites while preserving private IP segmentation requires complex network design, and adding new sites often involves manual updates to IP addressing and routing.
- Failure handling is rarely automatic, typically requiring DNS changes, routing adjustments, or manual intervention.
- Connectivity remains opaque, making it difficult to troubleshoot cross-site performance issues or packet loss.
- Security is fragmented, with scattered firewalls, WAFs, and policies varying across locations, leading to inconsistent enforcement.
- Scalability is also a concern, as traditional VPN-based architectures struggle to grow efficiently, and the overall topology becomes increasingly complex as more sites and applications are added.
As a result, these environments are prone to operational drift, requiring significant network engineering effort, with teams spending more time managing connectivity and troubleshooting than optimizing application performance.
Performance and benefits
F5 Distributed Cloud simplifies distributed application connectivity by enabling the deployment of CE nodes in each cloud or data center where applications reside. This automatically creates a Layer 7 application delivery fabric across all sites. Applications can be discovered on any CE and securely advertised to other CE sites by configuring load balancers in Distributed Cloud Services with the appropriate origin and advertisement policies. Application traffic on a CE can also be isolated at the network level by using segmentation. Security services can then be enabled seamlessly on the load balancer through the Distributed Cloud Console.
By default, site-to-site traffic flows over secure CE–RE tunnels. For optimized direct connectivity, organizations can enable CE-to-CE tunnels by grouping sites into a Site Mesh Group (SMG). When sites are geographically distributed and the SMG is not configured, traffic leverages the RE global backbone, providing high-speed, reliable transit between locations.
All inter-site communication is encrypted in transit, ensuring secure and consistent connectivity across environments.

Figure: Distributed Load Balancer Diagram
F5 Distributed Cloud Services abstracts the complexity of cross-site connectivity by creating a private, globally consistent application delivery fabric across CE sites. The distributed load balancer leverages this secure fabric to enable seamless application-to-application communication across environments.
Key benefits include:
- Eliminates cross-site networking complexity: Removes the need for public IP exposure, complex routing, or VPN configurations. Applications and APIs are connected selectively at Layer 7, without requiring full Layer 3 reachability between backend systems.
- Secure, encrypted communication: All CE–CE and CE–RE traffic is protected using built-in IPsec or SSL tunnels, ensuring data confidentiality and integrity in transit.
- Centralized operations: Load balancing configurations, certificates, policies, and observability are managed through a single Distributed Cloud Console, reducing operational overhead.
- Consistent policy enforcement: TLS, access control, WAF (where enabled), API protection, and routing policies are uniformly applied across all sites, ensuring a consistent security posture.
- Enhanced performance visibility: Operators gain real-time insights into latency, throughput, and traffic flows between sites directly from the Distributed Cloud Console.
This architecture enables true hybrid application connectivity, allowing services to span private data centers, branch locations, and cloud environments seamlessly - without sacrificing control, security, or visibility.
Summary of load balancing use cases
Modern application architectures demand more than traditional load balancing. They require a solution that seamlessly spans clouds, data centers, and edge locations while maintaining consistent performance, security, and operational simplicity.
F5 Distributed Cloud addresses this need by redefining load balancing as a globally distributed, policy-driven service rather than a collection of isolated appliances. Through its unified control plane and globally deployed infrastructure, Distributed Cloud enables organizations to adopt the right load balancing model based on application requirements, without introducing additional complexity.
The public load balancer enables rapid global application exposure with built-in performance optimization and edge security. The private load balancer provides localized control for internal applications while maintaining centralized management and consistent policy enforcement. The App-DMZ load balancer bridges the gap between public access and private infrastructure, allowing secure exposure of applications without increasing attack surface. Finally, the distributed load balancer creates a seamless application delivery fabric across sites, enabling secure, efficient, and scalable inter-application connectivity.
Across all these models, Distributed Cloud delivers a consistent set of advantages: centralized operations, integrated security, global reach, and deep observability. By abstracting the complexities of networking, security, and traffic management, it allows teams to focus on application delivery rather than infrastructure management. In essence, F5 Distributed Cloud transforms load balancing from a fragmented, infrastructure-heavy function into a unified, intelligent platform, enabling organizations to build, scale, and operate modern applications with greater agility, security, and efficiency.
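The four models differ in where the VIP is hosted (RE or CE) and where the origins sit relative to it. The following added example is not F5 code: the inventory schema, site names, and addresses are constructed for illustration and are not the Distributed Cloud API. It classifies each load balancer by those two properties and flags origins that contradict the model's exposure assumptions, such as an App-DMZ origin with a public address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 1918 and IPv6 unique-local ranges are treated as "private" here.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


@dataclass
class LoadBalancer:  # hypothetical inventory record, not an F5 API object
    name: str
    vip_on: str                                # "RE" or "CE"
    vip_site: Optional[str]                    # CE site hosting the VIP
    origins: List[Tuple[str, Optional[str]]]   # (address, CE site or None)


def is_private(addr: str) -> Optional[bool]:
    """True/False for an IP literal; None for a hostname (not resolved)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return any(ip in net for net in PRIVATE_NETS)


def classify(lb: LoadBalancer) -> str:
    """Map VIP location and origin location to one of the four models."""
    sites = [site for _, site in lb.origins]
    if lb.vip_on == "RE":
        return "app-dmz" if any(sites) else "public"
    if all(site == lb.vip_site for site in sites):
        return "private"
    return "distributed"


def audit(lb: LoadBalancer) -> Tuple[str, List[str]]:
    """Return the model and any origins that contradict it."""
    model, findings = classify(lb), []
    for addr, site in lb.origins:
        private = is_private(addr)
        if private is None:
            continue  # hostname: resolve separately before judging
        if model == "public" and private:
            findings.append(f"{addr}: private origin, RE cannot route to it")
        elif model == "app-dmz" and site is None:
            findings.append(f"{addr}: origin is not behind a CE")
        elif model != "public" and not private:
            findings.append(f"{addr}: public address on a private origin pool")
    return model, findings


# Constructed sample inventory (documentation address ranges for "public").
INVENTORY = [
    LoadBalancer("www", "RE", None, [("203.0.113.10", None)]),
    LoadBalancer("shop", "RE", None, [("10.20.0.5", "ce-dc1"),
                                      ("198.51.100.7", "ce-dc1")]),
    LoadBalancer("hr", "CE", "ce-dc1", [("10.20.1.8", "ce-dc1")]),
    LoadBalancer("billing", "CE", "ce-aws", [("10.20.2.9", "ce-dc1")]),
]

if __name__ == "__main__":
    for lb in INVENTORY:
        print(lb.name, *audit(lb))
```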