Billing FAQs
The following question and answer sets provide usage information for different F5® Distributed Cloud Services subscriptions. In this section, you will find the following information:
-
General Usage and Billing Questions
-
Understanding Base Package
-
Understanding Application Security Services
-
Understanding Application Delivery Services
Find out more about the available products and services on the platform here: Distributed Cloud Services | F5 Products.
For account specific pricing information please reach out to your account team or Contact Sales.
General Usage and Billing Questions
Where can I view my current Distributed Cloud Services consumption?
Distributed Cloud customers will receive a monthly report from F5 detailing their current usage.
What does metering mean?
Metering refers to product usage that is tracked according to specific units. Consumption of services is tracked, and any increases in consumption of those services will result in additional charges.
How often am I billed for usage?
Billing depends on your billing program:
- AWS Pay-as-you-go for Distributed Cloud | F5 Distributed Cloud Technical Knowledge
- Term Subscription for Distributed Cloud | F5 Distributed Cloud Technical Knowledge
- Flex Consumption Program for Distributed Cloud | F5 Distributed Cloud Technical Knowledge
Most purchased products have a monthly usage entitlement included in the purchase (for example, 1 application per month, 1M good requests per month). Additional capacity can be purchased to accommodate increased monthly usage.
What happens if I go over my consumption entitlements?
Your obligations for excess usage or going over your consumption entitlements are defined in the End User Services Agreement in the section on usage metrics F5, Inc. End User Services Agreement. If you have excess usage, your account team will work with you to right-size your subscription to cover your usage at an additional cost.
How do I add services to my subscription?
Most of the services can be enabled directly through your console by going to the “catalog” on the homepage. Some services may require you to work with F5 Support to enable, and you can work with your account team to help coordinate the services enablement.
Billing for usage of added services will vary by buying program. You can always work with your partner and account team to understand the additional cost of adding a service.
-
Term Subscription: You will be contacted by your account team in the quarter in which you have started a new service to review the additional costs. Work with your partner and account team to add and co-term the service(s) to your subscription.
-
Pay-as-you-go: Billed monthly in arrears for all usage.
-
Flex Consumption Program (FCP): Newly added services will appear in your monthly usage report. At your annual adjustment, if the total cumulative usage of all services used in the prior 12 months exceeds your annual commitment amount, there will be a True Up / True Forward payment.
How do I remove services from my subscription?
For term subscriptions, you have subscribed to a service for an agreed time. If you have concerns regarding your usage of existing services in your subscription, discuss these with your account team.
For Pay-as-you-go and FCP models, you are billed on what you consume. If you want to stop using a service, you can just stop using it.
When will these changes be reflected in my bill?
If you are currently purchasing under a Term Subscription, you will receive regular reports of your consumption, and your account team will review these reports with you on a quarterly basis. If there is excess usage, you will need to work with your channel partner to submit a one-time order for the excess usage. You will also have the option to amend your subscription to increase your entitlement amount for the remainder of your subscription term.
If you are currently purchasing under FCP, you will get regular consumption reports showing your consumption towards your annual commitment amount. If you have consumed over your annual commitment, you will need to work with your channel partner to submit a True Up or True Forward payment covering your excess consumption at your agreement anniversary.
If you are currently purchasing under a Pay-as-you-go program, you will receive a monthly bill on what you have consumed in the previous month period.
If I have F5 BIG-IP or NGINX subscriptions in addition to Distributed Cloud Services, will I receive a separate bill for each set of products?
If the products are on the same subscription, then you will receive one bill. If the products are on separate subscriptions, then you will receive one bill per subscription.
How is Service Policy Quota Usage Counted in Distributed Cloud?
In Distributed Cloud, service policies do not drive costs directly, however they are limited by a quota that is in place to ensure that resources are used correctly and protect the overall platform from runaway race conditions. The tenant's quota is based on the configuration and applications deployed. here's a breakdown of how usage is calculated for the service policies in a tenant:
-
Shared Service Policies: Count as a single object, regardless of the number of load balancers they are applied to.
-
Namespace-Specific Service Policies: Also count as one object, even if attached to multiple load balancers.
-
Specific Load Balancer Configurations: Certain load balancer configurations, such as IP Intelligence (IPI), can dynamically create hidden service policy objects for each load balancer. This can increase quota usage.
To view how service policies are affecting your quota, you can:
- Check the "Show Child Objects" option within the load balancer configuration.
- Review the associated service policies displayed.
If your quota usage seems inconsistent, further investigation may be necessary to confirm the calculations.
For more details about information on default quotas refer to Default Quota Reference page.
Understanding the Distributed Cloud Services Base Package
What services are included in the base package?
The base package offers capabilities that equip you with the essential application delivery and security services needed for your website or publicly accessible applications. A list of all products included in the base package can be found in this data sheet F5 Distributed Cloud Services Base Package.
What services are metered in the base package?
| Product | Description |
|---|---|
| Anycast Virtual IP Address (VIP) | Assign a virtual IP address to multiple servers or devices in different locations with Anycast routing. This ensures that the same VIP responds to requests globally, but the user gets directed to the optimal endpoint. |
| API Discovery | Detect and map all APIs directly from code repositories, through traffic analysis and external domain crawling including forgotten, unmanaged and shadow APIs, for a complete view into an apps ecosystem including automatic generation of OpenAPIspec (OAS) files. |
| API Protection | Automatically discover endpoints mapped to your applications, allow or deny list unwanted connections, and monitor for anomalous behavior. |
| Web App Scanning | Dynamically scan your external attack surface. Uncover vulnerabilities with automated penetration testing of web apps and APIs. |
| Globally Distributed Load Balancer | A globally distributed load balancer distributes user requests across servers or data centers located in multiple geographic regions to optimize performance, reduce latency, and ensure availability. |
| DNS Zones | A DNS zone is a distinct division of a domain namespace that is managed by an entity such as an organization. Customers can exercise granular control on the components such as name servers which hold the DNS records for the domain namespace represented by the zone. |
| DNS Load Balancer Records | Use records to distribute incoming traffic across multiple servers or endpoints to optimize performance, ensure high availability, and prevent overloading any single server, via Round Robin, Weighted, or Geolocation-based routing. |
| DNS Load Balancer Health Checks | Monitor the availability and responsiveness of backend servers or endpoints to ensure that only healthy servers are included in DNS responses. |
| Layer 3 DDoS Protection IP Prefixes | Quickly identify and restrict traffic from known malicious sources while allowing legitimate traffic to pass, helping protect targeted systems from being overwhelmed. |
| Client-Side Defense | Protect customer credentials, financial details, and PII against Magecart, Formjacking, and other client-side supply chain attacks by monitor web pages for suspicious code. |
| Synthetic Monitoring | Easily monitor your critical applications and systems from regions around the world. |
| WAF | A Web Application Firewall (WAF) monitors, filters, and blocks malicious HTTP/HTTPS traffic to protect web applications from threats like Cross-Site Scripting (XSS), SQL injection, and other vulnerabilities. |
How are services in the base package metered?
| Product | Entitlement | Metering Unit |
|---|---|---|
| Anycast Virtual IP Address (VIP) | 1 VIP per month | Per IPv4 address |
| API Discovery | 1 Load Balancer per month (equivalent to 1 Application) | Per Load balancer (aka application) - minimum 5 load balancers in addition to base |
| API Protection | 500k (good) requests per month | Per 1M (good) requests - minimum 5M good requests in addition to base |
| Web App Scanning | 3 Applications per month | Per application |
| Globally Distributed Load Balancer | 1 Load Balancer (equivalent to 1 Application) per month | Per load balancer (externally facing) |
| DNS Zones | 250 zones per month | Per zone |
| DNS Load Balancer Records | 50 records per month | Per record |
| DNS Load Balancer Health Checks | 200 health checks per month | Per health check |
| Layer 3 DDoS Protection IP Prefixes | 100 IP Prefixes per month | Per 100 IP Prefixes |
| Client-Side Defense | 1M Transactions per month | Per 1M transactions |
| Synthetic Monitoring | 500k Executions per month | Per 500k executions |
| WAF | 5M requests per month | Per 1M requests |
What is a good request for API Protection?
A good request for API Protection is any request that is not blocked. If a request is forwarded on to the application or API origin servers, it is a good request.
How do requests get metered for API Discovery and WAF? If a single request runs through my WAF, and then it runs through my API Protection, does it apply to both meters?
Each request applies to the meter of each service. For example, if a request passes through WAF and API Protection, it would be counted by the meter for each service.
What is an execution for Synthetic Monitoring?
An execution is one instance of one monitor endpoint operating from one region. If you have one HTTP monitor operating in three regions every five minutes, you have three executions occurring every five minutes.
What is an application for Web App Scanning?
An application is a deployed instance hosted on a web server, available through a defined entry URL. Different URLs are counted as different apps.
How many scans can be done per application per month?
There are no limits to the number of scans you can conduct per month on those applications.
What is a transaction for Client-Side Defense?
Client-Side Defense transactions refer to distinct page views of an Authorized Website with Client-Side Defense JavaScript. This number is generally lower than the total page views on those pages.
Understanding Application Security Services
What Application Security services are metered that are not included in the base package?
| Product | Description |
|---|---|
| BYO VIP | Customers may use their own virtual IP addresses for applications connected to their Distributed Cloud tenant. |
| Rate Limiting | Rate Limiting at the load balancer is used to enforce limits on the number of requests or amount of traffic that users, clients, or devices can send to a service with the same telemetry data. |
| Bot Defense Web | Defend against malicious bots that take over accounts, damage brand reputation, slow performance, and cause financial harm. Learn the value of rich client-side signals in the mitigation of bots for web applications. |
| Bot Defense Mobile | Defend against malicious bots that take over accounts, damage brand reputation, slow performance, and cause financial harm. Learn the value of rich client-side signals in the mitigation of bots for mobile applications. |
| Bot Defense Additional Transactions | Get additional transactions based on the projected number of interactions between a client and a server to determine if the request is coming from a person or a bot. |
| Bot Defense Add'l Region | Add a new Bot Defense server to another region or infrastructure deployment in your environment, after the first two are allocated |
| Bot Defense Content Scraping Protection | Content Scraping Protection prevents bots from scraping web application content and degrading web app performance. This enables CSP for all Bot Defense engines in your tenant. |
| Mobile SDK Integrator | Use the Mobile SDK Integrator to insert the Bot Defense Mobile SDK into CI/CD pipelines for mobile apps without making any code changes. |
| Mobile App Shield | Mobile App Shield thwarts attackers that try to debug mobile apps or run them on rooted devices looking for vulnerabilities. This runtime security prevents data loss that results from attacks on apps running on mobile devices. |
| Routed DDoS - Always Available | Routed DDoS will detect and mitigate large-scale, volumetric network-targeted attacks in real-time. The Always Available version is pre-configured for your systems, runs on standby, and can be initiated when under attack. Each tunnel carries filtered traffic to your network. |
| Routed DDoS - Always Available Clean Bandwidth | When enabled, Routed DDoS redirects customer traffic to the F5 Global Network to ensure app availability. This determines peak bandwidth usage for clean traffic. |
| Routed DDoS - Always On | Routed DDoS will detect and mitigate large-scale, volumetric network-targeted attacks in real-time. The Always On version is configured to continuously route and process your traffic on F5 Distributed Cloud Services, allowing only legitimate traffic to reach your apps. Each tunnel carries filtered traffic to your network. |
| Routed DDoS - Always On Clean Bandwidth | When enabled, Routed DDoS redirects customer traffic to the F5 Global Network to ensure app availability. This determines peak bandwidth usage for clean traffic. |
| DDoS Mitigation Tunnel | Additional GRE tunnels help route clean traffic to specific clouds or data centers. |
| DDoS Mitigation Router Monitoring | If additional router monitors are needed for an Always Available subscription, add more routers to ensure F5 SOCs are alerted to respond to threats. |
| Data Intelligence Basic | Data Intelligence provides intelligence on user behavior, network characteristics, and device characteristics that is useful for detecting malicious traffic using Device IDs. |
| Data Intelligence Basic for Bot Defense | Add Data Intelligence Device ID analysis capabilities to Bot Defense. |
| Data Intelligence Advanced for Bot Defense | Add advanced Data Intelligence features like Behavioral, Device Feature, and Device ID analysis capabilities to Bot Defense. |
| Data Intelligence Premium for Bot Defense | Add premium Data Intelligence features and managed services to Bot Defense, including anomaly detection and aggregated features analysis. |
How are Application Security services metered that are not included in the base package?
| Product | Entitlement | Metering Unit |
|---|---|---|
| Bring Your Own Virtual IP | 1 /24 subnet, or 256 IP addresses (254 usable) per month | Per /24 subnet (Customer Owned) |
| Rate Limiting | 10M good requests per month (minimum 10M purchased) | Per 1M good requests |
| Bot Defense Web | 10M good requests per month (minimum 10M purchased) | Per application |
| Bot Defense Mobile | 2 regions, plus 1 test region, and 500k transactions per month | Per application |
| Bot Defense Additional Transactions | 500k additional transactions per day, per month | Per 500k transactions per day, per month |
| Bot Defense Add'l Region | 1 additional region per month | Per region |
| Bot Defense Content Scraping Protection | N/A - on or off | |
| Mobile SDK Integrator | 1 application per month | Per application |
| Mobile App Shield | 1 application with 25k users per month | Per application per 25k users |
| Routed DDoS - Always Available | 2 GRE Tunnels, 1 Router Monitor per month | N/A - on or off |
| Routed DDoS - Always Available Clean Bandwidth | Per Mb of bandwidth - based on peak utilization | |
| Routed DDoS - Always On | 2 GRE Tunnels per month | N/A - on or off |
| Routed DDoS - Always On Clean Bandwidth | N/A - depends on bandwidth requirements | Per Mb of bandwidth - based on peak utilization |
| DDoS Mitigation Tunnel | 1 additional GRE Tunnel per month | Per tunnel |
| DDoS Mitigation Router Monitoring | 1 Router Monitor | Per router |
| Data Intelligence Basic | 500k Transactions per day, per month | Per 500k transactions per day, per month |
| Data Intelligence Basic for Bot Defense | 500k Transactions per day, per month | Per 500k transactions per day, per month |
| Data Intelligence Advanced for Bot Defense | 500k Transactions per day, per month | Per 500k transactions per day, per month |
| Data Intelligence Premium for Bot Defense | 500k Transactions per day, per month | Per 500k transactions per day, per month |
What is a good request for Rate Limiting?
A good request for Rate Limiting is any request that is not blocked. If a request is forwarded on to the application or API origin servers, it is a good request.
What is a transaction for Bot Defense?
A transaction is any request that comes to the Bot Defense service. This includes (1 requests from endpoints configured to be protected using Bot Defense and 2) the requests for Bot Defense JavaScript as configured by the user.
How are Bot Defense transactions metered?
Transaction counts are measured as a daily average over a month and are sold in 500K per day blocks, with tiered pricing available.
What is a transaction for Data Intelligence?
For Data Intelligence Basic, a transaction is defined as an API call made to a Device ID backend to fetch device identifiers. Data Intelligence can be included on all web pages, or just specific pages.
For Data Intelligence for Bot Defense, a transaction is defined as a call made to an endpoint protected by Bot Defense, which can include Login, Forgot Password, Payment, Address Change, and Create Account.
What is included in the API Discovery license?
The following is included:
- Traffic-Based Discovery
- API Crawling
- API Discovery from Code
- API Security Testing
To learn more about each capability, visit Compare F5 Distributed Cloud Services.
What is included in the API Protection license?
The following is included:
- API Protection Rules
- Rate Limiting
- OAS Validation
- JWT Validation
- Malicious User Detection
To learn more about each capability, visit Compare F5 Distributed Cloud Services.
Understanding Application Delivery Services
What Application Delivery services are metered that are not included in the base package?
| Product | Description |
|---|---|
| CE Node - Small CE Node - Medium CE Node - Large | CE nodes extend Distributed Cloud Services into customer environments, enabling local service deployment and hybrid multi cloud networking. Recommended size depends on your performance and scaling needs. |
| Traffic from CE Node to F5 Global Network | Traffic passes from CEs to the F5 Global Network, even if traffic is processed locally at the CE. |
| Application Firewall | A Web Application Firewall (WAF) monitors, filters, and blocks malicious HTTP/HTTPS traffic to protect web applications from threats like Cross-Site Scripting (XSS), SQL injection, and other vulnerabilities. |
| App Stack Combo-Node - Small App Stack Combo Node - Medium App Stack Combo Node - Large App Stack Combo Node - 80vCPU | App Stack nodes extend Distributed Cloud Services into customer environments, enabling local service deployment and hybrid multi cloud networking, as well as application hosting on the CE. Recommended size depends on number of applications to host, and their performance needs. |
| App Stack Tiny Container App Stack Medium Container App Stack Large Container | App Stack Containers can be used to deploy your applications on the F5 Global Network. The size of the container varies depending on application requirements and throughput. |
| App Stack Container-to-Container Traffic | Bandwidth for any traffic passed between App Stack containers. |
| App Stack Container-to-Internet Traffic | Bandwidth for any traffic passed from App Stack containers to the public internet. |
| CDN Transfer to Internet - North America CDN Transfer to Internet - Europe CDN Transfer to Internet - Asia CDN Transfer to Internet - South America | A Content Delivery Network (CDN) is a globally distributed network of servers designed to deliver web content, such as images, videos, and scripts, to users with high speed and low latency by caching and serving data from the nearest geographic location. Depending on which region content needs to be delivered to, this covers volume of traffic required for delivering content to the public internet. |
| CDN HTTP(S) Requests - North America CDN HTTP(S) Requests - Europe CDN HTTP(S) Requests - Asia CDN HTTP(S) Requests - South America | A Content Delivery Network (CDN) is a globally distributed network of servers designed to deliver web content, such as images, videos, and scripts, to users with high speed and low latency by caching and serving data from the nearest geographic location. Depending on which region content needs to be delivered to, this covers the number of requests for content that can come in from the public internet. |
How are Application Delivery services that are not included in the base package metered?
| Product | Entitlement | Metering Unit |
|---|---|---|
| CE Node - Small | 1 small node per month | Per node hour |
| CE Node - Medium | 1 medium node per month | Per node hour |
| CE Node - Large | 1 large node per month | Per node hour |
| Traffic from CE Node to F5 Global Network | 1 TB traffic per month | Per TB of traffic |
| Application Firewall | 1 App Firewall per month | Per node |
| App Stack Combo-Node - Small | 1 small node per month | Per node hour |
| App Stack Combo Node - Medium | 1 medium node per month | Per node hour |
| App Stack Combo Node - Large | 1 large node per month | Per node hour |
| App Stack Combo Node - 80vCPU | 1 80vCPU node per month | Per node hour |
| App Stack Tiny Container | 1 tiny container per month | Per container hour |
| App Stack Medium Container | 1 medium container per month | Per container hour |
| App Stack Large Container | 1 large container per month | Per container hour |
| App Stack Container-to-Container Traffic | 1 TB traffic per month | Per TB |
| App Stack Container-to-Internet Traffic | 1 TB traffic per month | Per TB |
| CDN Transfer to Internet - North America | 1 TB Data Transfer per month | Per TB |
| CDN Transfer to Internet - Europe | 1 TB Data Transfer per month | Per TB |
| CDN Transfer to Internet - Asia | 1 TB Data Transfer per month | Per TB |
| CDN Transfer to Internet - South America | 1 TB Data Transfer per month | Per TB |
| CDN HTTP(S) Requests - North America | 1M requests per month | Per 1M requests |
| CDN HTTP(S) Requests - Europe | 1M requests per month | Per 1M requests |
| CDN HTTP(S) Requests - Asia | 1M requests per month | Per 1M requests |
| CDN HTTP(S) Requests - South America | 1M requests per month | Per 1M requests |
How are nodes, combo-nodes, and containers metered?
Nodes, combo-nodes, and containers are metered by node hour. Node hours are based on the size and the hours the node is running. Size is typically determined by the hardware or virtual machine size. On public cloud providers, size is selected during CE provisioning.
How is CDN metered?
CDN offers regional pricing for four distinct regions: North America, South America, Europe, and Asia, and requires both the Data Transfer SKU and the HTTP(s) Requests SKU for each region CDN will operate in. To estimate your total volume of traffic to cover with the Data Transfer SKUs, multiply the number of requests by the average size of those requests.
What are some examples of how to calculate CDN data transfer and request volume?
Utilizing CDN for Web Applications to enhance performance: In general, take the total data transfer amount and divide by 50kb to determine the number of requests.
A typical website setup would need 16 TB of Data Transfer. Using 50kb as the average request size, 16 TB supports 320 million requests spread across the regions that the website operates within.
Using CDN to support Video traffic which includes Video on Demand (VOD) and Live Video: In general, take the total data transfer amount and then divide by 500kb to provide number of requests.
A typical setup for Video Traffic uses 1PB of Data Transfer. Using 500kb as the average request size, 1 PB of Data Transfer supports 2 billion requests.