Configure IP Prefix Sets

Published April 5, 2023 | Last modified April 8, 2025

Objective

This document provides instructions on how to create IP prefix sets, and apply them to service policies to control application traffic originating from or reaching the sets of IP addresses in F5® Distributed Cloud Services. To know more about service policies, see Service Policy.

Using the instructions provided in this guide, you can create IP prefix sets and configure a service policy to add the IP addresses to an allowlist or denylist so that traffic is allowed or blocked, respectively.

Prerequisites

The following prerequisites apply:

Configuration

Configuration Sequence

Configuring IP prefix sets and applying them in service policy requires performing the following sequence of actions:

PhaseDescription
Create IP Prefix SetsCreate IP prefix sets from the security options in the Console.
Create Service Policy RulesCreate policy rules to permit traffic from one IP prefix set and drop traffic from another.
Create a Service PolicyCreate a policy with the configured rules.

Create IP Prefix Sets

IP Prefix Set can be viewed and managed in multiple services: Multi-Cloud Network Connect, Distributed Apps, Shared Configuration, Web App & API Protection, and Load Balancers.

This example shows IP Prefix Set setup in Shared Configuration.

Step 1: Log into F5 Distributed Cloud Console, select IP Prefix Sets.
  • Open F5 Distributed Cloud Console homepage, select Shared Configuration.

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Figure: Homepage

Figure: Homepage

  • Confirm Namespace feature is in correct namespace, drop-down selector located in upper-left corner. Not available in all services.

  • Select Security > Shared Objects in left column menu. Then select IP Prefix Sets.

Note: If options are not showing available, select Show link in Advanced nav options visible in bottom left corner. If needed, select Hide to minimize options from Advanced nav options mode.

Figure: IP Prefix Sets Locations

Figure: IP Prefix Sets Locations

  • Select Add IP Prefix Set button.

Note: You can change to another service and create the IP prefix set.

Step 2: Name Prefix, set labels, and add a description as needed.

  • Enter Name.

  • Enter Labels and Description as needed.

Figure: IP Prefix Set Creation

Figure: IP Prefix Set Creation

Step 3: Select Prefix, and enter the prefix from which you want to allow traffic.

  • Enter Prefix in box.

  • Select + Add Item if needed.

Figure: IP Prefix Set Creation

Figure: IP Prefix Set Creation

Step 4: Complete creating the ASN set.
  • Select Save and Exit button.
Step 5: Repeat Step 1 to Step 4 to create another IP Prefix set from which you want to block the traffic.

Create Service Policy Rules

Service policy rules are used in controlling the traffic based on various conditions. This example shows how to allow or reject traffic coming from specific IP addresses. For more information on service policies and rules, see Create Service Policy Rule.

Step 1: Open F5 Distributed Cloud Console, select Service Policy Rules.
  • Open F5 Distributed Cloud Console homepage, select Shared Configuration box.

Note: Homepage is role based, and your homepage may look different due to your role customization. Visit [Homepage Customization] to adjust your homepage.

Figure: Homepage

Figure: Homepage

  • Select Security in left column menu > select Service Policies > Service Policies.
Figure: Service Policies

Figure: Service Policies

  • Select + Add Service Policy button.

Note: The policy rule creation form gets loaded.

Step 2: Enter Name, select Allow.

  • Enter Name.

  • Enter Labels and Description as needed.

  • Select Policy Rules drop-down menu, select Allowed Sources.

Figure: Service Policies

Figure: Service Policies

  • Select Default Action drop-down menu, select Allow.
Figure: Service Policies Default Action

Figure: Service Policies Default Action

  • Select Save and Exit button.
Step 3: Select IP Prefix Matcher to open the form to apply IP Prefix set. Select Select prefix set, and select the set you created in the Create IP Prefix Sets chapter.
  • In F5 Distributed Cloud Console select Multi-Cloud Network Connect.
Figure: Homepage

Figure: Homepage

  • Select Manage > select Firewall.

  • Select Service Policies > + Add Service Policy button.

Figure: Service Policy

Figure: Service Policy

Step 3.1: Setup Service Policy.

  • Enter Name.

  • Select Configure link in Rules box.

Figure: Service Policy Form

Figure: Service Policy Form

  • Select + Add Item button in new Rules page.
Step 3.2: Setup Rules.

  • Enter Name.

  • Select Allow in Action drop-down menu.

Figure: Service Policy Form

Figure: Service Policy Form

Step 3.3: Setup HTTP Path.

  • Toggle Show Advanced Fields in Request Match box.

  • Select Configure link in HTTP Path section.

Figure: Service Policy Rule IP Prefix Matcher

Figure: Service Policy Rule IP Prefix Matcher

  • In Prefix Values, select + Add Item button.

  • Enter Prefix Values in box.

Note: See HTTP Path for valid format examples.

Figure: HTTP Path Prefix Value

Figure: HTTP Path Prefix Value

Step 3.4: Apply HTTP Path Prefix Value.

  • Select Apply button.

  • Select Apply button.

Figure: HTTP Path Prefix Value

Figure: HTTP Path Prefix Value

Step 4: Select prefix set and Apply to apply the set to the service policy rule.

  • Select Rules by Order number.

    • Select Actions ... Move to another spot to reorder Rules as needed.
  • Select Apply button.
Figure: Service Policy Rule

Figure: Service Policy Rule

Step 5: Select Add service policy rule to complete creating service policy rule.
  • Select Save and Exit button.
Step 6: Repeat Step 1 to Step 5 for creating a rule to block traffic from the second prefix set created in the Create IP Prefix Sets chapter. Ensure that you set the Action as Deny.

Create a Service Policy

Service policies apply rules in the order as per the specified configuration. For more information on service policies, see Configure Service Policy.

Step 1: Open Service Policy.

Select the same namespace where you created your service policy rule. Select Security from the configuration menu and Network Security from the options pane. Select Service Policies and select Add service policy. The policy creation form gets loaded.

  • In F5 Distributed Cloud Console, select Multi-Cloud App Connect.

  • Select Namespace where you created your service policy rule.

Figure: Homepage

Figure: Homepage

  • Select Security > Service Policies > Active Service Policies.

  • + Select Active Service Policies button.

Step 2: Create Service Policy.

Enter a name for the policy, and set First Rule Match for the Rule Combining Algorithm field.

  • Select Service Policies drop-down menu to select service policy.

  • Select + Add Item button in Service Policies drop-down menu to create another service policy.

  • Enter Name

  • Enter Labels and Description as needed.

Step 3: Select Rule

Select rule and add the rules created in the Create Service Policy Rules chapter.

  • Select Policy Rules drop-down menu.

    • Custom Rule List > Configure.

    • Allowed Sources > Configure.

    • Denied Sources > Configure.

    • Allow All Requests

    • Deny All Requests

Note: It is recommended to first add the rule that allows traffic from set of IP prefixes, and then add the rule that drops traffic from the other set.

  • Select Server Selection drop-down menu to select Servers, Any Server is default.

Note: For granular control you can use other fields of service policy creation such as Server Selection. For more information, see Configure Service Policy.

  • Select Continue button to finish the Service Policy Rules form.
Add More or Move Service Policies

  • Select + Add Items button to add more service policies.

  • Select Service Policies drop-down menu to select the service policy you created or another service policy as needed.

  • Select the dot box to the left of the number, and drag to rearrange the service policies Order.

  • Select ... to delete or Move to another spot > enter Row number > select Move Row button to move.

  • Select Save and Exit button to save service policy selection and order.

Step 4: Complete service policy creation.

You can use this policy in a service policy set and apply the IP Prefix sets to control your application traffic. For more information on service policy set configuration, see Configure Service Policy Set.

Concepts

API References

On this page: