Pricing

F5 Distributed Cloud DDoS provides three types of Cloud DDoS mitigation services:

1. On-demand infrastructure protection from 100Mbps up to 500Mbps clean traffic, which provides BGP redirect based Cloud DDoS mitigation for Layer3/Layer 4 infrastructure protection

2. Always-on infrastructure protection from 100Mbps up to 100Gbps clean traffic, which provides BGP redirect based Cloud DDoS mitigation for Layer3/Layer4 infrastructure protection

3. Always-on Web Application Security and Performance provides security for Network Layer and Application Layer (HTTP/HTTPs) Security. Network layer and Application layer protects against volumetric and multi-vector attacks. Web Application security includes a Web Application Firewall (WAF) that protects against Top 10 OWASP vulnerabilities such as SQL injection. Web application security also includes ability for custom layer 7 policies such as Javascript challenge.

In addition, F5 Distributed Cloud Services provide SSL offload (a.k.a TLS termination) on F5 Distributed Cloud's Global Network points of presence in the country, improving the performance of the enterprise’s web application. Hence the name Web Application Security and Performance.

Where

On-demand means limited amounts of mitigations and hours under attack for scrubbing. F5 Distributed Cloud Services provide 18 mitigations for up to 90 attack hours per year. If customer chooses this package, but need more hours for scrubbing, customers are provided with options to purchase additional SKUs for extra hours.

Note: After mitigation is done for the scrubbing, within 12hours, customer should move the traffic off F5 Distributed Cloud Console backbone, otherwise there will be additional on-net charge.

Always-on means unlimited amounts of mitigations and hours under attack for scrubbing.

On-demand infrastructure protection and Always-on infrastructure protection is offered only in the Organization Plan. Web Application protection is offered in Individual, Teams and Organization plans.

The Organization Base Plan already includes all the standard features required to protect your website or Public API. The base plan includes many capabilities described next that will help enterprises to protect their website/APIs.

Web Application Security

• App Security (Basic WAFs) provides the following security capabilities:

  • Network policies enabling users to define prefixes and ports (Layer3 and Layer 4) from which to accept traffic or send traffic to those destinations. Please see this link for more information. See Network Policy for more information.
  • Network firewall to enable blocking/allowing traffic at layer 3/layer 4. See Network Firewall for more information.
  • Egress Filter.
  • Application Firewall: See App Firewall for more information.
  • Application layer Security Policies, for example Javascript challenge

• Secure Networking provides fast ACLs that enable users to define a list of prefixes and ports (Layer 3 and Layer 7) from which to accept traffic. See Fast ACLs for more information.

• Secure Networking provides the ability to define a policer action in addition to allow/deny actions. This policer action provides rate limiting capabilities at the VIP level. That means, it is applicable to all the domains that share the VIP. This is equivalent to the per VIP level rate limiting provided by Cloud Protect. See this link for more information with policer action: See Fast ACLs for more information.

Web Application Performance

• Public Load-Balancer:

  • A public load-balancer that is globally distributed across all F5 Distributed Cloud Global Network points of presence.
  • This public load balancer can load balance across origin servers spread across multiple geographic locations.
  • The public load balancer performs health checks across multiple origin servers across multiple geographic locations
  • Health checks are performed at a highly granularity 1 second.

• Anycast

  • The VIP provided by F5 Distributed Cloud is anycast via all F5 Distributed Cloud global network. This means that enterprise’s end-users reach the closest global network site in country by default without the enterprise having to do any networking magic.

• SSL offload (also known as TLS termination)

  • F5 Distributed Cloud can perform SSL offload for https traffic reducing the load on the enterprise’s infrastructure.
  • Furthermore, the SSL offload is performed on the global network in the country reducing the latency of the communication and improving web application performance.

The following table shows capabilities of each plan:

You don’t need a VIP per FQDN. All 5 FQDNs can be on the same VIP. Alternatively, each FQDN can be on separate VIP. The choice of number of VIPs depends upon your architecture. Some customers might want to have all their public APIs/URLs on one VIP, and important API/URLs , such as payment URL, or SaaS portal, on another VIP.

Rate Limiting per user provides the ability to rate limiting the number of requests originating from a particular user. The user can be defined by client IP address, cookie name, HTTP header name, query parameter key.

Please refer to Rate Limiting guide.

Rate limiting is an advanced security protection concept. There are several advanced use cases where it could potentially be used. Examples include

Example 1: Say your website provides services to premium and free customers. And say, your website gets overloaded frequently. You might be working on increasing your capacity to meet the demand. However, in the interim, you want to ensure the user experience for your premium users is not affected due to increased load from the free users. In this case, one solution you could implement is to do http-header-name or cookie-name based rate limiting. Premium vs. free user’s traffic can be tagged at the client side with a premium-user-http-header or premium-user-cookie-name or free-user-http-header or free-user-cookie-name. And then you can ratelimit the free user’s traffic to your website, ensuring the premium user’s user-experience is not affected by the free users.

There are many other ways to solve this problem without using per user rate limiting. You could have two different VIPs, and two different websites for free vs. premium users.

API security and Anomaly detection is an advanced capability that provides users ability to characterize how their APIs are being consumed, traffic patterns to their APIs, and the latency experienced by the users of the APIs. Moreover, Anomaly detection identifies patterns of API usage, baselines the patterns and identifies anomalies in the patterns.

F5® Distributed Cloud Mesh rate limit per client automatically identifies and mitigates excessive request rates for specific URLs or for an entire domain. Rate Limiting protects against brute force attacks and limits access to forum searches, API calls, or resources that involve database-intensive operations at your origin.

You will then be charged $0.05 per 10,000 requests. For example, if you had a total of 40,000 good/allowed requests matching any rate-limiting rule, you will be charged $0.20 in total for Rate Limiting on your next billing date. The charge will appear as a line item on your invoice and will list the total number of requests billed.

Rate Limiting is billed based on the number of good (not blocked) requests that match your defined rules across all your websites. Each request is only counted once so you will not be double charged if a request matches multiple rules. For example, given a rule that matches acmecorp.com/login/* and blocks clients that send over 30 requests per minute:

• Client A sends 45,000 requests to acmecorp.com/login/premium at a rate of 10 requests per minute. All requests are allowed.

• Client B sends 120,000 requests to acmecorp.com/login/free, usually at a rate of 10 requests per minute, but with bursts over 30 requests per minute. 90,000 of their requests are blocked during the bursts, and 30,000 are allowed when their request rate is lower.

• Client C sends 80,000 requests to acmecorp.com/docs at a rate of 40 requests per minute. While this exceeds the threshold, it doesn't match the rule path, so all 80,000 requests are allowed.

In this example, 75,000 (45,000 + 30,000) requests are billable: clients A and B both sent requests that matched the rule, but some of client B's requests were blocked, and those blocked requests were not billed. In total, the cost is (75,000/10,000) * $0.05 = $0.375.