Changelogs

Code optimizations are added in user deletion workflow while handling a high number of namespaces.

The Azure Machine Type for Node field is now required in Azure VNET site configuration.

In situations where a Centralized Control and Management service restarts, the "Site Hardware Changed" alert is triggered. This alert is responsible for alerting user in situations where the underlying "Node Flavor" or "Certified hardware" changes. This false positive alert condition is fixed.

Issue: Pod Security Policy is removed, migrate to Pod Security Admission.

Symptoms: NA

Conditions: PSP is removed from k8s version 1.25. If custom PSP is used in managed k8s, it has to be migrated to custom PSA.

Fix: Find out equivalent PSA security standard for the custom PSP and configure custom PSA for managed k8s. See Kubernetes Migration from PSP page for more information.

Issue: Fixed an issue that causes registry change on K8s community.

Symptoms: A third party csi driver image could not get pulled.

Conditions: When a specific storage feature enabled from the Console.

Fix: Correct the container registry which will make this application to not depend on the upstream change.

By using the old Software version, if user creates a Site, the upgrade option is not showing up to the newer version which is happening because of Maurice version object in old code. This fix in the Maurice code with AvailableVersion resolve the issue provides the option in Site.

Customer Edge health status reported 100% healthy even when if a node in the Site transitions to NotReady state. With this fix, customers can keep track of the Site health when a node transitions to NotReady state. This is especially helpful for AppStack Sites.

Resolved issue with Incorrect client IP extraction resulting in failure of Tenant access.

Issue: CE with small disk may get disk pressure.

Symptoms: CE runs with small disk may get disk pressure. It is recommended to use a larger CE to host application data.

Conditions: When any CE running with 40G disk and has been running software upgrade multiple times.

Fix: After every software upgrade, vpm will run a docker system prune to clear up unused docker image. Crio image will get cleared based on K8s garbage collection process.

Issue: Fixed an issue where argo may not come up with specific memory setting.

Symptoms: With a specific argo memory setting, argo and socket memory allocation may result in memory init failure due to K8s limits. This issue is only seen at the software upgrade. This release has fixed this issue.

Conditions: When customer starts Software upgrade, argo pod may stay in crashloopbackoff or not became Running state.

Fix: This release has added logic to allocate memory to avoid above issue.

Issue: CE admin CLI was not able to show vpm logs for RHEL9 OS.

Symptoms: The log vpm command will not show any output.

Conditions: When the user logs in to CE admin CLI in RHEL9.

Fix: Improved the log collector code to make it able to read format on RHEL9.

Issue: When the customer node is broken, customer may need to delete or decommission the node. When any node is broken or suspect an issue, delete the node.

Symptoms: Node is broken and stuck.

Conditions: NA

Fix: This release allows the customer to run kubectl delete node command with kubeconfig

Previously, creating load balancers was not allowed if any of the domains is greater than 64 characters. This limitation is removed, and users can create load balancers as long as one of the domain is less than 64 characters in length.

Issue: Site Upgrade State Stuck in UPGRADING if Worker Node Added During Upgrade

Symptoms: NA

Conditions: During upgrade, if user introduces new worker node to a Site cluster, the Site upgrade status gets stuck in UPGRADING, and the new worker node cannot join the cluster when upgrade is happening.

Fix: This fix resolves the issue where site is stuck in UPGRADING state, and new worker node can subsequently join the cluster once upgrade is completed.

Issue: Tunnel flaps are happening because of BFD flaps.

Symptoms: BFD container is getting killed due to OOM. When this happens, the `veth`` interface for communication between BFD and Argo is deleted. New interface gets created upon BFD restart, but it is not updated to Argo.

Conditions: NA

Fix: Fix delivered by ensuring that the interface is not deleted if BFD is killed.

Issue: Updating header transformation settings for both upstream and downstream configurations.

Symptoms: NA

Conditions: NA

Fix: Header Transformation settings are applicable only for HTTP 1.1, and this information has been added as a tooltip in the UI. For upstream connections (i.e., request headers), users can configure this option in the origin pool. However, for downstream connections (i.e., response headers), this option is hidden for both HTTPS Automatic Certificate and HTTPS Custom Certificate configurations, requiring users to contact F5 Distributed CLoud Services SRE team for assistance.

Issue: Some VPM CLI tools used for edit configuration does not work properly with RHEL9 OS.

Symptoms: NA

Conditions: Some VPM CLI tools used for edit configuration does not work properly with RHEL9 OS.

Fix: This release fixed the VPM tool file edit issue.

Issue: New worker node became NotReady after adding it to cluster.

Symptoms: NA

Conditions: After adding new worker node to cluster Site, there is a rare chance that the node will stay in a NotReady status due to the order of process.

Fix: This release has fixed the issue by ensuring the process order.

Issue: When there are any issue with NFS client, debug-info collector will wait and not continue to finish.

Symptoms: NA

Conditions: NA

Fix: This release fixe the issue.

While configuring the external service nodes, the UI will only show the list of AZs where the AWS TGW Site is deployed.

The new soft restart implementation provides ability to restart all software components instead of just limited subset of core components.

F5 Distributed Cloud Observability service has improved the design of the API for Synthetic Monitoring by replacing the nested field valid_response_codes with the un-nested field response_codes.

If SNI in the TLS packets of incoming requests is not in the lower case, TLS handshake fails and consequently request also fails. With this enhancement, the load balancer performs case-insensitive comparison of SNI of the incoming request with the configured SNI. As a result, incoming TLS handshakes will not fail if the SNI in the incoming requests differs only in the case.

Issue while handling mastership change resulting in configuration update being blocked is resolved.

Rate limiting rules now support new fields such as IP address, Country, and ASN for defining the request match criteria.

Log Collection in offline survivability stores 5 minutes or 8 MB of logs, after that time, some logs are going to be dropped. When logs get filled there can be occasionally crashes of fluentbit component.

This feature adds support for Client Country, Client Region, and Client City as user identifiers.

This release allows one organization to “Delegate Access” to their tenant to users from another tenant and easily allow users from the second tenant to manage configuration in side the first organization's tenant.

This release enhances Open API specification to include more learnt information for discovered Application API. The API Discovery feature allows downloading of generated OpenAPI Specification based on analyzed traffic per application. The OpenAPI Specification is extended to include application domains; request content-types and headers; detected response codes. The specification can be downloaded from Application Security Dashboard > API Endpoints tab.

The Personal Identifiable Information (PII) detection capability is enhanced to detect Credit Card Number, US Social Security Number, Email, and Password for API requests and responses. The PII is detected for JSON and x-www-form-urlencoded formats, and can be monitored by navigating to API Endpoints > API Endpoint Details,

With Site Offline Survivability enabled, a site continues to function with existing configuration even when it has lost its connectivity to Regional Edge (RE) Site. A Local Control Plane is implemented in a site when this is enabled, so local traffic load balancing for this site continues to work. Also, if two or more sites (having this feature enabled) are part of DC Cluster group, load balancing across local and remote endpoints in CE Sites continues to work as well, even when connectivity with the RE is lost.

With offline survivability, a site can continue to function as is with existing configuration for upto 7 days, even when the site is offline. The certificates needed to keep the services running on this site are signed using a local CA. Secrets would also be cached locally to handle the connectivity loss. When this feature is enabled/disabled on an existing site, the pods/services on this site will be restarted. If a site is running in offline state, it would not be able to communicate with REs (even if there is connectivity). Site would resume communication with REs/GC as soon as connectivity to GC is restored. A Local Control Plane is implemented in a CE site with this feature. So when a site loses its connectivity to RE, the local site load-balancing continues to work. If two or more such sites are in a DC Cluster Group (SLO/SLI), when a site loses its connectivity to RE, the load-balancing across local and remote endpoints continue to work.

A new alert for TLS Automatic certificate renewal failure is introduced. The alert can be configured in alert policy rules.

This feature allows advertising application virtual IP (VIP) or application endpoints over a private virtual network (known as private ADN network). When a customer on-premises location or Data Center is connected to F5 Distributed Cloud Global Backbone using Regional Edge (RE) site, the customer's on-premises network is mapped as a private virtual network on the RE site. The users or applications on this on-premises network needs access to applications residing on other cloud or edge sites. With this feature, the application's VIP or endpoint can be advertised into the private virtual network, thereby providing access across clouds.

This release introduces the CSRF protection, enabling protection for your applications against CSRF attacks. This feature can be configured within the Web Application Firewall section in the HTTP Load balancer.

WAF exclusion rules now provide the ability to skip WAF processing on a path. This provides the flexibility for users to skip (disable) WAF on one or more paths.

Customers can now use F5 DNS Load Balancer (known as GSLB) as part of the F5 Distributed Cloud Services, allowing to improve the performance and availability of global applications by sending users to the closest or fastest endpoint. The DNSLB leverages F5 Distributed Cloud Anti-DDoS and Anycast architecture to distribute DNS delivery globally.

All Kubernetes distributions use an API object called Ingress to manage external access to the services in a cluster. This object describes the way to terminate the Layer 7 request from the client (HTTP/HTTPs), and apply host and path-based routing policies. An ingress controller is responsible for fulfilling and enforcing what the ingress describes, usually with a load balancer.

Security and Performance Dashboards are introduced with a new set of features dedicated to the following:

• Identifying, analyzing, and blocking attack activity against web applications and APIs
• Identifying and analyzing the performance and health of applications

The F5 Distributed Cloud Console has improved presentation when blindfolding secrets.

The F5 Distributed Cloud Console has introduced improved presentation across various forms. The "View Configuration" and "Clone" operations are now available for shared resources in application namespaces.

This release introduces support for Kubernetes main version 1.22.x. The F5 Distributed Cloud Services automatically upgrade all sites to this version via software upgrade.

This release adds the ability to purge orphaned containers through the Site Command Line Interface (CLI).

Duplicate origins were allowed in CDN Distributions across different tenants. This would lead to the CDN Distribution remaining in Pending status and not transitioning to an active CDN Distribution. Validation is added to prevent duplicated origins.

Introduces F5 Distributed Cloud Bot Defense AWS CloudFront Connector. Users will be able to configure the protection through a new AWS CloudFront Connector type. In addition users will be able to manage and download the configuration through the Distributed Cloud console. Users will access AWS Console to deploy the F5 Lambda@Edge Connector module for CloudFront via the Serverless Application Repository(SAR). Once it is completed, users will be able to view traffic statistics and security report in the Console dashboard. For more information, see Bot Defense.

Cache TTL has changed to "Cache Options". A new Cache Setting to "Disable Cache" has been added. This option will disable caching by the CDN service. When caching is disabled, the x-cache-status header will show BYPASS.

This feature supports the user in specifying a list of HTTP response status codes to be considered healthy. To use this feature, user can configure the list of expected status codes in HTTP Health Check Parameters. If this field is configured, the configured status codes are used to determine health status rather than the default status code.

This release adds the ability to send logs to Kafka receivers and AWS Cloud Watch receivers, allowing to cover a broader set of targets. It is now also supported to send Audit Logs. Users can select between Request Logs, Audit Logs, and Security Events.

API security events can be triggered by detecting a WAF signature of type "information leakage" in the transaction's response. Detecting this kind of signature will trigger the API Security event with "sec_event_name":"App Security Misconfiguration". All detected signatures will be visible in the event's details in the event page. If users decide this is not an API security event (false positive), or for any other reason, users can set an exclusion rule for this detected signature and avoid future events on this signature.

Note: This exclusion mechanism is already supported for WAF events and now the support is extended to API security events.

The support team by default has read and write access to all namespaces on all customer tenants. Customer can now change the level of access of the support team to read-only access to all namespaces or read-and-write access to all namespaces or read-and-write access to selected namespaces.

This release introduces the App Infrastructure Service for cloud workload protection, which delivers deep telemetry and high-efficacy intrusion detection for cloud-native workloads.

The API Discovery mechanism is extended to learn responses payload schema. The discovered schema and response examples are presented per path and method in API Endpoints dashboard and in downloaded swagger. Currently, 2XX/3XX JSON and form-urlencoded responses are analyzed.

When user initiates delete of external service object, the actual object deletion takes few minutes as it waits for cloud resources to be deleted.

F5 Distributed Cloud Bot Defense users now will receive monthly scheduled threat briefing report through email. Users can enable and disable this email report through Manage Application page. By default, this feature is enabled for all subscribed bot defense customers.

With Customer Edge (CE) Site Offline Survivability enabled, a site continues to function with existing configuration even when it has lost its connectivity to Regional Edge (RE) Site. A Local Control Plane is implemented in a site when this is enabled, so local traffic load balancing for this site continues to work. Also, if two or more sites (having this feature enabled) are part of Site Mesh Group (Full Mesh), load balancing across local and remote endpoints in CE Sites continues to work as well, even when connectivity with the RE is lost.

With offline survivability, a site can continue to function as is with existing configuration for upto 7 days, even when the site is offline. The certificates needed to keep the services running on this site are signed using a local Certificate Authority (CA). Secrets would also be cached locally to handle the connectivity loss. When this feature is enabled/disabled on an existing site, the pods/services on this site will be restarted. If a site is running in offline state, it would not be able to communicate with REs (even if there is connectivity). The Site resumes communication with REs and Global Controller (GC) as soon as connectivity to GC is restored.

Azure Vnet Site in a Hub VNET mode now supports multiple connection to express route circuit.

CDN Dashboard shows a country map widget that displays the country that visitors are coming from. CDN Dashboard shows the Top 5 countries that are visitors are coming from.

The custom selection in date and time picker for following HTTP Load Balancer Monitoring pages provides the ability to select maximum 24 hrs in the last 30 days.

• Overview dashboard
• Security dashboard
• Performance dashboard
• Malicious Users
• DDOS
• Security events
• Alerts
• Bot Defense
• Metrics
• Errors
• Origin Servers
• Traffic

The brush component is replaced with Pan and Zoom component in the charts, for all monitoring pages, to simplify ease of use while viewing and investigating of logs.

Maximum query duration for audit log APIs is extended from 24 hours to 30 days. In the F5 Distributed Cloud Console, the custom selection in date and time picker for Audit Logs page provides the ability to select any duration in the last 30 days.

F5 Distributed Cloud Bot Defense users now can select up to 30 days data range on Dashboard page and Traffic Overview page.

This release adds execcli subcommand, which provides options to provide advanced debug operations like dropstats, nh, systemctl-restart-kubelet, systemctl-restart-docker, systemctl-restart-vpm, vif, rt, flow, journalctl, curl-host, edit-etc-hosts, etc.

When using WAF as a CDN Distribution's origin, the WAF protected origin would occasionally respond with a set-cookie header and cause a cache miss on corresponding requests.

This release adds the ability to send Security Events and option to select between Request Logs and Security Events for streaming. This allows customers to send Security Events to the monitoring systems (such as SIEM systems) so that those events can be processed by those systems.

Note: The supported targets are the same as for Request Logs (AWS S3, Datadog, Splunk, Azure Blob Storage, Azure Event Hubs, and Generic HTTPS Endpoint). Security Events are sent in the same format (JSON) as Request Logs.

The Skip IP Reputation functionality is removed from Service policy custom rule in Action section. To bypass IP Reputation feature for one or more IP addresses, the Trusted Client Rules feature should be used. The Trusted Client functionality is available in the Common Security Controls section of HTTP Load Balancer.

The redirect route configuration is enhanced to replace query parameters of incoming requests with user specified values.

Note: Before this release, the redirect route configuration only supported removing or retaining the query parameters of incoming request.

When endpoints discovered via vk8s service discovery are getting deleted, they are marked with lower priority in data-path for short duration. Newly discovered endpoints are programmed with higher priority. The old endpoints programmed with lower priority will be removed after short duration. This will ensure that traffic will always go to new discovered endpoints when they are available and minimize traffic drops.

The security configuration section has been enhanced to highlight the different features of WAAP to simplify onboarding and enablement of security features for users. The WAF, Bot Protection, API Protection, Dos Protection, Client Side Defense, and Common Security Controls sections now simplify and highlight the various WAAP features.

Note: The enhancement is supported with API backward compatibility.

DataVolumes are a way to automate importing virtual machine disks onto PVCs during the virtual machine's launch flow. Without using a DataVolume, users have to prepare a PVC with a disk image before assigning it to a VM or VMI manifest. With a DataVolume, both the PVC creation and import is automated on behalf of the user. A DataVolume is a custom resource provided by the Containerized Data Importer (CDI) project. KubeVirt integrates with CDI in order to provide users a workflow for dynamically creating PVCs and importing data into those PVCs.

Note: In order to take advantage of the DataVolume volume source on a VM or VMI, CDI must be installed.

Service policy blocking page shows the request ID. This provides the ability to search for the blocked request in the security events page and view the details and reason for blocking.

Note: The Support ID value displayed in the blocking page is the request ID.

A simple route matches on a path and/or HTTP method and forwards the matching requests to one or more origin pools. Users now have the ability to configure an App Firewall policy per simple route.

Trusted Client IP Headers feature provides the ability to identify the real client IP address, that initiated the connection to the platform, as the source IP, from the configured http headers, when there are one or more proxies between the real client and the distributed cloud platform.

Security events and request logs will show this extracted IP address from the HTTP headers as the source IP, when this feature is enabled.

During service discovery, port of the service was required to be specified. This release introduces automatic port option where specifying port is not mandatory. When this automatic port option is specified for K8S service discovery, the service will be discovered in port 80 or 443 depending on whether TLS is configured in Origin Pool. For Consul discovery, all the services matching the name will be discovered. When there are multiple ports for Consul service, all of them will be discovered with one endpoint for each unique port.

Users may misconfigure their application, which may result in application information leakage to an attacker. A new detection capability for information leakage has been added to identity this scenario. In case of information leakage detection, an API security event is triggered in the Security events page with Event Name as App Security Misconfiguration. This security event will be triggered when WAF is enabled on the HTTP Load Balancer. See App Firewall for more information on App Firewall.

F5 Distributed Cloud Mesh Connector now supports automatic JavaScript injection for Client-Side Defense to enable new add-on protection for WAAP users. Client-Side Defense users will have an enhanced self-serving onboarding alternative to leverage native JavaScript injection. Users can configure Client-Side Defense JavaScript injection through an HTTP Load Balancer and define the protected domains still through the Client-Side Defense Service card. Users will be able to view statistics and detection report in the Client-Side Defense Service dashboard. For more information, see Client-Side Defense.

This release introduces TLS support for TCP Load Balancer. To use this feature, user can pick TLS type or TLS with autocert option in newly added loadbalancer_type property.

Attackers can exploit API endpoints that are vulnerable to Broken Object Level Authorization (BOLA) by manipulating the ID of an object that is sent within the request. This may lead to unauthorized access to sensitive data. In many cases attacker sends requests to multiple non-existent URLs trying to discover unprotected resources. Malicious Users feature detection mechanism is enhanced to identify and flag such scenarios.

SCIM is a standard protocol for automating the exchange of user identity information between identity domains and IT systems. This feature simplifies organisations in managing their employees On-boarding / Off-boarding from F5 Distributed Cloud Console and also managing the roles.

The SCIM feature simplifies user acccess management for organisations. This release adds the SCIM support for Azure AD.

A new feature that provides the ability to normalize the headers of the upstream requests, has been added. To use this feature, the user can enable header transformation options present under advanced options of Origin Pool configuration.

This release introduces the Synthetic Monitoring feature for Observability. For more information, see Synthetic Monitoring guide.

The enhancements include refresh and auto-refresh capabilities, ability to filter items in the Table tab, and a new tooltip for Security Events column.

Note: The new tooltip in the security events column provides details for the values in that column.

The following capabilities are added to Security Dashboard:

• Ability to filter dashboard metrics per domain
• Global filter for the dashboard widgets
• Security Events by Type widget
• Top Attack Sources widget
• Top Attacked Domain/Path widget
• Top Attacked API Endpoints widget
• Top Attacks by Violations widget
• Top Attacks by Threat Campaigns widget
• Domains filter to view stats per domain
• Global filter for metrics in the dashboard

The Recent Security Events widget is removed.

Forensics provides an intuitive approach to investigate attacks and take relevant actions. More than 25 metrics are supported that provide the ability to slice and dice the security events, along with the ability to view the top values for each metrics along with the percentages.

Cloud Site terraform parameters should be applied after the cloud site software upgrade. A message box will pop up after the Cloud Site software upgrade is started, which will ask users to run apply after the site is updated successfully.

In case of AWS Sites with direct connect enabled, if user selects show direct connect status option, a new field is displayed showing routes imported by the Distributed Cloud dataplane from VGW.

While configuring "Blocked Services" in cloud sites, the option to chose "Web UI" was present. This option is incorrect as the cloud sites do not have "Web UI". This option is now removed. You can now choose only SSH or DNS.

F5 Distributed Cloud Bot Defense new dashboard is enhanced with known good bot classification.

Custom ASN option enabled while configuring direct connect on AWS Sites.

BGP can be configured to run in passive mode where it will never initiate a session to the peer. Instead, it will wait for connection to be initiated by peer. By default, BGP is configured in active mode until passive mode is set.

Number of static routes that can be attached per virtual network is increased to 100.

This release adds the ability to send logs to Splunk and Datadog receivers, as well as a generic HTTP(s) endpoint, allowing to cover a broader set of targets. It is now also possible to send logs to Azure Blob Storage and Azure Event Hubs. Customers can now select for which application namespaces they want the logs to be sent, and the Shared namespace is also supported.

Site labels can be added by user in the Site which in turn can be used to define destination and source in network policy. The keys of these labels should be the known_label key.

OpenAPI 3 is introduced to define discovered API endpoints instead of OpenAPI 2 (Swagger). The OpenAPI spec can be retrieved per discovered API endpoint or downloaded for all discovered API endpoints of a specific HTTP Load Balancer.

Introduces F5 Distributed Cloud Bot Defense Mesh Connector web-scraping protection for WAAP. Users will be able to configure the protection natively on an HTTP Load Balancer through Bot Defense protected endpoint with either GET(XHR) or GET(Document) HTTP methods(not both). Users will be able to view traffic statistics and security report in the dashboard. For more information, see Bot Defense.

When multiple HTTP and/or TCP Load balancers are adverstised on a single VIP address, the load balancer allowed requests only when their Server Name Indication(SNI) matches. This feature introduces concept of default load balancer per Advertise policy. If SNI is missing in the TLS client Hello, default HTTPS LB is selected and certificate of this HTTPS LB is used for TLS session.

Appstack/Pk8s site Kubevirt VMs now support multiple interfaces each from different subnets.

Azure Vnet Site can now support VNET to VNET peering in a hub and spoke VNET model. Any Azure VNET Site can now be made as Hub VNET and users can give list of azure spoke VNETs which need to be peered. These spoke VNET CIDR routes will be discovered by the Site, and it will route from hub VNET. All spoke VNET to VNET communication will happen via Azure Vnet Site.

OpenAPI Specification files can be uploaded during HTTP Load Balancer Configuration flow. During HTTP Load Balancer configuration a user can define API Definition of the application by uploading OpenAPI Specification files. This API Definition sets the Inventory of paths and methods for the given HTTP Load Balancer. The Inventory and Discovered API can be monitored in API Endpoints Security dashboard. In addition, the Inventory can be used in suggestions to build API Protection and Rate Limit rules. The flow is improved by allowing to upload OpenAPI files directly during HTTP Load Balancer or API Definition configuration.

This release introduces F5 Distributed Cloud CDN. A CDN is a geographically distributed set of highly efficient servers that cache and deliver static and dynamic content. Users can take advantage of Distributed Cloud CDN to improve application performance and end user experience when delivering apps on Distributed Cloud. Distributed Cloud CDN is available to all users. For more information, see Configure CDN.

Support of time range selection up to 30 days for F5 Distributed Cloud Bot Defense is enabled.

Following connectivity graph API's now support 30 days of observability data:

1. api/data/namespaces/<namespace name>/graph/connectivity/edge

2. api/data/namespaces/<namespace name>/graph/connectivity/node

3. api/data/namespaces/<namespace name>/graph/connectivity.

Following connectivity graph UI pages now support 30 days of observability data:

cloud-and-edge-sites/sites/site_connectivity/connectivity/system_metrics.

Note: It will take 30 days after the upgrade to populate the backend storage with the historical data required to support this functionality. If you make a query for a time range greater than 24 hours before 30 days data is fully populated, you will see that the data is unavailable for the time range before the upgrade. If you narrow down the range using brush over the time range where data is unavailable, you may suddenly see data. This inconsistency will be resolved once backend storage has complete data for 30 days.

This release will show Timestamp along with Refresh for Dashboard and other Data Visualisation page.

The Kubevirt version v0.54.0 is released. The F5 Distributed Cloud Services automatically upgrades all sites to this version via the software upgrade.

This release introduces F5 Distributed Cloud Bot Defense self-serving mobile SDK and base configuration download capability for all Connectors as applicable (Mesh, iApp, and Custom Connectors). Users can download the stable and Long Term Support(LTS) versions of compatible Mobile SDK from the Standalone Bot Defense Service. In addition, users can manage base configuration and access mobile integration guide from the F5 Distributed Cloud Console. For more information, see Bot Defense.

This release adds support for DNSSEC in Primary DNS Zone.

IP reputation database is frequently updated and reputation of any specific IP may change between updates. With this enhancement, you can set trusted client to skip IP reputation check if this IP is misclassified and blocked by IP reputation policy.

The enhancement to skip Malicious User Detection for Specific User IDs is introduced. With this, you can create Trusted Client to skip Malicious User detection check and mitigation if this user ID is mistakenly detected and blocked as Malicious User.

Trusted Clients can be defined to skip different protection layers, including API Protection. For example, you can define API Protection allowing access to only specific APIs. With this enhancement, you can configure to bypass these rules for specific trusted clients.

Managed K8s configured with Allow K8s API Access to ClusterRoles, ClusterRoleBindings, MutatingWebhookConfiguration, and ValidatingWebhookConfiguration is enhanced to allow you to perform Create, Replace, Update, and Delete (CRUD) operations on POD Priority Classes denoted with the priorityclasses construct. Users can manage their own classes. However, users cannot delete or modify existing list of priority classes deployed by the F5 Distributed Cloud Services.

The following is the existing list of priority classes:

          NAME                      VALUE        GLOBAL-DEFAULT    AGE

ares-priority             900000       false            468d
ares1-priority            900000       false            495d
argo-priority             1000000      false            251d
bdbewaf-priority          1000000      false            83d
envoy-priority            1000000      false            251d
etcd-priority             1100000      false            495d
fluentbit-priority        600000       false            495d
frr-priority              1000000      false            251d
ganges-priority           900000       false            13d
gubernator-priority       900000       false            495d
ike-priority              1000000      false            251d
keepalived-priority       1000000      false            251d
obelix-priority           1000000      false            495d
openvpn-priority          1000000      false            251d
opera-priority            1000000      false            495d
phobos1-priority          900000       false            456d
piku-priority             900000       false            495d
pmtud-priority            1000000      false            251d
prometheus-priority       700000       false            495d
sredns-priority           1000000      false            468d
system-cluster-critical   2000000000   false            495d
system-node-critical      2000001000   false            495d
test-priority             1100000      false            16s
ver-priority              1000000      false            495d
voucher-priority          1100000      false            495d
webroot-priority          1000000      false            210d

        

This release introduced support for user's application to access kube-state-metric which allows user to scrape the metrics via Kubernetes service kube-state-metrics.kube-system.svc:65031. It is accessible from any namespace/pod in the Site. This feature is enabled by adding ClusterWideApplication called Prometheus.

Note: It also opens the ports to be accessible from the outside of the Site. Therefore, block the ports if your Site is exposed to the Internet.

The F5 Distributed Cloud Console User Interface is enhanced with configuration forms with improved presentation and functionalities. This contains layout resizing with change in screen resolution (anything above 1280 px resolution is supported). It contains visual changes for grouping of form components, reference viewing, editing, and mixing of modes within same form. The enhancement also updated left side navigation to provide more information about all steps in reaching a nested level.

Not all objects are enhanced with the improved forms. Only the following objects are enhanced in this release:

          
DNS Zones
DNS Delegated Domain
Fast ACLs
Workload flavor
App Setting
App Type
K8s Clusters
USB Policy
API Definition
Certificate Revocation List
Rate Limiter
Log Receivers
Global Log Receiver
Alert Receivers
User Identifications
K8s Cluster Role Bindings
Applications
Malicious User Mitigation
Bot Defence - Applications
Mobile Base Configs
K8s Cluster Roles
K8s Pod Security Policies

        

Note: Configuration for enhanced objects does not load the improved form if it is created or updated from a parent object that is not enhanced with the new UI.

Support for multi-node Site deployment in a single Availability Zone (AZ) is introduced.

Using Direct Connect Support, users can connect the on-premises data centers to VPC in which F5 Distributed Cloud Sites are hosted. The platform automatically discovers the on-premises datacenter routes advertised by the on-premises router connected to AWS router via direct connect. These routes will be learnt on the inside network of the F5 Distributed Cloud Site. Two modes of direct connect private vif interface are supported.

Note: User must manage the direct connect connection.

This release introduces F5 Distributed Cloud Bot Defense mobile application protection for Mesh Connector through an HTTP Load Balancer, iApp Connector(v3.0.3), and Native Connector for BIG-IP. Users can configure mobile protection natively on an HTTP Load Balancer though Bot Defense configuration and view the mobile traffic in the security dashboard. For BIG-IP users, mobile protection is configured through the iApp or Native Connectors and users can view the mobile traffic in the standalone Bot Defense service dashboard. For more information, see Bot Defense.

HTTP Load Balancer API Endpoints dashboard is enhanced to present Inventory, Discovered, and Shadow API for better tracking of approved versus detected API. The Inventory API consists of operations defined in OpenAPI files, imported by a user for a given HTTP Load Balancer. Discovered set includes API with traffic detected during last few days. The Shadow API presents discovered which is not in inventory. User can configure API Protection or Rate Limiting rules for Shadow or other API Endpoints.

This release introduces support for configuring user groups and associated user group roles. For more information, see User Groups and User Group Roles.

This release introduces the capability to stream logs from a tenant to an AWS S3 bucket. Customers can have all the logs (sites, HTTP load balancers, etc.) sent to an AWS S3 bucket, allowing for an easy integration with SIEM solutions.

Note: Streaming of logs is only available for Organization plans.

The retention period for the logs is changed to 7 days. This change only applies to logs. The other events displayed in the dashboard (events, incidents, etc.) can be viewed up to 30 days back, with a 24 hours interval.

This release introduces support for Site Mesh Group connection type. Connection type can be privateIp or publicIp.

When service discovery is configured on a given site, it discovers services from all the K8S/Consul clusters on the site by default. With the introduction of cluster-identifier configuration, users can assign an identifier for each K8S/Consul cluster. This allows users to control service discovery from one or more clusters thereby allowing service to be discovered from only subset of clusters on a given site.

This release introduces support for DC cluster group on inside network. Sites can form a DC cluster group on the site local inside network.

Virtual hosts can have references to one or more service-policy-set objects. If any of these objects have invalid or incomplete configuration, the corresponding virtual host object will not get installed.

API protection rules are introduced for HTTP load balancers. These rules can be defined in two categories. The first category includes fine-grained rules, per API path and methods. The second category includes rules per API groups or server URLs. If request matches any rule in the first category, second category rules are not evaluated. Rules can also include additional conditions. For example, specific clients can access certain API endpoint or API group.

This release introduces Bot Defense multiple data region support for F5 Distributed Cloud Mesh Connector through an HTTP Load Balancer. You will be able to configure Bot Defense to select the EU region for data residency. For more information, see Bot Defense.

This release introduces primary and secondary DNS zone support using F5 Distributed Cloud Services. You can now manage your DNS zones and leverage F5 Distributed Cloud Anti-DDoS and Anycast architecture to distribute DNS delivery globally.

Services such as SSH, DNS, and Web UI are allowed implicitly. User's ACL can not disable them. However, if user wants to disable any or all of them, configuration is introduced to support disabling services. These services can be disabled or enabled using the Blocked Services configuration in the Fleet.

This release introduces Console Assistant (CoA) for UI. The CoA provides assistance to users in executing various features and services provided via the Console. The assistance is offered in the form of step-by-step guides for various scenarios, inline access to various resources, etc. See Console Assistant for more information.

The Assisted Deployment option is removed from the user interface for all cloud site types AWS VPC Site, Azure VNET Site, GCP VPC Site, and AWS TGW Site. In case of trying to create a site with Assisted Deployment mode via API, an error is returned.

Note: Existing sites can continue using the site in assisted mode.

Support for longer idle timeout (up to 60 minutes) in HTTP load balancer for specific application is introduced for specific application use cases. The number of such load balancers is limited based on the http_loadbalancer.large_idle_timeout value.

Public certificates are switched from current provider to a new provider. The existing vK8s & managed K8s kubeconfig will stop working. Users with existing kubeconfig are required to download a new copy for the credentials.

This release introduces the F5 Distributed Cloud(XC) Standalone Bot Defense service with iApp Connector(v3.0.2) for BIG-IP. For more information, see Bot Defense.

Support for configuring site mesh group for public cloud sites is introduced. Supported site types are AWS VPC Site, Azure VNET Site, and GCP VPC Site.

This release introduces HTTP header as Allow list(Trusted Client Rules) to skip Bot Defense, WAF, or Both. For more information, see Bot Defense.

Support for multiple tunnels between the F5 distributed cloud Sites is introduced. Up to three tunnels will be setup between the Sites, if the Sites have more than one master node. A single-node Site will be set up with a single tunnel.

Support for configuration of Site Mesh Group for K8s Site is introduced. Multiple tunnels (up to three) will be setup between the Sites, if the Sites have more than one master node. A single-node Site will be set up with a single tunnel.

Support for configuration of Site Mesh Group for K8s Site on OpenShift platform is introduced. Multiple tunnels (up to three) will be setup between the Sites, if the Sites have more than one master node. A single-node Site will be set up with a single tunnel.

In addition to blocking users based on the IP Addresses, more granularity is enabled by introducing the following identifiers in the user identification rule:

• TLS fingerprint
• Client IP + TLS fingerprint
• Client IP + HTTP header value

Support for doing factory reset for ISV boards with revision R0D and above is introduced.

This feature introduces multi ETCD and multi VER pods on multi-node K8s cluster and adds support for various debug tools in the Tools section in site dashboard and metrics for the Kubernetes Site.

It is now supported to run VMs on managed K8s Sites (physical K8s/App Stack Sites). Use the virtctl binary to interact with the VM to perform functions such as start, stop, pause, etc.

F5 load balancer will not match the SNI if single HTTPS load balancer is advertised on a given VIP:Port. It always offers certificate programmed on the HTTPS load balancer ignoring the SNI. If additional HTTPS load balancers are advertised on this VIP:Port, then SNI match becomes mandatory and requests without server name extension are rejected.

This release introduces support to set a response code to be returned when an incoming request is blocked due to WAF security violation.

This feature introduces support for connecting Cloud Sites using DC cluster group.

Note: This requires Layer 3 connectivity between the Cloud Sites.

This feature adds support to enable IP reputation per HTTP load balancer.

F5 Distributed Cloud Services will switch public certificates from current provider to a new provider in the release of May 10, 2022. The existing vK8s & managed K8s kubeconfig will stop working after the release of May 10, 2022. Users with existing kubeconfig are required to download a new copy which will include both old and new CAs. This will ensure that the kubeconfig continues to work when switching to new provider.

This feature introduces support to enable mutating webhook configuration for the F5 Distributed Cloud Sites.

The API rate limit rules are introduced in two categories. The first category includes the rules defined in API server and base URL level. In the second category, more granular rules such as per API path and methods can be configured. Each rule is composed of match conditions (domain, base path, API endpoint, and methods), allowed rate (requests per given duration), and user identifier. Requests matching the configured conditions are counted per defined user identifier.

Note: Only first match is counted per each category.

Configuring header matcher to allow/deny traffic to an origin pool based on the incoming traffic header is introduced for HTTP load balancer. Multiple rules can be configured in this header matcher.

The following functionalities are introduced in case of deletion of secret policies:

• Secret policy soft-delete and recover facility added
• A custom list API is introduced for listing secret policies based on their state such as active or deleted
• UI is introduced with soft-delete in place of default crud delete
• UI is enabled with facility to recover the soft-deleted policy

This feature adds support to match on header in simple route, redirect route, and direct response route in case of HTTP load balancer.

Connection Coalescing also known as Connection Reuse is a mechanism to reuse same HTTP/2 connection for new requests. To support coalescing requests across load balancers, multiple load balancers configuration is merged to a single one when the load balancers have same certificate configured. If mTLS is configured, then this merging of load balancer configuration is not done. This means 421 (misdirected request) is returned by the load balancer. The browsers are expected to initiate new connection on receipt of 421. The other exceptions for not merging load balancer configurations are when they have different configurations for the following features.

• Path Normalization
• Server Header

This release introduces External Service Object which can be used to deploy F5 Big IP VE EC2 instance in the services VPC of an already deployed AWS TGW Site. The External Service object deploys F5 BIG-IP VE and sets up bootstrap configuration needed for the service instance to become functional. The AWS TGW Site acts as external network load balancer and distributes the traffic to F5 BIG-IP nodes. Traffic may be East-West (originating from apps running on spoke) or North-South (originating from Internet).

Note: This feature requires users to manage virtual server and security policy configuration on F5 BIG-IP.

This feature allows accessing Prometheus API on local K8s API endpoint on route/prometheus. You can integrate with this endpoint to receive node and kube-state-metrics monitoring.

The Kubernetes main version 1.21.x support is introduced. It automatically upgrades all sites to this version via software upgrade.

The sidebar entry for Network Policy under shared and system namespaces is renamed to vK8s Network Policy and Firewall Policy respectively.

Note: The vK8s Network Policy is supported only under application and shared namespaces. The Firewall Policy is supported only under the system namespace.

The Console is updated to show recently visited service links. Up to four recently visited services links are shown in the Select Service drop-down to simplify navigation between services. Also, the All Services links are removed.

This release introduces enhancements in configuring exclusion rules for the WAF.

A CRL object can be created that configures HTTP server information reachable from site local network of a site. HTTP loadbalancer can refer to this CRL object whenever client certificate needs to be verified against a revocation list provided by the server. CRL file will be downloaded periodically and applied.

This feature updated the K8s and vK8s main version support to 1.21. System automatically upgrades all sites to this version via the software upgrade.

This release introduces a new page for the Managed K8s. The overview page is located at the Managed K8s > Overview option in the Multi-Cloud Network Connect service in the Console.

This feature allows to insert custom tags/labels in the Console for all auto-provisioned Sites. It also automatically add tags ves-io-creator-id with value of creator (for example, user1@f5.com) and ves-io-site-name with value of name. In case of GCP, this feature stripes at-sign suffix and replace dots by underscores. For example, the creator value p.user1@f5.com is converted to ves-io-creator-id: p_user1.

With this feature, user can add \{\{request_id\}\} placeholder in the custom blocking page to include the request identifier from the WAF security event.

This release introduces the service policy rule based on IP reputation. The rule can allow or deny traffic based on IP score and/or IP Threat categories.

This release introduces Malicious User Mitigation settings for HTTP Load Balancers. User can customize the settings to have corresponding actions for threat-levels LOW, MEDIUM, and HIGH. The supported actions are Javascript Challenge, Captcha Challenge, and Block Temporarily.

This release introduces updates to product terminology in all resources of F5 Distributed Cloud Services, including updated UX for Console users. F5® Distributed Cloud Services denotes set of distributed cloud services/products such as the following.

• F5® Distributed Cloud Mesh (Mesh)
• F5® Distributed Cloud App Stack (App Stack)
• F5® Distributed Cloud Console (Console)

Note: This list does not show all names of services/products. See About F5 Distributed Cloud and Services for more information on products and services.

VMware OVF property to set admin password on deployment is introduced. It can be set from OVA form during provisioning and allows to fully automate deployment via terraform.

AWS introduced CoreDNS as an add-on for EKS clusters. When CoreDNS is an add-on, it resets any changes done to the Configmap of CoreDNS. This causes DNS Delegation to fail. Therefore, CoreDNS add-on is disabled while keeping CoreDNS service active.

Note: If CoreDNS add-on is deleted without the preserve flag, it will remove CoreDNS service itself. If a service discovery object is already present, then do one of the following: Execute the eksctl delete addon --cluster <cluster-name> --name coredns --preserve --region <region-name> command. Delete and re-create the discovery object. Restart the VER service from the Tools tab of the site monitoring page. Go to Sites -> Site List and click on your site to view the site monitoring page.

Some user management APIs exposed in earlier versions of software are now removed as they are no longer supported.

For example, instead of the https://www.volterra.io/docs/api/user#operation/ves.io.schema.user.API.Create API, use the https://www.volterra.io/docs/api/user#operation/ves.io.schema.user.CustomAPI.Create Custom API.

The following list of APIs are removed:

• https://www.volterra.io/docs/api/user#operation/ves.io.schema.user.API.Create
• https://www.volterra.io/docs/api/user#operation/ves.io.schema.user.API.Replace
• https://www.volterra.io/docs/api/user#operation/ves.io.schema.user.API.List
• https://www.volterra.io/docs/api/user#operation/ves.io.schema.user.API.Get

Note: Clients using the above APIs are required to use equivalent custom APIs for these operations. See API for more information.

This feature allows users to configure alert policies with different alert labels as custom matchers and can configure receivers to send or block notifications based on matched alert labels.

This release introduces the Advanced AddOn Bot Defense feature for HTTP Load Balancers. For more information, see Bot Defense.

This feature introduces support for defining and enforcing API for application using its swagger files. After uploading application swagger files, you can create API definition which includes paths and methods from the swagger files. The API definition includes default API groups, all operations, and base URL. You can refer to the API definition and apply custom service policy in HTTP load balancer to allow/deny access to specific API groups. You can also tag operations in swagger by specific custom tag (x-volterra-api-group). In this case, API definition builds multiple groups and allows higher granularity in policy rules.

This feature introduces ability to upload and download Open API Specification files. You can upload a swagger file via the Console in JSON or YAML format. The content is checked if it is a valid v2/v3 swagger. Each file version gets a unique URL in F5 Distributed Cloud Services and can be referred by other configuration objects such as API Definition. The user can list and download files in his tenant and required/accessible namespace.

Managed K8s API server accesscontrol is now enhanced to permit CRUD operations to manipulate ClusterRoles and ClusteRoleBindings. This can be enabled as advanced option on K8s Cluster configuration.

Console is enhanced with a new user experience. The primary navigation elements have been updated and the interface can be tailored to match any level of expertise. The new experience makes it easier for various teams to focus on tasks related to their respective roles. The following are the highlights of the new experience:

• Services - services are arranged into logical groups of tasks and functionalities that improve focus while making it easier to find and switch between services.
• Work domains - When you log in for the first time, you will be asked to choose your work domain. The user interface is tailored to this selection and the services related to that domain are filtered for easy access. You can also change your domain selection at any time.
• Home page - A new home page is created where you can access common, persona-related services accompanied by walkthroughs and solution videos.

For more information, see Getting Started.

This feature enables user to see enhanced sites topology connecting across different cloud providers (Site Mesh Group) and to check similar connection within a single data centre (DC Cluster Group).

This feature enables user to have visibility into various L3-L4 monitoring Dashboards. The dashboards include the following:

• Top talkers
• Events list and details
• Alerts list and detail
• Mitigations list
• Details and Annotations
• Graphs by - Network, Application, Zone and Mitigation.

New CLI command configure-http-proxy is introduced to update HTTP proxy and distribute the update to all K8s nodes at the same time instead of doing it one by one. The command sends the updated information to SaaS and reloads the software with new HTTP Proxy parameters.

Note: This action is the same as software upgrade. Therefore, rolling update for all software components is expected.

Creating and supporting cluster with multiple certified hardware options is introduced.

The HTTP load balancer is updated with configuration option for enabling and disabling SNI strict checking.

This feature introduces automatic certificate management on load balancer without delegating a sub domain to F5 Distributed Cloud. When such a load balancer is created (with automatic certificate management enabled but domain not delegated to F5 Distributed Cloud), a CNAME record information is provided. This record is required to be created in the parent domain by the user. Certificate is minted once this CNAME record is added.

This feature introduces option to specify priority among origin pools. When the highest priority origin pool is not available either due to health check or due to discovery of retracting the endpoint, subsequent priority origin pool is used for handling requests. The priority-based switching of origin pool is pre-emptive. That is, when the highest priority origin pool is available, it is selected immediately for load balancing the requests.

This feature enables user to configure OCSP Stapling when using HTTPS proxy with custom certificates. The option to disable OSCP Stapling, enable OCSP Stapling with system configuration, or enable OCSP Stapling with custom order of Hash Algorithms is introduced.

This feature enables the user to configure, for an HTTP load balancer, AI options like API discovery, malicious user detection and ddos detection directly from the HTTP load balancer form.

This feature replaces the rules-based Web Application Firewall (WAF) with a much advanced application firewall that supports classification and detection for attacks that are based on signatures, provides bot protection, detects security violations, and also offers controlling response traffic. The WAF also provides protection against threat campaigns, supports enabling/disabling false positive suppression, and allows to mask sensitive data in request logs.

For more information on the new WAF, see WAF and Configure App Firewall.

HTTP load balancer is enhanced to normalize the Path URL according to RFC 3986. Additionally, the slashed is merged when path URL normalization is enabled.

Path normalization is supported with an option to enable it for HTTP load balancer of type HTTPS proxy. In case of HTTP proxy, it is enabled by default.

This features enables SSL renegotiation by default in case of origin pools.

This release introduces support for adding the : character to the YAML format for the K8s cluster and cluster role binding manifests.

This features enables unlocking full GPU performance for a VMware site with licensing support. You can enable this by adding VMware site to a fleet that has vGPU enabled in its advanced configuration section. Also ensure that you add license server address and license type.

This feature introduces support for health checks for origin pools enabled with HTTPS. The TLS configuration of the origin pool is used to make TLS connection with the upstream server for the periodic health check requests.

This release introduces Site Networking monitoring views. The dashboard view provides a summary view of site metrics dividied into sections and each section shows Top 10 Sites for that metric. The following metrics are presented:

• Data Sent
• Data Received
• Tunnels by Latency
• Tunnels by Drop Rate
• Tunnels by Throughput

The dashboard also provides table view for data for the following:

• Data when data plane reachability < 75%
• Data when control plane status is down
• Data when tunnel health < 70 score.

Note: The view also shows the tunnel alerts in the dashboard.

This feature introduces new storage device and storage class type called Custom, which allows to insert K8s storageclass manifest. This gives ability to enforce own storageclass names or integrations with 3rd party storages.

This features allows to set user notification preferences for the following notifications:

• Access Requests
• Product updates
• System Maintenance

You can select a notification to receive or deselect to disable receiving notifications for it. The notification preference setting is available in the General -> Personal Management -> My Account page.

This feature adds support for specifying total number of work nodes, irrespective of the availability zones in case of Azure sites.

This feature introduces support to use the following alternate regions for the Azure VNET sites:

• northcentralus
• koreacentral
• centralindia
• southindia
• australiacentral2
• australiacentral
• southafricanorth
• norwayeast
• swedencentral
• switzerlandnorth
• uaenorth
• uaecentral
• switzerlandwest
• norwaywest
• germanynorth
• francesouth
• canadaeast
• koreasouth

The default certified hardware for VMware site is changed to simplify user experience. The updated certified hardware is called as vmware-regular-nic-voltmesh. This contains by default 2 virtual interfaces eth0 (site local outside) and eth1 (regular interface). The eth1 is optional interface, and can be configured only from Console through the network interface object.

This feature enabled storing all request logs without any sampling on cold storage by default.

Client browsers may employ a performance optimisation known as connection coalescing. In case 2 virtual hosts with different domain names are hosted on the same IP address and present in the same TLS certificate, the HTTP/2 connection is reused between them when connection coalescing is used.

System detects such case and returns 421(Misdirected request) error to the client browser. Client browser receiving a 421 (Misdirected Request) response may retry the request over a different connection.

Note: Handling of 421 error is browser-specific. Not all client browsers handle this error code.

This feature introduces support for NVIDIA Tesla T4 on App Stack on VMware ESXi on certified commodity hardware. By enabling fleet vGPU option, The Site switches runtime to NVIDIA and can deploy vGPU workload applications.

This feature updated the Kubernetes main version support to 1.19.11. System automatically upgrades all sites to this version via the software upgrade.

The expiration option for create and renew API for my credentials and service credentials is changed from expiration_timestamp to expiration_days. In case you are using API to download the credential, ensure that you use the updated expiration field. See Credentials guide for more information on using the credentials.

Note: This effects only users of the API and not the Console users.

This feature allows specifying a particular software or operating system version during a site upgrade.

Note: You must obtain the correct version information before setting it for site upgrade.

The virtual host object creation is deprecated for most of the virtual host types except UDP and SMA proxy types.

HTTP and TCP Load balancers can be configured to be advertised on vK8s network on F5 Distributed Cloud ADN. However, for TCP Load balancers, there is a limitation that no two TCP Load balancers can be advertised on the same port. Also, the HTTP and TCP Load balancers can only be advertised on the site local outside or site local inside networks of a customer site.

The site service network allows multiple TCP Load balancers to be advertised on the same port on vK8s network on the ADN. It also allows HTTP and TCP Load balancers to be advertised on vK8s network on customer site.

An implicit system assigned role ves-io-tenant-owner-role is added to all the tenant owners. All existing and new tenant owner users will be assigned with this role in the system namespace. This is internally assigned for tenant owners and cannot be assigned to normal users. A tenant admin can go to General -> IAM -> Users and click ... -> Upgrade to Tenant Owner for a user to get this role added implicitly to the user.

This features allows users to signup for Free or Individual plan using Single Sign-On (SSO). As part of the initial support, sign in via Google is enabled. Users can use their existing Gmail/Google account credentials to authenticate when they choose SSO.

This feature allows tenant to enable site local K8s API access for AWS, Azure, and GCP VoltStack cluster cloud view sites.

This provides same ability as VoltStack site to link K8s cluster on cloud site and access native K8s API server. See VoltStack Site for information on how to enable site local K8s API access for VoltStack site.

This feature introduces the ability to disable advertisement on the public internet by default. This prevents unintended data leak to the public. Users are required to open a support ticket to use this feature.

This feature introduces implicit labels for namespaces. These labels can be used by administrators in service policies and network policies to control communication between namespaces.

Note: All objects in a namespace get the implicit label. This label cannot be modified by the user.

This release introduces support for using AWS and Azure loadbalancer IP addresses as the Site-Local Outside (SLO) or Site-Local Inside (SLI) VIP addresses to reach the applications advertised using F5 Distributed Cloud load balancer on the multi-node sites.

In case of AWS sites, you are required to configure allowed VIP port configuration on multi-node AWS VPC site. This is to explicitly specify which ports are going to be used while configuring the F5 Distributed Cloud loadbalancer. After this is configured, you can use the AWS loadbalancer IP address as the SLO/SLI VIP. Also, using AWS loadbalancer frontend IP as the VIP to external K8s or Consul cluster is supported. This is when a discovery object with VIP publishing configuration is enabled on the AWS site.

In case of Azure sites, you can use Azure loadbalancer IP as the SLO/SLI VIP to reach applications advertised using F5 Distributed Cloud loadbalancer on Azure multi-node sites.

This feature adds support to do factory-reset on the IGW 5000 series using the hardware reset button. Press the button continuously for 5 seconds to trigger factory-reset.

This feature adds Nodes tab to the monitoring of F5 Distributed Cloud's managed k8s cluster. This tab will give details about nodes in the cluster.

This feature allows monitoring of the managed K8s cluster even when API access from Console is disallowed. This is done using metrics collected from the cluster and the monitoring dashboards appear different compared to when API access is allowed. The K8s monitoring is shown as Monitor K8s cluster when API access from Console is allowed. It is shown as Monitor K8s cluster(with metrics) when API access from Console is disallowed.

This feature allows to download Kubeconfig for a the managed K8s cluster from Console gateway. Log into Console, navigate to Sites -> Site List in the system namespace, and click ... -> Download Global Kubeconfig for your App Stack site enabled with managed K8s.

F5 Application Traffic Insight (ATI) is a real-time, high-precision device identifier that utilizes advanced signal collection and machine learning algorithms to assign a unique identifier to each device visiting your site. This feature introduces ATI on Distributed Cloud Console and associated monitoring to view various dashboards of devices visiting your site. For more information, see ATI.

This feature improves the transition between teams plan and organization plan by enhancing error handling. This is applicable while upgrading from teams to organization plan and vice versa.

F5 Distributed Cloud Services support enabling direct connectivity to the backbone network. This feature enhances the direct connect functionality by adding support to advertise and discover services. Advertising of services is supported using HTTP and TCP load balancers.

This feature simplifies configuration of active alert polices in a namespace. A new API on the namespace is added that takes a list of alert policies and makes them active in that namespace. Corresponding UI enhancement is also added.

Users can use the TLS interception feature for HTTP Connect & DRP proxy without managing custom certificates with this feature. To use this feature, users need to simply select the Volterra Managed Signing Certificate option in the downstream certificate configuration for TLS intercept configuration. After that they can use Download CA Certificate menu item for the HTTP Connect & DRP proxy to download and use it from the browser and non-browser clients.

Configuring BGP object is simplified by removing invalid field combinations. The updated configuration form also allows the user to select interfaces per-peer instead of specifying a single list of interfaces for all peers.

This feature adds support for specifying a specific software version and a specific operating system version when bringing up a Customer Edge (CE) site. For view based sites, the versions can be specified when creating the site or during registration approval. For other site types, the versions can be specified during registration approval.

This feature introduces using Fully Qualified Domain Name (FQDN) in case of establishing IPsec/SSL VPN connection to the Regional Edge Sites. A Site can be configured to use IPSec/SSL VPN with an option of going through a site proxy. This feature now allows server FQDN in site configuration in addition to IP address. This FQDN gets resolved to establish VPN connection.

In case of proxy configuration being used with OpenVPN tunnels, FQDN is sent in the HTTP Connect request to the configured proxy server. Proxy server is required to resolve the FQDN and relay the connection to the final destination server to establish OpenVPN tunnel.

This feature allows configuring fallback in case of endpoints behind a cluster are not healthy and route points to multiple clusters as part of weighted cluster configuration. In such case, the traffic is distributed only among the remaining clusters that have one more healthy endpoints.

This feature introduces load balancing of egress traffic to all the nodes in case of AWS Egress gateway site.

vK8s monitoring is enhanced to show the site status in the Pods view. Site status is shown in colored dots in the Node name column. Healthy sites are shown in green color, unhealthy sites are shown in red color, and if health information is not available, grey color is shown for those sites.

Note: If node status is down, then pod status should be considered as unavailable even if it shows as available or running.

Node monitoring is enhanced to display the GPU status in the node status dashboard view. GPU status shows information such as temperature, power, CPU utilization, throughput, etc. Find the GPU status by navigating to Sites -> Site List, click on your site to load its dashboard, select the Nodes tab, and click on the node for which you want to monitor GPU status.

This feature allows tenants to have a direct connecting link to the REs. This enables the CE to RE connectivity to be on the direct private link instead of being in public.

This feature allows VIP address to be used as DNS server to resolve domain names configured in the load balancers. DNS queries can be sent to the VIP addresses configured on CE. The system software on the CE runs DNS server on the VIP addresses and resolves queries for domain names configured in the load balancers. It will also forward other requests to external DNS servers.

Support for manipulating server token in the HTTP load balancer response headers is introduced. User can now configure the response header to do the following:

• Set a default value
• Set a specific value
• Append a server name if no server header is not present
• Set to pass through if the server header is present

Malicious user detection and mitigation is enhanced in the HTTP load balancer monitoring. In the Security Monitoring view, the Malicious Users tab now allows admin to view and act upon malicious users identified by a user-identification object or the source IP address in case a user identification object is not defined. The following monitoring functionalities are added:

• Malicious user security events
• Activity timeline for the identified user
• Activity that contributed to the current suspicion score
• Time series variation for the suspicion score
• Options to block or whitelist users

F5 Distributed Cloud Services use advanced machine learning techniques and analyzes information to identify the malicious users. Analysis is performed on information such as WAF security events, forbidden access events, failed login attempts, and anomalous behavior.

Node monitoring is enhanced to display the GPU status in the node status dashboard view. GPU status shows information such as temperature, power, CPU utilization, throughput, etc. Find the GPU status by navigating to Sites -> Site List, click on your site to load its dashboard, select the Nodes tab, and click on the node for which you want to monitor GPU status.

The AWS Transit Gateway (TGW)site allows for attaching multiple VPCs and forwarding of traffic between VPCs. This feature introduced support for service policy on the VPC-to-VPC traffic or east-west traffic and can be set in the security configuration section of TGW configuration wizard. User can enable the east-west service policy in the Manage East-West Service Policy section and attach a service policy. The service policy can be created in system namespace in the Security -> Firewall -> Service Policies page. It can also be created and attached from within the TGW configuration wizard.

Note: User can also enable east-west service policy with allowing all traffic to be sent via proxy.

Support for enabling policy-based security challenges is introduced. User can now set policy based challenge in load balancer configuration and specify whether to always enable a challenge or disable it while also setting override rules for specific match conditions. Both javascript challenge and captcha challenge are supported. The matching parameters include IP, domain, path, peader, query parameters, etc. These are similar to the parameters in service policy rules.

Note: The security challenge can be enabled in the advanced configuration section of HTTP load balancer configuration. See Configure Javascript Challenge for more information.

Support for manipulating server token in the HTTP load balancer response headers is introduced. User can now configure the response header to do the following:

• Set a default value
• Set a specific value
• Append a server name if no server header is not present
• Set to pass through if the server header is present

Support to set WAF rules for exclusion in HTTP load balancer security events is introduced. User can now select security events and create an exception rule for them from the HTTP load balancer monitoring page in Console. Navigate to Virtual Hosts -> HTTP Load Balancers in your namespace and click on your load balancer. Select Security Events tab and click ... -> Create Exception Rule for the security event entries for which you want to enable the WAF rule exception.

Note: Creating exception rule for an event will open HTTP load balancer configuration form with the WAF excluded rule added to the security configuration section. Click Save and Exit to update the configuration.

Support for whitelisting or blocking specific clients for HTTP load balancer is introduced. The load balancer configuration is added with client blacklisting rules and trusted client rules sections. User can set to block or whitelist specific clients based on the IP addresses or AS numbers.

TCP load balancer is enhanced to set load balancing schemes for the traffic to the origin servers. The schemes supported are round-robin, least active, random, and hash of source IP.

This feature introduces ability to do BGP peering on multiple networks on a customer edge site. Networks could be site local, site local inside, or per site networks.

Support for setting default resource limits for vK8s containers is introduced using a default workload flavor object. User can now create a workload flavor object in the shared namespace at the Manage -> Workload Flavors page and attach it as a default limit in vK8s configuration. See Create Default Workload Flavor for more information.

This feature gives ability to access customer edge (CE) K8s cluster through a kubeconfig file on the local network. Using this feature, user can deploy applications that can manage kubernetes workloads on the CE K8s cluster.

This release introduces support for creating Data Center (DC) or physical hardware edge sites using the VoltStack site object from Console.

Support for stream request logs to syslog service is introduced. User can now create a log receiver object and attach to the fleet of sites. Log receiver object can be created in Console in the Manage -> Site Management -> Log Receivers.

Note: The host IP of the external service must be reachable from the Site.

The following enhancements are added to AWS VPC site and AWS TGW site:

• Configuring workload subnets
• Configuring worker nodes - Supported only for AWS VPC site
• Site admin state field is added in the Manage -> Site Management -> AWS VPC Sites page and also in the JSON view for the AWS VPC site object.

The Sites -> Connectivity page view for the AWS TGW site is enhanced with representing the site with transit gateway, tunnels, and attached VPCs. Also, the details view for the AWS TGW site is enhanced to show the information on tunnels to TGW. This information includes the data transfer, throughput, and BGP connection status.

Support for whitelisting USB devices from Fleet is introduced. Users can now create a USB policy to allow specific USB devives and apply the policy using Fleet.

Site local UI URL is enhanced to be more usable. User can now access site local UI using the https://volterra.local:65500 URL. For more information on using site local UI, see Site Local UI guide.

Support for adding active network and service policies in the application namespace is introduced. User can add active policies in the Security -> vK8s Network Policy -> Active Network Policies and Security -> Service Policy -> Active Service Policies pages.

The virtual K8s (vK8s) dashboard and PVCs view are enhanced to display the disk usage of PVCs.

The OS is updated with CentOS release 7-9.2009 and kernel release 4.18.0-193.28.1.ves1.el7.x86_64

Support for configuring HTTP Proxy for VMware CE site is introduced. During the initial configuration using CLI, user can set HTTP proxy. For more information on VMware site installation, see Create VMware Site. Download the latest image from the VMware Site Images page.

• The tcpdump collection is improved for usability in the Tools tab of the site monitoring page. User can now start, fetch, and stop the tcpdump from single page for a selected target.
• Traceroute utility is added to the Tools tab of the site monitoring page.

Note: Navigate to Sites -> Site List in the System namespace and click on any site to display its monitoring view. The dashboard tab is loaded by default.

The following updates are made to Fast ACLs:

• Fast ACL set table list is removed from the Console
• Fast ACLs for Internet VIPs object is introduced. The Fast ACL objects can be directly added to this.

In addition to supporting the HTTPS load balancer, the F5 Distributed Cloud DNS management is extended to TCP and HTTP load balancers. With this, users can now delegate domain to F5 Distributed Cloud and use the domains in load balancer of type TCP and HTTP.

App Type object support is enhanced so that it can be created from within the App Settings object in the application namespace.

The service discovery is enhanced to discover and route to headless K8s services without depending on K8s DNS.

Note: This requires Layer 3 routing to be established between the CE site and the K8s pods.

The virtual K8s (vK8s) is enhanced to configure daemonsets, cronjobs, and service accounts.

The deployments per vK8s is increased to 25.

Support for restricting communication between vK8s services belonging to different namespaces is introduced. User can enable namespace isolation in the vK8s configuration and override this behavior for specific services by setting the ves.io/serviceisolation annotation to false for that service.

Node mastership is now based on all configured VIPs across Site Local Outside (SLO) and Site Local Inside (SLI) interfaces.

Introduced status and tooling enhancements to the local UI dashboard of F5 Distributed Cloud Site.

Introduced per API endpoint Swagger API schema documentation generation. This can be found under App Namespace -> Mesh -> Service Mesh -> API Endpoints -> Endpoints Details -> Swagger.

Introduced the ability to define active service policies for a specific HTTP Load Balancer. You can choose one of the following service policy options for the load balancer:

• Set a default service policy
• Apply active service policies
• Disable the active service policy

Introduced ability to match destinations based on IP prefix and IP prefix lists under the custom rule list of the forward proxy policy.

Introduced ability to create a forward proxy policy matching on a specific BGP AS, ASN list, and GeoIP labels.

Introduced support for configuring forward proxy in the network connector when connecting Site Local Inside (SLI) to Global Network Type VNs.

Enhancements are added to the vK8s workload dashboard under App Namespace -> Applications -> Virtual K8s -> Workloads.

Introduced the ability for users to configure private registries for their vK8s workloads.

Introduced the ability for the user to view existing flows per node.

Several enhancements are added to the UX of the sidebar in Console.

Introduced beta support for F5 Distributed Cloud's public terraform provider. See Terraform Provider for more information.

Introduced support for users to directly upgrade site deployments via Site Management for AWS/Azure/GCP/TGW sites and also from the Site List page for sites.

Enhanced the Site Management page for Azure VNET & GCP VPC to support a 3rd deployment option called VoltStack Cluster (One Interface).

Enhanced health score calculation to take Site Admin state into account.

Introduced support for TLS interception when configuring an HTTP Connect or DRP (Dynamic Reverse Proxy) virtual host.

Introduced logging of the description field for the configured policy in the hit logs. The policies include service policy, forward proxy policy (simple and custom rule set), network policy, and secret policy.

When provisioning an AWS TGW Site, East-West traffic now supports forward proxy policies by default.

Enhanced the vK8s workload & Pods table view to include deployment name, running pods, total pods, total sites, sites with error, sites without pods, virtual site, upgrade, and actions.

During vK8s virtual site selection, the selection table now shows descriptions for the virtual sites (system or user created).

Introduced the beta version of the site security dashboard. This view provides tenant and site level firewall events and logs. This is available at Sites -> Site Security.

Enhanced UX and navigation of endpoint details in the API Endpoint page.

Enhanced Alerts and Audit Logs pages under Notifications section.

Support for revoking API certificates and Kubeconfigs is introduced. In case of API certificates and Kubeconfigs created prior to this release, you might receive the Client certificate is invalid or revoked response for API requests. In such case, create new certificates and download for use.

The Industrial Server (ISV) 8000 is now Generally Available. The Industrial Server is a series of ruggedized edge computing devices providing hyper-converged compute, GPU, storage and networking. They are easy to deploy and operate systems capable of running learning, inference, containerized or legacy (VM) workloads—from manufacturing plants to retail stores and small branch offices. The Industrial Servers combine the capabilities of hyper-converged infrastructure (HCI) with a GPU for machine learning and robust connectivity (4G LTE/GPS/Wi-Fi/Bluetooth) in a single ruggedized device designed to meet the rigorous demands of edge and industrial environments. You can learn more about the Industrial Server from the data sheet here and the User Manual here.

The user can now query service specific status on a Per Node basis from Console. System -> Site -> Tools -> Show services status

During CE setup the user can now configure a default ves.io/fleet type. This is helpful in scenarios where CEs required a basic working configuration on CE registration (i.e., Local breakout).

Console now supports the deployment of Sites and management of AWS TGW's. System -> Site Management -> AWS TGW Site.

Console now supports the deployment and management of Sites in GCP. System -> Site Management -> GCP VPC Site.

The Site Wizard Page has been improved for better UX, readability and error/status reporting.

DDoS forensics and analysis for Load Balancers and Site (Forward Proxy) Enhanced ability to perform forensics and analysis of configured HTTP & TCP Load Balancers and per Site Forward Proxy.

Using Time Series Analysis (TSA) of the Request Rate, Response Throughput, Latency and Error Rate anomalous enhanced DoS/DDoS alerting has been enabled.

This release has added additional HTTP & HTTPS ports to be advertised on F5 Distributed Cloud's REs (Public Network). Supported HTTP ports are 80 8080 8880 2052 2082 2086 2095 25565. Supported HTTPS ports are 443 2053 2083 2087 2096 8443 25565.

Site Dashboard Denied Rules Tile now includes Forward Proxy. The site dashboard Denied Rules tile now includes Forward Proxy as an option, in addition to Service & Network Policy.

Guided Configuration for F5 Distributed Cloud DC Cluster - This feature brings in vK8s application deployment workflow to ease deploying applications on F5 Distributed Cloud Services platform. The interface given caters to the developers, provides application level interface and hides some of the underlying infrastructure related tasks.

Storage Device Support - This feature brings support for Dell EMC Isilon F800 & HPE Nimbus Storage AF40, this is configured in the Fleet object under Storage Configuration.

Simplified Workload Deployments on vk8s - This feature brings in vk8s application deployment workflow to ease deploying applications on F5 Distributed Cloud Services platform. The interface given caters to the developers, provides application level interface and hides some of the underlying infrastructure related tasks.

There is a new user type called "Debug User". This allows the tenant admin to provide the F5 Distributed Cloud Support team access to the tenant to enhance troubleshooting.

Email and SMS are supported receivers under Alert Management.

The connection log page has been enhanced to render the data in a more user friendly format.

The site dashboard in Console allows additional troubleshooting and status commands to be executed remotely.

Fleet Configuration and related objects (Network Interface, Virtual Networks, Network Connectors, Network Firewall, Network and Forward Policies) can be initially configured during Fleet creation. This is configured under System -> Site Management -> Fleets.

For information on fleet configuration, see Create Fleet.

Guided form is introduced to enable easier configuration of fast ACLs. See Fast ACLs for configuration instructions.

For smaller deployments, it is desired to configure site-to-site mesh groups without a hub & spoke model. This release introduces the ability to configure a mesh with a hub group only.

Guided forms are introduced to enable easier configuration of HTTP Connect & Dynamic Reverse Proxy under the <Namespace> -> Manage -> Load Balancer.

The vK8s dashboard is updated for a better UX experience and end-to-end view of pods deployments, statistics, and health.

General Availability (GA) Support for the Industrial Gateway 5008 & 5508 series is introduced.

Updates are made to the default System -> Sites -> Site List page to provide clear views of per site data. Connectivity topologies are now arranged based on site longitude/latitude and no longer based on alphabetical order.

Optimizations are delivered to the app traffic graphs views under <Namespace> -> Sites -> App Traffic.

Updates are introduced to the General tab and layout for simplified UX for Billing, Support, IAM, and Personal Management.

A new section called Tenant Settings is added. The tenant settings section provides an overview of tenant information such as tenant ID, domain and company name. System wide IAM credentials can be configured here.

Updates are introduced to billing reports, usage details, and billing settings. These include options to request changes to existing plans and viewing existing tenant wide quotas.

Updates to the escalation processes are added to team and organizational plans.