Changelogs
Objective
This document covers:
- New features or functionalities
- Enhancements to existing features or functionalities
- Open issues or known issues
- Fixed issues
May 10, 2022
Last Updated: May 18, 2022
New Features
Site Management
Removal of Assisted Deployment from Cloud Sites
The Assisted Deployment option is removed from the user interface for all cloud site types: AWS VPC Site, Azure VNET Site, GCP VPC Site, and AWS TGW Site. An attempt to create a site with Assisted Deployment mode via the API returns an error.
Note: Existing sites can continue using the site in assisted mode.
Mesh
Support Longer Idle Timeout on HTTP Load Balancer
Support for a longer idle timeout (up to 60 minutes) on the HTTP load balancer is introduced for specific application use cases. The number of such load balancers is limited based on the http_loadbalancer.large_idle_timeout value.
Public Server CA Rotation and Credentials Update
Public certificates are switched from the current provider to a new provider. The existing vK8s and managed K8s kubeconfig will stop working. Users with an existing kubeconfig are required to download a new copy for the credentials.
F5 Distributed Cloud (XC) Bot Defense with iApp Connector for BIG-IP
This release introduces the F5 Distributed Cloud (XC) Standalone Bot Defense service with iApp Connector (v3.0.2) for BIG-IP. For more information, see Bot Defense.
Site Mesh Group for Public Cloud Sites
Support for configuring site mesh group for public cloud sites is introduced. Supported site types are AWS VPC Site, Azure VNET Site, and GCP VPC Site.
Support HTTP Header as Allow List (Trusted Client Rules)
This release introduces HTTP header as Allow List (Trusted Client Rules) to skip Bot Defense, WAF, or both. For more information, see Bot Defense.
Support for Multiple Tunnels between Sites
Support for multiple tunnels between the F5 Distributed Cloud Sites is introduced. Up to three tunnels will be set up between the Sites if the Sites have more than one master node. A single-node Site will be set up with a single tunnel.
Support for Site Mesh Group for K8s Site
Support for configuration of Site Mesh Group for K8s Site is introduced. Multiple tunnels (up to three) will be set up between the Sites if the Sites have more than one master node. A single-node Site will be set up with a single tunnel.
Support for Site Mesh Group for K8s Site on OpenShift
Support for configuration of Site Mesh Group for K8s Site on the OpenShift platform is introduced. Multiple tunnels (up to three) will be set up between the Sites if the Sites have more than one master node. A single-node Site will be set up with a single tunnel.
New Identifiers for User Identification Rule
In addition to blocking users based on the IP Addresses, more granularity is enabled by introducing the following identifiers in the user identification rule:
- TLS fingerprint
- Client IP + TLS fingerprint
- Client IP + HTTP header value
Changes to Default Behavior
None.
Caveats
The following caveats apply:
- The external service creation is not successful with a pre-existing AWS TGW site. Before creating the external service with a pre-existing AWS TGW site, Terraform needs to be applied for that AWS TGW site so that the creation is successful.
- The Bot Defense does not function correctly when hash policy is enabled on the load balancer (for example, source IP stickiness). As a workaround, disable hash policy on the load balancer.
- In the Client Classification section of HTTP Load Balancer’s Security Monitoring dashboard, the human requests count may show incorrect data.
- vK8s Role and Role Binding currently does not support user level K8s RBAC and is applicable only for vK8s workloads. vK8s Role and Role Binding are propagated to the K8s cluster and enforced at the K8s cluster only. Currently, they are not enforced at the vK8s API server.
April 12, 2022
Last Updated: April 19, 2022
New Features
Site Management
Factory-Reset Using Hardware Push Button on ISV
Support for doing factory reset for ISV boards with revision R0D and above is introduced.
Multi-Node Support for Kubernetes Site
This feature introduces multi ETCD and multi VER pods on multi-node K8s cluster and adds support for various debug tools in the Tools section in site dashboard and metrics for the Kubernetes Site.
Ability to Run Virtual Machines on Managed K8s Sites
It is now supported to run VMs on managed K8s Sites (physical K8s/App Stack Sites). Use the virtctl binary to interact with the VM to perform functions such as start, stop, pause, etc.
Mesh
Optional Matching of Server Name Indication (SNI)
The F5 load balancer does not match the SNI if a single HTTPS load balancer is advertised on a given VIP:Port. It always offers the certificate programmed on the HTTPS load balancer, ignoring the SNI. If additional HTTPS load balancers are advertised on this VIP:Port, then SNI match becomes mandatory and requests without the server name extension are rejected.
Custom Response Code for WAF Blocking Page
This release introduces support to set a response code to be returned when an incoming request is blocked due to WAF security violation.
DC Cluster Group Support for Cloud Sites
This feature introduces support for connecting Cloud Sites using DC cluster group.
Note: This requires Layer 3 connectivity between the Cloud Sites.
Ability to Configure IP Reputation per HTTP Load Balancer
This feature adds support to enable IP reputation per HTTP load balancer.
Rotate Public LE Certificates
F5 Distributed Cloud Services will switch public certificates from the current provider to a new provider in the release of May 10, 2022. The existing vK8s and managed K8s kubeconfig will stop working after the release of May 10, 2022. Users with an existing kubeconfig are required to download a new copy, which will include both old and new CAs. This will ensure that the kubeconfig continues to work when switching to the new provider.
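One way to check a re-downloaded kubeconfig before the switch, as an added example that is not F5 tooling: it lists the SHA-256 fingerprint of every certificate in each certificate-authority-data bundle and treats two distinct CAs per bundle as the sign of a rotation-ready copy. The sample kubeconfigs and certificate bytes are constructed placeholders, and "two distinct CAs" is an assumption standing in for the real old and new CA fingerprints, which the page does not list.

```python
import base64
import hashlib
import re

CA_FIELD = re.compile(r"certificate-authority-data:\s*(\S+)")
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def ca_fingerprints(kubeconfig_text):
    """Return one list per CA bundle: SHA-256 hex digest of each DER cert."""
    bundles = []
    for blob in CA_FIELD.findall(kubeconfig_text):
        # The field holds a base64-encoded PEM bundle (one or more certs).
        pem_text = base64.b64decode(blob).decode("ascii", errors="replace")
        prints = []
        for body in PEM_BLOCK.findall(pem_text):
            der = base64.b64decode("".join(body.split()))
            prints.append(hashlib.sha256(der).hexdigest())
        bundles.append(prints)
    return bundles


def rotation_ready(kubeconfig_text):
    """True only if every CA bundle carries at least two distinct certs."""
    bundles = ca_fingerprints(kubeconfig_text)
    return bool(bundles) and all(len(set(b)) >= 2 for b in bundles)


# --- constructed sample data (placeholder bytes, not real certificates) ---
OLD_CA_BYTES = b"constructed-old-ca-placeholder"
NEW_CA_BYTES = b"constructed-new-ca-placeholder"


def pem_block(der):
    body = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def build_kubeconfig(*ders):
    bundle = "".join(pem_block(d) for d in ders)
    data = base64.b64encode(bundle.encode()).decode()
    return (
        "apiVersion: v1\nkind: Config\nclusters:\n- cluster:\n"
        "    certificate-authority-data: " + data + "\n"
        "    server: https://k8s.example.invalid\n"
        "  name: constructed-cluster\n"
    )


OLD_KUBECONFIG = build_kubeconfig(OLD_CA_BYTES)                # pre-rotation copy
NEW_KUBECONFIG = build_kubeconfig(OLD_CA_BYTES, NEW_CA_BYTES)  # re-downloaded copy

if __name__ == "__main__":
    for label, cfg in (("old", OLD_KUBECONFIG), ("new", NEW_KUBECONFIG)):
        print(label, rotation_ready(cfg), ca_fingerprints(cfg))
```

Comparing the printed fingerprints against values obtained from the provider out of band is a stronger check than counting certificates.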
Support Mutating Webhook Configuration
This feature introduces support to enable mutating webhook configuration for the F5 Distributed Cloud Sites.
Allowed Request Rate per API Base URL, Path, and Method
The API rate limit rules are introduced in two categories. The first category includes the rules defined at the API server and base URL level. In the second category, more granular rules, such as per API path and method, can be configured. Each rule is composed of match conditions (domain, base path, API endpoint, and methods), allowed rate (requests per given duration), and user identifier. Requests matching the configured conditions are counted per defined user identifier.
Note: Only the first match is counted in each category.
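The counting rule described above, as an added model that is not F5 code: a request is checked against both categories, only the first matching rule in each category is counted, and counters are kept per user identifier. The field names, the fixed-window counter, and the sample rules and requests are assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    domain: str
    base_path: str
    limit: int                        # allowed requests ...
    window_s: int                     # ... per this many seconds
    endpoint: Optional[str] = None    # None: server/base-URL rule (category 1)
    methods: frozenset = frozenset()  # empty set means any method

    def matches(self, req):
        if req["domain"] != self.domain:
            return False
        if self.methods and req["method"] not in self.methods:
            return False
        if self.endpoint is None:
            base = self.base_path.rstrip("/")
            return req["path"] == base or req["path"].startswith(base + "/")
        return req["path"] == self.base_path + self.endpoint


class ApiRateLimiter:
    def __init__(self, server_rules, endpoint_rules):
        # Category 1: server/base URL rules. Category 2: path and method rules.
        self.categories = (list(server_rules), list(endpoint_rules))
        self.counts = defaultdict(int)  # (rule, user id, window index) -> hits

    def allow(self, req):
        allowed = True
        for rules in self.categories:
            # Only the first matching rule of each category is counted.
            rule = next((r for r in rules if r.matches(req)), None)
            if rule is None:
                continue
            key = (rule.name, req["user_id"], int(req["ts"]) // rule.window_s)
            self.counts[key] += 1
            if self.counts[key] > rule.limit:
                allowed = False
        return allowed

    def hits(self, rule_name, user_id, window=0):
        return self.counts.get((rule_name, user_id, window), 0)


def demo():
    """Constructed rules and requests; user_id stands for the user identifier."""
    limiter = ApiRateLimiter(
        server_rules=[Rule("base-v1", "api.example.com", "/v1", 5, 60)],
        endpoint_rules=[
            Rule("login-post", "api.example.com", "/v1", 2, 60,
                 "/login", frozenset({"POST"})),
            Rule("login-any", "api.example.com", "/v1", 100, 60, "/login"),
        ],
    )

    def req(user_id, method, ts):
        return {"domain": "api.example.com", "path": "/v1/login",
                "method": method, "user_id": user_id, "ts": ts}

    results = [limiter.allow(req("alice", "POST", t)) for t in (0, 1, 2)]
    results.append(limiter.allow(req("bob", "POST", 3)))   # separate counter
    results.append(limiter.allow(req("alice", "GET", 4)))  # falls to login-any
    return limiter, results


if __name__ == "__main__":
    limiter, results = demo()
    print(results)
```

Because the narrower rule is listed first, POST requests never reach the broader login-any rule, so rule order within a category decides which limit applies.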
Simple Route Based on Host Header in the Incoming Traffic
Configuring header matcher to allow/deny traffic to an origin pool based on the incoming traffic header is introduced for HTTP load balancer. Multiple rules can be configured in this header matcher.
Handling of Accidental Deletion of Secret Policies
The following functionalities are introduced in case of deletion of secret policies:
- Secret policy soft-delete and recover facility added
- A custom list API is introduced for listing secret policies based on their state such as active or deleted
- UI is introduced with soft-delete in place of default CRUD delete
- UI is enabled with facility to recover the soft-deleted policy
Header Match for Routes in HTTP Load Balancer
This feature adds support to match on header in simple route, redirect route, and direct response route in case of HTTP load balancer.
Handling TLS Coalescing
Connection coalescing, also known as connection reuse, is a mechanism to reuse the same HTTP/2 connection for new requests. To support coalescing requests across load balancers, the configuration of multiple load balancers is merged into a single one when the load balancers have the same certificate configured. If mTLS is configured, then this merging of load balancer configuration is not done. This means 421 (misdirected request) is returned by the load balancer. The browsers are expected to initiate a new connection on receipt of 421. The other exceptions for not merging load balancer configurations are when they have different configurations for the following features:
- Path Normalization
- Server Header
Support for Deploying External NFV Service - F5 BIG-IP
This release introduces the External Service object, which can be used to deploy an F5 BIG-IP VE EC2 instance in the services VPC of an already deployed AWS TGW Site. The External Service object deploys F5 BIG-IP VE and sets up the bootstrap configuration needed for the service instance to become functional. The AWS TGW Site acts as an external network load balancer and distributes the traffic to F5 BIG-IP nodes. Traffic may be East-West (originating from apps running on spoke) or North-South (originating from the Internet).
Note: This feature requires users to manage virtual server and security policy configuration on F5 BIG-IP.
App Stack
Advertise Local Prometheus in Managed Kubernetes
This feature allows accessing Prometheus API on local K8s API endpoint on route/prometheus. You can integrate with this endpoint to receive node and kube-state-metrics monitoring.
Upgrade to K8s Version
The Kubernetes main version 1.21.x support is introduced. It automatically upgrades all sites to this version via software upgrade.
Console
Network Policy Update
The sidebar entry for Network Policy under shared and system namespaces is renamed to vK8s Network Policy and Firewall Policy respectively.
Note: The vK8s Network Policy is supported only under application and shared namespaces. The Firewall Policy is supported only under the system namespace.
Recently Visited Service Links
The Console is updated to show recently visited service links. Up to four recently visited services links are shown in the Select Service drop-down to simplify navigation between services. Also, the All Services links are removed.
Changes to Default Behavior
None.
Caveats
The following caveats apply:
- The Bot Defense does not function correctly when hash policy is enabled on the load balancer (for example, source IP stickiness). As a workaround, disable hash policy on the load balancer.
- In the Client Classification section of HTTP Load Balancer’s Security Monitoring dashboard, the human requests count may show incorrect data.
- vK8s Role and Role Binding currently does not support user level K8s RBAC and is applicable only for vK8s workloads. vK8s Role and Role Binding are propagated to the K8s cluster and enforced at the K8s cluster only. Currently, they are not enforced at the vK8s API server.
- A recent software update to documentation may result in rendition/formatting issues in a few documents.
February 22, 2022
New Features
Mesh
Enhancement for WAF Exclusion Rules
This release introduces enhancements in configuring exclusion rules for the WAF.
Certificate Revocation List Support
A CRL object can be created that configures HTTP server information reachable from the site local network of a site. An HTTP load balancer can refer to this CRL object whenever a client certificate needs to be verified against a revocation list provided by the server. The CRL file is downloaded periodically and applied.
App Stack
Upgrade to k8s Version
This feature updated the K8s and vK8s main version support to 1.21. System automatically upgrades all sites to this version via the software upgrade.
Console
Managed K8s Overview Page
This release introduces a new page for the Managed K8s. The overview page is located at the Managed K8s > Overview option in the Cloud and Edge Sites service in the Console.
Changes to Default Behavior
None.
Caveats
The following caveats apply:
- The Bot Defense does not function correctly when hash policy is enabled on the load balancer (for example, source IP stickiness). As a workaround, disable hash policy on the load balancer.
- In the Client Classification section of HTTP Load Balancer’s Security Monitoring dashboard, the human requests count may show incorrect data.
- vK8s Role and Role Binding currently does not support user level K8s RBAC and is applicable only for vK8s workloads. vK8s Role and Role Binding are propagated to the K8s cluster and enforced at the K8s cluster only. Currently they are not enforced at the vK8s API server.
February 03, 2022
New Features
Node/Site Management
Support Cloud Tags and Labels in Cloud View Sites
This feature allows inserting custom tags/labels in the Console for all auto-provisioned Sites. It also automatically adds the tags ves-io-creator-id with the value of the creator (for example, user1@f5.com) and ves-io-site-name with the value of the name. In case of GCP, this feature strips the at-sign suffix and replaces dots with underscores. For example, the creator value p.user1@f5.com is converted to ves-io-creator-id: p_user1.
Mesh
Ability to Correlate between WAF Custom Blocking Page and Security event
With this feature, the user can add the {{request_id}} placeholder in the custom blocking page to include the request identifier from the WAF security event.
Client IP Reputation Capability Using Service Policy
This release introduces the service policy rule based on IP reputation. The rule can allow or deny traffic based on IP score and/or IP Threat categories.
Policy-Based Malicious User Mitigation
This release introduces Malicious User Mitigation settings for HTTP Load Balancers. The user can customize the settings to have corresponding actions for threat levels LOW, MEDIUM, and HIGH. The supported actions are Javascript Challenge, Captcha Challenge, and Block Temporarily.
Console
F5 Distributed Cloud Services Brand Update
This release introduces updates to product terminology in all resources of F5 Distributed Cloud Services, including updated UX for Console users. F5® Distributed Cloud Services denotes set of distributed cloud services/products such as the following.
- F5® Distributed Cloud Mesh (Mesh)
- F5® Distributed Cloud App Stack (App Stack)
- F5® Distributed Cloud Console (Console)
Note: This list does not show all names of services/products. See About F5 Distributed Cloud and Services for more information on products and services.
Changes to Default Behavior
None.
Caveats
The following caveats apply:
- In case of a few IP addresses that might not be temporarily found in the Webroot threat database, the IP reputation score might be inconsistent for the same IP address in different instances.
- Customizing of App Settings for functionalities such as malicious user mitigation is supported only for multi-app load balancer and not for single app load balancer.
- In the Client Classification section of HTTP Load Balancer’s Security Monitoring dashboard, the human requests count may show incorrect data.
- vK8s Role and Role Binding currently does not support user level K8s RBAC and is applicable only for vK8s workloads. vK8s Role and Role Binding are propagated to the K8s cluster and enforced at the K8s cluster only. Currently they are not enforced at the vK8s API server.
January 13, 2022
New Features
Node/Site Management
OVF Property to Set Admin Password on Deployment
A VMware OVF property to set the admin password on deployment is introduced. It can be set from the OVA form during provisioning and allows fully automating deployment via Terraform.
Mesh
Removal of CoreDNS Configmap on EKS
AWS introduced CoreDNS as an add-on for EKS clusters. When CoreDNS is an add-on, it resets any changes done to the Configmap of CoreDNS. This causes DNS Delegation to fail. Therefore, CoreDNS add-on is disabled while keeping CoreDNS service active.
Note: If the CoreDNS add-on is deleted without the preserve flag, it will remove the CoreDNS service itself. If a service discovery object is already present, then do one of the following:
- Execute the eksctl delete addon --cluster <cluster-name> --name coredns --preserve --region <region-name> command.
- Delete and re-create the discovery object.
- Restart the VER service from the Tools tab of the site monitoring page. Go to Sites -> Site List and click on your site to view the site monitoring page.
Remove Auto Generated Public CRUD for User Object
Some user management APIs exposed in earlier versions of software are now removed as they are no longer supported.
For example, instead of the https://www.volterra.io/docs/api/user#operation/ves.io.schema.user.API.Create API, use the https://www.volterra.io/docs/api/user#operation/ves.io.schema.user.CustomAPI.Create Custom API.
The following APIs are removed:
- https://www.volterra.io/docs/api/user#operation/ves.io.schema.user.API.Create
- https://www.volterra.io/docs/api/user#operation/ves.io.schema.user.API.Replace
- https://www.volterra.io/docs/api/user#operation/ves.io.schema.user.API.List
- https://www.volterra.io/docs/api/user#operation/ves.io.schema.user.API.Get
Note: Clients using the above APIs are required to use equivalent custom APIs for these operations. See API for more information.
Alert Policy Matching on any Alert Label
This feature allows users to configure alert policies with different alert labels as custom matchers and to configure receivers to send or block notifications based on matched alert labels.
Advanced AddOn Bot Defense in HTTP Load Balancers
This release introduces the Advanced AddOn Bot Defense feature for HTTP Load Balancers. For more information, see Bot Defense.
Define and Enforce API for the App Using its Swagger
This feature introduces support for defining and enforcing the API for an application using its swagger files. After uploading application swagger files, you can create an API definition which includes paths and methods from the swagger files. The API definition includes default API groups, all operations, and base URL. You can refer to the API definition and apply a custom service policy in the HTTP load balancer to allow/deny access to specific API groups. You can also tag operations in swagger with a specific custom tag (x-volterra-api-group). In this case, the API definition builds multiple groups and allows higher granularity in policy rules.
Generic object store
This feature introduces the ability to upload and download Open API Specification files. You can upload a swagger file via the Console in JSON or YAML format. The content is checked to confirm that it is a valid v2/v3 swagger. Each file version gets a unique URL in F5 Distributed Cloud Services and can be referenced by other configuration objects such as API Definition. Users can list and download files in their tenant and required/accessible namespace.
App Stack
Permit K8s API Access to ClusterRole and ClusterRoleBinding
Managed K8s API server access control is now enhanced to permit CRUD operations to manipulate ClusterRoles and ClusterRoleBindings. This can be enabled as an advanced option on the K8s Cluster configuration.
Console
Primary Navigation UX Enhancement
Console is enhanced with a new user experience. The primary navigation elements have been updated and the interface can be tailored to match any level of expertise. The new experience makes it easier for various teams to focus on tasks related to their respective roles. The following are the highlights of the new experience:
- Services - services are arranged into logical groups of tasks and functionalities that improve focus while making it easier to find and switch between services.
- Work domains - When you log in for the first time, you will be asked to choose your work domain. The user interface is tailored to this selection and the services related to that domain are filtered for easy access. You can also change your domain selection at any time.
- Home page - A new home page is created where you can access common, persona-related services accompanied by walkthroughs and solution videos.
For more information, see Getting Started.
Observability for Site Mesh Group and DC Cluster Group
This feature enables users to see the enhanced sites topology connecting across different cloud providers (Site Mesh Group) and to check similar connections within a single data centre (DC Cluster Group).
Observability for L3-L4 DDoS
This feature gives users visibility into various L3-L4 monitoring dashboards. The dashboards include the following:
- Top talkers
- Events list and details
- Alerts list and detail
- Mitigations list
- Details and Annotations
- Graphs by - Network, Application, Zone and Mitigation.
Changes to Default Behavior
None.
Caveats
The following caveats apply:
- In the Client Classification section of HTTP Load Balancer’s Security Monitoring dashboard, the human requests count may show incorrect data.
- vK8s Role and Role Binding currently does not support user level K8s RBAC and is applicable only for vK8s workloads. vK8s Role and Role Binding are propagated to the K8s cluster and enforced at the K8s cluster only. Currently they are not enforced at the vK8s API server.
- In case of new user signup using the Single sign-on (SSO), after first time successful login, you may get an error screen with permission denied or 403 message. To resolve this, retry login after some time and a choice of plan selection is displayed. Upon completion of the signup flow, you will be able to login and start using the Console.
December 13, 2021
New Features
Node/Site Management
Enhanced Ability to Update HTTP Proxy After Registration
A new CLI command configure-http-proxy is introduced to update the HTTP proxy and distribute the update to all K8s nodes at the same time instead of doing it one by one. The command sends the updated information to SaaS and reloads the software with the new HTTP Proxy parameters.
Note: This action is the same as software upgrade. Therefore, rolling update for all software components is expected.
Create and Support Cluster on Multiple Certified Hardware
Creating and supporting cluster with multiple certified hardware options is introduced.
Mesh
Configuration knob for SNI Strict Check
The HTTP load balancer is updated with configuration option for enabling and disabling SNI strict checking.
Support Certificate Minting without Requiring Domain Delegation
This feature introduces automatic certificate management on load balancer without delegating a sub domain to F5 Distributed Cloud. When such a load balancer is created (with automatic certificate management enabled but domain not delegated to F5 Distributed Cloud), a CNAME record information is provided. This record is required to be created in the parent domain by the user. Certificate is minted once this CNAME record is added.
Support for Priority-Based Load Balancing Among Origin Pools
This feature introduces an option to specify priority among origin pools. When the highest priority origin pool is not available, either due to health check or due to discovery retracting the endpoint, the subsequent priority origin pool is used for handling requests. The priority-based switching of origin pool is pre-emptive. That is, when the highest priority origin pool is available, it is selected immediately for load balancing the requests.
Support configuring OCSP Stapling in HTTP Load Balancer
This feature enables the user to configure OCSP Stapling when using HTTPS proxy with custom certificates. The option to disable OCSP Stapling, enable OCSP Stapling with system configuration, or enable OCSP Stapling with custom order of Hash Algorithms is introduced.
Support Configuring AI Options Directly from HTTP Load Balancer
This feature enables the user to configure, for an HTTP load balancer, AI options like API discovery, malicious user detection, and DDoS detection directly from the HTTP load balancer form.
Replacement of Rule-Based WAF to Signature-Based Advanced WAF
This feature replaces the rules-based Web Application Firewall (WAF) with a more advanced application firewall that supports classification and detection for attacks that are based on signatures, provides bot protection, detects security violations, and also offers control of response traffic. The WAF also provides protection against threat campaigns, supports enabling/disabling false positive suppression, and allows masking sensitive data in request logs.
For more information on the new WAF, see WAF and Configure App Firewall.
Path URL Normalization
The HTTP load balancer is enhanced to normalize the Path URL according to RFC 3986. Additionally, slashes are merged when path URL normalization is enabled.
Path normalization is supported with an option to enable it for HTTP load balancer of type HTTPS proxy. In case of HTTP proxy, it is enabled by default.
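Why this matters for routes and policies that match on path, shown as an added example that is not F5 code: the function below applies RFC 3986 normalization (percent-encoding of unreserved characters, dot-segment removal) and then merges slashes, so that equivalent spellings of one path compare equal. The order of the steps, the sample paths, and the /admin prefix rule are assumptions made for the illustration.

```python
import re

UNRESERVED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def normalize_percent_encoding(path):
    """RFC 3986 6.2.2: decode unreserved octets, uppercase the other triplets."""
    def repl(match):
        ch = chr(int(match.group(1), 16))
        return ch if ch in UNRESERVED else "%" + match.group(1).upper()
    return PCT.sub(repl, path)


def remove_dot_segments(path):
    """RFC 3986 5.2.4, implemented with the input/output buffer algorithm."""
    inp, out = path, []
    while inp:
        if inp.startswith("../"):
            inp = inp[3:]
        elif inp.startswith("./"):
            inp = inp[2:]
        elif inp.startswith("/./"):
            inp = inp[2:]
        elif inp == "/.":
            inp = "/"
        elif inp.startswith("/../"):
            inp = inp[3:]
            if out:
                out.pop()
        elif inp == "/..":
            inp = "/"
            if out:
                out.pop()
        elif inp in (".", ".."):
            inp = ""
        else:
            # Move the first segment (with its leading "/") to the output.
            idx = inp.find("/", 1)
            if idx == -1:
                out.append(inp)
                inp = ""
            else:
                out.append(inp[:idx])
                inp = inp[idx:]
    return "".join(out)


def normalize_path(path, merge_slashes=True):
    path = normalize_percent_encoding(path)
    path = remove_dot_segments(path)
    if merge_slashes:
        path = re.sub(r"/{2,}", "/", path)
    return path


def under_prefix(path, prefix="/admin"):
    """Prefix rule as a route or policy might express it (hypothetical)."""
    return path == prefix or path.startswith(prefix + "/")


# Constructed request paths that all name the same resource.
SAMPLE_PATHS = [
    "/admin/users",
    "/app/%2e%2e/admin/users",
    "//admin/users",
    "/./admin//users",
    "/static/../admin/users",
]


def compare(paths=SAMPLE_PATHS):
    """Return (raw, normalized, rule hit on raw, rule hit on normalized)."""
    rows = []
    for raw in paths:
        norm = normalize_path(raw)
        rows.append((raw, norm, under_prefix(raw), under_prefix(norm)))
    return rows


if __name__ == "__main__":
    for row in compare():
        print(row)
```

A rule evaluated on the raw path matches only the first sample, while the same rule evaluated after normalization matches all five, which is the consistency the feature provides between matching and the origin's own path handling.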
Changes to Default Behavior
None.
Caveats
The following caveats apply:
- In the Client Classification section of HTTP Load Balancer’s Security Monitoring dashboard, the human requests count may show incorrect data.
- vK8s Role and Role Binding currently does not support user level K8s RBAC and is applicable only for vK8s workloads. vK8s Role and Role Binding are propagated to the K8s cluster and enforced at the K8s cluster only. Currently they are not enforced at the vK8s API server.
- In case of new user signup using the Single sign-on (SSO), after first time successful login, you may get an error screen with permission denied or 403 message. To resolve this, retry login after some time and a choice of plan selection is displayed. Upon completion of the signup flow, you will be able to login and start using the Console.
August 26, 2021
New Features
Mesh
SSL Renegotiation for Origin Pool
This feature enables SSL renegotiation by default in case of origin pools.
App Stack
Enhancement to Cluster Role and Role Binding Manifest
This release introduces support for adding the : character to the YAML format for the K8s cluster and cluster role binding manifests.
Changes to Default Behavior
None.
Caveats
The following caveats apply:
- AWS VPC site may operate as open recursive DNS resolver, conflicting with AWS Acceptable Use Policy (AUP).
- vK8s Role and Role Binding currently does not support user level K8s RBAC and is applicable only for vK8s workloads. vK8s Role and Role Binding are propagated to the K8s cluster and enforced at the K8s cluster only. Currently they are not enforced at the vK8s API server.
August 5, 2021
New Features
Node/Site Management
Support Licensing VMware Site with NVIDIA vGPU
This feature enables unlocking full GPU performance for a VMware site with licensing support. You can enable this by adding the VMware site to a fleet that has vGPU enabled in its advanced configuration section. Also ensure that you add the license server address and license type.
Mesh
Health Check Support for HTTPS-Enabled Origin Pool
This feature introduces support for health checks for origin pools enabled with HTTPS. The TLS configuration of the origin pool is used to make TLS connection with the upstream server for the periodic health check requests.
Monitoring for Site Networking
This release introduces Site Networking monitoring views. The dashboard view provides a summary view of site metrics divided into sections, and each section shows the Top 10 Sites for that metric. The following metrics are presented:
- Data Sent
- Data Received
- Tunnels by Latency
- Tunnels by Drop Rate
- Tunnels by Throughput
The dashboard also provides table view for data for the following:
- Data when data plane reachability < 75%
- Data when control plane status is down
- Data when tunnel health < 70 score.
Note: The view also shows the tunnel alerts in the dashboard.
App Stack
Support Custom storage class
This feature introduces a new storage device and storage class type called Custom, which allows inserting a K8s storageclass manifest. This gives the ability to enforce your own storageclass names or integrations with third-party storage.
Console
Notification Preferences for Users
This feature allows setting user notification preferences for the following notifications:
- Access Requests
- Product updates
- System Maintenance
You can select a notification to receive or deselect to disable receiving notifications for it. The notification preference setting is available in the General -> Personal Management -> My Account page.
Changes to Default Behavior
None.
Caveats
vK8s Role and Role Binding currently does not support user level K8s RBAC and is applicable only for vK8s workloads. vK8s Role and Role Binding are propagated to the K8s cluster and enforced at the K8s cluster only. Currently they are not enforced at the vK8s API server.
July 15, 2021
New Features
Node/Site Management
Ability to Specify Total Worker Nodes Irrespective of Availability Zones
This feature adds support for specifying the total number of worker nodes, irrespective of the availability zones in case of Azure sites.
Addition of Alternate Region for Azure Sites
This feature introduces support to use the following alternate regions for the Azure VNET sites:
- northcentralus
- koreacentral
- centralindia
- southindia
- australiacentral2
- australiacentral
- southafricanorth
- norwayeast
- swedencentral
- switzerlandnorth
- uaenorth
- uaecentral
- switzerlandwest
- norwaywest
- germanynorth
- francesouth
- canadaeast
- koreasouth
VMware Site Deployment Enhancements
The default certified hardware for VMware site is changed to simplify user experience. The updated certified hardware is called vmware-regular-nic-voltmesh. By default, it contains 2 virtual interfaces: eth0 (site local outside) and eth1 (regular interface). The eth1 interface is optional and can be configured only from the Console through the network interface object.
Mesh
Storing All Request Logs
This feature enables storing all request logs without any sampling on cold storage by default.
Handling of HTTP2 Coalescing
Client browsers may employ a performance optimisation known as connection coalescing. In case 2 virtual hosts with different domain names are hosted on the same IP address and present in the same TLS certificate, the HTTP/2 connection is reused between them when connection coalescing is used.
The system detects such a case and returns a 421 (Misdirected Request) error to the client browser. A client browser receiving a 421 (Misdirected Request) response may retry the request over a different connection.
Note: Handling of the 421 error is browser-specific. Not all client browsers handle this error code.
App Stack
Support NVIDIA Tesla T4 on VMware ESXi
This feature introduces support for NVIDIA Tesla T4 on App Stack on VMware ESXi on certified commodity hardware. When the fleet vGPU option is enabled, the Site switches its runtime to NVIDIA and can deploy vGPU workload applications.
Upgrade to k8s Version
This feature updated the Kubernetes main version support to 1.19.11. System automatically upgrades all sites to this version via the software upgrade.
Console
Credential Create API Expiration Field Update
The expiration option for the create and renew API for my credentials and service credentials is changed from expiration_timestamp to expiration_days. In case you are using the API to download the credential, ensure that you use the updated expiration field. See the Credentials guide for more information on using the credentials.
Note: This affects only users of the API and not the Console users.
Changes to Default Behavior
The expiration field for the create and renew APIs of my credentials and service credentials is changed from expiration timestamp to number of days. Use the updated field expiration_days for create and renew API requests.
Caveats
None
June 24, 2021
New Features
Node/Site Management
Support upgrading to a specific version
This feature allows specifying a particular software or operating system version during a site upgrade.
Note: You must obtain the correct version information before setting it for site upgrade.
Mesh
Deprecation of Virtual Host Object
The virtual host object creation is deprecated for most of the virtual host types except UDP and SMA proxy types.
Site Service Network Support
HTTP and TCP Load balancers can be configured to be advertised on vK8s network on F5 Distributed Cloud ADN. However, for TCP Load balancers, there is a limitation that no two TCP Load balancers can be advertised on the same port. Also, the HTTP and TCP Load balancers can only be advertised on the site local outside or site local inside networks of a customer site.
The site service network allows multiple TCP Load balancers to be advertised on the same port on vK8s network on the ADN. It also allows HTTP and TCP Load balancers to be advertised on vK8s network on customer site.
Console
Implicit Role for Tenant owner
An implicit system-assigned role, ves-io-tenant-owner-role, is added to all the tenant owners. All existing and new tenant owner users are assigned this role in the system namespace. The role is assigned internally for tenant owners and cannot be assigned to normal users. A tenant admin can go to General -> IAM -> Users and click ... -> Upgrade to Tenant Owner for a user to have this role added implicitly to the user.
Support SSO-based Signup for Free and Individual Accounts
This feature allows users to sign up for the Free or Individual plan using Single Sign-On (SSO). As part of the initial support, sign-in via Google is enabled. Users can use their existing Gmail/Google account credentials to authenticate when they choose SSO.
Changes to Default Behavior
None
Caveats
Routing to workload subnet in AWS site fails. The following is a workaround:
In case of AWS VPC Ingress-Egress Gateway and AWS TGW site, for the successful routing towards applications running in workload subnet, an inside static route to the workload subnet CIDR needs to be added on the respective site object.
June 3, 2021
New Features
Node/Site Management
Enable Site Local K8s API access for VoltStack Cluster Cloud Sites
This feature allows a tenant to enable site local K8s API access for AWS, Azure, and GCP VoltStack cluster cloud view sites.
This provides the same ability as a VoltStack site to link the K8s cluster on a cloud site and access the native K8s API server. See VoltStack Site for information on how to enable site local K8s API access for VoltStack site.
Mesh
Ability to Disable Advertisement of Services on Public Internet
This feature introduces the ability to disable advertisement on the public internet by default. This prevents unintended data leak to the public. Users are required to open a support ticket to use this feature.
Control Communication across Namespaces Using Implicit Namespace Label
This feature introduces implicit labels for namespaces. These labels can be used by administrators in service policies and network policies to control communication between namespaces.
Note: All objects in a namespace get the implicit label. This label cannot be modified by the user.
Inside and Outside VIP Enhancements for Multi-node Cloud Sites
This release introduces support for using AWS and Azure loadbalancer IP addresses as the Site-Local Outside (SLO) or Site-Local Inside (SLI) VIP addresses to reach the applications advertised using F5 Distributed Cloud load balancer on the multi-node sites.
In case of AWS sites, you are required to configure allowed VIP port configuration on multi-node AWS VPC site. This is to explicitly specify which ports are going to be used while configuring the F5 Distributed Cloud loadbalancer. After this is configured, you can use the AWS loadbalancer IP address as the SLO/SLI VIP. Also, using AWS loadbalancer frontend IP as the VIP to external K8s or Consul cluster is supported. This is when a discovery object with VIP publishing configuration is enabled on the AWS site.
In case of Azure sites, you can use Azure loadbalancer IP as the SLO/SLI VIP to reach applications advertised using F5 Distributed Cloud loadbalancer on Azure multi-node sites.
Changes to Default Behavior
None
Caveats
The UI does not support the option to update inside/outside VIP port configuration for AWS VPC Site. However, you can perform the updates in either of the following ways:
- Using terraform run custom API.
- Using the following vesctl command:
vesctl request rpc terraform_parameters.CustomActionAPI.Run --http-method POST --uri /public/namespaces/system/terraform/aws_vpc_site/<site-name>/run --json-data '{"namespace":"system","view_kind":"aws_vpc_site","view_name":"<site-name>","action":"APPLY"}'
May 13, 2021
New Features
Node/Site Management
Factory Reset Using Hardware Push Button on IGW
This feature adds support to do factory-reset on the IGW 5000 series using the hardware reset button. Press the button continuously for 5 seconds to trigger factory-reset.
App Stack
Nodes View for Managed K8s
This feature adds the Nodes tab to the monitoring of F5 Distributed Cloud's managed k8s cluster. This tab gives details about nodes in the cluster.
Managed K8s Monitoring Enhancements
This feature allows monitoring of the managed K8s cluster even when API access from Console is disallowed. This is done using metrics collected from the cluster, and the monitoring dashboards appear different compared to when API access is allowed. The K8s monitoring is shown as Monitor K8s cluster when API access from Console is allowed. It is shown as Monitor K8s cluster(with metrics) when API access from Console is disallowed.
Global Kubeconfig for Managed K8s
This feature allows downloading the Kubeconfig for the managed K8s cluster from the Console gateway. Log into Console, navigate to Sites -> Site List in the system namespace, and click ... -> Download Global Kubeconfig for your App Stack site enabled with managed K8s.
Console
F5® Application Traffic Insight on F5® Distributed Cloud Console
F5 Application Traffic Insight (ATI) is a real-time, high-precision device identifier that utilizes advanced signal collection and machine learning algorithms to assign a unique identifier to each device visiting your site. This feature introduces ATI on Distributed Cloud Console and associated monitoring to view various dashboards of devices visiting your site. For more information, see ATI.
Improvements in Subscription Plan Transition Workflow
This feature improves the transition between teams plan and organization plan by enhancing error handling. This is applicable while upgrading from teams to organization plan and vice versa.
Changes to Default Behavior
None
Caveats
None
April 22, 2021
New Features
Mesh
F5 Distributed Cloud Services Direct Connect Enhancement
F5 Distributed Cloud Services support enabling direct connectivity to the backbone network. This feature enhances the direct connect functionality by adding support to advertise and discover services. Advertising of services is supported using HTTP and TCP load balancers.
Active Alert Policies in Namespace
This feature simplifies configuration of active alert policies in a namespace. A new API on the namespace is added that takes a list of alert policies and makes them active in that namespace. Corresponding UI enhancement is also added.
Managed Certificate option for HTTP Connect & DRP proxy
With this feature, users can use TLS interception for HTTP Connect & DRP proxy without managing custom certificates. To use it, select the Volterra Managed Signing Certificate option in the downstream certificate configuration for TLS intercept configuration. After that, use the Download CA Certificate menu item for the HTTP Connect & DRP proxy to download the certificate and use it from browser and non-browser clients.
Simplified BGP Object Configuration
Configuring BGP object is simplified by removing invalid field combinations. The updated configuration form also allows the user to select interfaces per-peer instead of specifying a single list of interfaces for all peers.
Node/Site Management
Install CE with Specific Software Version
This feature adds support for specifying a specific software version and a specific operating system version when bringing up a Customer Edge (CE) site. For view based sites, the versions can be specified when creating the site or during registration approval. For other site types, the versions can be specified during registration approval.
Changes to Default Behavior
None
Caveats
None
April 01, 2021
New Features
Mesh
FQDN Support in Tunnel Configuration
This feature introduces using Fully Qualified Domain Name (FQDN) in case of establishing IPsec/SSL VPN connection to the Regional Edge Sites. A Site can be configured to use IPSec/SSL VPN with an option of going through a site proxy. This feature now allows server FQDN in site configuration in addition to IP address. This FQDN gets resolved to establish VPN connection.
In case of proxy configuration being used with OpenVPN tunnels, FQDN is sent in the HTTP Connect request to the configured proxy server. Proxy server is required to resolve the FQDN and relay the connection to the final destination server to establish OpenVPN tunnel.
Cluster Retraction
This feature allows configuring a fallback for the case where the endpoints behind a cluster are not healthy and the route points to multiple clusters as part of a weighted cluster configuration. In that case, the traffic is distributed only among the remaining clusters that have one or more healthy endpoints.
Load Balancing AWS Egress Traffic
This feature introduces load balancing of egress traffic to all the nodes in case of AWS Egress gateway site.
App Stack
Site Status in vK8s Pods View
vK8s monitoring is enhanced to show the site status in the Pods view. Site status is shown as colored dots in the Node name column. Healthy sites are shown in green, unhealthy sites are shown in red, and sites for which health information is not available are shown in grey.
Note: If node status is down, then pod status should be considered as unavailable even if it shows as available or running.
Changes to Default Behavior
None
Caveats
None
March 11, 2021
New Features
Node/Site Management
Monitoring GPU Status
Node monitoring is enhanced to display the GPU status in the node status dashboard view. GPU status shows information such as temperature, power, CPU utilization, throughput, etc. Find the GPU status by navigating to Sites -> Site List, click on your site to load its dashboard, select the Nodes tab, and click on the node for which you want to monitor GPU status.
Mesh
F5 Distributed Cloud Direct Connect
This feature allows tenants to have a direct connecting link to the REs. This enables the CE to RE connectivity to be on the direct private link instead of being in public.
Allow VIP Usage for DNS Resolution
This feature allows VIP address to be used as DNS server to resolve domain names configured in the load balancers. DNS queries can be sent to the VIP addresses configured on CE. The system software on the CE runs DNS server on the VIP addresses and resolves queries for domain names configured in the load balancers. It will also forward other requests to external DNS servers.
Server Response Header Manipulation for HTTP Load Balancer
Support for manipulating server token in the HTTP load balancer response headers is introduced. User can now configure the response header to do the following:
- Set a default value
- Set a specific value
- Append a server name if no server header is present
- Set to pass through if the server header is present
Malicious User Mitigation Enhancements
Malicious user detection and mitigation is enhanced in the HTTP load balancer monitoring. In the Security Monitoring view, the Malicious Users tab now allows an admin to view and act upon malicious users identified by a user-identification object, or by the source IP address in case a user identification object is not defined. The following monitoring functionalities are added:
- Malicious user security events
- Activity timeline for the identified user
- Activity that contributed to the current suspicion score
- Time series variation for the suspicion score
- Options to block or whitelist users
F5 Distributed Cloud Services use advanced machine learning techniques and analyze information to identify the malicious users. Analysis is performed on information such as WAF security events, forbidden access events, failed login attempts, and anomalous behavior.
Changes to Default Behavior
None
Caveats
None
February 18, 2021
New Features
Node/Site Management
Monitoring GPU Status
Node monitoring is enhanced to display the GPU status in the node status dashboard view. GPU status shows information such as temperature, power, CPU utilization, throughput, etc. Find the GPU status by navigating to Sites -> Site List, click on your site to load its dashboard, select the Nodes tab, and click on the node for which you want to monitor GPU status.
TGW Service Policy for East-West Traffic
The AWS Transit Gateway (TGW) site allows for attaching multiple VPCs and forwarding of traffic between VPCs. This feature introduces support for a service policy on the VPC-to-VPC traffic, or east-west traffic, which can be set in the security configuration section of the TGW configuration wizard. User can enable the east-west service policy in the Manage East-West Service Policy section and attach a service policy. The service policy can be created in the system namespace in the Security -> Firewall -> Service Policies page. It can also be created and attached from within the TGW configuration wizard.
Note: User can also enable east-west service policy with allowing all traffic to be sent via proxy.
Mesh
Policy Based Security Challenge
Support for enabling policy-based security challenges is introduced. User can now set a policy-based challenge in the load balancer configuration and specify whether to always enable a challenge or disable it, while also setting override rules for specific match conditions. Both JavaScript challenge and captcha challenge are supported. The matching parameters include IP, domain, path, header, query parameters, etc. These are similar to the parameters in service policy rules.
Note: The security challenge can be enabled in the advanced configuration section of HTTP load balancer configuration. See Configure Javascript Challenge for more information.
Server Response Header Manipulation for HTTP Load Balancer
Support for manipulating server token in the HTTP load balancer response headers is introduced. User can now configure the response header to do the following:
- Set a default value
- Set a specific value
- Append a server name if no server header is present
- Set to pass through if the server header is present
WAF Rule Exclusion for Security Events
Support to set WAF rules for exclusion in HTTP load balancer security events is introduced. User can now select security events and create an exception rule for them from the HTTP load balancer monitoring page in Console. Navigate to Virtual Hosts -> HTTP Load Balancers in your namespace and click on your load balancer. Select the Security Events tab and click ... -> Create Exception Rule for the security event entries for which you want to enable the WAF rule exception.
Note: Creating an exception rule for an event opens the HTTP load balancer configuration form with the WAF excluded rule added to the security configuration section. Click Save and Exit to update the configuration.
IP/User Blocking Rules for HTTP Load Balancer
Support for whitelisting or blocking specific clients for HTTP load balancer is introduced. The load balancer configuration is added with client blacklisting rules and trusted client rules sections. User can set to block or whitelist specific clients based on the IP addresses or AS numbers.
Route Options for TCP Load Balancer
TCP load balancer is enhanced to set load balancing schemes for the traffic to the origin servers. The schemes supported are round-robin, least active, random, and hash of source IP.
BGP Peering in Multiple Networks
This feature introduces ability to do BGP peering on multiple networks on a customer edge site. Networks could be site local, site local inside, or per site networks.
App Stack
Default Workload Flavor for vK8s
Support for setting default resource limits for vK8s containers is introduced using a default workload flavor object. User can now create a workload flavor object in the shared namespace at the Manage -> Workload Flavors page and attach it as a default limit in vK8s configuration. See Create Default Workload Flavor for more information.
Physical K8s Access for VoltStack Site
This feature gives ability to access customer edge (CE) K8s cluster through a kubeconfig file on the local network. Using this feature, user can deploy applications that can manage kubernetes workloads on the CE K8s cluster.
Changes to Default Behavior
None
Caveats
None
January 21, 2021
New Features
Node/Site Management
VoltStack Site Support
This release introduces support for creating Data Center (DC) or physical hardware edge sites using the VoltStack site object from Console.
Stream Logs to External Service
Support for streaming request logs to a syslog service is introduced. User can now create a log receiver object and attach it to the fleet of sites. The log receiver object can be created in Console in Manage -> Site Management -> Log Receivers.
Note: The host IP of the external service must be reachable from the Site.
AWS View Site Enhancements
The following enhancements are added to AWS VPC site and AWS TGW site:
- Configuring workload subnets
- Configuring worker nodes - Supported only for AWS VPC site
- Site admin state field is added in the Manage -> Site Management -> AWS VPC Sites page and also in the JSON view for the AWS VPC site object.
AWS TGW Site Monitoring Enhancements
The Sites -> Connectivity page view for the AWS TGW site is enhanced to represent the site with its transit gateway, tunnels, and attached VPCs. Also, the details view for the AWS TGW site is enhanced to show the information on tunnels to TGW. This information includes the data transfer, throughput, and BGP connection status.
USB Whitelisting with Fleet
Support for whitelisting USB devices from Fleet is introduced. Users can now create a USB policy to allow specific USB devices and apply the policy using Fleet.
Site Local UI Enhancement
Site local UI URL is enhanced to be more usable. User can now access site local UI using the https://volterra.local:65500 URL. For more information on using site local UI, see Site Local UI guide.
Mesh
Active Policies in Application Namespace
Support for adding active network and service policies in the application namespace is introduced. User can add active policies in the Security -> vK8s Network Policy -> Active Network Policies and Security -> Service Policy -> Active Service Policies pages.
App Stack
PVC Disk Usage
The virtual K8s (vK8s) dashboard and PVCs view are enhanced to display the disk usage of PVCs.
Changes to Default Behavior
None
Caveats
Deploying F5 Distributed Cloud Sites on the same broadcast domain/subnet with other F5 Distributed Cloud sites/devices enabled with VRRP is not supported. This will be supported in a future update.
December 17, 2020
New Features
Node/Site Management
Operating System Update
The OS is updated with CentOS release 7-9.2009 and kernel release 4.18.0-193.28.1.ves1.el7.x86_64
Proxy Support for VMware CE Site
Support for configuring HTTP Proxy for VMware CE site is introduced. During the initial configuration using CLI, user can set HTTP proxy. For more information on VMware site installation, see Create VMware Site. Download the latest image from the VMware Site Images page.
Site Monitoring Enhancements
- The tcpdump collection is improved for usability in the Tools tab of the site monitoring page. User can now start, fetch, and stop the tcpdump from a single page for a selected target.
- Traceroute utility is added to the Tools tab of the site monitoring page.
Note: Navigate to Sites -> Site List in the System namespace and click on any site to display its monitoring view. The dashboard tab is loaded by default.
Mesh
Fast ACL Updates
The following updates are made to Fast ACLs:
- Fast ACL set table list is removed from the Console
- Fast ACLs for Internet VIPs object is introduced. The Fast ACL objects can be directly added to this.
DNS Management Enhancements for Load Balancers
In addition to supporting the HTTPS load balancer, the F5 Distributed Cloud DNS management is extended to TCP and HTTP load balancers. With this, users can now delegate domain to F5 Distributed Cloud and use the domains in load balancer of type TCP and HTTP.
AppType Creation for Application Namespace
App Type object support is enhanced so that it can be created from within the App Settings object in the application namespace.
Service Discovery for Kubernetes Headless Service
The service discovery is enhanced to discover and route to headless K8s services without depending on K8s DNS.
Note: This requires Layer 3 routing to be established between the CE site and the K8s pods.
App Stack
vK8s Resource Enhancements
The virtual K8s (vK8s) is enhanced to configure daemonsets, cronjobs, and service accounts.
vK8s Deployment Quota Increment
The deployments per vK8s is increased to 25.
Isolation for vK8s Services Across Namespaces
Support for restricting communication between vK8s services belonging to different namespaces is introduced. User can enable namespace isolation in the vK8s configuration and override this behavior for specific services by setting the ves.io/serviceisolation annotation to false for that service.
Changes to Default Behavior
Cloud View Site Object Management Updates
The cloud sites created using the Manage -> Site Management page can now be edited and deleted only from the cloud site object menu and not from the Sites -> Site List menu. Navigate to Manage -> Site Management and click ... for your cloud site object to edit or delete the object; this in turn applies the operation on the sites.
November 25, 2020
New Features
Node/Site Management
Enhanced HA on SLI
Node mastership is now based on all configured VIPs across Site Local Outside (SLO) and Site Local Inside (SLI) interfaces.
Local UI Enhancements
Introduced status and tooling enhancements to the local UI dashboard of F5 Distributed Cloud Site.
Mesh
Automatic API Schema Generation
Introduced per API endpoint Swagger API schema documentation generation. This can be found under App Namespace -> Mesh -> Service Mesh -> API Endpoints -> Endpoints Details -> Swagger.
Active Service Policies for HTTP Load Balancers
Introduced the ability to define active service policies for a specific HTTP Load Balancer. You can choose one of the following service policy options for the load balancer:
- Set a default service policy
- Apply active service policies
- Disable the active service policy
IP Prefix & Prefix List Options for Forward Proxy Policy
Introduced ability to match destinations based on IP prefix and IP prefix lists under the custom rule list of the forward proxy policy.
BGP ASN and GeoIP Support for Forward Proxy Policy
Introduced ability to create a forward proxy policy matching on a specific BGP AS, ASN list, and GeoIP labels.
Forward Proxy Support for Global Networks
Introduced support for configuring forward proxy in the network connector when connecting Site Local Inside (SLI) to Global Network Type VNs.
App Stack
Enhanced vK8s Workload Dashboard
Enhancements are added to the vK8s workload dashboard under App Namespace -> Applications -> Virtual K8s -> Workloads.
Container Registries
Introduced the ability for users to configure private registries for their vK8s workloads.
Console
Flow Table Under Site Management
Introduced the ability for the user to view existing flows per node.
Sidebar Navigation Enhancements
Several enhancements are added to the UX of the sidebar in Console.
Tooling
Beta Release of Public Terraform Provider
Introduced beta support for F5 Distributed Cloud's public terraform provider. See Terraform Provider for more information.
Changes to Default Behavior
Change to Packaging and Management Providers
In case of a CE Site behind a firewall that is performing URL filtering, ensure that you update it with the latest domains listed in the Network Cloud Reference page.
November 5, 2020
New Features
Node/Site Management
Upgrade Guided Sites (AWS VPC/TGW, Azure & GCP) directly from Site List
Introduced support for users to directly upgrade site deployments via Site Management for AWS/Azure/GCP/TGW sites and also from the Site List page for sites.
GCP and Azure support for VoltStack Cluster Deployment Option
Enhanced the Site Management page for Azure VNET & GCP VPC to support a 3rd deployment option called VoltStack Cluster (One Interface).
Site Health Calculation Enhancements
Enhanced health score calculation to take Site Admin state into account.
Mesh
TLS interception support for HTTP Connect & DRP
Introduced support for TLS interception when configuring an HTTP Connect or DRP (Dynamic Reverse Proxy) virtual host.
Descriptions for Policy Rules
Introduced logging of the description field for the configured policy in the hit logs. The policies include service policy, forward proxy policy (simple and custom rule set), network policy, and secret policy.
AWS TGW - East - West Forward Proxy Support
When provisioning an AWS TGW Site, East-West traffic now supports forward proxy policies by default.
App Stack
vK8s Workload & Jobs View Enhancements
Enhanced the vK8s workload & Pods table view to include deployment name, running pods, total pods, total sites, sites with error, sites without pods, virtual site, upgrade, and actions.
vK8s Virtual Site Descriptions
During vK8s virtual site selection, the selection table now shows descriptions for the virtual sites (system or user created).
Console
Site Security Dashboard
Introduced the beta version of the site security dashboard. This view provides tenant and site level firewall events and logs. This is available at Sites -> Site Security.
API Endpoint Enhancements & Fixes
Enhanced UX and navigation of endpoint details in the API Endpoint page.
Notification Dashboard Enhancements
Enhanced Alerts and Audit Logs pages under the Notifications section.
Revoking API Certificates and Kubeconfig
Support for revoking API certificates and Kubeconfigs is introduced. In case of API certificates and Kubeconfigs created prior to this release, you might receive the "Client certificate is invalid or revoked" response for API requests. In such a case, create new certificates and download them for use.
F5 Distributed Cloud Services Hardware
ISV 8000 Series GA
The Industrial Server (ISV) 8000 is now Generally Available. The Industrial Server is a series of ruggedized edge computing devices providing hyper-converged compute, GPU, storage and networking. They are easy to deploy and operate systems capable of running learning, inference, containerized or legacy (VM) workloads—from manufacturing plants to retail stores and small branch offices. The Industrial Servers combine the capabilities of hyper-converged infrastructure (HCI) with a GPU for machine learning and robust connectivity (4G LTE/GPS/Wi-Fi/Bluetooth) in a single ruggedized device designed to meet the rigorous demands of edge and industrial environments. You can learn more about the Industrial Server from the data sheet here and the User Manual here.
Changes to Default Behavior
The System -> Security -> Advanced page is deprecated.
October 14, 2020
New Features
Node/Site Management
Enhanced Remote Tooling (show service status)
The user can now query service specific status on a Per Node basis from Console. System -> Site -> Tools -> Show services status
Default Fleet
During CE setup the user can now configure a default ves.io/fleet type. This is helpful in scenarios where CEs required a basic working configuration on CE registration (i.e., Local breakout).
AWS TGW Site
Console now supports the deployment of Sites and management of AWS TGW's. System -> Site Management -> AWS TGW Site.
GCP VPC Site
Console now supports the deployment and management of Sites in GCP. System -> Site Management -> GCP VPC Site.
Site Wizard Improvements
The Site Wizard Page has been improved for better UX, readability and error/status reporting.
Mesh
DDoS forensics and analysis
DDoS forensics and analysis for Load Balancers and Site (Forward Proxy): enhanced ability to perform forensics and analysis of configured HTTP & TCP Load Balancers and per-Site Forward Proxy.
Enhanced Alerting of DoS/DDoS
Enhanced DoS/DDoS alerting has been enabled using Time Series Analysis (TSA) of Request Rate, Response Throughput, Latency, and Error Rate anomalies.
HTTP/HTTPS on additional ports
This release has added additional HTTP & HTTPS ports to be advertised on F5 Distributed Cloud's REs (Public Network). Supported HTTP ports are 80 8080 8880 2052 2082 2086 2095 25565. Supported HTTPS ports are 443 2053 2083 2087 2096 8443 25565.
Forward Proxy in Denied Rules Hit
The site dashboard Denied Rules tile now includes Forward Proxy as an option, in addition to Service & Network Policy.
App Stack
VoltStack DC Cluster
Guided Configuration for F5 Distributed Cloud DC Cluster - This feature brings in vK8s application deployment workflow to ease deploying applications on F5 Distributed Cloud Services platform. The interface given caters to the developers, provides application level interface and hides some of the underlying infrastructure related tasks.
Storage
Storage Device Support - This feature brings support for Dell EMC Isilon F800 & HPE Nimbus Storage AF40. This is configured in the Fleet object under Storage Configuration.
Simplified Workload Deployments on vk8s
Simplified Workload Deployments on vk8s - This feature brings in vk8s application deployment workflow to ease deploying applications on F5 Distributed Cloud Services platform. The interface given caters to the developers, provides application level interface and hides some of the underlying infrastructure related tasks.
F5 Distributed Cloud Services Hardware
NVIDIA GPU support on ISV 8000 Series - Updated the ISV Certified Hardware Profiles to download to support NVIDIA GPUs.
Console
New User Type: Debug User
There is a new user type called "Debug User". This allows the tenant admin to provide the F5 Distributed Cloud Support team access to the tenant to enhance troubleshooting.
New Alert Receivers (SMS/Email)
Email and SMS are supported receivers under Alert Management.
Enhanced Connection Log Views
The connection log page has been enhanced to render the data in a more user friendly format.
Upcoming Changes to Default Behavior
In the planned November release, the System -> Security -> Advanced will be deprecated.
Caveats
In case of node hardware, the USB device whitelisting is enabled by default. Connecting a new device after registration of the node does not work.
Note: You can see the USB devices by navigating to your site dashboard via the Sites -> Site List path. Open the Nodes tab and click on a node to open its dashboard view. Click the Hardware Information tab to see the USB devices list.
September 24, 2020
New Features
Node/Site Management
Per Node Tooling from Site Dashboard
The site dashboard in Console allows additional troubleshooting and status commands to be executed remotely.
Fleet Configuration Enhancements
Fleet Configuration and related objects (Network Interface, Virtual Networks, Network Connectors, Network Firewall, Network and Forward Policies) can be initially configured during Fleet creation. This is configured under System -> Site Management -> Fleets.
For information on fleet configuration, see Create Fleet.
Mesh
Fast ACL Configuration Enhancements
Guided form is introduced to enable easier configuration of fast ACLs. See Fast ACLs for configuration instructions.
Hub Group Only Mesh
For smaller deployments, it is desired to configure site-to-site mesh groups without a hub & spoke model. This release introduces the ability to configure a mesh with a hub group only.
HTTP Connect & Dynamic Reverse Proxy Wizard
Guided forms are introduced to enable easier configuration of HTTP Connect & Dynamic Reverse Proxy under <Namespace> -> Manage -> Load Balancer.
App Stack
vK8s Dashboard
The vK8s dashboard is updated for a better user experience and an end-to-end view of pod deployments, statistics, and health.
F5 Distributed Cloud Services Hardware
IGW 5000 Series
General Availability (GA) Support for the Industrial Gateway 5008 & 5508 series is introduced.
Console
Site List & Connectivity Enhancements
Updates are made to the default System -> Sites -> Site List page to provide clear views of per site data. Connectivity topologies are now arranged based on site longitude/latitude and no longer based on alphabetical order.
App Traffic Enhancements in App Namespaces
Optimizations are delivered to the app traffic graph views under <Namespace> -> Sites -> App Traffic.
General Tab Updates
Updates are introduced to the General tab and layout for simplified UX for Billing, Support, IAM, and Personal Management.
Tenant Settings
A new section called Tenant Settings is added. The tenant settings section provides an overview of tenant information such as tenant ID, domain and company name. System-wide IAM credentials can be configured here.
Billing Enhancements
Updates are introduced to billing reports, usage details, and billing settings. These include options to request changes to existing plans and viewing existing tenant wide quotas.
Support
Updates to the escalation processes are added to team and organizational plans.
Changes to Default Behavior
The default time interval for the App Firewall Dashboard is changed to 12 hours from 5 minutes.
Caveats
- When you reboot the active master node of a multi-node site from the Console, wait until the reboot is completed before attempting to reboot other nodes.
August 13, 2020
New Features
Node/Site Management
Site Deployment Wizards
In this release, we've introduced a simplified Site Deployment Wizard. Initial Cloud Providers include AWS and Azure.
Site Local UI and F5 Distributed Cloud CLI Enhancements
The Site Local UI Dashboard is introduced at https://<volterranode-ip>:65500. Various debugging enhancements are added to the F5 Distributed Cloud Admin CLI.
F5 Distributed Cloud CLI for Cloud Instances
Cloud instances for Node now support the F5 Distributed Cloud CLI for enhanced debugging. Users can access it using the SSH key used in the deployment of the cloud instance.
Enhanced Site Monitoring
This feature enhances the existing site monitoring pages in the Site Dashboard. Enhancements include per node health, metrics (CPU/Memory), DHCP Server (Client Leases, Hostnames, IPs, etc.), per interface metrics, etc.
Multi-Node Master Node Replacement Support
Support for replacing a master node in a multi-node cluster configuration. Details can be found here.
Mesh - Virtual Hosts - Load Balancers
Default Pages Error Pages for JS Challenge, Captcha and Errors
Added default pages for all VIPs configured using an HTTP Load Balancer or advanced Virtual Host configurations.
Mesh - Delegated Domains
Delegated Domain - Enhancements
We now support native integration with LetsEncrypt for those customers who don't want to BYOC and want a secure app experience. This is available as part of the Virtual Host -> HTTP Load Balancer configuration. Provided enhancements in the Domains Verification setup and post-verification displays.
Delegated Domain - DNSSEC
We now support DNSSEC for Delegated Domains. More information here.
App Stack - vK8s
vK8s Auditability
This enables audit logs for Create/Update operations on K8s objects (e.g., deployment, service, etc.) in vK8s.
Console
UI/UX Enhancements
Console sidebar and overall navigation have been augmented to enhance the UX and to simplify NetOps, DevOps, SecOps and Developer workflows.
2FA Authentication
This feature allows customers to enable 2FA Authentication for freemium tenants and tenants who use F5 Distributed Cloud Services for Authentication. This does not apply to tenants that use SSO Authentication.
Okta SSO support
This release introduces tenant SSO support for Okta.
July 23, 2020
New Features
vK8s PVC Storage on Regional Edges
For Regional Edge sites, the F5 Distributed Cloud Services ADN now supports Persistent Volume Claims (PVC) for vK8s pods.
Ability to Select a List of Sites for vK8s Objects
This feature provides the ability to select a list of sites (using the ves-io/sites: site1,site2 annotation) for vK8s objects. This is an enhancement to the current ability to select a list of virtual sites (using the ves.io/virtual-sites: vsite1,vsite2 annotation).
See vK8s Resource Management for more details.
Audit Logs for Operations on K8s Objects in vK8s
This feature enables audit logs for the Create/Update operations on K8s objects (such as deployment, service, etc.) in vK8s.
Ability to Test Alert Notifications
This feature enables users to test alert notifications to an alert receiver. Once an alert receiver is created, a verify API on the alert receiver will generate a test alert to that receiver.
API User/Client Rate Limiting
This feature introduces the support for rate limiting the number of API requests per user over a time period. Rate limiting per user is based on the user identification configured on the rate limiter object. For more information, see Configure Rate Limiting.
Support TLS Fingerprinting in Service Policy Rules
This feature introduces support for configuring a service policy rule that matches a TLS fingerprint and applies an action. Actions are deny and rate-limit. For more information, see Configure TLS Fingerprinting.
Two Factor Authentication (2FA) VoltConsole Support
This feature introduces support for enabling 2FA for all plans for customers who use F5 Distributed Cloud Services for authentication. This does not apply to tenants that use SSO for authentication.
API Tokens for F5 Distributed Cloud Services APIs
This feature introduces support for API tokens to be used with APIs. This is in addition to the already supported API certificates. For more information, see Obtain Credentials.
Delegate Domains to F5 Distributed Cloud Services
This feature introduces support for delegation of domains to F5 Distributed Cloud Services for DNS management. When a domain is delegated to F5 Distributed Cloud Services, all subsequent HTTP load balancer names created will result in the proper DNS resource records being created. For more information, see Delegate Domains.
HTTPS Load Balancer Automatic SSL certificate Creation for Delegated Domains
This feature introduces support for automatic TLS certificate minting and verification for an HTTPS load balancer, provided a DNS domain is delegated to F5® Distributed Cloud Services. For more information, see Create HTTP Load Balancer.
Support for GCP
This feature introduces support for site deployment in GCP using the Node GCP images.
CentOS Support for VMware Images
Node CentOS support is introduced on VMware ESXi hypervisors.
June 9, 2020
New Features
Verify Domain Ownership in the Bring Your Own Certificate (BYOC)
F5 Distributed Cloud Services will confirm domain ownership by verifying the domain in the virtual-host field matches that in the TLS certificates. If there is no match, the configuration is rejected.
Enable Wizard Forms for Alert Notifications
This feature presents simplified configuration views for alert notifications.
F5 Distributed Cloud Site on MiniKube, EKS, and AKS
This feature introduces the ability to deploy a Node on MiniKube, EKS, and AKS for site creation and use in a Console tenant.
vK8s: K8s Pod Delete
This feature introduces support for pod deletion in vK8s and is supported using kubectl.
Support API Token
In addition to certificates, this introduces support for API tokens for 3rd party/external APIs to access Console services.
Caveats & Changes to Default Behavior
Implicitly denying traffic is now the system default behavior from the moment a network policy is configured. Prior to R1.2, the behavior was an implicit allow. If you have an existing network policy set with no explicit rule to allow the ingress or egress traffic, that traffic will be dropped.