Changelogs

The Assisted Deployment option is removed from the user interface for all cloud site types AWS VPC Site, Azure VNET Site, GCP VPC Site, and AWS TGW Site. In case of trying to create a site with Assisted Deployment mode via API, an error is returned.

Note: Existing sites can continue using the site in assisted mode.

Support for longer idle timeout (up to 60 minutes) in HTTP load balancer for specific application is introduced for specific application use cases. The number of such load balancers is limited based on the http_loadbalancer.large_idle_timeout value.

Public certificates are switched from current provider to a new provider. The existing vK8s & managed K8s kubeconfig will stop working. Users with existing kubeconfig are required to download a new copy for the credentials.

This release introduces the F5 Distributed Cloud(XC) Standalone Bot Defense service with iApp Connector(v3.0.2) for BIG-IP. For more information, see Bot Defense.

Support for configuring site mesh group for public cloud sites is introduced. Supported site types are AWS VPC Site, Azure VNET Site, and GCP VPC Site.

This release introduces HTTP header as Allow list(Trusted Client Rules) to skip Bot Defense, WAF, or Both. For more information, see Bot Defense.

Support for multiple tunnels between the F5 distributed cloud Sites is introduced. Up to three tunnels will be setup between the Sites, if the Sites have more than one master node. A single-node Site will be set up with a single tunnel.

Support for configuration of Site Mesh Group for K8s Site is introduced. Multiple tunnels (up to three) will be setup between the Sites, if the Sites have more than one master node. A single-node Site will be set up with a single tunnel.

Support for configuration of Site Mesh Group for K8s Site on OpenShift platform is introduced. Multiple tunnels (up to three) will be setup between the Sites, if the Sites have more than one master node. A single-node Site will be set up with a single tunnel.

In addition to blocking users based on the IP Addresses, more granularity is enabled by introducing the following identifiers in the user identification rule:

• TLS fingerprint
• Client IP + TLS fingerprint
• Client IP + HTTP header value

Support for doing factory reset for ISV boards with revision R0D and above is introduced.

This feature introduces multi ETCD and multi VER pods on multi-node K8s cluster and adds support for various debug tools in the Tools section in site dashboard and metrics for the Kubernetes Site.

It is now supported to run VMs on managed K8s Sites (physical K8s/App Stack Sites). Use the virtctl binary to interact with the VM to perform functions such as start, stop, pause, etc.

F5 load balancer will not match the SNI if single HTTPS load balancer is advertised on a given VIP:Port. It always offers certificate programmed on the HTTPS load balancer ignoring the SNI. If additional HTTPS load balancers are advertised on this VIP:Port, then SNI match becomes mandatory and requests without server name extension are rejected.

This release introduces support to set a response code to be returned when an incoming request is blocked due to WAF security violation.

This feature introduces support for connecting Cloud Sites using DC cluster group.

Note: This requires Layer 3 connectivity between the Cloud Sites.

This feature adds support to enable IP reputation per HTTP load balancer.

F5 Distributed Cloud Services will switch public certificates from current provider to a new provider in the release of May 10, 2022. The existing vK8s & managed K8s kubeconfig will stop working after the release of May 10, 2022. Users with existing kubeconfig are required to download a new copy which will include both old and new CAs. This will ensure that the kubeconfig continues to work when switching to new provider.

This feature introduces support to enable mutating webhook configuration for the F5 Distributed Cloud Sites.

The API rate limit rules are introduced in two categories. The first category includes the rules defined in API server and base URL level. In the second category, more granular rules such as per API path and methods can be configured. Each rule is composed of match conditions (domain, base path, API endpoint, and methods), allowed rate (requests per given duration), and user identifier. Requests matching the configured conditions are counted per defined user identifier.

Note: Only first match is counted per each category.

Configuring header matcher to allow/deny traffic to an origin pool based on the incoming traffic header is introduced for HTTP load balancer. Multiple rules can be configured in this header matcher.

The following functionalities are introduced in case of deletion of secret policies:

• Secret policy soft-delete and recover facility added
• A custom list API is introduced for listing secret policies based on their state such as active or deleted
• UI is introduced with soft-delete in place of default crud delete
• UI is enabled with facility to recover the soft-deleted policy

This feature adds support to match on header in simple route, redirect route, and direct response route in case of HTTP load balancer.

Connection Coalescing also known as Connection Reuse is a mechanism to reuse same HTTP/2 connection for new requests. To support coalescing requests across load balancers, multiple load balancers configuration is merged to a single one when the load balancers have same certificate configured. If mTLS is configured, then this merging of load balancer configuration is not done. This means 421 (misdirected request) is returned by the load balancer. The browsers are expected to initiate new connection on receipt of 421. The other exceptions for not merging load balancer configurations are when they have different configurations for the following features.

• Path Normalization
• Server Header

This release introduces External Service Object which can be used to deploy F5 Big IP VE EC2 instance in the services VPC of an already deployed AWS TGW Site. The External Service object deploys F5 BIG-IP VE and sets up bootstrap configuration needed for the service instance to become functional. The AWS TGW Site acts as external network load balancer and distributes the traffic to F5 BIG-IP nodes. Traffic may be East-West (originating from apps running on spoke) or North-South (originating from Internet).

Note: This feature requires users to manage virtual server and security policy configuration on F5 BIG-IP.

This feature allows accessing Prometheus API on local K8s API endpoint on route/prometheus. You can integrate with this endpoint to receive node and kube-state-metrics monitoring.

The Kubernetes main version 1.21.x support is introduced. It automatically upgrades all sites to this version via software upgrade.

The sidebar entry for Network Policy under shared and system namespaces is renamed to vK8s Network Policy and Firewall Policy respectively.

Note: The vK8s Network Policy is supported only under application and shared namespaces. The Firewall Policy is supported only under the system namespace.

The Console is updated to show recently visited service links. Up to four recently visited services links are shown in the Select Service drop-down to simplify navigation between services. Also, the All Services links are removed.

This release introduces enhancements in configuring exclusion rules for the WAF.

A CRL object can be created that configures HTTP server information reachable from site local network of a site. HTTP loadbalancer can refer to this CRL object whenever client certificate needs to be verified against a revocation list provided by the server. CRL file will be downloaded periodically and applied.

This feature updated the K8s and vK8s main version support to 1.21. System automatically upgrades all sites to this version via the software upgrade.

This release introduces a new page for the Managed K8s. The overview page is located at the Managed K8s > Overview option in the Cloud and Edge Sites service in the Console.

This feature allows to insert custom tags/labels in the Console for all auto-provisioned Sites. It also automatically add tags ves-io-creator-id with value of creator (for example, user1@f5.com) and ves-io-site-name with value of name. In case of GCP, this feature stripes at-sign suffix and replace dots by underscores. For example, the creator value p.user1@f5.com is converted to ves-io-creator-id: p_user1.

With this feature, user can add {{request_id}} placeholder in the custom blocking page to include the request identifier from the WAF security event.

This release introduces the service policy rule based on IP reputation. The rule can allow or deny traffic based on IP score and/or IP Threat categories.

This release introduces Malicious User Mitigation settings for HTTP Load Balancers. User can customize the settings to have corresponding actions for threat-levels LOW, MEDIUM, and HIGH. The supported actions are Javascript Challenge, Captcha Challenge, and Block Temporarily.

This release introduces updates to product terminology in all resources of F5 Distributed Cloud Services, including updated UX for Console users. F5® Distributed Cloud Services denotes set of distributed cloud services/products such as the following.

• F5® Distributed Cloud Mesh (Mesh)
• F5® Distributed Cloud App Stack (App Stack)
• F5® Distributed Cloud Console (Console)

Note: This list does not show all names of services/products. See About F5 Distributed Cloud and Services for more information on products and services.

VMware OVF property to set admin password on deployment is introduced. It can be set from OVA form during provisioning and allows to fully automate deployment via terraform.

AWS introduced CoreDNS as an add-on for EKS clusters. When CoreDNS is an add-on, it resets any changes done to the Configmap of CoreDNS. This causes DNS Delegation to fail. Therefore, CoreDNS add-on is disabled while keeping CoreDNS service active.

Note: If CoreDNS add-on is deleted without the preserve flag, it will remove CoreDNS service itself. If a service discovery object is already present, then do one of the following: Execute the eksctl delete addon --cluster <cluster-name> --name coredns --preserve --region <region-name> command. Delete and re-create the discovery object. Restart the VER service from the Tools tab of the site monitoring page. Go to Sites -> Site List and click on your site to view the site monitoring page.

Some user management APIs exposed in earlier versions of software are now removed as they are no longer supported.

For example, instead of the https://www.volterra.io/docs/api/user#operation/ves.io.schema.user.API.Create API, use the https://www.volterra.io/docs/api/user#operation/ves.io.schema.user.CustomAPI.Create Custom API.

The following list of APIs are removed:

• https://www.volterra.io/docs/api/user#operation/ves.io.schema.user.API.Create
• https://www.volterra.io/docs/api/user#operation/ves.io.schema.user.API.Replace
• https://www.volterra.io/docs/api/user#operation/ves.io.schema.user.API.List
• https://www.volterra.io/docs/api/user#operation/ves.io.schema.user.API.Get

Note: Clients using the above APIs are required to use equivalent custom APIs for these operations. See API for more information.

This feature allows users to configure alert policies with different alert labels as custom matchers and can configure receivers to send or block notifications based on matched alert labels.

This release introduces the Advanced AddOn Bot Defense feature for HTTP Load Balancers. For more information, see Bot Defense.

This feature introduces support for defining and enforcing API for application using its swagger files. After uploading application swagger files, you can create API definition which includes paths and methods from the swagger files. The API definition includes default API groups, all operations, and base URL. You can refer to the API definition and apply custom service policy in HTTP load balancer to allow/deny access to specific API groups. You can also tag operations in swagger by specific custom tag (x-volterra-api-group). In this case, API definition builds multiple groups and allows higher granularity in policy rules.

This feature introduces ability to upload and download Open API Specification files. You can upload a swagger file via the Console in JSON or YAML format. The content is checked if it is a valid v2/v3 swagger. Each file version gets a unique URL in F5 Distributed Cloud Services and can be referred by other configuration objects such as API Definition. The user can list and download files in his tenant and required/accessible namespace.

Managed K8s API server accesscontrol is now enhanced to permit CRUD operations to manipulate ClusterRoles and ClusteRoleBindings. This can be enabled as advanced option on K8s Cluster configuration.

Console is enhanced with a new user experience. The primary navigation elements have been updated and the interface can be tailored to match any level of expertise. The new experience makes it easier for various teams to focus on tasks related to their respective roles. The following are the highlights of the new experience:

• Services - services are arranged into logical groups of tasks and functionalities that improve focus while making it easier to find and switch between services.
• Work domains - When you log in for the first time, you will be asked to choose your work domain. The user interface is tailored to this selection and the services related to that domain are filtered for easy access. You can also change your domain selection at any time.
• Home page - A new home page is created where you can access common, persona-related services accompanied by walkthroughs and solution videos.

For more information, see Getting Started.

This feature enables user to see enhanced sites topology connecting across different cloud providers (Site Mesh Group) and to check similar connection within a single data centre (DC Cluster Group).

This feature enables user to have visibility into various L3-L4 monitoring Dashboards. The dashboards include the following:

• Top talkers
• Events list and details
• Alerts list and detail
• Mitigations list
• Details and Annotations
• Graphs by - Network, Application, Zone and Mitigation.

New CLI command configure-http-proxy is introduced to update HTTP proxy and distribute the update to all K8s nodes at the same time instead of doing it one by one. The command sends the updated information to SaaS and reloads the software with new HTTP Proxy parameters.

Note: This action is the same as software upgrade. Therefore, rolling update for all software components is expected.

Creating and supporting cluster with multiple certified hardware options is introduced.

The HTTP load balancer is updated with configuration option for enabling and disabling SNI strict checking.

This feature introduces automatic certificate management on load balancer without delegating a sub domain to F5 Distributed Cloud. When such a load balancer is created (with automatic certificate management enabled but domain not delegated to F5 Distributed Cloud), a CNAME record information is provided. This record is required to be created in the parent domain by the user. Certificate is minted once this CNAME record is added.

This feature introduces option to specify priority among origin pools. When the highest priority origin pool is not available either due to health check or due to discovery of retracting the endpoint, subsequent priority origin pool is used for handling requests. The priority-based switching of origin pool is pre-emptive. That is, when the highest priority origin pool is available, it is selected immediately for load balancing the requests.

This feature enables user to configure OCSP Stapling when using HTTPS proxy with custom certificates. The option to disable OSCP Stapling, enable OCSP Stapling with system configuration, or enable OCSP Stapling with custom order of Hash Algorithms is introduced.

This feature enables the user to configure, for an HTTP load balancer, AI options like API discovery, malicious user detection and ddos detection directly from the HTTP load balancer form.

This feature replaces the rules-based Web Application Firewall (WAF) with a much advanced application firewall that supports classification and detection for attacks that are based on signatures, provides bot protection, detects security violations, and also offers controlling response traffic. The WAF also provides protection against threat campaigns, supports enabling/disabling false positive suppression, and allows to mask sensitive data in request logs.

For more information on the new WAF, see WAF and Configure App Firewall.

HTTP load balancer is enhanced to normalize the Path URL according to RFC 3986. Additionally, the slashed is merged when path URL normalization is enabled.

Path normalization is supported with an option to enable it for HTTP load balancer of type HTTPS proxy. In case of HTTP proxy, it is enabled by default.

This features enables SSL renegotiation by default in case of origin pools.

This release introduces support for adding the : character to the YAML format for the K8s cluster and cluster role binding manifests.

This features enables unlocking full GPU performance for a VMware site with licensing support. You can enable this by adding VMware site to a fleet that has vGPU enabled in its advanced configuration section. Also ensure that you add license server address and license type.

This feature introduces support for health checks for origin pools enabled with HTTPS. The TLS configuration of the origin pool is used to make TLS connection with the upstream server for the periodic health check requests.

This release introduces Site Networking monitoring views. The dashboard view provides a summary view of site metrics dividied into sections and each section shows Top 10 Sites for that metric. The following metrics are presented:

• Data Sent
• Data Received
• Tunnels by Latency
• Tunnels by Drop Rate
• Tunnels by Throughput

The dashboard also provides table view for data for the following:

• Data when data plane reachability < 75%
• Data when control plane status is down
• Data when tunnel health < 70 score.

Note: The view also shows the tunnel alerts in the dashboard.

This feature introduces new storage device and storage class type called Custom, which allows to insert K8s storageclass manifest. This gives ability to enforce own storageclass names or integrations with 3rd party storages.

This features allows to set user notification preferences for the following notifications:

• Access Requests
• Product updates
• System Maintenance

You can select a notification to receive or deselect to disable receiving notifications for it. The notification preference setting is available in the General -> Personal Management -> My Account page.

This feature adds support for specifying total number of work nodes, irrespective of the availability zones in case of Azure sites.

This feature introduces support to use the following alternate regions for the Azure VNET sites:

• northcentralus
• koreacentral
• centralindia
• southindia
• australiacentral2
• australiacentral
• southafricanorth
• norwayeast
• swedencentral
• switzerlandnorth
• uaenorth
• uaecentral
• switzerlandwest
• norwaywest
• germanynorth
• francesouth
• canadaeast
• koreasouth

The default certified hardware for VMware site is changed to simplify user experience. The updated certified hardware is called as vmware-regular-nic-voltmesh. This contains by default 2 virtual interfaces eth0 (site local outside) and eth1 (regular interface). The eth1 is optional interface, and can be configured only from Console through the network interface object.

This feature enabled storing all request logs without any sampling on cold storage by default.

Client browsers may employ a performance optimisation known as connection coalescing. In case 2 virtual hosts with different domain names are hosted on the same IP address and present in the same TLS certificate, the HTTP/2 connection is reused between them when connection coalescing is used.

System detects such case and returns 421(Misdirected request) error to the client browser. Client browser receiving a 421 (Misdirected Request) response may retry the request over a different connection.

Note: Handling of 421 error is browser-specific. Not all client browsers handle this error code.

This feature introduces support for NVIDIA Tesla T4 on App Stack on VMware ESXi on certified commodity hardware. By enabling fleet vGPU option, The Site switches runtime to NVIDIA and can deploy vGPU workload applications.

This feature updated the Kubernetes main version support to 1.19.11. System automatically upgrades all sites to this version via the software upgrade.

The expiration option for create and renew API for my credentials and service credentials is changed from expiration_timestamp to expiration_days. In case you are using API to download the credential, ensure that you use the updated expiration field. See Credentials guide for more information on using the credentials.

Note: This effects only users of the API and not the Console users.

This feature allows specifying a particular software or operating system version during a site upgrade.

Note: You must obtain the correct version information before setting it for site upgrade.

The virtual host object creation is deprecated for most of the virtual host types except UDP and SMA proxy types.

HTTP and TCP Load balancers can be configured to be advertised on vK8s network on F5 Distributed Cloud ADN. However, for TCP Load balancers, there is a limitation that no two TCP Load balancers can be advertised on the same port. Also, the HTTP and TCP Load balancers can only be advertised on the site local outside or site local inside networks of a customer site.

The site service network allows multiple TCP Load balancers to be advertised on the same port on vK8s network on the ADN. It also allows HTTP and TCP Load balancers to be advertised on vK8s network on customer site.

An implicit system assigned role ves-io-tenant-owner-role is added to all the tenant owners. All existing and new tenant owner users will be assigned with this role in the system namespace. This is internally assigned for tenant owners and cannot be assigned to normal users. A tenant admin can go to General -> IAM -> Users and click ... -> Upgrade to Tenant Owner for a user to get this role added implicitly to the user.

This features allows users to signup for Free or Individual plan using Single Sign-On (SSO). As part of the initial support, sign in via Google is enabled. Users can use their existing Gmail/Google account credentials to authenticate when they choose SSO.

This feature allows tenant to enable site local K8s API access for AWS, Azure, and GCP VoltStack cluster cloud view sites.

This provides same ability as VoltStack site to link K8s cluster on cloud site and access native K8s API server. See VoltStack Site for information on how to enable site local K8s API access for VoltStack site.

This feature introduces the ability to disable advertisement on the public internet by default. This prevents unintended data leak to the public. Users are required to open a support ticket to use this feature.

This feature introduces implicit labels for namespaces. These labels can be used by administrators in service policies and network policies to control communication between namespaces.

Note: All objects in a namespace get the implicit label. This label cannot be modified by the user.

This release introduces support for using AWS and Azure loadbalancer IP addresses as the Site-Local Outside (SLO) or Site-Local Inside (SLI) VIP addresses to reach the applications advertised using F5 Distributed Cloud load balancer on the multi-node sites.

In case of AWS sites, you are required to configure allowed VIP port configuration on multi-node AWS VPC site. This is to explicitly specify which ports are going to be used while configuring the F5 Distributed Cloud loadbalancer. After this is configured, you can use the AWS loadbalancer IP address as the SLO/SLI VIP. Also, using AWS loadbalancer frontend IP as the VIP to external K8s or Consul cluster is supported. This is when a discovery object with VIP publishing configuration is enabled on the AWS site.

In case of Azure sites, you can use Azure loadbalancer IP as the SLO/SLI VIP to reach applications advertised using F5 Distributed Cloud loadbalancer on Azure multi-node sites.

This feature adds support to do factory-reset on the IGW 5000 series using the hardware reset button. Press the button continuously for 5 seconds to trigger factory-reset.

This feature adds Nodes tab to the monitoring of F5 Distributed Cloud's managed k8s cluster. This tab will give details about nodes in the cluster.

This feature allows monitoring of the managed K8s cluster even when API access from Console is disallowed. This is done using metrics collected from the cluster and the monitoring dashboards appear different compared to when API access is allowed. The K8s monitoring is shown as Monitor K8s cluster when API access from Console is allowed. It is shown as Monitor K8s cluster(with metrics) when API access from Console is disallowed.

This feature allows to download Kubeconfig for a the managed K8s cluster from Console gateway. Log into Console, navigate to Sites -> Site List in the system namespace, and click ... -> Download Global Kubeconfig for your App Stack site enabled with managed K8s.

F5 Application Traffic Insight (ATI) is a real-time, high-precision device identifier that utilizes advanced signal collection and machine learning algorithms to assign a unique identifier to each device visiting your site. This feature introduces ATI on Distributed Cloud Console and associated monitoring to view various dashboards of devices visiting your site. For more information, see ATI.

This feature improves the transition between teams plan and organization plan by enhancing error handling. This is applicable while upgrading from teams to organization plan and vice versa.

F5 Distributed Cloud Services support enabling direct connectivity to the backbone network. This feature enhances the direct connect functionality by adding support to advertise and discover services. Advertising of services is supported using HTTP and TCP load balancers.

This feature simplifies configuration of active alert polices in a namespace. A new API on the namespace is added that takes a list of alert policies and makes them active in that namespace. Corresponding UI enhancement is also added.

Users can use the TLS interception feature for HTTP Connect & DRP proxy without managing custom certificates with this feature. To use this feature, users need to simply select the Volterra Managed Signing Certificate option in the downstream certificate configuration for TLS intercept configuration. After that they can use Download CA Certificate menu item for the HTTP Connect & DRP proxy to download and use it from the browser and non-browser clients.

Configuring BGP object is simplified by removing invalid field combinations. The updated configuration form also allows the user to select interfaces per-peer instead of specifying a single list of interfaces for all peers.

This feature adds support for specifying a specific software version and a specific operating system version when bringing up a Customer Edge (CE) site. For view based sites, the versions can be specified when creating the site or during registration approval. For other site types, the versions can be specified during registration approval.

This feature introduces using Fully Qualified Domain Name (FQDN) in case of establishing IPsec/SSL VPN connection to the Regional Edge Sites. A Site can be configured to use IPSec/SSL VPN with an option of going through a site proxy. This feature now allows server FQDN in site configuration in addition to IP address. This FQDN gets resolved to establish VPN connection.

In case of proxy configuration being used with OpenVPN tunnels, FQDN is sent in the HTTP Connect request to the configured proxy server. Proxy server is required to resolve the FQDN and relay the connection to the final destination server to establish OpenVPN tunnel.

This feature allows configuring fallback in case of endpoints behind a cluster are not healthy and route points to multiple clusters as part of weighted cluster configuration. In such case, the traffic is distributed only among the remaining clusters that have one more healthy endpoints.

This feature introduces load balancing of egress traffic to all the nodes in case of AWS Egress gateway site.

vK8s monitoring is enhanced to show the site status in the Pods view. Site status is shown in colored dots in the Node name column. Healthy sites are shown in green color, unhealthy sites are shown in red color, and if health information is not available, grey color is shown for those sites.

Note: If node status is down, then pod status should be considered as unavailable even if it shows as available or running.

Node monitoring is enhanced to display the GPU status in the node status dashboard view. GPU status shows information such as temperature, power, CPU utilization, throughput, etc. Find the GPU status by navigating to Sites -> Site List, click on your site to load its dashboard, select the Nodes tab, and click on the node for which you want to monitor GPU status.

This feature allows tenants to have a direct connecting link to the REs. This enables the CE to RE connectivity to be on the direct private link instead of being in public.

This feature allows VIP address to be used as DNS server to resolve domain names configured in the load balancers. DNS queries can be sent to the VIP addresses configured on CE. The system software on the CE runs DNS server on the VIP addresses and resolves queries for domain names configured in the load balancers. It will also forward other requests to external DNS servers.

Support for manipulating server token in the HTTP load balancer response headers is introduced. User can now configure the response header to do the following:

• Set a default value
• Set a specific value
• Append a server name if no server header is not present
• Set to pass through if the server header is present

Malicious user detection and mitigation is enhanced in the HTTP load balancer monitoring. In the Security Monitoring view, the Malicious Users tab now allows admin to view and act upon malicious users identified by a user-identification object or the source IP address in case a user identification object is not defined. The following monitoring functionalities are added:

• Malicious user security events
• Activity timeline for the identified user
• Activity that contributed to the current suspicion score
• Time series variation for the suspicion score
• Options to block or whitelist users

F5 Distributed Cloud Services use advanced machine learning techniques and analyzes information to identify the malicious users. Analysis is performed on information such as WAF security events, forbidden access events, failed login attempts, and anomalous behavior.

Node monitoring is enhanced to display the GPU status in the node status dashboard view. GPU status shows information such as temperature, power, CPU utilization, throughput, etc. Find the GPU status by navigating to Sites -> Site List, click on your site to load its dashboard, select the Nodes tab, and click on the node for which you want to monitor GPU status.

The AWS Transit Gateway (TGW)site allows for attaching multiple VPCs and forwarding of traffic between VPCs. This feature introduced support for service policy on the VPC-to-VPC traffic or east-west traffic and can be set in the security configuration section of TGW configuration wizard. User can enable the east-west service policy in the Manage East-West Service Policy section and attach a service policy. The service policy can be created in system namespace in the Security -> Firewall -> Service Policies page. It can also be created and attached from within the TGW configuration wizard.

Note: User can also enable east-west service policy with allowing all traffic to be sent via proxy.

Support for enabling policy-based security challenges is introduced. User can now set policy based challenge in load balancer configuration and specify whether to always enable a challenge or disable it while also setting override rules for specific match conditions. Both javascript challenge and captcha challenge are supported. The matching parameters include IP, domain, path, peader, query parameters, etc. These are similar to the parameters in service policy rules.

Note: The security challenge can be enabled in the advanced configuration section of HTTP load balancer configuration. See Configure Javascript Challenge for more information.

Support for manipulating server token in the HTTP load balancer response headers is introduced. User can now configure the response header to do the following:

• Set a default value
• Set a specific value
• Append a server name if no server header is not present
• Set to pass through if the server header is present

Support to set WAF rules for exclusion in HTTP load balancer security events is introduced. User can now select security events and create an exception rule for them from the HTTP load balancer monitoring page in Console. Navigate to Virtual Hosts -> HTTP Load Balancers in your namespace and click on your load balancer. Select Security Events tab and click ... -> Create Exception Rule for the security event entries for which you want to enable the WAF rule exception.

Note: Creating exception rule for an event will open HTTP load balancer configuration form with the WAF excluded rule added to the security configuration section. Click Save and Exit to update the configuration.

Support for whitelisting or blocking specific clients for HTTP load balancer is introduced. The load balancer configuration is added with client blacklisting rules and trusted client rules sections. User can set to block or whitelist specific clients based on the IP addresses or AS numbers.

TCP load balancer is enhanced to set load balancing schemes for the traffic to the origin servers. The schemes supported are round-robin, least active, random, and hash of source IP.

This feature introduces ability to do BGP peering on multiple networks on a customer edge site. Networks could be site local, site local inside, or per site networks.

Support for setting default resource limits for vK8s containers is introduced using a default workload flavor object. User can now create a workload flavor object in the shared namespace at the Manage -> Workload Flavors page and attach it as a default limit in vK8s configuration. See Create Default Workload Flavor for more information.

This feature gives ability to access customer edge (CE) K8s cluster through a kubeconfig file on the local network. Using this feature, user can deploy applications that can manage kubernetes workloads on the CE K8s cluster.

This release introduces support for creating Data Center (DC) or physical hardware edge sites using the VoltStack site object from Console.

Support for stream request logs to syslog service is introduced. User can now create a log receiver object and attach to the fleet of sites. Log receiver object can be created in Console in the Manage -> Site Management -> Log Receivers.

Note: The host IP of the external service must be reachable from the Site.

The following enhancements are added to AWS VPC site and AWS TGW site:

• Configuring workload subnets
• Configuring worker nodes - Supported only for AWS VPC site
• Site admin state field is added in the Manage -> Site Management -> AWS VPC Sites page and also in the JSON view for the AWS VPC site object.

The Sites -> Connectivity page view for the AWS TGW site is enhanced with representing the site with transit gateway, tunnels, and attached VPCs. Also, the details view for the AWS TGW site is enhanced to show the information on tunnels to TGW. This information includes the data transfer, throughput, and BGP connection status.

Support for whitelisting USB devices from Fleet is introduced. Users can now create a USB policy to allow specific USB devives and apply the policy using Fleet.

Site local UI URL is enhanced to be more usable. User can now access site local UI using the https://volterra.local:65500 URL. For more information on using site local UI, see Site Local UI guide.

Support for adding active network and service policies in the application namespace is introduced. User can add active policies in the Security -> vK8s Network Policy -> Active Network Policies and Security -> Service Policy -> Active Service Policies pages.

The virtual K8s (vK8s) dashboard and PVCs view are enhanced to display the disk usage of PVCs.

The OS is updated with CentOS release 7-9.2009 and kernel release 4.18.0-193.28.1.ves1.el7.x86_64

Support for configuring HTTP Proxy for VMware CE site is introduced. During the initial configuration using CLI, user can set HTTP proxy. For more information on VMware site installation, see Create VMware Site. Download the latest image from the VMware Site Images page.

• The tcpdump collection is improved for usability in the Tools tab of the site monitoring page. User can now start, fetch, and stop the tcpdump from single page for a selected target.
• Traceroute utility is added to the Tools tab of the site monitoring page.

Note: Navigate to Sites -> Site List in the System namespace and click on any site to display its monitoring view. The dashboard tab is loaded by default.

The following updates are made to Fast ACLs:

• Fast ACL set table list is removed from the Console
• Fast ACLs for Internet VIPs object is introduced. The Fast ACL objects can be directly added to this.

In addition to supporting the HTTPS load balancer, the F5 Distributed Cloud DNS management is extended to TCP and HTTP load balancers. With this, users can now delegate domain to F5 Distributed Cloud and use the domains in load balancer of type TCP and HTTP.

App Type object support is enhanced so that it can be created from within the App Settings object in the application namespace.

The service discovery is enhanced to discover and route to headless K8s services without depending on K8s DNS.

Note: This requires Layer 3 routing to be established between the CE site and the K8s pods.

The virtual K8s (vK8s) is enhanced to configure daemonsets, cronjobs, and service accounts.

The deployments per vK8s is increased to 25.

Support for restricting communication between vK8s services belonging to different namespaces is introduced. User can enable namespace isolation in the vK8s configuration and override this behavior for specific services by setting the ves.io/serviceisolation annotation to false for that service.

Node mastership is now based on all configured VIPs across Site Local Outside (SLO) and Site Local Inside (SLI) interfaces.

Introduced status and tooling enhancements to the local UI dashboard of F5 Distributed Cloud Site.

Introduced per API endpoint Swagger API schema documentation generation. This can be found under App Namespace -> Mesh -> Service Mesh -> API Endpoints -> Endpoints Details -> Swagger.

Introduced the ability to define active service policies for a specific HTTP Load Balancer. You can choose one of the following service policy options for the load balancer:

• Set a default service policy
• Apply active service policies
• Disable the active service policy

Introduced ability to match destinations based on IP prefix and IP prefix lists under the custom rule list of the forward proxy policy.

Introduced ability to create a forward proxy policy matching on a specific BGP AS, ASN list, and GeoIP labels.

Introduced support for configuring forward proxy in the network connector when connecting Site Local Inside (SLI) to Global Network Type VNs.

Enhancements are added to the vK8s workload dashboard under App Namespace -> Applications -> Virtual K8s -> Workloads.

Introduced the ability for users to configure private registries for their vK8s workloads.

Introduced the ability for the user to view existing flows per node.

Several enhancements are added to the UX of the sidebar in Console.

Introduced beta support for F5 Distributed Cloud's public terraform provider. See Terraform Provider for more information.

Introduced support for users to directly upgrade site deployments via Site Management for AWS/Azure/GCP/TGW sites and also from the Site List page for sites.

Enhanced the Site Management page for Azure VNET & GCP VPC to support a 3rd deployment option called VoltStack Cluster (One Interface).

Enhanced health score calculation to take Site Admin state into account.

Introduced support for TLS interception when configuring an HTTP Connect or DRP (Dynamic Reverse Proxy) virtual host.

Introduced logging of the description field for the configured policy in the hit logs. The policies include service policy, forward proxy policy (simple and custom rule set), network policy, and secret policy.

When provisioning an AWS TGW Site, East-West traffic now supports forward proxy policies by default.

Enhanced the vK8s workload & Pods table view to include deployment name, running pods, total pods, total sites, sites with error, sites without pods, virtual site, upgrade, and actions.

During vK8s virtual site selection, the selection table now shows descriptions for the virtual sites (system or user created).

Introduced the beta version of the site security dashboard. This view provides tenant and site level firewall events and logs. This is available at Sites -> Site Security.

Enhanced UX and navigation of endpoint details in the API Endpoint page.

Enhanced Alerts and Audit Logs pages under Notifications section.

Support for revoking API certificates and Kubeconfigs is introduced. In case of API certificates and Kubeconfigs created prior to this release, you might receive the Client certificate is invalid or revoked response for API requests. In such case, create new certificates and download for use.

The Industrial Server (ISV) 8000 is now Generally Available. The Industrial Server is a series of ruggedized edge computing devices providing hyper-converged compute, GPU, storage and networking. They are easy to deploy and operate systems capable of running learning, inference, containerized or legacy (VM) workloads—from manufacturing plants to retail stores and small branch offices. The Industrial Servers combine the capabilities of hyper-converged infrastructure (HCI) with a GPU for machine learning and robust connectivity (4G LTE/GPS/Wi-Fi/Bluetooth) in a single ruggedized device designed to meet the rigorous demands of edge and industrial environments. You can learn more about the Industrial Server from the data sheet here and the User Manual here.

The user can now query service specific status on a Per Node basis from Console. System -> Site -> Tools -> Show services status

During CE setup the user can now configure a default ves.io/fleet type. This is helpful in scenarios where CEs required a basic working configuration on CE registration (i.e., Local breakout).

Console now supports the deployment of Sites and management of AWS TGW's. System -> Site Management -> AWS TGW Site.

Console now supports the deployment and management of Sites in GCP. System -> Site Management -> GCP VPC Site.

The Site Wizard Page has been improved for better UX, readability and error/status reporting.

DDoS forensics and analysis for Load Balancers and Site (Forward Proxy) Enhanced ability to perform forensics and analysis of configured HTTP & TCP Load Balancers and per Site Forward Proxy.

Using Time Series Analysis (TSA) of the Request Rate, Response Throughput, Latency and Error Rate anomalous enhanced DoS/DDoS alerting has been enabled.

This release has added additional HTTP & HTTPS ports to be advertised on F5 Distributed Cloud's REs (Public Network). Supported HTTP ports are 80 8080 8880 2052 2082 2086 2095 25565. Supported HTTPS ports are 443 2053 2083 2087 2096 8443 25565.

Site Dashboard Denied Rules Tile now includes Forward Proxy. The site dashboard Denied Rules tile now includes Forward Proxy as an option, in addition to Service & Network Policy.

Guided Configuration for F5 Distributed Cloud DC Cluster - This feature brings in vK8s application deployment workflow to ease deploying applications on F5 Distributed Cloud Services platform. The interface given caters to the developers, provides application level interface and hides some of the underlying infrastructure related tasks.

Storage Device Support - This feature brings support for Dell EMC Isilon F800 & HPE Nimbus Storage AF40, this is configured in the Fleet object under Storage Configuration.

Simplified Workload Deployments on vk8s - This feature brings in vk8s application deployment workflow to ease deploying applications on F5 Distributed Cloud Services platform. The interface given caters to the developers, provides application level interface and hides some of the underlying infrastructure related tasks.

There is a new user type called "Debug User". This allows the tenant admin to provide the F5 Distributed Cloud Support team access to the tenant to enhance troubleshooting.

Email and SMS are supported receivers under Alert Management.

The connection log page has been enhanced to render the data in a more user friendly format.

The site dashboard in Console allows additional troubleshooting and status commands to be executed remotely.

Fleet Configuration and related objects (Network Interface, Virtual Networks, Network Connectors, Network Firewall, Network and Forward Policies) can be initially configured during Fleet creation. This is configured under System -> Site Management -> Fleets.

For information on fleet configuration, see Create Fleet.

Guided form is introduced to enable easier configuration of fast ACLs. See Fast ACLs for configuration instructions.

For smaller deployments, it is desired to configure site-to-site mesh groups without a hub & spoke model. This release introduces the ability to configure a mesh with a hub group only.

Guided forms are introduced to enable easier configuration of HTTP Connect & Dynamic Reverse Proxy under the <Namespace> -> Manage -> Load Balancer.

The vK8s dashboard is updated for a better UX experience and end-to-end view of pods deployments, statistics, and health.

General Availability (GA) Support for the Industrial Gateway 5008 & 5508 series is introduced.

Updates are made to the default System -> Sites -> Site List page to provide clear views of per site data. Connectivity topologies are now arranged based on site longitude/latitude and no longer based on alphabetical order.

Optimizations are delivered to the app traffic graphs views under <Namespace> -> Sites -> App Traffic.

Updates are introduced to the General tab and layout for simplified UX for Billing, Support, IAM, and Personal Management.

A new section called Tenant Settings is added. The tenant settings section provides an overview of tenant information such as tenant ID, domain and company name. System wide IAM credentials can be configured here.

Updates are introduced to billing reports, usage details, and billing settings. These include options to request changes to existing plans and viewing existing tenant wide quotas.

Updates to the escalation processes are added to team and organizational plans.