Configure IP Prefix Sets
Objective
This document provides instructions on how to create IP prefix sets, and apply them to service policies to control application traffic originating from or reaching the sets of IP addresses in F5® Distributed Cloud Services. To know more about service policies, see Service Policy.
Using the instructions provided in this guide, you can create IP prefix sets and configure a service policy that adds the IP addresses to a white list or black list so that the traffic is allowed or blocked, respectively.
Prerequisites
The following prerequisites apply:
- A valid Account is required.
Note: If you do not have an account, see Create an Account.
- An application running on vK8s or deployed on an edge site.
Note: If you do not have an application running on vK8s or on an edge site, see vK8s Deployment.
Configuration
Configuration Sequence
Configuring IP prefix sets and applying them in service policy requires performing the following sequence of actions:
Phase | Description |
---|---|
Create IP Prefix Sets | Create IP prefix sets from the security options in the Console. |
Create Service Policy Rules | Create policy rules to permit traffic from one IP prefix set and drop traffic from another. |
Create a Service Policy | Create a policy with the configured rules. |
Create IP Prefix Sets
IP Prefix Set can be viewed and managed in multiple services: Multi-Cloud Network Connect, Distributed Apps, Shared Configuration, Web App & API Protection, and Load Balancers.
This example shows IP Prefix Set setup in Shared Configuration.
Step 1: Log into F5® Distributed Cloud Console, select IP Prefix Sets.
- Open F5® Distributed Cloud Console homepage, select Shared Configuration box.
Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.
Note: Confirm Namespace feature is in correct namespace, drop-down selector located in upper-left corner. Not available in all services.
- Select Shared Objects in left column menu > select IP Prefix Sets.
Note: If options are not showing available, select Show link in Advanced nav options visible in bottom left corner. If needed, select Hide to minimize options from Advanced nav options mode.
- Select Add IP Prefix Set button.
Note: You can change to another service and create the IP prefix set.
Step 2: Name Prefix, set labels, and add a description as needed.
- Enter Name, enter Labels and Description as needed.
Step 3: Select Prefix and enter the prefix from which you want to allow traffic.
- Enter Prefix in box, select + Add Item if needed.
Step 4: Complete creating the IP prefix set.
- Select Save and Exit.
Step 5: Repeat Step 1 to Step 4 to create another IP Prefix set from which you want to block the traffic.
Create Service Policy Rules
Service policy rules are used in controlling the traffic based on various conditions. This example shows how to allow or reject traffic coming from specific IP addresses. For more information on service policies and rules, see Create Service Policy Rule.
Step 1: Open F5® Distributed Cloud Console, select Service Policy Rules and select Add service policy rule. The policy rule creation form gets loaded.
- Open F5® Distributed Cloud Console homepage, select Shared Configuration box.
Note: Homepage is role based, and your homepage may look different due to your role customization. Visit [Homepage Customization] to adjust your homepage.
- Select Security in left column menu > select Service Policies > Service Policies.
- Select + Add service policy button.
Step 2: Enter a name and select Allow for the Action field.
Step 3: Select IP Prefix Matcher to open the form to apply IP Prefix set. Select Select prefix set, and select the set you created in the Create IP Prefix Sets chapter.
- In F5® Distributed Cloud Console select Multi-Cloud Network Connect.
- Select Manage > select Firewall.
- Select Service Policies > + Add service policy button.
- Enter Name.
- Select Configure link in Rules box.
- Select + Add Item button in new Rules page.
- Select Configure link in Rules Specification box.
- Enter Name.
- Select Allow in Action box.
- Toggle Show Advanced Fields in Request Matcher box.
- Select Configure link in HTTP Path section.
- Select + Add Item > Enter Prefix Values in box.
  - Toggle Show Advanced Fields to show more options.
Step 4: Select Select prefix set, and Apply to apply the set to the service policy rule.
- Select + Add Item or select prefix set.
- Select Apply button.
Step 5: Select Add service policy rule to complete creating service policy rule.
Step 6: Repeat Step 1 to Step 5 for creating a rule to block traffic from the second prefix set created in the Create IP Prefix Sets chapter. Ensure that you set the Action as Deny.
Create a Service Policy
Service policies apply rules in the order as per the specified configuration. For more information on service policies, see Configure Service Policy.
Step 1: Select the same namespace where you created your service policy rule. Select Security from the configuration menu and Network Security from the options pane. Select Service Policies and select Add service policy. The policy creation form gets loaded.
- In F5® Distributed Cloud Console, select Multi-Cloud App Connect.
- Select Security > Active Service Policies.
- + Select Active Service Policies, drag policy up or down.
- Check boxes.
- Select Service Policy button.
Step 2: Enter a name for the policy, and set First Rule Match for the Rule Combining Algorithm field.
- Enter Name, enter Labels and Description as needed.
Step 3: Select rule and add the rules created in the Create Service Policy Rules chapter. Select Select rule.
Note: It is recommended to first add the rule that allows traffic from one set of IP prefixes and then add the rule that drops traffic from the other set.
Step 4: Select Add service policy to complete service policy creation.
Note: You can use other fields of service policy creation such as Server Name Matcher for granular control. For more information, see Configure Service Policy.
You can use this policy in a service policy set and apply the IP Prefix sets to control your application traffic. For more information on service policy set configuration, see Configure Service Policy Set.
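The rule-ordering note in Step 3 can be checked offline before the policy is saved. The following is an added example, not F5 code and not the Console's API: a small Python model of First Rule Match over two prefix sets that reports overlapping prefixes, for which rule order decides the outcome. The prefixes are constructed from documentation address ranges, and the rule names and function names are assumptions.

```python
import ipaddress

# Constructed sample prefix sets (documentation ranges, not from the page).
ALLOW_SET = ["192.0.2.0/24", "2001:db8:a::/48"]
DENY_SET = ["192.0.2.128/25", "198.51.100.0/24"]


def parse_set(prefixes):
    """Parse CIDR strings; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def first_rule_match(rules, client_ip):
    """Return (rule name, action) of the first rule whose set contains client_ip.

    rules is an ordered list of (name, action, prefixes). None means no rule
    matched; what the platform does in that case is outside this model.
    """
    ip = ipaddress.ip_address(client_ip)
    for name, action, prefixes in rules:
        for net in parse_set(prefixes):
            if net.version == ip.version and ip in net:
                return name, action
    return None


def overlaps(set_a, set_b):
    """List prefix pairs that overlap across two sets; rule order decides these."""
    return [
        (str(a), str(b))
        for a in parse_set(set_a)
        for b in parse_set(set_b)
        if a.version == b.version and a.overlaps(b)
    ]


# Hypothetical rule names; the order of the list is the order of evaluation.
ALLOW_FIRST = [("allow-set", "ALLOW", ALLOW_SET), ("deny-set", "DENY", DENY_SET)]
DENY_FIRST = list(reversed(ALLOW_FIRST))

if __name__ == "__main__":
    print("overlapping prefixes:", overlaps(ALLOW_SET, DENY_SET))
    for ip in ["192.0.2.10", "192.0.2.200", "198.51.100.7", "203.0.113.5"]:
        print(ip, first_rule_match(ALLOW_FIRST, ip), first_rule_match(DENY_FIRST, ip))
```

With the sample sets, 192.0.2.200 falls in both sets, so it is allowed when the allow rule comes first and denied when the deny rule comes first.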