Configure IP Prefix Sets

Objective
Prerequisites
Configuration
Configuration Sequence
Create IP Prefix Sets
Create Service Policy Rules
Create a Service Policy
Concepts
API References

Objective

This document provides instructions on how to create IP prefix sets, and apply them to service policies to control application traffic originating from or reaching the sets of IP addresses in F5® Distributed Cloud Services. To know more about service policies, see Service Policy.

Using the instructions provided in this guide, you can create IP prefix sets and configure a service policy to add the IP addresses to white list or black list so that the traffic is allowed or blocked respectively.

Prerequisites

The following prerequisites apply:

A valid Account is required.

Note: If you do not have an account, see Create an Account.

An application running on vK8s or deployed on an edge site.

Note: If you do not have an application running on vK8s or on an edge site, see vK8s Deployment.

Configuration

Configuration Sequence

Configuring IP prefix sets and applying them in service policy requires performing the following sequence of actions:

Phase	Description
Create IP Prefix Sets	Create IP prefix sets from the security options in the Console.
Create Service Policy Rules	Create policy rules to permit traffic from one IP prefix set and drop traffic from another.
Create a Service Policy	Create a policy with the configured rules.

Create IP Prefix Sets

IP Prefix Set can be viewed and managed in multiple services: Multi-Cloud Network Connect, Distributed Apps, Shared Configuration, Web App & API Protection, and Load Balancers.

This example shows IP Prefix Set setup in Shared Configuration.

Step 1: Log into F5® Distributed Cloud Console, select IP Prefix Sets.

Open F5® Distributed Cloud Console homepage, select Shared Configuration box.

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Note: Confirm Namespace feature is in correct namespace, drop-down selector located in upper-left corner. Not available in all services.

Select Shared Objects in left column menu > select IP Prefix Sets.

Note: If options are not showing available, select Show link in Advanced nav options visible in bottom left corner. If needed, select Hide to minimize options from Advanced nav options mode.

IPPREFIX 1 2 — Figure: IP Prefix Sets Locations

Select Add IP Prefix Set button.

Note: You can change to another service and create the IP prefix set.

Step 2: Name Prefix, set labels, and add a description as needed.

Enter Name, enter Labels and Description as needed.

IPPrefixSet1 — Figure: IP Prefix Set Creation

Step 3: Select Prefix and enter the prefix from which you want to allow traffic.

Enter Prefix in box, select + Add Item if needed.

Step 4: Complete creating the ASN set.

Select Save and Exit

Step 5: Repeat Step 1 to Step 4 to create another IP Prefix set from which you want to block the traffic.

Create Service Policy Rules

Service policy rules are used in controlling the traffic based on various conditions. This example shows how to allow or reject traffic coming from specific IP addresses. For more information on service policies and rules, see Create Service Policy Rule.

Step 1: Open F5® Distributed Cloud Console, select Service Policy Rules and select Add service policy rule. The policy rule creation form gets loaded.

Open F5® Distributed Cloud Console homepage, select Shared Configuration box.

Note: Homepage is role based, and your homepage may look different due to your role customization. Visit [Homepage Customization] to adjust your homepage.

Select Security in left column menu > select Service Policies > Service Policies.

IPPREFIX SERVICEPOLICY7 2 4 — Figure: Open Virtual Hosts

Select + Add service policy button.

Step 2: Enter a name and select Allow for the Action field.

Step 3: Select IP Prefix Matcher to open the form to apply IP Prefix set. Select Select prefix set, and select the set you created in the Create IP Prefix Sets chapter.

In F5® Distributed Cloud Console select Multi-Cloud Network Connect.

Select Manage > select Firewall.
Select Service Policies > + Add service policy button.
Enter Name.
Select Configure link in Rules box.
Select + Add Item button in new Rules page.
Select Configure link in Rules Specification box.
Enter Name.
Select Allow in Action box.
Toggle Show Advanced Fields in Request Matcher box.
Select Configure link in HTTP Path section.
Select + Add Item > Enter Prefix Values in box.
- Toggle Show Advanced Fields to show more options.

PrefixMatcher — Figure: Service Policy Rule IP Prefix Matcher

Step 4: Select Select prefix set, and Apply to apply the set to the service policy rule.

Select + Add Item or select prefix set.
Select Apply button.

Step 5: Select Add service policy rule to complete creating service policy rule.

Step 6: Repeat Step 1 to Step 5 for creating a rule to block traffic from the second prefix set created in the Create IP Prefix Sets chapter. Ensure that you set the Action as Deny.

Create a Service Policy

Service policies apply rules in the order as per the specified configuration. For more information on service policies, see Configure Service Policy.

Step 1: Select the same namespace where you created your service policy rule. Select Security from the configuration menu and Network Security from the options pane. Select Service Policies and select Add service policy. The policy creation form gets loaded.

In F5® Distributed Cloud Console, select Multi-Cloud App Connect.

Select Security > Active Service Policies.
+ Select Active Service Policies, drag policy up or down.
Check boxes.
Select Service Policy button.

Step 2: Enter a name for the policy, and set First Rule Match for the Rule Combining Algorithm field.

Enter Name, enter Labels and Description as needed.

Step 3: Select rule and add the rules created in the Create Service Policy Rules chapter. Select Select rule.

Note: It is recommended to first add the rule that allows traffic from set of IP prefixes and then add the rule that drops traffic from the other set.

Step 4: Select Add service policy to complete service policy creation.

Note: You can use other fields of service policy creation such as Server Name Matcher for granular control. For more information, see Configure Service Policy.

You can use this policy in a service policy set and apply the IP Prefix sets to control your application traffic. For more information on service policy set configuration, see Configure Service Policy Set.