API Developer Portal
API Docs
Community
Knowledgebase
Training
menu icon
  1. Home
  2.  / How To
  3.  / Advanced Security
  4.  / Configure IP Prefix Sets

Configure IP Prefix Sets

On This Page:

Objective

This document provides instructions on how to create IP prefix sets, and apply them to service policies to control application traffic originating from or reaching the sets of IP addresses in F5® Distributed Cloud Services. To know more about service policies, see Service Policy.

Using the instructions provided in this guide, you can create IP prefix sets and configure a service policy to add the IP addresses to white list or black list so that the traffic is allowed or blocked respectively.

Prerequisites

The following prerequisites apply:

Note: If you do not have an account, see Create an Account.

  • An application running on vK8s or deployed on an edge site.

Note: If you do not have an application running on vK8s or on an edge site, see vK8s Deployment.

Configuration

Configuration Sequence

Configuring IP prefix sets and applying them in service policy requires performing the following sequence of actions:

PhaseDescription
Create IP Prefix SetsCreate IP prefix sets from the security options in the Console.
Create Service Policy RulesCreate policy rules to permit traffic from one IP prefix set and drop traffic from another.
Create a Service PolicyCreate a policy with the configured rules.

Create IP Prefix Sets

IP Prefix Set can be viewed and managed in multiple services: Multi-Cloud Network Connect, Distributed Apps, Shared Configuration, Web App & API Protection, and Load Balancers.

This example shows IP Prefix Set setup in Shared Configuration.

Step 1: Log into F5 Distributed Cloud Console, select IP Prefix Sets.
  • Open F5 Distributed Cloud Console homepage, select Shared Configuration box.

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

NEW HOMEPAGE 22
Figure: Homepage

Note: Confirm Namespace feature is in correct namespace, drop-down selector located in upper-left corner. Not available in all services.

  • Select Shared Objects in left column menu > select IP Prefix Sets.

Note: If options are not showing available, select Show link in Advanced nav options visible in bottom left corner. If needed, select Hide to minimize options from Advanced nav options mode.

IPPREFIX 1 2
Figure: IP Prefix Sets Locations
  • Select Add IP Prefix Set button.

Note: You can change to another service and create the IP prefix set.

Step 2: Name Prefix, set labels, and add a description as needed.

  • Enter Name.

  • Enter Labels and Description as needed.

IPPrefixSet1
Figure: IP Prefix Set Creation
Step 3: Select Prefix, and enter the prefix from which you want to allow traffic.

  • Enter Prefix in box.

  • Select + Add Item if needed.

IPPrefixSet1
Figure: IP Prefix Set Creation
Step 4: Complete creating the ASN set.
  • Select Save and Exit button.
Step 5: Repeat Step 1 to Step 4 to create another IP Prefix set from which you want to block the traffic.

Create Service Policy Rules

Service policy rules are used in controlling the traffic based on various conditions. This example shows how to allow or reject traffic coming from specific IP addresses. For more information on service policies and rules, see Create Service Policy Rule.

Step 1: Open F5 Distributed Cloud Console, select Service Policy Rules.
  • Open F5 Distributed Cloud Console homepage, select Shared Configuration box.

Note: Homepage is role based, and your homepage may look different due to your role customization. Visit [Homepage Customization] to adjust your homepage.

NEW HOMEPAGE 22
Figure: Homepage
  • Select Security in left column menu > select Service Policies > Service Policies.
IPPREFIX SERVICEPOLICY7 2 4
Figure: Service Policies
  • Select + Add Service Policy button.

Note: The policy rule creation form gets loaded.

Step 2: Enter Name, select Allow.

  • Enter Name.

  • Enter Labels and Description as needed.

  • Select Policy Rules drop-down menu, select Allowed Sources.

SHAREDCONFIG SP
Figure: Service Policies
  • Select Default Action drop-down menu, select Allow.
SPDEFAULTACTION
Figure: Service Policies Default Action
  • Select Save and Exit button.
Step 3: Select IP Prefix Matcher to open the form to apply IP Prefix set. Select Select prefix set, and select the set you created in the Create IP Prefix Sets chapter.
  • In F5 Distributed Cloud Console select Multi-Cloud Network Connect.
NEW HOMEPAGE 22
Figure: Homepage

  • Select Manage > select Firewall.

  • Select Service Policies > + Add Service Policy button.

IP SERVICEPOLICIES
Figure: Service Policy
Step 3.1: Setup Service Policy.

  • Enter Name.

  • Select Configure link in Rules box.

SERVICEPOLICYFORM
Figure: Service Policy Form
  • Select + Add Item button in new Rules page.
Step 3.2: Setup Rules.

  • Enter Name.

  • Select Allow in Action drop-down menu.

SPFORM2
Figure: Service Policy Form
Step 3.3: Setup HTTP Path.

  • Toggle Show Advanced Fields in Request Match box.

  • Select Configure link in HTTP Path section.

PrefixMatcher
Figure: Service Policy Rule IP Prefix Matcher

  • In Prefix Values, select + Add Item button.

  • Enter Prefix Values in box.

Note: See HTTP Path for valid format examples.

SPHTTP
Figure: HTTP Path Prefix Value
Step 3.4: Apply HTTP Path Prefix Value.

  • Select Apply button.

  • Select Apply button.

SPHTTP
Figure: HTTP Path Prefix Value
Step 4: Select prefix set and Apply to apply the set to the service policy rule.

  • Select Rules by Order number.

    • Select Actions ... Move to another spot to reorder Rules as needed.
  • Select Apply button.
Rules
Figure: Service Policy Rule
Step 5: Select Add service policy rule to complete creating service policy rule.
  • Select Save and Exit button.
Step 6: Repeat Step 1 to Step 5 for creating a rule to block traffic from the second prefix set created in the Create IP Prefix Sets chapter. Ensure that you set the Action as Deny.

Create a Service Policy

Service policies apply rules in the order as per the specified configuration. For more information on service policies, see Configure Service Policy.

Step 1: Open Service Policy.

Select the same namespace where you created your service policy rule. Select Security from the configuration menu and Network Security from the options pane. Select Service Policies and select Add service policy. The policy creation form gets loaded.

  • In F5 Distributed Cloud Console, select Multi-Cloud App Connect.

  • Select Namespace where you created your service policy rule.

NEW HOMEPAGE 22
Figure: Homepage

  • Select Security > Service Policies > Active Service Policies.

  • + Select Active Service Policies button.

Step 2: Create Service Policy.

Enter a name for the policy, and set First Rule Match for the Rule Combining Algorithm field.

  • Select Service Policies drop-down menu to select service policy.

  • Select + Add Item button in Service Policies drop-down menu to create another service policy.

  • Enter Name

  • Enter Labels and Description as needed.

Step 3: Select Rule

Select rule and add the rules created in the Create Service Policy Rules chapter.

  • Select Policy Rules drop-down menu.

    • Custom Rule List > Configure.

    • Allowed Sources > Configure.

    • Denied Sources > Configure.

    • Allow All Requests

    • Deny All Requests

Note: It is recommended to first add the rule that allows traffic from set of IP prefixes, and then add the rule that drops traffic from the other set.

  • Select Server Selection drop-down menu to select Servers, Any Server is default.

Note: For granular control you can use other fields of service policy creation such as Server Selection. For more information, see Configure Service Policy.

  • Select Continue button to finish the Service Policy Rules form.
Add More or Move Service Policies

  • Select + Add Items button to add more service policies.

  • Select Service Policies drop-down menu to select the service policy you created or another service policy as needed.

  • Select the dot box to the left of the number, and drag to rearrange the service policies Order.

  • Select ... to delete or Move to another spot > enter Row number > select Move Row button to move.

  • Select Save and Exit button to save service policy selection and order.

Step 4: Complete service policy creation.

You can use this policy in a service policy set and apply the IP Prefix sets to control your application traffic. For more information on service policy set configuration, see Configure Service Policy Set.

Concepts

API References

© 2024 F5, Inc. All rights reserved | Trademarks | Policies | Privacy | California Privacy | Do Not Sell My Personal Information |