Enable F5 Distributed Cloud Private Link

Published April 5, 2023 | Last modified June 17, 2026

Objective

This guide presents information on F5® Distributed Cloud Private Link, including how to enable it, how to use it to deploy Distributed Cloud Sites, and how to perform advertisement/discovery.

Important: F5 Distributed Cloud Private Link is not currently supported with Customer Edge (CE) Site deployments.

Private Link is a Virtual Network configuration managed by F5 Distributed Cloud Services for customers who request it. This private virtual network is only visible and usable to that customer.

The Private Link provides private connectivity between private customer networks, services of F5 Distributed Cloud SaaS, and other SaaS endpoints, without exposing traffic to the public Internet. Private Link makes it easy to securely connect services across environments and abstracts the functionality as Private Network.

For customers' sites that are deployed on networks that are isolated from the Internet, the CE sites require the following as part of installation and registration:

  • Download a set of configurations.
  • Download images from Docker repositories for various site services.
  • Establish SSL tunnels to the Regional Edge (RE) sites.
  • Communicate with PKI/Identity Authority.

Note: Private link does not support IPsec. Therefore, only use SSL tunnels to connect to the RE sites.

After site installation, it is also required to enable the ability to advertise services, configure end points, and enable service discovery for these isolated networks.

Private Network connects the isolated networks to a set of RE sites using the Private Link. The Sites in the isolated network are provisioned using this Private Network as opposed to the regular Sites that connect to the RE Sites and Global Controller over the Internet.

The following list presents the benefits of using the Private Link:

Secure traffic: You can connect sites to SaaS services in a secure and scalable manner using the Private Link. In this way, network traffic that uses Private Link does not traverse the public internet, reducing exposure to brute force and Distributed Denial-of-Service (DDoS) attacks, along with other threats. You can use private IP connectivity so that services function as though they are hosted directly on Private Network. This provides better control to define precise network and service access policies while delivering visibility, scalability, and performance. ​ 

Simplified network management​: The Private Link simplifies DC network extensions to F5 Distributed Cloud Edge. This makes it easier to manage, observe, and monitor​. ​ 

Accelerate secure SaaS and cloud adoption​: You can easily migrate additional traditional on-premises applications to F5 Distributed Cloud Edge, hosted and managed by F5 Distributed Cloud using Private Link. The data is not exposed to the internet, reducing the risk of data compromise so that you can migrate more cloud services.

After the Private Network is enabled, the following objects are created for your tenant:

  • Virtual Network object representing the Private Network.
  • Global configuration object containing DNS IP address to be used in the private virtual network.
  • HTTP Connect/DRP Proxy object for site installation and management over the Private Network.

Note: The created Virtual Private Network represents the enabled Private Link.

Physical Connections Between Private Network and On-Premises Network

To enable a physical direct connection between the Private Network and your on-premises network, the following apply:

  • F5 Distributed Cloud provides 1 (or 2 if you require 2 links) Letter of Authorization (LOA) so that you can order the interconnects in the data center toward F5 Distributed Cloud.

  • In case of 2 physical interconnections, F5 Distributed Cloud delivers them on two separate devices for resiliency.

  • Only 10GBase-LR and 100GBase-LR4 modules are supported.

  • You can assign the interconnection subnets (preferably /31 IPv4 networks) over the direct private physical link between the on-premises network and F5 Distributed Cloud network. If required, F5 Distributed Cloud also can assign the IPv4 interconnection subnet and validate with you that there is no overlap with your network.

  • F5 Distributed Cloud uses public IP addresses for its network so that there is no overlap with your on-premises network.

  • F5 Distributed Cloud transports the Private Network over F5 Distributed Cloud global backbone using a dedicated L3 VPN.

  • You can use multiple Regional Edge (RE) sites on multiple Points of Presence (POPs) in the backbone. Unicast traffic is directed to the corresponding POP using the shortest path in the network. Anycast traffic is directed to the closest location using the shortest path.

Prerequisites

The following prerequisites apply:

Procedure

To use the Private Link, you must first raise a support request to enable it. After the Private Link is enabled for your tenant, a Virtual Private Network object is created, and you can deploy Sites using the created Private Network. You can also perform activities such as advertising services, configuring endpoints, setting up discoveries, and more.

Raise Support Ticket

Step 1: Create a support request.

  • On the homepage, select the Administration workspace. If you do not see it in the common workspaces, search for it using the search bar on the top of the homepage.

  • From the Support section in the left navigation pane, select Requests.

  • Select Add Request. This opens a new support request form.

Step 2: Fill the request information.

  • From the Workspace drop-down menu, select the workspace you are requesting. For example, Web App & API Protection.

  • From the Type drop-down menu, select Account Support or Technical Support.

  • From the Topic drop-down menu, select Other.

  • Select Priority from the options available:

    • Normal
    • High
    • Urgent

  • In the Subject field, enter a short subject line for your request.

  • In the Product Data field, use the following guidelines to enter the recommended details:

    • Required interface speed: Specify 10G LR or 100G LR4.
    • Access or Trunk: Specify the VLAN such as VLAN 200.
    • Specify whether Link Aggregation Control Protocol (LACP) is required or not.
    • Interconnection prefix: F5 Distributed Cloud Services can provide you with CGNAT, or you can specify an existing prefix.
    • Specify if you wish to use a dedicated VIP (specify a public IP) or default VIP (provided by F5 Distributed Cloud Services).
    • ASN you want to use.
    • City and Country: Specify the city and country so that F5 Distributed Cloud Services can suggest two RE sites.

Note: Prefix filtering is not available. A maximum prefix of 1000 per BGP session is supported by default.

  • Optionally, under Additional Details, enter more information if needed.

  • Select Submit Request. F5 Distributed Cloud Services support enables the Private Network and configures it for your tenant in the shared namespace.

Step 3: Verify the Private Link after it is enabled.

  • Switch to the Multi-Cloud Network Connect workspace.

  • Go to Manage > Networking > Virtual Networks.

  • Verify that there is a network entry that has a Name in the adn-private-vn-<tenant-name> format and that is listed in the shared namespace.

  • Expand the network object to view details in JSON format. The value VIRTUAL_NETWORK_VOLTADN_PRIVATE_NETWORK for the legacy_type field indicates that it is the F5 Distributed Cloud Private Network configured for your tenant.

You can use the Private Link in one of the following two ways:

  • Using HTTP Connect proxy (recommended method)

  • Using Dynamic Reverse Proxy (DRP)

Step 1: Install CE Site node image in your isolated network location.

  • Install the Site on a location in your isolated network. You can download and install the image on a VM or a hardware device. For information on site installation requirements and instructions, see the documentation in the Customer Edge Deployment guides. For information on the software image, see the image downloads in the CE Node Images guides. If you use F5 Distributed Cloud Services hardware, such as IGW or ISV, the box is shipped with a pre-installed image, so no installation is required.

  • Power up the VM or the hardware device.

Step 2: Perform post-installation configuration.

After switching on the VM or device with the CE Site image installed, perform initial configuration using one of the following methods:

Using HTTP Connect proxy

  • Enter admin username and Volterra123 password. Log in for the first time prompts you to update the password for the admin user.

  • Enter configure and enter the Private Virtual Network name.

  • Finish configuring your CE Site. For more information, see the Customer Edge Deployment guides.

Using DRP

In case of DRP, make sure that your corporate HTTP proxy is resolving against F5 Distributed Cloud DNS or manually configure all DNS records. Perform the following:

  • Enter admin username and Volterra123 password. The first time you log in, the system prompts you to update the password for the admin user.

  • Enter configure-network.

  • Enter the HTTP proxy for the ? Set HTTP_PROXY field. Enter the HTTP proxy in the http://username:password@10.0.0.1:3129 format. Ensure that you configure your HTTP Proxy used internally.

  • Optionally, enter configure and enter the Private Virtual Network name. However, you can also set this option at the registration time.

  • Perform the rest of the configuration per your requirements. For more information, see the Customer Edge Deployment guides.

Step 3: Perform CE Site registration.

  • In Console, go to the Multi-Cloud Network Connect workspace.

  • Go to Manage > Site Management > Registrations.

  • Select the green checkmark to load the registration acceptance form for your CE node.

  • Set F5 Distributed Cloud Private Network using one of the following methods:

    • If you are using HTTP Connect proxy method for site installation, verify that the Private Network name is reflecting in the registration acceptance form in the Private Network Name field.

    • If you are using DRP method and did not set the Private Network during the post-install configuration, enter the Private Network name in the Private Network Name field.

  • Set the rest of the registration fields per your requirements. Enter all mandatory fields marked with the asterisk (*) character.

  • Select Save and Exit.

  • Wait for the CE Site status to become ONLINE. You can check this in the Overview > Infrastructure > Sites for your CE Site in the Site Admin State column.

Advertising services on the Private Link requires you to select the Private Network for advertising. If you set the default VIP in advertising configuration, the VIP of the Private Network is used as the listener IP.

Note: This section only provides the advertisement configuration for load balancers. For complete configuration instructions, see the Create HTTP Load Balancer guide.

Step 1: Start creating load balancer.

  • Go to the Multi-Cloud App Connect workspace and select your namespace from the drop-down menu.

  • Select Manage > Load Balancers > HTTP Load Balancers.

  • Select Add HTTP Load Balancer to start creating a load balancer.

  • In the Metadata section, perform the following:

    • Enter Name.

    • Enter Labels and Description as needed.

  • In the Domains and LB Type section, perform the following:

    • Enter Domain.

    • Select an option from the Load Balancer Type drop-down menu.

  • In the Origins section, select Add Item to set up an origin pool.

Step 2: Perform VIP configuration for advertising on the Private Network.

  • In the Other Settings section, select Custom from the VIP Advertisement drop-down menu.

  • Select the Configure link. The Custom Advertise VIP Configuration page opens.

  • Select Add Item in the List of Sites to Advertise section.

  • From the Select Where to Advertise drop-down menu, select Virtual Network.

  • From the Network drop-down menu, select the Private Network object from the list of network objects.

Note: The option Default V4 VIP is set by default for the Select V4 VIP option, and the default VIP is used as a listener IP.

  • Select Apply to return to the List of Sites to Advertise section.

  • Select Apply to return to the Other Settings section.

Step 3: Complete creating the load balancer.

In the load balancer configuration page, select Add HTTP Load Balancer.

Perform the following to discover services on the Private Link.

Note: This section only provides the configuration for valid service discovery. For complete configuration instructions, see the Kubernetes Service Discovery guide for K8s discovery. See the Discover Service Endpoints Using HashiCorp Consul guide for Consul discovery.

Step 1: Start creating service discovery object.

  • Go to the Multi-Cloud App Connect workspace.

  • Select Manage > Service Discoveries.

  • Use the tabs to select your service discovery type, and then select Add <SERVICE-TYPE> Service Discovery.

  • Enter a name for the discovery object in the Metadata section.

Step 2: Set that discovery is visible on the Private Network.

  • Navigate to the Where section and toggle the Show Advanced Fields option.

  • From the Virtual-Site or Site or Network drop-down menu, select Virtual Network.

  • From the Reference drop-down menu, select the Private Network object.

Step 3: Complete creating the service discovery object.

Perform the following to configure an origin server on the Private Link:

Note: This section only provides the origin server configuration part of origin pool. For a full set of origin pool configuration instructions, see the Create Origin Pools guide.

Step 1: Start creating origin pool.

  • Go to the Multi-Cloud App Connect workspace. Select your namespace from the drop-down menu to change to it.

  • Select Manage > Load Balancers > Origin Pools and select Add Origin Pool.

  • Enter a name for the origin pool in the Metadata section.

Step 2: Specify the origin server IP address or DNS name reachable over the Private Network.

  • Navigate to the Origin Servers section and select Add Item.

  • Select one of the following options from the Select Type of Origin Server drop-down menu:

    • Select IP address on Virtual Network and enter the IP address of the origin server in the IPV4 field. From the Virtual Network drop-down menu, select the Private Network from the list of network objects.

    • Select Name on Virtual Network and enter the DNS name of the origin server in the DNS Name field. From the Virtual Network drop-down menu, select the Private Network from the list of network objects.

  • Select Apply to complete origin server configuration.

  • Ensure that origin servers are running so that endpoint discovery is successful while attempting to use the origin pools.

Step 3: Complete creating the origin pool object.

  • Perform configuration for the rest of origin pool sections per your requirements. See the Create Origin Pools guide for more information.

  • Select Add Origin Pool.

Concepts

On this page: