F5® Distributed Cloud Mesh’s Secure Networking provides connectivity and security services for your applications running at the Edge, in Private Clouds or in Public Clouds. It simplifies the deployment and configuration of connectivity and security services for Multi-Cloud and Edge Cloud deployments across heterogeneous environments. Operations teams configure and monitor their site deployments using the F5 Distributed Cloud Console SaaS, which gives a centrally managed but globally distributed data plane of connectivity and security networking services.
Connectivity services range from high-performance, scale-out data plane forwarding, routing protocols, SD-WAN functionality and topology customization to secure connectivity using VPN, SNAT, proxy, local breakout, etc. Security features range from IP firewall and access-list support and service filtering of HTTP/HTTPS and custom protocols to isolation of networks and applications with VRFs. End-to-end system observability is provided by Mesh and App Stack observability.
These services are ready out of the box once an F5 Distributed Cloud Node or Cluster is deployed; using Console, users can enable Mesh or App Stack services. Upgrading to premium connectivity over the F5 Distributed Cloud Global Backbone using Mesh Direct Connect is described in our Secure Backbone offering.
If you are interested in further details of how the features described in this guide work, read more below in Concepts.
Introduction to Mesh Secure Networking
With any Node or Cluster deployment, you can add other Mesh and App Stack services as simple add-ons. This section discusses specifically the Mesh Secure Networking features.
Mesh Secure Networking Features
Zero Touch Provisioning
- Seamless Distributed Cloud site registration using secure site credentials, on F5-provided cloud instances or edge hardware, or on customer-provided COTS hardware or cloud instances. Additional details can be found in App Stack Distributed Infrastructure Management.
Routing & SD-WAN
- Support for flexible deployments such as default gateway, local breakout and router-on-a-stick; connectivity options such as Direct, SNAT and Forward Proxy; and WAN protocols and functions such as BGP for VIP advertisement, IP switching/routing, Policy Based Routing, etc.
- For various enterprise deployments, we support Site to Site (Full Mesh), Hub & Spoke (using Mesh or on-prem hubs), and Local Breakout using L3 (SNAT) or L7 (Forward Proxy).
VPN over IPsec/SSL
- All topologies (Full Mesh, Hub & Spoke) configured between Sites are secured with VPN tunnels over encrypted transports such as IPsec or SSL.
Isolation of networks physically, logically and virtually
- Connectivity isolation and security using multiple physical and logical network Interfaces associated with a per-tenant virtual network (also known as VRFs - Virtual Routing and Forwarding). Virtual Networks can be configured with local or global scopes to complement site topology deployments as another layer of security.
- In-line URL inspection of the hosts accessed by any traffic originating from a Site, with URL filtering and URL/host observability.
Network Firewall and security policies
- Network access lists and firewall policy allow filtering based on IP addresses. Security policy applied at the Forward Proxy allows URL filtering and the other matching criteria provided by the service policy framework.
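The two enforcement points described on this page, an IP-based network firewall and a host/URL filter at the forward proxy, behave differently for the L3 (SNAT) and L7 (Forward Proxy) breakout options listed under Routing & SD-WAN. The model below is an added illustration of that difference and is not F5 Distributed Cloud's own policy engine, API or configuration format: the rule fields, the `VrfPolicy` container keyed by virtual-network name, the first-match/default-deny semantics and the sample addresses are all assumptions chosen to show how ordered access lists, per-VRF isolation and hostname-aware filtering combine.

```python
"""Illustrative model of site-level traffic filtering: an IP-based network
firewall (L3) and a host/URL filter at a forward proxy (L7), scoped per
virtual network (VRF). Hypothetical helper code, not F5 Distributed Cloud's
own policy engine or API; rule fields, names and sample data are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Literal, Optional
from urllib.parse import urlsplit

Action = Literal["allow", "deny"]


@dataclass(frozen=True)
class L3Rule:
    """One network-firewall entry: CIDR match on source and destination,
    optional protocol and destination port. Rules are ordered; first match wins."""
    action: Action
    src: str                      # CIDR, e.g. "10.1.0.0/16"; "0.0.0.0/0" = any IPv4
    dst: str
    proto: str = "any"            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None   # None = any destination port


@dataclass(frozen=True)
class L7Rule:
    """One forward-proxy entry: hostname (exact or '*.suffix') plus URL path prefix."""
    action: Action
    host: str
    path_prefix: str = "/"


@dataclass
class VrfPolicy:
    """Policy attached to one virtual network (VRF) on a site."""
    l3: list[L3Rule] = field(default_factory=list)
    l7: list[L7Rule] = field(default_factory=list)


def _ip_in(addr: str, cidr: str) -> bool:
    a = ip_address(addr)
    net = ip_network(cidr, strict=False)
    return a.version == net.version and a in net


def _host_matches(pattern: str, host: str) -> bool:
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        # "*.example.com" covers sub-domains only, not the apex "example.com"
        return host.endswith(pattern[1:])
    return host == pattern


def evaluate_l3(policy: VrfPolicy, src: str, dst: str, proto: str, dport: Optional[int]) -> Action:
    """Network firewall / access list: ordered, first match, default deny."""
    for r in policy.l3:
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if _ip_in(src, r.src) and _ip_in(dst, r.dst):
            return r.action
    return "deny"


def evaluate_l7(policy: VrfPolicy, url: str) -> Action:
    """Forward-proxy URL filter: ordered, first match on host + path, default deny."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    for r in policy.l7:
        if _host_matches(r.host, host) and path.startswith(r.path_prefix):
            return r.action
    return "deny"


def evaluate_flow(site: dict[str, VrfPolicy], vrf: str, src: str, dst: str,
                  proto: str, dport: Optional[int], url: Optional[str] = None) -> Action:
    """Decision for one flow. A VRF with no policy object is isolated: nothing
    leaves it. Flows on the L3 (SNAT) breakout path carry no URL, so only the IP
    firewall can apply; proxied (L7) flows must also pass the host/URL filter."""
    policy = site.get(vrf)
    if policy is None:
        return "deny"
    if evaluate_l3(policy, src, dst, proto, dport) == "deny":
        return "deny"
    if url is None:
        return "allow"
    return evaluate_l7(policy, url)


# Constructed sample policy for a site with one tenant virtual network, "corp".
SITE = {
    "corp": VrfPolicy(
        l3=[
            L3Rule("allow", "10.1.0.0/16", "0.0.0.0/0", "tcp", 443),   # HTTPS breakout
            L3Rule("allow", "10.1.0.0/16", "10.1.0.0/16"),             # intra-VRF traffic
            L3Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),                  # explicit catch-all
        ],
        l7=[
            L7Rule("deny", "*.internal.example.com"),   # more specific deny must come first
            L7Rule("allow", "*.example.com"),
            L7Rule("allow", "example.com", "/public/"),
        ],
    ),
}

if __name__ == "__main__":
    # 203.0.113.10 is a TEST-NET-3 address used as a constructed destination.
    print(evaluate_flow(SITE, "corp", "10.1.5.5", "203.0.113.10", "tcp", 443,
                        "https://www.example.com/docs"))
    print(evaluate_flow(SITE, "corp", "10.1.5.5", "203.0.113.10", "tcp", 443))
    print(evaluate_flow(SITE, "guest", "10.1.5.5", "203.0.113.10", "tcp", 443))
```

The second call in the usage block is the point to notice: on an L3 (SNAT) breakout the firewall only sees the IP 5-tuple, so the same flow that the L7 filter would block by hostname passes as long as TCP/443 is allowed. Hostname and URL controls, and the URL/host observability listed above, need the traffic to go through the Forward Proxy. Rule order matters in both planes, which is why the specific `*.internal.example.com` deny is placed ahead of the broader `*.example.com` allow.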
High Availability and Clustering
- Nodes can be configured as Clusters for scale-out infrastructure providing increased capacity and high availability. For more details, you can refer to Distributed Infrastructure Management.
The following concepts are used for Mesh Secure Networking features. Click on each one to learn more:
- Site Registration
- Site Connectivity
- Virtual Site
- Network Interface
- Virtual Network
- Network Connector
- Network Firewall