Introducing F5 BIG-IP Next CNF solutions for Red Hat OpenShift (2023)

5G y Red Hat OpenShift

5G standards have adopted Cloud Native Network Functions (CNF) to implement network services in software such as containers. This is a big change from the previous Virtual Network Functions (VNF) or Physical Network Functions (PNF).

The main features of cloud native functions are:

  • Deploy as containerized microservices
  • Small version, with the possibility of scaling
  • Guest OS independence as CNFs act as containers
  • Kubernetes can manage the lifecycle

Taken together, they provide a major improvement in terms of flexibility, faster provisioning, robustness, and the key use of Kubernetes as a single orchestration layer. The latter is a drastic change from previous standards where each vendor had their own orchestration. This unification around Kubernetes greatly simplifies network functions for operators, reducing the cost of setting up and maintaining networks. Additionally, by adopting the container form factor, it enables the implementation of network functions (NF) in new use cases, such as the remote edge. This is because they take up less space and at the same time can be deployed on a large scale in a central data center due to horizontal scalability.

In this article, we focus on Red Hat OpenShift, which is the industry reference and market-leading implementation of Kubernetes for IT and telecom workloads.

(Video) F5 BIG-IP & Red Hat OpenShift: high performance, secure applications

Introduction to F5 BIG-IP Next CNF solutions

F5 BIG-IP Next CNF Solutions is a set of Kubernetes native 5G network functions, implemented as microservices. It shares the same Cloud Native Engine (CNE) as theF5 BIG-IP Next SPK introduced last year. Functionalities implemented by CNF Solutions deal mainly with user plan data.

User plane data has a special nature that the final destination of the traffic is not the Kubernetes cluster, but an external endpoint, usually the Internet. In other words, traffic enters the Kubernetes cluster and is forwarded back out of the cluster. This is achieved by using dedicated interfaces that are not used for regular ingress and egress routes for regular traffic in the Kubernetes cluster. In this case, the main goal of using Kubernetes is to take advantage of its orchestration, flexibility and scalability.

The main functionalities implemented in the first GA version of the CNF solution are:

  • F5 Next Edge Cortafuegos CNF, an IPv4/IPv6 firewall that primarily focuses on protecting 5G core networks from external threads, including DDoS flood protection and IPS DNS protocol inspection.
  • F5 Next CGNAT CNF, which offers a large NAT with the following features:
    • NAPT Mapping Modes, Port Block Mapping, Static NAT, Peer Address Aggregation, and Endpoint Independent Mode.
    • Ulazni NAT i Hairpinning.
    • Filtering outgoing routes and excluding addresses.
    • Podrška ALG: FTP/FTPS, TFTP, RTSP i PPTP.
  • F5 Next DNS CNF, which offers transparent DNS resolution and caching services. Other significant characteristics are:
    • zero rating
    • DNS64, which allows IPv6-only clients to connect to IPv4-only services via synthetic IPv6 addresses.
  • F5 Next CNF Policy Enforcer, which enables traffic classification, control and shaping, as well as video and TCP optimization. This product will be released as early access in February 2023 with basic features. Static TCP optimization is now GA in the first release.

Although the Carrier Grade NAT (CGNAT) and Policy Enforcer capabilities are specific to user-plane use cases, the Edge Firewall and DNS capabilities have additional uses in other parts of the network.

F5 y OpenShift

BIG-IP Next CNF solutions are fully compatibleRed Hat OpenShift Container Platformenabling deployment to central or edge locations with unified management across multiple deployments. OpenShift operators make it much easier to configure and tune telecom applications. These are:

On the OpenShift platform, they are all configured transparently for applications, and BIG-IP Next CNF solutions only require configuration with the appropriate runtime class.

Architecture of the F5 BIG-IP Next CNF solution

F5 BIG-IP Next CNF Solutions uses the highly reliable F5 BIG-IP Traffic Management Microkernel (TMM) data plane. This enables a reliable, high-performance product right from the start. CNF functionalities come from the new microservices architecture of the widely used F5 BIG-IP VNFs. The following diagram illustrates how the microservices architecture is used.

Introducing F5 BIG-IP Next CNF solutions for Red Hat OpenShift (1)

(Video) Using OpenShift Route with F5 is so Easy and Fast!

Dataplanet's POD scales from 1 to 16 cores and scales from 1 to 32 PODs, enabling it to work with millions of subscribers. NUMA nodes are supported.

The following diagram focuses on data plane handling, which is the most relevant aspect for this CNF package:

Introducing F5 BIG-IP Next CNF solutions for Red Hat OpenShift (2)Typically, each data plane POD has two IP addresses, one for each side of the N6 reference point. These can be called radio and internet sites, as shown in the diagram above.

L3 hops on the left side must distribute traffic between addresses on the left side of the CNF data plane. This left L3 hop can be a router with BGP ECMP (Equal Cost Multi Path), SDN, or any other mechanism that can:

  • Divide subscribers by data plane PODs, as shown in [1] in the figure above.
  • Keep these subscribers on the same PODs when there is a change in the number of active PODs of the data plan (scaling, scale-out, maintenance, etc.) as shown in [2] in the figure above. This reduces service interruptions.

On the right side of CNFs, the path to the Internet, it is typical to implement NAT functionality to transform private phone addresses into public addresses. This is done using BIG-IP Next CG-NAT CNF. This NAT makes the return traffic symmetric by arriving at the same POD that processed the outgoing traffic. This is due to the fact that each POD owns a part of this NAT space, as shown in [3] in the previous figure. The NAT address space of each POD can be advertised via BGP.

When NAT is not used on the right side of CNFs, it is necessary that the network can send traffic back to the same POD handling the same connection. Traffic must remain symmetrical at all times, this is often the case with SDN.

Using the F5 BIG-IP Next CNF solution

As expected in a fully integrated Kubernetes solution, both installation and configuration are done using the Kubernetes API. Installation is done using a flowchart and configuration using Custom Resource Definitions (CRD). Unlike using ConfigMaps, using CRDs allows validation of configuration schemas before they are applied. You can find more information about CRDson this cloud documents page. Below is an overview of the most relevant CRDs.

General network settings

A Kubernetes implementation automatically configures and assigns IP addresses to CNF PODs. Data plane interfaces require special configuration. The necessary steps are:

(Video) Azure Red Hat OpenShift (ARO) with F5 Distributed Cloud

  1. Create Kubernetes NetworkNodePolicies and NetworkAttachment definitions that enable SR-IOV VFs to be exposed to CNF data plane PODs (TMMs). To use these VF SR-IOVs, reference them in the Helm map settings file of the BIG-IP driver. This is described inNetwork overview page.
  2. Define L2 and L3 configuration of SR-IOV interfaces exposed usingF5BigNetVlanCRD.
  3. If static routes need to be configured, they can be added usingF5BigNetStaticrouteCRD.
  4. If a BGP configuration is to be added, it is configured in the BIG-IP controller's Helm graph settings file. This is described inBGP monitoring. It is expected that this will be configured using CRD in the future.

Configuring traffic control listeners

As with classic BIG-IP, once the CNFs are up and connected to the network, traffic is not processed by default. The traffic management functionalities implemented by BIG-IP Next CNF Solutions are the same as the analog modules in classic BIG-IP, and the CRDs in BIG-IP Next for configuring these functionalities are also conceptually similar.

Analogous to virtual servers in classic BIG-IP, BIG-IP Next CNF Solutions has a set of CRDs that create traffic listeners where traffic management policies are applied. this is mostlyF5BigContextSecureA CRD that allows us to specify traffic selectors that specify the VLANs, source, destination prefixes, and ports we want the rules to apply to.

There are separate CRDs for application-level gateway (ALG) listeners and protocol-specific solutions. This required several steps in classic BIG-IP: first create a virtual service, then create a profile and finally apply it to the virtual server. In BIG-IP Next, this is done in one CRD. At the time of writing, these CRDs are:

  • F5BigZerorationPolicy- Part of the DNS Zero-Rating solution; allows subscribers to bypass rate caps.
  • F5BigDns application- High performance DNS resolution, caching and DNS64 translations.
  • F5BigAlgFtp- File Transfer Protocol (FTP) application laggatewaytjenester.
  • F5BigAlgTftp- Lagsgatewaytjenester aplikacija Trivial File Transfer Protocol (TFTP).
  • F5BigAlgPptp- Point-to-Point Tunneling Protocol (PPTP) application latency.
  • F5BigAlgRtsp- lagsgatewaytjenester Real-time Streaming Protocol (RTSP) applications.

Traffic management profiles and policy settings

Depending on the type of listeners created, they can have different types of profiles and policies associated with them.

In case ofF5BigContextSecure can be attachedthe following CRDs to define how traffic is processed:

and the following security and NAT rules:

  • F5 BigDdos policy- Denial of Service (DoS/DDoS) event detection and mitigation.
  • F5BigFwPolicy- Stateful granular flow filtering based on access control list (ACL) policies.
  • F5BigIpsPolicy- Intelligent packet inspection protects applications from malicious network traffic.
  • F5BigNat politics- Carrier level NAT (CG-NAT) using large group NATs (LSNs).

ALG listeners require useF5BigNat politicsand you can use itF5BigFwPolicyCRD.oveCRDs also have traffic selectors that allow additional control over the traffic to which these policies should be applied.

Konteksti vatrozida

Firewall rules are applied to the listener with the best match. exceptF5BigFwPolicythat can be attached, a global firewall policy (thus effective on all listeners) can be configured before evaluating a listener-specific firewall policy. this is done withF5BigContextGlobalCRD, which may have attached aF5BigFwPolicy.

F5BigContextGlobalalso contains a default action that is applied to traffic that does not match any firewall rules in any context (for example, a global context or a secure context or another listener). This default action can be configured to accept, reject, or reject, and whether this default action can be logged.

In summary, firewall contexts in listen matching are processed in this order:

(Video) Red Hat Enterprise Linux Tutorial (Full Course)
  1. KontekstGlobal
  2. Matching ContextSecure or other listening context.
  3. Default action defined by ContextGlobal's default action.

Event log

Quickly logging events is key to providing insight into what CNFs are doing. The following CRDs are implemented for this:

  • F5BigLogPerfil- Specifies subscriber connection information sent to external registration servers.
  • F5BigLogHslpub- Defines remote log server endpoints for F5BigLogProfile.

Plan F5 BIG-IP Next CNF solution

What is revealed here is just the beginning of the journey. Telecom companies have embraced Kubernetes as a compute and orchestration layer. This is why BIG-IP Next CNF solutions will eventually replace classic analog BIG-IP VNFs. In the coming months, expect BIG-IP Next CNF solutions to match and possibly surpass the capabilities currently offered by analog VNFs.


This article presents a completely rebuilt and scalable solution for Red Hat OpenShift, primarily aimed at the telecommunications customer plan. This new microservices architecture offers flexibility, faster service delivery, robustness and most importantly, the use of Kubernetes. Kubernetes is becoming a unified orchestration layer for telecommunications companies, simplifying the infrastructure lifecycle and reducing costs. OpenShift is a best-in-class Kubernetes platform with enterprise-ready and Telco-specific features. The architecture of this solution, together with the use of OpenShift, also extends the use cases of network services to the edge enabling network functions to be implemented in a smaller footprint.Please check Official documentation of the BIG-IP Next CNF solutionfor more technical details and for a high-level overview.

(Video) Red Hat + F5: Automate, scale, and secure application workloads across multi-cloud environments


What is F5 CNF? ›

F5 BIG-IP Next CNFs enable a cloud-native solution that is secure, automated, and scalable, critical for the transition to 5G networks.

What is F5 SPK? ›

SPK integrates F5's containerized Traffic Management Microkernel (TMM), Ingress Controller, and Custom Resource Definitions (CRDs) into the OpenShift container platform, to proxy and load balance low-latency 5G workloads.

What is CNF in cloud? ›

A cloud-native network function (CNF) is a service that performs network duties in software, as opposed to purpose-built hardware. Operating network functions via software is possible due to the vast and low-cost central processing unit and memory resources available in today's server platforms.

What is Bigip next? ›

BIG-IP Next is the next generation BIG-IP software built to offer greater automation opportunities, scalability, and ease-of-use for organizations running applications on-premises, in the cloud, or out at the edge.

What is CNF Cisco? ›

For each Cisco Unified Client Services Framework (CSF) device that you add to the system, Cisco Unified Communications Manager creates a configuration (CNF. xml) file. The CNF file contains the device specifications for the associated user.

What is BIG-IP in F5? ›

F5 BIG-IP is the overarching marketing name used to identify F5's software suite of licensed “modules”. All of the modules sit “logically” inside of F5's Traffic Management Operation System® (TMOS), in other words, they are all enabled via software.

What is BIG-IP SPK? ›

BIG-IP SPK provides 4G signaling traffic management, visibility, and security at container ingress (North/South) into the 5G core Kubernetes clusters. Running on Red Hat OpenShift, it can also proxy service provider-specific protocols, such as 5G HTTP/2-REST, Diameter, SIP, GTP, and SCTP.

Does Amazon use F5? ›

F5 on AWS (Amazon Web Services) Take your business-critical applications to the AWS cloud with confidence. F5 advanced application services provide the performance, visibility, and security your apps require.

What are the components of CNF? ›

The main elements of creative nonfiction are setting, descriptive imagery, figurative language, plot, and character.

What is the difference between CNF and VNF? ›

This approach makes it easy to move the contained component among environments (development, test, production, etc.) —and even among clouds—while retaining full functionality. As an evolution from VNFs, cloud-native network functions (CNFs) are designed and implemented to run inside containers.

What is CNF and containers? ›

A Cloud-Native Network Function (CNF) is a software-implementation of a function, or application, traditionally performed on a physical device, but which runs inside Linux containers (typically orchestrated by Kubernetes).

Is F5 BIG-IP a load balancer? ›

F5 provides highly available, intelligent load balancing and traffic policy management across your preferred cloud providers.

What is the difference between F5 BIG-IP LTM and GTM? ›

Similar to a usual DNS server, the GTM does not provide any port information in its resolution. The LTM doesn't do any name resolution and assumes a DNS decision has already been made. When traffic is directed to the LTM traffic flows directly through its' full proxy architecture to the servers it's load balancing.

Is F5 BIG-IP a reverse proxy? ›

For more complex and hybrid environments, the F5 BIG-IP system is a full proxy that can be deployed as a full reverse proxy server capable of intercepting, inspecting, and interacting with requests and responses.

What is CNF in Devops? ›

Basically, CNFs are network functions like routers or firewalls moved inside Linux containers, which are themselves orchestrated by tools such as Kubernetes. This means that, in a sense, Kubernetes is managing network traffic.

How does CNF works? ›

CNF stands for Cost and Freight. This means the supplier of goods is responsible for the freight-related charges. The buyer of the products is responsible for organising and paying the insurance on the goods.

What file type is CNF? ›

CNF is a text-based file format for storing a Boolean expression in conjunctive normal form. The format was created by DIMACS (Center for Discrete Mathematics and Theoretical Computer Science). The general-purpose commands Import and Export also support this format.

What are the advantages of F5 BIG-IP? ›

BIG-IP ADC appliances can simplify your network and reduce TCO by offloading servers, providing a consistent set of comprehensive application services, and consolidating devices, saving management, power, space, and cooling costs in the data center.

What are the different methods of F5 BIG-IP load balancer? ›

Those methods are: Least Connections, Weighted Least Connections, Fastest, Observed, and Predictive. The Least Connections methods are relatively simple in that the BIG-IP system passes a new connection to the pool member or node that has the least number of active connections.

What are the minimum requirements for F5 BIG-IP? ›

Virtual machine memory requirements

The guest should have a minimum of 4 GB of RAM for the initial 2 virtual CPUs. For each additional CPU, you should add an additional 2 GB of RAM. If you license additional modules, you should add memory. Two modules maximum.

Is BIG-IP a VPN? ›

F5 BIG-IP® Edge Gateway™ is an accelerated remote access solution that brings together SSL VPN, security, application acceleration, and availability services.

Is BIG-IP a firewall? ›

BIG-IP AFM is an ICSA Labs certified network firewall with DDoS threshold alerting that hyper- scales across many devices using IP Anycast for DDoS absorption. It mitigates threats by blocking access to malicious IP domains.

What is the difference between BIG-IP and wide IP? ›

A Wide IP equates to the common URL that you are load balancing. For example, A pool or pools are usually attached to a WIP, which contain the IP addresses it's intelligently resolving. BIG-IP® DNS selects pools based on the order in which they are listed in a wide IP.

Is F5 access a VPN? ›

F5 Network's FirePass SSL VPN is an SSL VPN that provides broad application support, scalability, easy installation and use, and the highest standard of integrated end-point security.

What type of virtual servers are F5? ›

The F5 Virtual Server is a traffic management object on your F5 BIG-IP device. It is the representation of multiple servers to the user as a single server. The F5 Virtual Server is a virtual IP that serves user requests. It transmits the requests to the pool that you configure.

What AWS does Netflix use? ›

These are called cloud computing companies. Netflix uses AWS - Amazon Web Services.

What are the examples of CNF? ›

Chomsky's Normal Form (CNF)
  • Start symbol generating ε. For example, A → ε.
  • A non-terminal generating two non-terminals. For example, S → AB.
  • A non-terminal generating a terminal. For example, S → a.

How do you write a CNF? ›

The 4 Golden Rules of Writing Creative Nonfiction
  1. Make sure everything is factually accurate. ...
  2. Play with person. ...
  3. Follow emotion. ...
  4. Incorporate literary techniques.
Sep 29, 2021

What do you know about CNF? ›

CNF stands for “Confirmed” in the context of Indian Railways. It implies that the passenger has a confirmed seat on the train. If you get a CNF in a train ticket, it means that you have been allocated a seat and can travel on the reserved date.

What is the difference between CNF and PNF? ›

In contrast to Virtualized Network Functions, physical network function (PNF) refers to the legacy network appliances on proprietary hardware. And cloud-native network function (CNF) refers to the containerized Virtualized Network Functions and may be the container networking and service mesh among microservices.

What does VNF stand for? ›

VNF — Virtual Network Functions

Virtual Network Functions (VNFs) are virtualized network services running on open computing platforms formerly carried out by proprietary, dedicated hardware technology. Common VNFs include virtualized routers, firewalls, WAN optimization, and network address translation (NAT) services.

What is the difference between VM and container networking? ›

A container network is a form of virtualization similar to virtual machines (VM) in concept but with distinguishing differences. Primarily, the container method is a form of operating system virtualization as compared to VMs, which are a form of hardware virtualization.

What is CNF architecture? ›

A cloud native network function is a connectivity service that is designed and constructed to operate inside containers. Most cloud-native concepts (architectural as well as operational), such as K8s service lifecycle management, mobility, robustness, and observability, are inherited by CNFs.

What is the difference between VNF and VNFC? ›

A VNF consists of one or more VNFCs (Virtual Network Function Component). A VNFC (defined via a Resource Descriptor) is made up of: Lifecycle Ansible® scripts. One or more VDUs (Virtual Deployment Unit) - Each VDU will be tied to a specific infrastructure type.

What is CNF in Azure? ›

CNFs are networking elements packaged as a set of cloud native microservices. CNAs are any arbitrary application (in our case edge computing applications) packaged as a set of cloud native microservices. These CNFs/CNAs need to have a “package” that describes how to orchestrate the application.

What is F5 Cgnat? ›

F5 BIG-IP CGNAT functionality includes NAT44, to primarily focus on extending the use of IPv4 addresses in the network, as well as NAT64, enabling IPv6 endpoints to seamlessly and transparently access IPv4 content and destinations.

What is CNF in testing? ›

A cloud native network function (CNF) is an application that implements or facilitates network functionality in a cloud native way, developed using standardized principles and consisting of at least one microservice.

Is F5 a CDN? ›

F5 Distributed Cloud Services are SaaS-based security, networking, app management, and content delivery network (CDN) services that enable customers to deploy, secure, and operate their apps in a cloud-native environment wherever needed—the data center, multi-cloud, and network and enterprise edge.

What is F5 in load balancing? ›

F5 provides protocol and application traffic awareness for intelligent load balancing decisions. BIG-IP Local Traffic Manager (LTM) Obtain the flexible control you need from basic load balancing to complex traffic management decisions. NGINX Plus.

What is the difference between NAT and CGNAT? ›

Differences between NAT and CGNAT

Purpose: As mentioned above, NAT is primarily used in home and small business networks to allow multiple devices to access the internet through a single router, while CGNAT is primarily used by ISPs to allow multiple customers to share a single public IP address.

Is CGNAT the same as double NAT? ›

It is just a NAT. With CGN, Service Providers do NAT44 on the CPE from a private address to another private address (Well known /10 prefix which is allocated by IANA) and another NAT44 on the Service Provider network. That's why you can hear CGN, LSN, Double NAT, or NAT444. All of them refer to the same thing.

Why is CNF necessary? ›

Conjunctive normal form (CNF) is an approach to Boolean logic that expresses formulas as conjunctions of clauses with an AND or OR. Each clause connected by a conjunction, or AND, must be either a literal or contain a disjunction, or OR operator. CNF is useful for automated theorem proving.

What are included in CNF? ›

CNF refers to cost and freight. This is a common type of shipping agreement where the seller will pay for delivering the goods to the port closest to the buyer.

Is F5 a load balancer or firewall? ›

F5 will allow you to inspect and encrypt all the traffic passing through your network. The solution includes features of Load Balancing, Application Firewall and Proxy.

What is CDN vs load balancer? ›

At the end of the day, CDNs and load balancers are fundamentally different types of tools. The main purpose of CDNs is to distribute content across a wide geographic area, whereas a load balancer distributes traffic across a network of servers that are usually in close geographic proximity to each other.

What is the difference between F5 and Akamai? ›

Akamai provides a really high level of blocking of attacks, mitigation of DDOS and acceleration of the content. F5 will be able to tie in things like XML gateway, ICAP AV scanning and other rich features. The 2 technologies work well with each other to provide a very high level of security.

Why floating IP is used in F5? ›

A floating self IP address ensures that application traffic reaches its destination. More specifically, a floating self IP address enables a source node to successfully send a request, and a destination node to successfully send a response, when the relevant BIG-IP device is unavailable.

How many types of F5 load balancer are there? ›

Load balancers are generally grouped into two categories: Layer 4 and Layer 7. Layer 4 load balancers act upon data found in network and transport layer protocols (IP, TCP, FTP, UDP). Layer 7 load balancers distribute requests based upon data found in application layer protocols such as HTTP.


1. [Technical Product Update] What's New: OpenShift 4.12 [Jan-2023]
2. Red Hat CNF Certification and Vendor Validation for OpenShift program
3. Red Hat OpenShift on AWS (ROSA) with F5 Distributed Cloud
(F5 DevCentral)
4. Ask an OpenShift Admin (E74) | Red Hat Single Sign On and GitHub Authentication
(Red Hat)
5. Install and Configure F5 Cloud-Native Network Functions!
(F5 DevCentral)
6. Red Hat Advanced Cluster Management
(Tech Field Day)


Top Articles
Latest Posts
Article information

Author: Virgilio Hermann JD

Last Updated: 10/08/2023

Views: 6475

Rating: 4 / 5 (61 voted)

Reviews: 92% of readers found this page helpful

Author information

Name: Virgilio Hermann JD

Birthday: 1997-12-21

Address: 6946 Schoen Cove, Sipesshire, MO 55944

Phone: +3763365785260

Job: Accounting Engineer

Hobby: Web surfing, Rafting, Dowsing, Stand-up comedy, Ghost hunting, Swimming, Amateur radio

Introduction: My name is Virgilio Hermann JD, I am a fine, gifted, beautiful, encouraging, kind, talented, zealous person who loves writing and wants to share my knowledge and understanding with you.