F5 BIG-IP Virtual Edition (VE)

Bridge integrates with F5 BIG-IP Virtual Edition (VE) to provide external connectivity, per-tenant NAT, and load balancing at the data center edge. BIG-IP VE is deployed as a virtual machine on the fabric and managed by Bridge's GW controller.

Architecture

BIG-IP VE sits at the border of the fabric between the tenant VRFs and the external network. Bridge configures border leaf switches to direct tenant egress traffic to the gateway via route leaking.

Tenant VRF (T1) ──► Per-tenant External VRF ──► Route leak to Exit VRF ──► F5 BIG-IP VE ──► External Network
Tenant VRF (T2) ──► Per-tenant External VRF ──► Route leak to Exit VRF ──► F5 BIG-IP VE ──► External Network

Each tenant has an isolated external VRF. Route leaking to the shared Exit VRF is controlled by Bridge, preventing cross-tenant traffic leakage at the border.

Capabilities

Capability | Description
NAT Gateway | Translates tenant private IPs to public IPs; manages inbound DNAT rules
Security groups | Enforces per-tenant firewall rules (allow/deny by IP, port, protocol)
L4 load balancing | TCP/UDP load balancing across multiple service endpoints
L7 load balancing | HTTP/HTTPS routing with host- and path-based rules

Service Exposure

Bridge automates gateway configuration as tenant services are deployed, supporting two service exposure patterns:

Ingress (Shared External IP)

A wildcard DNS record resolves all tenant service hostnames to a single gateway IP. The gateway performs DNAT to the Kubernetes Ingress IP, and the Ingress controller routes requests to the appropriate backend.

Example:

DNS: *.inference.example.com → 203.0.13.25

Gateway config (applied by Bridge):
DNAT: 203.0.13.25 → 172.17.8.8 (Ingress IP)
FW Rule: Allow inbound TCP 443 on 203.0.13.25

Ingress routing rules are added dynamically as services are deployed.

LoadBalancer Service (Dedicated External IPs)

Each service gets its own external IP, DNAT'd directly to the Kubernetes service LoadBalancer IP. An L4 load balancer at the gateway handles traffic distribution when the same model is served across multiple clusters.

Example:

DNS: modelA.example.com → 203.0.13.25
DNS: modelB.example.com → 203.0.13.26

Gateway config (applied by Bridge):
DNAT: 203.0.13.25 → 172.17.8.8
DNAT: 203.0.13.26 → 172.17.8.9
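
An added example (not Bridge or F5 code): a consistency audit over DNAT and firewall entries written in the illustrative notation of the two examples above, which is not a BIG-IP or Bridge export format. It assumes every DNAT'd external IP should carry an explicit allow rule, as in the Ingress example; the sample input and finding names are constructed.

```python
import ipaddress
import re

# Constructed sample in the page's illustrative notation (not a BIG-IP or Bridge
# export format). The last two lines are deliberately wrong to exercise the checks.
SAMPLE = """\
DNAT: 203.0.13.25 → 172.17.8.8
DNAT: 203.0.13.26 → 172.17.8.9
FW Rule: Allow inbound TCP 443 on 203.0.13.25
DNAT: 203.0.13.26 → 172.17.8.10
FW Rule: Allow inbound TCP 22 on 203.0.13.27
"""

DNAT_RE = re.compile(r"^DNAT:\s*(\S+)\s*(?:→|->)\s*(\S+)")
FW_RE = re.compile(r"^FW Rule:\s*Allow inbound (TCP|UDP) (\d+) on (\S+)")

def parse(text):
    """Return (dnat, allows), both keyed by external IP: DNAT targets and (proto, port) rules."""
    dnat, allows = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := DNAT_RE.match(line):
            ext, target = (ipaddress.ip_address(g) for g in m.groups())
            dnat.setdefault(ext, set()).add(target)
        elif m := FW_RE.match(line):
            allows.setdefault(ipaddress.ip_address(m[3]), set()).add((m[1], int(m[2])))
    return dnat, allows

def audit(text):
    """Return sorted findings as (code, external_ip) tuples; empty list means consistent."""
    dnat, allows = parse(text)
    findings = []
    for ext, targets in dnat.items():
        if len(targets) > 1:                      # one public IP, two backends
            findings.append(("conflicting-dnat", str(ext)))
        if any(not t.is_private for t in targets):  # DNAT should land on a tenant-private IP
            findings.append(("public-dnat-target", str(ext)))
        # Assumption: each exposed IP needs an explicit allow rule (as in the Ingress example).
        if ext not in allows:
            findings.append(("dnat-without-allow-rule", str(ext)))
    for ext in allows:
        if ext not in dnat:                       # port opened on an IP with no backend mapping
            findings.append(("allow-rule-without-dnat", str(ext)))
    return sorted(findings)

if __name__ == "__main__":
    for code, ip in audit(SAMPLE):
        print(f"{code}: {ip}")
```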

Bridge GW Controller

Bridge's GW controller manages the BIG-IP VE lifecycle and configuration:

  • Onboards the F5 BIG-IP VE during Day 0 setup.
  • Configures border leaf route leaking as part of underlay creation.
  • Dynamically updates NAT rules, DNAT entries, and firewall rules as tenants are created and services are deployed.