F5 BIG-IP Next on DPU
F5 BIG-IP Next can be deployed and managed by Bridge directly on NVIDIA BlueField-3 DPUs. This model distributes gateway functions across DPUs in each compute node, eliminating the centralized gateway appliance and enforcing per-tenant policies at the point of network ingress.
Architecture
In the centralized BIG-IP VE model, all tenant traffic must traverse a shared VM appliance at the fabric edge. With BIG-IP Next on DPU, gateway functions are distributed:
| Model | Gateway Location | Traffic Path |
|---|---|---|
| BIG-IP VE (centralized) | Single VM on fabric edge | All traffic → F5 VE → external |
| BIG-IP Next on DPU | Each BlueField-3 (BF3) DPU in the compute nodes | Tenant traffic → DPU gateway → exit router |
VXLAN tunnels from tenant workloads terminate at the DPU, where NAT and routing policies are applied before traffic reaches the exit router.
Capabilities
BIG-IP Next on DPU provides the following gateway functions, executed directly on the DPU for low latency and high throughput:
| Capability | Description |
|---|---|
| L4 load balancing | TCP/UDP load balancing for tenant services such as AI model inference endpoints |
| L7 load balancing | HTTP/HTTPS load balancing with intelligent request routing |
| Per-tenant internet gateway | Isolated NAT and routing policies per tenant applied at the DPU |
| WAF (Web Application Firewall) | Application-level security enforcement at the DPU |
| Kubernetes Ingress integration | Integration with Kubernetes Ingress controllers for multi-cluster service routing |
Traffic Flow
- The tenant workload generates traffic within the tenant VXLAN overlay.
- VXLAN tunnels terminate at the BF3 DPU.
- BIG-IP Next on the DPU applies NAT, routing policies, and WAF rules.
- Traffic exits via the exit router to the external network.
This architecture ensures that per-tenant gateway enforcement is local to the compute node, reducing latency and removing the central gateway as a bottleneck.
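An added illustration of the flow above, not F5 or Bridge code: it models fail-closed per-tenant policy selection at tunnel termination, assuming each tenant maps to one VXLAN VNI (the page does not state how tenants are identified). The VNIs, addresses, and the names `TENANT_POLICY`, `egress_decision` and `build_sample` are constructed for the example, which handles only untagged IPv4 inner frames.

```python
import ipaddress
import struct

VXLAN_FLAG_VNI_VALID = 0x08  # "I" flag in the 8-byte VXLAN header (RFC 7348)
OVERLAY = ipaddress.ip_network("10.0.0.0/24")  # constructed; both tenants reuse it

# Assumption: one VNI per tenant. Constructed sample table, VNI -> policy.
TENANT_POLICY = {
    5001: {"tenant": "tenant-a", "prefix": OVERLAY, "snat": "203.0.113.10"},
    5002: {"tenant": "tenant-b", "prefix": OVERLAY, "snat": "203.0.113.20"},
}

def parse_vni(payload: bytes) -> int:
    """Return the 24-bit VNI from the VXLAN header or raise ValueError."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags, vni_word = struct.unpack("!B3xI", payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    return vni_word >> 8  # low 8 bits are reserved

def egress_decision(payload: bytes) -> dict:
    """Pick the per-tenant SNAT for one decapsulated packet; fail closed otherwise."""
    try:
        vni = parse_vni(payload)
        inner = payload[8:]  # inner Ethernet frame follows the VXLAN header
        if len(inner) < 34 or inner[12:14] != b"\x08\x00":
            raise ValueError("inner frame is not IPv4")
        src = ipaddress.ip_address(inner[26:30])  # IPv4 source address
    except ValueError as exc:
        return {"action": "drop", "reason": str(exc)}
    policy = TENANT_POLICY.get(vni)
    if policy is None:
        return {"action": "drop", "reason": f"no tenant for VNI {vni}"}
    if src not in policy["prefix"]:
        return {"action": "drop", "reason": "source outside tenant prefix"}
    return {"action": "snat", "tenant": policy["tenant"], "to": policy["snat"]}

def build_sample(vni: int, src: str, flags: int = VXLAN_FLAG_VNI_VALID) -> bytes:
    """Constructed test packet: VXLAN header + Ethernet + minimal IPv4 header."""
    vxlan = struct.pack("!B3xI", flags, vni << 8)
    ether = b"\x00" * 12 + b"\x08\x00"
    ipv4 = b"\x45" + b"\x00" * 11 + ipaddress.ip_address(src).packed
    ipv4 += ipaddress.ip_address("198.51.100.7").packed
    return vxlan + ether + ipv4

if __name__ == "__main__":
    for vni, src in [(5001, "10.0.0.5"), (5002, "10.0.0.5"), (5999, "10.0.0.5")]:
        print(vni, src, egress_decision(build_sample(vni, src)))
```

Because the lookup is keyed on the VNI rather than the inner address, two tenants that reuse the same overlay prefix still receive separate NAT policies, and traffic with an unknown VNI or a malformed header is dropped.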
Deployment and Management
Bridge manages the full lifecycle of BIG-IP Next on DPU:
- Bridge deploys BIG-IP Next on BF3 DPUs as part of DPU provisioning.
- Gateway configuration (NAT rules, load balancer policies, WAF rules) is applied per tenant as tenants are created and services are deployed.
- BIG-IP Next instances are updated and managed through Bridge's GW controller without manual intervention on individual DPUs.
Prerequisites
- BlueField-3 DPUs must be provisioned in DPU mode (Zero Trust). See BlueField-3 (BF3).
- DPU Fabric (DPF) control plane must be active. See DPU Overview.
Related Pages
- F5 BIG-IP VE — Centralized gateway for external connectivity
- Gateway Overview — Service exposure models
- BlueField-3 (BF3) — DPU provisioning required for BIG-IP Next deployment