kubectl apply: F5 BIG-IP Next CNF Live Lab Demo on NVIDIA BlueField 3 DPU

By F5 DevCentral Community


Key Concepts

  • Big-IP Next CNF (Cloud-Native Network Functions): A modularized, containerized version of F5’s Big-IP services designed to run within a Kubernetes environment.
  • Big-IP Next for Kubernetes vs. CNF: "Big-IP Next for Kubernetes" services traffic inside the cluster, whereas "CNF" services traffic outside the cluster (e.g., external APIs, web servers).
  • DPU (Data Processing Unit): High-performance hardware (e.g., NVIDIA BlueField-3) that offloads networking and security tasks from the CPU to the network interface card, enabling line-rate performance.
  • CRD (Custom Resource Definition): Kubernetes extensions that allow F5 to define custom objects (like load balancers or firewall policies) that the Kubernetes API can manage.
  • Olivin: An open-source tool used in the lab to provide a UI for executing complex CLI/Kubectl commands, simplifying the demonstration of infrastructure-as-code.
  • OTEL (OpenTelemetry): A standard for observability data (logs, metrics, traces) used by CNF for logging, replacing traditional Syslog/Splunk-only dependencies.

1. Overview of Big-IP Next CNF

The video explains the evolution of F5’s Big-IP from a monolithic appliance (TMOS) to a deconstructed, cloud-native architecture. By breaking down services like TMM (Traffic Management Microkernel), AFM (Advanced Firewall Manager), and DNS into individual containers, F5 allows users to deploy only the specific services they need within a Kubernetes cluster.

2. Technical Architecture and Deployment

  • Hardware Acceleration: While CNF can run on standard nodes, it is optimized for DPU-enabled hardware. The lab environment utilizes a Dell R760 server with an NVIDIA BlueField-3 DPU, providing 200Gbps throughput.
  • Networking: The setup requires mapping bare-metal NICs to Kubernetes network policies and VLANs, mimicking traditional Big-IP self-IP and VLAN configurations but managed via Kubernetes manifests.
  • Persistence: Unlike traditional Big-IP, which uses local disk storage, CNF relies on Kubernetes persistent storage to maintain configuration state.

3. Step-by-Step Methodology (Lab Process)

The demonstration followed a structured, declarative approach using the Olivin UI:

  1. Reset: Clears existing resources to ensure a clean state.
  2. Networking Setup: Defines internal/external VLANs and static routes.
  3. Security Policy: Creates a firewall policy (defining source addresses, allows/rejects, and logging).
  4. Proxy Creation: Deploys a "Context Secure" (Load Balancer) object, attaching the previously created firewall policy, TCP profiles, and pool members.
  5. DNS Configuration: Implements DNS listeners, caching profiles, and blocking rules.
  6. Verification: Uses CLI-based checks to confirm traffic flow, DNS resolution, and security blocking.
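Because steps 2 through 4 are plain Kubernetes objects that reference each other (the proxy points at VLANs and a firewall policy), they can be checked before anyone runs `kubectl apply`. The script below is an added example, not code from the video, the lab, or F5: it lints a constructed manifest bundle for dangling references, a missing deny-by-default rule, accept-from-anywhere rules, shadowed rules, and rejects that are not logged, and it derives a dependency-first apply order. The CRD kinds and spec field names (`F5BigNetVlan`, `F5BigFwPolicy`, `F5BigContextSecure`, `spec.rules`, `spec.firewallPolicy`, the `F5BigPool` kind, and so on) are assumptions made for illustration and are not taken from F5's published CRD schemas.

```python
# Added example (not from the video or F5's own code): a pre-apply lint for a
# declarative firewall/proxy bundle of the kind the lab applies with kubectl.
# CRD kinds and spec field names are assumed for illustration only.
import ipaddress
from collections import deque

# Constructed sample bundle mirroring lab steps 2-4: two VLANs, a static route,
# a firewall policy, and a "Context Secure" proxy that references them.
SAMPLE_BUNDLE = [
    {"kind": "F5BigNetVlan", "metadata": {"name": "vlan-external"}, "spec": {}},
    {"kind": "F5BigNetVlan", "metadata": {"name": "vlan-internal"}, "spec": {}},
    {"kind": "F5BigNetStaticroute", "metadata": {"name": "route-default"},
     "spec": {"vlan": "vlan-external"}},
    {"kind": "F5BigFwPolicy", "metadata": {"name": "fw-web"},
     "spec": {"rules": [
         {"name": "allow-office", "action": "accept", "source": "10.20.0.0/16", "log": True},
         {"name": "allow-any", "action": "accept", "source": "0.0.0.0/0", "log": False},
         {"name": "deny-all", "action": "reject", "source": "0.0.0.0/0", "log": True},
     ]}},
    {"kind": "F5BigContextSecure", "metadata": {"name": "cs-web"},
     "spec": {"vlans": ["vlan-external", "vlan-internal"],
              "firewallPolicy": "fw-web", "pool": "pool-web"}},
]


def _name(obj):
    return f'{obj["kind"]}/{obj["metadata"]["name"]}'


def references(obj):
    """(kind, name) pairs this object depends on, under the assumed spec layout."""
    spec, kind = obj.get("spec", {}), obj["kind"]
    if kind == "F5BigNetStaticroute":
        return [("F5BigNetVlan", spec["vlan"])]
    if kind == "F5BigContextSecure":
        refs = [("F5BigNetVlan", v) for v in spec.get("vlans", [])]
        if "firewallPolicy" in spec:
            refs.append(("F5BigFwPolicy", spec["firewallPolicy"]))
        if "pool" in spec:
            refs.append(("F5BigPool", spec["pool"]))  # hypothetical pool kind
        return refs
    return []


def lint_firewall_policy(policy):
    """Ordered-rule checks: deny-by-default, overly broad accepts, shadowing, logging."""
    findings, pname = [], _name(policy)
    rules = policy["spec"].get("rules", [])
    last = rules[-1] if rules else None
    if not last or last["action"] not in ("reject", "drop") \
            or ipaddress.ip_network(last["source"]).prefixlen != 0:
        findings.append(f"{pname}: last rule is not a catch-all reject/drop (no deny-by-default)")
    catch_all_seen = False
    for rule in rules:
        net = ipaddress.ip_network(rule["source"])
        if catch_all_seen:  # every rule after a catch-all accept is dead
            findings.append(f"{pname}: rule '{rule['name']}' is unreachable (shadowed by a catch-all accept)")
            continue
        if rule["action"] == "accept" and net.prefixlen == 0:
            findings.append(f"{pname}: rule '{rule['name']}' accepts from any source")
            catch_all_seen = True
        if rule["action"] in ("reject", "drop") and not rule.get("log"):
            findings.append(f"{pname}: rule '{rule['name']}' rejects without logging")
    return findings


def lint_bundle(bundle):
    """Return human-readable findings; an empty list means the bundle is clean."""
    findings = []
    index = {(o["kind"], o["metadata"]["name"]) for o in bundle}
    for obj in bundle:
        for kind, name in references(obj):
            if (kind, name) not in index:
                findings.append(f"{_name(obj)}: references missing {kind}/{name}")
        if obj["kind"] == "F5BigFwPolicy":
            findings.extend(lint_firewall_policy(obj))
        if obj["kind"] == "F5BigContextSecure" and "firewallPolicy" not in obj["spec"]:
            findings.append(f"{_name(obj)}: proxy exposed without a firewall policy")
    return findings


def apply_order(bundle):
    """Dependency-first apply order (Kahn's algorithm); raises on a reference cycle."""
    index = {(o["kind"], o["metadata"]["name"]): o for o in bundle}
    indeg = {k: 0 for k in index}
    dependents = {k: [] for k in index}
    for key, obj in index.items():
        for ref in references(obj):
            if ref in index:  # dangling refs are reported by lint_bundle, not here
                indeg[key] += 1
                dependents[ref].append(key)
    ready = deque(k for k in index if indeg[k] == 0)
    order = []
    while ready:
        k = ready.popleft()
        order.append(f"{k[0]}/{k[1]}")
        for d in dependents[k]:
            indeg[d] -= 1
            if indeg[d] == 0:
                ready.append(d)
    if len(order) != len(index):
        raise ValueError("reference cycle in bundle")
    return order


if __name__ == "__main__":
    for line in lint_bundle(SAMPLE_BUNDLE):
        print("FINDING:", line)
    print("apply order:", " -> ".join(apply_order(SAMPLE_BUNDLE)))
```

Run against the constructed bundle, the lint reports the `allow-any` rule, the `deny-all` rule it shadows, and the proxy's reference to a pool that was never defined, while the apply order places both VLANs ahead of the static route and the proxy last, which is the same sequence the lab follows.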

4. Key Arguments and Perspectives

  • Industry Standards: John Callang emphasizes that CNF is not about learning proprietary F5 commands (TMSH), but rather adopting industry-standard Kubernetes practices (YAML manifests, declarative APIs).
  • Distributed Systems: The transition from monolithic appliances to distributed CNFs allows for "configuration as code," where infrastructure is version-controlled and repeatable.
  • Modularization: Users can pick and choose specific services (e.g., just the firewall or just the load balancer) rather than deploying a full-stack appliance.

5. Notable Quotes

  • "Big-IP Next for Kubernetes is services inside Kubernetes that Big-IP is going to service. Big-IP Next Cloud-Native Network Functions are services outside of the Kubernetes cluster." — John Callang
  • "It’s Big-IP deconstructed... you’re learning another way to do it, but you’re learning it in an industry standard." — John Callang

6. Synthesis and Conclusion

The session highlights that while the industry is moving toward Kubernetes, many organizations still maintain critical services outside of clusters. F5’s CNF bridges this gap by providing high-performance, hardware-accelerated traffic management that integrates seamlessly into Kubernetes workflows. By utilizing CRDs and OTEL, F5 ensures that network administrators can manage complex traffic policies with the same declarative rigor as application developers, effectively modernizing the traditional Big-IP experience for the cloud-native era.

For those interested in hands-on experience, the lab is available via the Worldwide Technology (WWT) platform, designed to be completed in approximately 20 minutes.
