F5’s Cloud-Native Network Functions (CNFs) deliver full-proxy security and traffic management use-cases, designed for communication service provider (CSP) 5G networks. CNFs integrates F5’s containerized Traffic Management Microkernel (TMM), Ingress Controller, and Custom Resource Definitions (CRDs) into the OpenShift Cloud Native Platform, to secure, proxy and optimize low-latency 5G workloads.

This document describes the CNFs feature set and software components for the OpenShift container platform.


CNFs supports the following features:

  • Distributed denial-of-service (DDoS) attack prevention.
  • Intrusion detection and prevention (IPS).
  • Industry-standard network firewall rules.
  • Carrier-grade NAT (CGNAT) with large-scale NAT (LSN).
  • High performance DNS resolution with caching.
  • High performance SR-IOV interface networking.
  • Kubernetes IPv4/IPv6 dual-stack networking
  • Redundant data storage with persistence.
  • Diagnostics, statistics and debugging.
  • Centralized logging collection.
  • Pod health monitoring.
  • Rulelist in the AFM ACL Policy.
  • Switch License.
  • CRD Conversion Webhook.
  • f5nxtctl tool.


CNFs software comprises these primary components:

BIG-IP Controller

The BIG-IP Controller watches the Kube-API for Custom Resource (CR) update events, and configures both the Edge Firewall and Traffic Management Microkernel (TMM) Proxy Pods based on the update.

Custom Resource Definitions

Custom Resource Definitions (CRDs) extend the Kubernetes API, enabling Edge Firewall and TMM to be configured using CNFs’ Custom Resource (CR) objects. CRs configure Edge Firewall and TMM to inspect and protect 5G application traffic. CRs also configure TMM’s DNS Caching feature and networking components such as self IP addresses and static routes.

TMM Proxy Pod

The Traffic Management Microkernel (TMM) Proxy Pod provide intelligent packet inspection, network address translation, and DNS caching. Additional Proxy Pod containers may also be installed to assist TMM with dynamic routing, logging collection and debugging.

Firewall Policy Compiler

The Firewall Policy Compiler Pod is comprised of a Packet Classification Compiler daemon (PCCD) that converts network firewall rules and CG-NAT configurations into binary large objects (BLOBs). BLOBS are optimized for fast lookup performance, and are then sent to the Traffic Management Microkernel (TMM) Proxy Pod for traffic matching and processing.

Next step

Continue to the CNFs Release Notes for recent software updates and bug information.