Skip to content
DDoS

Cloud Configuration

XC (UI)

Section titled “XC (UI)”

Use the web interface to configure the Cloud side, based on the L3/L4 Routed DDoS Mitigation guide.

Enable DDoS workspace

Section titled “Enable DDoS workspace”

Before you can configure tunnels and BGP:

  1. Contact the Cloud team (via sales@example.com or your account team) to:

    • Enable Routed DDoS Mitigation workspace for your tenant.
    • Provide:
      • Your public IP netblocks (/24 or shorter for IPv4, /48 or shorter for IPv6) and proof of ownership (or LOA).
      • Your ASN (must be issued by ARIN or equivalent registry).
      • IRR registration (RIPE, ARIN, APNIC, etc.) and ROA in RPKI repository.
      • Desired clean-traffic return method (GRE tunnels, Layer 2, private peering via Equinix, etc.).
      • Data center locations and routers to protect.
      • AS-Path prepends required for route announcements.
      • Any BGP communities, route preferences, or AS-SET

  2. SOC will provision:

    • Tunnels
    • ASNs
    • Protected prefixes
    • Route advertisement options
    • Fast ACLs / firewall policies, as needed

Tunnels

Section titled “Tunnels”
  1. Log in to the Cloud Console and select Routed DDoS from the service selector.
  2. Go to Manage > Tunnels > Add Tunnel, and configure:
    • Location Name and Availability Zone (Zone 1 by default).
    • Bandwidth Max in MB.
    • Tunnel Type:
      • GRE Over IPv4 for IPv4 outer tunnel.
      • GRE Over IPv6 for IPv6 outer tunnel.
      • IP Over IP for IPv4-in-IPv4 encapsulation.
      • IPv6 Over IPv6 for IPv6-in-IPv6 encapsulation.
    • Customer Endpoint IP: BIG-IP’s external address (outer self IP, must be publicly routable when tunnels traverse the public Internet).
    • Optional: IPv4/IPv6 interconnect, fragmentation, keepalive (all disabled by default).
  3. Under Tunnel BGP Information:
    • Select an ASN object (your ASN).
    • Set Customer Peer Secret Override: Use Default Secret (default), BGP Password Override (blindfolded or clear text), or No Secret.
    • Set Holddown Timer value in seconds if different from default.

SOC may pre-create these tunnel objects for you; you simply match the endpoint IPs and BGP settings on BIG-IP.

ASNs and Routes

Section titled “ASNs and Routes”

  • ASNs: -> Manage > ASNs > Add ASN.

    • Enter your ASN and ensure BGP is enabled.

  • Prefixes: -> Manage > Prefixes > Add Prefix.

    • Enter each IP prefix and associate it with your ASN.

  • Route Advertisements -> Manage > Route Advertisement > Add Route Advertisement.

    • Enter prefix, choose Active or Not Advertised, and optional expiration.

These objects control which prefixes are announced via the global network when the service is active.

Network Restriction

Section titled “Network Restriction”

Firewall Rules, Deny List Rules, and Fast ACLs for Internet VIPs let you:

  • Block or allow specific traffic.
  • Rate-limit abusive sources.
  • Apply additional DDoS protections beyond pure volumetric scrubbing.