F5 and NGINX Together Extend Robust Security Across Your Hybrid Environment

Thelen Blum Thumbnail
Thelen Blum
Published January 20, 2022

When one of the world’s most successful premium car makers picks an application security solution, you can be confident they’ve made sure it meets their standards for performance and reliability. That’s why we’re proud that the Audi Group – active in more than 100 markets worldwide – recently chose F5 NGINX App Protect WAF to secure its Kubernetes‑based platform for modern application development.

NGINX App Protect is a prime example of how F5 enables customers on their digital transformation journeys by integrating its industry‑leading security expertise into tools for modern apps. In this case, we’ve ported the security engine from F5 Advanced Web Application Firewall (WAF) – tried and tested over decades by our BIG‑IP customers – into NGINX, known as an ideal platform for modern app delivery thanks to its exceptional performance, flexible programmability, and ease of deployment in any environment.

Like many F5 customers, Audi relies on both BIG‑IP and NGINX. By leveraging a common security engine in products with the right form factor for different environments, Audi can be confident that its entire infrastructure is protected from the OWASP Top 10 and other advanced threats. It also means that Audi’s DevOps and SecOps teams can operate in harmony with robust support from F5.

F5 acquired NGINX in 2019 because it recognized the changes it was seeing in the app‑delivery landscape as inexorable. NGINX App Protect is one of the first demonstrations of the synergy that makes F5 and NGINX better together. We look forward to building further on that synergy, strengthening both F5’s security portfolio and its role in the modern application landscape.

How NGINX Helps Make F5 Better

In the mid‑2010s, F5 realized that to continue succeeding in the modern app‑delivery landscape it needed to build out its product portfolio. Today we see those changes accelerating, as evidenced by these trends:

  • Enterprises are adopting Kubernetes for modern app environments
  • Enterprises are adopting DevSecOps, which shifts security left, closer to developers
  • Developers prefer – and often insist on – open source software

As enterprises move to modern app deployments and architectures, the world of application security is also witnessing a shift away from models that treat infrastructure as a shared service. Increasingly, microservices and Kubernetes dominate the modern app landscape, with security tools fully integrated into the delivery process. According to the 2021 Kubernetes Adoption report, 89% of IT professionals expect Kubernetes to expand its role in infrastructure management over the next two to three years as Kubernetes adoption and functionality continue to grow.

BIG‑IP and NGINX provide similar core application‑delivery functionality but are suited to different app development and delivery environments. BIG‑IP’s relatively large footprint isn’t ideal for all application types, especially highly distributed and dynamic ones. Particularly as DevSecOps shifts security left – and developers deploy new and updated software faster than ever – enterprises need a solution with a smaller footprint that integrates easily into DevOps workflows.

F5 provides that solution in the form of NGINX App Protect and other NGINX products. Additionally, NGINX satisfies the craving of today’s modern app developers – and anyone who focuses on building applications rather than managing networks and security – for open source technology. The DevSecOps culture also leans towards open source, and NGINX brought to F5 its large, enthusiastic open source community and modern mindset. Beyond that, NGINX’s modern modular architecture makes it easy to incorporate F5 security technology in the form of modules.

With its open source roots, NGINX has put a community‑forward mindset front and center in its app development and microservices architectures. Now NGINX is helping influence F5 to extend its more traditional culture and embrace open source as part of product development. As a clear example, at Sprint 2.0, F5 announced its expanded participation in open source projects like the Kubernetes Gateway API SIG and community.

How F5 Helps Make NGINX Better

The F5 Advanced WAF is a perfect fit for security‑focused organizations that wish to self‑manage and tailor granular controls for traditional apps. Its WAF and DoS security engines have long been available to BIG‑IP customers as modules in Advanced WAF, but not in a lightweight form factor suitable for microservices architectures and environments. NGINX customers, on the other hand, had trouble finding a WAF with the rich feature set of Advanced WAF that didn’t drive up latency.

After the NGINX acquisition, F5 made it a top priority to port its trusted application security solutions to NGINX, offering enterprise‑grade security expertise in a high‑performance and lightweight form factor that serves the needs of DevOps and DevSecOps teams building modern applications. NGINX App Protect is the result. Immediately upon its release in 2020, it set new benchmarks for low latency, high performance, and resistance to bypass techniques.

The many benefits from integrating Advanced WAF’s power into NGINX include:

  • Protecting and scaling mission‑critical, advanced front‑end services in your modern application stack
  • Achieving the time-to-market benefits of a microservices architecture without compromising reliability and security controls
  • Providing consistent, robust, and high‑performance application security wherever application traffic moves – whether through BIG‑IP or through microservices architectures enabled by NGINX

NGINX App Protect WAF provides high performance in a small footprint, optimized for microservices architectures, cloud, and containers. NGINX App Protect DoS defends against hard-to-detect Layer 7 attacks.

And how does F5 serve enterprises who want to shift left? By enabling them to inject battle‑tested and superior application security into their CI/CD pipelines, reducing the inherent risks of rapid and frequent releases. The F5 NGINX Controller App Security add‑on for both API management and application delivery enable AppDev and DevOps teams to implement WAF protection in their development pipelines in a self‑service manner while still complying with corporate security requirements. You can also apply consistent policies across all of your BIG‑IP and NGINX deployment environments with the NGINX App Protect Policy Converter.

Improving Governance and Observability with Machine Learning and Portable Policies

Of course, technology never stops evolving, and F5 and NGINX plan to continue innovating.

F5’s “Adaptive Applications” Vision Promises Comprehensive Security

As modern threats become increasingly complex, an app’s ability to adapt to threats and other changes becomes ever more crucial. In an ideal world, app services independently scale based on demand. F5 sees this as entering a new world of “Adaptive Applications” – one where a consistent, declarative API layer enables easy management of applications that learn to take care of themselves and avoid evolving security threats, allowing customers to safely deliver modernized experiences.

Acquisitions like Shape and Threat Stack Enrich F5 with ML and Observability

Further expanding its world‑class portfolio of application security and delivery technology, F5 acquired Shape Security, a leader in online fraud and abuse prevention, in 2020, and Threat Stack, a cloud‑ and container‑native observability solution, in 2021. Incorporating Shape and Threat Stack technology gives F5 an end-to-end application security solution with proactive risk identification and real‑time threat mitigation, plus enhanced visibility across application infrastructures and workloads. Dashboards and monitoring are already in the works, along with projects focusing on machine learning (ML). F5 sees the need for sophisticated, adaptive protection and is dedicated to expanding its offerings in that area.

One WAF Engine Across Platforms Ensures Effective Security Everywhere

Using common WAF technology, F5 customers can maintain their standardized security policies when migrating from traditional environments to containerized and cloud environments, and from the F5 Advanced WAF to NGINX App Protect. Portability across our WAF products ensures continued security and confidence for F5 customers by use of a shared declarative API for WAF policy. Staying close to the application workloads, F5 is committed to enabling WAF capabilities in form factors best able to meet the needs of the application and its architecture.

Get Started with F5 NGINX Today

To stay up to date with F5 NGINX, engage with your trusted technology advisors – whether that be your account team or partner. Environments are constantly being streamlined for better management, and it’s easier than ever to stay plugged‑in and subscribe, especially with our focus on community. Whether you’re shifting left, requiring complex protection, or looking for time-to-market benefits, F5 NGINX’s tested technology, smaller footprint, and high‑performance solutions ensure agile and lightweight security both now and for the future.

Regardless of where you are in your app development journey, you can get started with free 30-day trials of our commercial security solutions:

"This blog post may reference products that are no longer available and/or no longer supported. For the most current information about available F5 NGINX products and solutions, explore our NGINX product family. NGINX is now part of F5. All previous links will redirect to similar NGINX content on"