F5 BIG-IP v21.0: Control plane, AI data delivery and security enhancements

F5 ADSP | November 18, 2025

Back in the 1990s, the technology world was evolving at an electrifying pace, but in the realm of digital transformation, few innovations were as significant as F5 BIG-IP. It wasn’t just a product; it was a pioneer, responsible for shaping and defining the application delivery controller (ADC) market as we know it today. Now, nearly three decades later, BIG-IP is a cornerstone of the F5 Application Delivery and Security Platform (ADSP), a testament to its adaptability and enduring value in an ever-changing tech landscape.

Now, it’s no secret that the pace of change is only accelerating. The rise of AI, the looming potential of quantum computing, and the constant evolution of cyberthreats mean application delivery and security solutions need to be smarter, faster, and more secure than ever before. These trends make it clear that adaptability is essential, not just desirable. BIG-IP has carried this ethos of innovation and resilience for almost 30 years and will carry these traits forward into the future.

In this vein, many of you are likely aware of F5’s recent decision to discontinue BIG-IP Next and refocus on modernizing the BIG-IP TMOS software suite. This was a decision that stemmed from extensive customer feedback and the realization that many of the enhancements originally envisioned for BIG-IP Next could now be achieved within BIG-IP TMOS. These enhancements, combined with innovative new functionality designed for the evolving tech landscape, will ensure BIG-IP supports your mission-critical workloads throughout the next application era.

This new chapter begins today with the availability of F5 BIG-IP v21.0, an update designed to deliver control plane improvements, enhance AI data delivery, and strengthen security. In this blog post we’ll discuss what you can expect from this landmark release. So, let’s dive in.

Modernizing the BIG-IP control plane

You can think of the control plane as BIG-IP’s central command center, responsible for making critical decisions, managing the system’s configurations, and enabling administrative operations. In recent years, increasingly dynamic and extensive application ecosystems have placed greater strain on the BIG-IP control plane, which made upgrading the control plane a key objective of the BIG-IP Next program. However, with the discontinuation of BIG-IP Next, the focus for upcoming releases has instead shifted to modernizing BIG-IP TMOS’ control plane. With BIG-IP v21.0, two control plane components—the Master Control Program Daemon (commonly known as MCPD) and eXtremeDB—will receive major improvements to boost control plane reliability, scale, and performance.

1. MCPD: Effectively the brain of BIG-IP, MCPD manages configurations and orchestrates communication between different BIG-IP components. You can think of MCPD as an air traffic controller at an airport. Just as air traffic controllers coordinate the movement of planes—managing take-offs, landings, and taxiing—MCPD coordinates all the components within the BIG-IP system, ensuring configuration changes and system commands are applied consistently, and traffic flows are handled efficiently.

With BIG-IP v21.0, MCPD will move from being single-threaded to multi-threaded, allowing it to process certain tasks concurrently rather than sequentially and reducing the likelihood of control plane bottlenecks in high-demand scenarios. Additionally, we’re simplifying and accelerating the restart procedure for MCPD, helping to reduce downtime in the event of a system restart. And finally, we’re shortening end-to-end configuration validation times—the time taken between receiving a configuration change request and providing a validation response to the user—by up to 25%, ensuring swift configuration updates in highly dynamic environments.

2. eXtremeDB: While MCPD is like an air traffic controller, eXtremeDB, a database management system, is comparable to a control tower’s flight information system, keeping track of aircraft locations, routes, schedules, and so on. For BIG-IP, eXtremeDB acts as a high-speed, centralized repository for all configuration and system state information, providing the control plane with real-time access to the latest data.

With BIG-IP v21.0, eXtremeDB is being upgraded to version 8.4, which unlocks various new capabilities. Multithreading improves control plane performance, while the use of SharedDB mode (enabling multiple processes to concurrently access the same resources) improves efficiency. The upgrade shifts eXtremeDB from a 32-bit to a 64-bit architecture, which significantly expands configuration object scale and enhances the BIG-IP control plane’s ability to support larger and more complex configurations. Whether you’re managing thousands of virtual servers, security policies, or advanced load balancing configurations, the upgrade to eXtremeDB v8.4 ensures that BIG-IP can continue to meet the demands of your growing application portfolio.

Advancements for AI data delivery

Before we go further, let me explain what I mean by AI data delivery. AI data delivery is the process of efficiently moving, storing, and accessing data to power AI workloads, ensuring that the right data is available, scalable, and ready for use, whether it’s being ingested into systems or delivered for AI model training, fine-tuning, or retrieval-augmented generation (RAG) workflows. Unsurprisingly, this use case is bread and butter for BIG-IP, and with 96% of organizations now deploying AI models, optimizing AI data delivery and making it as seamless as possible is a top priority for F5.

With that, let’s look at a couple of enhancements coming in BIG-IP v21.0 that will augment AI data delivery:

1. Support for the Model Context Protocol (MCP): MCP is a relatively new, open protocol that standardizes how applications and data sources interface with AI models. Think of it as the USB-C of the AI world, a universal plug-and-play connector that eliminates the need for custom-built connections between every tool, app and data source. Without diving too deeply into the technical details, MCP operates on a client-server model where MCP clients (AI applications) can request context, such as files, prompts, or actions from MCP servers, which expose underlying data sources.

By enabling support for MCP, BIG-IP can more easily load balance, optimize, and secure AI traffic, helping to minimize latency and maximize AI model resiliency. BIG-IP v21.0 will enable an initial set of MCP traffic management use cases, while additional functionality, including security capabilities, will be introduced with future releases.

F5 BIG-IP optimizes and secures S3 data ingress and egress for AI workloads.

2. Availability of S3-specific BIG-IP profiles: For many organizations, Amazon S3 and S3-compatible storage solutions (like MinIO, Dell, DDN, PureStorage, and NetApp) have become essential for managing massive datasets, powering AI apps, and driving other data-intensive applications. As these workloads grow in scale, the ability to efficiently, reliably, and securely move data to and from S3 storage becomes increasingly critical, which is where BIG-IP excels.

Already a trusted solution in this space, BIG-IP ensures high-performance data delivery, inspects S3 traffic to detect and block unauthorized access, protects the apps and APIs that interact with S3, and provides deep S3 traffic insights to streamline troubleshooting and improve decision-making.

Starting with version 21.0, BIG-IP will introduce S3-optimized profiles to simplify S3 configuration while maximizing both performance and security. These pre-configured, production-ready profiles improve S3 data ingress and egress and will include robust security policies that prevent unauthorized access and mitigate threats. Compared to default BIG-IP profiles, these new S3-optimized profiles significantly enhance throughput, fuelling your AI models to operate at even greater capacity.

If you’re interested in learning more about how BIG-IP streamlines S3 performance and secures AI data pipelines, check out this technical deep dive.

F5 BIG-IP SSL Orchestrator enhancements

Playing an increasingly critical role in modern security architectures, F5 BIG-IP SSL Orchestrator (https://www.f5.com/products/big-ip-services/ssl-orchestrator) strengthens organizational defenses by efficiently decrypting, orchestrating, and re-encrypting TLS/SSL traffic. By seamlessly integrating with security service chains, it enables deep traffic inspection at scale, helping uncover hidden threats and ensuring comprehensive protection for your apps and network. First launched in 2016, BIG-IP SSL Orchestrator is fast approaching a decade of success as a trusted security solution, and the BIG-IP v21.0 release adds two new capabilities to its arsenal:

1. Dual service iRules enhance inspection service:

For enterprises relying on BIG-IP SSL Orchestrator to simplify their security workflows, header enrichment via iRules is a critical component for enabling deeper traffic inspection by connected security tools. However, until now, there hasn’t been an easy way to remove those enriched headers after inspection. If left in, they could expose sensitive information, violate compliance standards, or disrupt downstream operations, resulting in some users creating custom scripts to remove them.

The introduction of dual service iRules is set to change all that, however, by offering built-in functionality to both inject and remove headers. This ensures inspection services receive the enriched data they need, while downstream traffic remains clean and compliant, all without the need for error-prone, custom workarounds.

2. Client-side SNI preservation increases connection security:

Server Name Indication (SNI) is crucial in TLS handshakes as it helps direct traffic to the right application or hostname. Without it, backend systems would fail to perform SNI-based tasks, breaking workflows for app-specific routing, security policies, and decision making. Previously, when operating in Inbound Gateway Mode, BIG-IP SSL Orchestrator did not preserve SNI when proxying client connections, and the only solution was to use custom iRules or configurations.

With BIG-IP v21.0, however, SNI preservation is enabled by default. This out-of-the-box functionality seamlessly passes SNI data from the client-side connection to backend servers, reducing setup time and ensuring critical backend workflows run smoothly and reliably. While enabled by default, you can, of course, still override this feature with custom configurations and iRules, if desired.

Migrating BIG-IP from Entrust to alternative certificate authorities

Entrust, one of the pioneers of digital security, is soon to be delisted as a certificate authority by many major browsers. Following a variety of compliance failures with industry standards in recent years, browsers like Google Chrome and Mozilla made their distrust for Entrust certificates public last year. As such, Entrust certificates issued on, or after, November 12, 2024, are deemed insecure by most browsers.

For several years, Entrust had been the sole certificate authority that BIG-IP used when connecting to various web services for things like licensing validation, software update services, and usage reporting. Following these recent developments, however, BIG-IP will replace Entrust with alternative leading certificate authorities such as DigiCert, Let’s Encrypt, and many others. This will ensure that any data transmitted between your BIG-IP devices and public websites meets encryption standards and maintains the highest level of trust and security going forward. This change will not only be implemented within BIG-IP v21.0, but it will also be backported into BIG-IP v17.1.3 and v17.5.1.2.

More to come: What to expect beyond BIG-IP v21.0

BIG-IP v21.0 represents a significant step forward in our ongoing mission to modernize BIG-IP, but it’s just the beginning. Future releases will continue to build on this momentum, with a sharp focus on control plane improvements to help streamline operations in the most demanding environments.

Expect enhancements like faster software upgrades, separation of the control plane from the data plane, and a refreshed user interface. (Don’t worry. Your favorite knobs and buttons aren’t going anywhere). Beyond that, we’re revamping the BIG-IP roadmap to not only deliver innovative functionality that addresses emerging challenges, but also to incorporate the backlog of features many customers had requested for BIG-IP Next.

On the security front, F5 is committed to raising the software quality bar. Following F5’s October security incident disclosure, last week F5 announced an integration with CrowdStrike that provides BIG-IP endpoint threat detection and response, helping to proactively identify and prevent malicious activity. Although this is not yet supported with BIG-IP v21.0, support is expected imminently. BIG-IP v21.0 is our most secure release yet, containing the lowest total CVE count to date. It addresses over 200 CVEs since v17.5.0, and going forward, maintaining exceptional software quality and security will continue as our highest priority.

And finally, for BIG-IQ users eager to get started with BIG-IP v21.0, BIG-IQ v8.4.1 will be released shortly and will add BIG-IP v21.0 compatibility.

To learn more about BIG-IP v21.0, be sure to check out our press release and webinar. Also, review the release notes and try out BIG-IP v21.0 for yourself by downloading the software from my.f5.com.

About the Author

Tom Atkins, Senior Product Marketing Manager
