SNAT Pool Configuration in Origin Pool
Objective
This reference guide outlines the purpose, use case scenarios, and key considerations for configuring the SNAT pool feature for origin pools in environments leveraging the F5 Distributed Cloud Services Multi-Cloud App Connect workspace.
What is the SNAT Pool Configuration?
The SNAT pool configuration feature within the origin pool enables precise control over the Source Network Address Translation (SNAT) behavior for load balancer and origin pools, offering flexibility in routing traffic through intermediary firewalls for enhanced security checks. By allowing differentiated IP address assignments at the origin pool level, it enables you to integrate security checks and traffic policies seamlessly while improving visibility and control.
SNAT pool configuration allows you to define the source IP addresses that the Customer Edge (CE) uses when communicating with origin servers on behalf of incoming client traffic. While the CE typically uses a single source IP address per node, taken from the network interface chosen in the configuration, the SNAT pool configuration enables you to use different source IP addresses per origin pool. This caters to use cases in which admins need intermediary devices, such as firewalls, to apply differentiated security policies based on the source IP address of the traffic.
This feature provides granularity and control in multi-tenant or security-sensitive environments.
For example:
- Traffic from the Blue load balancer is translated using SNAT to IP address range 1.1.1.0/30 and routed through a firewall's spam and antivirus filters.
- Traffic from the Green load balancer is translated using SNAT to IP address range 1.1.1.4/30 and routed through antivirus and malware filters.
See the full example below.
When Should You Use SNAT Pool Configuration?
The SNAT Pool Configuration feature is ideal for scenarios where a CE is deployed in a DMZ and compliance with firewall security policies and traffic segregation is required, or where specific security filters (for example, spam filters, antivirus, and malware detection) must be applied based on differentiated source IP addresses.
For example:
- In a DMZ, traffic destined for the Blue origin servers, such as email servers, may undergo spam filtering and antivirus checks.
- In contrast, traffic destined for the Green origin servers, such as file share servers, may only pass through antivirus and malware detection filters.
Applying a different SNAT IP address per load balancer origin enables firewalls to recognize and enforce these distinctions efficiently.
Key Considerations When Configuring SNAT Pool
When you set up SNAT IP pools for load balancers and origin servers, consider the information below.
IP Selection Behavior
The IP address allocation from the available SNAT pool range does not follow a sequential pattern. Rather, it gets assigned randomly from the available range.
Operations on CE Site
SNAT pool configuration supports both single and multi-node cluster CE sites. This feature is not supported for virtual site (vSite) setups.
If a request switches to a different CE node due to an ECMP rehash or network conditions, it will have a different SNAT pool IP address (assigned to that node) with which it will reach the origin pool.
IP Address Pool Allocation
SNAT pool range structure:
- A SNAT pool range represents all possible IP addresses within a certain prefix (for example, /30, /31, or /32).
- Each IP address range consists of multiple IP addresses, and the number of usable IP addresses from this range depends on the number of CE nodes within a cluster.
- Some of these addresses, such as the network address (first address, host bits 00) and the broadcast address (last address, host bits 11), are usually avoided. However, they might be used if the usable host IP addresses within that SNAT pool range are exhausted (in multi-node CE clusters).
IP address usage depends on deployment type:
- If using a /30 subnet and four Customer Edge (CE) nodes, all four addresses in the pool can be used for SNAT, including the network and broadcast addresses.
- If using a /31 subnet and two CE nodes, only two addresses (including the network and broadcast addresses) are used for SNAT.
- If using a /32 subnet for a single-node CE, only one address is available and used for SNAT.
- If using a /30 subnet for a single CE node:
  - Only the two usable host addresses (the second and third IP addresses in the range) are allocated to the SNAT pool.
  - The first address (network address) and last address (broadcast address) are not used for SNAT.
Example
If your SNAT pool is using the subnet 1.1.1.0/30:
- For four CE nodes: All four IP addresses (1.1.1.0, 1.1.1.1, 1.1.1.2, and 1.1.1.3) are used, even though 1.1.1.0 is the network address and 1.1.1.3 is the broadcast address.
- For two CE nodes with /31: Only two IP addresses (1.1.1.0 and 1.1.1.1) participate in the SNAT pool.
- For a single-node CE with /30: Only 1.1.1.1 and 1.1.1.2 are used, and the network (1.1.1.0) and broadcast (1.1.1.3) addresses remain unused for SNAT.
Insufficient IP Address Allocation
If the number of CE nodes exceeds the number of IP addresses allocated for SNAT, the nodes in the cluster that have no SNAT IP address tunnel their traffic to another node in the cluster that does have a SNAT IP address, and that node reaches the origin server(s) on their behalf.
Protocol Considerations
The behavior of SNAT Pool Configuration remains consistent across TCP and UDP load balancers.
Example Configuration
This example is a network setup for a three-node CE cluster where two applications, Blue and Green, are load balanced along with a SNAT pool configuration on the origin pool.
- Blue load balancer configuration:
  - Virtual IP (VIP): Advertised to Internet
  - Origin pool: Server 1 with 10.1.1.2 and Server 2 with 10.1.1.3
  - SNAT range: 1.1.1.0/30
- Green load balancer configuration:
  - Virtual IP (VIP): Advertised to Internet
  - Origin pool: Server 1 with 10.2.2.2 and Server 2 with 10.2.2.3
  - SNAT range: 1.1.1.4/30

Figure: Three-Node CE Cluster Example
The example steps include the following:
- Define the SNAT pools in your F5 Distributed Cloud Services Multi-Cloud App Connect workspace.
- Assign IP address range 1.1.1.0/30 for the Blue load balancer origin pool.
- Assign IP address range 1.1.1.4/30 for the Green load balancer origin pool.
- Configure firewall rules to perform the appropriate security scans:
  - Rule 1: If the source IP address range is 1.1.1.0/30, run a spam filter with antivirus checks.
  - Rule 2: If the source IP address range is 1.1.1.4/30, run antivirus with malware checks.
- Validate traffic flows as per the routing policy.