# F5XC HTTP LB route explainer

> Paste the routes of an F5XC HTTP load balancer and get each route decoded in order - type, path/method/header match, action, header mutations, and per-route WAF - plus a first-match simulator for a test request.

- Tool: https://ronutz.com/en/tools/f5xc-http-lb-route-explainer
- Family: Networking

---

## What it does

This tool decodes the routes block of an F5 Distributed Cloud (XC) HTTP load balancer. Paste the full `http_loadbalancer` object from the Console's JSON view, just its `routes` array, or a create/get API envelope, and the tool walks each route in order and explains it: the route type (simple, redirect, direct-response, or custom), the match conditions (HTTP method, path as prefix / exact / regex, and any header or query-parameter conditions), the action (which origin pool with what weight, or the redirect target, or the direct-response code), any path rewrite and request/response header mutations, the host-rewrite override, and the per-route WAF attachment. It also simulates first-match evaluation - give it a method and a path, and it tells you which route would win. Everything runs in your browser.

## Why order matters

XC evaluates routes in the order they appear, and the first route that matches wins - the same first-match model Envoy uses under the hood. F5's own guidance makes this concrete: when you want a route to take priority, you drag it to the top of the list. That is why the tool numbers routes in order, states the first-match rule up front, and warns you when a catch-all route (prefix `/` or regex `.*` with no header conditions) sits above more specific routes, because those later routes can never be reached.

## The per-route WAF

A load balancer has one WAF policy at its base, but any simple route can override it. In Advanced Options a route can attach its own App Firewall, or disable WAF entirely, or leave it to inherit the load balancer's policy - which is the default. The tool shows each route's WAF mode explicitly and flags routes that disable WAF, because an unprotected route is easy to create by accident and hard to spot in raw JSON.

## The four route types

A simple route forwards matching traffic to an origin pool. A redirect route returns a 3xx to a new protocol, host, and path. A direct-response route returns a fixed status code and body without touching an origin - F5's own examples use this to serve small pages or scripts. A custom route object references a separately defined route, so its match and action live in that referenced object; the tool shows the reference and notes that the details are external, and the first-match simulator flags that such a route could match ahead of the one it picked.

## Standards and references

- [F5 Distributed Cloud: Create HTTP Load Balancer (route types, path match, redirect/direct-response, request/response manipulation)](https://docs.cloud.f5.com/docs-v2/multi-cloud-app-connect/how-to/load-balance/create-http-load-balancer) - Simple / Redirect / Direct Response / Custom route types; Prefix/Regex path match; redirect parameters; add/remove request & response headers
- [F5 Distributed Cloud API: ves.io.schema.route (match / action / custom JS)](https://docs.cloud.f5.com/docs-v2/api/route) - a route = match condition + action + custom-JS flag
- [F5 Distributed Cloud: Per-Route WAF Policy](https://community.f5.com/kb/technicalarticles/introduction-to-f5-distributed-cloud-platform-per-route-waf-policy/304079) - a simple route can attach its own App Firewall (Advanced Options > Security > WAF), overriding the LB-level policy
- [F5 K000146653: Host rewrite behavior in F5 Distributed Cloud HTTP Load Balancers](https://my.f5.com/manage/s/article/K000146653) - default host rewrite for DNS-name origins; a route can override host-rewrite behavior
- [DevCentral: hiding internal URLs / dynamic redirection with the XC HTTP LB (route ordering)](https://community.f5.com/kb/communityarticles/how-to-achieve-hiding-internal-urls-and-http-dynamic-redirection-with-f5-xc-http/342126) - routes are evaluated in order - drag a route to the top to have it evaluated first (first-match)

## Related reading

- [How the XC HTTP Load Balancer Picks a Route: First-Match, Path Types, and the Per-Route WAF](https://ronutz.com/en/learn/f5xc-http-lb-route-evaluation.md): XC routes are an ordered list evaluated first-match; the four route types (simple, redirect, direct-response, custom); prefix vs exact vs regex path match; method/header/query conditions; and how any route can attach or disable its own WAF.
