# F5XC origin pool explainer

> Paste an F5XC origin_pool spec and get it decoded - origin-server types and addresses, the pool port, the load-balancing algorithm and endpoint selection, health checks, and the TLS-to-origin settings.

- Tool: https://ronutz.com/en/tools/f5xc-origin-pool-explainer
- Family: Networking

---

## What it does

This tool decodes an F5 Distributed Cloud (XC) origin_pool spec. Paste the origin_pool object from the Console's JSON view, its spec body, or a create/get envelope, and it lays out what the pool actually does: every origin server's type and address, the pool port, the load-balancing algorithm and endpoint selection, the health checks it references, and the TLS-to-origin settings. It runs entirely in your browser.

## Origin servers: type and place

An origin pool can point at origins in several ways, and the tool names each one. A public IP or public DNS name reaches origins over the internet. An IP or DNS name "on given sites" reaches origins through a Customer Edge or Regional Edge and carries a site or virtual-site locator - the tool shows that location. K8s and Consul service names use service discovery on a site. There are also virtual-network and custom-endpoint variants. Each origin can also carry labels, which the tool lists.

## Where weights and priorities actually live

A common misconception is that origin servers in a pool have weights and priorities. They do not. Inside a pool, the origin servers are a flat list served according to the pool's algorithm. Weights and priorities are set one level up, on the pool's reference inside a route or the load balancer's default pools - each reference is a pool plus a weight plus a priority. The tool states this so you look in the right place.

## The pool port and endpoint selection

The port can be explicit, taken from the endpoint, or automatic - and automatic means 443 when TLS to origin is enabled and 80 when it is not. Endpoint selection controls which Regional Edge egresses to the origin: Local Preferred (the default) egresses from the local RE when it has a healthy origin entry, and otherwise forwards over the F5 global network to an RE that does. That is why the same origin can appear many times in the Console, once per RE.

## TLS to origin

If TLS to origin is enabled, the tool decodes the security level - reusing the same level data as the TLS security-level mapper, so High is minimum TLS 1.2 - along with the SNI mode (use the Host header, an explicit value, or no SNI), the server-verification choice, and whether mTLS is on. It flags the case that matters most: skipping origin-server verification. That still encrypts the connection, but it does not validate the origin's certificate, so the tool calls it out.

## Standards and references

- [F5 Distributed Cloud: Create Origin Pools (origin-server types, port, TLS, SNI, server verification, mTLS)](https://docs.cloud.f5.com/docs-v2/multi-cloud-app-connect/how-to/app-networking/origin-pools) - the origin-server types, Port vs Automatic Port (443 with TLS / 80 without), the TLS block (Enable, SNI Selection, TLS Security Level with High default, Origin Server Verification incl. Skip, mTLS)
- [F5 K000161240: control which Regional Edges health-check origins (Endpoint Selection)](https://my.f5.com/manage/s/article/K000161240) - Endpoint Selection default Local Preferred; behavior when the local RE origin entry is DOWN; health-check routing
- [F5 Distributed Cloud: Load Balancing and Service Mesh (endpoint discovery: IP/port, DNS, K8s, Consul)](https://docs.cloud.f5.com/docs-v2/platform/concepts/load-balancing-and-mesh) - the where (site/virtual-site/virtual-network) and how (IP+port, DNS, K8s, Consul) of endpoint configuration
- [DevCentral: service-chain WAAP and CDN (real origin_pool + LB spec YAML)](https://community.f5.com/kb/technicalarticles/use-f5-distributed-cloud-to-service-chain-waap-and-cdn/303142) - verified spec shape: origin_servers/public_name, port, no_tls/use_tls, healthcheck, and default_route_pools with pool + weight + priority (where weights actually live)

## Related reading

- [The Anatomy of an XC Origin Pool: Origin Types, Endpoint Selection, and TLS to Origin](https://ronutz.com/en/learn/f5xc-origin-pool-anatomy.md): What an origin pool holds, the ways to name an origin (public IP/DNS, on-site with a locator, K8s/Consul, virtual network, custom endpoint), why one origin appears once per Regional Edge, the automatic-port rule (443 with TLS, else 80), the TLS-to-origin settings, and why weights and priorities live on the pool reference in a route, not on the servers.
