TechLeague

    Networking

    F5 BIG-IP Next vs. Classic: The 2026 Engineering Migration Guide

    TechLeague Editorial··14 min read

    The TMOS era is ending, and if you are still treating your load balancer as a monolithic appliance in 2026, you are sitting on a technical debt time bomb. The shift from Classic BIG-IP to BIG-IP Next isn't a mere version upgrade; it is a total architectural decapitation of the control plane, moving from a Linux-based monolithic OS to a Kubernetes-native, microservices-driven engine that finally kills the 'bigip.conf' as we know it.

    The Post-TMOS Reality: Why Classic is Dead

    For twenty years, F5 engineers lived and died by bigpipe then tmsh. Classic BIG-IP architecture bundled the control plane, management plane, and data plane into a single, tightly coupled image. This made scaling difficult and upgrades treacherous. As of 2026, the industry has transitioned. BIG-IP Next bifurcates these functions entirely. The data plane (TMM) now runs as a containerized process, while the management plane is offloaded to a centralized controller (BIG-IP Next Central Manager).

    In the Classic days, a CVE in the management GUI meant taking down your entire traffic-processing engine to patch. In BIG-IP Next, the data plane is decoupled. You are no longer managing 'boxes'; you are managing high-performance traffic instances that are lifecycle-managed via Central Manager. If you haven't seen the writing on the wall, look at the EOL dates for the iSeries and the shift toward VELOS and rSeries hardware—these are the final landing spots for Classic before the hard pivot to Next.

    Architecture Deep Dive: Kubernetes as the Underlay

    Under the hood of BIG-IP Next, F5 has finally embraced the Kubernetes ecosystem. This is not just 'F5 in a container.' The entire orchestration of the instance lifecycle is handled via K8s primitives. When you deploy a Next instance on a VELOS partition or as a VE on ESXi, you are interacting with a system that uses an API-first approach, treating the load balancer as an ephemeral resource.

    The Shift to Decoupled Management

    Classic BIG-IP used the system-auth and mcpd processes to handle configuration state. This was the bottleneck of every large-scale deployment. BIG-IP Next moves the 'source of truth' to the Central Manager. Your instances are essentially stateless proxies. This allows for horizontal scaling that was previously impossible. In 2026, we are seeing enterprise deployments where a single Central Manager controls 500+ Next instances across multiple clouds and on-prem clusters, a feat that would have required dozens of BIG-IQ clusters in the old world.

    Configuration: The Death of 'bigip.conf' and the Rise of AS3

    If you are still clicking around in the GUI to create Virtual Servers, you are failing your organization. BIG-IP Next effectively mandates Application Services 3 Extension (AS3) or its evolved derivatives. There is no /config/bigip.conf to grep through anymore. The configuration is stored as JSON and pushed via REST API. 

    {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "NextMigration",
    "tenant1": {
        "class": "Tenant",
        "app1": {
            "class": "Application",
            "template": "http",
            "serviceMain": {
                "class": "Service_HTTP",
                "virtualAddresses": ["10.10.10.100"],
                "pool": "web_pool"
            },
            "web_pool": {
                "class": "Pool",
                "monitors": ["http"],
                "members": [{
                    "servicePort": 80,
                    "serverAddresses": ["192.168.1.10", "192.168.1.11"]
                }]
            }
        }
    }
}

    This shift allows for true GitOps. In 2026, the standard workflow is: Developer submits a PR to a GitHub repo -> CI/CD pipeline validates the AS3 JSON -> Central Manager pushes the changes to the BIG-IP Next instances. This eliminates manual configuration drift, which was the leading cause of outages in the Classic era.

    Parity Gaps: What You Lose in the Transition

    Let's be blunt: BIG-IP Next is not at 100% feature parity with Classic, and it likely never will be. F5 is using this transition to shed technical debt. Ancient protocols and niche features that were clogging the TMOS kernel have been excised. If you are relying on obscure iRules command-sets from 2012, or specific legacy NTLM profiles, you are in for a world of hurt.

    • iRules Migration: F5 offers the "BIG-IP Next Migration Assistant," but it is not a magic wand. Roughly 20% of complex iRules require manual rewriting. iRules on Next are more performant but stricter on syntax.
    • AFM/ASM: The security modules have been rebranded as 'BIG-IP Next WAF' and 'BIG-IP Next Access'. The policy engines are cleaner, but if you are coming from a heavily customized v15/v16 ASM policy, the migration is a multi-week audit process.
    • L7 Persistence: Many legacy persistence methods have been deprecated in favor of cookie-based or universal inspection via Modern TLS standards.

    The Migration Roadmap for 2026

    A haphazard migration will fail. We recommend a three-phase approach, which we've documented extensively in our F5 to modern SDN guide.

    Phase 1: Central Manager Deployment

    Do not deploy a single Next instance until your Central Manager (CM) is hardened and your IPAM/DNS integrations are solid. The CM is the brain; treat it with more reverence than you treated the BIG-IQ. Ensure you have a 3-node cluster for the CM for high availability.

    Phase 2: Shadow Configuration and AS3 Conversion

    Take your existing Classic BIG-IP configuration and run it through the Migration Assistant. For every Virtual Server, generate the corresponding AS3 declaration. Conduct 'read-only' testing where you deploy these to a laboratory Next instance and verify the data plane behavior matches the legacy TMM output.

    Phase 3: The Traffic Flip

    Use DNS-based migration (GSLB/BIG-IP DNS) to bleed traffic from the Classic iSeries to the Next instances. Do not try a forklift swap at the MAC address level. The underlying networking stack in Next handles ARP and routing differently, especially in multi-tenant environments.

    Hardware Performance: VELOS and rSeries in the Next Era

    Running BIG-IP Next on legacy hardware is a recipe for frustration. To get the most out of the K8s-based architecture, you need the FPGA-assisted offloading provided by the rSeries (e.g., r5900 or r10900) or the VELOS chassis. The rSeries provides a dedicated FPGAs for SSL/TLS offload that the Next data plane taps into directly via the QuickAssist Technology (QAT) drivers.

    In my tests, a BIG-IP Next instance on an r10900 handles 40% more concurrent TLS handshakes than the equivalent Classic v15 software on the same hardware. Why? Because the Next data plane is optimized for multi-core scaling without the overhead of the massive management processes that plagued Classic TMOS.

    Real-World Costs and Licensing

    F5 has moved fully to a subscription-based model. If you are still on perpetual licenses, 2026 is the year your maintenance costs will skyrocket as F5 incentivizes the move to F5 FlexPool or BIG-IP Next subscriptions. Expect to pay roughly $15k-$25k per year for a high-performance Next instance (equivalent to a 10Gbps throughput tier), depending on your WAF/Advanced Firewall requirements.

    Verdict: Should You Move Now?

    If you are standing up new infrastructure, do not deploy Classic. You are just building a legacy system you'll have to migrate in 24 months. If you are running stable workloads on iSeries hardware, you have until the end of 2026 to finalize your strategy. The performance gains in TLS 1.3 and the operational efficiency of AS3/GitOps make the transition worth the initial pain of configuration conversion. However, if your team is not ready for API-first management, stay on Classic until you've hired or trained for the devops-centric reality of Next.

    Ready to modernize your ADC stack or need an expert audit of your current F5 environment? Check out our engineering services and architecture reviews at techleague.io.

    Frequently asked questions

    Is configuration parity 1:1 between Classic and Next in 2026?+

    F5 has significantly improved the Migration Assistant, but complex iRules and niche L7 persistence still require manual intervention. Plan for a 20% manual refactor rate.

    Is BIG-IP Next just a rebrand of TMOS?+

    No, Next is built on a Kubernetes-native microservices architecture where the data plane (TMM) is decoupled from the management plane (Central Manager).

    Do I need to buy new hardware for BIG-IP Next?+

    While Next can run on VEs, it is optimized for rSeries and VELOS hardware, leveraging QAT and FPGA offloading that Classic TMOS cannot utilize as efficiently.

    What is the role of AS3 in BIG-IP Next?+

    AS3 (Application Services 3 Extension) is the primary method for configuration. If you aren't using declarative APIs, you aren't using Next correctly.

    How does Central Manager differ from BIG-IQ?+

    Central Manager is the single source of truth and lifecycle manager for all Next instances, replacing the functionality of BIG-IQ but with a microservices-based backend.

    What features are being dropped in Next?+

    Many legacy L7 protocols and niche NTLM features have been deprecated to reduce the security attack surface and kernel complexity.

    What is the best way to handle the cutover?+

    DNS-based traffic shifting (GSLB) is the safest method to bleed traffic from Classic to Next, as it avoids MAC-level conflicts and allows for granular rollbacks.