Overview
NGINX Plus & RHEL for FIPS 140-Validated Environments on AWS
Deploy F5 NGINX Plus running on Red Hat Enterprise Linux (RHEL) 9, pre-configured to operate within a FIPS 140-3 validated boundary. Designed for developers, Platform Engineering and Security Operations (SecOps) teams tasked with building, securing, and delivering applications, APIs, and AI/ML inference endpoints within environments mandating FIPS compliance, such as U.S. federal agencies, financial services, healthcare, and critical services.
Pre-Configured FIPS-Validated Stack & Lifecycle Management
This AWS Marketplace AMI (Amazon Machine Image) bundles NGINX Plus with RHEL, enabling FIPS mode system-wide via the standard RHEL fips-mode-setup --enable utility. NGINX Plus is configured to use the underlying OpenSSL 3 cryptographic libraries, which are part of the RHEL FIPS validation. This approach offers several advantages:
Direct Dynamic Linking to RHEL FIPS 140-Validated OpenSSL 3: NGINX Plus dynamically links against RHEL's validated OpenSSL libraries. This ensures that all cryptographic operations performed by NGINX Plus (TLS handshakes, certificate handling, JWT signing/verification when configured) utilize CMVP-validated cryptographic algorithms and implementations.
Standard Builds & Simplified Maintenance: It eliminates the need for custom NGINX or OpenSSL compilations. You rely on standard RHEL and NGINX Plus packages. The RHEL FIPS validation boundary and patching lifecycle cover the cryptographic modules.
Defined Deployment & Activation: Launch the AMI in AWS GovCloud (US) or standard AWS regions. The process involves enabling RHEL FIPS mode and ensuring NGINX Plus uses the system OpenSSL via documented, straightforward steps.
Coordinated Patching & Continuous Compliance: F5 and Red Hat provide coordinated security patches and updates for this integrated solution. Updates are tested to ensure compatibility and maintain the FIPS-validated boundary. This approach simplifies patch management, reduces the risk of breaking compliance during updates, and streamlines your Authority to Operate (ATO) process and ongoing compliance reporting. It helps ensure that RHEL (including SELinux policies and OpenSSL) and NGINX Plus remain aligned and secure.
Core NGINX Plus Architecture: Security & Efficiency
Inherent Security by Design: NGINX Plus adheres to a design philosophy prioritizing a minimal set of external dependencies, which reduces the potential attack surface. Its core architecture stems from over two decades of development and deployment across high-traffic internet sites, ensuring a resilient and extensively reviewed codebase.
Lightweight & Resource-Efficient: The asynchronous, event-driven, non-blocking architecture ensures a small footprint. NGINX Plus consumes minimal CPU and memory resources, allowing deployment on smaller AWS EC2 instances (reducing TCO), supporting containerized deployments, and enabling fast start-ups for effective autoscaling and rapid recovery.
NGINX Plus Technical Capabilities on a FIPS-Certified Base
Leverage the full NGINX Plus feature set, with cryptographic operations handled by RHEL's certified FIPS modules:
TLS/SSL Offload & Management: Securely terminate high-volume TLS 1.2/1.3 traffic using RHEL's underlying FIPS 140-validated crypto modules while offloading intensive processing from backend servers.
L7 Load Balancing & Reverse Proxy: Intelligently distribute traffic across diverse application, API, and AI/ML backends with multiple algorithms, session persistence, and deep health checks.
Advanced API Gateway Functions: Protect and control API access with native JWT validation, OIDC integration, mutual TLS, and fine-grained rate limiting.
Observability & Monitoring of 240+ Metrics: Gain real-time insight into performance and errors via a native JSON API.
High Availability & Scalability: Build resilient active-active clusters with state sharing enabling scaled AuthN and AuthZ. Dynamically manage upstream servers via API for seamless scaling.
Centralized Fleet Management, Monitoring and Security Policies with NGINX One: Manage your entire NGINX fleet from a single SaaS console, enforcing consistent configurations and security policies across FIPS and non-FIPS environments.
In-Line NGINX One AI Assistant Trained on Up-to-Date Documentation and Best Practices: Accelerate development and improve security posture by asking natural language questions for configuration validation, optimization, and security hardening suggestions.
Highlights
- FIPS 140 Ready & Secure: Leverages RHEL FIPS-validated OpenSSL. Accelerates ATO & simplifies audits. Coordinated F5/Red Hat security patching. Supports JWT, OIDC, mTLS, rate limiting, RBAC and ACLs.
- Rapid Deployment & AI-Powered Management: Pre-configured AWS AMI for fast launch. NGINX One Console: Centralized fleet management & AI Assistant. Lowers TCO & operational overhead.
- HA & Deep Insight: High-performance & resource-efficient core. Ensures resilience via HA clustering & state sync. 240+ metrics via JSON API & easy dashboard tool integration (Grafana/Kibana). NGINX One provides fleet-wide observability.
Pricing
Dimension | Cost/hour |
---|---|
c5.large (Recommended) | $0.68 |
m7a.medium | $0.68 |
g3.16xlarge | $6.53 |
c5n.large | $0.68 |
c7a.16xlarge | $6.53 |
c6a.16xlarge | $6.53 |
c6id.16xlarge | $6.53 |
r7a.medium | $0.68 |
c5a.16xlarge | $6.53 |
c7i-flex.16xlarge | $6.53 |
Vendor refund policy
We do not offer refunds for hourly usage fees.
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Version release notes
Release notes can be found at https://docs.nginx.com/nginx/releases/
Additional details
Usage instructions
When a new AMI is deployed for the first time, the latest version of NGINX Plus will be installed, auto-configured and started. NGINX Plus status can then be checked by running: service nginx status, and the NGINX Plus default index page will be accessible at the public address of the EC2 instance. Please use SSH to access your instance for management purposes with the following usernames, for Ubuntu: "ubuntu", CentOS: "centos", Amazon Linux/RHEL: "ec2-user", Debian: "admin". NGINX Plus configuration can be found in /etc/nginx, and the documentation is available locally on the instance (as a PDF) and at https://docs.nginx.com/nginx/ .
Support
Vendor support
The Premium edition includes access to 24x7 email and phone support for an unlimited number of incidents. SLA within 30 minutes for urgent Severity 1 requests, 24-hour response for low Severity requests. Documentation questions are answered within 24 hours. Receive hot bug fixes and email notifications of all NGINX software updates. To engage the F5 support team, please first activate your account at https://account.f5.com/myf5/signin/register where you will be able to register and open a support case. For assistance with working in http://www.myf5.com and opening a support case, please see our complete self-help article at https://support.f5.com/csp/article/K23782072 . Support response times vary with the support level and severity of the product you purchased.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.