We would like to request a feature enhancement in F5 Distributed Cloud to ensure that each HTTP Load Balancer only listens on the ports explicitly configured for it, even when sharing a VIP across multiple Namespaces.
Currently, if a VIP is configured with a specific port (e.g., 10443), any Load Balancer using that VIP—regardless of Namespace—can accept TCP connections on that port, even if it is not configured to handle traffic on that port. This results in behavior that violates expected Namespace isolation.
LB-B is configured to listen on port 10443.
LB-A (in a different Namespace) shares the same VIP but does not listen on 10443.
A request sent to LB-A on port 10443 completes the TCP 3-way handshake and receives a TLS certificate, even though LB-A is not configured to handle that port.
This creates confusion and operational risk in environments that rely on strict separation between tenants or namespaces.
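The behaviour described above can be verified from the client side. The following is an added example (not F5's code and not part of this request) that sends a TLS ClientHello carrying each load balancer's hostname as SNI to every port configured on the shared VIP, and flags any hostname that completes a handshake on a port its own LB is not configured for. The hostnames, VIP address and certificate fingerprint used in the sample are constructed placeholders.

```python
import hashlib
import socket
import ssl
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Observed = Dict[Tuple[str, int], Optional[str]]

def probe_tls(vip: str, port: int, sni: str, timeout: float = 3.0) -> Optional[str]:
    """Open TCP to vip:port, send a ClientHello with SNI=sni, and return the
    SHA-256 fingerprint of the certificate served, or None if no TCP/TLS
    handshake completes. Verification is deliberately off: the point is to
    observe which listener answers, not to trust it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((vip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                der = tls.getpeercert(binary_form=True) or b""
    except (OSError, ssl.SSLError):
        return None
    return "sha256:" + hashlib.sha256(der).hexdigest()

def unexpected_listeners(expected: Dict[str, Iterable[int]],
                         observed: Observed) -> List[Tuple[str, int, str]]:
    """Return (hostname, port, fingerprint) for every completed handshake on
    a port that hostname's load balancer is not configured to serve."""
    allowed = {host: set(ports) for host, ports in expected.items()}
    return sorted((host, port, fp) for (host, port), fp in observed.items()
                  if fp is not None and port not in allowed.get(host, set()))

def audit(vip: str, expected: Dict[str, Iterable[int]],
          prober: Callable[[str, int, str], Optional[str]] = probe_tls
          ) -> List[Tuple[str, int, str]]:
    """Probe every hostname against the union of all ports configured on the
    shared VIP, so LB-A is also tested on the ports only LB-B should own."""
    all_ports = sorted({p for ports in expected.values() for p in ports})
    observed: Observed = {(host, port): prober(vip, port, host)
                          for host in expected for port in all_ports}
    return unexpected_listeners(expected, observed)

if __name__ == "__main__":
    # Constructed sample: LB-A should serve only 443, LB-B serves 443 and 10443.
    expected = {"lb-a.example.test": [443], "lb-b.example.test": [443, 10443]}
    # Constructed prober standing in for the network: every port answers,
    # which is the behaviour the request describes. Drop `prober=` to use
    # probe_tls against a real VIP.
    fake = lambda vip, port, sni: "sha256:deadbeef"
    for host, port, fp in audit("203.0.113.10", expected, prober=fake):
        print(f"VIOLATION: {host} answered TLS on port {port} ({fp})")
```

A clean result is an empty list; each tuple returned names a hostname that answered on a port outside its configuration, which is exactly the cross-Namespace exposure the request asks F5 to close.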
Ensure that each Load Balancer only accepts connections on the ports it is explicitly configured to listen on.
Alternatively, provide a mechanism to enforce port-level or Namespace-level isolation for shared VIPs, such that only authorized LBs respond on specific ports.
Providing this capability would greatly improve the security posture and tenant isolation in shared-VIP environments, and reduce the risk of unintentional cross-Namespace exposure.