F5 Government Symposium 2018 AWS and F5 Deep Dive Ryan Johnson Federal System Engineer 4/4/2018


Post on 22-May-2020


Page 1: F5 Government Symposium 2018 AWS and F5 Deep Dive

Ryan Johnson, Federal System Engineer

4/4/2018

Page 2

[Diagram: a user in front of a private cloud (on premises), a public cloud (off premises), and a hybrid cloud spanning both]

Page 3

Public Cloud – Pros and Cons

PRO
• Time to Market
• Low initial costs (Pay per use)
• Flexible & unlimited capacity growth

CON
• Security: private keys, policies, sensitive data
• Storage: cost, data to/from the cloud
• Cloud lock-in: policies, data transfer cost
• Performance: Higher latency

Private Cloud – Pros and Cons

PRO
• Strong Security (sensitive data, keys)
• Full Control (policies & compliance)
• Easily Customizable

CON
• Cost / upfront investment
• Under-utilization
• Capacity Ceiling

Page 4

[Diagram: a private cloud (ADC & Security, application, data) connected across the public Internet to AWS (ADC & Security: AWS tools) and Azure (ADC & Security: Azure tools), each hosting its own application and data]

How about migrating/scaling or adding new apps to a public cloud provider to get the benefits of public cloud: cost, time to market and scale?

Page 5

PROS
• Time to Market
• Low initial costs (Pay per use)
• Flexible & unlimited capacity growth

CONS
• Security: private keys, policy, sensitive data
• Storage: cost, data to/from the cloud
• Cloud lock-in: policy, data transfer cost
• Performance: Higher latency

[Diagram: a private cloud (ADC & Security, application, data) connected across the public Internet to AWS ("Migrate/Scale out Orange App to AWS", ADC & Security: AWS tools) and Azure ("New Green App to Azure", ADC & Security: Azure tools)]

Page 6: Extend your Private Cloud into Colo Facility

PROS
• Sensitive data securely stored in Colo
• Colo brings app closer to end users
• Moving data in/out colo at low cost
• Low latency towards all public cloud providers

CONS
• Security: sensitive data
• Storage: cost, data to/from the cloud
• Cloud lock-in: data transfer cost
• Performance: Higher latency

[Diagram: a private cloud (ADC & Security, application, storage) extended through App Connectors (AC) over a secure reverse tunnel into a colo facility (ADC & Security, application, data); the colo reaches public cloud applications and data through an XChange private interconnect, with the public Internet alongside]

Page 7: Extend your Private Cloud into Colo Facility

[Diagram: the same layout as page 6: private cloud (ADC & Security, application, storage) linked through App Connectors (AC) over a secure reverse tunnel to a colo facility (ADC & Security, application, data), which connects to public cloud applications and data via an XChange private interconnect, with the public Internet alongside]

© 2018 F5 Networks

Page 8

Page 9: Multi-Cloud Challenges

Operational Agility
• Manual IT processes impede developers' agility needs
• Feature gaps in cloud native services result in longer time to value
• Basic native services tied to each cloud provider infrastructure

• Insufficient/basic security services make apps more vulnerable to attacks
• Inconsistent security services increase compliance gaps and audit risks
• No centralized method to manage policy and enforce compliance
• Poor cross-environment visibility/analytics

• Lack of a standardized and common set of app services results in complexity and costs
• Disparate platforms and toolsets exacerbate IT skillset gaps and lead to cloud lock-in
• Higher costs and inability to scale with multiple different app services to deploy and maintain

Page 10: Making Your Cloud Apps Go Smarter, Faster, Safer

Simple Operations
• Service abstraction
• Cloud independence with portable multi-cloud app services
• Integration with application ecosystem
• Turnkey solutions validated and tested in multiple clouds
• Library of automation and DevOps toolsets
• Enable NetOps with SuperNetOps training

• Consistent security policies
• Simplified policy deployment and compliance
• Advanced app protection
• Centralized visibility for control

F5 transforms app services, delivering consistency and security to Multi-Cloud deployments:
• Reduce complexity across multiple clouds
• Scale deployments with increased agility
• Reduced risk – consistent policy to maintain compliance and control

Page 11: Cloud Solution Templates for Multi-Cloud

• Quickly deploy common F5 services
• … for your applications
• … in the infrastructure of your choice
• … in "one-click"
• … supported by F5
• Available on GitHub and on cloud provider product pages

Page 12: Cloud Solution Templates by Platform – https://github.com/f5networks

AWS
• 1, 2, 3 NIC HA BYOL & Hourly
• HA across AZ
• Cloud WAF in MP
• Cloud LTM
• Service Discovery – 1, 2, 3 NIC, HA
• BIG-IQ: 5.2, 5.3 – Receive licensing
• Existing Prod stack, no public IPs
• Autoscale: SvcDisc Support
• Autoscale: Cloud WAF and v13
• Autoscale: Master Election
• Autoscale: BYOL (BIG-IQ)
• Autoscale: on vCPU
• Marketplace: LTM, WAF, HA across AZs
• Marketplace: Autoscale update
• GovCloud Template Support

Azure
• 1, 2, 3 NIC, HA BYOL & Hourly
• MultiNIC support – HA, WAF
• HA across AVset
• HA across AVset + 2 TGs (no ALB)
• WAF ASC, Tier 2
• Service Discovery – All templates
• BIG-IQ: 5.2, 5.3 – Receive licensing
• Deploy into existing VNET: HA, Cloud LTM, Cloud WAF
• V13 WAF support
• Autoscale: Master Election
• Autoscale BYOL (BIG-IQ)
• Marketplace: LTM, WAF, ASC
• Marketplace: O365 SSO Solution

Google Cloud
• 1/2/3 NIC BYOL Templates
• 1/2/3 NIC Utility Templates
• Hourly billing now available in Google Launcher
• Service Discovery

Page 13: Simplified Cloud Deployments – Solution Templates for the EZ Button Era

Tested & Validated – VE deployments in minutes
Simple & Automated – Familiar tool sets
Consistency Across Clouds – Cloud security consistency

https://github.com/f5networks
http://clouddocs.f5.com/

Page 14

Page 15

F5 Product      Size                      Option
BIG-IP Good     25MB, 200MB, 1GB, 5GB     PAYGO or BYOL
BIG-IP Better   25MB, 200MB, 1GB, 5GB     PAYGO or BYOL
BIG-IP Best     25MB, 200MB, 1GB, 5GB     PAYGO or BYOL
BIG-IP Good     3GB, 10GB                 BYOL only
BIG-IP Better   3GB, 10GB                 BYOL only
BIG-IP Best     3GB, 10GB                 BYOL only
BIG-IQ          B                         BYOL only

19 product listings on AWS Marketplace:
• Globally Deployed + GovCloud and C2S
• BYOL or PAYG
• 15 supported Cloud Solution Templates
• Top 5 ISV with 2+ Competencies
• In GovCloud and C2S Marketplaces
• Enterprise Contracts Partner
• Deep Technical Alignment
• Partner Programs in Marketplace
• PAYGO includes F5 support
• Resale • Private Offer • Refer

* Caveat: any gotchas for GovCloud

Page 16

[Licensing diagram; surviving captions: "(Procurement Process and can be used by BIG-IQ Lic Manager)" and "(One-time purchase)"]

Page 17

Page 18

Feature                       F5 BIG-IP LTM VE          Amazon ELB
Local Load Balancing          X                         X
Application Acceleration      X
SSL and Compression Offload   X                         X
Content Caching               X
Scripted Traffic Handling     X
IPv6 Support                  X                         X
Global Load Balancing         X (1)
Bandwidth Management          X
Transaction Rate Shaping      X (1)
Service Level Monitoring      X
Application Integration       X
Application Access Control    X (1)
L3/L4 Firewall                X (1)
Community Support             Devcentral.f5.com forum

(1) Add-on functionality

Page 19: In a Nutshell: Why ELB?

• Auto scaling of servers
• Dynamic scaling of the load balancer itself
• Cookie persistency
• HTTP monitor with 200 OK
• Cheap
• DevOps do not have to log in to my console

Good enough load balancer

Page 20: Why not F5 in AWS? Customer responses:

• Feature Rich but complicated
• Expensive
• No Auto scaling of Servers
• No Auto scaling of BIG-IP

Challenge Accepted

Page 21

Page 22: How AWS Charges

With ELB: ELB instance + ELB traffic + EC2 traffic + EC2 compute

Without ELB: EC2 traffic + EC2 compute

Page 23: ELB pricing

Price per instance + traffic cost: $0.025/hour (i.e. $219/year) + $0.008/GByte

Is variable cost a problem for federal agencies?

Page 24: Cost comparison: ELB vs LTM single instance

Breakeven traffic: ~140 Mbps with a 200 Mbps license; ~300 Mbps with a 1 Gig license.

AWS makes its money by charging for traffic. If you don't use ELB for your service it's cheap – but why use it?
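The two ELB price points above are enough to turn the breakeven claim into a reproducible cost model. The following Python is an added example, not code from the deck or from F5. It assumes a 365-day year, decimal gigabytes for the per-GB charge, sustained (average) throughput, and that the EC2 traffic and compute charges are the same with or without ELB and therefore cancel out of the comparison. LTM license prices are not on the slide, so breakeven_mbps takes the license's annual cost as a parameter; implied_ltm_annual_cost runs the same model backwards to show what license price the slide's quoted breakevens correspond to.

```python
"""Added example: yearly cost of a classic AWS ELB versus a flat-price LTM VE license.

The two price points are the ones on the slide; everything else is an
assumption noted inline. Illustrative code, not F5's or AWS's pricing tooling.
"""

ELB_HOURLY_USD = 0.025          # "$0.025/hour" (slide)
ELB_PER_GB_USD = 0.008          # "$0.008/GByte" (slide)
HOURS_PER_YEAR = 24 * 365       # assumption: non-leap year
SECONDS_PER_YEAR = HOURS_PER_YEAR * 3600
BYTES_PER_GB = 10 ** 9          # assumption: AWS bills in decimal gigabytes


def elb_fixed_annual_cost():
    """Instance-hour charge for one ELB kept up all year (the slide's $219/year)."""
    return ELB_HOURLY_USD * HOURS_PER_YEAR


def annual_gb(mbps):
    """Gigabytes moved in a year at a sustained rate of `mbps` megabits per second."""
    bytes_per_second = mbps * 1_000_000 / 8
    return bytes_per_second * SECONDS_PER_YEAR / BYTES_PER_GB


def elb_annual_cost(mbps):
    """Yearly ELB bill: instance hours plus per-GB traffic at a sustained rate."""
    return elb_fixed_annual_cost() + annual_gb(mbps) * ELB_PER_GB_USD


def breakeven_mbps(ltm_annual_cost):
    """Sustained throughput above which ELB costs more than a flat LTM license.

    `ltm_annual_cost` is a placeholder input: license prices are not on the slide.
    Returns 0.0 when the license is cheaper than even an idle ELB.
    """
    fixed = elb_fixed_annual_cost()
    if ltm_annual_cost <= fixed:
        return 0.0
    gb_per_year = (ltm_annual_cost - fixed) / ELB_PER_GB_USD
    return gb_per_year * BYTES_PER_GB * 8 / 1_000_000 / SECONDS_PER_YEAR


def implied_ltm_annual_cost(quoted_breakeven_mbps):
    """License price implied by a quoted breakeven (inverse of breakeven_mbps)."""
    return elb_annual_cost(quoted_breakeven_mbps)


if __name__ == "__main__":
    for mbps in (50, 140, 300, 600):
        print(f"{mbps:>4} Mbps sustained -> ELB ${elb_annual_cost(mbps):,.2f}/year")
    # The slide quotes ~140 Mbps breakeven for the 200 Mbps license and
    # ~300 Mbps for the 1 Gbps license; print the license prices that implies.
    for label, mbps in (("200 Mbps license", 140), ("1 Gbps license", 300)):
        print(f"{label}: implied ~${implied_ltm_annual_cost(mbps):,.0f}/year")
```

The model is linear in traffic, which is why the chart on this slide shows the ELB line crossing the flat LTM lines: a sustained 140 Mbps moves roughly 552,000 GB a year, so the per-GB charge, not the $219 instance charge, dominates the ELB bill.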

[Chart: annual cost, $0 to $35,000, LTM/year versus ELB/yr]

Page 25

Page 26

Page 27

[Diagram: us-east-1 Region (N. VA), us-east-1a Availability Zone: BIG-IP #1 in front of instances]

Page 28

[Diagram: us-east-1 Region (N. VA), us-east-1a Availability Zone: BIG-IP #1 and BIG-IP #2 in front of instances]

Page 29

[Diagram: us-gov-east-1 Region; us-gov-east-1a Availability Zone with two LTMs in front of instances, and us-gov-east-1b Availability Zone with two LTMs in front of instances; DNS in front of each zone]

Page 30: Sync-Failover Group

VPC = 10.0.0.0/16

Availability Zone 1
• AZ1 Mgmt VLAN = 10.0.0.0/24
• AZ1 External VLAN = 10.0.1.0/24
• AZ1 Internal VLAN = 10.0.2.0/24
• AZ1 Default Gateway = 10.0.1.1
• VIP = 10.0.1.100 (tg = traffic-group-1)
• EIP for Virtual in AZ 1 = 100.0.0.0
• Pool members: 10.0.2.201, 10.0.2.202, 10.0.2.203

Availability Zone 2
• AZ2 Mgmt VLAN = 10.0.10.0/24
• AZ2 External VLAN = 10.0.11.0/24
• AZ2 Internal VLAN = 10.0.12.0/24
• AZ2 Default Gateway = 10.0.11.1
• VIP = 10.0.11.100 (tg = traffic-group-1)
• EIP for Virtual in AZ 2 = 100.0.0.1
• Pool members: 10.0.12.201, 10.0.12.202, 10.0.12.203

DNS LB/GSLB in front of both zones

Page 31

[Diagram: us-gov-east-1 Region; us-gov-east-1a Availability Zone: LTM Active in front of instances; us-gov-east-1b Availability Zone: LTM Standby in front of instances; one Elastic IP address that moves to the active unit on failover]

Page 32: HA Across AZs – Sync-Failover Group

VPC = 10.0.0.0/16
Traffic Group = traffic-group-1 (dictates which unit is Active)
EIP (VIP1) = 55.55.55.55

Availability Zone 1
• AZ1 Mgmt VLAN = 10.0.0.0/24, Mgmt IP = 10.0.0.100
• AZ1 External VLAN = 10.0.1.0/24, Self IP = 10.0.1.101
• AZ1 Internal VLAN = 10.0.2.0/24, Self IP = 10.0.2.200
• AZ1 Pool VLAN = 10.0.3.0/24
• AZ1 Default Gateway = 10.0.1.1
• VIP = 10.0.1.100 (traffic-group-none)
• Pool members: 10.0.3.201, 10.0.3.202, 10.0.3.203

Availability Zone 2
• AZ2 Mgmt VLAN = 10.0.10.0/24, Mgmt IP = 10.0.10.100
• AZ2 External VLAN = 10.0.11.0/24, Self IP = 10.0.11.101
• AZ2 Internal VLAN = 10.0.12.0/24, Self IP = 10.0.12.101
• AZ2 Pool VLAN = 10.0.13.0/24
• AZ2 Default Gateway = 10.0.11.1
• VIP = 10.0.11.100 (traffic-group-none)
• Pool members: 10.0.13.201, 10.0.13.202, 10.0.13.203

NOTE: Pool members can span AZs. Ex.: VIP 10.0.1.100 & VIP 10.0.11.100 are the same service and both use:

my_pool:
  10.0.3.201
  10.0.3.202
  10.0.3.203
  10.0.13.201
  10.0.13.202
  10.0.13.203
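Before building this two-AZ design, a practitioner normally checks that the addressing plan is internally consistent, since a VLAN outside the VPC CIDR, an overlapping subnet, or a VIP placed in the wrong VLAN only shows up later as a failover that silently fails. The following Python is an added example, not code from the deck or from F5: it transcribes the plan on this slide into data, checks the invariants the design depends on with the standard library's ipaddress module (every VLAN inside the VPC, no overlaps, gateway and VIP in the external VLAN, management and self IPs in their own VLANs, every member of the cross-AZ pool in one of the pool VLANs), and models which private VIP the Elastic IP follows when the active unit changes. The EIP 55.55.55.55 is the slide's illustrative value; the check logic and the eip_target mapping are this example's own.

```python
"""Added example: sanity-check the two-AZ Sync-Failover addressing plan.

The addresses are transcribed from the slide; the checks and the failover
mapping are this example's own, not F5 tooling. Standard library only.
"""
import ipaddress
from itertools import combinations

VPC_CIDR = "10.0.0.0/16"
EIP = "55.55.55.55"            # illustrative Elastic IP from the slide

AZS = {
    "AZ1": {
        "vlans": {"mgmt": "10.0.0.0/24", "external": "10.0.1.0/24",
                  "internal": "10.0.2.0/24", "pool": "10.0.3.0/24"},
        "gateway": "10.0.1.1",
        "mgmt_ip": "10.0.0.100",
        "self_ips": {"external": "10.0.1.101", "internal": "10.0.2.200"},
        "vip": "10.0.1.100",
    },
    "AZ2": {
        "vlans": {"mgmt": "10.0.10.0/24", "external": "10.0.11.0/24",
                  "internal": "10.0.12.0/24", "pool": "10.0.13.0/24"},
        "gateway": "10.0.11.1",
        "mgmt_ip": "10.0.10.100",
        "self_ips": {"external": "10.0.11.101", "internal": "10.0.12.101"},
        "vip": "10.0.11.100",
    },
}

# my_pool from the slide's note: members in both AZs, used by both VIPs.
POOL_MEMBERS = ["10.0.3.201", "10.0.3.202", "10.0.3.203",
                "10.0.13.201", "10.0.13.202", "10.0.13.203"]


def validate_plan(vpc_cidr=VPC_CIDR, azs=AZS, pool_members=POOL_MEMBERS):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {}

    # 1. Every VLAN subnet must be carved out of the VPC CIDR.
    for az, cfg in azs.items():
        for name, cidr in cfg["vlans"].items():
            net = ipaddress.ip_network(cidr)
            nets[(az, name)] = net
            if not net.subnet_of(vpc):
                findings.append(f"{az} {name} VLAN {cidr} is outside VPC {vpc}")

    # 2. Subnets must not overlap, within an AZ or across AZs.
    for (key_a, net_a), (key_b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            findings.append(f"{key_a} {net_a} overlaps {key_b} {net_b}")

    # 3. Gateway and VIP belong in the external VLAN; mgmt IP and self IPs in theirs.
    for az, cfg in azs.items():
        placements = [
            ("default gateway", cfg["gateway"], nets[(az, "external")]),
            ("VIP", cfg["vip"], nets[(az, "external")]),
            ("management IP", cfg["mgmt_ip"], nets[(az, "mgmt")]),
        ]
        placements += [(f"{vlan} self IP", addr, nets[(az, vlan)])
                       for vlan, addr in cfg["self_ips"].items()]
        for label, addr, net in placements:
            if ipaddress.ip_address(addr) not in net:
                findings.append(f"{az} {label} {addr} is not in {net}")

    # 4. Every pool member must sit in one of the pool VLANs (either AZ),
    #    which is what lets the cross-AZ pool in the slide's note work.
    pool_nets = [nets[(az, "pool")] for az in azs]
    for member in pool_members:
        if not any(ipaddress.ip_address(member) in net for net in pool_nets):
            findings.append(f"pool member {member} is not in any pool VLAN")

    return findings


def eip_target(active_az, azs=AZS):
    """Private VIP the Elastic IP is associated with: it follows the active unit."""
    return azs[active_az]["vip"]


if __name__ == "__main__":
    problems = validate_plan()
    print("plan OK" if not problems else "\n".join(problems))
    for az in AZS:
        print(f"{az} active: {EIP} -> {eip_target(az)}")
```

Run against the slide's values the validator returns no findings; feeding it a plan with AZ1's pool VLAN accidentally set to 10.0.13.0/24 reports the overlap with AZ2 and the three AZ1 members that no longer sit in any pool VLAN, which is exactly the kind of slip the double-dot typo on the original slide could have hidden.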

Page 33

Page 34

Page 35

[Diagram: us-gov-east-1 Region; us-gov-east-1a and us-gov-east-1b Availability Zones, each with an Active and a Standby BIG-IP in front of instances, and an HSM attached to each of the four units]

Page 36

[Diagram: the same two-AZ deployment with Active units in each zone (four Active in total), connected over AWS Direct Connect to an on-premises F5 BIG-IP 10350-v-F]

Page 37
Page 38: Shared Responsibility Model

Cloud vendors leave layer 4-7 services to the cloud customer.

Cloud Vendor Responsibility – Public Cloud Infrastructure (IaaS/PaaS/SaaS): Amazon Web Services, Microsoft Azure, Google Cloud Platform
• Physical Servers
• Storage
• Networking Functions
• Virtualization

Your (Customer's) Responsibility
• Operating System
• Middleware
• Runtime
• Data
• Applications
• Access & Identity Federation
• Web Application Firewall
• Local Traffic Management
• Global Traffic Management
• Network Firewall

Page 39: Bolster your Existing AWS WAF – F5's Three Managed Rulesets Prevent Leading Attack Mechanisms

Ruleset 1: Web Exploits – OWASP Top 10
• Protects against web exploits that are a part of the OWASP Top 10, including SQLi, XSS, command injection, NoSQL injection, path traversal, and predictable resource

Ruleset 2: Common Vulnerabilities & Exposures (CVE)
• Provides high-profile protection for CVEs in major systems including Apache, Apache Struts, Bash, Elasticsearch, IIS, JBoss, JSP, Java, Joomla, MySQL, Node.js, PHP, PHPMyAdmin, Perl, Ruby On Rails, and WordPress

Ruleset 3: Bot Protection
• Protects against automated attacks – Bot Protection Rules stop a broad range of malicious bots including vulnerability scanners, web scrapers, DDoS tools, and forum spam tools.

Page 40: Enhance Your AWS Security Posture – F5's Managed Rules for AWS WAF

Page 41: AWS WAF & F5 Managed Rules is Good... But F5's Dedicated Web Application Firewall is Better!

AWS WAF
• Basic WAF protection: limited protection against OWASP 10
• Simplified deployment – native service
• Hourly Licensing

AWS WAF + F5 Managed Rules
• Basic WAF protection: enhanced protection against OWASP 10 web exploits, Bots or CVEs
• Simplified deployment – native service
• Hourly Licensing

F5 Web Application Firewall
• Comprehensive, complete WAF:
  • L7 DoS mitigation
  • Proactive bot defense
  • Complete OWASP 10 protection
  • Automated policy learning
  • Context-aware risk management
  • Virtual patching
  • Advanced compliance
  • … & many more features
• Simplified deployment from the AWS MP with F5 CloudFormation Templates
• Hourly, Subscription, ELA and Perpetual Licensing

Page 42

Page 43: GitHub and Cloud Product Pages

Page 44

[Diagram: BIG-IP EC2 Autoscale Group spanning Availability Zone 1 (BYOL BIG-IP, public subnet, app subnet), Availability Zone 2 (Hourly BIG-IP, public subnet) and Availability Zone 3 (Hourly BIG-IP, public subnet)]

BIG-IP EC2 Autoscale Group
• Save costs by on-demand scalability of F5 app services
• Capacity on-demand
• Autoscale BIG-IPs and pool members
• Integrates with AWS Autoscale and CloudWatch
• Leverages Cloud-init
• BYOL and/or Hourly

Page 45

[Diagram: BIG-IP Auto Scaling group]

Page 46

[Diagram: BIG-IP Auto Scaling group with two BIG-IP instances]

Page 47

[Diagram: Auto Scaling group in the us-gov-east-1 Region; us-gov-east-1a and us-gov-east-1b Availability Zones, each with two LTMs (Active) in front of instances]

Page 48

Page 49

Page 50

Securing and automating app delivery in public cloud

• F5 Solution for Private–Public Cloud inter-connect

• Secure reverse tunnel between Private–Public cloud (SSL keys on BIG-IP in Private Cloud/DC)

• Public cloud resources auto-discovered and managed by BIG-IP in Private Cloud/DC

Application Connector

[Diagram: a private cloud (ADC & Security holding the private keys; application and data) linked through App Connectors (AC) over a secure reverse tunnel across the public Internet to public cloud applications and data]

Page 51

PROS
• Private keys stored in Private Cloud
• App front-end via BIG-IP in Private Cloud
• Auto-discovery of Public Cloud resources
• All resources managed from Private Cloud

CONS
• Security: private keys, sensitive data
• Storage: cost, data to/from the cloud
• Cloud lock-in: data transfer cost
• Performance: Higher latency

[Diagram: a private cloud (ADC & Security holding the private keys; application and data) linked through App Connectors (AC) over a secure reverse tunnel across the public Internet to public cloud applications and data]

Page 52

Page 53

Page 54