F5 Government Symposium 2018 AWS and F5 Deep Dive
Ryan Johnson Federal System Engineer
4/4/2018
[Diagram: Private Cloud (on premises) and Public Cloud (off premises); Hybrid Cloud]

Public Cloud – Pros and Cons
PROS
• Time to Market
• Low initial costs (Pay per use)
• Flexible & unlimited capacity growth
CONS
• Security: private keys, policies, sensitive data
• Storage: cost, data to/from the cloud
• Cloud lock-in: policies, data transfer cost
• Performance: Higher latency

Private Cloud – Pros and Cons
PROS
• Strong Security (sensitive data, keys)
• Full Control (policies & compliance)
• Easily Customizable
CONS
• Cost / upfront investment
• Under-utilization
• Capacity Ceiling
[Diagram: Private Cloud with ADC & Security fronting Application and Data; Application and Data in public cloud fronted by ADC & Security AWS Tools and ADC & Security Azure Tools]

How about migrating/scaling or adding new apps to a public cloud provider to get the benefits of public cloud: cost, time to market and scale?
[Diagram: Private Cloud (ADC & Security, Application, Data) connected over the Public Internet to AWS (Migrate/Scale out Orange App to AWS, ADC & Security AWS Tools) and Azure (New Green App to Azure, ADC & Security Azure Tools)]
PROS
• Time to Market
• Low initial costs (Pay per use)
• Flexible & unlimited capacity growth
CONS
• Security: private keys, policy, sensitive data
• Storage: cost, data to/from the cloud
• Cloud lock-in: policy, data transfer cost
• Performance: Higher latency
Extend your Private Cloud into Colo Facility
[Diagram: Private Cloud (ADC & Security, App Connectors, Application, Storage) reaches the Colo Facility over a Secure Reverse Tunnel; the Colo Facility hosts ADC & Security and connects to Public Cloud (Application, Data) over an XChange Private Interconnect; Public Internet]
PROS
• Sensitive data securely stored in Colo
• Colo brings app closer to end users
• Moving data in/out colo at low cost
• Low latency towards all public cloud providers
CONS
• Security: sensitive data
• Storage: cost, data to/from the cloud
• Cloud lock-in: data transfer cost
• Performance: Higher latency
© 2018 F5 Networks
Multi-Cloud Challenges
Operational Agility
• Manual IT processes impede developers’ agility needs
• Feature gaps in cloud native services result in longer time to value
• Basic native services tied to each cloud provider infrastructure
• Insufficient/basic security services make apps more vulnerable to attacks
• Inconsistent security services increase compliance gaps and audit risks
• No centralized method to manage policy and enforce compliance
• Poor cross-environment visibility/analytics
• Lack of a standardized and common set of app services results in complexity and costs
• Disparate platforms and toolsets exacerbate IT skillset gaps and lead to cloud lock-in
• Higher costs and inability to scale with multiple different app services to deploy and maintain
Making Your Cloud Apps Go Smarter, Faster, Safer
Simple Operations
• Service abstraction
• Cloud independence with portable multi-cloud app services
• Integration with application ecosystem
• Turnkey solutions validated and tested in multiple clouds
• Library of automation and DevOps toolsets
• Enable NetOps with SuperNetOps training
• Consistent security policies
• Simplified policy deployment and compliance
• Advanced app protection
• Centralized visibility for control

F5 transforms app services, delivering consistency and security to Multi-Cloud deployments:
• Reduce complexity across multiple clouds
• Scale deployments with increased agility
• Reduced risk – consistent policy, maintain compliance and control
Cloud Solution Templates for Multi-Cloud
• Quickly deploy common F5 services
• … for your applications
• … in the infrastructure of your choice
• … in “one-click”
• … supported by F5
• Available on GitHub
• And cloud provider product pages
Cloud Solution Templates by Platform (https://github.com/f5networks)
AWS
• 1, 2, 3 NIC HA BYOL & Hourly
• HA across AZ
• Cloud WAF in MP
• Cloud LTM
• Service Discovery – 1, 2, 3 NIC, HA
• BIG-IQ: 5.2, 5.3 – Receive licensing
• Existing Prod stack, no public IPs
• Autoscale: SvcDisc Support
• Autoscale: Cloud WAF and v13
• Autoscale: Master Election
• Autoscale: BYOL (BIG-IQ)
• Autoscale: on vCPU
• Marketplace: LTM, WAF, HA across AZs
• Marketplace: Autoscale update
• GovCloud Template Support
Azure
• 1, 2, 3 NIC, HA BYOL & Hourly
• MultiNIC support – HA, WAF
• HA across AVset
• HA across AVset + 2 TGs (no ALB)
• WAF ASC, Tier 2
• Service Discovery – All templates
• BIG-IQ: 5.2, 5.3 – Receive licensing
• Deploy into existing VNET: HA, Cloud LTM, Cloud WAF
• V13 WAF support
• Autoscale: Master Election
• Autoscale BYOL (BIG-IQ)
• Marketplace: LTM, WAF, ASC
• Marketplace: O365 SSO Solution
Google Cloud
• 1/2/3 NIC BYOL Templates
• 1/2/3 NIC Utility Templates
• Hourly billing now available in Google Launcher
• Service Discovery
Simplified Cloud Deployments: Solution Templates for the EZ Button ERA
https://github.com/f5networks http://clouddocs.f5.com/
• Tested & Validated – VE Deployments in minutes
• Simple & Automated – Familiar tool sets
• Consistency Across Clouds – Cloud Security Consistency
F5 Product    | Size                   | Option
BIG-IP Good   | 25MB, 200MB, 1GB, 5GB  | PAYGO or BYOL
BIG-IP Better | 25MB, 200MB, 1GB, 5GB  | PAYGO or BYOL
BIG-IP Best   | 25MB, 200MB, 1GB, 5GB  | PAYGO or BYOL
BIG-IP Good   | 3GB, 10GB              | BYOL only
BIG-IP Better | 3GB, 10GB              | BYOL only
BIG-IP Best   | 3GB, 10GB              | BYOL only
BIG-IQ        | B                      | BYOL only
• 19 Product Listings on [marketplace logo]
• Globally Deployed + Gov Cloud and C2S
• BYOL or PAYG
• 15 supported Cloud Solution Templates
• Top 5 ISV with 2+ Competencies
• In GovCloud and C2S Marketplaces
• Enterprise Contracts Partner
• Deep Technical Alignment
• Partner Programs in Marketplace
• PAYGO includes F5 support
* – caveat any gotchas for GovCloud
• Resale • Private Offer • Refer
[Licensing slide fragments: “Procurement Process and can be used by BIG-IQ Lic Manager”; “One-time purchase”]
Feature                      | F5 BIG-IP LTM VE   | Amazon ELB
Local Load Balancing         | X                  | X
Application Acceleration     | X                  |
SSL and Compression Offload  | X                  | X
Content Caching              | X                  |
Scripted Traffic Handling    | X                  |
IPv6 Support                 | X                  | X
Global Load Balancing        | X¹                 |
Bandwidth Management         | X                  |
Transaction Rate Shaping     | X¹                 |
Service Level Monitoring     | X                  |
Application Integration      | X                  |
Application Access Control   | X¹                 |
L3/L4 Firewall               | X¹                 |
Community Support            | DevCentral.f5.com  | forum
¹ Add-on functionality
In a Nutshell: Why ELB?
• Auto scaling of servers
• Dynamic scaling of the load balancer itself
• Cookie persistence
• HTTP monitor with 200 OK
• Cheap
• DevOps do not have to log in to my console
Good-enough load balancer
Why not F5 in AWS? Customer responses:
• Feature Rich but complicated
• Expensive
• No Auto scaling of Servers
• No Auto scaling of BIG-IP
Challenge Accepted
How AWS Charges
With ELB: ELB instance + ELB Traffic + EC2 traffic + EC2 compute
Without ELB: EC2 traffic + EC2 compute

ELB pricing
Price per instance + traffic cost: $0.025/hour ($219/year) + $0.008/GByte
Is variable cost a problem for federal agencies?
Cost comparison: ELB vs LTM single instance
Breakeven traffic: ~140Mbps with 200Mbps license; ~300Mbps with 1Gig license
AWS makes its money by charging for traffic.
If you don’t use ELB for your service it’s cheap – but why use it?
[Chart: annual cost in USD, $0 to $35,000, LTM/year vs ELB/yr]
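The pricing model behind the breakeven slide, worked through as an added example (not code from the deck or from F5): it models only the two ELB-specific charges the slide quotes, since EC2 compute and EC2 traffic are paid either way, and assumes decimal GB as the billing unit and a 365-day year.

```python
# Added example (not from the F5 deck): model the ELB cost lines from the slide and find the
# sustained throughput at which ELB's variable traffic charge overtakes a fixed annual
# BIG-IP LTM license cost. Only ELB-specific charges are modelled; EC2 compute and EC2
# traffic are common to both options ("ELB instance + ELB Traffic + EC2 traffic + EC2 compute").

ELB_HOURLY_USD = 0.025      # per ELB instance-hour (slide)
ELB_PER_GB_USD = 0.008      # per GB of traffic through the ELB (slide)
HOURS_PER_YEAR = 365 * 24   # 8760; leap years ignored (assumption)
# GB carried per year by 1 Mbps of sustained throughput; decimal GB assumed (1e9 bytes).
GB_PER_MBPS_YEAR = 1e6 / 8 * HOURS_PER_YEAR * 3600 / 1e9   # = 3942.0


def elb_instance_cost_per_year() -> float:
    """Fixed ELB instance charge; matches the slide's $219/year."""
    return ELB_HOURLY_USD * HOURS_PER_YEAR


def elb_annual_cost(avg_mbps: float) -> float:
    """Total ELB-specific cost per year at a sustained average throughput in Mbps."""
    traffic_gb = avg_mbps * GB_PER_MBPS_YEAR
    return elb_instance_cost_per_year() + traffic_gb * ELB_PER_GB_USD


def breakeven_mbps(ltm_annual_cost_usd: float) -> float:
    """Throughput at which ELB's annual cost equals a fixed annual LTM license cost.

    Solves instance + mbps * GB_PER_MBPS_YEAR * per_gb == ltm_annual_cost for mbps.
    Returns 0.0 when the LTM costs less than an idle ELB (no breakeven exists)."""
    variable = ltm_annual_cost_usd - elb_instance_cost_per_year()
    if variable <= 0:
        return 0.0
    return variable / (GB_PER_MBPS_YEAR * ELB_PER_GB_USD)


def implied_ltm_cost(breakeven_from_slide_mbps: float) -> float:
    """Read the slide's breakeven backwards: the annual LTM cost it implies."""
    return elb_annual_cost(breakeven_from_slide_mbps)


if __name__ == "__main__":
    # The slide's two breakeven points: ~140 Mbps (200Mbps license), ~300 Mbps (1Gig license).
    for mbps, lic in ((140, "200Mbps"), (300, "1Gig")):
        print(f"{lic} license: ELB costs ${implied_ltm_cost(mbps):,.2f}/yr at {mbps} Mbps")
```

Every 100 Mbps of sustained traffic adds roughly $3,150/yr to the ELB bill under these prices, which is why the variable line dominates the fixed $219 almost immediately.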
[Diagram: us-east-1 Region (N. VA), us-east-1a Availability Zone: a single BIG-IP #1 fronting instances]
[Diagram: us-east-1 Region (N. VA), us-east-1a Availability Zone: BIG-IP #1 and BIG-IP #2 fronting instances]
[Diagram: us-gov-east-1 Region: an LTM pair fronting instances in us-gov-east-1a and another LTM pair in us-gov-east-1b, with DNS in front of both Availability Zones]
Sync-Failover Group across Availability Zones (VPC = 10.0.0.0/16, DNS LB/GSLB in front)
Availability Zone 1:
  Mgmt Vlan = 10.0.0.0/24
  External Vlan = 10.0.1.0/24, Default Gateway = 10.0.1.1
  Internal Vlan = 10.0.2.0/24
  VIP = 10.0.1.100 (tg = traffic-group-1), EIP for Virtual in AZ 1 = 100.0.0.0
  Hosts on Internal Vlan: 10.0.2.201, 10.0.2.202, 10.0.2.203
Availability Zone 2:
  Mgmt Vlan = 10.0.10.0/24
  External Vlan = 10.0.11.0/24, Default Gateway = 10.0.11.1
  Internal Vlan = 10.0.12.0/24
  VIP = 10.0.11.100 (tg = traffic-group-1), EIP for Virtual in AZ 2 = 100.0.0.1
  Hosts on Internal Vlan: 10.0.12.201, 10.0.12.202, 10.0.12.203
[Diagram: us-gov-east-1 Region: LTM Active fronting instances in us-gov-east-1a, LTM Standby fronting instances in us-gov-east-1b; the Elastic IP address moves on failover]
HA Across AZs
Sync-Failover Group; Traffic Group = traffic-group-1 dictates Active
VPC = 10.0.0.0/16; EIP (VIP1) = 55.55.55.55
Availability Zone 1:
  Mgmt Vlan = 10.0.0.0/24, Mgmt IP = 10.0.0.100
  External Vlan = 10.0.1.0/24, Self IP = 10.0.1.101, Default Gateway = 10.0.1.1
  Internal Vlan = 10.0.2.0/24, Self IP = 10.0.2.200
  Pool Vlan = 10.0.3.0/24
  VIP = 10.0.1.100 (traffic-group-none)
Availability Zone 2:
  Mgmt Vlan = 10.0.10.0/24, Mgmt IP = 10.0.10.100
  External Vlan = 10.0.11.0/24, Self IP = 10.0.11.101, Default Gateway = 10.0.11.1
  Internal Vlan = 10.0.12.0/24, Self IP = 10.0.12.101
  Pool Vlan = 10.0.13.0/24
  VIP = 10.0.11.100 (traffic-group-none)
NOTE: Pool’s members can span AZs. Ex. VIP 10.0.1.100 & VIP 10.0.11.100 are the same service and both use my_pool: 10.0.3.201, 10.0.3.202, 10.0.3.203, 10.0.13.201, 10.0.13.202, 10.0.13.203
[Diagram: us-gov-east-1 Region: Active and Standby BIG-IPs fronting instances in each of us-gov-east-1a and us-gov-east-1b, with four HSMs shown alongside the BIG-IPs]
[Diagram: AWS Direct Connect linking an F5 BIG-IP 10350-v-F to the us-gov-east-1 Region, with Active BIG-IPs fronting instances in us-gov-east-1a and us-gov-east-1b (Active/Active)]
Shared Responsibility Model
Cloud vendors leave layer 4-7 services to the cloud customer
[Diagram: stack over Public Cloud Infrastructure (IaaS/PaaS/SaaS) on Microsoft Azure, Amazon Web Services and Google Cloud Platform]
Your Customer’s Responsibility: Applications, Data, Runtime, Middleware, Operating System, and the layer 4-7 services: Access & Identity Federation, Web Application Firewall, Local Traffic Management, Global Traffic Management, Network Firewall
Cloud Vendor Responsibility: Virtualization, Physical Servers, Storage, Networking Functions
Bolster your Existing AWS WAF: F5’s Three Managed Rulesets Prevent Leading Attack Mechanisms
Ruleset 1: Web Exploits OWASP Top 10
• Protects against web exploits that are a part of the OWASP Top 10, including SQLi, XSS, command injection, NoSQL injection, path traversal, and predictable resource
Ruleset 2: Common Vulnerabilities & Exposures (CVE)
• Provides high-profile protection for CVEs for major systems including Apache, Apache Struts, Bash, Elasticsearch, IIS, JBoss, JSP, Java, Joomla, MySQL, Node.js, PHP, PHPMyAdmin, Perl, Ruby On Rails, and WordPress
Ruleset 3: Bot Protection
• Protects against automated attacks: Bot Protection Rules stop a broad range of malicious bots including vulnerability scanners, web scrapers, DDoS tools, and forum spam tools.
Enhance Your AWS Security Posture: F5’s Managed Rules for AWS WAF
AWS WAF & F5 Managed Rules is Good... …But F5’s Dedicated Web Application Firewall is Better!

AWS WAF
• Basic WAF protection: Limited protection against OWASP 10
• Simplified deployment – native service
• Hourly Licensing

AWS WAF + F5 Managed Rules
• Basic WAF protection: Enhanced protection against OWASP 10 web exploits, Bots or CVEs
• Simplified deployment – native service
• Hourly Licensing

F5 Web Application Firewall
• Comprehensive, complete WAF:
  • L7 DoS mitigation
  • Proactive bot defense
  • Complete OWASP 10 protection
  • Automated policy learning
  • Context-aware risk management
  • Virtual patching
  • Advanced compliance
  • … & many more features
• Simplified deployment from the AWS MP with F5 CloudFormation Templates
• Hourly, Subscription, ELA and Perpetual Licensing
GitHub and Cloud Product Pages
BIG-IP EC2 Autoscale Group
[Diagram: Availability Zone 1 with a BYOL BIG-IP (public subnet, app subnet); Availability Zone 2 with an Hourly BIG-IP (public subnet); Availability Zone 3 with an Hourly BIG-IP (public subnet)]
• Save costs by on-demand scalability of F5 app services
• Capacity on-demand
• Autoscale BIG-IPs and Pool members
• Integrates with AWS Autoscale and CloudWatch
• Leverages Cloud-init
• BYOL and/or Hourly
[Diagram: BIG-IP Auto Scaling group, built up from one BIG-IP to several]
[Diagram: us-gov-east-1 Region: an Auto Scaling group of LTM: Active instances fronting instances in us-gov-east-1a and us-gov-east-1b]
Application Connector
Securing and automating app delivery in public cloud
• F5 Solution for Private–Public Cloud inter-connect
• Secure reverse tunnel between Private–Public cloud (SSL keys on BIG-IP in Private Cloud/DC)
• Public cloud resources auto-discovered and managed by BIG-IP in Private Cloud/DC
[Diagram: Private Cloud (ADC & Security holding the Private keys, App Connectors) connected over the Public Internet through a Secure Reverse Tunnel to Application and Data in public cloud]
CONS
• Security: private keys, sensitive data
• Storage: cost, data to/from the cloud
• Cloud lock-in: data transfer cost
• Performance: Higher latency
PROS
• Private keys stored in Private Cloud
• App front-end via BIG-IP in Private Cloud
• Auto-discovery of Public Cloud resources
• All resources managed from Private Cloud
[Diagram: Private Cloud (ADC & Security, Private keys, App Connectors) connected over the Public Internet through a Secure Reverse Tunnel to Application and Data in public cloud]