F5 Beside the Cloud
(diagram: one set of app services, i.e. Access, TLS/SSL, DNS, Network Access Control, WAF, Security Policies and Load Balancing, delivered to On-prem / Private Cloud, Public Cloud, Co-located SaaS Containers and SaaS)
© F5 Networks, Inc 9
Why Get Closer to the Cloud?
(diagram: Enterprise Users at the Enterprise Location, Enterprise Apps in the Public Cloud; "There's this distance between us")
• Latency: Performance
• Connectivity: Security
Existing Solutions
(diagram: enterprise reaches each Cloud either over a VPN or over a Dedicated connection)
Connection Type | Example | Advantages | Disadvantages
Dedicated connection | AWS Direct Connect, Azure ExpressRoute, Google Cloud Interconnect, Oracle FastConnect | Private, fast(er) | Cost: pay for the line and for usage; multiple clouds need multiple connections
VPN connection | AWS Virtual Private Gateway, Azure Virtual Network Gateway | Cheap | Uses the Internet: latency, reliability, privacy and congestion may be issues
Interconnection
(diagram: the enterprise uses one Dedicated connection to an Interconnection provider, which connects on to multiple Clouds)
• Cloud Ready: modernize connectivity to multiple clouds at the edge of the network
• User Experience: shorten the distance and lower latency between users and cloud apps
• Private/Secure: directly connect users, data and clouds, bypassing the public internet
• Lower Cost: economical, less complex connectivity compared to old network topologies
Interconnection
(diagram: the same topology, with app services inserted at the interconnection point: Identity Federation, DDoS, WAF, SSLi)
Use Case Scenarios
• Identity Federation: mitigate risk by providing dynamic, centralized and adaptive access control and cloud federation for all applications anywhere.
• WAF: protect your apps, and the data behind them, from evasive, targeted attacks with an industry-leading WAF offering the highest level of security without impacting performance.
• DDoS: protect your data with a high-value, easy to deploy and manage next-generation DDoS solution that guards against the most aggressive and targeted DDoS attacks.
• SSLi (SSL intercept): gain critical visibility and deeper intelligence into the traffic on your network and in the cloud that many traditional defenses leave exposed.
Control Public Cloud Apps Better and Avoid Cloud Vendor Lock-in
Challenges
• Lack of control over applications and devices
• Lack of operational flexibility and risk of cloud provider lock-in
• Gap in IT resource skillsets in public cloud
Recommended app delivery services
• Advanced local/global traffic management
• SSL offload and intercept
• App security: DDoS, WAF and IAM
• Available via BYOL (bring your own license) on VE (Virtual Edition) and on hardware appliances with GBB (Good/Better/Best) licensing models
Key Benefits
• Maintain a central point of control and visibility
• Enable flexibility and portability among clouds
• Reduce security risks with consistent policies
• Achieve user performance expectations
© 2017 F5 Networks 25
Only consistent services insertion across cloud providers
F5 Application Connector (AC)
• Automatically discovers public cloud-hosted apps in AWS
• Securely integrates all public clouds to the Interconnect or DC
• Simplifies deploying app delivery and security services
• Consistent policies and configs across public clouds
• Reduces footprint by obfuscation / key mgmt.
Key Benefits
• Migrate with confidence
• Preserves app services control
• Enables cloud freedom, avoiding lock-in
• Visibility across all apps
(diagram: Users, and an Attacker, reach the BIG-IP platform (ASM, LTM, APM: SSL, Access and App Security Services) at the Interconnect Provider; an AC in each Public cloud connects to that BIG-IP)
Consistent App Services Across Clouds
• SSL: gain critical visibility and deeper intelligence into the traffic on your network and in the cloud that many traditional defenses leave exposed.
• Identity Federation: mitigate risk by providing dynamic, centralized and adaptive access control and cloud federation for all applications anywhere.
• Availability: achieve reliable and optimized applications; extensible and flexible application services with programmability to manage physical, virtual and cloud.
• WAF: protect your apps, and the data behind them, from evasive, targeted attacks with an industry-leading WAF offering the highest level of security.
• DDoS: protect your networks with a high-value, easy to deploy and manage DDoS solution that guards against aggressive and targeted attacks.
(diagram: an AC in each cloud connects to the BIG-IP)
Application Connector Proxy in the Cloud:
• Delivered as a Docker container
• Secure TLS (ECC) encryption
• AWS workload auto discovery
• Manual workload definition and state management
• Touchless recoverability
• Service API
Application Connector Service Center on BIG-IP:
• Delivered as an iAppsLX package
• Application service management
• Real-time logging and statistics
• Multi-path workload discovery
• Health monitoring
• Active/Standby HA support
• Touchless recoverability
• Service API
Only consistent services insertion across cloud providers
(diagram: End Users reach the BIG-IP running the AC Service Center at the Interconnect Provider over the Cloud Interconnect; an AC Proxy in each Public Cloud (Amazon AWS, Rackspace, Azure, IBM SoftLayer) connects back to it; the encryption Key stays on the BIG-IP)
• Automatically discover public cloud-hosted apps
• Securely integrates the Interconnect / DC to public clouds
• Simplifies deploying interconnect app services
• Consistent policies and configs across clouds
• Reduce footprint by obfuscation / key mgmt.
Encryption keys are stored centrally (not in the cloud instances).
Reduced attack surface: no visible public IP addressing.
Workload nodes can be auto-discovered in AWS by the proxy instance; manual integration is available for all clouds.
• Independent of network configuration: deals gracefully with overlapping IP space
• Allows sensitive encryption keys to be stored outside the cloud environment: the BIG-IP can be left with "serverssl none" towards the node, because traffic is carried inside the AC tunnel and stays protected until it gets into the cloud environment. Note the boundary this implies: once the AC Proxy hands a request to the workload node, that last hop inside the cloud network is plaintext unless the node terminates TLS itself.
• Hides the original environment entirely from clients: does not require mapping to public IPs in the CSP, which significantly reduces the potential attack surface
• Keeps the BIG-IP configuration automatically notified of changes within the environment
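The points above (proxy dials out, workload keeps no public IP, policy applied once at the BIG-IP side before anything crosses the tunnel) are easier to see in a small working model. The following is an added example written for this page, not F5's Application Connector code: the length-prefixed framing, the three roles, the "403" reply and the blocked-pattern rule are all invented for the demo, and everything runs on loopback ports in one process.

```python
"""Toy model of the Application Connector pattern: the cloud-side proxy
dials OUT to the service center, so the workload needs no public IP or
inbound rule, and a constructed request filter (standing in for ASM/APM
policy) runs centrally before anything crosses the tunnel.
Added example, not F5 code; framing and policy rule are invented."""

import socket
import struct
import threading

# Constructed stand-in for a central WAF/access policy (hypothetical rule).
BLOCKED_PATTERNS = (b"' OR 1=1", b"<script")


def recv_exact(sock, n):
    """Read exactly n bytes, raising if the peer closes early."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf.extend(chunk)
    return bytes(buf)


def send_frame(sock, payload):
    """Length-prefixed framing so one tunnel carries discrete requests."""
    sock.sendall(struct.pack("!I", len(payload)) + payload)


def recv_frame(sock):
    (n,) = struct.unpack("!I", recv_exact(sock, 4))
    return recv_exact(sock, n)


def listener():
    """Listening socket on an ephemeral loopback port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    return s


def policy_allows(req):
    return not any(p in req for p in BLOCKED_PATTERNS)


def workload_server(srv, n_requests):
    """Private workload node: only the AC proxy ever connects to it."""
    for _ in range(n_requests):
        conn, _ = srv.accept()
        with conn:
            send_frame(conn, b"workload saw: " + recv_frame(conn))


def ac_proxy(center_addr, workload_addr, n_requests):
    """Cloud-side connector: one OUTBOUND tunnel to the service center,
    then relay each request to the workload and the reply back."""
    with socket.create_connection(center_addr) as tunnel:
        for _ in range(n_requests):
            req = recv_frame(tunnel)
            with socket.create_connection(workload_addr) as w:
                send_frame(w, req)
                send_frame(tunnel, recv_frame(w))


def service_center(client_srv, tunnel, n_requests):
    """BIG-IP-side role: terminate the client, apply policy, forward only
    allowed requests over the already-established tunnel."""
    for _ in range(n_requests):
        conn, _ = client_srv.accept()
        with conn:
            req = recv_frame(conn)
            if not policy_allows(req):
                send_frame(conn, b"403 blocked by central policy")
                continue
            send_frame(tunnel, req)
            send_frame(conn, recv_frame(tunnel))


def client_request(center_addr, req):
    with socket.create_connection(center_addr) as c:
        send_frame(c, req)
        return recv_frame(c)


def demo(requests=(b"GET /orders", b"GET /orders?id=1' OR 1=1")):
    """Run all roles in one process; return the reply each client saw."""
    workload_srv, tunnel_srv, client_srv = listener(), listener(), listener()
    n_allowed = sum(policy_allows(r) for r in requests)
    workers = [
        threading.Thread(target=workload_server, args=(workload_srv, n_allowed)),
        threading.Thread(target=ac_proxy, args=(tunnel_srv.getsockname(),
                                                 workload_srv.getsockname(), n_allowed)),
    ]
    for t in workers:
        t.start()
    tunnel, _ = tunnel_srv.accept()  # the proxy dialled in to us
    center = threading.Thread(target=service_center,
                              args=(client_srv, tunnel, len(requests)))
    center.start()
    replies = [client_request(client_srv.getsockname(), r) for r in requests]
    for t in workers + [center]:
        t.join()
    for s in (workload_srv, tunnel_srv, client_srv, tunnel):
        s.close()
    return replies


if __name__ == "__main__":
    for r in demo():
        print(r.decode())
```

Two properties of the slide's design fall out directly: the workload's listener is never given to a client (only the proxy knows its address, so overlapping private IP space in different clouds is harmless), and the blocked request never reaches the tunnel at all, which is what "policies managed in one location" buys you operationally. Whatever the proxy speaks to the workload on the last hop is outside the tunnel's protection, as noted above.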
F5 Application Connector: Four Use Case Examples
• Protect Your Cloud Apps from Attack (Maximize Your Protection Investments): lift and shift apps with confidence without sacrificing security configurations; leverage app protection and extend it to public cloud workloads; lower your attack surface, with no public IP addresses in the cloud.
• Control Cloud Access (Consolidate and Automate Access Control): insert public cloud access control at the cloud interconnect; enable SSO with OAuth and SAML insertion across clouds; all policies managed in one location for all apps.
• Improve Public Cloud Encryption (Simplify and Centralize SSL): manage public cloud app encryption at the cloud interconnect; avoids cloud provider lock-in and preserves your control; reduce footprint by obfuscation / key mgmt.
• Auto-Discover Public Cloud Workloads (Reduce App Sprawl): auto-search public clouds to reveal app deployments; securely connect to BIG-IP and enable app services insertion; deliver approved app services to multiple public clouds.
(diagram: a Public Cloud VPC with Security Services (IPS, IDS, DLP) and BIG-IP Access Control (AC, APM, LTM))
All Your Access Policies Managed In One Location for All Public Cloud Apps
(diagram: Users reach apps in Public Cloud VPCs through ACs and the BIG-IP at the Interconnect Provider or Data Center)
Problem:
• App sprawl and decentralized access
• Admin fatigue on policy for cloud and SaaS apps
• User password fatigue across multi-cloud apps
• Need for uniform cloud access control services
Example (steps for every app):
• Deploying multi-cloud and SaaS apps
• Select app and access configs for each app
• Decentralized app and access changes
• Separate app sign-in for IT and users across apps
Solution:
• Application Connector in the Public Cloud and on BIG-IP, leveraging existing infrastructure at the Interconnect
• Enable SSO with OAuth and SAML assertion for all public cloud and SaaS apps
Benefits:
• Consolidate access control policies in one solution
• Easily make policy changes across app deployments
• Access control continuity when migrating apps
Example apps:
• Salesforce
• Office 365
• Concur
• Google Docs
Deployment Topologies
• 1NIC VE Deployment [AWS, Azure, Google, OpenStack]
• 2NIC VE Deployment [AWS, Azure, Google, OpenStack]
• 3NIC VE Deployment [AWS, Azure, Google]
• n-NIC VE Deployment [Azure, OpenStack]
• HA (Active/Active) [AWS, Azure]
• HA (Active/Standby) [Azure, OpenStack]
Application Security
• Auto Scale Cloud WAF [AWS, Azure]
Advanced Traffic Management
• Auto Scale Cloud LTM [AWS, Azure]
• VE is available from AWS Marketplace in Good, Better & Best bundles, as well as more specific integrated solutions.
• Supports all core BIG-IP modules including LTM, DNS, ASM, AFM & APM, as well as BIG-IQ
• Throughput options for BIG-IP VEs include: BYOL: 25Mbps, 200Mbps, 1Gbps, 5Gbps & 10Gbps; PAYG: 25Mbps, 200Mbps, 1Gbps & 5Gbps
• Supports multi-NIC configuration & configuration sync
• Deployable with CloudFormation Templates from GitHub
• The following integrated marketplace solutions are available using CFTs: Auto Scale WAF; Auto Scale LTM (Coming Soon!); HA Pair (Coming Soon!)
Auto Scale WAF deployment on AWS: for consistent application protection regardless of traffic volume or CPU utilization
Launches a PAYG BIG-IP VE instance with LTM and ASM provisioned for intelligent traffic management and application security. As traffic or vCPU consumption fluctuates, identical instances are automatically spun up or down to provide the optimal solution for processing application traffic.
• The BIG-IP instances operate with 1 network interface, so management and data-plane traffic share an address; restrict the management ports in the security group.
• Scale-up and scale-down events are based on a pre-defined % of traffic or vCPU thresholds, typically 80% for scale up and 20% for scale down.
• AWS resources required include: S3 bucket, IAM role, CloudWatch, Auto Scaling group and SNS topic.
• Available with PAYG instances, or with BYOL licenses when used in conjunction with BIG-IQ License Manager (free).
• Pre-requisites to this template can be found here
Link to GitHub
Manual deployment ~ 7+ hours; templated deployment ~ 40 mins*
* Derived from Gartner G00301285 (March 24th 2016)
• VE is available from Azure Marketplace in Good, Better & Best bundles, as well as more specific integrated solutions.
• Supports all core BIG-IP modules including LTM, DNS, ASM, AFM & APM
• Throughput and licensing options for BIG-IP VEs include: BYOL: 25Mbps, 200Mbps, 1Gbps & 3Gbps; PAYG: 25Mbps, 200Mbps & 1Gbps
• Supports multi-NIC configuration & configuration sync
• Deployable with Azure Resource Manager Templates from GitHub
• The following integrated marketplace solutions are available using ARM templates: WAF for inside ASC (BYOL); WAF for outside ASC (BYOL & PAYG); O365 Federated Access for Office 365 apps (BYOL & PAYG)
Auto Scale WAF Deployment in Azure: for deploying an optimized application availability solution
Link to GitHub
Deploys BIG-IP with LTM/ASM provisioned in an Auto Scaling group, to consistently provide intelligent traffic management services to applications under varying traffic loads or vCPU strain. As traffic or vCPU utilization increases or decreases and crosses pre-defined thresholds, BIG-IP LTM instances are spun up or spun down accordingly.
• This solution is deployed into a new networking stack which is created along with the solution.
• The BIG-IP VE instance operates with 1 network interface, used for both management and data-plane traffic.
• Requires use of an Azure Load Balancer (ALB)
• Multiple email addresses can be added to the templates to receive notifications when scaling events occur
• Scaling events are based on either traffic throughput or vCPU consumption
• Available with PAYG instances, or with BYOL licenses when used in conjunction with BIG-IQ License Manager (free).
Pre-requisites to this template can be found here
Manual deployment ~ 6+ hours; templated deployment ~ 40 mins*
* Derived from Gartner G00301285 (March 24th 2016)
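Both the AWS and the Azure Auto Scale WAF descriptions above reduce to the same rule: scale out when traffic or vCPU crosses about 80%, scale in when it drops to about 20%. The thing the slides do not show is why that rule needs hysteresis and an evaluation window, otherwise one burst adds a BIG-IP that the next quiet sample removes again. The following added example models that decision loop; it is not the templates' own code. The metric samples are constructed, the three-sample window is an assumption standing in for the alarm's evaluation periods, and the instance limits are illustrative.

```python
"""Toy model of the scale-out / scale-in rule behind the Auto Scale WAF
templates on AWS and Azure: add an instance when traffic or vCPU stays
at or above 80% for several consecutive samples, remove one when both
stay at or below 20%, and never leave the [min, max] instance range.
Added example, not the templates' code; samples are constructed and the
three-sample window is an assumed stand-in for alarm evaluation periods."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    throughput_pct: float  # % of licensed throughput in use
    vcpu_pct: float        # % vCPU utilisation


def evaluate(samples, current, min_n=1, max_n=4, up=80.0, down=20.0, periods=3):
    """Walk a metric history and return the desired instance count after
    each sample.  Scale-out needs `periods` consecutive samples with either
    metric >= `up`; scale-in needs `periods` consecutive samples with both
    metrics <= `down`.  Any action resets both counters, a crude cooldown
    that keeps a single spike or dip from oscillating the group."""
    n, hot, cold, history = current, 0, 0, []
    for s in samples:
        peak = max(s.throughput_pct, s.vcpu_pct)
        hot = hot + 1 if peak >= up else 0     # consecutive "busy" samples
        cold = cold + 1 if peak <= down else 0  # consecutive "idle" samples
        if hot >= periods and n < max_n:
            n, hot, cold = n + 1, 0, 0
        elif cold >= periods and n > min_n:
            n, hot, cold = n - 1, 0, 0
        history.append(n)
    return history


# Constructed history: a two-sample spike (1-2) that must NOT scale out,
# a sustained surge (4-6) that should, then a lull (7-10) that scales back
# in and is then held at min_n.
SAMPLES = [
    Sample(85, 40), Sample(90, 50), Sample(30, 10),
    Sample(85, 60), Sample(95, 70), Sample(88, 65),
    Sample(15, 10), Sample(10, 5), Sample(12, 8), Sample(12, 8),
]

if __name__ == "__main__":
    for s, n in zip(SAMPLES, evaluate(SAMPLES, current=1)):
        print(f"throughput={s.throughput_pct:5.1f}%  vcpu={s.vcpu_pct:5.1f}%  -> instances={n}")
```

Two details matter when you map this onto the real templates: the scale-in condition uses the maximum of both metrics, so a box that is idle on CPU but still pushing traffic is not removed; and the counters reset after every action, which is the minimal form of the cooldown you would otherwise configure on the scaling policy itself.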
• VE is available from Google Cloud Launcher in Good, Better & Best bundles
• Supports all core BIG-IP modules including LTM, DNS, ASM, AFM & APM
• Throughput and licensing options include: BYOL: 25Mbps, 200Mbps, 1Gbps & 5Gbps
• Operates behind a Google Load Balancer for address translation
• Supports single-NIC configuration & configuration sync
• Deployable with Google Deployment Templates from GitHub
3-NIC BIG-IP VE Deployment in Google: for deploying single, standalone BIG-IP device(s) with three network interfaces
Link to GitHub
Deploys a standalone BIG-IP VE in a Google VPC, where traffic automatically flows via the VE to the application servers. The BIG-IP VE instance operates with 3 network interfaces and is most similar to an on-premises deployment, with one interface for management, one for front-end application traffic and one for back-end application traffic.
• Multi-NIC configurations are necessary when deploying multiple applications on different IP addresses, or for multi-tenant configurations.
• BYOL and PAYG templates available
Pre-requisites to this template can be found here
Manual deployment ~ 3+ hours; templated deployment ~ 40 mins
(diagram: Google Cloud VPC with Client, BIG-IP VE instances and App)
Enabling IT and DevOps Productivity
Challenges
• Scale deployment of app services
• Agile app deployment
• Enable service catalogs
Programmatic interfaces and tools
• iRule traffic manipulation
• Cloud Solution Templates for AWS, Azure & Google
• iControl API for 3rd-party integration
• iApp self-service deployment template
Key Benefits
• Integration with DevOps and automation toolchains (Chef, Ansible, Puppet)
• Automated end-to-end deployments reduce human errors
• Self-service portals