4/4/2018 F5 Government Symposium 2018 AWS and F5 Deep Dive

Size: px

Start display at page:

Download "4/4/2018 F5 Government Symposium 2018 AWS and F5 Deep Dive"

Hollie Singleton
5 years ago
Views:

1 4/4/2018 F5 Government Symposium 2018 AWS and F5 Deep Dive Ryan Johnson Federal System Engineer

PRO Private Cloud Pros and Cons Strong Security (sensitive data, keys) Full Control (policies & compliance) Easily Customizable Public Cloud Pros and Cons Time to Market Low initial costs (Pay per

3 PRO Private Cloud Pros and Cons Strong Security (sensitive data, keys) Full Control (policies & compliance) Easily Customizable Public Cloud Pros and Cons Time to Market Low initial costs (Pay per use) Flexible & unlimited capacity growth CON Cost / upfront investment Under-utilization Capacity Ceiling Security: private keys, policies, sensitive data Storage: cost, data to/from the cloud Cloud lock-in: policies, data transfer cost Performance: Higher latency PRIVATE CLOUD On premises HYBRID CLOUD User PUBLIC CLOUD Off premises

4 ADC & Security AWS Tools ADC & Security Private Cloud Public Internet Application Data Application Data ADC & Security Application Azure Tools Data How about migrating/scaling or adding new apps to a public cloud provider to get the benefits of public cloud : cost, time to market and scale?

5 PROS CONS ADC & Security AWS Tools Private Cloud Public Internet Application Data ADC & Security Application Data Migrate/Scale out Orange App to AWS ADC & Security Application Azure Tools New Green App to Azure Data Time to Market Low initial costs (Pay per use) Flexible & unlimited capacity growth Security: private keys, policy, sensitive data Storage: cost, data to/from the cloud Cloud lock-in: policy, data transfer cost Performance: Higher latency

6 PROS CONS App Connector AC ADC & Security Private Cloud Public Internet Secure Reverse Tunnel Application Data Application Data Colo Facility ADC & Security App Connector AC Private Interconnect Application Storage Public Cloud XChange Application Data Extend your Private Cloud into Colo Facility Sensitive data securely stored in Colo Colo brings app closer to end users Moving data in/out colo at low cost Low latency towards all public cloud providers Security: sensitive data Storage: cost, data to/from the cloud Cloud lock-in: data transfer cost Performance: Higher latency

7 App Connector AC ADC & Security Private Cloud Public Internet Secure Reverse Tunnel Application Data Application Data Colo Facility ADC & Security App Connector AC Private Interconnect Application Storage Public Cloud XChange Application Data Extend your Private Cloud into Colo Facility

9 Multi-Cloud Challenges Operational Agility Manual IT processes impede developer s agility needs Feature gaps in cloud native services result in longer time to value Basic native services tied to each cloud provider infrastructure Insufficient/basic security services make apps more vulnerable to attacks Inconsistent security services increase compliance gaps and audit risks No centralized method to manage policy and enforce compliance Poor cross-environment visibility/analytics Lack of standardized and common set of app services result in complexity and costs Disparate platforms and toolsets exacerbate IT skillset gaps and lead to cloud lock-in Higher costs and inability to scale with multiple different app services to deploy and maintain

10 Making Your Cloud Apps Go Smarter, Faster, Safer Simple Operations Reduce complexity across multiple clouds Scale deployments with increased agility Reduced risk Consistent Policy maintain compliance and control Service abstraction Cloud independence with portable multi-cloud app services Integration with application ecosystem Turnkey solutions validated and tested in multiple clouds Library of automation and DevOps toolsets Enable NetOps with SuperNetOps training Consistent security policies Simplified policy deployment and compliance Advanced app protection Centralized visibility for control F5 transforms app services delivering consistency and security to Multi-Cloud deployments

11 Cloud Solution Templates for Multi-Cloud Quickly deploy common F5 services for your applications in the infrastructure of your choice in one-click supported by F5 Available on GitHub And cloud provider product pages

Cloud Solution Templates by Platform https://github.

3- Receive licensing Existing Prod stack, no public IPs Autoscale: SvcDisc Support Autoscale: Cloud WAF and v13 Autoscale: Master Election Autoscale: BYOL

MultiNIC support HA, WAF HA across AVset HA across AVset + 2 TGs (no ALB) WAF ASC, Tier 2 Service Discovery All templates BIG-IQ: 5.2, 5.

12 Cloud Solution Templates by Platform 1, 2, 3 NIC HA BYOL & Hourly HA across AZ Cloud WAF in MP Cloud LTM Service Discovery 1, 2, 3 NIC, HA BIG-IQ: 5.2, 5.3- Receive licensing Existing Prod stack, no public IPs Autoscale: SvcDisc Support Autoscale: Cloud WAF and v13 Autoscale: Master Election Autoscale: BYOL (BIG-IQ) Autoscale: on vcpu Marketplace: LTM, WAF, HA across Azs Marketplace: Autoscale update GovCloud Template Support 1, 2, 3 NIC, HA BYOL & Hourly MultiNIC support HA, WAF HA across AVset HA across AVset + 2 TGs (no ALB) WAF ASC, Tier 2 Service Discovery All templates BIG-IQ: 5.2, 5.3- Receive licensing Deploy into existing VNET: HA, Cloud LTM, Cloud WAF V13 WAF support Autoscale: Master Election Autoscale BYOL (BIG-IQ) Marketplace: LTM, WAF, ASC Marketplace: O365 SSO Solution 1/2/3 NIC BYOL Templates 1/2/3 NIC Utility Templates Hourly billing now available in Google Launcher Service Discovery

13 Simplified Cloud Deployments Solution Templates for the EZ Button ERA Tested & Validated Simple & Automated Consistency Across Clouds VE Deployments in minutes Familiar tool sets Cloud Security Consistency

Globally Deployed + Gov Cloud and C2S BYOL or PAYG 15 supported Cloud Solution Templates Top 5 ISV with 2+ Competencies In GovCloud and C2S Marketplaces Enterprise Contracts Partner Deep Technical

15 Globally Deployed + Gov Cloud and C2S BYOL or PAYG 15 supported Cloud Solution Templates Top 5 ISV with 2+ Competencies In GovCloud and C2S Marketplaces Enterprise Contracts Partner Deep Technical Alignment Partner Programs in Marketplace PAYGO includes F5 support Refer Resale Private Offer 19 Products Listings on F5 Product Size Option BIG-IP Good 25MB, 200MB, 1GB, 5GB PAYGO or BYOL BIG-IP Better 25MB, 200MB, 1GB, 5GB PAYGO or BYOL BIG-IP Best 25MB, 200MB, 1GB, 5GB PAYGO or BYOL BIG-IP Good 3GB, 10GB BYOL only BIG-IP Better 3GB, 10GB BYOL only BIG-IP Best 3GB, 10GB BYOL only BIG-IQ B BYOL only * - caveat any gotcha s for GovCloud

16 (Procurement Process and can be used by BIG-IQ Lic Manager) (One-time purchase)

18 Feature F5 BIGIP LTM VE Amazon ELB Local Load Balancing X X Application Acceleration X SSL and Compression Offload X X Content Caching X Scripted Traffic Handling X Ipv6 Support X X Global Load Balancing X 1 Bandwidth Management X Transaction Rate Shaping X 1 Service Level Monitoring X Application Integration X Application Access Control X 1 L3/L4 Firewall X 1 Community Support Devcentral.f5.com forum 1 Add-on functionality

19 In a Nutshell: Why ELB? Auto scaling of servers Dynamic scaling load balancer itself Cookie persistency HTTP monitor with 200OK Cheap DevOPs do not have to login to my console Good enough Load balancer

20 Why not F5 in AWS? Customer responses: Feature Rich but complicated Expensive No Auto scaling of Servers No Auto scaling of BIG-IP Challenge Accepted

22 How AWS Charges With ELB ELB instance + ELB Traffic + EC2 traffic + EC2 compute Without ELB EC2 traffic + EC2 compute

23 ELB pricing Price per instance + traffic cost $0.025/hour $0.008/GByte $219/year Is variable cost a problem for federal agencies?

24 Cost comparison: ELB vs LTM single instance AWS makes it s money with charging for Traffic. If you don t use ELB for your Service it s cheap but why use it? $35, $30, $25, $20, $15, $10, LTM/year ELB/yr Breakeven traffic: ~ 140Mbps with 200Mbps license ~300Mbps with 1Gig license $5, $0.00

27 BIG-IP #1 us-east-1a Availability Zone instances us-east-1 Region (N. VA)

28 BIG-IP #1 BIG-IP #2 us-east-1a Availability Zone instances us-east-1 Region (N. VA)

29 LTM LTM DNS instances us-gov-east-1a Availability Zone LTM LTM DNS instances us-gov-east-1b Availability Zone us-gov-east-1 Region

VPC = 10.0.0.0/16 AZ1 Mgmt Vlan = 10.0.0.0/24 AZ1 External Vlan = 10.0.1.0/24 AZ1 Internal Vlan = 10.0.2.0/24 AZ2 Mgmt Vlan = 10.0.10.0/24 AZ2 External Vlan = 10.0.11.0/24 AZ2 Internal Vlan = 10.0.12.

30 VPC = /16 AZ1 Mgmt Vlan = /24 AZ1 External Vlan = /24 AZ1 Internal Vlan = /24 AZ2 Mgmt Vlan = /24 AZ2 External Vlan = /24 AZ2 Internal Vlan = /24 DNS LB/GSLB EIP for Virtual in AZ 1 = EIP for Virtual in AZ 2 = Availability Zone 1 Availability Zone 2 AZ1 Default Gateway = AZ2 Default Gateway = Sync-Failover Group Sync-Failover Group VIP = (tg = traffic-group-1) VIP = (tg = traffic-group-1)

31 LTM: Active Elastic IP address instances Elastic IP moves on failover us-gov-east-1a Availability Zone LTM: Standby instances us-gov-east-1b Availability Zone us-gov-east-1 Region

32 VPC = /16 AZ1 Mgmt Vlan = /24 AZ1 External Vlan = /24 AZ1 Internal Vlan = /24 AZ1 Pool Vlan = /24 AZ2 Mgmt Vlan = /24 AZ2 External Vlan = /24 AZ2 Internal Vlan = /24 AZ2 Pool Vlan = /24 NOTE: Pool s members can span AZs: Ex. VIP & VIP Are the same service and both use: my_pool: AZ1 Default Gateway = Sync-Failover Group Availability Zone 1 EIP (VIP1) = Availability Zone 2 VIP = (traffic-group-none) Self IP = AZ1 Mgmt IP = HA Across AZs Traffic Group = traffic-group-1 Dictates Active AZ2 Default Gateway = VIP = (traffic-group-none) Self IP = AZ2 Mgmt IP = Self IP = Self IP =

35 HSM Active HSM Standby instances us-gov-east-1a Availability Zone HSM Active HSM Standby instances us-gov-east-1b Availability Zone us-gov-east-1 Region

36 F5 BIG-IP v-F Active AWS Direct Connect Active instances us-gov-east-1a Availability Zone Active Active instances us-gov-east-1b Availability Zone us-gov-east-1 Region

38 Shared Responsibility Model Cloud vendors leave layer 4-7 services to the cloud customer Your Customer s Responsibility Cloud Vendor Responsibility Amazon Web Services Microsoft Azure Google Cloud Platform Data Applications Runtime Middleware Operating System Virtualization Physical Servers Storage Networking Functions Public Cloud Infrastructure (IaaS/PaaS/SaaS) Local Traffic Management Global Traffic Management Web Application Firewall Access & Identity Federation Network Firewall

39 Bolster your Existing AWS WAF F5 s Three Managed Rulesets Prevent Leading Attack Mechanisms Ruleset 1: Web Exploits OWASP Top 10 Protects against web exploits that are a part of the OWASP Top 10 including: Including: SQLi, XSS, command injection, No-SQLi injection, path traversal, and predictable resource Ruleset 2: Common Vulnerabilities & Exposures (CVE) Provides high profile protection for CVE s for major systems including: Apache, Apache Struts, Bash, Elasticsearch, IIS, JBoss, JSP, Java, Joomla, MySQL, Node.js, PHP, PHPMyAdmin, Perl, Ruby On Rails, and WordPress Ruleset 3: Bot Protection Protect against automated attacks - Bot Protections Rules stop a broad range of malicious bots including: Vulnerability scanners, web scrapers, DDoS tools, and forum spam tools. 40

40 Enhance Your AWS Security Posture F5 s Managed Rules for AWS WAF

41 AWS WAF & F5 Managed Rules is Good... But F5 s Dedicated Web Application Firewall is Better! AWS WAF Basic WAF protection : Limited protection against OWASP 10 Simplified deployment native service AWS WAF + F5 Managed Rules Basic WAF protection : Enhanced protection against OWASP 10 web exploits, Bots or CVE s Simplified deployment native service F5 Web Application Firewall Comprehensive, complete WAF : L7 DoS mitigation Proactive bot defense Complete OWASP 10 protection Automated policy learning Context-aware risk management Virtual patching Advanced compliance & many more features Simplified deployment from the AWS MP with F5 CloudFormation Templates Hourly Licensing Hourly Licensing Hourly, Subscription, ELA and Perpetual Licensing

43 GitHub and Cloud Product Pages

Save costs by ondemand scalability of F5 app services Availability Zone 1 Availability Zone 2 Availability Zone 3 Capacity on-demand Public subnet Public subnet Public subnet Autoscale

44 Save costs by ondemand scalability of F5 app services Availability Zone 1 Availability Zone 2 Availability Zone 3 Capacity on-demand Public subnet Public subnet Public subnet Autoscale BIG-IPs and Poolmembers Integrates with AWS Autoscale and CloudWatch BYOL BIG-IP Hourly BIG-IP BIG-IP EC2 Autoscale Group Hourly BIG-IP Leverages Cloud-init App subnet BYOL and/or Hourly

45 BIG-IP Auto Scaling group

46 BIG-IP BIG-IP BIG-IP Auto Scaling group

47 LTM: Active LTM: Active Auto Scaling group instances us-gov-east-1a Availability Zone LTM: Active LTM: Active instances us-gov-east-1b Availability Zone us-gov-east-1 Region

50 Securing and automating app delivery in public cloud App Connector AC ADC & Security Private Cloud Private keys Public Internet Application Data Application Data Secure Reverse Tunnel App Connector AC Application Data Application Connector F5 Solution for Private Public Cloud inter-connect Secure reverse tunnel between Private Public cloud (SSL keys on BIG-IP in Private Cloud/DC) Public cloud resources auto-discovered and managed by BIG-IP in Private Cloud/DC

51 PROS CONS App Connector AC ADC & Security Private Cloud Private keys Public Internet Application Data Application Data Secure Reverse Tunnel App Connector AC Application Data Private keys stored in Private Cloud App front-end via BIG-IP in Private Cloud Auto-discovery of Public Cloud resources All resources managed from Private Cloud Security: private keys, sensitive data Storage: cost, data to/from the cloud Cloud lock-in: data transfer cost Performance: Higher latency

SaaS. Public Cloud. Co-located SaaS Containers. Cloud

SaaS. Public Cloud. Co-located SaaS Containers. Cloud SaaS On-prem Private Cloud Public Cloud Co-located SaaS Containers APP SERVICES ACCESS TLS/SSL DNS NETWORK WAF LOAD BALANCING DNS ACCESS CONTROL SECURITY POLICIES F5 Beside the Cloud Why Get Closer to