Slide diagram: deployment environments (SaaS, On-prem, Private Cloud, Public Cloud, Co-located, Containers) and the app services layered over them (App Services, Access, TLS/SSL, DNS, Network; WAF, Load Balancing, DNS, Access Control, Security Policies).
F5 Beside the Cloud
Why Get Closer to the Cloud?
Diagram: Enterprise Users and Enterprise Apps at the Enterprise Location, with the Public Cloud at a distance ("There's this distance between us"). That distance shows up in two ways: Latency (a performance problem) and Connectivity (a security problem).
F5 Networks, Inc 9
Existing Solutions
Diagram: enterprise reaching the cloud over either a dedicated connection or a VPN.

Connection type: Dedicated connection
  Examples: AWS Direct Connect, Azure ExpressRoute, Google Cloud Interconnect, Oracle FastConnect
  Advantages: Private, fast(er)
  Disadvantages: Cost: pay for the line and for usage; multiple clouds need multiple connections

Connection type: VPN connection
  Examples: AWS Virtual Private Gateway, Azure Virtual Network Gateway
  Advantages: Cheap
  Disadvantages: Uses the Internet: latency, reliability, privacy, and congestion may be issues
Interconnection
Diagram: a dedicated connection from the enterprise to an interconnection point, which connects onward to multiple clouds.
- Cloud Ready: Modernize connectivity to multiple clouds at the edge of the network
- User Experience: Shorten the distance and lower the latency between users and cloud apps
- Private/Secure: Directly connect users, data and clouds, bypassing the public internet
- Lower Cost: Economical, less-complex connectivity compared to old network topologies
Interconnection (continued)
Diagram: the same dedicated connection to the interconnection point, with F5 services inserted there: Identity Federation, WAF, DDoS, SSLi (SSL intercept).
Use Case Scenarios
- Identity Federation: Mitigate risk by providing dynamic, centralized and adaptive access control and cloud federation for all applications anywhere.
- WAF: Protect your apps, and the data behind them, from evasive, targeted attacks with an industry-leading WAF offering the highest level of security without impacting performance.
- DDoS: Protect your data with a high-value, easy to deploy and manage next-generation DDoS solution that guards against the most aggressive and targeted DDoS attacks.
- SSLi: Gain critical visibility and deeper intelligence into the traffic on your network and in the cloud that many traditional defenses leave exposed.
Control Public Cloud Apps Better and Avoid Cloud Vendor Lock-in
Challenges:
- Lack of control over applications and devices
- Lack of operational flexibility and risk of cloud provider lock-in
- Gap in IT resource skillsets in public cloud
Recommended app delivery services:
- Advanced local/global traffic management
- SSL offload and intercept
- App security: DDoS, WAF and IAM
- Available via BYOL with VE, and on hardware appliances with GBB (Good/Better/Best) licensing models
Key Benefits:
- Maintain a central point of control and visibility
- Enable flexibility and portability among clouds
- Reduce security risks with consistent policies
- Achieve user performance expectations
2017 F5 Networks 25
Only consistent services insertion across cloud providers
Diagram: Users reach the Interconnect Provider, where a BIG-IP platform provides the app delivery services (SSL, Access, and App Security Services: APM, LTM, ASM); an F5 Application Connector (AC) in each public cloud links the cloud-hosted apps back to it. An Attacker is shown at the public cloud edge.
F5 Application Connector (AC):
- Automatically discovers public cloud-hosted apps in AWS
- Securely integrates all public clouds to the Interconnect or the DC
- Simplifies deploying app delivery and security services
- Consistent policies and configs across public clouds
- Reduces footprint by obfuscation / key management
Key Benefits:
- Migrate with confidence
- Preserves app services control
- Enables cloud freedom, avoiding lock-in
- Visibility across all apps
Consistent App Services Across Clouds
Diagram: BIG-IP at the Interconnect Provider, with an AC in each cloud.
- Availability: Achieve reliable and optimized applications. Extensible and flexible application services with programmability to manage physical, virtual, and cloud.
- SSL: Gain critical visibility and deeper intelligence into the traffic on your network and in the cloud that many traditional defenses leave exposed.
- DDoS: Protect your networks with a high-value, easy to deploy and manage DDoS solution that guards against aggressive and targeted attacks.
- WAF: Protect your apps, and the data behind them, from evasive, targeted attacks with an industry-leading WAF offering the highest level of security.
- Identity Federation: Mitigate risk by providing dynamic, centralized and adaptive access control and cloud federation for all applications anywhere.
Application Connector Service Center on BIG-IP (delivered as an iAppsLX package):
- Application Service Management
- Real-time Logging and Statistics
- Multi-Path Workload Discovery
- Health Monitoring
- Active/Standby HA Support
- Touchless Recoverability
- Service API
Application Connector Proxy in the Cloud (delivered as a Docker container):
- Secure TLS (ECC encryption)
- AWS Workload Auto Discovery
- Manual Workload Definition and State Management
- Touchless Recoverability
- Service API
Cloud Interconnect
Diagram: End Users reach the Interconnect Provider, where the AC Service Center runs on BIG-IP; the AC Proxy runs in the Public Cloud.
- Automatically discover public cloud-hosted apps
- Securely integrates the Interconnect / DC to public clouds
- Simplifies deploying interconnect app services
- Consistent policies and configs across clouds
- Reduce footprint by obfuscation / key management
- Only consistent services insertion across cloud providers
Application Connector design points:
- Independent of network configuration: deals gracefully with overlapping IP space between the cloud environment and the data center.
- Allows sensitive encryption keys to be stored outside the cloud environment: the BIG-IP virtual server can be left with no server-side SSL profile (serverssl none) toward the node, because the AC tunnel protects the traffic until it gets into the cloud environment; the keys for client-facing TLS never leave the BIG-IP.
- Hides the original environment entirely from clients: does not require mapping to public IPs in the CSP, which significantly reduces the potential attack surface.
- Keeps the BIG-IP configuration automatically notified of changes within the environment.
Diagram: Users connect to a BIG-IP that fronts Amazon AWS, Azure, IBM SoftLayer and Rackspace through an AC in each cloud. Key: reduced attack surface (no visible public IP addressing); encryption keys stored centrally (not in the cloud instances).
Workload nodes can be auto-discovered in AWS by the proxy instance; integration is manual for all other clouds.
F5 Application Connector: Four Use Case Examples
1. Simplify and Centralize SSL (Improve Public Cloud Encryption)
   - Manage public cloud app encryption at the cloud interconnect
   - Avoids cloud provider lock-in and preserves your control
   - Reduce footprint by obfuscation / key management
2. Reduce App Sprawl (Auto-Discover Public Cloud Workloads)
   - Auto-search public clouds to reveal app deployments
   - Securely connect to BIG-IP and enable app services insertion
   - Deliver approved app services to multiple public clouds
3. Protect Your Cloud Apps from Attack (Maximize Your Protection Investments)
   - Lift and shift apps with confidence without sacrificing security configurations
   - Leverage app protection and extend it to public cloud workloads
   - Lower your attack surface: no public IP addresses in the cloud
4. Control Cloud Access (Consolidate and Automate Access Control)
   - Insert public cloud access control at the cloud interconnect
   - Enable SSO with OAuth and SAML insertion across clouds
   - All policies managed in one location for all apps
Consolidate and Automate Access Control
Diagram: Users reach the Interconnect Provider or Data Center (BIG-IP with LTM, APM and AC, plus security services: access control, IPS, IDS, DLP), which connects to a VPC in each public cloud through an AC. All your access policies are managed in one location for all public cloud apps.
Problem:
- App sprawl and decentralized access
- Admin fatigue maintaining policy for cloud and SaaS apps
- User password fatigue across multi-cloud apps
- Need for uniform cloud access control services
Example (steps repeated for every app):
- Deploying multi-cloud and SaaS apps
- Select app and access configs for each app
- Decentralized app and access changes
- Separate app sign-in for IT and users across apps
Solution: Application Connector in the public cloud and on BIG-IP, leveraging the existing infrastructure at the Interconnect. Enable SSO with OAuth and SAML assertion for all public cloud and SaaS apps.
Benefits:
- Consolidate access control policies in one solution
- Easily make policy changes across app deployments
- Access control continuity when migrating apps
Example apps: Salesforce, Office 365, Concur, Google Docs
Application Security: Auto Scale Cloud WAF [AWS, Azure]
Advanced Traffic Management: Auto Scale Cloud LTM [AWS, Azure]
Deployment Topologies:
- 1-NIC VE Deployment [AWS, Azure, Google, OpenStack]
- 2-NIC VE Deployment [AWS, Azure, Google, OpenStack]
- 3-NIC VE Deployment [AWS, Azure, Google]
- n-NIC VE Deployment [Azure, OpenStack]
- HA (Active/Active) [AWS, Azure]
- HA (Active/Standby) [Azure, OpenStack]
BIG-IP VE on AWS
- VE is available from AWS Marketplace in Good, Better & Best bundles, as well as more specific integrated solutions.
- Supports all core BIG-IP modules including LTM, DNS, ASM, AFM & APM, as well as BIG-IQ.
- Throughput options for BIG-IP VEs include: BYOL: 25 Mbps, 200 Mbps, 1 Gbps, 5 Gbps & 10 Gbps; PAYG: 25 Mbps, 200 Mbps, 1 Gbps & 5 Gbps.
- Supports multi-NIC configuration & configuration sync.
- Deployable with CloudFormation Templates (CFTs) from GitHub. The following integrated marketplace solutions are available using CFTs: Auto Scale WAF; Auto Scale LTM (Coming Soon!); HA Pair (Coming Soon!).
Auto Scale WAF deployment on AWS: consistent application protection regardless of traffic volume or CPU utilization.
- Launches a PAYG BIG-IP VE instance with LTM and ASM provisioned, for intelligent traffic management and application security.
- As traffic or vCPU consumption fluctuates, identical instances are automatically spun up or down to provide the optimal capacity for processing application traffic.
- The BIG-IP instances operate with 1 network interface.
- Scale-up and scale-down events are based on pre-defined traffic or vCPU thresholds, typically 80% for scale up and 20% for scale down.
- AWS resources required include: S3 bucket, IAM role, CloudWatch, Auto Scaling group and SNS topic.
- Available with PAYG instances, or with BYOL licenses when used in conjunction with BIG-IQ License Manager (free).
- Pre-requisites to this template can be found here.
- Manual deployment: ~7+ hours. Templated deployment: ~40 mins.
- Link to GitHub
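The following CloudFormation fragment is an added example, not F5's GitHub template: it wires together the resources the slide lists (Auto Scaling group of single-NIC instances, SNS topic for scaling notifications, CloudWatch alarms at the 80% / 20% thresholds driving scale-up and scale-down policies, and an IAM role plus S3 bucket) the way a security engineer would want them, with public access blocked on the bucket and the instance role scoped to that one bucket. All parameter and resource names, the sizes, cooldowns and IAM actions are assumptions; the BIG-IP AMI, user data and licensing are left to parameters and are not reproduced here.

```yaml
# Added example (not F5's template): scaling + permission pieces of a
# 1-NIC auto-scale WAF deployment. Names, sizes, cooldowns and the IAM
# action list are assumptions; AMI ID, user data and licensing are left out.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  BigIpImageId:
    Type: AWS::EC2::Image::Id          # BIG-IP VE AMI (PAYG or BYOL) for this region
  InstanceType:
    Type: String
    Default: m4.xlarge                 # assumed size; pick per licensed throughput
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  SecurityGroupIds:
    Type: List<AWS::EC2::SecurityGroup::Id>
  NotificationEmail:
    Type: String
Resources:
  StateBucket:                         # shared state for the scaling set (assumed use)
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:  # never let cluster state become world-readable
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  BigIpRole:                           # least privilege: this bucket only, read-only ASG/EC2
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: bigip-autoscale
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: [s3:GetObject, s3:PutObject, s3:DeleteObject]
                Resource: !Sub '${StateBucket.Arn}/*'
              - Effect: Allow
                Action: s3:ListBucket
                Resource: !GetAtt StateBucket.Arn
              - Effect: Allow           # describe calls are not resource-scopable
                Action: [autoscaling:DescribeAutoScalingGroups, autoscaling:DescribeAutoScalingInstances, ec2:DescribeInstances, cloudwatch:PutMetricData]
                Resource: '*'
  BigIpInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref BigIpRole]
  ScalingTopic:                        # email on every launch/terminate
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: email
          Endpoint: !Ref NotificationEmail
  BigIpLaunchConfig:                   # one ENI: management and data plane share it
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId: !Ref BigIpImageId
      InstanceType: !Ref InstanceType
      IamInstanceProfile: !Ref BigIpInstanceProfile
      SecurityGroups: !Ref SecurityGroupIds
  BigIpGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      LaunchConfigurationName: !Ref BigIpLaunchConfig
      VPCZoneIdentifier: !Ref SubnetIds
      MinSize: '1'
      MaxSize: '4'
      DesiredCapacity: '1'
      HealthCheckType: EC2
      NotificationConfigurations:
        - TopicARN: !Ref ScalingTopic
          NotificationTypes: [autoscaling:EC2_INSTANCE_LAUNCH, autoscaling:EC2_INSTANCE_TERMINATE]
  ScaleUp:
    Type: AWS::AutoScaling::ScalingPolicy
    Properties:
      AutoScalingGroupName: !Ref BigIpGroup
      AdjustmentType: ChangeInCapacity
      ScalingAdjustment: 1
      Cooldown: '300'                  # give the new BIG-IP time to license and sync
  ScaleDown:
    Type: AWS::AutoScaling::ScalingPolicy
    Properties:
      AutoScalingGroupName: !Ref BigIpGroup
      AdjustmentType: ChangeInCapacity
      ScalingAdjustment: -1
      Cooldown: '600'
  HighCpu:                             # scale up: average vCPU above 80% for 5 minutes
    Type: AWS::CloudWatch::Alarm
    Properties:
      Namespace: AWS/EC2
      MetricName: CPUUtilization
      Dimensions:
        - Name: AutoScalingGroupName
          Value: !Ref BigIpGroup
      Statistic: Average
      Period: 60
      EvaluationPeriods: 5
      Threshold: 80
      ComparisonOperator: GreaterThanThreshold
      AlarmActions: [!Ref ScaleUp]
  LowCpu:                              # scale down: average vCPU below 20% for 15 minutes
    Type: AWS::CloudWatch::Alarm
    Properties:
      Namespace: AWS/EC2
      MetricName: CPUUtilization
      Dimensions:
        - Name: AutoScalingGroupName
          Value: !Ref BigIpGroup
      Statistic: Average
      Period: 60
      EvaluationPeriods: 15
      Threshold: 20
      ComparisonOperator: LessThanThreshold
      AlarmActions: [!Ref ScaleDown]
```

The wide gap between the two thresholds (80% up, 20% down) and the longer scale-down window are what keep the group from flapping; a throughput-based trigger such as the slide also mentions is not a built-in EC2 metric, so it would have to be a custom metric the instances publish (which is why cloudwatch:PutMetricData is in the role). Note that the role deliberately grants no autoscaling:* write actions: an instance that is compromised should not be able to grow or shrink the group.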
BIG-IP VE on Azure
- VE is available from Azure Marketplace in Good, Better & Best bundles, as well as more specific integrated solutions.
- Supports all core BIG-IP modules including LTM, DNS, ASM, AFM & APM.
- Throughput and licensing options for BIG-IP VEs include: BYOL: 25 Mbps, 200 Mbps, 1 Gbps & 3 Gbps; PAYG: 25 Mbps, 200 Mbps & 1 Gbps.
- Supports multi-NIC configuration & configuration sync.
- Deployable with Azure Resource Manager (ARM) templates from GitHub. The following integrated marketplace solutions are available using ARM templates: WAF for inside ASC (Azure Security Center) (BYOL); WAF for outside ASC (BYOL & PAYG); O365 Federated Access for Office 365 apps (BYOL & PAYG).
* Derived from Gartner G00301285 (March 24th 2016)
Auto Scale WAF deployment in Azure: an optimized application availability solution.
- Deploys BIG-IP with LTM/ASM provisioned in an auto scaling group, to consistently provide intelligent traffic management services to applications under varying traffic loads or vCPU strain.
- As traffic or vCPU utilization increases or decreases and crosses pre-defined thresholds, BIG-IP LTM instances are spun up or spun down accordingly.
- This solution is deployed into a new networking stack that is created along with the solution.
- The BIG-IP VE instance operates with 1 network interface, used for both management and data plane traffic.
- Requires use of an Azure Load Balancer (ALB).
- Multiple email addresses can be added to the template to receive notifications when scaling events occur.
- Scaling events are based on either traffic throughput or vCPU consumption.
- Available with PAYG instances, or with BYOL licenses when used in conjunction with BIG-IQ License Manager (free).
- Manual deployment: ~6+ hours. Templated deployment: ~40 mins.
- Pre-requisites to this template can be found here.
- Link to GitHub
BIG-IP VE on Google Cloud
- VE is available from Google Cloud Launcher in Good, Better & Best bundles.
- Supports all core BIG-IP modules including LTM, DNS, ASM, AFM & APM.
- Throughput and licensing options include: BYOL: 25 Mbps, 200 Mbps, 1 Gbps & 5 Gbps.
- Operates behind a Google Load Balancer for address translation.
- Supports single-NIC configuration & configuration sync.
- Deployable with Google Deployment Manager templates from GitHub.
3-NIC BIG-IP VE deployment in Google: single, standalone BIG-IP device(s) with three network interfaces.
- Deploys a standalone BIG-IP VE in a Google Cloud VPC, where traffic automatically flows via the VE to the application servers.
- The BIG-IP VE instance operates with 3 network interfaces and is most similar to an on-premises deployment: one interface for management, one for front-end application traffic and one for back-end application traffic.
- Multi-NIC configurations are necessary when deploying multiple applications on different IP addresses, or for multi-tenant configurations.
- BYOL and PAYG templates are available.
- Pre-requisites to this template can be found here.
- Manual deployment: ~3+ hours. Templated deployment: ~40 mins.
- Link to GitHub
Enabling IT and DevOps Productivity
Challenges:
- Scale deployment of app services
- Agile app deployment
- Enable service catalogs
Programmatic interfaces and tools:
- iRule traffic manipulation
- Cloud solution templates for AWS, Azure & Google
- iControl API for 3rd-party integration
- iApp self-service deployment templates
Key Benefits:
- Integration with DevOps and automation toolchains (Chef, Ansible, Puppet)
- Automated end-to-end deployments reduce human errors
- Self-service portals