F5 in AWS Part 3 Advanced Topologies and More on Highly Available Services

Similar documents
Deploying the BIG-IP LTM with IBM QRadar Logging

DESIGN GUIDE. VMware NSX for vsphere (NSX-v) and F5 BIG-IP Design Guide

Archived. Deploying the BIG-IP LTM with IBM Cognos Insight. Deployment Guide Document version 1.0. What s inside: 2 Products and versions tested

Archived. Configuring a single-tenant BIG-IP Virtual Edition in the Cloud. Deployment Guide Document Version: 1.0. What is F5 iapp?

Deploying the BIG-IP System v11 with DNS Servers

F5 and Nuage Networks Partnership Overview for Enterprises

Citrix Federated Authentication Service Integration with APM

Deploying the BIG-IP System with CA SiteMinder

Deploying the BIG-IP System with Oracle Hyperion Applications

Archived. h h Health monitoring of the Guardium S-TAP Collectors to ensure traffic is sent to a Collector that is actually up and available,

Converting a Cisco ACE configuration file to F5 BIG IP Format

Webshells. Webshell Examples. How does a webshell attack work? Nir Zigler,

Data Center Virtualization Q&A

Geolocation and Application Delivery

VMware vcenter Site Recovery Manager

v.10 - Working the GTM Command Line Interface

Prompta volumus denique eam ei, mel autem

Optimizing NetApp SnapMirror Data Replication with F5 BIG-IP WAN Optimization Manager

BIG IQ Reporting for Subscription and ELA Programs

Deploying WAN-Optimized Acceleration for VMware vmotion Between Two BIG-IP Systems

Enabling Long Distance Live Migration with F5 and VMware vmotion

F5 iapps: Moving Application Delivery Beyond the Network

Complying with PCI DSS 3.0

Load Balancing 101: Nuts and Bolts

Deploying a Next-Generation IPS Infrastructure

Large FSI DDoS Protection Reference Architecture

Multi-Tenancy Designs for the F5 High-Performance Services Fabric

Enhancing VMware Horizon View with F5 Solutions

APM Cookbook: Single Sign On (SSO) using Kerberos

The Programmable Network

Validating Microsoft Exchange 2010 on Cisco and NetApp FlexPod with the F5 BIG-IP System

Deploying a Next-Generation IPS Infrastructure

WHITE PAPER. F5 and Cisco. Supercharging IT Operations with Full-Stack SDN

Distributing Applications for Disaster Planning and Availability

Load Balancing 101: Nuts and Bolts

Unified Application Delivery

Meeting the Challenges of an HA Architecture for IBM WebSphere SIP

Document version: 1.0 What's inside: Products and versions tested Important:

Deploying the BIG-IP LTM with Oracle JD Edwards EnterpriseOne

Addressing Security Loopholes of Third Party Browser Plug ins UPDATED FEBRUARY 2017

Archived. Deploying the BIG-IP LTM with IBM Lotus inotes BIG-IP LTM , 10.1, 11.2, IBM Lotus inotes 8.5 (applies to 8.5.

Server Virtualization Incentive Program

F5 Reference Architecture for Cisco ACI

Improving VDI with Scalable Infrastructure

Cookies, Sessions, and Persistence

BIG-IP Global Traffic Manager

Resource Provisioning Hardware Virtualization, Your Way

Global Distributed Service in the Cloud with F5 and VMware

The F5 Application Services Reference Architecture

SQL Azure. Abhay Parekh Microsoft Corporation

BIG IP APM: Max Sessions Per User Enable users to terminate a specified session

One Time Passwords via an SMS Gateway with BIG IP Access Policy Manager

SNMP: Simplified. White Paper by F5

Session Initiated Protocol (SIP): A Five-Function Protocol

The F5 Intelligent DNS Scale Reference Architecture

Optimize and Accelerate Your Mission- Critical Applications across the WAN

Protecting Against Application DDoS A acks with BIG-IP ASM: A Three- Step Solution

Managing BIG-IP Devices with HP and Microsoft Network Management Solutions

Configuring Smart Card Authentication to BIG IP Management Interface

Creating a Hybrid ADN Architecture with both Virtual and Physical ADCs

Managing the Migration to IPv6 Throughout the Service Provider Network White Paper

Securing the Cloud. White Paper by Peter Silva

Maintain Your F5 Solution with Fast, Reliable Support

Secure Mobile Access to Corporate Applications

F5 icontrol. In this white paper, get an introduction to F5 icontrol service-enabled management API. F5 White Paper

Cisco HyperFlex and the F5 BIG-IP Platform Accelerate Infrastructure and Application Deployments

Archived. For more information of IBM Maximo Asset Management system see:

Solutions Guide. F5 solutions for the emerging 5G landscape

Using the F5 ARX Solution for Automated Storage Tiering

NGF0502 AWS Student Slides

NGIPS Recommended Practices

Automating the Data Center

Protecting Against Online Banking Fraud with F5

Application and Data Security with F5 BIG-IP ASM and Oracle Database Firewall

Simplifying Security for Mobile Networks

Protect Against Evolving DDoS Threats: The Case for Hybrid

How to set up a Virtual Private Cloud (VPC)

ARCHITECTING WEB APPLICATIONS FOR THE CLOUD: DESIGN PRINCIPLES AND PRACTICAL GUIDANCE FOR AWS

Amazon Virtual Private Cloud. User Guide API Version

SOA: Challenges and Solutions

Network Functions Virtualization - Everything Old Is New Again

Oracle PeopleSoft 9.2 with NetScaler for Global Server Load Balancing

Cisco CloudCenter Solution with Cisco ACI: Common Use Cases

A Guide to Architecting the Active/Active Data Center

Vulnerability Assessment with Application Security

Deploy F5 Application Delivery and Security Services in Private, Public, and Hybrid IT Cloud Environments

Considerations for VoLTE Implementation

OPTIMIZE. MONETIZE. SECURE. Agile, scalable network solutions for service providers.

Cisco APIC-EM Components and Architecture, page 3. About the Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM), page 1

How to Future-Proof Application Delivery

The Myth of Network Address Translation as Security

Designing Fault-Tolerant Applications

Building a Modular and Scalable Virtual Network Architecture with Amazon VPC

OpenStack Heat Template Composition

Cisco Cloud Services Router 1000V and Amazon Web Services CASE STUDY

Overview. AWS networking services including: VPC Extend your network into a virtual private cloud. EIP Elastic IP

The Cisco HyperFlex Dynamic Data Fabric Advantage

FortiMail AWS Deployment Guide

Unified Load Balance. User Guide. Issue 04 Date

Securely Access Services Over AWS PrivateLink. January 2019

Transcription:

F5 in AWS Part 3 Advanced Topologies and More on Highly Available Services ChrisMutzel, 2015-17-08 Thus far in our article series about running BIG-IP in EC2, we ve talked about some VPC/EC2 routing and network concepts, and we walked through the basics of running and licensing BIG-IP in this environment. It s time now to discuss some more advanced topologies that will provide highly redundant and highly available network services for your applications. As we touched upon briefly in our last article, failover between BIG-IP devices has typically relied upon L2 networking protocols to reach sub-second failover times. We ve also hinted over this series of articles as to how your applications might need to change as they move to AWS. We recognize that while some applications will see the benefit of a rewrite, and will perhaps place fewer requirements on the network for failover, other applications will continue to require stateful mechanisms from the network in order to be highly available. Below we will walk through 3 different topologies with BIG-IP that may make sense for your particular needs. We leave a 4th, auto-scale of BIG-IP released in version 12.0, for a future article. Each of the topologies we list has drawbacks and benefits, which may make them more or less useful given your tenancy models, SLAs, and orchestration capabilities. Availability Zones We've mentioned them before, but when discussing application availability in AWS, it would be negligent to skip over the concept of Availability Zones. At a high-level, these are co-located, but physically isolated datacenters (separate power/networking/etc) in which EC2 instances are provisioned. For a more detailed/accurate description, see the official AWS docs: http://docs.aws.amazon.com/awsec2/latest/userguide/using-regions-availability-zones.html Because availability zones are geographically close in proximity, the latency between them is very low (2~3 ms). Because of this, they can be treated as one logical data center (latency is low enough for DB tier communication). AWS recommends deploying services across at least two AZs for high availability. To distribute services across geographical areas, you can of course leverage AWS Regions with all the caveats that geographically dispersed datacenters present on the application or database tiers. Let's get down to it, and examine our first model for deploying BIG-IP in a highly available fashion in AWS. Our first approach will be very simple: deploy BIG-IP within a single zone in a clustered model. This maps easily to the traditional network environment approach using Device Service Clusters (DSC) we are used seeing with BIG-IP.

Note: in the following diagrams we have provided detailed IP and subnet annotations. These are provided for clarity and completeness, but are by no means the only way you may set up your network. In many cases, we recommend dynamically assigning IP addresses via automation, rather than fixing IP address to specific values (this is what the cloud is all about). We will typically use IP addresses in range 10.0.0.0/255.255.244.0 for the first subnet, 10.0.1.0/255.255.244.0 in the second subnet, and so on. 100.x.x.x/255.0.0.0 denote publicly routable IPs (either Elastic IPs or Public IPs in AWS). Option 1: HA Cluster in a single AZ Traditional HA. If a BIG-IP fails, service is "preserved". No HA across Datacenters/AZs. Like single DC deployment, if the AZ in which your architecture is deployed goes down, the entire service goes down. Single device failure = heartbeat timeout (approx. 3 sec) + API call (7-12 sec) AZ failure = entire deployment As mentioned, this approach provides the closest analogue to a traditional BIG-IP deployment in a datacenter. Because we don t see the benefits AWS availability zones in this deployment, this architecture might make most sense when your AWS deployment acts as a disaster recovery site. A question when examining this architecture might be: What if we put a cluster in each AZ?

Option 2: Clusters/HA pair in each AZ Smallest service impact for either a device failure or an AZ failure. Shared DB backend but still provides DC/AZ redundancy Similar to multiple DC deployment, generally provides Active/Active capacity. Cost: both pairs are located in a single region. Pairs are traditionally reserved for "geo/region" availability Extra dependency and cost of DNS/GSLB. Management overhead of maintaining configurations and policies of two separate systems (although this problem might be easily handled via orchestration). Single device failure = heartbeat timeout (approx. 3 sec) + API call (7-12 sec) for 1/2 Traffic AZ failure = DNS/GSLB timeout for 1/2 traffic

The above model provides a very high level of redundancy. For this reason, it seems to make most sense when incorporated into shared-service or multi-tenant models. The model also begs the question, can we continue to scale out across AZs, and can we do so for applications that do not require that the ADC manage state (e.g. no sticky sessions)? This leads us to our next approach. Option 3: Standalones in each AZ Cost Leverage availability zone concepts Similar to multiple DC deployment, Active/Active generally adds capacity. Easiest to scale Management overhead of maintaining configuration and policies across two or more separate systems; application state is not shared across systems within a geo/region. Requires DNS/GSLB even though not necessarily "geo-region" HA. Best suited for inbound traffic

For outbound use case: you have the distributed gateway issue (i.e. who will be the gateway, how will device/instance failure be handled, etc.) SNAT required (return traffic needs to return to originating device). For Internal LB model: DNS required to distribute traffic between each AZ VIP. Single device failure = DNS/GSLB timeout for 1/(N Devices) traffic.. AZ failure = DNS/GSLB timeout for 1/(N Devices) traffic One of the common themes between options 2 and 3 is that orchestration is required to manage the configuration across devices. In general, the problem is that the network objects (which are bound to layer 3 addresses) cannot be shared due to differing underlying subnets. Summary: Above, a number of options for deploying BIG-IP in highly available or horizontally-scaled models were discussed. The path you take will depend on your application needs. For example, if you have an application that requires persistent connections, you'll want to leverage one of the architectures which leverage device clustering and an Active/Standby approach. If persistence is managed within your application, you might aim to try one of the horizontally scalable models. Some of the deployment models we discussed are better enabled by the use of configuration management tools to manage the configuration objects across multiple BIG-IPs. In the next article we'll walk through how the lifecycle of BIG- IP and network services can be fully automated using open-source tools in AWS. These examples will show the power of using the icontrolsoap and icontrolrest APIs to automate your network. F5 Networks, Inc. 401 Elliot Avenue West, Seattle, WA 98119 888-882-4447 f5.com F5 Networks, Inc. Corporate Headquarters info@f5.com F5 Networks Asia-Pacific apacinfo@f5.com F5 Networks Ltd. Europe/Middle-East/Africa emeainfo@f5.com F5 Networks Japan K.K. f5j-info@f5.com 2016 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. CS04-00015 0113

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback