Transcription

4/4/2018
F5 Government Symposium 2018
AWS and F5 Deep Dive
Ryan Johnson, Federal System Engineer

Public Cloud – Pros and Cons / Private Cloud – Pros and Cons

(Diagram: User; PRIVATE CLOUD, on premises; PUBLIC CLOUD, off premises; HYBRID CLOUD spanning both.)

Private Cloud
PRO:
- Strong Security (sensitive data, keys)
- Full Control (policies & compliance)
- Easily Customizable
CON:
- Cost / upfront investment
- Under-utilization
- Capacity Ceiling

Public Cloud
PRO:
- Time to Market
- Low initial costs (Pay per use)
- Flexible & unlimited capacity growth
CON:
- Security: private keys, policies, sensitive data
- Storage: cost, data to/from the cloud
- Cloud lock-in: policies, data transfer cost
- Performance: Higher latency

(Diagram: Private Cloud with ADC & Security, Application and Data; Public Internet; AWS Tools and Azure Tools, each with their own ADC & Security, Application and Data.)

How about migrating/scaling or adding new apps to a public cloud provider to get the benefits of public cloud: cost, time to market and scale?

(Same diagram, with two moves marked: "New Green App to Azure" and "Migrate/Scale out Orange App to AWS".)

PROS:
- Time to Market
- Low initial costs (Pay per use)
- Flexible & unlimited capacity growth

CONS:
- Security: private keys, policy, sensitive data
- Storage: cost, data to/from the cloud
- Cloud lock-in: policy, data transfer cost
- Performance: Higher latency

Extend your Private Cloud into Colo Facility

(Diagram: Private Cloud with App Connector (AC), ADC & Security, Application and Data; Secure Reverse Tunnel across the Public Internet to a Colo Facility with App Connector (AC), ADC & Security, Application, Data and Storage; Private Interconnect from the Colo to the Public Cloud XChange and the public cloud's Application and Data.)

PROS:
- Sensitive data securely stored in Colo
- Colo brings app closer to end users
- Moving data in/out colo at low cost
- Low latency towards all public cloud providers

CONS:
- Security: sensitive data
- Storage: cost, data to/from the cloud
- Cloud lock-in: data transfer cost
- Performance: Higher latency

Extend your Private Cloud into Colo Facility (diagram repeated without the pros/cons list)
2018 F5 Networks

Multi-Cloud Challenges

Operational Agility
- Manual IT processes impede developer's agility needs
- Feature gaps in cloud native services result in longer time to value
- Insufficient/basic security services make apps more vulnerable to attacks
- Basic native services tied to each cloud provider infrastructure
- Inconsistent security services increase compliance gaps and audit risks
- No centralized method to manage policy and enforce compliance
- Poor cross-environment visibility/analytics
- Lack of a standardized and common set of app services results in complexity and costs
- Disparate platforms and toolsets exacerbate IT skillset gaps and lead to cloud lock-in
- Higher costs and inability to scale with multiple different app services to deploy and maintain

Making Your Cloud Apps Go Smarter, Faster, Safer

Simple Operations
- Reduce complexity across multiple clouds
- Scale deployments with increased agility
- Reduced risk – Consistent Policy maintains compliance and control

- Service abstraction
- Cloud independence with portable multi-cloud app services
- Consistent security policies
- Simplified policy deployment and compliance
- Advanced app protection
- Centralized visibility for control
- Integration with application ecosystem
- Turnkey solutions validated and tested in multiple clouds
- Library of automation and DevOps toolsets
- Enable NetOps with SuperNetOps training

F5 transforms app services, delivering consistency and security to Multi-Cloud deployments

Cloud Solution Templates for Multi-Cloud
- Quickly deploy common F5 services for your applications in the infrastructure of your choice in "one-click", supported by F5
- Available on GitHub and cloud provider product pages

Cloud Solution Templates by Platform
https://github.com/f5networks

AWS
- 1, 2, 3 NIC HA, BYOL & Hourly
- HA across AZ
- Cloud WAF in MP
- Cloud LTM
- Service Discovery – 1, 2, 3 NIC, HA
- BIG-IQ: 5.2, 5.3 – Receive licensing
- Existing Prod stack, no public IPs
- Autoscale: SvcDisc Support
- Autoscale: Cloud WAF and v13
- Autoscale: Master Election
- Autoscale: BYOL (BIG-IQ)
- Autoscale: on vCPU
- Marketplace: LTM, WAF, HA across AZs
- Marketplace: Autoscale update
- GovCloud Template Support

Azure
- 1, 2, 3 NIC, HA, BYOL & Hourly
- MultiNIC support – HA, WAF
- HA across AVset
- HA across AVset, 2 TGs (no ALB)
- WAF ASC, Tier 2
- Service Discovery – All templates
- BIG-IQ: 5.2, 5.3 – Receive licensing
- Deploy into existing VNET: HA, Cloud LTM, Cloud WAF
- V13 WAF support
- Autoscale: Master Election
- Autoscale: BYOL (BIG-IQ)
- Marketplace: LTM, WAF, ASC
- Marketplace: O365 SSO Solution

Google
- 1/2/3 NIC BYOL Templates
- 1/2/3 NIC Utility Templates
- Hourly billing now available in Google Launcher
- Service Discovery

Simplified Cloud Deployments
Solution Templates for the EZ Button ERA
- Tested & Validated
- VE Deployments in minutes
- Simple & Automated
- Consistency Across Clouds
- Familiar tool sets
- Cloud Security Consistency

https://github.com/f5networks
http://clouddocs.f5.com/

Globally Deployed Gov Cloud and C2S
- 19 Products Listings on BYOL or PAYG
- 15 supported Cloud Solution Templates
- Top 5 ISV with 2 Competencies
- In GovCloud and C2S Marketplaces
- Enterprise Contracts Partner
- Deep Technical Alignment
- Partner Programs in Marketplace: Refer, Resale, Private Offer
- PAYGO includes F5 support

F5 Product     Size                     Option
BIG-IP Good    25MB, 200MB, 1GB, 5GB    PAYGO or BYOL
BIG-IP Better  25MB, 200MB, 1GB, 5GB    PAYGO or BYOL
BIG-IP Best    25MB, 200MB, 1GB, 5GB    PAYGO or BYOL
BIG-IP Good    3GB, 10GB                BYOL only
BIG-IP Better  3GB, 10GB                BYOL only
BIG-IP Best    3GB, 10GB                BYOL only
BIG-IQ         B                        BYOL only

* caveat any gotcha's for GovCloud

(Procurement Process and can be used by BIG-IQ Lic Manager) (One-time purchase)

Feature                        F5 BIG-IP LTM VE     Amazon ELB
Local Load Balancing           X                    X
Application Acceleration       X
SSL and Compression Offload    X
Content Caching                X
Scripted Traffic Handling      X
IPv6 Support                   X
Global Load Balancing          X (1)
Bandwidth Management           X
Transaction Rate Shaping       X (1)
Service Level Monitoring       X
Application Integration        X
Application Access Control     X (1)
L3/L4 Firewall                 X (1)
Community Support              DevCentral.f5.com    forum

(1) Add-on functionality

In a Nutshell: Why ELB?
- Auto scaling of servers
- Dynamic scaling of the load balancer itself
- Cookie persistency
- HTTP monitor with 200 OK
- Cheap
- DevOps do not have to log in to my console
- Good enough load balancer

Why not F5 in AWS?
Customer responses:
- Feature rich but complicated
- Expensive
- No auto scaling of servers
- No auto scaling of BIG-IP

Challenge Accepted

How AWS Charges
- With ELB: ELB instance, ELB traffic, EC2 traffic, EC2 compute
- Without ELB: EC2 traffic, EC2 compute

ELB pricing
- Price per instance: 0.025/hour (219/year)
- Traffic cost: 0.008/GByte

Is variable cost a problem for federal agencies?

Cost comparison: ELB vs LTM single instance
AWS makes its money by charging for traffic. If you don't use ELB for your service it's cheap – but why use it?

(Chart: annual cost from 0 to 35,000, ELB/yr versus LTM/year, plotted against traffic.)

Breakeven traffic:
- 140 Mbps with 200 Mbps license
- 300 Mbps with 1 Gig license
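To make the breakeven reasoning above reproducible, here is an added cost model (this is not code from the deck or from F5). It uses only the ELB prices the slides state, 0.025 per instance-hour and 0.008 per GByte, and treats the LTM as a flat annual cost. The LTM license prices are not on the slides, so the model takes them as a parameter and, run the other way, reports the annual LTM cost each stated breakeven point implies; decimal gigabytes (1 GB = 10^9 bytes) and an 8,760-hour year are assumptions.

```python
# Added example: ELB-vs-LTM cost model built from the prices on the slides.
# Assumptions: decimal GB, 8,760-hour year, LTM priced as a flat annual cost.

HOURS_PER_YEAR = 24 * 365              # 8,760 h; 0.025 * 8,760 = 219/year as on the slide
SECONDS_PER_YEAR = HOURS_PER_YEAR * 3600
ELB_HOURLY = 0.025                     # per ELB instance, per hour (from the slide)
ELB_PER_GB = 0.008                     # per GByte of traffic through the ELB (from the slide)


def gigabytes_per_year(mbps: float) -> float:
    """Sustained throughput in megabits/s -> decimal gigabytes moved in one year."""
    bytes_per_second = mbps * 1_000_000 / 8
    return bytes_per_second * SECONDS_PER_YEAR / 1_000_000_000


def elb_annual_cost(mbps: float) -> float:
    """Fixed instance charge plus the traffic-dependent ('variable') charge."""
    return ELB_HOURLY * HOURS_PER_YEAR + ELB_PER_GB * gigabytes_per_year(mbps)


def breakeven_mbps(ltm_annual_cost: float) -> float:
    """Sustained Mbps at which ELB costs as much per year as a flat-priced LTM.

    Inverts elb_annual_cost(); returns 0.0 when the LTM is cheaper than an
    idle ELB, i.e. when the flat cost is below the 219/year instance charge.
    """
    variable = ltm_annual_cost - ELB_HOURLY * HOURS_PER_YEAR
    if variable <= 0:
        return 0.0
    gigabytes = variable / ELB_PER_GB
    return gigabytes * 1_000_000_000 * 8 / 1_000_000 / SECONDS_PER_YEAR


def implied_ltm_annual_cost(breakeven: float) -> float:
    """Read the slide backwards: the LTM annual cost a stated breakeven implies."""
    return elb_annual_cost(breakeven)


if __name__ == "__main__":
    for mbps in (50, 140, 300, 1000):
        print(f"{mbps:5d} Mbps sustained -> ELB {elb_annual_cost(mbps):10.2f} per year")
    # The slide states breakeven at 140 Mbps (200 Mbps license) and 300 Mbps
    # (1 Gig license); these are the annual LTM costs those points imply.
    for label, point in (("200 Mbps license", 140), ("1 Gig license", 300)):
        print(f"{label}: breakeven {point} Mbps implies LTM ~{implied_ltm_annual_cost(point):.0f}/year")
```

At a sustained 1 Gbps the traffic charge alone is about 31,500 per year, which is why the chart's ELB line climbs to the top of its 35,000 axis while the flat LTM line does not move; the "variable cost" question on the previous slide is exactly this slope.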


(Diagram: BIG-IP #1 with instances in the us-east-1a Availability Zone, us-east-1 Region (N. VA).)

(Diagram: BIG-IP #1 and BIG-IP #2 with instances in the us-east-1a Availability Zone, us-east-1 Region (N. VA).)

(Diagram: LTM, DNS and LTM with instances in each of the us-gov-east-1a and us-gov-east-1b Availability Zones, us-gov-east-1 Region.)

DNS LB/GSLB

VPC 10.0.0.0/16

Availability Zone 1
- AZ1 Mgmt Vlan 10.0.0.0/24
- AZ1 External Vlan 10.0.1.0/24, AZ1 Default Gateway 10.0.1.1
- AZ1 Internal Vlan 10.0.2.0/24
- EIP for Virtual in AZ 1: 100.0.0.0
- Sync-Failover Group
- VIP 10.0.1.100 (tg traffic-group-1), pool members 10.0.2.201, 10.0.2.202, 10.0.2.203

Availability Zone 2
- AZ2 Mgmt Vlan 10.0.10.0/24
- AZ2 External Vlan 10.0.11.0/24, AZ2 Default Gateway 10.0.11.1
- AZ2 Internal Vlan 10.0.12.0/24
- EIP for Virtual in AZ 2: 100.0.0.1
- Sync-Failover Group
- VIP 10.0.11.100 (tg traffic-group-1), pool members 10.0.12.201, 10.0.12.202, 10.0.12.203

Elastic IP moves on failover

(Diagram: LTM: Active holding the Elastic IP address, with instances, in the us-gov-east-1a Availability Zone; LTM: Standby with instances in the us-gov-east-1b Availability Zone; us-gov-east-1 Region.)

HA Across AZs

VPC 10.0.0.0/16
EIP (VIP1) 55.55.55.55
Sync-Failover Group across both zones; Traffic Group traffic-group-1 dictates Active

Availability Zone 1
- AZ1 Mgmt Vlan 10.0.0.0/24, AZ1 Mgmt IP 10.0.0.100
- AZ1 External Vlan 10.0.1.0/24, AZ1 Default Gateway 10.0.1.1, Self IP 10.0.1.101
- AZ1 Internal Vlan 10.0.2.0/24, Self IP 10.0.2.200
- AZ1 Pool Vlan 10.0.3.0/24, pool members 10.0.3.201, 10.0.3.202, 10.0.3.203
- VIP 10.0.1.100 (traffic-group-none)

Availability Zone 2
- AZ2 Mgmt Vlan 10.0.10.0/24, AZ2 Mgmt IP 10.0.10.100
- AZ2 External Vlan 10.0.11.0/24, AZ2 Default Gateway 10.0.11.1, Self IP 10.0.11.101
- AZ2 Internal Vlan 10.0.12.0/24, Self IP 10.0.12.101
- AZ2 Pool Vlan 10.0.13.0/24, pool members 10.0.13.201, 10.0.13.202, 10.0.13.203
- VIP 10.0.11.100 (traffic-group-none)

NOTE: Pool members can span AZs. Ex.: VIP 10.0.1.100 and VIP 10.0.11.100 are the same service and both use "my pool": 10.0.3.201, 10.0.3.202, 10.0.3.203, 10.0.13.201, 10.0.13.202, 10.0.13.203
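The HA-across-AZs layout above only works if every address lands in the VLAN the design expects: a VIP outside the external subnet never receives the EIP's traffic, overlapping per-AZ subnets break routing, and a VIP that collides with a gateway or self IP black-holes the service. The following is an added pre-deployment check (not code from the deck or from F5), using only the Python standard library. The addresses are the slide's; which self IP belongs to which VLAN, and the collision check, are this example's own reading of the diagram.

```python
# Added example: consistency check of the HA-across-AZs addressing plan above.
# Addresses are from the slide; the VLAN-to-address mapping is this example's reading.
from ipaddress import IPv4Address, IPv4Network

VPC = IPv4Network("10.0.0.0/16")
EIP_VIP1 = IPv4Address("55.55.55.55")  # public Elastic IP from the slide

# Per-AZ plan: (VLAN CIDR, addresses expected inside it) per role, plus the VIP
# that must sit in the external VLAN so the EIP can be mapped onto it.
PLAN = {
    "AZ1": {
        "mgmt": ("10.0.0.0/24", ["10.0.0.100"]),
        "external": ("10.0.1.0/24", ["10.0.1.1", "10.0.1.101"]),
        "internal": ("10.0.2.0/24", ["10.0.2.200"]),
        "pool": ("10.0.3.0/24", ["10.0.3.201", "10.0.3.202", "10.0.3.203"]),
        "vip": "10.0.1.100",
    },
    "AZ2": {
        "mgmt": ("10.0.10.0/24", ["10.0.10.100"]),
        "external": ("10.0.11.0/24", ["10.0.11.1", "10.0.11.101"]),
        "internal": ("10.0.12.0/24", ["10.0.12.101"]),
        "pool": ("10.0.13.0/24", ["10.0.13.201", "10.0.13.202", "10.0.13.203"]),
        "vip": "10.0.11.100",
    },
}


def check_plan(plan, vpc=VPC, eip=EIP_VIP1):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    seen = []  # (az, role, network) already checked, for overlap detection
    for az, vlans in plan.items():
        for role in ("mgmt", "external", "internal", "pool"):
            cidr, hosts = vlans[role]
            net = IPv4Network(cidr)
            if not net.subnet_of(vpc):
                findings.append(f"{az} {role} {cidr} is outside the VPC {vpc}")
            for s_az, s_role, other in seen:
                if net.overlaps(other):
                    findings.append(f"{az} {role} {cidr} overlaps {s_az} {s_role} {other}")
            seen.append((az, role, net))
            for host in hosts:
                if IPv4Address(host) not in net:
                    findings.append(f"{az} {role}: {host} is not in {cidr}")
        vip = IPv4Address(vlans["vip"])
        ext_cidr, ext_hosts = vlans["external"]
        if vip not in IPv4Network(ext_cidr):
            findings.append(f"{az}: VIP {vip} is not in the external VLAN {ext_cidr}")
        if str(vip) in ext_hosts:
            findings.append(f"{az}: VIP {vip} collides with the gateway or a self IP")
    # The EIP is mapped onto the VIP by AWS; it must be a public address, not a VPC one.
    if eip in vpc or eip.is_private:
        findings.append(f"EIP {eip} must be a public address outside the VPC")
    return findings


def cross_az_pool(plan):
    """Pool members from every AZ, as the slide's 'my pool' spans both zones."""
    members = []
    for vlans in plan.values():
        members.extend(vlans["pool"][1])
    return members


if __name__ == "__main__":
    problems = check_plan(PLAN)
    print("plan OK" if not problems else "\n".join(problems))
    print("my pool:", ", ".join(cross_az_pool(PLAN)))
```

Running it on the slide's plan reports no findings; changing AZ2's external VLAN to 10.0.1.0/24 (a copy-paste slip that is easy to make when cloning the AZ1 block) produces an overlap finding, a gateway-outside-subnet finding and a VIP-outside-external finding at once.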


(Diagram: HSM Active and HSM Standby with instances in the us-gov-east-1a Availability Zone, and the same HSM Active/Standby pair with instances in the us-gov-east-1b Availability Zone; us-gov-east-1 Region.)

(Diagram: Active F5 BIG-IP 10350-v-F connected over AWS DirectConnect to Active BIG-IPs with instances in the us-gov-east-1a and us-gov-east-1b Availability Zones, us-gov-east-1 Region.)

Shared Responsibility Model
Cloud vendors leave layer 4-7 services to the cloud customer

Your Customer's Responsibility:
- Data
- Applications
- Runtime
- Middleware
- Operating System
- Layer 4-7 services: Local Traffic Management, Global Traffic Management, Web Application Firewall, Access & Identity Federation, Network Firewall

Cloud Vendor Responsibility (Public Cloud Infrastructure, IaaS/PaaS/SaaS: Amazon Web Services, Microsoft Azure, Google Cloud Platform):
- Virtualization
- Physical Servers
- Storage
- Networking Functions

Bolster your Existing AWS WAF
F5's Three Managed Rulesets Prevent Leading Attack Mechanisms

Ruleset 1: Web Exploits OWASP Top 10
Protects against web exploits that are a part of the OWASP Top 10, including: SQLi, XSS, command injection, NoSQL injection, path traversal, and predictable resource

Ruleset 2: Common Vulnerabilities & Exposures (CVE)
Provides high profile protection for CVEs for major systems including: Apache, Apache Struts, Bash, Elasticsearch, IIS, JBoss, JSP, Java, Joomla, MySQL, Node.js, PHP, PHPMyAdmin, Perl, Ruby On Rails, and WordPress

Ruleset 3: Bot Protection
Protect against automated attacks. Bot Protection Rules stop a broad range of malicious bots including: vulnerability scanners, web scrapers, DDoS tools, and forum spam tools.

Enhance Your AWS Security Posture
F5's Managed Rules for AWS WAF

AWS WAF & F5 Managed Rules is Good. But F5's Dedicated Web Application Firewall is Better!

AWS WAF:
- Basic WAF protection: Limited protection against OWASP 10
- Simplified deployment – native service
- Hourly Licensing

AWS WAF + F5 Managed Rules:
- Basic WAF protection: Enhanced protection against OWASP 10 web exploits, Bots or CVEs
- Simplified deployment – native service
- Hourly Licensing

F5 Web Application Firewall:
- Comprehensive, complete WAF: L7 DoS mitigation, Proactive bot defense, Complete OWASP 10 protection, Automated policy learning, Context-aware risk management, Virtual patching, Advanced compliance & many more features
- Simplified deployment from the AWS MP with F5 CloudFormation Templates
- Hourly, Subscription, ELA and Perpetual Licensing

GitHub and Cloud Product Pages

Save costs by on-demand scalability of F5 app services
- Capacity on-demand
- Autoscale BIG-IPs and pool members
- Integrates with AWS Autoscale and CloudWatch
- Leverages Cloud-init
- BYOL and/or Hourly

(Diagram: BIG-IP EC2 Autoscale Group with a BYOL BIG-IP and Hourly BIG-IPs across the Public subnets of Availability Zones 1, 2 and 3, in front of the App subnet.)

(Diagram: one BIG-IP in the Auto Scaling group.)

(Diagram: three BIG-IPs in the Auto Scaling group.)

(Diagram: Auto Scaling group with two LTM: Active units and instances in each of the us-gov-east-1a and us-gov-east-1b Availability Zones, us-gov-east-1 Region.)

Securing and automating app delivery in public cloud

(Diagram: Private Cloud with App Connector (AC), Private keys, ADC & Security, Application and Data; Secure Reverse Tunnel across the Public Internet to the public cloud's App Connector (AC), Application and Data.)

Application Connector – F5 Solution for Private–Public Cloud inter-connect
- Secure reverse tunnel between Private–Public cloud (SSL keys on BIG-IP in Private Cloud/DC)
- Public cloud resources auto-discovered and managed by BIG-IP in Private Cloud/DC

(Same Application Connector diagram.)

PROS:
- Private keys stored in Private Cloud
- App front-end via BIG-IP in Private Cloud
- Auto-discovery of Public Cloud resources
- All resources managed from Private Cloud

CONS:
- Security: private keys, sensitive data
- Storage: cost, data to/from the cloud
- Cloud lock-in: data transfer cost
- Performance: Higher latency
