Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to F5 Distributed Cloud.pptx
Similar to F5 Distributed Cloud.pptx (20)
More from abenyeung1
Recently uploaded
Recently uploaded (20)
F5 Distributed Cloud.pptx
- 2. ©2022 F5 2 Network-based Communication Fundamental shift in how apps are designed & deployed IP HTTP HTTP Microservices-based Apps Multi-cloud and Edge Computing API-based Communication Monolithic Apps One Cloud Provider
- 3. ©2022 F5 3 Application delivery is changing CDNs Scale out static object serving Cloud Scale out app servers Distributed Cloud Scale and connect everything Origin Site Origin Site Origin Site(s) Data Center Distributed Cloud Hybrid Cloud Multi-Cloud Cloud Cloud(s)
- 4. ©2022 F5 4 Technical challenges of delivering apps End-user Experience Public Clouds Legacy & Modern Apps On-prem / Private Clouds Legacy & Modern Apps Edge Modern / Distributed Apps NETOPS APPDEV DEVOPS SECOPS Web app firewall Secure access Ingress controller Denial of service API gateway App/web server Load balancer Anti-fraud & anti-bot APPLICATION SECURITY APPLICATION DELIVERY Web app firewall Secure access Ingress controller Denial of service API gateway App/web server Load balancer Anti-fraud & anti-bot APPLICATION SECURITY APPLICATION DELIVERY Web app firewall Secure access Ingress controller Denial of service API gateway App/web server Load balancer Anti-fraud & anti-bot APPLICATION SECURITY APPLICATION DELIVERY #1 Complex coordination because of technology inconsistencies between teams and across environments #3 Security difficulties due to multiple different attack surfaces and sophistication of bad actors #2 Automation challenge ”stitching” multiple environments, layering net, security, and apps, at scale #4 Limited observability of silo’d telemetry trapped in disjointed systems & environments
- 5. ©2022 F5 5 Application and Infrastructure insights End-user Experience Public Clouds Legacy & Modern Apps On-prem / Private Clouds Legacy & Modern Apps Edge Modern / Distributed Apps Unified SaaS Console for all Stakeholders Web app firewall Secure access Ingress controller Denial of service API gateway App/web server Load balancer Anti-fraud & anti-bot APPLICATION SECURITY POLICIES APPLICATION DELIVERY CONFIGURATIONS SaaS TELEMETRY TELEMETRY TELEMETRY NETOPS APPDEV DEVOPS SECOPS #1 Collaborate across teams with a centralized SaaS console to simplify planning and streamline execution #3 Advanced security filters out bad traffic before it hits customer networks, stays up to date #2 Automate network configs and security deployment to reduce effort, errors, and gaps in coverage #4 Full stack observability of network, security, and application performance, cloud-agnostic and exportable Distributed Cloud Services for Modern App Delivery
- 6. ©2022 F5 6 Distributed Cloud Services Use Cases Networking: Hybrid and Multi-cloud Uniform multi- and hybrid- cloud connectivity for workloads deployed across clouds • Multi-cloud transit • Multi-cloud load balancing • Multi-cluster app mesh • Global high-speed high-capacity backbone network Security: Web App and API Protection API security, WAF, DDoS protection, firewall, bot defense, anomaly detection • Streamline multi-cloud security orchestration • Manage and secure APIs • Reduce fraud and abuse • Simplify security to aid app development Application Delivery: Cloud and Edge Run microservice-based apps wherever you require, globally, in the cloud, data center, or the edge • Secure Kubernetes gateway • Managed Kubernetes • Edge infrastructure & application management • Distributed apps
- 7. ©2022 F5 7 Key Building Blocks Understanding the Critical Components Centralized Operations Visibility and Analytics Artificial Intelligence/ Advanced Insights App Security Distributed Cloud Console SaaS-based centralized console managing application lifecycle and visibility WAF Firewall DDoS Mitigation (Layer 7) Bot Defense API security Networking Router Firewall ADC DDoS Mitigation (Layer 3-4) API Gateway App Development & Delivery K8s Compute Platform Identity Service Discovery Secrets Management K8s Cluster Management Distributed Networking and Security Services Kubernetes Platform Services for Distributed Applications
- 8. ©2022 F5 8 A Distributed Node Architecture Flexible deployment options across cloud and edge sites Distributed Cloud Mesh Integrated High Performance Networking and Advanced Security Stack [L3-L7] API Gateway Load balancer VPN SDN BGP Bot Defense Anomaly detection WAF Firewall DDoS Mitigation API Security ADC Cloud IaC Controller Router Fraud & Abuse App Security Network Security Distributed Cloud App Stack Simplified Application Infrastructure Stack Identity Service Discovery Secrets Mgmt. Distributed Application [Fleet] Service Control Cluster Management Compute Platform
- 9. ©2022 F5 9 Headquarters Linking everything together Building an Application Edge F5 Global Network [Private Backbone] Public Cloud Site 1 Site N Edge Deployments Admin | SecOps | NetOps | DevOps End Users | Clients | Consumers | Constituents Private cloud Networks Global External Internal www.mywebsite.com Site Token Regional Edge (RE) Customer Edge (CE) Key Click to add text
- 10. ©2022 F5 10 Delivered Across F5’s Global Private Network 12+ Tbps capacity (Tier-1 Carriers: NTT, Telia, Level3) Multi-Tbps private backbone (Zayo, Telia, CenturyLink) Dedicated connectivity (Cloud providers, SaaS providers)
- 11. ©2022 F5 11 Providing value across DevOps, SecOps & NetOps Simpler, more agile operations via easy-to-use SaaS services More effective for modern, distributed apps and multi-cloud End-to-end visibility and policy enforcement Lower TCO with SaaS model, multiple services, unified management Accelerate app deliver and reduce operational complexity
- 12. ©2022 F5 12 VENDORS REPLACED ROBUST SECURITY, SIMPLIFIED CLOUD MIGRATION AND IMPROVED RESILIENCY OUTCOMES F5 Distributed Cloud Services allowed this customer to seamlessly move to the cloud, increase scale and resiliency while improving collaboration across teams, simplifying operations and enhancing their security posture: • Increased collaboration across siloed technical functions • End-to-end security – reduced risk across multiple environments • Vendor consolidation - replaced between 3-5 vendors B2C GAMING CUSTOMER Private data center was under a DDoS attack that was impacting business, and they needed a quick solution to resolve the attack. MULTI-CLOUD ADOPTION After the attack had been mitigated, they realized they needed to think more critically about security and redundancy – how they would prevent such events in the future with back-up/duplication of key business functions. SOLUTION Following the initial engagement, they expanded use of the platform and our global private backbone. We worked with them to migrate to the cloud, expand out of their private DC, consolidate network services, WAF and security capabilities to support this transition. 3-5 Security and Multi-Cloud Networking Industry: Online Gaming & Poker
- 13. ©2022 F5 13 EDGE DEVICE LOCATIONS DISTRIBUTED APP DELIVERY TO THE CUSTOMER EDGE, AND CLOSER TO THE INTERACTION OUTCOMES F5 Distributed Cloud Services allowed this customer to simplify the operations of distributed apps across a large network: • Simplified operations • End-to-end security and telemetry • Increased agility and time to service ELECTRONICS CUSTOMER Large Japanese electronics manufacturer needed a solution to support their digital signage and public surveillance applications. SCALABLE DELIVERY OF APPS Building a solution in-house to accommodate the deployment and operation of applications across thousands of device locations proved to be costly and complicated. SOLUTION F5 Distributed Cloud Services was deployed as a lightweight network across their edge locations to simplify security, app delivery and lifecycle management for applications across a large distributed edge environment. 54K Security and Multi-Cloud Networking Industry: Information Technology & Electronics
- 14. ©2022 F5 14 ...The [F5 Distributed Cloud Platform] has demonstrated that it solves critical operational challenges within existing telco service offerings, increasing operator efficiency and revenue streams...” #5 Global Telco $92B Annual Revenues - Keiichi Makizono, SVP & CIO
- 15. ©2022 F5 15 We have worked very closely with [F5] to maximize our resiliency and security, as well as our user experience, and have been able to build a complete application delivery network and several security tools with their Distributed Cloud Platform #2 French Ecommerce $3.6B Annual Revenues - Romain Broussard, IT Director
Editor's Notes
- The past decade saw massive move towards virtualization with monolithic applications running as VMs in private / public cloud. The next decade will be marked by newer application architectures that not only includes monolithic apps but also distributed application architecture led by Containerization & Serverless. This movement has significant impact on how apps are architected, networked, and secured. 2010-2020 has been about migration from centralized data center to hybrid clouds with adoption of public cloud providers like AWS. The reason for this change was all about operational simplification and reduced time to market 2020+ -- this trend is continuing with digital transformation - driven by adoption of multiple cloud providers for reasons like performance, risk reduction, acquisitions, etc. In addition, there is newer emerging trend of running applications in the edge. Traditionally, the security policies and connectivity was managed at the network level and http level. There was growing adoption of microsegmentation where policies were written and enforced at the network level. All of this will no longer work as with microservices and serverless, all the traffic between apps is REST/gRPC APIs that are multiplexed on same network port (eg. HTTP 443) and as a result, the network level security and connectivity is not very useful anymore What if We Have Legacy Infrastructure in Place? To recap: apps are changing, driven by critical business needs. ← Read above. These changes, as noted above, have a significant impact to enterprise architectures in WHERE apps run and HOW those apps and data are connected, secured and operated. The properties for dealing with the requirements of distributed apps and data are driving the following shifts: Transformation from locations, application types to connectivity WHERE — Multiple Clouds and Edge Data gravity for performance reasons, risk reductions, edge AI use cases, etc. HOW — Hybrid Applications Containerization of apps and serverless environments, as well as the need to connect/discover legacy apps are driving new architectural, network and security challenges HOW — Layer 3 (Network) → Layer 7 (App/Proxy/API) Connectivity is changing from traditional network-level (IP) access to app-to-app communication using REST/gRPC APIs which are usually delivered over HTTPS (TCP/443) Apps Have Changed — So Have the Required Capabilities for Networking + Securing Them App-2-App Networking— micro-services and containers communicate to each other in addition to the end user, and over wider locations, making reliability/performance an even greater consideration Higher-layer Security — app-to-app and micro-services architectures require zero-trust at the API layer, because that’s how they communicate API-first — apps are written to be API producers and consumers Day 1. This has fundamental implications on how those APIs are delivered, connected, and secured To summarize — there are several technical and architectural trends (driven by business needs) around the types of applications, their locality, and the means of how they are delivered/accessed. As they converge together, it is creating major challenges for traditional networking, security and app services infrastructures.
- CDN/Edge 1.0 Assumed a limited number of origin sites Designed to deal with “dumb” clients with bad connectivity options Requires massive number of PoPs and immense storage Cloud/Edge 1.5 Assumes multiple origin sites, manually interconnected Still presumes clients might have bad connectivity More storage-efficient but still requires massive number of PoPs Distributed Cloud/Edge 2.0 Creates mesh of all origin sites Assumes clients are modern and well connected Does not require a high number of PoPs supplements with client assist, app distribution and excellent peering Distributed applications and data, which we call a distributed cloud. In this environment you can take advantage of anywhere compute/network/storage exists to offer the applications and services you need. We will go deeper into this in a moment but it begs the question, what’s changed that requires this distributed cloud? It would seem this would make the operational challenges of multi-cloud worse? Those thougthts aren’t wrong but let me start with WHY we think this is happening. We believe a Distributed Cloud architecture is required to address the demand of modern apps.
- Why today's infrastructure is obsolete for/to support modern apps Legacy vendors, limited approaches + mixed results - Multiple components (software and services) that are disparate/not connected and don’t work together well (very complex to manage, maintain etc.) - Varying operations teams and models – teams are siloed, working with/on their own software/apps specific to their role/mandates/scope of work - Varying configs and intent – different systems with different code bases, interfaces...hard to maintain unified policy, controls across disparate software/systems - Siloed monitoring and visibility - Really impossible to get end-to-end/layer-to-layer visibility across users, perf, security etc. When it comes to distributed apps and the need to process distributed data; traditional networking and security tools (and their operations) are unsustainable. The result of all these trends and changing models is that organizations struggle to deliver, scale, and secure their applications, potentially leading to diminished business success and damaged customer relationships. You start to quickly see why delivering and securing extraordinary end-user experiences has become infinitely more complex. Companies are at an inflection point where this is no longer sustainable. This fragmented approach to application security and delivery if fundamentally flawed. And it is all manifested as OPERATIONAL COMPLEXITY caused by: #1 - Inconsistency of technologies across environments is creating unsustainable technical and operational debt Developers must get their apps to market and fast – and they’ve been empowered to acquire and deploy the tools they see fit. However, traditional multi-vendor (5+ products/services) approach to app networking and security for each target deployment location (on-prem, cloud, edge) is unsustainable. (NOTE: These 5+ services do things like physical connectivity, network routing, application load balancing, API gateway, and security at both the network level and application level.) There’s a separate cloud or management solution that each team needs to configure, operate & automate to make the whole delivery chain work. #2 - Manual stitching together is not fast or scalable, and it leaves you vulnerable. DevOps teams are forced to hard code the automation. And without visibility across these environments, when something goes wrong and you find out about it via an angry customer on Twitter, the mean time to resolution can be days or weeks, resulting in lost customers. #3 – The attack surface and the sophistication of attacks has increased. Attacks have evolved in their sophistication, often faster than security teams can keep up. The days of blocking an IP address from an attacker are gone. There’s brute force attacks from multiple sources (classic DDoS) in the cloud and on prem, plus more elaborate attacks targeted at specific system exploits (like feed streaming, or content delivery at the edge). Bad actors have access to millions of usernames and passwords, and they are stealing from you and your customers. #4 - Rich telemetry is trapped in silos, limiting insights into app performance and the end-users digital experience. Left-to-right insights – gleaning telemetry across all the touch points between the application logic through to the end-user’s digital experience say like an Amazon does – is not possible in this current state. Telemetry and data are trapped in silos. Since the systems are disjointed (even when two or more services are coming from the same vendor, for example, VMware), their policy management and visibility systems are all very different and its even harder to do policy and observability across the systems. This is a big and consistent struggle for the teams. The other issue is that given the nature of how these systems are deployed and managed, it leads to operational silos where doing shared services becomes challenges. Each cluster requires may require SecOps teams to provide some shared policy rules, etc. This becomes hard to deliver without more automation, tooling, and processes.
- This combination delivers a new solution for delivering adaptive applications. Helping you… 1.) Reduce Operational Complexity: making it easier to deploy, scale and maintain critical app network components and services 2.) Better End User Performance/Enhanced end user experience 3.) Faster, Improve Time To Value/Service: less effort, less wasted time and resources and more results Detailed outcomes F5 Distributed Cloud can deliver: Consolidated Services – lower TCO and reduced complexity/simplified, consistent operations/mgt with consistent tooling from prem to cloud to edge SaaS Based Operations offering greater agility and scale – lower OPEX, greater scale and reduced time to market/faster Policy and Observability – centralized and unified, capturing network, app and user telemetry across deployments Multi-tenant platform – shared with separation of duties, checks and balances Security – robust multi-layered security services (L3-L7), including access controls across multiple environments
- Multi-Cloud Networking: App-level networking across clouds with common services, integrated security and end-to-end visibility 1)Connecting Workloads – Location-to-Location Universal "build once, deploy globally" network Rapid deployment, easy operation Uniform multi- and hybrid- cloud connectivity Built-in multi-layer security, no integration needed Common configurability and visibility 2) Connecting Workloads – Resource-to-Resource Easily link workloads across and within clouds SaaS based Kubernetes ingress-egress controller Integrated load balancing, API gateway Integrated multi-layer app and API security Common control plane, policies, and observability Application Delivery: Cloud and Edge Automated deployment and cloud-native environment for Kubernetes workloads on the network edge 1) Running Workloads – Moving Resources Closer Run microservice-based apps wherever you want Distributed execution on cloud, DC, or edge Load-balances workload location, not just traffic Secure e2e multi-layer policy and secret sharing Looks like Kubernetes, runs like it's globally local
- Distributed Cloud Console – SaaS based centralized controller that managed the lifecycle service components and provides a common point for all applications and services, including analytics
- Distributed Cloud Mesh – routing and services engine, a data plane which runs anywhere and enables network stitching and other services including comprehensive app security Distributed Cloud Stack – platform service for distributed Kubernetes clusters Delivers: Fill app deliver stack and services End-to-end traceability and observability Full data path programmability Portable between edge, private and public clouds with global service mesh Distributed control plane for vK8s (virtual K8s) Infrastructure as code Secrets management providing security controls for App2App GitOps for fleets between edge, private and public clouds
- F5 Distributed Cloud allows you to manage all of your sites as a “logical cloud” Portable platform that spans multiple sites/clouds Private backbone connects all sites Connecting those sites is done through these nodes (Distributed Cloud Mesh and Distributed Cloud App Stack) Nodes can be virtual machines, live on hardware within customer data centers, sites etc or cloud instances (e.g. EC2) Nodes provide vK8s (virtual K8s), network and security services Services managed through F5 Distributed Cloud’s SaaS base console
- Reduce Operational Complexity & Improve visibility: Simplified network + security vendor stack Multitenancy with self-service improves productivity & collaborations Centralized observability across your entire environment Improve Time to Services Consolidated service with common API and networking + security capabilities Improved developer experience Enhanced End User Experience App workloads offloaded anywhere, closer to the interaction Reduced latency for apps and APIs Avoid unwanted interruptions with built in security and intelligent traffic routing Reduce Operational Complexity: Increase Productivity Gains and Cost Optimization ---- NetOps can speed up migration to infra-as-code (SaaS Based operations) with built-in automation assistance and lifecycle management with end-to-end visibility. Potential OPEX Reductions --- via consolidated, simplified vendor stack (network + security) and secure global connectivity (cut in transit costs/network costs) SaaS-based operation --- with a single pane-of-glass for policy, lifecycle management and end-to-end observability Multi-tenancy and Self-Services --- self-serve with separation of duties allows developers, DevOps, NetOps and SecOps to openly collaborate (e.g. NetOps can deploy VoltMesh in their services VPC and configure networking + security while DevOps configures DNS, load balancing, API gateway on the same deployment with their global, private, and service rich network being avail. within minutes) Simplify Infrastructure and Operations, Lower complexity --- SaaS-managed VoltMesh nodes in your cloud VPC with the option to use our global network helps you deliver a secure multi-cloud network without worrying about complex network ops. Consistent platform with SaaS based operations across heterogeneous infrastructure reduces complexity and cost Seamless Scalability --- globally distributed control plane with resource orchestration across distributed clouds/clusters enables massive scale Faster Deployment & Simplified Ops --- DevOps and developers can significantly simplify deployment operations of one or more Kubernetes/K8s ingress and egress controllers with our SaaS-based lifecycle management and multi-cluster control plane. Simplified Infrastructure Ops --- Deploying directly to Volterra’s global network allows you to focus on your apps, while we manage the K8s control plane, worker nodes, security, DNS and load balancing Improve Time to Service: Significantly faster deployments ---- Accelerate cloud migration or adoption of a new cloud provider using a consolidated service that exposes the same API and networking + security capabilities across any cloud provider. Rapid Service Delivery --- SaaS-based deployments and lifecycles management across clouds/clusters with centralized intent and policy increases agility Improved Developer Experience --- Increase productivity by delivering APIs without VPNs or complex firewall configs. Giving simple and secure access to backend services to accelerate testing, and the ability to expose services for inbound testing Leverage Automation, including native support for developer tools --- support automation needs of app teams, simplify and leverage automation with Volterra public APIs, terraform providers and vestctl including identity and access management and multi-tenancy providing app teams self-service capability. Users can use their existing CI/CD tools like CircleCI, Spinnaker and GitLab. Enhance End User Experience: Dramatically Faster Apps --- Offloading cloud workloads to our global network of edge PoPs and/or remote site or customer edge locations can help you achieve in app latency — resulting in a more powerful user experience Maximum Reliability & Performance --- Your apps can be automatically deployed across our global network, leveraging built-in app security and intelligent traffic routing around failures to be delivered with maximum uptime and resiliency Increased Uptime and Reliability --- Delivering highly available services across clusters or clouds. Use our global network to connect across clusters and expose services to the Internet - with built-in L3-L7 DDoS mitigation, WAF, DNS, and TLS certificate management with end-to-end encryption for compliance. Maximum Security with Zero Trust --- Implement multi-layer security in and across clusters, including ingress + egress, WAF and DDoS mitigation. Automate zero-trust at the API-level with API Discovery and policy-based control. Reduced Risk --- uniform identity, zero trust security and centralized observability with continuous verification removes blind spots and reduces risk
- Customer overview: Industry: B2C – online gambling and poker website Tech sophistication: Private data center and no cloud environments Buyers: Private data center manager; other stakeholders included public cloud manager, DevOps, and CTO Pain points: Hacker attack at private data center Project-at-a-glance: Initial engagement was in response to/in order to address DDoS attack on their private Data center and we helped them develop an immediate DDoS mitigation approach via VoltMesh (infrastructure play) After initial engagement-built trust, expanded how VoltMesh was used: over time replaced private DC, internet service provider, WAF and supported transition to public cloud environment and back-up / duplication of key business functions to reduce risk Primary use case: multi-cloud networking and security Results – Critical outcomes in BOLD: “To provide the best playing experience for our players and the most secure environment we use Volterra's VoltMesh service and global private backbone” --- Head of Operations Increased collaboration across siloed technical functions Ability to scale out / flex capacity to respond to business needs End-to-end security -- Reduced risk across multiple environments Vendor consolidation (replaced 3-5 vendors) Shift from Capex to Opex
- Customer overview: Industry: Information technology and electronics Tech sophistication: Edge, private data center/cloud and AWS public cloud environment Buyers: Cloud engineering team (VP/GM and Director) Pain points: Operational bottlenecks / agility of complex workloads in distributed environment (15K - 54K edge devices); Large engineering team facing challenges with homegrown solution Project-at-a-glance: Primary use case (Modern Apps in Distributed Cloud) focused on application delivery and lifecycle management, and security for a large distributed customer edge environment Initial engagement was set to develop customer edge solution for digital signage and public surveillance; distributed app delivery using VoltMesh and VoltStack Results – Critical outcomes in BOLD: Simplified operations across large distributed edge environment Ability to scale out at the edge based on business needs End-to-end security and visibility (to the edge) Reduced risk across complicated edge environments Vendor consolidation via integrated stack (driving simplified operation and lower TCO) Agility/Decreased time to service