PLNOG 17 - Grzegorz Kornacki - F5 and OpenStack

F5 i OpenStack
PLNOG 2016
Grzegorz Kornacki
Systems Engineer

© F5 Networks, Inc 2
Virtual Edition ChassisAppliance
TMOS
F5 High Performance Application Services Fabric
Helping you meet today's challenges and future proofing for tomorrow’s architectures
iRules
Programmable
iCall iControl

Application Delivery Firewall (ADF) Solution
Bringing deep application fluency and price performance to firewall security
EAL2+
EAL4+ (in process)
Network
Firewall
One Platform
Traffic
Management
Application
Security
DNS
Security
SSLAccess
Control
DDoS
Protection
Web Fraud
Protection
DC FW (in process)
WAF (in process)
DDoS (pending)

Cloud Technology Stack Choices
VMware vRealize Suite
OpenStack
Microsoft Azure Stack
Cisco ACI Nuage VMware NSX Juniper Contrail
Cloud
Stack
SDN
Controllers
OpenStack

• Open source cloud platform based on community-defined standards
• Manages compute, storage, and network resources
• Release names origin and meanings
• Juno, Kilo, Liberty, Mitaka, etc.
• Project code names
• Heat, Neutron, Glance,
Nova, etc.
• Expose standard APIs
for tenants
• Python API and REST methods
What is OpenStack?

• Well-defined tenant
model and service
catalogue
• Programmable,
scalable infrastructure
• Orchestration via Heat
OpenStack Overview
Deployment and Scalability (Heat)
Metering (Ceilometer)
Compute (Nova)
Identity (Keystone)
Images (Glance) Object Store (Swift)
Storage (Cinder)Network (Neutron)
LBaaS VPNaaS FWaaS
DNSDHCPL2/L3
ManagementConsole(Horizon)

9
OpenStack High Availability Guide
Overview of highly-available controllers
© F5 Networks, Inc
http://docs.openstack.org/ha-guide/intro-ha-controller.html

10
OpenStack High Availability Guide
© F5 Networks, Inc
http://docs.openstack.org/ha-guide/intro-ha-arch-pacemaker.html

11
… and the answer is:
© F5 Networks, Inc

13
Referencja
© F5 Networks, Inc

15
• HAProxy is NOT HA, while F5 works as cluster
• High performance
• F5 HW can be used (contains specialized chipsets) for e.g. hardware syn cookie, SSL termination
• Elastic tenants -> F5 devices mappings
• Multiple deployment options:
a) Provider VLANs
b) Tenant VLANs
c) Tenant GRE
d) Tenant VxLAN
Why F5 as LBaaS?
© F5 Networks, Inc

16
Tenants separtion
© F5 Networks, Inc

17
Tennancy mapping
© F5 Networks, Inc

18
F5 High availability
© F5 Networks, Inc

19
F5 LBaaS Plugin & Agen High availability
© F5 Networks, Inc

20
Capacity scale out
© F5 Networks, Inc

21
Capacity scale out
© F5 Networks, Inc
Where F5 cluster’s capacity is defined as:
• throughput - total throughput in bps of the TMOS devices
• inbound_throughput - throughput in bps inbound to TMOS devices
• outbound_throughput - throughput in bps outbound from TMOS devices
• active_connections - number of concurrent active actions on a TMOS device
• tenant_count - number of tenants associated with a TMOS device
• node_count - number of nodes provisioned on a TMOS device
• route_domain_count - number of route domains on a TMOS device
• vlan_count - number of VLANs on a TMOS device
• tunnel_count - number of GRE and VxLAN overlay tunnels on a TMOS
device
• ssltps - the current measured SSL TPS count on a TMOS
device
• clientssl_profile_count - the number of clientside SSL profiles defined

22
Elastic resources management
© F5 Networks, Inc
http://f5-openstack-lbaasv1.readthedocs.io/en/latest/map_multi-controller-agent-redundancy.html
Tenant chooses.

23
Barbican (certificate manager) integration
© F5 Networks, Inc

24
SDN integrated
© F5 Networks, Inc

25
LBaaS with DDoS protection
© F5 Networks, Inc
Internet router
F5 Physical appliance
as LBaaS
LB
VE
VE
VE
VXLAN
Tenant 1
VE
VE
VE
VXLAN
Tenant 2
VE
VE
VE
VXLAN
Tenant 3
LB
LB
HWDDoSprotection
VIP 1
VIP 2
VIP 3

27
Orkiestracja
© F5 Networks, Inc

28
• Declarative text files that
describe a cloud application
• Extendable to non-OpenStack
resources via plugins
• Integration with software tools
(Puppet, Chef, Ansible, Salt)
• ADC hardware, virtual editions
• In the provider space, or as a
dedicated VE in the tenant
Heat Implementation

29
Heat– your orchestration service example
© F5 Networks, Inc
…..
cl1:
type: OS::Nova::Server
properties:
name: { get_param: cl1_name }
image: { get_param: cl1_image }
flavor: { get_param: cl1_flavor }
key_name: { get_resource: mgmt_keypair }
networks:
- port: { get_resource: cl1_mgmt_port }
- port: { get_resource: cl1_subscriber_port }
metadata:
groups: client
user_data_format: RAW
user_data:
get_resource: cloud_config_subscriber

30
Example 1: deploying 3-NIC F5 VE
F5 supported Heat template
© F5 Networks, Inc

Solutions for Every Need
LBaaS
L4-7 Basic Load Balancing
Heat
L4-7 Advanced App Delivery
App Security + Firewall
Traffic Optimisation
HTTP/2 Gateway
LBaaS + Heat
HTTP/2 Gateway

34
• Orchestration and Management
• Heat orchestration with a self-service catalogue
• Heat templates for advanced app/security services
• Provider Tier
• L2-L4 and L4-L7 services
• License manager: Pools of
virtual edition licenses
• Tenant Tier
• App delivery, management,
protection services
Case Study: Large Transportation Customer

35
• Open source
• Documented
• Other F5 open source
projects
• Ansible, Puppet, Chef
• AWS CloudFormation
Templates
• Python
• More
Get it on GitHub

36
• Look for
• 24x7 multi-lingual
technical support
• Deep technical
expertise
• ISO 9001
certification
• Search "GitHub"
on Support site
Enterprise Support for App Delivery in OpenStack
SEATTLE
SPOKANE LOWELL
LONDON
SINGAPORE
TOKYO
BEIJING
SHANGHAI
TEL AVIV
AUCKLAND

37
• Member of OpenStack foundation
• Open source LBaaS plug-in and
Heat templates
• Certification with popular distributions
• GitHub: Plugins, Heat template library,
technical documentation
OpenStack Community Collaboration
StackForge
Certified Drivers

38
OpenStack Ecosystem ‒ Certified Integrations
• Certified version Red Hat OSP v6.0 April
2015
• OSP v7.0 certification completed June 2016
• Certification and Runbook approved by
Mirantis on Jan 1, 2016
• Certified version HPE Helion Enterprise
(HOS v2 / LBaaS v1)
• Certification of HPE Helion Carrier Grade
in process
• Validation completed on April 24, 2016
• Documentation to be posted shortly

40
The right set of hardware/software for your tenancy model
• Deploy in the tenant project or provider space
• Same interface, same functionality
• Continue to utilise your ADC hardware
Full integration with OpenStack enabled by Heat templates
• Prepares stock VE images for OpenStack
• Deploys vADCs onto OpenStack
• Can upgrade and cluster any set of ADC products
Additional networking and security capabilities
• Future Heat templates
• Additional Neutron plugins
• Building a wider ecosystem
Application Delivery Services and OpenStack

41
Spis treści: https://devcentral.f5.com/openstack
LBaaS v1: http://f5-openstack-lbaasv1.readthedocs.io
LBaaS v2: http://f5-openstack-lbaasv2-driver.readthedocs.io
Heat Plugin-y: https://f5-openstack-heat-plugins.readthedocs.io
Heat Templaty: http://f5-openstack-heat.readthedocs.io
OpenStack in a backpack (zrób to sam): Publikacja październik/listopad info
g.kornacki@f5.com
Pozostałe: http://f5-openstack-docs.readthedocs.io
Co dalej?

Driving Toward an Application-Centric World

Innovation and low risk are competing priorities
31% 30%
22%
25% 21%
20%
22%
21%
23%
11%
14%
17%
12% 15% 17%
2013 2014 2015
Lower Risk
Speed Time to Market
Improve Product or Service Quality
Lower Costs
Increase Revenue
Your Priorities: Innovate without Risk
Sample sizes: 2013 had 1,540 respondents, 2014 had 2,041, and 2015 had 1,736
Source: 451 Group Commissioned by Microsoft

67% of Customers Employ a Cloud-First Strategy
Source: F5 The State of App Delivery, 2016
CUSTOMERS
SURVEYED
3,002 81% 66%
43% 34%
PLAN A MIX OF PUBLIC
AND PRIVATE CLOUD
INFRASTRUCTURES
PLAN TO MIGRATE UP
TO HALF THEIR APPS
TO THE CLOUD
IDENTIFIED PUBLIC CLOUD
AS STRATEGICALLY
IMPORTANT
IDENTIFIED PRIVATE CLOUD
AS STRATEGICALLY
IMPORTANT
43%
IDENTIFIED PRIVATE CLOUD
AS STRATEGICALLY
IMPORTANT

What Is a Private Cloud?

Private Cloud Architecture
GUI API DASHBOARD
SERVICE CATALOGUE
AUTOMATION METERING
STORAGE APPLICATIONS APP DELIVERY
SERVERS TEMPLATES
NETWORKS
COMPUTE NETWORKING STORAGE
SHARED INFRASTRUCTURE

Cloud Technology Stack Choices
VMware vRealize Suite
OpenStack
Microsoft Azure Stack
Cisco ACI Nuage VMware NSX Juniper Contrail
Cloud
Stack
SDN
Controllers
OpenStack

• Open source cloud platform based on community-defined standards
• Manages compute, storage, and network resources
• Release names origin and meanings
• Juno, Kilo, Liberty, Mitaka, etc.
• Project code names
• Heat, Neutron, Glance,
Nova, etc.
• Expose standard APIs
for tenants
• Python API and REST methods
What is OpenStack?

• Well-defined tenant
model and service
catalogue
• Programmable,
scalable infrastructure
• Orchestration via Heat
OpenStack Overview
Compute (Nova)
Identity (Keystone)
LBaaS VPNaaS FWaaS
DNSDHCPL2/L3

• Integrates with both
Heat and LBaaS to
deliver services
• Using virtual editions or
high capacity hardware
• Use either or both
LBaaS and Heat
Compute (Nova)
Identity (Keystone)
LBaaS VPNaaS FWaaS
DNSDHCPL2/L3

• LBaaS V1 and V2 available
• Access using CLI, API, or
GUI (Horizon)
• Supports standalone, HA
pairs, and N+1 clustering
• Software virtual editions and
hardware
• Hardware supports VLAN,
VXLAN, and GRE Tunneling
LBaaS Implementation

Multi-Tenant or Dedicated
Multi-tenant ADC platform Dedicated vADCs per tenant

Heat Templates and Application Templates
• Define the ADC
• Or launch a new one
• Call/define a template
• Supply parameters
Simple
• Network Firewall
• SSL Decryption
• Application Firewall
• TCP Optimisation
• Acceleration
• Application Monitoring
• Content Switching
• Load Balancing
Rich
• Defines services
• ADC configuration
• Reusable
• Reentrant
Repeatable

Solutions for Every Need
LBaaS
Heat
HTTP/2 Gateway
LBaaS + Heat
HTTP/2 Gateway

• Their challenge
• Offer a one-stop managed services solution for their large enterprise customers
which includes development, test, deployment, and management of apps
• Current customers are using advanced LB and WAF features
• The solution
• OpenStack private cloud
• Heat templates and multi-tenant ADC hardware, network overlay
Case Study: Managed Service Provider

• Orchestration and Management
• Heat orchestration with self-service catalogue
• Heat templates for advanced app/security services
• Provider Tier
• Multi-tenant hardware
• L4-L7 services
• Tenant Tier
• Deliver application services
Case Study: Managed Service Provider
Multi-tenant services

The right set of hardware/software for your tenancy model
• Deploy in the tenant project or provider space
• Same interface, same functionality
• Continue to utilise your ADC hardware
Full integration with OpenStack enabled by Heat templates
• Prepares stock VE images for OpenStack
• Deploys vADCs onto OpenStack
• Can upgrade and cluster any set of ADC products
Additional networking and security capabilities
• Future Heat templates
• Additional Neutron plugins
• Building a wider ecosystem
Application Delivery Services and OpenStack

F5 Offers Comprehensive DDoS Protection
Scanner Anonymous
Proxies
Anonymous
Requests
Botnet Attackers
Threat Intelligence Feed
Cloud Network Application
Legitimate
Users
DDoS
Attackers
Cloud
Scrubbing
Service
Volumetric attacks and
floods, operations
center experts, L3-7
known signature attacks
ISPa/b
Multiple ISP
strategy
Network attacks:
ICMP flood,
UDP flood,
SYN flood
DNS attacks:
DNS amplification,
query flood,
dictionary attack,
DNS poisoning
IPS
Network
and DNS
Application
HTTP attacks:
Slowloris,
slow POST,
recursive POST/GET
Next-Generation
Firewall Corporate Users
SSL attacks:
SSL renegotiation,
SSL flood
Financial
Services
E-Commerce
Subscriber
Strategic Point of Control

Application attacksNetwork attacks Session attacks
Slowloris, Slow Post,
HashDos, GET Floods
SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods,
Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
BIG-IP ASM
Positive and negative policy
reinforcement, iRules, full
proxy for HTTP, server
performance anomaly
detection
DNS UDP Floods, DNS Query Floods,
DNS NXDOMAIN Floods, SSL Floods,
SSL Renegotiation
BIG-IP LTM and GTM
High-scale performance, DNS Express,
SSL termination, iRules, SSL
renegotiation validation
BIG-IP AFM
SynCheck, default-deny posture, high-capacity connection table, full-
proxy traffic visibility, rate-limiting, strict TCP forwarding.
Packet Velocity Accelerator (PVA) is a purpose-built, customized
hardware solution that increases scale by an order of magnitude above
software-only solutions.
F5MitigationTechnologies
Application (7)Presentation (6)Session (5)Transport (4)Network (3)Data Link (2)Physical (1)
Increasing difficulty of attack detection
• Protect against DDoS
at all layers – 38 vectors
covered
• Withstand the
largest attacks
• Gain visibility and
detection of SSL
encrypted attacks
F5mitigationtechnologies
OSI stackOSI stack
DDoS detection and mitigation
Protect against DDoS at all
layers
Withstand the largest attacksGain visibility and detection of
SSL encrypted attacks

PLNOG 17 - Grzegorz Kornacki - F5 and OpenStack

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to PLNOG 17 - Grzegorz Kornacki - F5 and OpenStack

Similar to PLNOG 17 - Grzegorz Kornacki - F5 and OpenStack (20)

Recently uploaded

Recently uploaded (20)

PLNOG 17 - Grzegorz Kornacki - F5 and OpenStack

Editor's Notes