F5 & NGINX Application Services platform
VINCENT LAVERGNE – VP SOLUTION ENGINEERS, EMEA
MILES MARTIN – NGINX TECHNICAL DIRECTOR, EMEA
| ©2019 F52 | ©2019 F52
F5 was born out of the belief that a company’s applications define a company’s value.
Early 2000’s: Hardware load-balancers
[Diagram: a load balancer on purpose-built hardware, between Code and Customer]
2005 to mid 2010’s: Hardware ADCs
[Diagram: DNS, App Security, DDoS and Load balancer on purpose-built hardware, between Code and Customer]
As stewards of the world’s most mission-critical applications...
Mid 2010’s: Services decoupled from the underlying infrastructure
[Diagram: DNS, App Security, DDoS and Load balancer between Code and Customer, running on purpose-built hardware, public cloud and virtual machines]
Mid 2010’s: Central Management introduced to reduce operational overhead
[Diagram: CENTRAL MANAGEMENT (BIG-IQ) over Security Services, DNS, App Security, DDoS and Load balancer between Code and Customer, running on purpose-built hardware, public cloud and virtual machines]
…we’re behind the scenes—and we like it there.
Apps are changing the way we live and work
Digital Transformation: The 4th Industrial revolution is now!
69% of the companies responded they have initiated their Digital transformation
https://www.f5.com/state-of-application-services-report/interactive-report-2019
Number of Apps in the World (millions): 260 in 2017, 1694 in 2022. Source: IDC, F5
Optimize resources and processes
Innovate faster
Earn market share
Our mission at F5 is Application Centric
Digital Transformation – Influence on Applications
Q. How is digital transformation influencing your application decisions? Select all that apply
• 62% Implementing Automation & Orchestration
• 52% Changing where apps are deployed
• 48% Changing Development Process
• 42% Exploring new application architectures
(*) State of Application Services – 2019 report (F5 Networks)
App Services – Shifting control
[Diagram: TRADITIONAL APP SERVICES DEPLOYMENT versus CLOUD-NATIVE APP SERVICES DEPLOYMENT. Roles shown in both: Cloud Architect, DevOps, AppDev, NetOps, SecOps. Activities shown: "Consume & monitor app services" and "Consult, validate & review app services"]
Digital Transformation made simpler & safer with F5
RETAIN, REHOST, REPLATFORM, REFACTOR, MODERN APP
• Licensing models
• Application services
• Eco-Systems
• Migration
• Deployment & consumption models
Application services that go from code to customer
THE F5 SOLUTION
• LOCAL LOAD BALANCING
• GLOBAL LOAD BALANCING
• FIREWALL
• API MANAGEMENT
• API GATEWAY
• WEB APP FIREWALL
• DDOS + BOT PROTECTION
• ACCESS MANAGEMENT
• CREDENTIAL ENCRYPTION
• APPLICATION PERFORMANCE MANAGEMENT
• WEB/APP SERVER
• SSL DECRYPTION and ORCHESTRATION
Now: Integrating NGINX and F5 Cloud Services
[Diagram: application data path between Code and Customer: API gateway, CDN, Ingress controller, App / Web server, Load balancer, DNS, App security, DDoS. PLATFORM CONTROL PLANES: NGINX Controller, BIG-IQ, Ecosystems. Platforms: BIG-IP, NGINX. Infrastructure: Containers, Purpose-built hardware, Public cloud, Virtual machines, Software as a Service, Commodity hardware]
HELPING OUR CUSTOMERS SHINE
MAKING THE APPLICATION ECONOMY THRIVE
We’re obsessed with APPLICATIONS FROM CODE TO CUSTOMER
Our journey together is gathering momentum
Customer challenges
• 87% of customers are adopting multi-cloud
• 100% of customers lack visibility
• 86% of all cyber-threats target applications and app identities*
• 85% of new app workload instances are container-based
INFRASTRUCTURE LOCK-IN: Limits ability to move apps to new environments
COMPLEX COMPLIANCE & POLICY REQUIREMENTS: Reduces speed to market and impacts customer experience
TOOL SPRAWL: Increases operational complexity and cost
Customers have several services along the application data path
[Diagram: data path between Code and Customer: Load balancer, DNS, API gateway, App security, DDoS, CDN, Ingress controller, App / web server]
With each service provided by different vendors
[Diagram: data path between Code and Customer: Load balancer, DNS, API gateway, App security, DDoS, CDN, Ingress controller, App / Web server]
And a different set of vendors for each application architecture
[Diagram: the same data path (Load balancer, DNS, API gateway, App security, DDoS, CDN, Ingress controller, App / Web server) repeated for Monolithic, 3-tier and Microservice architectures]
Creating operational silos, complexity & cost
[Diagram: the same data path (Load balancer, DNS, API gateway, App security, DDoS, CDN, Ingress controller, App / Web server) repeated for Monolithic, 3-tier and Microservice architectures]
Limited orchestration across the data path
[Diagram: data path between Code and Customer: Load balancer, DNS, API gateway, App security, DDoS, CDN, Ingress controller, App / Web server, each with its own Management and Automation]
Teams: App Developers, App Architects, DevOps, Cloud Architects, NetOps, SecOps, IT Leadership, Support, Customer Experience
Leaving customers to stitch everything together
[Diagram: data path between Code and Customer: Load balancer, DNS, API gateway, App security, DDoS, CDN, Ingress controller, App / Web server, each with its own Management and Automation]
Teams: App Developers, App Architects, DevOps, Cloud Architects, NetOps, SecOps, IT Leadership, Support, Customer Experience
And unable to easily pinpoint issues
[Diagram: data path between Code and Customer: Load balancer, DNS, API gateway, App security, DDoS, CDN, Ingress controller, App / Web server. Latency labels along the path read "+? ms", with one reading "+500 ms"]
Now: Integrating NGINX and F5 Cloud Services
[Diagram: application data path between Code and Customer: API gateway, CDN, Ingress controller, App / Web server, Load balancer, DNS, App security, DDoS. PLATFORM CONTROL PLANES: NGINX Controller, BIG-IQ, Ecosystems. Platforms: BIG-IP, NGINX. Infrastructure: Containers, Purpose-built hardware, Public cloud, Virtual machines, Software as a Service, Commodity hardware]
Now: Enabling ecosystems
[Diagram: ECOSYSTEM INTEGRATIONS. Application data path between Code and Customer: API gateway, CDN, Ingress controller, App / Web server, Load balancer, DNS, App security, DDoS. PLATFORM CONTROL PLANES: NGINX Controller, BIG-IQ, Ecosystems. Platforms: BIG-IP, NGINX. Infrastructure: Containers, Purpose-built hardware, Public cloud, Virtual machines, Software as a Service, Commodity hardware]
Next: Unifying our platforms
[Diagram: VISIBILITY, INSIGHTS & ORCHESTRATION: BIG-IQ, Third-party ecosystems, Project Overwatch, Intelligent Threat Services, Future Services. Application data path between Code and Customer: API gateway, CDN, Ingress controller, App / Web server, Load balancer, DNS, App security, DDoS. PLATFORM CONTROL PLANES: BIG-IP, NGINX, FUTURE. Infrastructure: Containers, Purpose-built hardware, Public cloud, Virtual machines, Software as a Service, Commodity hardware]
Future: Expand services, deliver insights via telemetry and analytics
[Diagram: VISIBILITY, INSIGHTS & ORCHESTRATION fed by TELEMETRY. Services: Device fingerprint, User identity & behavior, Future services. Application data path between Code and Customer: API gateway, CDN, Ingress controller, App / Web server, Load balancer, DNS, App security, DDoS, Future Service. PLATFORM CONTROL PLANES: BIG-IP, NGINX, FUTURE. ANY INFRASTRUCTURE: Containers, Purpose-built hardware, Public cloud, Virtual machines, Software as a Service, Commodity hardware. ANY DEVICE: Mobile, POS, Laptop, IoT]
Fast, Durable, Consistent, Cost Effective
Dynamic Application Gateway
01 NGINX Plus
High Performance Webserver and Reverse Proxy
Web Server
Flawless Application Delivery for the Modern Web
• Load Balancer
• Content Cache
• Web Server
• Monitoring & Management
• Security Controls
NGINX Plus – cloud agnostic and truly portable
Bare metal Multi-cloud Containers
Linux/BSD CPUs
NGINX Plus – Too many use-cases to list!
What Is NGINX Plus?
Dynamic Application Gateway
• Load balancer/Reverse Proxy
• Content cache
• Web server
• Security control
• OIDC Gateway
• API Gateway
• Static/Dynamic modules
• Monitoring
• High availability (HA)
• Kubernetes Ingress Controller (KIC)
• Programmability (JavaScript)
• Streaming Media
• WAF (L7 firewall)
Dynamic Modules
Dynamically plug in additional features
• Single sign-on: Okta, IDF Connect, Ping Identity
• Device detection: WURFL, DeviceAtlas, 51Degrees
• Security: Stealth, Wallarm, NGINX WAF
• Scripting: NGINX JavaScript module, Lua
• GeoIP: Locate users by IP address (requires MaxMind GeoIP db)
• Dynamic modules repository
NGINX PLUS roadmap history
NGINX Plus enjoys a long history of roadmap enhancements.
The original NGINX Plus evolved from NGINX open source six years ago.
Only select enterprise-grade features are limited to PLUS. All other features are available in open source.
This situation continues today and going forward…
NGINX's philosophy of contributing to broader solutions across multiple use cases is shared by F5, and is a key enabler of the better-together philosophy.
NGINX Plus R16
Dynamic Application Gateway, unifying:
• Load Balancer
• API Gateway
• Microservices networking
• And more!
Key R16 features:
• Clustered KeyVal store
• Clustered rate limits
• Expiry of KeyVal entries
• Random w/2 choices load balancing
• Proxy Protocol v2
• OpenID opaque token
• SSL pre-read
• And more!
Released: 5 September 2018
NGINX Plus R17
Dynamic Application Gateway, unifying:
• Load Balancer
• API Gateway
• Microservices networking
• And more!
Key R17 features:
• TLS 1.3
• Two stage rate limiting
• Ed25519 and Ed448 for JWT
• JWK fetch from IdP
• TCP keepalives to upstreams
• SNI support for zonesync
• NJS updates
Released: 11 December 2018
NGINX Plus R18
Dynamic Application Gateway, unifying:
• Load Balancer
• API Gateway
• Microservices networking
• And more!
Key R18 features:
• Dynamic certificate loading
• OIDC enhancements
• Port ranges for virtual servers
• KV definition in .conf
• Active healthcheck improvements
• NJS, Brotli updates
• HELM charts for KIC
Released: 9 April 2019
NGINX Plus R19
Dynamic Application Gateway, unifying:
• Load Balancer
• API Gateway
• Microservices networking
• And more!
Key R19 features:
• Location based metrics
• Resolver metrics
• Dry run mode for rate limiting
• KV enhancements
• Dynamic bandwidth control
Available Now!
Released: 13 August 2019
What is the difference between NGINX open source and NGINX PLUS?
There are a few main differences:
Feature | NGINX | NGINX PLUS
Enterprise Support | Community only | Yes
Enterprise feature-set | Not available | Yes (next slides…)
Modules available | Community only unsupported modules | Fully supported and available from private Repo, including modsecurity WAF.
Unique value of NGINX Plus (1)
NGINX Plus, in addition to class-leading full commercial support, has a number of value-added features over and above the open-source version.
These unlock multiple points of additional value when deploying NGINX Plus as the core ‘engine’ within an enterprise-grade deployment.
• Session Persistence – Returns the client to the same cache server pathway each time to optimize stateful implementations
• API – Use the NGINX Plus single-endpoint REST API to update upstream configurations and key-value stores on the fly, with zero downtime.
• Dashboard – The NGINX Plus web-UI Dashboard contains over 90 metrics including health-status and upstream availability. The ability to manage upstreams, including maintenance tasks such as ‘drain’ for planned downtime, is provided.
• Active Health-Checks – Out-of-band application health checks (also known as synthetic transactions) and a slow-start feature to gracefully add new and recovered servers into the load-balanced group
• Cache Purge API – This feature gives the ability to make the origin servers ‘cache aware’, and dynamically purge stale content from the downstream caching pools.
Unique value of NGINX Plus (2)
• Service Discovery – Enables dynamic updating of upstream server pool resources via DNS SRV records, to support fully elastic pools of upstream resources. This is of particular value in auto-scaled microservice deployments.
• Operational Support Systems (OSS) – Built-in integration with AppDynamics, Datadog, Dynatrace plug-ins
• JWT authentication/OpenID Connect SSO – JSON Web Token security implementation to reduce backend load/complexity
• NGINX Web Application Firewall – Layer 7 firewall to protect against attacks and leakage
• Active-active, active-passive HA with config sync, state sharing – Deploy NGINX as a web-facing frontend
• Key-value store – Cluster-wide dynamic persistent storage
• VOD contents – Dynamic segmentation for adaptive bitrate VOD content: HLS (Apple)
• MP4 smart bandwidth limitation – A dual rate mechanism to allow an initial unrestricted bitrate implementing fast-start, followed by a subsequent limited bitrate to prevent excessive read-ahead.
How much does NGINX PLUS cost? It’s actually very simple.
Enterprise license and support –
• 5k USD per annum for a single ‘running instance’. A running instance is a single Linux process running NGINX PLUS.
• 10k USD per annum for a ‘container license’. A container license covers as many NGINX PLUS containers as required running within a single container daemon, such as a Docker Node, or a Kubernetes master/worker node.
• In addition, Application, Business Unit, and Enterprise licenses are also offered when justified by volume.
Web Application Firewall (WAF) –
• 2k USD per annum for each single NGINX PLUS ‘running instance’
02 Kubernetes Ingress Controller
Kubernetes Ingress Controller
Dynamic Application Gateway
There are three projects currently live!
Kubernetes-ingress (@Kubernetes.io)
• Kubernetes community driven.
Github.com/nginxinc/Kubernetes-ingress
• Developed by NGINX Inc.
• Runs with:
− NGINX OSS
− NGINX PLUS
Kubernetes Ingress Controller
Expose the capabilities of NGINX to k8s
• Deployment or DaemonSet
• Consumes native k8s ingress objects
• Support for HTTP(S), TCP, UDP offload
• TLS termination, host-based and path-based routing
• Custom templates
• ConfigMaps
• Annotations and custom annotations
• Mergeable Ingress
• VirtualServer, VirtualServerRoute CRD – aggressive CRD roadmap
• Prometheus exporter
• Dashboard
Mergeable Ingresses
Master Minion
CRDs
03 NGINX Controller
Why NGINX Controller?
• Strategic Command: Prevent outages by gaining deep visibility and following best practice performance and security recommendations
• Agility: Enable developers to deploy new features and applications faster
• Simplified Management: Effortlessly deploy, validate and troubleshoot multiple NGINX Plus instances across a multi-cloud environment
What is NGINX Controller?
Centralized monitoring and management
• Alerting
• API management
• Configuration analysis
• Customizable dashboards
• Load balancer management
• Monitoring
Configuration Analysis
Use the built-in configuration analyzer to get
• Enhanced performance and security based on learnings from thousands of customers
• Better SLAs by following built-in best practices.
• Preemptive and actionable recommendations for:
  • Configuration
  • Security
  • SSL status
Customizable Dashboards
All the metrics you want to see in one place
• An overview dashboard that aggregates metrics across load balancers
• An Application Health Score that measures successful requests and timely responses
• Customizable dashboards to monitor metrics specific to your environment
Monitoring
Get insights into application performance:
• Graphs of key metrics such as requests per second, active connections, bandwidth usage
• Alert on more than 100 metrics such as CPU usage, 400/500 errors, and health check failures based on pre-defined thresholds
• Easy integration with any monitoring tool of your choice using REST API
Load Balancer Management
Navigate a simple and intuitive wizard-like user interface
• Guided workflow for NGINX Plus load balancer configuration
• Push-button deployments
• Traffic routing to upstream servers
• SSL key and certificate management
• Policy-driven, create environments for production, staging, or specific lines of business
API Management
Lightweight solution for managing APIs
• API is a first-class citizen
• Define per-API policies such as rate limiting
• Direct APIs to appropriate upstream server
• Policy-driven, create different environments for Production, Staging, etc.
Controller v2.9
Simplified Enterprise Management at Scale, for:
• Load Balancing
• API Management
Key features:
• Analytics module
• Simple API definition
• Apply policies, publish
• Authentication
• Rate limits
• Reusable TLS policies
• Global DNS resolver
04 NGINX Unit
What is NGINX Unit?
• A polyglot application server:
  • Go
  • Ruby
  • PHP
  • Python
  • Java
  • .NET Core (roadmap)
• Integrated reverse proxy (roadmap)
• Enables service-mesh functionality, without actually needing a service mesh!
• 100 percent API driven
• Built from the ground up to support automation-led deployment
• Free to use
Why NGINX Unit?
• Dynamic by design: Unit was created to adapt in real time to the demands of microservices applications
• Reduce complexity: No need to tangle with multiple application servers and the headaches that come with them
• Deploy with confidence: Unit is developed by the team behind NGINX, the most reliable and trusted name in application delivery
Multi-language Support
Run all of your applications together
• Full support for Go, Node.js, Perl, PHP, Python, and Ruby
• Run multiple applications written in different languages on the same server
• Use multiple language versions simultaneously on the same server (PHP 5/7, Python 2.7/3)
Coming soon: Full Java Support
Programmable
Adapt in real time to microservice needs
• REST API-driven configuration
• JSON configuration language
• Graceful application and configuration updates eliminate service disruptions
• Seamless zero-downtime deployment changes
JSON-based, API-driven config automation (1)
JSON-based, API-driven config automation (2)
Unit 1.12
Multilingual Dynamic Application Server
• Lightweight
• Portable
• High-performance
• Built-in networking
• And Secure
Key 1.12 features:
• PHP 7.4 support
• Go, Perl, PHP, Python, Ruby, Node.js, Java
• Dynamic TLS support
• Serve static files
• Linux namespaces for isolation
• WebSockets server for Java servlet and Node.js
Available Now!
Released: 3 Oct 2019
Service Mesh? Reducing complexity
A service mesh is built upon a number of existing layers of complexity (see next slide).
Istio is the ubiquitous and most well-known player in this space. It stacks on top of Kubernetes as a control-plane and data-plane mixer function with the ability to insert a mesh framework automatically.
It solves a number of problems including N/S and E/W security, traceability, observability and ingress.
However, this stack is complex and carries significant overhead…
This overhead has a cost, regardless of the choice of hosting.
A comparison between a traditional service-mesh enabled microservice stack and an NGINX Unit enabled stack.
Typical microservice stack (bottom to top):
• Hardware (Blade/Rackmount C.O.T.S compute)
• Virtualization (eg. VMWare)
• Operating System (eg. Linux Ubuntu)
• Containerization Daemon (eg. Docker)
• Container Orchestration (eg. Kubernetes)
• Service Mesh + ControlPlane (eg. ISTIO)
• BUSINESS APPs (Multiple Containers)
NGINX Unit application stack (bottom to top):
• Hardware (Blade/Rackmount C.O.T.S compute)
• Operating System (eg. Linux Ubuntu)
• NGINX UNIT
• BUSINESS APPs (polyglot portfolio)
05 Questions?
d.luke@f5.com
Thank You
THE END
Learn more at nginx.com
The Impact of Microservices on API Management
London, 21-Nov-2019
Dan Henley
Sr. Director, WW Field Enablement – NGINX BU
AUTHENTICATION
REQUEST ROUTING
TRAFFIC CONTROL
Gateway vs Management
API Management
• Policy management
• Analytics & monitoring
• Developer documentation
API Gateway
• Request routing
• Authentication
• Rate limiting
• Exception handling
Application Delivery Controller
“When I started NGINX, I focused on a very specific problem – how to handle more customers per a single server.”
- Igor Sysoev, NGINX creator and founder
#1 “Most websites use NGINX”
Source: W3Techs Web server ranking, 07-May-2019
The busiest sites choose NGINX
• 50% of the Top 1M
• 61% of the Top 100K
• 67% of the Top 10K
Source: Netcraft April 2019 Web Server Survey
83% of all hits are classified as API traffic (JSON/XML). Source: Akamai State of the Internet Feb-2019
40% of NGINX deployments are as an API gateway. Source: NGINX User survey 2017, 2018
Microservices is not a journey! 🤗
Today’s App Infrastructure Is Complex
Fast, Durable, Consistent, Cost Effective
• E/W Solutions
• Web App Firewall
• N/S Solutions
• Rich App Svcs
• Local LB
• Global LB
• DNS Delivery
• SSL Offload
• Advanced WAF
• Access Mgmt.
• L4 Firewall
• SSL Orchestrate
• Anti-DDoS
• Bot Detection
• CGNAT
85% Organizations using microservices
60% Organizations using monoliths
Source: NGINX user survey 2019
Microservices challenges
• API management gets distributed
• Infrastructure gets distributed
• Governance gets distributed
API management gets distributed
[Diagram: API Management in front of a single Monolith API, versus API Management in front of five Microservices]
Infrastructure gets distributed
• DevOps has a lot to answer for!
• Everybody wants to own everything
• Teams with their own API gateways, looking after their own microservices
• Requires architectural alignment
Controller architecture
[Diagram: Controller components: UI, Core, API, DB, Receiver. API Gateway components: API, Agent, NGINX Plus api; nginx.conf] 😵
API Management Gets Distributed
[Diagram: NGINX Controller exchanging Policy and Metrics with several gateways, each fronting a Monolith API or a group of Microservices]
Microservices challenges
• API management gets distributed
• Infrastructure gets distributed
• Governance gets distributed
43% cite “security governance” as the #1 feature of an API Management solution
Source: IDC API Management Survey 2019
NGINX Multi-Cloud ADC, Microservices and Service Mesh
NGINX is near-ubiquitous in the Cloud
• 58% Webservers on AWS (SumoLogic Report: State of Modern Applications in the Cloud)
• 65% Webservers on DigitalOcean (DigitalOcean report: DigitalOcean Currents)
• 60% Containers containing NGINX (Sysdig report: Container Usage Report)
9 in 10 Enterprises are pursuing (or planning) a Multi-Cloud Infrastructure
Buyer: Drive to Public Cloud and Multi-Cloud
• “We’ve got a company mandate to move more of our existing apps to the public cloud.”
• “I want to build net new apps in public cloud, but I need to maintain my existing ones on-premises.”
• “I need a cost-effective way to scale capacity for new projects.”
The shadow influencers for technology selection
UNDERSTAND THEIR RESPONSIBILITIES AND CHALLENGES
[Table: columns by Team/role: Site Reliability Eng. (cloud native), App Developer w/ DevOps focus, Cloud architect, DevOps engineer. Rows: Cares about, Focus, Challenges/pain. Cell entries:]
• Constraints of existing investments; Simplify infrastructure, Automate reliably; Develop and install DevOps solutions
• Barriers created by security teams; Collab with Teams, Code to Platform; Configure, integrate, and test requirements
• Vendor lock-in, cost overruns; Automation, Efficiency, ROI; Manage delivery automation
• Extended dev cycles and bottlenecks; Solve problems at scale; Triage and respond to prod issues
Cost and scalability are not the only reasons for Cloud Migration
The shadow agenda
Speeding up this cycle makes you more competitive
BUILD TEST DEPLOY
Deploying apps across Multiple Clouds
CONTENDING WITH A LACK OF APP SERVICES CONSISTENCY AND RELIABILITY ACROSS CLOUDS
CHALLENGES (Hybrid Cloud):
• Inconsistent Infrastructure
• Inconsistent Cloud-provided Services
• Needs New Application Architectures
Inconsistent Infrastructure
INCONSISTENT AND UNMANAGED INFRASTRUCTURE
Despite the benefits of elasticity, scale and cost…
• Performance inconsistency
• Persistence and Availability
• Inconsistent monitoring
• Lack of strict security compliance
CHALLENGES
Inconsistent Infrastructure
PERSISTENCE AND AVAILABILITY
From: Amazon Web Services, Inc. <no-reply-aws@amazon.com>
Subject: Amazon EC2 Instance Retirement [AWS Account ID: 418743776164]
Hello,
EC2 has detected degradation of the underlying hardware hosting your Amazon EC2 instance (instance-ID: i-04ea4ff028d3a09) associated with your AWS account (AWS Account ID: 418743776164) in the us-west-2 region. Due to this degradation your instance could already be unreachable. We will stop your instance after 2019-11-11 17:00 UTC.
* What will happen to my instance?
Your instance will be stopped after the specified retirement date. You can start it again at any time after it’s stopped. Any data on local instance-store volumes will be lost when the instance is stopped or terminated.
CHALLENGES
Inconsistent Cloud-provided Services
INCONSISTENT, ONE-SIZE-FITS-ALL BUNDLED SERVICES
[Diagram: data path between Code and Customer: Load balancer, DNS, API gateway, App Security, DDoS, CDN, Ingress Controller, App / web server]
Despite a rich set of cloud-provided services…
• Lack of consistency across clouds
• Limited ‘you-get-what-you’re-given’ feature set
• Lock-in; you can’t passively consume, you actively integrate
CHALLENGES
AWS Reference Architecture: WordPress
CHALLENGES
Needs New Application Architectures
LIMITATIONS AND CAPABILITIES OF CLOUDS DRIVES NEW APPLICATION ARCHITECTURES
Traditional Application Architectures are a poor fit for the cloud
• Heavyweight artifacts (inefficient use of resources)
• Stateful components (difficult to scale)
• Single points of failure (high availability)
• Pets, not cattle (not amenable to CI/CD)
CHALLENGES
Needs New Application Architectures
CLOUD NATIVE DESIGN PRINCIPLES
Cloud Native Applications are:
• Designed As Loosely Coupled Microservices
• Developed With Best-of-breed Languages And Frameworks
• Centred Around APIs For Interaction And Collaboration
• Stateless And Massively Scalable
• Resiliency At The Core Of the Architecture
• Packaged As Lightweight Containers And Orchestrated
• Agile DevOps & Automation Using CI/CD
• Elastic: Dynamic scale-up/down
CHALLENGES
Deploying apps across Multiple Clouds
CONTENDING WITH A LACK OF APP SERVICES CONSISTENCY AND RELIABILITY ACROSS CLOUDS
CHALLENGES (Hybrid Cloud):
• Inconsistent Infrastructure
• Inconsistent Cloud-provided Services
• New Application Architectures
Resulting in:
• Complex integration
• Platform lock-in
• High-cost of HA/perf
• Duplication of testing
• Application refactoring
NGINX Roadmap for Cloud
Roadmap for Cloud Migration
[Diagram: ROADMAP for apps, with stages labelled Monitoring, API Management, DevOps Automation, ADC, Dynamic Scaling, Advanced Routing]
Your dataplane toolbox
Augment Cloud LB with NGINX Plus ADC
CLOUD LOAD BALANCERS PROVIDE LIMITED ENTERPRISE FUNCTIONALITY
[Diagram: Service A, Service B, Service C]
SOLUTIONS
Augment Cloud LB with NGINX Plus ADC
CLOUD LOAD BALANCERS PROVIDE LIMITED ENTERPRISE FUNCTIONALITY
Use Amazon Classic or Network Load Balancer for:
• Basic TCP or HTTP load balancing to multiple NGINX Plus instances or target application.
• High-availability load balancing across multiple availability zones
• Auto scaling NGINX Plus instances and backend servers
Use Amazon Application Load Balancer for:
• Simple Layer 7 routing (path and host)
• Integration with other AWS Services such as ECS
Use NGINX Plus for:
• Specific SSL/TLS/retry/error/timeout configuration
• Advanced Layer 7 routing (e.g. conditional and path-based routing)
• Improving performance with content caching
• WebSocket, HTTP/2 support
• Full gRPC load balancing support
• Advanced HTTP health checks
• SSO and API authentication with JWT
SOLUTIONS
NGINX and Auto Scaling Groups (AWS/Azure)
NGINX OPEN SOURCE WORKS WITH CLOUD LOAD BALANCER
Standard architecture when using NGINX OSS
Amazon Classic or Network Load Balancer sits in front of auto scaling group
[Diagram: Service A, Service B, Service C]
SOLUTIONS
NGINX and Auto Scaling Groups (AWS/Azure)
NGINX PLUS PROVIDES MULTIPLE OPTIONS
NGINX Plus can perform dynamic pool configuration
If DNS is not available, use NGINX asg-sync tooling for AWS or Azure
[Diagram: Service A, Service B, Service C, with asg-sync]
SOLUTIONS
AWS and Azure Private Link solutions
Private Link (AWS and Azure) exposes services in consumer VPCs.
Applications have no direct visibility of traffic sources.
NGINX Plus can extract source data and pass to the application.
[Diagram: Consumer VPCs and Provider VPC]
SOLUTIONS
Multi-Cloud Rate Limiting
WIDE AREA TRAFFIC RATE SYNCHRONIZATION
[Diagram: client 41.6.33.9 marked 🚫; the entry {"41.6.33.9":"145rps"} is shown at three locations]
SOLUTIONS
Multi-Cloud SSO
WIDE AREA OPENID CONNECT
[Diagram: Recruiting app instances in us-west and us-east. Labels: Identity Provider, JWT, OTP, KV, keyval sync]
SOLUTIONS
Deploying apps across Multiple Clouds
CONTENDING WITH A LACK OF APP SERVICES CONSISTENCY AND RELIABILITY ACROSS CLOUDS
CHALLENGES (Hybrid Cloud):
• Inconsistent Infrastructure
• Inconsistent Cloud-provided Services
• New Application Architectures
Resulting in:
• Complex integration
• Platform lock-in
• High-cost of HA/perf
• Duplication of testing
• Application refactoring
Deploying apps across Multiple Clouds
NGINX PROVIDES CONSISTENCY AND RELIABILITY ACROSS CLOUDS
SOLUTIONS (Hybrid Cloud):
• Consistent Infrastructure
• Consistent Services
• Enable New Architectures
Resulting in:
• Rapid Integration
• Platform Portability
• Automatic HA/perf
• Efficient testing
• Application re-platform
Your universal Management Plane
Controller for Multi-Cloud App Delivery
WHY IS NGINX CONTROLLER THE PERFECT FIT FOR MULTI-CLOUD USE CASES?
• App-Centric: Configuration and visibility aligned to how teams develop applications
• Automation Driven API: Automates services deployment across pipelines, reducing overhead & complexity
• Fast, Deployable Anywhere: Fastest, most lightweight and deployable across more platforms than anyone
• Self-Service: Deliver self service to line of business w/o compromising Enterprise-wide compliance
• Workflow Across Teams: Consolidates team workflows and use cases across ADC and API Management
MANAGE and CONTROL
Controller for Multi-Cloud App Delivery
CONSISTENCY: FEATURES CONTROLLER BRINGS ACROSS MULTI-CLOUD
API Management
• Amazon API Gateway
• Azure API Management
• Google Cloud Endpoints
Infrastructure Monitoring
• Amazon CloudWatch
• Azure Monitor
• Google Stackdriver
DevOps APIs
• Amazon EC2 API
• Azure REST APIs
• Google Cloud APIs
NGINX CONTROLLER
CONFIGURE
MONITOR
TUNE
MANAGE and
CONTROL
| ©2019 F5141
Application Delivery for Multi-Cloud
BENEFITS:
• Enable the successful migration to Multi-Cloud
• Accelerate app services deployments
• Ensure reliability and consistency of app policies
• Meet demands by flexibly scaling apps and services
• Deploy and manage NGINX Plus in any cloud or container environment
MANAGE APP SERVICES IN MULTI-CLOUD
NGINX Controller: Manages NGINX Plus instances in any public or private cloud
NGINX Plus: Deploys in any public or private cloud
SUMMARY
| ©2019 F5142
Let’s go Cloud Native!
| ©2019 F5143
Cloud-Native Apps Require a Modern Architecture
From Monolithic ...
• Three-tier, J2EE-style architectures
• Complex protocols (HTML, SOAP)
• Persistent deployments
• Fixed, static Infrastructure
• Big-bang releases
• Silo’ed teams (Dev, Test, Ops)
... to Dynamic
• Microservices
• Lightweight (REST, JSON)
• Containers, VMs, Functions
• Infrastructure as Code
• Continuous delivery
• DevOps Culture
| ©2019 F5144
| ©2019 F5145
What is Kubernetes?
| ©2019 F5146
What does this mean in practice?
APPLICATION TECHNOLOGY
| ©2019 F5147
49%
36%
Who uses Kubernetes in
Production?
2018 2019
27%
35%
NGINX User Survey 2018, 2019
What do they run in their containers?
NGINX 60%
redis 21%
elastic 14%
node.js 14%
PostgreSQL 14%
go 14%
Apache 12%
Java 12%
RabbitMQ 11%
mongoDB 11%
Sysdig 2019 Container Usage Report
| ©2019 F5148
Two key use cases
[Diagram: compass showing the N/S and E/W directions]
| ©2019 F5149
N/S Networking
Ingress Controllers
| ©2019 F5150
Kubernetes Architecture
[Diagram: Kubernetes Master (API Server, Scheduler, Controller-Manager, etcd); three Kubernetes Nodes, each with Kubelet and KubeProxy; Internal Network; NGINX Ingress Controller]
External Load Balancer
• BIG-IP CIS
• NGINX
• Cloud LB
| ©2019 F5151
Ingress Controller landscape
Default community options:
NGINX Ingress Controller for Kubernetes
Ingress Controller for Google Cloud
Standalone Ingress Controllers:
NGINX’s Kubernetes Ingress Controller
F5 K8s BIGIP Ctlr
voyager
Ambassador
Contour
Integrated Ingress Controllers:
Kong Ingress Controller
Istio Ingress Controller
Traefik Ingress Controller
| ©2019 F5152
Popularity of Ingress Controllers - DockerHub
nginx/nginx-ingress
f5networks/k8s-bigip-ctlr
appscode/voyager
amazon/aws-alb-ingress-controller
ibmcom/nginx-ingress-controller
haproxytech/kubernetes-ingress
bitnami/nginx-ingress-controller
datawire/ambassador
projectcontour/contour
5m+ downloads
1m+ downloads
1m+ downloads
500k+ downloads
100k+ downloads
100k+ downloads
100k+ downloads
50k+ downloads
5m+ downloads
| ©2019 F5153
Summary: What makes NGINX KIC Different?
Development Philosophy
• Long-term stability and consistency
• Avoid breaking backward compatibility
Continual Production Readiness
• Every release built and maintained to a supportable, production standard.
• Enterprise grade focus
Security
• NGINX is the authoritative source for all components of Ingress Controller.
Integrated codebase
• Based on native NGINX capabilities and directives
• No reliance on 3rd party Lua modules
Support
• Award winning support available
100% App Dev Focused
• Building a load balancer for the Apps and DevOps people
| ©2019 F5154
Ingress Controller
Futures
| ©2019 F5155
Ingress resource – K8s configuration primitive
K8s Ingress resource

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: hello-ingress
spec:
  tls:
  - hosts:
    - hello.example.com
    secretName: hello-secret
  rules:
  - host: hello.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: www-svc
          servicePort: 80

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: api-ingress
spec:
  tls:
  - hosts:
    - api.example.com
    secretName: api-ssl-secret
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: api-svc
          servicePort: 80
| ©2019 F5156
NGINX Ingress Controller future
NGINX Ingress Resource Definitions
• Expose more NGINX/NGINX Plus features e.g. TCP, GRPC load balancing, traffic splitting, rate limits…
• Easy to use, familiar concepts, familiar processes
• Cloud native -- support Prometheus, Helm, OpenTracing, mTLS
• Special focus on security, stability and self-service
K8s Ingress resource
| ©2019 F5157
NGINX Futures – Cross-namespace (now!)
apiVersion: k8s.nginx.org/v1alpha1
kind: VirtualServer
metadata:
  name: api-fe
  namespace: frontend-ns
spec:
  host: api.example.com
  tls:
    secret: api-ssl-secret
  routes:
  - path: /games/api
    route: games-ns/games-route
  - path: /stats/api
    route: stats-ns/stats-route

Admin team: frontend-ns
Games team: games-ns (/games/api)
Stats team: stats-ns (/stats/api)
| ©2019 F5158
NGINX Futures – Cross-namespace (now!)
apiVersion: k8s.nginx.org/v1alpha1
kind: VirtualServerRoute
metadata:
  name: games-route
  namespace: games-ns
spec:
  host: api.example.com
  upstreams:
  - name: games
    service: games-svc
    port: 80
  subroutes:
  - path: /games/api
    upstream: games

Admin team: frontend-ns
Games team: games-ns (/games/api)
Stats team: stats-ns (/stats/api)
| ©2019 F5159
NGINX Futures – Traffic Splitting (Now / Dec 2019)
[Diagram: 90% of traffic to webapp-svc-v1, 10% to webapp-svc-v2]

upstreams:
- name: webapp-v1
  service: webapp-svc-v1
  port: 80
- name: webapp-v2
  service: webapp-svc-v2
  port: 80
routes:
- path: /
  splits:
  - weight: 90
    action:
      pass: webapp-v1
  - weight: 10
    action:
      pass: webapp-v2
| ©2019 F5160
NGINX Futures – Traffic Routing (Dec 2019)
[Diagram: default traffic to webapp-svc-v1; requests with Cookie: debug=true to webapp-svc-v2]

upstreams:
- name: webapp-v1
  service: webapp-svc-v1
  port: 80
- name: webapp-v2
  service: webapp-svc-v2
  port: 80
routes:
- path: /
  matches:
  - conditions:
    - cookie: debug
      value: "true"   # quoted so YAML passes the string "true", not a boolean
    action:
      pass: webapp-v2
  action:
    pass: webapp-v1
| ©2019 F5161
E/W Networking
Why a Service Mesh?
| ©2019 F5162
Modern Apps Require a Modern Architecture
From Monolithic ...
• Three-tier, J2EE-style architectures
• Complex protocols (HTML, SOAP)
• Persistent deployments
• Fixed, static Infrastructure
• Big-bang releases
• Silo’ed teams (Dev, Test, Ops)
... to Dynamic
• Microservices
• Lightweight (REST, JSON)
• Containers, VMs, Functions
• Infrastructure as Code
• Continuous delivery
• DevOps Culture
| ©2019 F5163
Operating a distributed application is hard
Static, Predictable Monolith:
• Fast, reliable function calls
• Local debugging
• Local profiling
• Calendared, big-bang upgrades
• ‘Integration hell’ contained in dev
Dynamic, Distributed App:
• Slow, unreliable API calls
• Distributed fault finding
• Distributed tracing
• In-place dynamic updates
• ‘Continuous integration’ live in prod
More things can go wrong, it’s harder to find the faults, everything happens live
| ©2019 F5164
All problems in computer science
can be solved by another level of
indirection
-- David Wheeler, FRS
| ©2019 F5165
All problems in Distributed Microservices
can be solved by another level of
Proxies
-- Everybody!
| ©2019 F5166
What does a Service Mesh do?
By controlling communications between pods, Service Meshes can do four main things:
• Security: End-to-end encryption (Mutual TLS / mTLS)
• Traffic Management: Load Balance, Circuit breaker, BG, Rate Limit…
• Instrumentation: Measure and accumulate metrics (Prometheus)
• Debugging: Generate transaction traces (OpenTracing)
| ©2019 F5167
How is a Service Mesh implemented?
A service mesh is an invisible, autonomous, L7 routing layer for distributed, multi-service applications.
Most commonly implemented as a ‘sidecar proxy’
Implementations:
• Istio/Envoy
• Aspen Mesh
• Consul Connect
• Linkerd2
• Maesh, Kuma
• NGINX Service Mesh
• … and many others to follow
[Diagram: Service Mesh Network with Services A, B, C and D, each paired with a Sidecar Proxy, and a Control Plane]
| ©2019 F5168
[Chart: cost to operate (vertical axis) against complexity, interdependencies, speed of change (horizontal axis, from a single simple app to many complex, interdependent apps); curves: using native Kubernetes and other services, using service mesh]
As service meshes mature, their cost will go down
| ©2019 F5169
How to get 75% of the benefit with
20% of the effort
| ©2019 F5170
14%
How do you use NGINX?
“as a Service Mesh”
2018 2019
3%
6%
NGINX User Survey 2018, 2019
| ©2019 F5171
Production Patterns for Microservices
THERE ARE MULTIPLE, PROVEN PRODUCTION PATTERNS FOR NGINX IN A MICROSERVICE APP
NGINX Ingress Controller
NGINX per-Service Proxy
NGINX per-Pod Proxy
NGINX Simple Mesh Proxy
| ©2019 F5172
NGINX per-Pod Proxy
Each Pod in Service B has a dedicated proxy.
We rely on K8s (kubeproxy) to load-balance traffic to Service B
Use NGINX Per-Pod Proxy:
• To intercept traffic to a single pod
• Implement access control, metrics and tracing, web app firewall for that service
Complexity: Simple
• Single point of configuration, simple
• Fully integrated into pod – easy build, test and deployment
Implemented by the App Developer
[Diagram labels: A, kubeproxy, B]
| ©2019 F5173
NGINX per-Service Proxy
When Service A wants to talk to Service B, it talks to the Proxy Service for service B.
The proxy can apply specific policies and load balancing.
Use NGINX Per-Service Proxy:
• To intercept traffic to a specific service
• Implement access control, metrics and tracing, web app firewall, smart load balancing for that service
Complexity: Simple
• Single point of configuration, simple
• Reliable and easily scalable
Implemented by the DevOps Team
[Diagram labels: A, B]
| ©2019 F5174
What about egress traffic?
PER-SERVICE AND PER-POD PROXIES ONLY HANDLE INGRESS TRAFFIC INTO A POD
• No control of egress traffic, exiting pod
• Full control of ingress traffic, entering pod
Why might this be a problem?
1. Cannot automatically apply mTLS.
2. Metrics and traces are generated on server-side, not client-side, so do not measure latency effect of K8s network
Can rely on application to make TLS requests, or rely on overlay network for encryption.
K8s Network Policies implement access control
| ©2019 F5175
Simple Mesh
Ingress Traffic – exactly as the per-Pod proxy configuration.
Egress Traffic – application talks to local NGINX IP address, achieved by e.g. DNS manipulation or IP tables.
NGINX needs a virtual server for each egress service.
Use NGINX Simple Mesh:
• When the application only needs to talk to a small, well-known set of external services
Complexity: Not as simple
• Need to know all egress targets in advance
• Fully integrated into pod – easy build, test and deployment
• Challenges when configuration updates are required e.g. SSL certs
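The per-Pod ingress proxy and the Simple Mesh egress pattern described above, as an added example (not part of the original deck): a sidecar NGINX configuration for a Service B pod that terminates mTLS on ingress and originates mTLS on egress to one known target. All hostnames, ports, file paths and the certificate layout are assumptions.

```nginx
# Added example: sidecar NGINX inside a Service B pod.
# Assumed: the app listens on 127.0.0.1:8080 only, so the sidecar cannot be
# bypassed; a mesh CA and a per-pod certificate are mounted under /etc/nginx/mesh.
events {}

http {
    # Instrumentation: log the authenticated peer and both latency figures.
    log_format mesh '$remote_addr peer="$ssl_client_s_dn" verify=$ssl_client_verify '
                    '"$request" $status rt=$request_time urt=$upstream_response_time';
    access_log /var/log/nginx/mesh.log mesh;

    # Access control: only Service A's certificate identity may call Service B.
    map $ssl_client_s_dn $peer_allowed {
        default 0;
        "~(^|,)CN=service-a\.default\.svc\.cluster\.local(,|$)" 1;
    }

    # Ingress: terminate mTLS, then hand plain HTTP to the app over loopback.
    server {
        listen 8443 ssl;
        ssl_certificate        /etc/nginx/mesh/tls.crt;
        ssl_certificate_key    /etc/nginx/mesh/tls.key;
        ssl_client_certificate /etc/nginx/mesh/ca.crt;   # mesh CA (assumed)
        ssl_verify_client      on;                       # no valid client cert, no request
        ssl_protocols          TLSv1.2 TLSv1.3;

        if ($peer_allowed = 0) { return 403; }

        location / {
            # Overwrites any client-supplied copy of the header.
            proxy_set_header X-Client-DN $ssl_client_s_dn;
            proxy_pass http://127.0.0.1:8080;
        }
    }

    # Egress: one virtual server per known target. The app calls
    # http://127.0.0.1:9001 and NGINX adds mTLS towards Service C.
    # Each further egress target needs its own server block and port.
    server {
        listen 127.0.0.1:9001;

        location / {
            proxy_pass https://service-c.default.svc.cluster.local:8443;
            proxy_http_version 1.1;
            proxy_set_header Host service-c.default.svc.cluster.local;

            # Client side of mTLS: present this pod's certificate.
            proxy_ssl_certificate         /etc/nginx/mesh/tls.crt;
            proxy_ssl_certificate_key     /etc/nginx/mesh/tls.key;

            # Server authentication is off by default for proxied HTTPS;
            # turn it on and pin the expected name.
            proxy_ssl_trusted_certificate /etc/nginx/mesh/ca.crt;
            proxy_ssl_verify              on;
            proxy_ssl_verify_depth        2;
            proxy_ssl_server_name         on;
            proxy_ssl_name                service-c.default.svc.cluster.local;
            proxy_ssl_protocols           TLSv1.2 TLSv1.3;
        }
    }
}
```

Certificates are read when the configuration is loaded, so rotating them requires a reload of every sidecar, which is the update challenge the slide notes.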
| ©2019 F5176
I’m 75%+ of the way there…
PER-POD, PER-SERVICE AND SIMPLE MESH PROVIDE 75%+ OF SERVICE MESH FUNCTIONALITY
Per-Pod proxy   Per-Service   Simple Mesh   Other
Security
mTLS Y mTLS in app, or use overlay network
Access Control Y Y Y Or, use K8s network policies
Debugging and Monitoring
Instrumentation Y Y Y In the app (though inconsistent)
Tracing Y Y Y In the app
Traffic Management
Load Balancing Y Y Or, use kubeproxy and deployments
Canary/B&G Release Y Y Or, use kubeproxy and deployments
Circuit Breaking Y Y Y
| ©2019 F5177
A checklist for readiness
In our assessment, you may benefit from a service mesh once:
✓ You have a mature, fully-automated CI/CD pipeline (GitOps-enabled)
✓ You are deploying frequently to production (at least once per day)
✓ You are fully invested in Kubernetes
✓ You have a zero-trust production environment (so need mTLS)
✓ Your application is complex
  − 20+ different services, a service graph that is 3 levels deep or more
✓ You have operational maturity and an appetite for risk
| ©2019 F5178
All problems in computer science
can be solved by another level of
indirection
-- David Wheeler, FRS
| ©2019 F5179
All problems in computer science
can be solved by another level of
indirection
... except for the problem of too
many layers of indirection
-- David Wheeler, FRS
| ©2019 F5180
Use the minimum technology necessary
to solve the problem at hand
| ©2019 F5181
Thank you

More Related Content

What's hot

Dynamic SSL Certificates and Other New Features in NGINX Plus R18 and NGINX O...
Dynamic SSL Certificates and Other New Features in NGINX Plus R18 and NGINX O...Dynamic SSL Certificates and Other New Features in NGINX Plus R18 and NGINX O...
Dynamic SSL Certificates and Other New Features in NGINX Plus R18 and NGINX O...NGINX, Inc.
 
Achieve Full API Lifecycle Management Using NGINX Controller – EMEA
Achieve Full API Lifecycle Management Using NGINX Controller – EMEAAchieve Full API Lifecycle Management Using NGINX Controller – EMEA
Achieve Full API Lifecycle Management Using NGINX Controller – EMEANGINX, Inc.
 
NGINX Plus R20 Webinar EMEA
NGINX Plus R20 Webinar EMEANGINX Plus R20 Webinar EMEA
NGINX Plus R20 Webinar EMEANGINX, Inc.
 
Using NGINX and NGINX Plus as a Kubernetes Ingress
Using NGINX and NGINX Plus as a Kubernetes IngressUsing NGINX and NGINX Plus as a Kubernetes Ingress
Using NGINX and NGINX Plus as a Kubernetes IngressKevin Jones
 
Relevez les défis Kubernetes avec NGINX
Relevez les défis Kubernetes avec NGINXRelevez les défis Kubernetes avec NGINX
Relevez les défis Kubernetes avec NGINXNGINX, Inc.
 
What's new in NGINX Plus R19
What's new in NGINX Plus R19What's new in NGINX Plus R19
What's new in NGINX Plus R19NGINX, Inc.
 
Kubernetes and the NGINX Plus Ingress Controller
Kubernetes and the NGINX Plus Ingress ControllerKubernetes and the NGINX Plus Ingress Controller
Kubernetes and the NGINX Plus Ingress ControllerKatherine Bagood
 
NGINX Basics and Best Practices Workshop
NGINX Basics and Best Practices WorkshopNGINX Basics and Best Practices Workshop
NGINX Basics and Best Practices WorkshopNGINX, Inc.
 
Get the Most Out of Kubernetes with NGINX
Get the Most Out of Kubernetes with NGINXGet the Most Out of Kubernetes with NGINX
Get the Most Out of Kubernetes with NGINXNGINX, Inc.
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes NetworkingNGINX, Inc.
 
Replacing and Augmenting F5 BIG-IP with NGINX Plus
Replacing and Augmenting F5 BIG-IP with NGINX PlusReplacing and Augmenting F5 BIG-IP with NGINX Plus
Replacing and Augmenting F5 BIG-IP with NGINX PlusNGINX, Inc.
 
Scale your application to new heights with NGINX and AWS
Scale your application to new heights with NGINX and AWSScale your application to new heights with NGINX and AWS
Scale your application to new heights with NGINX and AWSNGINX, Inc.
 
NGINX Basics: Ask Me Anything – EMEA
NGINX Basics: Ask Me Anything – EMEANGINX Basics: Ask Me Anything – EMEA
NGINX Basics: Ask Me Anything – EMEANGINX, Inc.
 
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open SourceTLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open SourceNGINX, Inc.
 
What’s New in NGINX Plus R16?
What’s New in NGINX Plus R16?What’s New in NGINX Plus R16?
What’s New in NGINX Plus R16?NGINX, Inc.
 
NGINX Microservices Reference Architecture: What’s in Store for 2019 – EMEA
NGINX Microservices Reference Architecture: What’s in Store for 2019 – EMEANGINX Microservices Reference Architecture: What’s in Store for 2019 – EMEA
NGINX Microservices Reference Architecture: What’s in Store for 2019 – EMEANGINX, Inc.
 
NGINX Plus R18: What's new
NGINX Plus R18: What's newNGINX Plus R18: What's new
NGINX Plus R18: What's newNGINX, Inc.
 
What’s New in NGINX Plus R15? - EMEA
What’s New in NGINX Plus R15? - EMEAWhat’s New in NGINX Plus R15? - EMEA
What’s New in NGINX Plus R15? - EMEANGINX, Inc.
 
NGINX: Basics and Best Practices EMEA
NGINX: Basics and Best Practices EMEANGINX: Basics and Best Practices EMEA
NGINX: Basics and Best Practices EMEANGINX, Inc.
 
NGINX ADC: Basics and Best Practices – EMEA
NGINX ADC: Basics and Best Practices – EMEANGINX ADC: Basics and Best Practices – EMEA
NGINX ADC: Basics and Best Practices – EMEANGINX, Inc.
 

What's hot (20)

Dynamic SSL Certificates and Other New Features in NGINX Plus R18 and NGINX O...
Dynamic SSL Certificates and Other New Features in NGINX Plus R18 and NGINX O...Dynamic SSL Certificates and Other New Features in NGINX Plus R18 and NGINX O...
Dynamic SSL Certificates and Other New Features in NGINX Plus R18 and NGINX O...
 
Achieve Full API Lifecycle Management Using NGINX Controller – EMEA
Achieve Full API Lifecycle Management Using NGINX Controller – EMEAAchieve Full API Lifecycle Management Using NGINX Controller – EMEA
Achieve Full API Lifecycle Management Using NGINX Controller – EMEA
 
NGINX Plus R20 Webinar EMEA
NGINX Plus R20 Webinar EMEANGINX Plus R20 Webinar EMEA
NGINX Plus R20 Webinar EMEA
 
Using NGINX and NGINX Plus as a Kubernetes Ingress
Using NGINX and NGINX Plus as a Kubernetes IngressUsing NGINX and NGINX Plus as a Kubernetes Ingress
Using NGINX and NGINX Plus as a Kubernetes Ingress
 
Relevez les défis Kubernetes avec NGINX
Relevez les défis Kubernetes avec NGINXRelevez les défis Kubernetes avec NGINX
Relevez les défis Kubernetes avec NGINX
 
What's new in NGINX Plus R19
What's new in NGINX Plus R19What's new in NGINX Plus R19
What's new in NGINX Plus R19
 
Kubernetes and the NGINX Plus Ingress Controller
Kubernetes and the NGINX Plus Ingress ControllerKubernetes and the NGINX Plus Ingress Controller
Kubernetes and the NGINX Plus Ingress Controller
 
NGINX Basics and Best Practices Workshop
NGINX Basics and Best Practices WorkshopNGINX Basics and Best Practices Workshop
NGINX Basics and Best Practices Workshop
 
Get the Most Out of Kubernetes with NGINX
Get the Most Out of Kubernetes with NGINXGet the Most Out of Kubernetes with NGINX
Get the Most Out of Kubernetes with NGINX
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes Networking
 
Replacing and Augmenting F5 BIG-IP with NGINX Plus
Replacing and Augmenting F5 BIG-IP with NGINX PlusReplacing and Augmenting F5 BIG-IP with NGINX Plus
Replacing and Augmenting F5 BIG-IP with NGINX Plus
 
Scale your application to new heights with NGINX and AWS
Scale your application to new heights with NGINX and AWSScale your application to new heights with NGINX and AWS
Scale your application to new heights with NGINX and AWS
 
NGINX Basics: Ask Me Anything – EMEA
NGINX Basics: Ask Me Anything – EMEANGINX Basics: Ask Me Anything – EMEA
NGINX Basics: Ask Me Anything – EMEA
 
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open SourceTLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source
 
What’s New in NGINX Plus R16?
What’s New in NGINX Plus R16?What’s New in NGINX Plus R16?
What’s New in NGINX Plus R16?
 
NGINX Microservices Reference Architecture: What’s in Store for 2019 – EMEA
NGINX Microservices Reference Architecture: What’s in Store for 2019 – EMEANGINX Microservices Reference Architecture: What’s in Store for 2019 – EMEA
NGINX Microservices Reference Architecture: What’s in Store for 2019 – EMEA
 
NGINX Plus R18: What's new
NGINX Plus R18: What's newNGINX Plus R18: What's new
NGINX Plus R18: What's new
 
What’s New in NGINX Plus R15? - EMEA
What’s New in NGINX Plus R15? - EMEAWhat’s New in NGINX Plus R15? - EMEA
What’s New in NGINX Plus R15? - EMEA
 
NGINX: Basics and Best Practices EMEA
NGINX: Basics and Best Practices EMEANGINX: Basics and Best Practices EMEA
NGINX: Basics and Best Practices EMEA
 
NGINX ADC: Basics and Best Practices – EMEA
NGINX ADC: Basics and Best Practices – EMEANGINX ADC: Basics and Best Practices – EMEA
NGINX ADC: Basics and Best Practices – EMEA
 

Similar to From Code to Customer with F5 and NGNX London Nov 19

Gain multi-cloud versatility with software load balancing designed for cloud-...
Gain multi-cloud versatility with software load balancing designed for cloud-...Gain multi-cloud versatility with software load balancing designed for cloud-...
Gain multi-cloud versatility with software load balancing designed for cloud-...Ashnikbiz
 
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Ping Identity
 
F5 Networks - парадная дверь в облака
F5 Networks - парадная дверь в облакаF5 Networks - парадная дверь в облака
F5 Networks - парадная дверь в облакаBAKOTECH
 
Automate and simplify multi cloud complexity with f5 and hashi corp
Automate and simplify multi cloud complexity with f5 and hashi corpAutomate and simplify multi cloud complexity with f5 and hashi corp
Automate and simplify multi cloud complexity with f5 and hashi corpMitchell Pronschinske
 
F5 and HashiCorp Multi-Cloud
F5 and HashiCorp Multi-CloudF5 and HashiCorp Multi-Cloud
F5 and HashiCorp Multi-Cloudabenyeung1
 
Modern App Architecture - Microservices, API Friendly
Modern App Architecture - Microservices, API FriendlyModern App Architecture - Microservices, API Friendly
Modern App Architecture - Microservices, API FriendlyDevOps Indonesia
 
Control Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINXControl Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINXNGINX, Inc.
 
vCloud Air - Infrastructure and Application Services for the Enterprise
vCloud Air - Infrastructure and Application Services for the EnterprisevCloud Air - Infrastructure and Application Services for the Enterprise
vCloud Air - Infrastructure and Application Services for the EnterprisePhilip Say
 
Application Security with NGINX
Application Security with NGINXApplication Security with NGINX
Application Security with NGINXNGINX, Inc.
 
Securing Your Apps & APIs in the Cloud
Securing Your Apps & APIs in the CloudSecuring Your Apps & APIs in the Cloud
Securing Your Apps & APIs in the CloudOlivia LaMar
 
What's New with NGINX Application Security Solutions
What's New with NGINX Application Security SolutionsWhat's New with NGINX Application Security Solutions
What's New with NGINX Application Security SolutionsNGINX, Inc.
 
Application Security with NGINX | APAC
Application Security with NGINX | APACApplication Security with NGINX | APAC
Application Security with NGINX | APACNGINX, Inc.
 
From Pivotal to VMware Tanzu: What you need to know
From Pivotal to VMware Tanzu: What you need to knowFrom Pivotal to VMware Tanzu: What you need to know
From Pivotal to VMware Tanzu: What you need to knowVMware Tanzu
 
Nginx app protect-for-meetup-v1.0-202006_lk
Nginx app protect-for-meetup-v1.0-202006_lkNginx app protect-for-meetup-v1.0-202006_lk
Nginx app protect-for-meetup-v1.0-202006_lkJuraj Hantak
 
Controller and Coffee: Deliver APIs in Real Time with API Management
Controller and Coffee: Deliver APIs in Real Time with API ManagementController and Coffee: Deliver APIs in Real Time with API Management
Controller and Coffee: Deliver APIs in Real Time with API ManagementNGINX, Inc.
 
Production-Grade Kubernetes With NGINX Ingress Controller
Production-Grade Kubernetes With NGINX Ingress ControllerProduction-Grade Kubernetes With NGINX Ingress Controller
Production-Grade Kubernetes With NGINX Ingress ControllerNGINX, Inc.
 
F5 Distributed Cloud.pptx
F5 Distributed Cloud.pptxF5 Distributed Cloud.pptx
F5 Distributed Cloud.pptxabenyeung1
 
Transformace IT s technologiemi VMware
Transformace IT s technologiemi VMwareTransformace IT s technologiemi VMware
Transformace IT s technologiemi VMwareMarketingArrowECS_CZ
 
Unlocking the Cloud Operating Model: Deployment
Unlocking the Cloud Operating Model: DeploymentUnlocking the Cloud Operating Model: Deployment
Unlocking the Cloud Operating Model: DeploymentMitchell Pronschinske
 
F5 Synthesis Toronto February 2014 Roadshow
F5 Synthesis Toronto February 2014 RoadshowF5 Synthesis Toronto February 2014 Roadshow
F5 Synthesis Toronto February 2014 Roadshowpatmisasi
 

Similar to From Code to Customer with F5 and NGNX London Nov 19 (20)

Gain multi-cloud versatility with software load balancing designed for cloud-...
Gain multi-cloud versatility with software load balancing designed for cloud-...Gain multi-cloud versatility with software load balancing designed for cloud-...
Gain multi-cloud versatility with software load balancing designed for cloud-...
 
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
 
F5 Networks - парадная дверь в облака
F5 Networks - парадная дверь в облакаF5 Networks - парадная дверь в облака
F5 Networks - парадная дверь в облака
 
Automate and simplify multi cloud complexity with f5 and hashi corp
Automate and simplify multi cloud complexity with f5 and hashi corpAutomate and simplify multi cloud complexity with f5 and hashi corp
Automate and simplify multi cloud complexity with f5 and hashi corp
 
F5 and HashiCorp Multi-Cloud
F5 and HashiCorp Multi-CloudF5 and HashiCorp Multi-Cloud
F5 and HashiCorp Multi-Cloud
 
Modern App Architecture - Microservices, API Friendly
Modern App Architecture - Microservices, API FriendlyModern App Architecture - Microservices, API Friendly
Modern App Architecture - Microservices, API Friendly
 
Control Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINXControl Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINX
 
vCloud Air - Infrastructure and Application Services for the Enterprise
vCloud Air - Infrastructure and Application Services for the EnterprisevCloud Air - Infrastructure and Application Services for the Enterprise
vCloud Air - Infrastructure and Application Services for the Enterprise
 
Application Security with NGINX
Application Security with NGINXApplication Security with NGINX
Application Security with NGINX
 
Securing Your Apps & APIs in the Cloud
Securing Your Apps & APIs in the CloudSecuring Your Apps & APIs in the Cloud
Securing Your Apps & APIs in the Cloud
 
What's New with NGINX Application Security Solutions
What's New with NGINX Application Security SolutionsWhat's New with NGINX Application Security Solutions
What's New with NGINX Application Security Solutions
 
Application Security with NGINX | APAC
Application Security with NGINX | APACApplication Security with NGINX | APAC
Application Security with NGINX | APAC
 
From Pivotal to VMware Tanzu: What you need to know
From Pivotal to VMware Tanzu: What you need to knowFrom Pivotal to VMware Tanzu: What you need to know
From Pivotal to VMware Tanzu: What you need to know
 
Nginx app protect-for-meetup-v1.0-202006_lk
Nginx app protect-for-meetup-v1.0-202006_lkNginx app protect-for-meetup-v1.0-202006_lk
Nginx app protect-for-meetup-v1.0-202006_lk
 
Controller and Coffee: Deliver APIs in Real Time with API Management
Controller and Coffee: Deliver APIs in Real Time with API ManagementController and Coffee: Deliver APIs in Real Time with API Management
Controller and Coffee: Deliver APIs in Real Time with API Management
 
Production-Grade Kubernetes With NGINX Ingress Controller
Production-Grade Kubernetes With NGINX Ingress ControllerProduction-Grade Kubernetes With NGINX Ingress Controller
Production-Grade Kubernetes With NGINX Ingress Controller
 
F5 Distributed Cloud.pptx
F5 Distributed Cloud.pptxF5 Distributed Cloud.pptx
F5 Distributed Cloud.pptx
 
Transformace IT s technologiemi VMware
Transformace IT s technologiemi VMwareTransformace IT s technologiemi VMware
Transformace IT s technologiemi VMware
 
Unlocking the Cloud Operating Model: Deployment
Unlocking the Cloud Operating Model: DeploymentUnlocking the Cloud Operating Model: Deployment
Unlocking the Cloud Operating Model: Deployment
 
F5 Synthesis Toronto February 2014 Roadshow
F5 Synthesis Toronto February 2014 RoadshowF5 Synthesis Toronto February 2014 Roadshow
F5 Synthesis Toronto February 2014 Roadshow
 

More from NGINX, Inc.

【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法
【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法
【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法NGINX, Inc.
 
【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナー
【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナー【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナー
【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナーNGINX, Inc.
 
【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法
【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法
【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法NGINX, Inc.
 
Get Hands-On with NGINX and QUIC+HTTP/3
Get Hands-On with NGINX and QUIC+HTTP/3Get Hands-On with NGINX and QUIC+HTTP/3
Get Hands-On with NGINX and QUIC+HTTP/3NGINX, Inc.
 
Managing Kubernetes Cost and Performance with NGINX & Kubecost
Managing Kubernetes Cost and Performance with NGINX & KubecostManaging Kubernetes Cost and Performance with NGINX & Kubecost
Managing Kubernetes Cost and Performance with NGINX & KubecostNGINX, Inc.
 
Manage Microservices Chaos and Complexity with Observability
Manage Microservices Chaos and Complexity with ObservabilityManage Microservices Chaos and Complexity with Observability
Manage Microservices Chaos and Complexity with ObservabilityNGINX, Inc.
 
Accelerate Microservices Deployments with Automation
Accelerate Microservices Deployments with AutomationAccelerate Microservices Deployments with Automation
Accelerate Microservices Deployments with AutomationNGINX, Inc.
 
Unit 2: Microservices Secrets Management 101
Unit 2: Microservices Secrets Management 101Unit 2: Microservices Secrets Management 101
Unit 2: Microservices Secrets Management 101NGINX, Inc.
 
Unit 1: Apply the Twelve-Factor App to Microservices Architectures




From Code to Customer with F5 and NGINX London Nov 19

  • 1. F5 & NGINX Application Services platform. VINCENT LAVERGNE – VP SOLUTION ENGINEERS, EMEA; MILES MARTIN – NGINX TECHNICAL DIRECTOR, EMEA
  • 2. F5 was born out of the belief that a company’s applications define a company’s value.
  • 3. Early 2000’s: Hardware load-balancers. (Diagram labels: Load balancer; Purpose-built hardware; Customer; Code)
  • 5. As stewards of the world’s most mission-critical applications...
  • 6. Mid 2010’s: Services decoupled from the underlying infrastructure. (Diagram labels: Purpose-built hardware; Public cloud; Virtual machines; Customer; Code; DNS; App Security; DDoS; Load balancer)
  • 7. Mid 2010’s: Central Management introduced to reduce operational overhead. (Diagram labels: CENTRAL MANAGEMENT; Purpose-built hardware; Public cloud; Virtual machines; BIG-IQ; Security Services; Customer; Code; DNS; App Security; DDoS; Load balancer)
  • 8. …we’re behind the scenes—and we like it there.
  • 9. Apps are changing the way we live and work
  • 11. Digital Transformation: The 4th Industrial revolution is now! 69% of the companies responded they have initiated their Digital transformation (https://www.f5.com/state-of-application-services-report/interactive-report-2019). Number of Apps in the World (millions), source: IDC, F5: 260 (2017), 1694 (2022). Optimize resources and processes; Innovate faster; Earn market share. Our mission at F5 is Application Centric.
  • 12. Digital Transformation – Influence on Applications. Q. How is digital transformation influencing your application decisions? Select all that apply. 62% Implementing Automation & Orchestration; 52% Changing where apps are deployed; 48% Changing Development Process; 42% Exploring new application architectures. (*) State of Application Services – 2019 report (F5 Networks)
  • 13. App Services – Shifting control. (Diagram labels: Cloud Architect; DevOps; Consume & monitor app services; Consult, validate & review app services; TRADITIONAL APP SERVICES DEPLOYMENT; CLOUD-NATIVE APP SERVICES DEPLOYMENT; NetOps; SecOps; AppDev; NetOps; SecOps; Cloud Architect; DevOps; AppDev)
  • 14. Digital Transformation made simpler & safer with F5. RETAIN, REHOST, REPLATFORM, REFACTOR, MODERN APP. Licensing models; Application services; Eco-Systems; Migration; Deployment & consumption models
  • 15. Application services that go from code to customer. THE F5 SOLUTION: LOCAL LOAD BALANCING, GLOBAL LOAD BALANCING, FIREWALL, API MANAGEMENT, API GATEWAY, WEB APP FIREWALL, DDOS + BOT PROTECTION, ACCESS MANAGEMENT, CREDENTIAL ENCRYPTION, APPLICATION PERFORMANCE MANAGEMENT, WEB/APP SERVER, SSL DECRYPTION and ORCHESTRATION
  • 16. Now: Integrating NGINX and F5 Cloud Services. (Diagram labels: API gateway; CDN; Ingress controller; App / Web server; Customer; Load balancer; DNS; App security; DDoS; Code; Containers; Purpose-built hardware; Public cloud; Virtual machines; Software as a Service; Commodity hardware; Ecosystems; NGINX Controller; BIG-IQ; PLATFORM CONTROL PLANES; BIG-IP; NGINX)
  • 17. HELPING OUR CUSTOMERS SHINE. MAKING THE APPLICATION ECONOMY THRIVE. We’re obsessed with APPLICATIONS FROM CODE TO CUSTOMER
  • 18. Our journey together is gathering momentum
  • 19. Customer challenges. 87% of customers are adopting multi-cloud. INFRASTRUCTURE LOCK-IN: Limits ability to move apps to new environments. 100% of customers lack visibility. 86% of all cyber-threats target applications and app identities*. COMPLEX COMPLIANCE & POLICY REQUIREMENTS: Reduces speed to market and impacts customer experience. 85% of new app workload instances are container-based. TOOL SPRAWL: Increases operational complexity and cost.
  • 20. Customers have several services along the application data path: Code, Load balancer, DNS, API gateway, App security, DDoS, CDN, Ingress controller, App / web server, Customer
  • 21. With each service provided by different vendors: Code, Load balancer, DNS, API gateway, App security, DDoS, CDN, Ingress controller, App / Web server, Customer
  • 22. And a different set of vendors for each application architecture (Monolithic, 3-tier, Microservice): Code, Load balancer, DNS, API gateway, App security, DDoS, CDN, Ingress controller, App / Web server, Customer
  • 23. Creating operational silos, complexity & cost (Monolithic, 3-tier, Microservice): Code, Load balancer, DNS, API gateway, App security, DDoS, CDN, Ingress controller, App / Web server, Customer
  • 24. Limited orchestration across the data path: Code, Load balancer, DNS, API gateway, App security, DDoS, CDN, Ingress controller, App / Web server, Customer. Management, Automation (label pair shown eight times). App Developers, App Architects, DevOps, Cloud Architects, NetOps, SecOps, IT Leadership, Support, Customer Experience
  • 25. Leaving customers to stitch everything together: Code, Load balancer, DNS, API gateway, App security, DDoS, CDN, Ingress controller, App / Web server, Customer. Management, Automation (label pair shown eight times). App Developers, App Architects, DevOps, Cloud Architects, NetOps, SecOps, IT Leadership, Support, Customer Experience
  • 26. And unable to easily pinpoint issues: Code, Load balancer, DNS, API gateway, App security, DDoS, CDN, Ingress controller, App / Web server, Customer. Latency: +? ms, +? ms, +? ms, +? ms, +? ms, +? ms, +? ms, +500 ms, +? ms
  • 27. Now: Integrating NGINX and F5 Cloud Services. (Diagram labels: API gateway; CDN; Ingress controller; App / Web server; Customer; Load balancer; DNS; App security; DDoS; Code; Containers; Purpose-built hardware; Public cloud; Virtual machines; Software as a Service; Commodity hardware; Ecosystems; NGINX Controller; BIG-IQ; PLATFORM CONTROL PLANES; BIG-IP; NGINX)
  • 28. Now: Enabling ecosystems. (Diagram labels: ECOSYSTEM INTEGRATIONS; API gateway; CDN; Ingress controller; App / Web server; Customer; Load balancer; DNS; App security; DDoS; Code; Containers; Purpose-built hardware; Public cloud; Virtual machines; Software as a Service; Commodity hardware; Ecosystems; NGINX Controller; BIG-IQ; PLATFORM CONTROL PLANES; BIG-IP; NGINX)
  • 29. Next: Unifying our platforms. (Diagram labels: Third-party ecosystems; BIG-IQ; Containers; Purpose-built hardware; Public cloud; Virtual machines; Software as a Service; Commodity hardware; Future Services; Project Overwatch; Intelligent Threat Services; VISIBILITY, INSIGHTS & ORCHESTRATION; API gateway; CDN; Ingress controller; App / Web server; Load balancer; DNS; App security; DDoS; Customer; Code; PLATFORM CONTROL PLANES; BIG-IP; NGINX; FUTURE)
  • 30. Future: Expand services, deliver insights via telemetry and analytics. (Diagram labels: Device fingerprint; User identity & behavior; Future services; Customer; Code; API gateway; CDN; Ingress controller; App / Web server; Load balancer; DNS; App security; DDoS; Future Service; Containers; Purpose-built hardware; Public cloud; Virtual machines; Software as a Service; Commodity hardware; ANY INFRASTRUCTURE; Mobile; POS; Laptop; IoT; ANY DEVICE; PLATFORM CONTROL PLANES; BIG-IP; NGINX; FUTURE; VISIBILITY, INSIGHTS & ORCHESTRATION; TELEMETRY; TELEMETRY)
  • 31. Fast, Durable, Consistent, Cost Effective. Dynamic Application Gateway
  • 34. High Performance Webserver and Reverse Proxy. Web Server
  • 35. Flawless Application Delivery for the Modern Web: Load Balancer, Content Cache, Web Server, Monitoring & Management, Security Controls
  • 36. NGINX Plus – cloud agnostic and truly portable: Bare metal, Multi-cloud, Containers, Linux/BSD, CPUs
  • 37. NGINX Plus – Too many use-cases to list!
  • 38. What Is NGINX Plus? Dynamic Application Gateway • Load balancer/Reverse Proxy • Content cache • Web server • Security control • OIDC Gateway • API Gateway • Static/Dynamic modules • Monitoring • High availability (HA) • Kubernetes Ingress Controller (KIC) • Programmability (JavaScript) • Streaming Media • WAF (L7 firewall)
  • 39. Dynamic Modules: Dynamically plug in additional features • Single sign-on: Okta, IDF Connect, Ping Identity • Device detection: WURFL, DeviceAtlas, 51Degrees • Security: Stealth, Wallarm, NGINX WAF • Scripting: NGINX JavaScript module, Lua • GeoIP: Locate users by IP address (requires MaxMind GeoIP db) • Dynamic modules repository
  • 40. NGINX PLUS roadmap history. NGINX Plus enjoys a long history of roadmap enhancements. The original NGINX Plus evolved from NGINX open source six years ago. Only select enterprise-grade features are limited to PLUS. All other features are available in open source. This situation continues today and going forward… The multi-use-case, contribute-to-broader-solutions philosophy of NGINX is shared by F5 and is a key enabler of the better-together philosophy.
  • 41. NGINX Plus R16. Dynamic Application Gateway, unifying: • Load Balancer • API Gateway • Microservices networking • And more! Key R16 features: • Clustered KeyVal store • Clustered rate limits • Expiry of KeyVal entries • Random w/2 choices load balancing • Proxy Protocol v2 • OpenID opaque token • SSL pre-read • And more! Released: 5 September 2018
  • 42. NGINX Plus R17. Dynamic Application Gateway, unifying: • Load Balancer • API Gateway • Microservices networking • And more! Key R17 features: • TLS 1.3 • Two stage rate limiting • Ed25519 and Ed448 for JWT • JWK fetch from IdP • TCP keepalives to upstreams • SNI support for zonesync • NJS updates. Released: 11 December 2018
  • 43. NGINX Plus R18. Dynamic Application Gateway, unifying: • Load Balancer • API Gateway • Microservices networking • And more! Key R18 features: • Dynamic certificate loading • OIDC enhancements • Port ranges for virtual servers • KV definition in .conf • Active healthcheck improvements • NJS, Brotli updates • HELM charts for KIC. Released: 9 April 2019
  • 44. NGINX Plus R19. Dynamic Application Gateway, unifying: • Load Balancer • API Gateway • Microservices networking • And more! Key R19 features: • Location based metrics • Resolver metrics • Dry run mode for rate limiting • KV enhancements • Dynamic bandwidth control. Available Now! Released: 13 August 2019
  • 45. What is the difference between NGINX open source and NGINX PLUS? There are a few main differences (Feature: NGINX / NGINX PLUS). Enterprise Support: Community only / Yes. Enterprise feature-set: Not available / Yes (next slides…). Modules available: Community only unsupported modules / Fully supported and available from private Repo, including ModSecurity WAF.
  • 46. Unique value of NGINX Plus (1). NGINX Plus, in addition to class-leading full commercial support, has a number of value-added features over and above the open-source version. These unlock multiple points of additional value when deploying NGINX Plus as the core ‘engine’ within an enterprise-grade deployment. • Session Persistence – Returns the client to the same cache server pathway each time to optimize stateful implementations • API – Use the NGINX Plus single-endpoint REST API to update upstream configurations and key-value stores on the fly, with zero downtime. • Dashboard – The NGINX Plus web-UI Dashboard contains over 90 metrics including health-status and upstream availability. The ability to manage upstreams, including maintenance tasks such as ‘drain’ for planned downtime, is provided. • Active Health-Checks – out-of-band application health checks (also known as synthetic transactions) and a slow-start feature to gracefully add new and recovered servers into the load-balanced group • Cache Purge API – This feature gives the ability to make the origin servers ‘cache aware’, and dynamically purge stale content from the downstream caching pools.
  • 47. Unique value of NGINX Plus (2). NGINX Plus, in addition to class-leading full commercial support, has a number of value-added features over and above the open-source version. These unlock multiple points of additional value when deploying NGINX Plus as the core ‘engine’ within an enterprise-grade deployment. • Service Discovery – Enables dynamic updating of upstream server pool resources via DNS SRV records, to support fully elastic pools of upstream resources. This is of particular value in auto-scaled microservice deployments. • Operational Support Systems (OSS) – Built-in integration with AppDynamics, Datadog, Dynatrace plug-ins • JWT authentication/OpenID Connect SSO – JSON Web Token security implementation to reduce backend load/complexity • NGINX Web Application Firewall – Layer 7 firewall to protect against attacks and leakage • Active-active, active-passive HA with config sync, state sharing – deploy NGINX as a web-facing frontend • Key-value store – cluster-wide dynamic persistent storage • VOD contents – dynamic segmentation for adaptive bitrate VOD content: HLS (Apple) • MP4 smart bandwidth limitation – A dual rate mechanism to allow an initial unrestricted bitrate implementing fast-start, followed by a subsequent limited bitrate to prevent excessive read-ahead.
  • 48. How much does NGINX PLUS cost? It’s actually very simple. Enterprise license and support: 5k USD per annum for a single ‘running instance’ (a running instance is a single Linux process running NGINX PLUS); 10k USD per annum for a ‘container license’ (a container license covers as many NGINX PLUS containers as required running within a single container daemon, such as a Docker Node, or a Kubernetes master/worker node). In addition, Application, Business Unit, and Enterprise licenses are also offered when justified by volume. Web Application Firewall (WAF): 2k USD per annum for each single NGINX PLUS ‘running instance’.
  • 49. Kubernetes Ingress Controller 02
  • 50. Kubernetes Ingress Controller. Dynamic Application Gateway
  • 51. There are three projects currently live! Kubernetes-ingress (@Kubernetes.io) • Kubernetes community driven. Github.com/nginxinc/Kubernetes-ingress • Developed by nginx Inc. • Runs with: − NGINX OSS − NGINX PLUS
  • 52. Kubernetes Ingress Controller: Expose the capabilities of NGINX to k8s • Deployment or DaemonSet • Consumes native k8s ingress objects • Support for HTTP(S), TCP, UDP offload • TLS termination, host-based and path-based routing • Custom templates • ConfigMaps • Annotations and custom annotations • Mergeable Ingress • VirtualServer, VirtualServerRoute CRD – aggressive CRD roadmap • Prometheus exporter • Dashboard
  • 53. Mergeable Ingresses: Master, Minion
  • 55. NGINX Controller 03
  • 56. Why NGINX Controller? Strategic Command: Prevent outages by gaining deep visibility and following best practice performance and security recommendations. Agility: Enable developers to deploy new features and applications faster. Simplified Management: Effortlessly deploy, validate and troubleshoot multiple NGINX Plus instances across a multi-cloud environment.
  • 57. What is NGINX Controller? Centralized monitoring and management • Alerting • API management • Configuration analysis • Customizable dashboards • Load balancer management • Monitoring
  • 58. Configuration Analysis: Use the built-in configuration analyzer to get • Enhanced performance and security based on learnings from thousands of customers • Better SLAs by following built-in best practices • Preemptive and actionable recommendations for: • Configuration • Security • SSL status
  • 59. Customizable Dashboards: All the metrics you want to see in one place • An overview dashboard that aggregates metrics across load balancers • An Application Health Score that measures successful requests and timely responses • Customizable dashboards to monitor metrics specific to your environment
  • 60. Monitoring: Get insights into application performance • Graphs of key metrics such as requests per second, active connections, bandwidth usage • Alert on more than 100 metrics such as CPU usage, 400/500 errors, and health check failures based on pre-defined thresholds • Easy integration with any monitoring tool of your choice using REST API
  • 61. Load Balancer Management: Navigate a simple and intuitive wizard-like user interface • Guided workflow for NGINX Plus load balancer configuration • Push-button deployments • Traffic routing to upstream servers • SSL key and certificate management • Policy-driven, create environments for production, staging, or specific lines of business
  • 62. API Management: Lightweight solution for managing APIs • API is first class citizen • Define per API policies such as rate limiting • Direct APIs to appropriate upstream server • Policy-driven, create different environments for Production, Staging, etc.
  • 63. Controller v2.9. Simplified Enterprise Management at Scale, for: • Load Balancing • API Management. Key features: • Analytics module • Simple API definition • Apply policies, publish • Authentication • Rate limits • Reusable TLS policies • Global DNS resolver
  • 65. What is NGINX Unit? • A polyglot application server: Go • Ruby • PHP • Python • Java • .NET Core (roadmap) • Integrated reverse proxy (roadmap) • Enables service-mesh functionality, without actually needing a service mesh! • 100 percent API driven • Built from the ground up to support automation-led deployment • Free to use
  • 66. Why NGINX Unit? • Dynamic by design: Unit was created to adapt in real time to the demands of microservices applications • Reduce complexity: No need to tangle with multiple application servers and the headaches that come with them • Deploy with confidence: Unit is developed by the team behind NGINX, the most reliable and trusted name in application delivery
  • 67. Multi-language Support: Run all of your applications together • Full support for Go, Node.js, Perl, PHP, Python, and Ruby • Run multiple applications written in different languages on the same server • Use multiple language versions simultaneously on the same server (PHP 5/7, Python 2.7/3) • Coming soon: Full Java Support
  • 68. Programmable: Adapt in real time to microservice needs • REST API-driven configuration • JSON configuration language • Graceful application and configuration updates eliminate service disruptions • Seamless zero-downtime deployment changes
  • 69. JSON-based, API-driven config automation (1)
  • 70. JSON-based, API-driven config automation (2)
  • 71. Unit 1.12: Multilingual Dynamic Application Server • Lightweight • Portable • High-performance • Built-in networking • And secure. Key 1.12 features: • PHP 7.4 support • Go, Perl, PHP, Python, Ruby, Node.js, Java • Dynamic TLS support • Serve static files • Linux namespaces for isolation • WebSockets server for Java servlets and Node.js. Available now! Released: 3 Oct 2019
  • 72. Service Mesh? Reducing complexity. A service mesh is built upon a number of existing layers of complexity (see next slide). Istio is the ubiquitous and most well-known player in this space. It stacks on top of Kubernetes as a control-plane and data-plane mixer function with the ability to insert a mesh framework automatically. It solves a number of problems including N/S and E/W security, traceability, observability and ingress. However, this stack is complex, with significant overhead. This overhead has a cost, regardless of the choice of hosting.
  • 73. A comparison between a traditional service-mesh enabled microservice stack and an NGINX Unit enabled stack. Typical microservice stack: Hardware (Blade/Rackmount C.O.T.S compute) • Virtualization (e.g. VMware) • Operating System (e.g. Linux Ubuntu) • Containerization Daemon (e.g. Docker) • Container Orchestration (e.g. Kubernetes) • Service Mesh + Control Plane (e.g. Istio) • Business apps (multiple containers). NGINX Unit application stack: Hardware (Blade/Rackmount C.O.T.S compute) • Operating System (e.g. Linux Ubuntu) • NGINX Unit • Business apps (polyglot portfolio)
  • 75. Thank You. THE END. d.luke@f5.com. Learn more at nginx.com
  • 77. The Impact of Microservices on API Management. London, 21-Nov-2019. Dan Henley, Sr. Director, WW Field Enablement – NGINX BU
  • 79. AUTHENTICATION • REQUEST ROUTING • TRAFFIC CONTROL
  • 81. Gateway vs Management. API Management: • Policy management • Analytics & monitoring • Developer documentation. API Gateway: • Request routing • Authentication • Rate limiting • Exception handling
  • 86. Application Delivery Controller
  • 88. “When I started NGINX, I focused on a very specific problem – how to handle more customers per a single server.” - Igor Sysoev, NGINX creator and founder
  • 89. #1: “Most websites use NGINX”. The busiest sites choose NGINX: 50% of the Top 1M • 61% of the Top 100K • 67% of the Top 10K. Sources: W3Techs Web server ranking, 07-May-2019; Netcraft April 2019 Web Server Survey
  • 93. 83% of all hits are classified as API traffic (JSON/XML) (Source: Akamai State of the Internet Feb-2019). 40% of NGINX deployments are as an API gateway (Source: NGINX User survey 2017, 2018)
  • 95. Microservices is not a journey! 🤗
  • 96. Today’s App Infrastructure Is Complex
  • 97. Fast, Durable, Consistent, Cost Effective [Diagram labels: E/W Solutions • Web App Firewall • N/S Solutions • Rich App Svcs • Local LB • Global LB • DNS Delivery • SSL Offload • Advanced WAF • Access Mgmt. • L4 Firewall • SSL Orchestrate • Anti-DDoS • Bot Detection • CGNAT]
  • 98. 85%: Organizations using microservices. 60%: Organizations using monoliths. Source: NGINX user survey 2019
  • 99. Microservices challenges • API management gets distributed • Infrastructure gets distributed • Governance gets distributed
  • 101. API management gets distributed [Diagram labels: API Management • Monolith API • API Management • Microservice (×5)]
  • 102. Microservices challenges • API management gets distributed • Infrastructure gets distributed • Governance gets distributed
  • 103. Infrastructure gets distributed • DevOps has a lot to answer for! • Everybody wants to own everything • Teams with their own API gateways, looking after their own microservices • Requires architectural alignment
  • 104. Controller architecture [Diagram labels: API Gateway • Controller • UI • Core • API • DB • Receiver • API • Agent • NGINX Plus • api; • nginx.conf 😵]
  • 105. NGINX Controller: API Management Gets Distributed [Diagram: NGINX Controller linked by Policy and Metrics flows to three Monolith APIs and their groups of Microservices]
  • 106. Microservices challenges • API management gets distributed • Infrastructure gets distributed • Governance gets distributed
  • 107. 43% cite “security governance” as the #1 feature of an API Management solution. Source: IDC API Management Survey 2019
  • 109. NGINX Multi-Cloud ADC, Microservices and Service Mesh
  • 110. NGINX is near-ubiquitous in the Cloud • 58%: Webservers on AWS (SumoLogic report: State of Modern Applications in the Cloud) • 65%: Webservers on DigitalOcean (DigitalOcean report: DigitalOcean Currents) • 60%: Containers containing NGINX (Sysdig report: Container Usage Report) • 9 in 10 enterprises are pursuing (or planning) a Multi-Cloud Infrastructure
  • 111. Buyer Drive to Public Cloud and Multi-Cloud • “We’ve got a company mandate to move more of our existing apps to the public cloud.” • “I want to build net new apps in public cloud, but I need to maintain my existing ones on-premises.” • “I need a cost-effective way to scale capacity for new projects.”
  • 112. CONFIDENTIAL. The shadow influencers for technology selection: UNDERSTAND THEIR RESPONSIBILITIES AND CHALLENGES. Team/role: Site Reliability Eng. (cloud native) • App Developer w/ DevOps focus • Cloud architect • DevOps engineer. Table rows: Focus • Care-abouts • Challenges/pain. Table entries: Constraints of existing investments • Simplify infrastructure, Automate reliably • Develop and install DevOps solutions • Barriers created by security teams • Collab with Teams Code to Platform • Configure, integrate, and test requirements • Vendor lock-in, cost overruns • Automation, Efficiency, ROI • Manage delivery automation • Extended dev cycles and bottlenecks • Solve problems at scale • Triage and respond to prod issues
  • 113. Cost and scalability are not the only reasons for Cloud Migration. The shadow agenda: speeding up this cycle makes you more competitive: BUILD • TEST • DEPLOY
  • 114. [CHALLENGES] Deploying apps across Multiple Clouds: CONTENDING WITH A LACK OF APP SERVICES CONSISTENCY AND RELIABILITY ACROSS CLOUDS • Hybrid Cloud • Inconsistent Infrastructure • Inconsistent Cloud-provided Services • Needs New Application Architectures
  • 115. [CHALLENGES] Inconsistent Infrastructure: INCONSISTENT AND UNMANAGED INFRASTRUCTURE. Despite the benefits of elasticity, scale and cost… • Performance inconsistency • Persistence and Availability • Inconsistent monitoring • Lack of strict security compliance
  • 116. [CHALLENGES] Inconsistent Infrastructure: PERSISTENCE AND AVAILABILITY. From: Amazon Web Services, Inc. <no-reply-aws@amazon.com> Subject: Amazon EC2 Instance Retirement [AWS Account ID: 418743776164] Hello, EC2 has detected degradation of the underlying hardware hosting your Amazon EC2 instance (instance-ID: i-04ea4ff028d3a09) associated with your AWS account (AWS Account ID: 418743776164) in the us-west-2 region. Due to this degradation your instance could already be unreachable. We will stop your instance after 2019-11-11 17:00 UTC. * What will happen to my instance? Your instance will be stopped after the specified retirement date. You can start it again at any time after it’s stopped. Any data on local instance-store volumes will be lost when the instance is stopped or terminated.
  • 117. [CHALLENGES] Inconsistent Cloud-provided Services: INCONSISTENT, ONE-SIZE-FITS-ALL BUNDLED SERVICES [Diagram labels: Customer • Code • Load balancer • DNS • API gateway • App Security • DDoS • CDN • Ingress Controller • App / web server] Despite a rich set of cloud-provided services… • Lack of consistency across clouds • Limited ‘you-get-what-you’re-given’ feature set • Lock-in; you can’t passively consume, you actively integrate
  • 118. [CHALLENGES] AWS Reference Architecture: WordPress
  • 119. [CHALLENGES] Needs New Application Architectures: LIMITATIONS AND CAPABILITIES OF CLOUDS DRIVE NEW APPLICATION ARCHITECTURES. Traditional Application Architectures are a poor fit for the cloud • Heavyweight artifacts (inefficient use of resources) • Stateful components (difficult to scale) • Single points of failure (high availability) • Pets, not cattle (not amenable to CI/CD)
  • 120. [CHALLENGES] Needs New Application Architectures: CLOUD NATIVE DESIGN PRINCIPLES. Cloud Native Applications are: • Designed As Loosely Coupled Microservices • Developed With Best-of-breed Languages And Frameworks • Centred Around APIs For Interaction And Collaboration • Stateless And Massively Scalable • Resiliency At The Core Of the Architecture • Packaged As Lightweight Containers And Orchestrated • Agile DevOps & Automation Using CI/CD • Elastic: Dynamic scale-up/down
  • 121. [CHALLENGES] Deploying apps across Multiple Clouds: CONTENDING WITH A LACK OF APP SERVICES CONSISTENCY AND RELIABILITY ACROSS CLOUDS • Hybrid Cloud • Inconsistent Infrastructure • Inconsistent Cloud-provided Services • New Application Architectures • Complex integration • Platform lock-in • High-cost of HA/perf • Duplication of testing • Application refactoring
  • 122. NGINX Roadmap for Cloud
  • 123. [ROADMAP] Roadmap for Cloud Migration [Diagram labels: Apps • Monitoring • API Management • DevOps Automation • ADC • Dynamic Scaling • Advanced Routing]
  • 124. Your dataplane toolbox
  • 125. [SOLUTIONS] Augment Cloud LB with NGINX Plus ADC: CLOUD LOAD BALANCERS PROVIDE LIMITED ENTERPRISE FUNCTIONALITY [Diagram labels: Service A • Service B • Service C]
  • 126. [SOLUTIONS] Augment Cloud LB with NGINX Plus ADC: CLOUD LOAD BALANCERS PROVIDE LIMITED ENTERPRISE FUNCTIONALITY. Use Amazon Classic or Network Load Balancer for: • Basic TCP or HTTP load balancing to multiple NGINX Plus instances or target application • High-availability load balancing across multiple availability zones • Auto scaling NGINX Plus instances and backend servers. Use Amazon Application Load Balancer for: • Simple Layer 7 routing (path and host) • Integration with other AWS Services such as ECS. Use NGINX Plus for: • Specific SSL/TLS/retry/error/timeout configuration • Advanced Layer 7 routing (e.g. conditional and path-based routing) • Improving performance with content caching • WebSocket, HTTP/2 support • Full gRPC load balancing support • Advanced HTTP health checks • SSO and API authentication with JWT
  • 127. [SOLUTIONS] Augment Cloud LB with NGINX Plus ADC: CLOUD LOAD BALANCERS PROVIDE LIMITED ENTERPRISE FUNCTIONALITY [Diagram labels: Service A • Service B • Service C]
  • 128. [SOLUTIONS] NGINX and Auto Scaling Groups (AWS/Azure): NGINX OPEN SOURCE WORKS WITH CLOUD LOAD BALANCER • Standard architecture when using NGINX OSS • Amazon Classic or Network Load Balancer sits in front of auto scaling group [Diagram labels: Service A • Service B • Service C]
  • 129. [SOLUTIONS] NGINX and Auto Scaling Groups (AWS/Azure): NGINX PLUS PROVIDES MULTIPLE OPTIONS • NGINX Plus can perform dynamic pool configuration • If DNS is not available, use NGINX asg-sync tooling for AWS or Azure [Diagram labels: asg-sync • Service A • Service B • Service C]
  • 130. [SOLUTIONS] AWS and Azure Private Link solutions • Private Link (AWS and Azure) exposes services in consumer VPCs. • Applications have no direct visibility of traffic sources. • NGINX Plus can extract source data and pass to the application. [Diagram labels: Consumer VPCs • Provider VPC]
  • 131. [SOLUTIONS] Multi-Cloud Rate Limiting: WIDE AREA TRAFFIC RATE SYNCHRONIZATION [Diagram: 🚫 41.6.33.9; the entry {"41.6.33.9":"145rps"} appears at each of three instances]
  • 132. [SOLUTIONS] Multi-Cloud SSO: WIDE AREA OPENID CONNECT [Diagram labels: us-west • us-east • Recruiting app (×6) • keyval sync • Identity Provider • OTP • JWT • KV]
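The synchronization sketched on slides 131 and 132 moves rate-limit counters and session key-value entries between clouds, so the sync channel itself needs encryption and peer authentication. An added example, not taken from the deck, using NGINX Plus zone synchronization; every hostname, address, path, zone name and rate below is a placeholder:

```nginx
# Constructed example. zone_sync and the "sync" zone parameter are NGINX Plus features.
events {}

stream {
    resolver 10.0.0.2 valid=20s;            # assumed internal DNS resolver

    server {
        # Cluster-only listener: restrict it at the network layer to peer nodes.
        listen 10.0.0.11:9000 ssl;

        # Accepting side of the sync channel: present a node certificate and
        # require a certificate from every peer (mutual TLS).
        ssl_certificate        /etc/nginx/sync/node.crt;
        ssl_certificate_key    /etc/nginx/sync/node.key;
        ssl_client_certificate /etc/nginx/sync/cluster-ca.crt;
        ssl_verify_client      on;

        zone_sync;
        # Peers are discovered through DNS and re-resolved as nodes come and go.
        zone_sync_server nginx-sync.example.internal:9000 resolve;

        # Connecting side of the sync channel: encrypt, authenticate ourselves,
        # and verify the peer against the cluster CA.
        zone_sync_ssl                     on;
        zone_sync_ssl_certificate         /etc/nginx/sync/node.crt;
        zone_sync_ssl_certificate_key     /etc/nginx/sync/node.key;
        zone_sync_ssl_trusted_certificate /etc/nginx/sync/cluster-ca.crt;
        zone_sync_ssl_verify              on;
        zone_sync_ssl_name                nginx-sync.example.internal;
    }
}

http {
    # Per-client request rate, counted once across every node in the cluster.
    limit_req_zone $binary_remote_addr zone=per_ip:10m rate=100r/s sync;

    # Key-value zone of the kind used to share SSO session state between sites.
    # A synchronized keyval zone must also set a timeout.
    keyval_zone zone=sessions:1M timeout=1h sync;
    keyval $cookie_auth_token $session_jwt zone=sessions;

    upstream app_backend {
        server 10.0.1.10:8080;              # placeholder application server
    }

    server {
        listen 443 ssl;
        ssl_certificate     /etc/nginx/tls/site.crt;
        ssl_certificate_key /etc/nginx/tls/site.key;

        location / {
            limit_req        zone=per_ip burst=20 nodelay;
            limit_req_status 429;
            proxy_pass       http://app_backend;
        }
    }
}
```

Without the TLS directives the sync traffic crosses the inter-cloud link in clear text, and any host that can reach port 9000 could inject counters or session entries.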
  • 133. [CHALLENGES] Deploying apps across Multiple Clouds: CONTENDING WITH A LACK OF APP SERVICES CONSISTENCY AND RELIABILITY ACROSS CLOUDS • Hybrid Cloud • Inconsistent Infrastructure • Inconsistent Cloud-provided Services • New Application Architectures • Complex integration • Platform lock-in • High-cost of HA/perf • Duplication of testing • Application refactoring
  • 134. [SOLUTIONS] Deploying apps across Multiple Clouds: NGINX PROVIDES CONSISTENCY AND RELIABILITY ACROSS CLOUDS • Hybrid Cloud • Consistent Infrastructure • Consistent Services • Enable New Architectures • Rapid Integration • Platform Portability • Automatic HA/perf • Efficient testing • Application re-platform
  • 135. Your universal Management Plane
  • 136. [ROADMAP] Roadmap for Cloud Migration [Diagram labels: Apps • Monitoring • API Management • DevOps Automation • ADC • Dynamic Scaling • Advanced Routing]
  • 137. [MANAGE and CONTROL] Controller for Multi-Cloud App Delivery: WHY IS NGINX CONTROLLER THE PERFECT FIT FOR MULTI-CLOUD USE CASES? • App-Centric: Configuration and visibility aligned to how teams develop applications • Automation Driven API: Automates services deployment across pipelines, reducing overhead & complexity • Fast, Deployable Anywhere: Fastest, most lightweight and deployable across more platforms than anyone • Self-Service: Deliver self service to line of business w/o compromising Enterprise-wide compliance • Workflow Across Teams: Consolidates team workflows and use cases across ADC and API Management
  • 138. [MANAGE and CONTROL] Controller for Multi-Cloud App Delivery: CONSISTENCY: FEATURES CONTROLLER BRINGS ACROSS MULTI-CLOUD. API Management: • Amazon API Gateway • Azure API Management • Google Cloud Endpoints. Infrastructure Monitoring: • Amazon CloudWatch • Azure Monitor • Google Stackdriver. DevOps APIs: • Amazon EC2 API • Azure REST APIs • Google Cloud APIs. NGINX CONTROLLER: CONFIGURE • MONITOR • TUNE
  • 139. [SUMMARY] Application Delivery for Multi-Cloud: MANAGE APP SERVICES IN MULTI-CLOUD. BENEFITS: • Enable the successful migration to Multi-Cloud • Accelerate app services deployments • Ensure reliability and consistency of app policies • Meet demands by flexibly scaling apps and services • Deploy and manage NGINX Plus in any cloud or container environment. NGINX Controller: Manages NGINX Plus instances in any public or private cloud. NGINX Plus: Deploys in any public or private cloud
  • 140. Let’s go Cloud Native!
  • 141. Cloud-Native Apps Require a Modern Architecture. From Monolithic ...: Three-tier, J2EE-style architectures • Complex protocols (HTML, SOAP) • Persistent deployments • Fixed, static Infrastructure • Big-bang releases • Silo’ed teams (Dev, Test, Ops). ... to Dynamic: Microservices • Lightweight (REST, JSON) • Containers, VMs, Functions • Infrastructure as Code • Continuous delivery • DevOps Culture
  • 143. What is Kubernetes?
  • 144. What does this mean in practice? APPLICATION • TECHNOLOGY
  • 145. Who uses Kubernetes in Production? [Chart: 2018, 2019; values shown: 49%, 36%, 27%, 35%] (NGINX User Survey 2018, 2019). What do they run in their containers? NGINX 60% • redis 21% • elastic 14% • node.js 14% • PostgreSQL 14% • go 14% • Apache 12% • Java 12% • RabbitMQ 11% • mongoDB 11% (Sysdig 2019 Container Usage Report)
  • 146. Two key use cases [Compass graphic: N • S • W • E]
  • 147. N/S Networking: Ingress Controllers
  • 148. Kubernetes Architecture [Diagram labels: External Load Balancer (BIG-IP CIS • NGINX • Cloud LB) • NGINX Ingress Controller • Internal Network • Kubernetes Master (API Server • Scheduler • Controller-Manager • etcd) • three Kubernetes Nodes (Kubelet • KubeProxy)]
  • 149. Ingress Controller landscape. Default community options: NGINX Ingress Controller for Kubernetes • Ingress Controller for Google Cloud. Standalone Ingress Controllers: NGINX’s Kubernetes Ingress Controller • F5 K8s BIGIP Ctlr • voyager • Ambassador • Contour. Integrated Ingress Controllers: Kong Ingress Controller • Istio Ingress Controller • Traefik Ingress Controller
  • 150. Popularity of Ingress Controllers - DockerHub. Images: nginx/nginx-ingress • f5networks/k8s-bigip-ctlr • appscode/voyager • amazon/aws-alb-ingress-controller • ibmcom/nginx-ingress-controller • haproxytech/kubernetes-ingress • bitnami/nginx-ingress-controller • datawire/ambassador • projectcontour/contour. Download counts shown: 5m+ • 1m+ • 1m+ • 500k+ • 100k+ • 100k+ • 100k+ • 50k+ • 5m+
  • 151. Summary: What makes NGINX KIC Different? • Development Philosophy: Long-term stability and consistency; avoid breaking backward compatibility • Continual Production Readiness: Every release built and maintained to a supportable, production standard; enterprise grade focus • Security: NGINX is the authoritative source for all components of Ingress Controller • Integrated codebase: Based on native NGINX capabilities and directives; no reliance on 3rd party Lua modules • Support: Award winning support available • 100% App Dev Focused: Building a load balancer for the Apps and DevOps people
  • 152. Ingress Controller Futures
  • 153. Ingress resource – K8s configuration primitive (K8s Ingress resource)

      # First Ingress: TLS for hello.example.com, all paths sent to www-svc
      apiVersion: extensions/v1beta1
      kind: Ingress
      metadata:
        name: hello-ingress
      spec:
        tls:
        - hosts:
          - hello.example.com
          secretName: hello-secret
        rules:
        - host: hello.example.com
          http:
            paths:
            - path: /
              backend:
                serviceName: www-svc
                servicePort: 80
      ---
      # Second Ingress: TLS for api.example.com, all paths sent to api-svc
      apiVersion: extensions/v1beta1
      kind: Ingress
      metadata:
        name: api-ingress
      spec:
        tls:
        - hosts:
          - api.example.com
          secretName: api-ssl-secret
        rules:
        - host: api.example.com
          http:
            paths:
            - path: /
              backend:
                serviceName: api-svc
                servicePort: 80
  • 154. NGINX Ingress Controller future: NGINX Ingress Resource Definitions (alongside the K8s Ingress resource) • Expose more NGINX/NGINX Plus features e.g. TCP, gRPC load balancing, traffic splitting, rate limits… • Easy to use, familiar concepts, familiar processes • Cloud native: support Prometheus, Helm, OpenTracing, mTLS • Special focus on security, stability and self-service
  • 155. NGINX Futures – Cross-namespace (now!) [Diagram: Admin team (frontend-ns) delegates /games/api to Games team (games-ns) and /stats/api to Stats team (stats-ns)]

      # Owned by the admin team: host and TLS secret live in frontend-ns,
      # each path is delegated to a route in another team's namespace.
      apiVersion: k8s.nginx.org/v1alpha1
      kind: VirtualServer
      metadata:
        name: api-fe
        namespace: frontend-ns
      spec:
        host: api.example.com
        tls:
          secret: api-ssl-secret
        routes:
        - path: /games/api
          route: games-ns/games-route
        - path: /stats/api
          route: stats-ns/stats-route
  • 156. NGINX Futures – Cross-namespace (now!) [Diagram: Admin team (frontend-ns) • Games team (games-ns) /games/api • Stats team (stats-ns) /stats/api]

      # Owned by the games team: upstreams and subroutes for the delegated path.
      apiVersion: k8s.nginx.org/v1alpha1
      kind: VirtualServerRoute
      metadata:
        name: games-route
        namespace: games-ns
      spec:
        host: api.example.com
        upstreams:
        - name: games
          service: games-svc
          port: 80
        subroutes:
        - path: /games/api
          upstream: games
  • 157. NGINX Futures – Traffic Splitting (Now / Dec 2019) [Diagram: 90% to webapp-svc-v1 • 10% to webapp-svc-v2]

      upstreams:
      - name: webapp-v1
        service: webapp-svc-v1
        port: 80
      - name: webapp-v2
        service: webapp-svc-v2
        port: 80
      routes:
      - path: /
        splits:
        - weight: 90
          action:
            pass: webapp-v1
        - weight: 10
          action:
            pass: webapp-v2
  • 158. NGINX Futures – Traffic Routing (Dec 2019) [Diagram: default to webapp-svc-v1 • Cookie: debug=true to webapp-svc-v2]

      upstreams:
      - name: webapp-v1
        service: webapp-svc-v1
        port: 80
      - name: webapp-v2
        service: webapp-svc-v2
        port: 80
      routes:
      - path: /
        matches:
        - conditions:
          - cookie: debug
            value: "true"   # quoted so YAML keeps it a string, not a boolean
          action:
            pass: webapp-v2
        # default action when no condition matches
        action:
          pass: webapp-v1
  • 159. E/W Networking: Why a Service Mesh?
  • 160. Modern Apps Require a Modern Architecture. From Monolithic ...: Three-tier, J2EE-style architectures • Complex protocols (HTML, SOAP) • Persistent deployments • Fixed, static Infrastructure • Big-bang releases • Silo’ed teams (Dev, Test, Ops). ... to Dynamic: Microservices • Lightweight (REST, JSON) • Containers, VMs, Functions • Infrastructure as Code • Continuous delivery • DevOps Culture
  • 161. Operating a distributed application is hard. Static, Predictable Monolith: Fast, reliable function calls • Local debugging • Local profiling • Calendared, big-bang upgrades • ‘Integration hell’ contained in dev. Dynamic, Distributed App: Slow, unreliable API calls • Distributed fault finding • Distributed tracing • In-place dynamic updates • ‘Continuous integration’ live in prod. More things can go wrong, it’s harder to find the faults, everything happens live
  • 162. All problems in computer science can be solved by another level of indirection -- David Wheeler, FRS
  • 163. All problems in Distributed Microservices can be solved by another level of Proxies -- Everybody!
  • 164. What does a Service Mesh do? By controlling communications between pods, Service Meshes can do four main things: • Security: End-to-end encryption (Mutual TLS / mTLS) • Traffic Management: Load Balance, Circuit breaker, BG, Rate Limit… • Instrumentation: Measure and accumulate metrics (Prometheus) • Debugging: Generate transaction traces (OpenTracing)
  • 165. How is a Service Mesh implemented? A service mesh is an invisible, autonomous, L7 routing layer for distributed, multi-service applications. Most commonly implemented as a ‘sidecar proxy’. Implementations: • Istio/Envoy • Aspen Mesh • Consul Connect • Linkerd2 • Maesh, Kuma • NGINX Service Mesh • … and many others to follow [Diagram: Services A to D, each with a Sidecar Proxy, on the Service Mesh Network with a Control Plane]
  • 166. [Chart: y-axis: Cost to operate; x-axis: Complexity, Interdependencies, Speed of Change, from “Single simple app” to “Many complex, interdependent apps”; curves: Using native Kubernetes and other services • Using service mesh] As service meshes mature, their cost will go down
  • 167. How to get 75% of the benefit with 20% of the effort
  • 168. How do you use NGINX? “as a Service Mesh” [Chart: 2018, 2019; values shown: 14%, 3%, 6%] (NGINX User Survey 2018, 2019)
  • 169. Production Patterns for Microservices: THERE ARE MULTIPLE, PROVEN PRODUCTION PATTERNS FOR NGINX IN A MICROSERVICE APP • NGINX Ingress Controller • NGINX per-Service Proxy • NGINX per-Pod Proxy • NGINX Simple Mesh Proxy
  • 170. NGINX per-Pod Proxy: Each Pod in Service B has a dedicated proxy. We rely on K8s (kubeproxy) to load-balance traffic to Service B. Use NGINX Per-Pod Proxy: • To intercept traffic to a single pod • Implement access control, metrics and tracing, web app firewall for that service. Complexity: Simple • Single point of configuration, simple • Fully integrated into pod – easy build, test and deployment. Implemented by the App Developer [Diagram labels: A • kubeproxy • B]
  • 171. NGINX per-Service Proxy: When Service A wants to talk to Service B, it talks to the Proxy Service for service B. The proxy can apply specific policies and load balancing. Use NGINX Per-Service Proxy: • To intercept traffic to a specific service • Implement access control, metrics and tracing, web app firewall, smart load balancing for that service. Complexity: Simple • Single point of configuration, simple • Reliable and easily scalable. Implemented by the DevOps Team [Diagram labels: A • B]
  • 172. What about egress traffic? PER-SERVICE AND PER-POD PROXIES ONLY HANDLE INGRESS TRAFFIC INTO A POD • Full control of ingress traffic, entering pod • No control of egress traffic, exiting pod. Why might this be a problem? 1. Cannot automatically apply mTLS. 2. Metrics and traces are generated on server-side, not client-side, so do not measure latency effect of K8s network. Can rely on application to make TLS requests, or rely on overlay network for encryption. K8s Network Policies implement access control
  • 173. Simple Mesh. Ingress Traffic – exactly as the per-Pod proxy configuration. Egress Traffic – application talks to local NGINX IP address, achieved by e.g. DNS manipulation or IP tables. NGINX needs a virtual server for each egress service. Use NGINX Simple Mesh: • When the application only needs to talk to a small, well-known set of external services. Complexity: Not as simple • Need to know all egress targets in advance • Fully integrated into pod – easy build, test and deployment • Challenges when configuration updates are required e.g. SSL certs
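The Simple Mesh pattern from slides 170 to 173, written out as a sidecar configuration: one mTLS-terminating ingress server plus one loopback virtual server per egress target. This is an added example, not from the deck; ports, service names and certificate paths are assumptions:

```nginx
# Constructed example: NGINX running as a sidecar in the same pod as the application.
events {}

http {
    # Ingress (traffic entering the pod), as in the per-Pod proxy pattern.
    # Only callers holding a certificate issued by the mesh CA are accepted.
    server {
        listen 8443 ssl;
        ssl_certificate        /etc/nginx/mesh/pod.crt;
        ssl_certificate_key    /etc/nginx/mesh/pod.key;
        ssl_client_certificate /etc/nginx/mesh/mesh-ca.crt;
        ssl_verify_client      on;

        location / {
            # Pass the verified caller identity to the app; any value the
            # client sent in this header is overwritten.
            proxy_set_header X-Client-DN $ssl_client_s_dn;
            proxy_pass http://127.0.0.1:8080;    # the application container
        }
    }

    # Egress (traffic leaving the pod): one virtual server per egress service.
    # The application is pointed at these loopback ports in clear text and the
    # sidecar adds mTLS towards the remote service.
    server {
        listen 127.0.0.1:9001;                   # egress to service-b

        location / {
            proxy_pass https://service-b.default.svc.cluster.local:8443;
            proxy_ssl_certificate         /etc/nginx/mesh/pod.crt;
            proxy_ssl_certificate_key     /etc/nginx/mesh/pod.key;
            proxy_ssl_trusted_certificate /etc/nginx/mesh/mesh-ca.crt;
            proxy_ssl_verify              on;
            proxy_ssl_server_name         on;
        }
    }

    server {
        listen 127.0.0.1:9002;                   # egress to service-c

        location / {
            proxy_pass https://service-c.default.svc.cluster.local:8443;
            proxy_ssl_certificate         /etc/nginx/mesh/pod.crt;
            proxy_ssl_certificate_key     /etc/nginx/mesh/pod.key;
            proxy_ssl_trusted_certificate /etc/nginx/mesh/mesh-ca.crt;
            proxy_ssl_verify              on;
            proxy_ssl_server_name         on;
        }
    }
}
```

Certificates named by file path are read when NGINX starts or reloads, so rotating them means reloading every sidecar, which is the configuration-update challenge the slide mentions. An egress target with no virtual server here gets no mTLS from the sidecar.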
  • 174. I’m 75%+ of the way there… PER-POD, PER-SERVICE AND SIMPLE MESH PROVIDE 75%+ OF SERVICE MESH FUNCTIONALITY. Table columns: Per-Pod proxy • Per-Service • Simple Mesh • Other. Security: mTLS: Y; Other: mTLS in app, or use overlay network • Access Control: Y Y Y; Other: Or, use K8s network policies. Debugging and Monitoring: Instrumentation: Y Y Y; Other: In the app (though inconsistent) • Tracing: Y Y Y; Other: In the app. Traffic Management: Load Balancing: Y Y; Other: Or, use kubeproxy and deployments • Canary/B&G Release: Y Y; Other: Or, use kubeproxy and deployments • Circuit Breaking: Y Y Y
  • 175. A checklist for readiness. In our assessment, you may benefit from a service mesh once: ✓ You have a mature, fully-automated CI/CD pipeline (GitOps-enabled) ✓ You are deploying frequently to production (at least once per day) ✓ You are fully invested in Kubernetes ✓ You have a zero-trust production environment (so need mTLS) ✓ Your application is complex: 20+ different services, a service graph that is 3 levels deep or more ✓ You have operational maturity and an appetite for risk
  • 176. All problems in computer science can be solved by another level of indirection -- David Wheeler, FRS
  • 177. All problems in computer science can be solved by another level of indirection ... except for the problem of too many layers of indirection -- David Wheeler, FRS
  • 178. Use the minimum technology necessary to solve the problem at hand