Dynamic App Services in Containerized Environments
F5 Government Technology Symposium
Mark Dittmer
Sr Product Management Engineer
Understanding the Container Market and Customer Challenges
• Container environments bring new customer challenges and opportunities for F5
• Organizations are evolving and apps are transforming
• Container adoption driven by agile app dev., DevOps teams using microservices, and faster time to market
2000
• Long lived
• Monolithic and built on a single stack
• Deployed to a single server
2018
• Development is iterative and constant
• Built from loosely coupled components
• Deployed to a multitude of servers
• Cloud is here:
• Currently 85% Multi-Cloud
• 41% of workloads in cloud
• Benefits: Faster infrastructure, greater scalability
• 53% optimizing clouds, 52% moving workloads to clouds
• Modular application construction is now dominant
• Emergence of development integrated with operations
• Shared ownership of applications is beginning to take root
• Automation is key
• Containerized “microservices” gaining popularity
• Orchestration is part of the application landscape
• Kubernetes, OpenShift, Cloud Foundry, Mesos
• Analytics now built into applications
| | Gen 0: Hardware | Gen 1: Virtualized | Gen 2: Cloud | Gen 3: Resource Pool |
| --- | --- | --- | --- | --- |
| Data Center Provides | Hardware server running single service/app | Virtualized server running single service/app | Self-serve virtualized server running single service/app | Pools of CPU, memory, storage + PaaS Framework |
| Automation | None | Little | Mixed | 100% |
| Service Creation Time | Weeks/Ticket | Days/Ticket | Minutes/Self-Serve + Autoscale | Sub-second |
| Service Lifetime | Years | Years | Months/Years | Seconds |
| Key Products | Dell, HP, BIG-IP Hardware | VMWare, Xen, BIG-IP VE | AWS, OpenStack, Cisco ACI | Kubernetes, OpenShift, Mesos, Docker |
• Lightweight alternative for app development
• App runs without guest VMs
• Portability: Easy lift and shift to clouds or vice versa
Review Using Docker Container Technology with F5 Products and Services on F5.com.
• 2016: 8% deployed, 76% eval.
• 2017: 45% deployed, 55% eval.
• Future: containers become dominant AppDev platform
• How can I support new container environments?
• How do I support DevOps’ needs for speed and agility?
• How do I respond to constant requests for container app services?
• How can I maintain compliance across container environments?
• How can I secure containers without upfront IT investments?
• How can I drive operational and cost efficiencies?
Rethink Container Environments with F5
App Services
• Learn about container environments to help you recommend the best solutions
• Understand the new application architectures
• F5 Dynamic App Services for Containerized Environments enables self-services and automation for DevOps process
Transition Is A Continuum - Models Will Co-Exist
[Diagram: NetOps Centric Architecture beside DevOps Centric Architecture. Labels: Internet, ADC, Monolithic Application, Automation, Orchestration, Container Formats, Physical/Virtual Infrastructure (Network, Compute, Storage); DOCKER, RKT, CHEF, PUPPET, ANSIBLE, MESOS, REDHAT OPENSHIFT, KUBERNETES, OSV.]
App Disruption: New Architectures
Container Environments
• Open-Source app development environments
• Enhanced agility and scaling
• Platform independence & portability - containers can be transferred between public and private clouds
Container-as-a-Service (CaaS)
• Provide container engines, orchestration tools and compute resources
• Requires the developer to package software into containers
Platform-as-a-Service (PaaS)
• Platform automatically packages software into containers and provides compute resources
• Allows developers to focus on writing code for greater agility
Examples:
• Application data exchange
• VM-to-VM, Container traffic
• API traffic
Generally speaking:
• Machine-to-machine
• Application-to-application
• Disaggregated service bus
Application Services North-South Traffic
Application Services Across Containers and PaaS
Container Environment
Orchestration
Generally speaking:
• Traffic across network
• Client to app server
• Front-door services
Examples:
• App Services
• Into containers
• ADC and Ingress Control
ADC
Ingress Point
“Ingress” = HTTP routing:
• Currently defined as only HTTP routing (L7)
• Kubernetes/OpenShift Resource
• Handled by Ingress Controller:
  • Container Connector + BIG-IP
“ingress” = Access into the container environment:
• L4 traffic
• UDP traffic management
• Non-HTTP L7 routing
• Handled by ingress controller:
  • Container Connector + BIG-IP
What’s the difference?
“Ingress” (capitalized) can refer to HTTP routing or to a collection of rules for reaching the cluster services; “ingress” (lowercase) refers to inbound connections, app load balancing, programmability and security services.
Introducing Dynamic App Services for Containerized and PaaS Environments
• Native open-source integration in container environments for F5 BIG-IP Ingress control
• Enable self-service selection in orchestration for app services
• Scale and secure apps through automated event discovery and service insertion
F5 Container Connector
© 2018 F5 Networks
• Reduced hops/latency - Route traffic directly to application front end
• Enable IPv6 clients to use IPv4 containerized applications
• Apply advanced services such as WAF and DDoS mitigation
• TLS Offload – Re-encrypt with self-signed certificates
• Leverage advanced traffic management capabilities:
• LBing methods, health monitors, programmability etc.
• Application acceleration
• Hybrid Container/VM
• External Service Endpoints or
• VIP-targeting-VIP
Service Mesh
Enterprise Service Mesh Built on Istio
THEN NOW
FORWARD PROXY
REVERSE PROXY
SIDECAR PROXY
Building a Service Mesh
A SERVICE MESH
A network of sidecar proxies that form a reliable method of scale that includes:
• Circuit breakers
• Auto-Retries
• Health monitoring
• HTTP Routing
The Aspen Mesh – Contacts and Distribution
Aspen Mesh is a fully supported enterprise service mesh that provides observability, analytics and security success on your microservices journey.
Highlighting F5 Application Services for Containers
F5 Container Connector for RedHat OpenShift
F5 BIG-IP Load Balancer
[Diagram: External Requests reach the F5 BIG-IP Load Balancer in front of the OpenShift Masters and Nodes (RHEL VMs on a Hypervisor, with Persistent Storage).]
Outbound-VIP 0.0.0.0.0 SNAT
ocp3-master-vip.lab.fp.f5net.com
VIP – OpenShift-Master
Pool List – ocp3-master ocp3-master1:8443 ocp3-master2:8443 ocp3-master3:8443
192.168.200.X
[Diagram: User traffic passes through BIG-IP Application Performance and Security Services, with Visibility and Analytics and the Container Connector integration, to the Apps on Node 1 and Node 2 of the Container Environment under Container Orchestration.]
[Diagram: BIG-IP pair addressing for the Container Environment (Node 1, Node 2, Orchestration); interfaces 1-1 and 1-2 on each BIG-IP.]
f5-bigip-node01: VM Network 10.192.75.82, Internal 192.168.200.82, vxlan 10.129.6.82
f5-bigip-node02: VM Network 10.192.75.83, Internal 192.168.200.83, vxlan 10.130.4.83
f5-bigip-float 192.168.200.84, vxlan-float 10.128.6.84, tunnel openshift_vlan
tunnel openshift_vlan local address 192.168.200.84 secondary address 192.168.200.82
tunnel openshift_vlan local address 192.168.200.84 secondary address 192.168.200.83
F5 Container Connector
oc get hostsubnet
NAME               HOST              HOST IP          SUBNET
f5-bigip-float     f5-bigip-float    192.168.200.84   10.128.6.0/23
f5-bigip-node01.   f5-bigip-node01   192.168.200.82   10.129.6.0/23
f5-bigip-node02.   f5-bigip-node02   192.168.200.83   10.130.4.0/23
Showcase F5 Solutions in Container Environments
Kubernetes, Red Hat OpenShift, Pivotal Cloud Foundry, and Mesos
• Showcase the value of F5 integrations to container orchestration
• Highlight F5 container integrations to Kubernetes, Red Hat OpenShift, Pivotal Cloud Foundry, and Mesos
• Stress data stream export in a Splunk or SIEM compatible format for visibility and analytics
• Share the value of container integration solutions focus
Dynamic App Services Across Kubernetes or OpenShift
Integrate and enable container app services in Kubernetes or OpenShift
• Easily configure ingress control on BIG-IP with app routing, automatic traffic policy creation, and health monitoring
• Enables app routing, availability, and scale across Kubernetes container environments
• Subscribes to Kubernetes or OpenShift events to automatically create, scale, or remove app performance and security services
• Traffic visibility via data stream export for analytics review
[Diagram: App Services Across Network. F5 BIG-IP App Performance and Security Services, Visibility and Analytics, and F5 Container Connector with Orchestration in front of Kubernetes or OpenShift Node 1 and Node 2.]
Tip: Your SEs have access to blueprint environment in UDF for Kubernetes or OpenShift demos
Rapid App Services Selection in Kubernetes
• Automated discovery and services insertion
• Scale apps and enable security services
Scale and secure container apps in Pivotal Cloud Foundry PaaS
• Easily configure ingress control on BIG-IP with app routing, SSL, automatic policy creation, and health monitoring
• Subscribes to Cloud Foundry routes to automatically scale app traffic with Layer 7 policies
• Deploy app performance faster with pre-defined policy templates on BIG-IP
• Traffic visibility via data stream export for analytics review
[Diagram: Application Services Across Network. F5 BIG-IP App Performance and Security Services, Visibility and Analytics, and F5 Container Connector with Orchestration in front of Pivotal Cloud Foundry Node 1 and Node 2, each with a GoRouter.]
Enable app self-services and automation in Mesos
• Improve app availability through integration with existing native Mesos container app workflows
• Scale app performance with BIG-IP across network with app routing, programmability, and monitoring
• Enable security services – access control, app encryption and protection
• Gain end to end visibility and analytics by exporting data metrics from BIG-IP
[Diagram: App Services Across Network. F5 BIG-IP App Delivery and Security Services, Visibility and Analytics, and F5 Container Connector with Marathon Orchestration in front of a Mesos Cluster.]
Tip: Your SEs have access to blueprint environment in UDF for Mesos demos
• Automated discovery and services insertion
• Scale apps and enable security services
• Enables end-to-end visibility, analytics, and insights for fast resolution of container traffic anomalies
• Export data stream from BIG-IP
[Diagram: F5 CONTAINER CONNECTOR, SERVICE MESH, VISUALIZATION AND ANALYTICS, PROGRAMMABILITY AND INTEGRATION. Labels: Container Connector, Application Services Proxy, F5 BIG-IP, F5 iRules LX, F5 DevCentral, REST API, Location, Future, (End of Sale May 31, 2018).]
Containers: Strengths, Weakness, F5’s Value

Mesos / Mesosphere
Strengths: Integrated internal traffic management (using HAProxy), their preference is to partner with F5 as we increase deal velocity.
Weakness: Overall traffic management capabilities needed from front-end traffic management are limited. No SSL offload to HW, limited LB methods, limited as the Ingress point (HAProxy at the heart), no DDoS protection, etc.
F5’s Value: Through the Container Connector we integrate the BIG-IP fronting the containerized environment to provide the rich set of application delivery/performance services we offer – the set of services our customers really want.

Kubernetes
Strengths: Integrated internal traffic management (using IP Tables). Leading container environment with industry moving toward standardizing on.
Weakness: Overall traffic management capabilities needed from front-end traffic management are limited. No SSL offload to HW, limited LB methods, no DDoS protection, etc.
F5’s Value: Through the Container Connector we integrate the BIG-IP fronting the containerized environment to provide the rich set of application delivery/ingress control services we offer – the set of services our customers really want.

RedHat OpenShift
Strengths: Integrated internal traffic management (using IP Tables). Full Platform as a Service (PaaS) stack. Strong RedHat and F5 partnership sharing deals. Container Connector is referenced on the RedHat Marketplace.
Weakness: Overall traffic management capabilities needed from front-end traffic management are limited. No SSL offload to HW, limited LB methods, no DDoS protection, etc.
F5’s Value: Through the Container Connector we integrate the BIG-IP fronting the containerized environment to provide the rich set of application delivery/ingress control services we offer – the set of services our customers really want.

Pivotal Cloud Foundry
Strengths: Integrated internal traffic management (using Go Router). Container Connector is referenced on the Pivnet marketplace.
Weakness: Overall traffic management capabilities needed from front-end traffic management are limited. No SSL offload to HW, limited LB methods, no DDoS protection, etc.
F5’s Value: Through the Container Connector we integrate the BIG-IP fronting the containerized environment to provide the rich set of application delivery/ingress control services we offer – the set of services our customers really want.

Docker DC/ Swarm
Strengths: Integrated internal traffic management (using L3 routing)
Weakness: Overall traffic management capabilities needed from front-end traffic management are limited. No SSL offload to HW, limited LB methods, no DDoS protection, etc.
F5’s Value: Future Integration
How Customer Obtains F5
• Services: Select a variety of F5 services and support options to help customers succeed
• Platforms: Create great customer value with blended platform options for pull through revenue
• Licensing: Choose flexible options for BIG-IP across Good, Better, and Best offerings
• Simplified Container Integrations ordering by selecting no charge solutions for quick adoption
• Clouddocs.f5.com
• Kubernetes Concepts
Good, Better, Best Platforms
F5 physical ADCs
High-performance w/dedicated hardware
Physical ADC is best for:
• Fastest performance
• Highest scale
• SSL offload, compression, and accelerated DoS mitigation
• An all F5 solution: integrated HW+SW
• Edge and ingress control front door services
• Purpose-built isolation for application delivery workloads
• iSeries have FPGA based TurboFlex for chip-level customization
Physical + virtual = hybrid ADC infrastructure
Ultimate flexibility and performance
Hybrid ADC is best for:
• Transitioning from physical to virtual and private data center to cloud
• Cloud bursting
• Splitting large workloads
• Tiered levels of service
• Private Cloud
F5 Virtual Editions
Provide flexible deployment options for virtual environments and the cloud
Virtual ADC is best for:
• Accelerated deployment
• Maximizing data center efficiency
• Private and public cloud deployments
• Application or tenant-based pods
• Keeping security close to the app
• Lab, test, and QA deployments
• License Management with BIG-IQ
[Figure: platform lineup across Physical, Hybrid and Virtual. Physical: i2000 series*, i4000 series, i5000 Series, i7000 Series, i10000/i11000 Series, VIPRION 2200, VIPRION 2400, VIPRION 4480, VIPRION 4800. Virtual: 25M, 200M, 1Gbps, 3Gbps, 5Gbps, 10Gbps.]
*i2600 does not support GBB
Note: iSeries does not support AAM module