Equinix Product Readiness - Spotlight on Network Edge - Functional Learning Demos
F5 BIG-IP and Equinix SmartKey for Multi-cloud

Posted on 13-Aug-2020

TRANSCRIPT


In this demo we will be showcasing the F5 BIG-IP with native connectivity to the Equinix SmartKey HSM in the Equinix Cloud Exchange. We'll also be showing F5 Service Discovery in three public clouds. We're going to demonstrate importing an RSA key into the SmartKey UI, configuring BIG-IP to use SmartKey, and how to use F5 Service Discovery to update back-end apps in the public cloud.

We start by looking at the demo scenario. The first building block will be in an Equinix facility which provides internet connectivity. The F5 BIG-IP will be our demarcation point, and the private key for its certificate will be stored in the Equinix SmartKey HSM. The HSM will perform the private-key operations of the TLS handshake without the key ever leaving the HSM itself. The backend servers will be in the public clouds, reached over the low-latency Equinix Cloud Exchange (ECX). The BIG-IP has a wide range of functionalities from Layer 4 to advanced Layer 7 features, which SSL/TLS termination makes possible. The F5 Silverline managed DDoS service can also be integrated for the most effective anti-DDoS protection.

We will now deploy a VPC in each cloud provider. The same physical links into the ECX are shared to reach the different cloud providers. On the cloud provider side, we will configure logical routers in each VPC. VLANs are typically used to connect the F5 with the logical routers. When we use redundant logical paths to the cloud providers, BGP is required. We will also enable Service Discovery, which can automatically populate the pool members without any user reconfiguration. This handles scaling in and scaling out of the backend applications.

The first step is to set up the private key in SmartKey. In this demo, we will use the UI and we will upload the key manually. The name of the key is the security object name, plus the .key extension. We assign it to a group, which is what makes it visible to the applications that will use it. And finally, we will import it as a base64-encoded RSA key. Disable export on the key to reduce risk: once the key is marked non-exportable it cannot be pulled out of the HSM by any operator or application. And we're done.



Next we will configure the F5 BIG-IP so it can make use of SmartKey. The key stored in the SmartKey HSM is used just like a regular key: when importing it into the BIG-IP we only indicate that the key is stored in a network HSM and select the right partition. The key itself never leaves the SmartKey HSM.

Next, we need to import the certificate as well. The public certificate, unlike the private key, can be stored directly on the F5 BIG-IP without reducing the security level. We keep the certificate name consistent with the name of the private key, so that the system matches the two.

Moving forward, we'll create a service that uses the SmartKey-backed key. We will use Application Services 3 (AS3) to create a full service configuration with a single REST call, including the SSL/TLS configuration and Service Discovery. To submit the AS3 REST call that configures the BIG-IP, we use the Postman utility. Let's look at the JSON file. The Tenant element defines a partition, and the Service_HTTPS class defines the virtual server and its TLS settings, which is where the SmartKey HSM key is used.


Service Discovery is actually configured in the pool, where we will have three member sets, one for each public cloud: AWS, Azure, and GCE. The VMs assigned to the pool are selected by the tag key and tag value we configured. We are ready to submit our service definition, and after a few seconds the operation is completed; the return code is OK, which indicates that the configuration was successful.
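The AS3 declaration and REST call described in the two paragraphs above, as an added example that is not code from the Equinix/F5 demo: it builds the declaration (tenant, Service_HTTPS with the HTTP-to-HTTPS redirect, a certificate object that references the network-HSM key already imported on the BIG-IP, and a pool with one Service Discovery member set per cloud), POSTs it to the BIG-IP's AS3 endpoint with the Python standard library instead of Postman, and checks every per-tenant result code rather than just the HTTP status. The tenant, application and object names, the VIP address, the tag key f5-pool, the regions, the schema version and the management host and credentials are assumptions; the cloud credentials are placeholders.

```python
"""Added example (not from the Equinix/F5 demo): AS3 declaration for the
SmartKey-backed HTTPS service with multi-cloud Service Discovery, plus the
REST submission and a strict result check. Names, addresses, regions and the
schema version below are assumptions; cloud credentials are placeholders."""
import base64
import json
import ssl
import urllib.request

TAG_KEY = "f5-pool"     # assumption: the demo does not name its tag key
TAG_VALUE = "enabled"   # the demo flips this to "disabled" to drain a VM


def discovery_member(provider, **provider_fields):
    """One Service Discovery member set. AS3 polls the provider API every
    updateInterval seconds and replaces the members with every VM that
    carries TAG_KEY=TAG_VALUE; provider-specific credentials are passed in."""
    member = {
        "servicePort": 443,
        "addressDiscovery": provider,   # "aws", "azure" or "gce"
        "tagKey": TAG_KEY,
        "tagValue": TAG_VALUE,
        "updateInterval": 10,
        "credentialUpdate": False,
    }
    member.update(provider_fields)
    return member


def build_declaration(tenant="SmartKeyTenant", vip="203.0.113.10"):
    """Tenant == BIG-IP partition. The certificate and key are referenced by
    their /Common names: the .key object was imported as a network-HSM key,
    so the BIG-IP holds only a handle to the SmartKey partition, not key bits."""
    return {
        "class": "AS3",
        "action": "deploy",
        "persist": True,
        "declaration": {
            "class": "ADC",
            "schemaVersion": "3.10.0",
            "id": "smartkey-multicloud-demo",
            tenant: {
                "class": "Tenant",
                "webapp": {
                    "class": "Application",
                    "template": "https",
                    "serviceMain": {
                        "class": "Service_HTTPS",
                        "virtualAddresses": [vip],
                        "redirect80": True,   # the second, HTTP->HTTPS VIP
                        "pool": "web_pool",
                        "serverTLS": "web_tls",
                    },
                    "web_tls": {
                        "class": "TLS_Server",
                        "certificates": [{"certificate": "web_cert"}],
                    },
                    "web_cert": {
                        "class": "Certificate",
                        "certificate": {"bigip": "/Common/smartkey-demo.crt"},
                        "privateKey": {"bigip": "/Common/smartkey-demo.key"},
                    },
                    "web_pool": {
                        "class": "Pool",
                        "monitors": ["https"],
                        "members": [
                            discovery_member("aws", region="us-west-2",
                                             addressRealm="private",
                                             accessKeyId="AWS_KEY_ID",
                                             secretAccessKey="AWS_SECRET"),
                            discovery_member("azure", resourceGroup="rg-demo",
                                             subscriptionId="SUB_ID",
                                             directoryId="DIR_ID",
                                             applicationId="APP_ID",
                                             apiAccessKey="APP_SECRET"),
                            discovery_member("gce", region="us-west1",
                                             encodedCredentials="GCE_JSON_B64"),
                        ],
                    },
                },
            },
        },
    }


def deploy(declaration, host, user, password, verify_tls=True):
    """POST the declaration to the AS3 endpoint and return the parsed reply."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}/mgmt/shared/appsvcs/declare",
        data=json.dumps(declaration).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab BIG-IP with a self-signed management certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=120) as resp:
        return json.load(resp)


def results_ok(response):
    """AS3 returns one result per tenant; anything but all-200 is a failure."""
    results = response.get("results", [])
    return bool(results) and all(r.get("code") == 200 for r in results)


if __name__ == "__main__":
    print(json.dumps(build_declaration(), indent=2))
```

Because the member sets embed cloud API credentials, treat the declaration file like any other secret: store it encrypted, keep it out of version control, and scope each cloud credential to read-only instance/tag listing, which is all discovery needs.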

Let's check the configuration in the BIG-IP itself. We can see that a new partition has been created which contains two virtual servers: the main one with the expected SSL profiles, and a second VIP that is a simple HTTP to HTTPS redirection for convenience. We can see that Service Discovery has found four VMs.

We now take a look at a pool member update with cloud Service Discovery. We log into the AWS console, go to EC2 to access the VMs, and select one running VM to edit its tags. We change the tag value from enabled to disabled. When we switch back to the F5 UI, we can see that the Service Discovery process has automatically taken the disabled member out of the pool.


© 2019 Equinix, Inc.

If we use a browser and point to the VIP, we can see the application is up and running and it works just as expected. We refresh the page to generate a few requests and create some activity in the HSM, then verify that activity in the SmartKey audit trail, where we can see both the cryptographic operations performed for the TLS handshakes and the management operations.

And with this we conclude our demo. We hope that you find it useful, and many thanks for your attention.