MMC3406BUS · 2019-06-27
TRANSCRIPT
#VMworld #MMC3406BUS
Cloudy Days Ahead!! Leverage F5 to provide application continuity and consistent security policy provisioning and enforcement in an inter-cloud world.
VMworld 2017 Content: Not for publication or distribution
CLOUD
VIRTUALIZATION
WAN
LAN
Sales on Cyber Monday increased 12.1 percent over the prior year, to $3.45 billion, according to Adobe Digital Insights. That handily topped the firm's projection for 9.4 percent growth, despite greater-than-expected sales on Black Friday.
SECURITY PERFORMANCE AVAILABILITY
• Multiple entry points
• Consistent security policies
• Authentication
• Data security
• DDOS Mitigation
Firewall
Application Security
Identity and Access
DDoS Protection
Secure Web Gateway
• Multiple entry points
• Application accessibility
ADC
Local Load Balancing
Global Load Balancing
Application Performance
Application Proxies
SECURITY AVAILABILITY PERFORMANCE
ADC
Firewall
Application Security
Identity and Access
DDoS Protection
Local Load Balancing
Global Load Balancing
Application Performance
Secure Web Gateway
Application Proxies
Site 1 – Palo Alto, CA | Site 2 – San Jose, CA
[Diagram: cross-vCenter NSX topology. Site 1 runs NSX Manager 1 (Primary) with vCenter1; Site 2 runs NSX Manager 2 (Secondary) with vCenter2; a management vCenter and a Universal Controller Cluster serve both. Each site has Compute Cluster 1, Compute Cluster 2 and an Edge Cluster on a Compute VDS and an Edge VDS. A Universal Transport Zone carries the Universal Distributed Firewall (UDFW) and a Universal Distributed Logical Router (UDLR) with a Universal Control VM; Universal Transit is 172.39.39.0/28. Universal logical switches: Web/App/DB 172.20.1.0/24, 172.20.2.0/24, 172.20.3.0/24 and Web2/App2/DB2 172.20.8.0/24, 172.20.9.0/24, 172.20.10.0/24, advertised as the summary route 172.20.0.0/20. Edge Cluster1 and Cluster2 peer iBGP (BGP weight 60 and BGP weight 30 respectively) and eBGP upstream. Per-host ESXi addressing and edge uplink VLANs 279/280 and 379/380 omitted.]
Laptop
1. DNS Request
2. DNS Return IP in PA or SJ
3. Client Connects to ESG VIP
4. ESG LBs to application
Site 1 – Palo Alto, CA | Site 2 – San Jose, CA
[Diagram: the same cross-vCenter NSX topology (NSX Manager 1 Primary / NSX Manager 2 Secondary, Universal Controller Cluster, UDFW, UDLR, Universal Transit 172.39.39.0/28, Universal Web/App/DB and Web2/App2/DB2 segments summarised as 172.20.0.0/20, Edge Cluster1 and Cluster2 with iBGP weights 60 and 30 and eBGP upstream) with F5 added. At each site a BIG-IP Local Traffic Manager VE HA pair has management addresses, Internal (Web) self IPs plus an Internal Floating IP (Web) on the Universal Web2 segment 172.20.8.0/24, a dedicated HA /30, and External (Edge) self IPs plus an External Floating IP (Web) on the site's edge VLAN (10.100.9.0/28 at Site 1, 10.200.9.0/28 at Site 2). A BIG-IP DNS VE at each site has a management address and a dataplane address on the site's 10.x00.1.0/24 network. Per-device addresses omitted.]
Laptop
1. DNS Request
2. Intelligent DNS response
3. Client Connects to LTM VIP
4. LB to local application
[Diagram: logical view across the Universal Transport Zone: Laptop, a BIG-IP Local Traffic Manager VE and a BIG-IP DNS VE at each site, server pools behind them, and the Universal Distributed Firewall (UDFW) in the path.]
Built on BIG-IP Application Security Manager (ASM)
VIPRION Platform | BIG-IP Platform | BIG-IP Virtual Edition | F5 Silverline WAF
Proven security effectiveness as a convenient cloud-based service
[Diagram: F5 Silverline WAF in the cloud, sitting between legitimate users and attackers on one side and web apps hosted in public cloud, private cloud and physical data centres on the other; Web Application Firewall Services; VA/DAST scans, with policy that can be built from 3rd-party DAST.]
L7 Protection: geolocation attacks, DDoS, SQL injection, OWASP Top Ten attacks, zero-day threats, AJAX applications, JSON payloads
Service Deployment Tiers
Express (Self-service):
• Per-FQDN pre-configured policies
• Load balancing
• Self-service portal
• Email, phone 24x7
• Support for what’s in the portal: portal-based policy deployment
Managed (Full-service), everything in Express plus:
• Tailored policies
• Policies from VA/DAST scans
• Violation reviews
• 24x7 full SOC analyst access
• Service customization
[Diagram: BIG-IP VE delivering Security Services and Availability]
Challenges: Requiring consistent app services across cloud services
Deliver high availability across all public cloud environments:
• Search your public cloud, discover apps (AWS), and securely connect
• Simplify deploying pure in-cloud deployments of the full stack
• Enable app services insertion across hybrid environments
• Leverage virtual app services for replication
• Virtual local and global app delivery services across VPCs
[Diagram: User reaching AWS (online services, Gov. cloud, data repository) and Azure (online services, Gov. cloud, data repository), each VPC fronted by an AC / LTM instance; only common-stack app configurations across cloud services; "Born in the Cloud".]
EtherIP over IPSec
Secure L2 between Data Centres
[Diagram: two BIG-IPs, each with VLAN GROUP_1 spanning interface 1.1 (INTERNAL) and 1.2 (EXTERNAL), a forwarding virtual server (FWD_VS) and an EtherIP_Tunnel endpoint; the EtherIP tunnel is carried inside an IPsec tunnel between the data centres. Hosts at either end share the stretched 10.128.1.x L2 segment. Static routes: 10.10.40.0/24 via gateway 10.10.30.1 on one side, 10.10.30.0/24 via gateway 10.10.40.1 on the other. Host MAC addresses omitted.]
Direct Connect / Interconnect Offerings
[Diagram: Customer DC1 and Customer DC2 (Corp Users, Security Services) connected through interconnect provider cages (Security Services, BIG-IP) to VPCs in AWS, Azure and others; some VPCs host BIG-IP VE Security Services; End Users reach the apps through BIG-IP.]
• Cloud Interconnect: App Delivery deployed within interconnect provider facilities
• Lift and Shift: Traditional datacenters' App Delivery services with workloads in cloud
• Born in Cloud: Virtual App Delivery within a services VPC delivering services
[Diagram: User reaching workloads in Amazon AWS, Rackspace, Azure and IBM SoftLayer through a BIG-IP. Key: encryption keys stored centrally (not in the cloud instances).]
Reduced attack surface – no visible public IP addressing
Workload nodes can be autodiscovered by the proxy instance
• Independent of network configuration
- Deals gracefully with overlapping IP space
• Allows sensitive encryption keys to be stored outside the cloud environment
- Can leave “serverssl none” towards the node and traffic is protected until it gets into the environment
• Hides original environment entirely from clients
- Does not require mapping to public IPs in the CSP
- Significantly reduces potential attack surface
• Keeps BIG-IP configuration automatically notified of changes within the environment
BIG-IP side
• Delivered as iAppLX package
• GUI for configuration of “Service Center”
- Visually represents discovered items within the environments that have registered
- Allows registration of the proxy instances
• Allows full interaction via REST APIs
Cloud side
• Delivered as instance image, container, agent (future)
• Easy to configure via GUI, REST API
- “To which service centers should I attach?”
- “Do I automatically or manually publish what’s nearby?”
Configuration
[Diagram: BIG-IP Service Center with registered cloud proxies AWS1, AWS2 and AZ1, each publishing discovered nodes (1, 2) that appear on the BIG-IP as %AWS1, %AWS2 and %AZ1.]
• Based on open standards (WebSockets, SOCKS, TLS)
• Automates creation of BIG-IP-side objects
• Cloud Proxy inside cloud environment can be rendered as instance, container, or agent