mmc3406bus cloudy days ahead!! distribution publication or · 2019-06-27 · servers servers...

MMC3406BUS

#VMworld #MMC3406BUS

Cloudy Days Ahead!! Leverage F5 to provide application continuity andconsistent security policy provisioning and enforcement in an inter-cloud world.VMworld 2017 Content: N

ot for publicatio

n or distribution

Cloudy Days Ahead!! Leverage F5 to provide application continuity and

consistent security policy provisioning and enforcement in an inter-cloud world.

VMworld 2017 Content: Not fo

r publication or distri

bution

CLOUD

VIRTUALIZATION

WAN

LAN



bution



bution

Sales on Cyber Monday increased 12.1 percent over the prior year, to

$3.45 billion, according to Adobe Digital Insights. That handily topped

the firm's projection for 9.4 percent growth, despite greater-than-

expected sales on Black Friday.



bution



bution

SECURITY PERFORMANCEAVAILABILITYVMworld 2017 Content: Not fo


bution

• Multiple entry points

• Consistent security policies

• Authentication

• Data security

• DDOS Mitigation

FirewallApplication

Security

Identity and Access

DDoSProtection

Secure Web

Gateway



bution

• Multiple entry points

• Application accessibility

ADCLocal LoadBalancing

Global Load Balancing

Application Performance

Application

Proxies



bution



bution

SECURITY AVAILABILITY PERFORMANCE

ADC

FirewallApplication Security

Identity and Access

DDoSProtection

Local LoadBalancing

Global Load Balancing

Application Performance

Secure Web

Gateway

Application

Proxies



bution



bution

Site1–PaloAlto,CA Site2–SanJose,CA

Site1NSXManager1

Primary

Site2NSXManager2

Secondary

vCenter1 vCenter2

Universal

Controller

Cluster

CompueCluster1 CompueCluster2 EdgeCluster

MgmtvCenter


UniversalTransportZone

UniversalDistributedFirewall(UDFW)

ComputeVDS EdgeVDS ComputeVDS EdgeVDS

UniversalDistributedLogicalRouter(UDLR)

UniversalTransit:172.39.39.0/28

.1 .2

Universal

ControlVM

.14

VLAN279

10.100.9.2/28VLAN280

10.100.11.2/28

VLAN379

10.200.9.2/28VLAN380

10.200.11.2/28

.1 .1.1 .1

ESXi1-1:10.100.0.50/24

ESXi1-2:10.100.0.51/24ESXi1-3:10.100.0.52/24 ESXi1-4:10.100.1.51/24

ESXi1-5:10.100.1.52/24

ESXi1-6:10.100.1.53/24

ESXi2-1:10.200.0.50/24

ESXi2-2:10.200.0.51/24ESX2-3:10.200.0.52/24 ESXi2-4:10.200.1.51/24

ESXi2-5:10.200.1.52/24

ESXi1-6:10.200.1.53/24

UniversalWeb2:172.20.8.0/24

.1 .2

UniversalApp2:172.20.9.0/24

UniversalDB2:172.20.10.0/24

.1

.1

UniversalWeb:172.20.1.0/24

UniversalApp:172.20.2.0/24

UniversalDB:172.20.3.0/24

.254 .254 .254.254 .254.254

.1

.1

.1

SummaryRoute:

172.20.0.0/20

10.100.1.71/2410.100.1.72/24 10.200.1.71/2410.200.1.72/24

10.100.1.73-74/24

Cluster1 Cluster2

iBGP

BGPWeight:60

iBGP

BGPWeight:30

eBGPeBGP

Laptop

1. DNS Request

2. DNS Return IP in PA or SJ

3. Client Connects to ESG VIP

4. ESG LBs to application



bution

Site1–PaloAlto,CA Site2–SanJose,CA

Site1NSXManager1

Primary

Site2NSXManager2

Secondary

vCenter1 vCenter2

Universal

Controller

Cluster


MgmtvCenter




ComputeVDS EdgeVDS ComputeVDS EdgeVDS

UniversalDistributedLogicalRouter(UDLR)

UniversalTransit:172.39.39.0/28

.1 .2

Universal

ControlVM

.14

VLAN279

10.100.9.2/28VLAN280

10.100.11.2/28

VLAN379

10.200.9.2/28VLAN380

10.200.11.2/28

.1 .1.1 .1

ESXi1-1:10.100.0.50/24

ESXi1-2:10.100.0.51/24ESXi1-3:10.100.0.52/24 ESXi1-4:10.100.1.51/24

ESXi1-5:10.100.1.52/24

ESXi1-6:10.100.1.53/24

ESXi2-1:10.200.0.50/24

ESXi2-2:10.200.0.51/24ESX2-3:10.200.0.52/24 ESXi2-4:10.200.1.51/24

ESXi2-5:10.200.1.52/24

ESXi1-6:10.200.1.53/24

UniversalWeb2:172.20.8.0/24

.1 .2

UniversalApp2:172.20.9.0/24

UniversalDB2:172.20.10.0/24

.1

.1

UniversalWeb:172.20.1.0/24

UniversalApp:172.20.2.0/24

UniversalDB:172.20.3.0/24

.254 .254 .254.254 .254.254

.1

.1

.1

SummaryRoute:

172.20.0.0/20

10.100.1.71/2410.100.1.72/24 10.200.1.71/2410.200.1.72/24

10.100.1.73-74/24

Cluster1 Cluster2

iBGP

BGPWeight:60

iBGP

BGPWeight:30

eBGPeBGP

Mgmt:10.200.1.80 Mgmt:10.200.1.81Internal(Web):172.20.8.248 Internal(Web):172.20.8.249

HA:172.90.90.2/30

InternalFloa?ngIP(Web):

172.20.8.250

ExternalFloa?ngIP(Web):

10.200.9.14

External(Edge):10.200.9.12 External(Edge):10.200.9.13

Mgmt:10.100.1.80/24 Mgmt:10.100.1.81Internal(Web):172.20.8.251 Internal(Web):172.20.8.252

HA:172.80.80.1/30 HA:172.80.80.2/30

InternalFloa?ngIP(Web):

172.20.8.253

ExternalFloa?ngIP(Web):

10.100.9.14

External(Edge):10.100.9.12 External(Edge):10.100.9.13

[BIG-IP DNS VE]

Mgmt:10.114.223.75 Dataplane:10.100.1.190

[BIG-IP DNS VE]

Mgmt:10.114.223.78 Dataplane:10.200.1.190

Laptop

1. DNS Request

2. Intelligent DNS response

3. Client Connects to LTM VIP

4. LB to local application



bution


Laptop

[BIG-IP Local Traffic Manager VE] [BIG-IP Local Traffic Manager VE]

[BIG-IP DNS VE] [BIG-IP DNS VE]

Servers Servers Servers Servers




bution



bution

Built on BIG-IP Application Security Manager (ASM)

VIPRION Platform BIG-IP Platform BIG-IP Virtual Edition F5 Silverline

WAFVMworld 2017 Content: N

ot for publicatio

n or distribution

Proven security effectiveness as a convenient cloud-based service

LegitimateUser

L7 Protection:

Geolocation attacks, DDoS,

SQL injection, OWASP Top

Ten attacks, zero-day threats,

AJAX applications, JSON

payloads

Public Cloud Hosted Web

App

Private Cloud Hosted Web

App

VA/DAST Scans

Policy can be built from 3rd Party

DAST

Web Application Firewall Services

WAF

Cloud

Physical Hosted Web App

Attackers F5 Silverline

WAFVMworld 2017 Content: N

ot for publicatio

n or distribution

Service Deployment Tiers

Managed Full-service

ExpressSelf-service

Per-FQDN Pre-config. Policies

Load Balancing

Self Service Portal

Email, Phone 24x7

Support for what’s in the Portal: Portal-based Policy Deployment

+Tailored Policies +Policies from VA/DAST Scans

+Violation Reviews

+24x7 Full SOC Analyst Access

+Service Customization



bution



bution

Security

Services

BIG-IP VE

Availability

Challenges: Requiring consistent app services across cloud services

Deliver high availability across all public clouds environments:

• Search your public cloud, discover apps (AWS), and securely connect

• Simplify deploying pure in cloud deployments of full stack

• Enable app services insertion across hybrid environments

• Leverage virtual app services for replication

• Virtual local and global app delivery services across VPCs

User

AWS:

• Online services

• Gov. cloud

• Data repository

Azure:

• Online services

• Gov. cloud

• Data repository

ACLTM

Only common stack app configurations across cloud services

Born in the Cloud

VPC

AC

VPC

AC



bution

EtherIP over IPSec

Secure L2 between Data Centres



bution

VLAN GROUP_1VLAN GROUP_1

1.1 - (INTERNAL)

1.2 - (EXTERNAL)

1.1 - (INTERNAL)

1.2 - (EXTERNAL)

10.128.1.252

00:0c:29:32:f9:e510.128.1.253

00:0c:29:9d:c3:88

10.128.1.2 10.128.1.3

10.10.30.2 10.10.40.2

EtherIP_Tunnel EtherIP_Tunnel

Route 10.10.40.0/24 Gateway 10.10.30.1 Route 10.10.30.0/24 Gateway 10.10.40.1

10.10.40.110.10.30.1

FWD_V

S

FWD_V

S

EtherIP IPSec Tunnel



bution

Direct C

onnect

/ In

terc

onnect O

fferings

Interconnect Provider

Security

Services

Interconnect Provider

Security

Services

AWS

Azure & Others

VPC

VPC

VPC

VPC

VPC

VPC

Customer DC1

Corp

Users

Security

Services

Customer DC2

Corp

Users

Security

Services

Cage

Cage

VPC

BIG-IP VE

Security

Services

VPC

BIG-IP VE

Security

Services

Cloud Interconnect• App Delivery

deployed within

interconnect

provider facilities

Lift and Shift• Traditional

datacenters App

Delivery services

with workloads in

cloud

Born in Cloud• Virtual App Delivery

within a services

VPC delivering

services

End Users

BIG-IP

BIG-IP



bution

User

AmazonAWS

Rackspace

Azure

IBM SoftLayer

Amazon

Rackspace

Azure

SoftLayer

Key

Encryption Keys stored centrally (not in the cloud instances)

Reduced attack surface – no visible public IP addressing

Workload nodes can be autodiscovered by the proxy instance

• Independent of network configuration- Deals gracefully with overlapping IP space

• Allows sensitive encryption keys to be

stored outside the cloud environment- Can leave “serverssl none” towards the

node and traffic is protected until it gets into

the environment

• Hides original environment entirely from

clients- Does not require mapping to public IPs in

the CSP

- Significantly reduces potential attack surface

• Keeps BIG-IP configuration

automatically notified of changes within

the environment



bution

BIG-IP side• Delivered as iAppLX package

• GUI for configuration of “Service

Center”- Visually represents discovered items within

the environments that have registered

- Allows registration of the proxy instances

• Allows full interaction via REST APIs

Cloud side• Delivered as instance image, container,

agent (future)

• Easy to configure via GUI, REST API- “To which service centers should I attach?”

- “Do I automatically or manually publish

what’s nearby?”



bution

Configuration

AWS1

AWS2

AZ1

1 2

1 2

1 2

%AWS1

%AWS2

%AZ1

• Based on Open

Standards (Websockets,

SOCKS, TLS)

• Automates creation of

BIG-IP-side objects

• Cloud Proxy inside cloud

environment can be

rendered as instance,

container, or agent



bution



bution

mmc3406bus cloudy days ahead!! distribution publication or · 2019-06-27 · servers servers...

Documents