CONFIDENTIAL
C2C VISION: Expand services, deliver insights via telemetry and analytics
[Diagram: the path from Code to Customer. Services shown: device fingerprint, user identity & behavior, API gateway, CDN, Ingress controller, App / Web server, load balancer, DNS, App security, DDoS, future services. ANY INFRASTRUCTURE: containers, purpose-built hardware, public cloud, virtual machines, Software as a Service, commodity hardware. ANY DEVICE: Mobile, POS, Laptop, IoT. PLATFORM CONTROL PLANES: BIG-IP, NGINX, future. VISIBILITY, INSIGHTS & ORCHESTRATION, fed by TELEMETRY.]
Applications are Transforming
Technology is Changing
• Containerized “microservices” gaining popularity
• Orchestration is part of the application landscape
– Kubernetes, OpenShift
– Analytics now built into applications
The Future is Cloudy
• Cloud is here:
– Currently 84% Multi-Cloud [1]
– 79% of workloads in cloud [1]
• Benefits: Faster infrastructure, greater scalability
• 68% optimizing clouds [1]
• 58% moving workloads to clouds [1]
DevOps is Rising
• Modular application construction is now dominant
• Emergence of development integrated with operations
• Shared ownership of applications is beginning to take root
• Automation is key
[1] "State of the Cloud Report." RightScale/Flexera, 2019.
Looking through the BIG-IP
Problem statements & opportunities
‘Around the BIG-IP’
• Identifying cloud migration strategy?
– Delivering multi-cloud App availability and security
‘Behind the BIG-IP’
• Identifying App Modernization strategy?
– Delivering seamless service delivery between the micro-service platform and the traditional application security perimeter (ADC & WAF)
– Delivering inter-container security and visibility
Narrow in on ‘around the BIG-IP’
[Diagram: the Code to Customer path (DNS, App security, DDoS, load balancer) shown on purpose-built hardware and again on public cloud and virtual machines, with Server/OS. Labels: Active & Happening; Digital ROI; Business agility.]
IMPACT: Decomposing traditional F5 consolidated functions into dynamic software-based behaviour
The challenge:
• Decomposing the BIG-IP
BIG-IP Virtual Edition
The options: ‘As You Know’ or ‘As You Grow’
[Diagram: BIG-IP VE placed between the Internet and servers in a zone labelled "PRIVATE Virtualization/ SDN/ NFV or Public Cloud Zone X". Models shown: 3-year-growth-designed VE model (VE, 5G); scale-up VE model (quality): VE 200Mb, VE 1Gb, VE 3Gb; scale-out VEs (quantity): several VE 200Mb instances and a VE 1Gb scale out. Licensing labels: perpetual, perpetual/subscription, subscription.]
New consumption models change the way you can architect the capability
Perpetual, Subscription, ELA, Utility (PAYG)
New and improved!
TechXchange Consumption session: Today 13:00
[Diagram: the Code to Customer path (DNS, App security, DDoS, load balancer) on purpose-built hardware, public cloud and virtual machines, extended with CDN, Ingress controller and App / Web server on containers, Software as a Service and commodity hardware. PLATFORM CONTROL PLANES and ecosystems: NGINX Controller, BIG-IQ.]
Narrow in on ‘behind the BIG-IP’
[Diagram labels: Actual & Emerging; Digital ROI; Business agility; Service mesh; Server/OS; Code]
IMPACT: N-S BIG-IP - K8S Ingress Architecture and E-W visibility and security with service mesh.
[Diagram repeated from ‘The options’ slide: scale-up VE model (quality), scale-out VEs (quantity) and 3-year-growth-designed VE model, with perpetual and subscription licensing labels.]
Options…..
[Diagram: F5 BIG-IP with Container Ingress Services and container orchestration across Node 1 and Node 2. Labels: BIG-IP Dynamic App services (ADC/WAF); App Insight.]
Benefit:
• A single N-S traffic entry that adapts to any environment
• K8s-native App management
• Dynamic service discovery and automatic lifecycle management
• Customers get the same ADC functions in PaaS
• Smooth app migration into PaaS
• Supports CNI plugins such as flannel/OVS/Calico/Canal
• WAF/DDoS/SSL offload capability for applications in PaaS
Benefit:
• Native support for K8s Ingress
• Light and high performance
• NGINX has ConfigMap and Annotations to extend Ingress to fit your production, giving you the full capability of NGINX
• Integrates OpenTracing and Prometheus for App observation
• Commercial support
• Supports any environment
NodePort mode uses 2-tier load balancing:
• The BIG-IP Platform load balances requests to Nodes (kube-proxy).
• Nodes (kube-proxy) load balance requests to Pods.
Considerations: The BIG-IP system can’t load balance directly to Pods, which means:
• Some BIG-IP services, like L7 persistence, won’t behave as expected.
• Additional network latency.
Cluster mode: use any type of Kubernetes Services. The BIG-IP system can load balance directly to any Pod in the Cluster, providing:
• BIG-IP services, including L7 persistence.
• The BIG-IP Controller has full visibility into Pod health via the Kubernetes API.
Considerations:
• Needs a VXLAN overlay network
You can now:
• Add or remove Pods from an existing Service or expose a Service with Pods.
• Add or remove a Node from the Cluster.
• Create a new Kubernetes Cluster from scratch.
Introducing BIG-IP Container Ingress Services (CIS)
• Listens to the K8s container orchestration for changes in Nodes, Pods etc.
• CIS will use AS-3 to change BIG-IP configs for Pool, Pool-member, VS etc.
• BIG-IP will follow the dynamic behavior of the modern Application as it changes during operations
And more options……
Bringing DevOps and NetOps together
[Diagram: F5 Container Ingress Services (CIS) on BIG-IP and the NGINX/NGINX Plus Ingress Controller with container orchestration across Node 1 to Node N. Labels: BIG-IP Dynamic App services/API protection; App/API Insight.]
Architecture considerations
• Good for the period in which legacy Apps are transitioning to modern applications.
• Good for bringing NetOps/SuperNetOps/DevOps/dev teams together.
• Supports multi cloud.
• If using NGINX as API GW, this solution is a good way to build an F5+NGINX API M mode
Benefits to our customers
WHY IS THIS BENEFICIAL TO OUR CUSTOMERS?
The best of BIG-IP
The trusted & familiar infrastructure load balancer, providing security, visibility and governance for enterprises across every industry
The agility and performance of NGINX
DevOps-centric use cases, supporting self-service application deployment, lifecycle management and multi-tenancy, with consistency and reliability
Integration with the simplicity of Public Cloud
Simple integration, with capabilities underneath: performance and security optimizations; self-service DNS, IP addresses and WAF
One more step behind the App: Service Mesh
©2020 F5 – KPN ASPEN MESH
Support for different deployment scenarios
SERVICE PROXY WITHIN THE KUBERNETES CLUSTER
[Diagram: Cluster 1 with Node 1 and Node 2 in a Cloud Native DC. Pods labelled AMF-P1, AMF-P2, SMF-P1, NRF-P1, E1-P1, E2-P1, AM-2, IG-1, IG-2, CTS and app N, each paired with Aspen Mesh. A BIG-IP Service Proxy sits on each node.]
Advantage: BIG-IP Service Proxy part of k8s orchestration environment
E-W: East-West Inter App traffic
N-S: North-South customer – App traffic
Why service-mesh and Aspen-Mesh
• A Service Mesh answers the question, “How do I observe, control, or secure communication between services?” A Service Mesh intercepts traffic going into and out of a container.
• Key Use Cases for Service Mesh
– Service discovery: Service mesh provides service-level visibility and telemetry, which helps enterprises with service inventory information and dependency analysis.
– Traffic governance: With service mesh, you can configure the mesh network to perform fine-grained traffic management policies without going back and changing the application. This includes all ingress and egress traffic to and from the mesh.
– Access control: With service mesh, you can assign policy so that a service request is granted only based on the location the request came from, and succeeds only if the requester passes the health check.
– Secure service-to-service communications: You can enforce mutual TLS for service-to-service communications for all your services in the mesh. You can also enforce service-level authentication using either TLS or JSON web tokens.
• Aspen-Mesh offers:
– Advanced policy and configuration options
– Analytics and alerting
– Multi-cluster/multi-cloud capabilities
– An intuitive UI
– A fully hosted SaaS platform
– Complete support from our team of service mesh experts
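The mutual TLS, access control and JSON web token use cases above, written as upstream Istio security resources. This is an added example, not taken from the original slides or from Aspen Mesh documentation. It assumes an Istio-based mesh that accepts the upstream security.istio.io API with istio-system as its root namespace; the shop namespace, the orders and frontend workloads and the issuer URL are constructed.

```yaml
# Added example: upstream Istio API; every name below is constructed.
# 1. Mesh-wide mutual TLS. PERMISSIVE (the weaker setting) still accepts
#    plaintext from workloads without a sidecar; STRICT rejects it.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # assumed root namespace: applies mesh-wide
spec:
  mtls:
    mode: STRICT
---
# 2. Validate JSON web tokens sent to the orders workload. On its own this
#    only rejects invalid tokens; requests with no token still pass until
#    the AuthorizationPolicy below requires one.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: orders-jwt
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  jwtRules:
  - issuer: "https://issuer.example.com"             # constructed issuer
    jwksUri: "https://issuer.example.com/jwks.json"  # constructed JWKS URL
---
# 3. Access control. Once an ALLOW policy selects a workload, any request
#    that matches no rule is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-frontend
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        # Caller's mTLS identity (its service account) ...
        principals: ["cluster.local/ns/shop/sa/frontend"]
        # ... AND a valid token from the issuer above (issuer/subject).
        requestPrincipals: ["https://issuer.example.com/*"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/orders/*"]
```

The principals match only works when the connection is mutual TLS, which is why the STRICT PeerAuthentication comes first.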
Full architecture A-Z
[Diagram: Internet; scale-out BIG-IP VEs (VE 200Mb with AWAF, VE 200Mb, VE 1Gb scale out); F5 CIS; container orchestration. Labels on the links: AS-3, VXLAN.]
F5 Networks in an A-Z world..
WHAT DO WE OFFER TODAY – NORTH SOUTH VS EAST WEST
• NGINX+
➢ Proven NGINX OSS with enterprise features / support
➢ F5 WAF ported to NGINX+ App Protect Essential
➢ Cloud Native experience with K8S CRDs as Ingress Resource
• BIG-IP + CIS
✓ BIG-IP functionality (LTM/ASM/APM) for your containers
✓ Route traffic to your PODs without an extra hop
✓ DevOps friendly due to the ATC and CIS K8S/OCP integration
• ASPENMESH
➢ Istio based with enterprise features / support
➢ Focus on E-W security, observability and L7 policy management
➢ Cloud Native experience as made for K8S