
C2C VISION: Expand services, deliver insights via telemetry and analytics

Date post: 25-Jun-2020
Page 1: C2C VISION: Expand services, deliver insights via telemetry and analytics

CONFIDENTIAL

[Diagram labels: Code; Customer. Services: API gateway, CDN, Ingress controller, App / Web server, Load balancer, DNS, App security, DDoS, Future Service. Future services: Device fingerprint, User identity & behavior. ANY INFRASTRUCTURE: Containers, Purpose-built hardware, Public cloud, Virtual machines, Software as a Service, Commodity hardware. ANY DEVICE: Mobile, POS, Laptop, IoT. PLATFORM CONTROL PLANES: BIG-IP, NGINX, FUTURE. VISIBILITY, INSIGHTS & ORCHESTRATION. TELEMETRY.]

Page 2

Applications are Transforming

Technology is Changing

• Containerized “microservices” gaining popularity
• Orchestration is part of the application landscape
  – Kubernetes, OpenShift
  – Analytics now built into applications

The Future is Cloudy

• Cloud is here:
  – Currently 84% Multi-Cloud¹
  – 79% of workloads in cloud¹
• Benefits: Faster infrastructure, greater scalability
• 68% optimizing clouds¹
• 58% moving workloads to clouds¹

DevOps is Rising

• Modular application construction is now dominant
• Emergence of development integrated with operations
• Shared ownership of applications is beginning to take root
• Automation is key

¹ "State of the Cloud Report." RightScale/Flexera, 2019.

Page 3

Looking through the BIG-IP

Page 4

Problem statements & opportunities

‘Around the BIG-IP’

• Identifying CLOUD migration strategy?
  Delivering multi cloud App availability and security

‘Behind the BIG-IP’

• Identifying App Modernization strategy?
  Delivering seamless service delivery between Micro-service platform and Traditional Application security perimeter (ADC & WAF)
  Delivering inter-container security and visibility

Page 5

Narrow in on ‘around the BIG-IP’

[Diagram labels: Code; Customer; DNS; App security; DDoS; Load balancer; Server/OS; Purpose-built hardware; Public cloud; Virtual machines; Active & Happening; Digital ROI; Business agility.]

IMPACT: De-composing traditional F5 consolidated functions into dynamic SW based behaviour

Page 6

The challenge:

• Decomposing the BIG-IP

[Diagram: multiple instances labelled "BIG-IP Virtual Edition".]

Page 7

The options: ‘As You Know’ or ‘As You Grow’

[Diagram labels: Internet; Servers; VE, 5G; "[PRIVATE Virtualization/ SDN/ NFV or Public Cloud Zone X]"; perpetual; Perpetual/subscription; Subscription; VE, 200Mb; VE, 1Gb; VE, 3Gb; Scale UP VE model (quality); VE 200Mb (three instances); VE 1Gb Scale out; Scale out VE’s (quantity); 3 Y growth designed VE model.]

Page 8

New consumption models change the way you can architect the capability

• Perpetual
• Subscription
• ELA
• Utility (PAYG)

New and improved!

TechXchange Consumption session: Today 13:00

Page 9

Narrow in on ‘behind the BIG-IP’

[Diagram labels: Code; Customer; CDN; Ingress controller; App / Web server; Load balancer; DNS; App security; DDoS; Service mesh; Server/OS; Containers; Purpose-built hardware; Public cloud; Virtual machines; Software as a Service; Commodity hardware; PLATFORM CONTROL PLANES; Ecosystems; NGINX Controller; BIG-IQ; Actual & Emerging; Digital ROI; Business agility.]

IMPACT: N-S BIG-IP - K8S Ingress Architecture and E-W visibility and security with service mesh.

Page 10

‘behind the BIG-IP’

[Diagram labels: Servers; VE, 5G; "[PRIVATE Virtualization/ SDN/ NFV or Public Cloud Zone X]"; perpetual; Perpetual/subscription; Subscription; VE, 200Mb; VE, 1Gb; VE, 3Gb; Scale UP VE model (quality); VE 200Mb (three instances); VE 1Gb Scale out; Scale out VE’s (quantity); 3 Y growth designed VE model.]

Page 11

Options…..

[Diagram labels: Node 1; Node 2; BIGIP Dynamic App services ADC/WAF; App Insight; F5 BIGIP Container Ingress Services; Container Orchestration.]

Benefit:

• A single N-S traffic entry that adapts to any environment
• K8s-native way of App management
• Dynamic service discovery and automatic lifecycle management
• Customers get the same ADC functions in PaaS
• Smooth app migration into PaaS
• Supports flannel/OVS/Calico/Canal etc. CNI plugins
• WAF/DDoS/SSL offload ability for applications in PaaS

Benefit:

• Native support for k8s Ingress
• Light and high performance
• NGINX has ConfigMap and Annotations to extend Ingress to fit your production. Get all capabilities of NGINX
• Integrates OpenTracing and Prometheus to get App observation
• Commercial support
• Supports any environment

Page 12

And more options……

Introducing BIG-IP Container Ingress Services (CIS)

• Listens to K8S Container Orchestration for changes in Nodes, Pods etc.
• CIS will use AS-3 to change BIG-IP configs for Pool, Pool-member, VS etc.
• BIG-IP will follow the dynamic behavior of the modern Application as it changes during operations

You can now:

• Add or remove Pods from an existing Service or expose a Service with Pods.
• Add or remove a Node from the Cluster.
• Create a new Kubernetes Cluster from scratch.

NodePort mode uses 2-tier load balancing:

• The BIG-IP Platform load balances requests to Nodes (kube-proxy).
• Nodes (kube-proxy) load balance requests to Pods.

Considerations: The BIG-IP system can’t load balance directly to Pods, which means:

• Some BIG-IP services, like L7 persistence, won’t behave as expected.
• Additional network latency.

Cluster mode uses any type of Kubernetes Service. The BIG-IP system can load balance directly to any Pod in the Cluster, providing:

• BIG-IP services, including L7 persistence.
• The BIG-IP Controller has full visibility into Pod health via the Kubernetes API.

Considerations:

• Needs a VXLAN overlay network

Page 13

Bringing DevOps and NetOps together

[Diagram labels: Node 1 … Node N; BIGIP Dynamic App services/API protection; F5 CIS; Container Orchestration; App/API Insight; F5 Container Ingress Services (CIS); Nginx/Nginx Plus Ingress Controller.]

Architecture considerations

• It suits the period in which legacy Apps are transitioning to modern applications.
• It helps converge NetOps, SuperNetOps, DevOps and developers.
• Supports multi cloud.
• If using NGINX as API GW, this solution is good to build F5+NGINX API M mode

Page 14

Benefits to our customers

WHY IS THIS BENEFICIAL TO OUR CUSTOMERS?

The best of BIG-IP

The trusted & familiar infrastructure load balancer, providing security, visibility and governance for enterprises across every industry

The agility and performance of NGINX

DevOps-centric use cases, supporting self-service application deployment, lifecycle management and multi-tenancy, with consistency and reliability

Integration with the simplicity of Public Cloud

Simple integration, with capabilities underneath: performance and security optimizations; self-service DNS, IP addresses and WAF

Page 15

One more step behind the App: Service Mesh

[Embedded slide, marked CONFIDENTIAL, footer "©2020 F5 – KPN ASPEN MESH"]

Support for different deployment scenarios: SERVICE PROXY WITHIN THE KUBERNETES CLUSTER

[Diagram labels: Cluster 1 with Node 1 and Node 2; workloads AMF-P1, AMF-P2, SMF-P1, NRF-P1, AM-2, IG-1, IG-2, CTS, app E1-P1, app E2-P1, app N, each paired with Aspen Mesh; Cloud Native DC; BIG-IP Service Proxy.]

Advantage: BIG-IP Service Proxy part of k8s orchestration environment

• E-W: East-West inter-App traffic
• N-S: North-South customer – App traffic

Page 16

Why service-mesh and Aspen-Mesh

• A Service Mesh answers the question, “How do I observe, control, or secure communication between services?” A Service Mesh intercepts traffic going into and out of a container

• Key Use Cases for Service Mesh
  • Service discovery: Service mesh provides service-level visibility and telemetry, which helps enterprises with service inventory information and dependency analysis.
  • Traffic governance: With service mesh, you can configure the mesh network to perform fine-grained traffic management policies without going back and changing the application. This includes all ingress and egress traffic to and from the mesh.
  • Access control: With service mesh, you can assign policy that a service request can be granted only based on the location where the request came from and can only succeed if the requester passes the health check.
  • Secure service-to-service communications: You can enforce mutual TLS for service-to-service communications for all your services in the mesh. You can also enforce service-level authentication using either TLS or JSON web tokens.

• Aspen-Mesh offers:
  • Advanced policy and configuration options
  • Analytics and alerting
  • Multi-cluster/multi-cloud capabilities
  • An intuitive UI
  • A fully hosted SaaS platform
  • Complete support from our team of service mesh experts

Page 17

Full architecture A-Z

[Diagram labels: Internet; VE 200Mb with AWAF (two instances); VE 200Mb; VE 1Gb Scale out; F5 CIS; Container Orchestration; AS-3; VXLAN.]

Page 18

F5 Networks in an A-Z world: WHAT DO WE OFFER TODAY – NORTH SOUTH VS EAST WEST

• NGINX+

➢ Proven NGINX OSS with enterprise features / support

➢ F5 WAF ported to NGINX+ App Protect Essential

➢ Cloud Native experience with K8S CRDs as Ingress Resource

• BIG-IP + CIS

✓ BIG-IP functionality (LTM/ASM/APM) for your containers

✓ Route traffic to your PODs without an extra hop

✓ DevOps friendly due to the ATC and CIS K8S/OCP integration

• ASPENMESH

➢ Istio based with enterprise features / support

➢ Focus on E-W security, observability and L7 policy management

➢ Cloud Native experience as made for K8S

