Date post: 20-May-2020
Dynamic App Services in Containerized Environments F5 Government Technology Symposium Mark Dittmer Sr Product Management Engineer
Transcript
Page 1: Dynamic App Services in Containerized Environments · infrastructure, greater scalability •53% optimizing clouds 52% moving workloads to clouds •Modular application construction

Dynamic App Services in Containerized Environments

F5 Government Technology Symposium

Mark Dittmer

Sr Product Management Engineer

Page 2

Understanding the Container Market and Customer Challenges

Page 3

1. Organizations are evolving and apps are transforming

2. Container adoption driven by agile app dev., DevOps teams using microservices, and faster time to market

3. Container environments bring new customer challenges and opportunities for F5

Page 4

Page 5

2000

• Long lived

• Monolithic and built on a single stack

• Deployed to a single server

2018

• Development is iterative and constant

• Built from loosely coupled components

• Deployed to a multitude of servers

Page 6

• Cloud is here:

• Currently 85% Multi-Cloud

• 41% of workloads in cloud

• Benefits: Faster infrastructure, greater scalability

• 53% optimizing clouds, 52% moving workloads to clouds

• Modular application construction is now dominant

• Emergence of development integrated with operations

• Shared ownership of applications is beginning to take root

• Automation is key

• Containerized “microservices” gaining popularity

• Orchestration is part of the application landscape

• Kubernetes, OpenShift, Cloud Foundry, Mesos

• Analytics now built into applications

Page 7

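Gen 0: Hardware

• Data Center Provides: Hardware server running single service/app
• Automation: None
• Service Creation Time: Weeks/Ticket
• Service Lifetime: Years
• Key Products: Dell, HP, BIG-IP Hardware

Gen 1: Virtualized

• Data Center Provides: Virtualized server running single service/app
• Automation: Little
• Service Creation Time: Days/Ticket
• Service Lifetime: Years
• Key Products: VMWare, Xen, BIG-IP VE

Gen 2: Cloud

• Data Center Provides: Self-serve virtualized server running single service/app
• Automation: Mixed
• Service Creation Time: Minutes/Self-Serve + Autoscale
• Service Lifetime: Months/Years
• Key Products: AWS, OpenStack, Cisco ACI

Gen 3: Resource Pool

• Data Center Provides: Pools of CPU, memory, storage + PaaS Framework
• Automation: 100%
• Service Creation Time: Sub-second
• Service Lifetime: Seconds
• Key Products: Kubernetes, OpenShift, Mesos, Docker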

Page 8

• Lightweight alternative for app development

• App runs without guest VMs

• Portability: Easy lift and shift to clouds or vice versa

Review Using Docker Container Technology with F5 Products and Services on F5.com.

Page 9

• 2016: 8% deployed, 76% eval.

• 2017: 45% deployed, 55% eval.

• Future: containers become dominant AppDev platform

Page 10

• How can I support new container environments?

• How do I support DevOps’ needs for speed and agility?

• How do I respond to constant requests for container app services?

• How can I maintain compliance across container environments?

• How can I secure containers without upfront IT investments?

• How can I drive operational and cost efficiencies?

Page 11

Rethink Container Environments with F5 App Services

Page 12

1. Understand the new application architectures

2. F5 Dynamic App Services for Containerized Environments enables self-services and automation for DevOps process

3. Learn about container environments to help you recommend the best solutions

Page 13

App Disruption: New Architectures

Transition Is A Continuum - Models Will Co-Exist

[Diagram labels: NetOps Centric Architecture (Internet; ADC; Monolithic Application; Physical/Virtual Infrastructure: Network, Compute, Storage) and DevOps Centric Architecture (Internet; ADC; Automation; Orchestration; Container Formats; Docker, rkt, Chef, Puppet, Ansible, Mesos, Red Hat OpenShift, Kubernetes, OSv; Physical/Virtual Infrastructure: Network, Compute, Storage)]

Page 14

Container Environments

• Open-Source app development environments

• Enhanced agility and scaling

• Platform independence & portability - containers can be transferred between public and private clouds

Platform-as-a-Service (PaaS)

• Platform automatically packages software into containers and provides compute resources

• Allows developers to focus on writing code for greater agility

Container-as-a-Service (CaaS)

• Provide container engines, orchestration tools and compute resources

• Requires the developer to package software into containers

Page 15

Examples:

• Application data exchange

• VM-to-VM, Container traffic

• API traffic

Generally speaking:

• Machine-to-machine

• Application-to-application

• Disaggregated service bus

Application Services North-South Traffic

Application Services Across Containers and PaaS

Container Environment

Orchestration

Generally speaking:

• Traffic across network

• Client to app server

• Front-door services

Examples:

• App Services

• Into containers

• ADC and Ingress Control

ADC

Ingress Point

Page 16

“Ingress” = HTTP routing:

• Currently defined as only HTTP routing (L7)

• Kubernetes/OpenShift Resource

• Handled by Ingress Controller:

  • Container Connector + BIG-IP

“ingress” = Access into the container environment:

• L4 traffic

• UDP traffic management

• Non-HTTP L7 routing

• Handled by ingress controller:

  • Container Connector + BIG-IP

What’s the difference?

Ingress can refer to HTTP Routing or a collection of rules to reach the cluster services, and ingress refers to inbound connections, app load balancing, programmability and security services.

Page 17

Introducing Dynamic App Services for Containerized and PaaS Environments

• Native open-source integration in container environments for F5 BIG-IP Ingress control

• Enable self-service selection in orchestration for app services

• Scale and secure apps through automated event discovery and service insertion

F5 Container Connector

© 2018 F5 Networks

Page 18

• Reduced hops/latency - Route traffic directly to application front end

• Enable IPv6 clients to use IPv4 containerized applications

• Apply advanced services such as WAF and DDoS mitigation

• TLS Offload – Re-encrypt with self-signed certificates

• Leverage advanced traffic management capabilities:

• LBing methods, health monitors, programmability etc.

• Application acceleration

• Hybrid Container/VM

• External Service Endpoints or

• VIP-targeting-VIP

Page 19

Service Mesh

Enterprise Service Mesh Built on Istio

Page 20

THEN NOW

Page 21

FORWARD PROXY

Page 22

REVERSE PROXY

Page 23

SIDECAR PROXY

Page 24

Building a Service Mesh

Page 25

A SERVICE MESH

A network of sidecar proxies that form a reliable method of scale that includes:

• Circuit breakers

• Auto-Retries

• Health monitoring

• HTTP Routing

Page 26

Aspen Mesh is a fully supported enterprise service mesh that provides observability, analytics and security

Page 27

The Aspen Mesh – Contacts and Distribution success on your microservices journey.

Page 28

Highlighting F5 Application Services for Containers

F5 Container Connector for RedHat OpenShift

Page 29

[Diagram labels: F5 BIG-IP Load Balancer; Master (x3) and Node (x5), each on a RHEL VM; Persistent Storage; Hypervisor]

Page 30

Masters Nodes

RHEL VM RHEL VM

External Requests

Outbound-VIP 0.0.0.0.0 SNAT

ocp3-master-vip.lab.fp.f5net.com

VIP – OpenShift-Master

Pool List – ocp3-master ocp3-master1:8443 ocp3-master2:8443 ocp3-master3:8443

192.168.200.X

Page 31

[Diagram labels: User; Traffic; BIG-IP Application Performance and Security Services; Visibility and Analytics; Integration; Container Connector; Container Environment (Node 1, Node 2, Apps); Container Orchestration]

Page 32

F5 Container Connector

f5-bigip-node01

• VM Network 10.192.75.82 (1-2)
• Internal 192.168.200.82, vxlan 10.129.6.82 (1-1)
• tunnel openshift_vlan local address 192.168.200.84, secondary address 192.168.200.82

f5-bigip-node02

• VM Network 10.192.75.83 (1-2)
• Internal 192.168.200.83, vxlan 10.130.4.83 (1-1)
• tunnel openshift_vlan local address 192.168.200.84, secondary address 192.168.200.83

Floating

• f5-bigip-float 192.168.200.84
• vxlan-float 10.128.6.84, tunnel openshift_vlan

[Diagram labels: Container Environments; Node 1; Node 2; Orchestration]

oc get hostsubnet

NAME              HOST             HOST IP         SUBNET
f5-bigip-float    f5-bigip-float   192.168.200.84  10.128.6.0/23
f5-bigip-node01.  f5-bigip-node01  192.168.200.82  10.129.6.0/23
f5-bigip-node02.  f5-bigip-node02  192.168.200.83  10.130.4.0/23

Page 33

Showcase F5 Solutions in Container Environments

Kubernetes, Red Hat OpenShift, Pivotal Cloud Foundry, and Mesos

Page 34

1. Showcase the value of F5 integrations to container orchestration

2. Highlight F5 container integrations to Kubernetes, Red Hat OpenShift, Pivotal Cloud Foundry, and Mesos

3. Stress data stream export in a Splunk or SIEM compatible format for visibility and analytics

4. Share the value of container integration solutions focus

Page 35

Dynamic App Services Across Kubernetes or OpenShift

Integrate and enable container app services in Kubernetes or OpenShift

• Easily configure ingress control on BIG-IP with app routing, automatic traffic policy creation, and health monitoring

• Enables app routing, availability, and scale across Kubernetes container environments

• Subscribes to Kubernetes or OpenShift events to automatically create, scale, or remove app performance and security services

• Traffic visibility via data stream export for analytics review

[Diagram labels: Kubernetes or OpenShift (Node 1, Node 2); Orchestration; F5 Container Connector; F5 BIG-IP App Performance and Security Services; Visibility and Analytics; App Services Across Network]

Tip: Your SEs have access to blueprint environment in UDF for Kubernetes or OpenShift demos

Page 36

Rapid App Services Selection in Kubernetes

• Automated discovery and services insertion

• Scale apps and enable security services

Page 37

Scale and secure container apps in Pivotal Cloud Foundry PaaS

• Easily configure ingress control on BIG-IP with app routing, SSL, automatic policy creation, and health monitoring

• Subscribes to Cloud Foundry routes to automatically scale app traffic with Layer 7 policies

• Deploy app performance faster with pre-defined policy templates on BIG-IP

• Traffic visibility via data stream export for analytics review

[Diagram labels: Pivotal Cloud Foundry (Node 1, Node 2, GoRouter, GoRouter); Orchestration; F5 Container Connector; F5 BIG-IP App Performance and Security Services; Visibility and Analytics; Application Services Across Network]

Page 38

Enable app self-services and automation in Mesos

• Improve app availability through integration with existing native Mesos container app workflows

• Scale app performance with BIG-IP across network with app routing, programmability, and monitoring

• Enable security services – access control, app encryption and protection

• Gain end to end visibility and analytics by exporting data metrics from BIG-IP

[Diagram labels: Mesos Cluster; Marathon; Orchestration; F5 Container Connector; F5 BIG-IP App Delivery and Security Services; Visibility and Analytics; App Services Across Network]

Tip: Your SEs have access to blueprint environment in UDF for Mesos demos

Page 39

• Automated discovery and services insertion

• Scale apps and enable security services

Page 40

• Enables end-to-end visibility, analytics, and insights for fast resolution of container traffic anomalies

• Export data stream from BIG-IP

Page 41

[Diagram labels: F5 Container Connector; Service Mesh; Visualization and Analytics; Programmability and Integration; F5 iRules LX; F5 BIG-IP; Application Services Proxy; Container Connector; F5 DevCentral; REST API; (End of Sale May 31, 2018); Location; Future]

Page 42

Containers: Strengths, Weakness, F5’s Value

Mesos / Mesosphere

• Strengths: Integrated internal traffic management (using HAProxy), their preference is to partner with F5 as we increase deal velocity.
• Weakness: Overall traffic management capabilities needed from front-end traffic management are limited. No SSL offload to HW, limited LB methods, limited as the Ingress point (HAProxy at the heart), no DDoS protection, etc.
• F5’s Value: Through the Container Connector we integrate the BIG-IP fronting the containerized environment to provide the rich set of application delivery/performance services we offer – the set of services our customers really want.

Kubernetes

• Strengths: Integrated internal traffic management (using IP Tables). Leading container environment with industry moving toward standardizing on.
• Weakness: Overall traffic management capabilities needed from front-end traffic management are limited. No SSL offload to HW, limited LB methods, no DDoS protection, etc.
• F5’s Value: Through the Container Connector we integrate the BIG-IP fronting the containerized environment to provide the rich set of application delivery/ingress control services we offer – the set of services our customers really want.

RedHat OpenShift

• Strengths: Integrated internal traffic management (using IP Tables). Full Platform as a Service (PaaS) stack. Strong RedHat and F5 partnership sharing deals. Container Connector is referenced on the RedHat Marketplace.
• Weakness: Overall traffic management capabilities needed from front-end traffic management are limited. No SSL offload to HW, limited LB methods, no DDoS protection, etc.
• F5’s Value: Through the Container Connector we integrate the BIG-IP fronting the containerized environment to provide the rich set of application delivery/ingress control services we offer – the set of services our customers really want.

Pivotal Cloud Foundry

• Strengths: Integrated internal traffic management (using Go Router). Container Connector is referenced on the Pivnet marketplace.
• Weakness: Overall traffic management capabilities needed from front-end traffic management are limited. No SSL offload to HW, limited LB methods, no DDoS protection, etc.
• F5’s Value: Through the Container Connector we integrate the BIG-IP fronting the containerized environment to provide the rich set of application delivery/ingress control services we offer – the set of services our customers really want.

Docker DC/ Swarm

• Strengths: Integrated internal traffic management (using L3 routing)
• Weakness: Overall traffic management capabilities needed from front-end traffic management are limited. No SSL offload to HW, limited LB methods, no DDoS protection, etc.
• F5’s Value: Future Integration

Page 43

How Customer Obtains F5

Page 44

1. Simplified Container Integrations ordering by selecting no charge solutions for quick adoption

2. Services: Select a variety of F5 services and support options to help customers succeed

3. Platforms: Create great customer value with blended platform options for pull through revenue

4. Licensing: Choose flexible options for BIG-IP across Good, Better, and Best offerings

Page 45

• Clouddocs.f5.com

• Kubernetes Concepts

Page 46

Good, Better, Best Platforms

F5 physical ADCs

High-performance w/dedicated hardware

Physical ADC is best for:

• Fastest performance
• Highest scale
• SSL offload, compression, and accelerated DoS mitigation
• An all F5 solution: integrated HW+SW
• Edge and ingress control front door services
• Purpose-built isolation for application delivery workloads
• iSeries have FPGA based TurboFlex for chip-level customization

Physical + virtual = hybrid ADC infrastructure

Ultimate flexibility and performance

Hybrid ADC is best for:

• Transitioning from physical to virtual and private data center to cloud
• Cloud bursting
• Splitting large workloads
• Tiered levels of service
• Private Cloud

F5 Virtual Editions

Provide flexible deployment options for virtual environments and the cloud

Virtual ADC is best for:

• Accelerated deployment
• Maximizing data center efficiency
• Private and public cloud deployments
• Application or tenant-based pods
• Keeping security close to the app
• Lab, test, and QA deployments
• License Management with BIG-IQ

Physical / Hybrid / Virtual

• Physical: i2000 series*, i4000 series, i5000 Series, i7000 Series, i10000/i11000 Series, VIPRION 2200, VIPRION 2400, VIPRION 4480, VIPRION 4800
• Virtual: 25M, 200M, 1Gbps, 3Gbps, 5Gbps, 10Gbps

*i2600 does not support GBB

Note: iSeries does not support AAM module

Page 47