F5 corporate template · F5 Networks in the Container World ... MICROSERVICES USE MULTIPLE...
Aspen Mesh
Enterprise Service Mesh
June 18 2020 – TechXChange NL
| ©2020 F5 – ASPEN MESH – TECHXCHANGE NL2
➢ Infra and application evolution
➢ F5 Networks in the container world
➢ Do I need a service mesh?
➢ Aspen Mesh – value adds
➢ Demo
➢ Try it out yourself !
Presentation overview
INFRA & APPLICATION EVOLUTION
CONTAINERS ARE HERE TO STAY
The container landscape
CNCF RESEARCH DATA
Service Mesh adoption
CONTAINER SECURITY BECAME THE BIGGEST CONCERN
Container security
MONOLITHS TO MICRO SERVICES – AN INCREASING AMOUNT OF EAST-WEST TRAFFIC
Application architecture
Microservices at scale is hard
F5 NETWORKS IN THE CONTAINER WORLD
Application business logic
End-user
API gateway
Web app firewall
Ingress controller
App / web server
Denial of service
Anti-fraud & anti-bot
Load balancer
Secure access
WHERE ASPEN MESH FITS IN
Code to customer
NGINX+
➢ Proven NGINX OSS with enterprise features / support
➢ F5 WAF ported to NGINX+ App Protect Essential
➢ K8S CRDs as Ingress Resource and API Gateway features
BIG-IP + CIS
✓ BIG-IP functionality (LTM/ASM/APM) for your containers
✓ Route traffic to your PODs without an extra hop
✓ DevOps friendly due to the ATC and CIS K8S/OCP integration
ASPEN MESH
➢ Istio based with enterprise features / support
➢ Focus on E-W security, observability and L7 policy management
➢ Cloud Native experience as made for K8S
F5 Networks in the Container World
WHAT DO WE OFFER TODAY – NORTH SOUTH VS EAST WEST
master control plane YAML
Service A Service B Service C
DO I NEED A SERVICE MESH?
WHEN DO YOU NEED ONE? IF YOU CANNOT DRAW YOUR MICROSERVICE ARCHITECTURE ON A NAPKIN
East – West Service Mesh Threshold
MICROSERVICES USE MULTIPLE LANGUAGES, STITCH THEM TOGETHER
Polyglot application service architecture
ISTIO CONTROL PLANE EXTENDED
Aspen Mesh architecture
ASPEN MESH VALUE ADDS
➢ Predictive alerting and application health scores
➢ Data flows are visualised in Aspen Mesh dashboard – service graph
➢ Network, security and configuration issues visualised in Aspen Mesh dashboard
➢ Use Prometheus for metrics and Alert Manager for alerting
Technical Value Add
VISIBILITY AND REPORTING
Technical
Business
Visibility & Reporting
Resilience & Fault Tolerance
Routing & Traffic
Identity & Security
Policy Enforcement
MTTR
Cost & Risk
Support & Expertise
➢ Retries
➢ Circuit breaker / request pool
➢ Outlier detection (endpoint pool ejection)
➢ Timeouts
➢ Fault injection
➢ Aspen Mesh deliverable is tested and validated
Technical Value Add
RESILIENCE AND FAULT TOLERANCE
➢ Different load balancing (round robin, least request, random, …)
➢ Traffic shifting/distribution between services
➢ Routing based on HTTP header
➢ Traffic mirroring
➢ Traffic tapping
➢ Integration with External DNS
Technical Value Add
ROUTING AND TRAFFIC
➢ Authorization with JWT
➢ Authentication with mTLS
➢ mTLS (client-server certificates SPIFFE)
➢ White and black listing
➢ RBAC
➢ Aspen Mesh installed with security tied down by default
Technical Value Add
IDENTITY AND SECURITY
➢ Policy enforcement Istio global or per namespace
➢ Support for fine grained policy control between ClusterOps and AppOps teams
➢ Quota
➢ RBAC
Technical Value Add
POLICY ENFORCEMENT
Business Value Add
MTTR – MEAN TIME TO RECOVERY / REPAIR / RESOLUTION
➢ Aspen Mesh reduces MTTR for application, network and security issues
➢ Setting up Istio yourself is complex and time consuming
➢ 3 to 6 months by 2 FTEs for initial setup
➢ Istio expertise is hard to find and expensive (outsourced to external consultants)
➢ Istio evolves, and staying up to speed is a full-time job – OSS is always a risk
➢ Aspen Mesh reduces ramp-up cost and risk
Business Value Add
COST AND RISK
➢ Working with Istio since v0.2.4 (Sept 2017)
➢ Active contributors to Istio and Envoy and participants in Istio Working Groups and TOC
➢ Member of early disclosure lists for security vulnerabilities (CVE) for Istio and Envoy
➢ Custodians of the utility to validate the configuration of Istio (Istio-vet)
➢ We are silver members at Cloud Native Computing Foundation (CNCF)
Business Value Add
SUPPORT AND EXPERTISE
DEMO TIME
MICROSERVICE GRAPH – VISUALISING TRAFFIC AND SECURITY ISSUES
Aspen Mesh Demo
TRY IT OUT YOURSELF!!!
➢ Contact your local F5 sales representative
➢ https://aspenmesh.io
➢ free registration and try out
➢ documentation
➢ Aspen Mesh University – 7 introduction videos
➢ https://aspenmesh.io/service-mesh-university
➢ Drop us an email at [email protected]
WHERE TO START?
Try it out yourself