On-prem Private Cloud - Carahsoft

Transcription

[Diagram: Containers; App services: Access, TLS/SSL, DNS, Network; WAF, Load Balancing, DNS, Access Control, Security Policies]

F5 Beside the Cloud

Why Get Closer to the Cloud?

[Diagram: Enterprise Location (Enterprise Apps, Enterprise Users) and Public Cloud, captioned "There's this distance between us"]

- Latency: performance
- Connectivity: security

F5 Networks, Inc

Existing Connection to Cloud

Dedicated connection
  Examples: AWS Direct Connect, Azure ExpressRoute, Google Cloud Interconnect, Oracle FastConnect
  Advantages: private, fast(er)
  Disadvantages: cost (you pay for the line and for usage); multiple clouds need multiple connections

VPN connection
  Examples: AWS Virtual Private Gateway, Azure Virtual Network Gateway
  Advantages: cheap
  Disadvantages: uses the Internet, so latency, reliability, privacy and congestion may be issues

Interconnection to Cloud

[Diagram: Interconnection provider with a dedicated connection to each cloud]

- Cloud Ready: modernize connectivity to multiple clouds at the edge of the network
- User Experience: shorten distance and lower latency between users and cloud apps
- Private/Secure: directly connect users, data and clouds, bypassing the public internet
- Lower Cost: economical, less-complex connectivity compared to old network topologies

[Diagram: Interconnection to cloud, with a dedicated connection to each cloud and F5 services inserted at the interconnect: Identity Federation, WAF, DDoS, SSLi]

Use Case Scenarios

- Identity Federation: Mitigate risk by providing dynamic, centralized and adaptive access control and cloud federation for all applications anywhere.
- WAF: Protect your apps, and the data behind them, from evasive, targeted attacks with an industry-leading WAF offering the highest level of security without impacting performance.
- DDoS: Protect your data with a high-value, easy-to-deploy-and-manage next-generation DDoS solution that guards against the most aggressive and targeted DDoS attacks.
- SSLi: Gain critical visibility and deeper intelligence into the traffic on your network and in the cloud that many traditional defenses leave exposed.

Control Public Cloud Apps Better and Avoid Cloud Vendor Lock-in

Challenges
- Lack of control over applications and devices
- Lack of operational flexibility and risk of cloud provider lock-in
- Gap in IT resource skillsets in public cloud

Recommended app delivery services
- Advanced local/global traffic management
- SSL offload and intercept
- App security: DDoS, WAF and IAM
- Available via BYOL with VE, and on hardware appliances, with GBB (Good/Better/Best) licensing models

Key Benefits
- Maintain a central point of control and visibility
- Enable flexibility and portability among clouds
- Reduce security risks with consistent policies
- Achieve user performance expectations

2017 F5 Networks

Only consistent services insertion across cloud providers

[Diagram: Users -> Interconnect Provider running the BIG-IP platform (APM, LTM, ASM providing SSL, access and app security services) -> Application Connector (AC) in each public cloud; an Attacker is shown on the public cloud side]

F5 Application Connector (AC)
- Automatically discovers public cloud-hosted apps in AWS
- Securely integrates all public clouds to the Interconnect or data center (DC)
- Simplifies deploying app delivery and security services
- Consistent policies and configs across public clouds
- Reduces footprint by obfuscation / key management

Key Benefits
- Migrate with confidence
- Preserves app services control
- Enables cloud freedom, avoiding lock-in
- Visibility across all apps

Consistent App Services Across Clouds

[Diagram: AC in each cloud connected to BIG-IP at the Interconnect Provider]

- Availability: Achieve reliable and optimized applications. Extensible and flexible application services with programmability to manage physical, virtual, and cloud.
- SSL: Gain critical visibility and deeper intelligence into the traffic on your network and in the cloud that many traditional defenses leave exposed.
- DDoS: Protect your networks with a high-value, easy-to-deploy-and-manage DDoS solution that guards against aggressive and targeted attacks.
- WAF: Protect your apps, and the data behind them, from evasive, targeted attacks with an industry-leading WAF offering the highest level of security.
- Identity Federation: Mitigate risk by providing dynamic, centralized and adaptive access control and cloud federation for all applications anywhere.

Application Connector Service Center on BIG-IP
- Delivered as an iAppsLX package
- Application Service Management
- Real-time Logging and Statistics
- Multi-Path Workload Discovery
- Health Monitoring
- Active/Standby HA Support
- Touchless Recoverability
- Service API

Application Connector Proxy in the Cloud
- Delivered as a Docker container
- Secure TLS ECC Encryption
- AWS Workload Auto Discovery
- Manual Workload Definition and State Management
- Touchless Recoverability
- Service API

[Diagram: End Users -> Cloud Interconnect (Interconnect Provider, BIG-IP with AC Service Center) -> AC Proxy in the Public Cloud]

- Automatically discover public cloud-hosted apps
- Securely integrates Interconnect / DC to public clouds
- Simplifies deploying interconnect app services
- Consistent policies and configs across clouds
- Reduce footprint by obfuscation / key management

Only consistent services insertion across cloud providers

Application Connector security properties

- Reduced attack surface: no visible public IP addressing
  - Does not require mapping to public IPs in the CSP
  - Hides the original environment entirely from clients
  - Significantly reduces the potential attack surface
- Independent of network configuration
  - The AC deals gracefully with overlapping IP space
- Encryption keys stored centrally (not in the cloud instances)
  - Allows sensitive encryption keys to be stored outside the cloud environment
  - The AC can leave "serverssl none" towards the node; traffic is protected until it gets into the environment
- Keeps the BIG-IP configuration automatically notified of changes within the environment
  - Workload nodes can be auto-discovered in AWS by the proxy instance. Manual integration for all clouds.

[Diagram: AC connecting to Amazon, Rackspace, Azure and IBM SoftLayer]
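The two security properties above (no public IP on the cloud side, tolerance of overlapping private address space) follow from a reverse-connect design: the proxy inside the cloud dials out to the service center, which is the only party that ever listens, and the service center keys each tunnel by cloud rather than by private IP. The block below is an added, constructed illustration of that pattern and is not F5's Application Connector code; that AC works exactly this way is my reading of the slide, not something it states. Class names, the one-JSON-object-per-line protocol, the cloud names and the 10.0.0.5 addresses are all assumptions made for the example, and TLS is left out so it runs offline on loopback (the real proxy wraps the outbound socket in TLS).

```python
import json
import socket
import threading


class ServiceCenter:
    """Central side (stands in for the AC Service Center on BIG-IP).
    This is the ONLY party that binds a listening socket."""

    def __init__(self):
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))      # ephemeral port, loopback only
        self._srv.listen()
        self.port = self._srv.getsockname()[1]
        self._tunnels = {}                    # cloud name -> (line file, lock, workloads)
        self._conns = []                      # keep accepted sockets alive
        self._cv = threading.Condition()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            conn, _ = self._srv.accept()
            self._conns.append(conn)
            f = conn.makefile("rw", encoding="utf-8", newline="\n")
            hello = json.loads(f.readline())  # proxy announces its cloud and workloads
            with self._cv:
                self._tunnels[hello["cloud"]] = (f, threading.Lock(), set(hello["workloads"]))
                self._cv.notify_all()

    def wait_for(self, cloud, timeout=5.0):
        """Block until a proxy for `cloud` has dialled in (True) or the wait times out (False)."""
        with self._cv:
            return self._cv.wait_for(lambda: cloud in self._tunnels, timeout)

    def forward(self, cloud, workload, payload):
        """Send a request over the tunnel the cloud proxy opened towards us and return the reply."""
        f, lock, workloads = self._tunnels[cloud]
        if workload not in workloads:
            raise KeyError(f"workload {workload!r} not registered by {cloud!r}")
        with lock:                            # one request in flight per tunnel
            f.write(json.dumps({"workload": workload, "payload": payload}) + "\n")
            f.flush()
            return json.loads(f.readline())


class CloudProxy:
    """Cloud side (stands in for the AC proxy container).
    It only dials OUT: nothing here calls bind() or listen()."""

    def __init__(self, cloud, workloads, center_port):
        self.cloud = cloud
        self.workloads = workloads            # workload name -> private IP inside the VPC
        self._sock = socket.create_connection(("127.0.0.1", center_port))
        self._f = self._sock.makefile("rw", encoding="utf-8", newline="\n")
        self._f.write(json.dumps({"cloud": cloud, "workloads": list(workloads)}) + "\n")
        self._f.flush()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        for line in self._f:                  # requests arrive over our own outbound socket
            req = json.loads(line)
            ip = self.workloads[req["workload"]]
            # A real proxy would now connect to `ip` inside the VPC and relay bytes;
            # here we echo so the example is self-contained.
            reply = {"cloud": self.cloud, "served_by": ip, "echo": req["payload"]}
            self._f.write(json.dumps(reply) + "\n")
            self._f.flush()


def demo():
    center = ServiceCenter()
    # Constructed: two clouds with OVERLAPPING private address space; each hosts a
    # workload "web" at 10.0.0.5. Tunnels are keyed by cloud name, so the service
    # center never routes on the private IP and the overlap is harmless.
    proxies = [CloudProxy("aws", {"web": "10.0.0.5"}, center.port),
               CloudProxy("azure", {"web": "10.0.0.5"}, center.port)]
    if not (center.wait_for("aws") and center.wait_for("azure")):
        raise RuntimeError("proxies did not dial in")
    a = center.forward("aws", "web", "GET /")
    b = center.forward("azure", "web", "GET /")
    return center, a, b


if __name__ == "__main__":
    _, a, b = demo()
    print(a)
    print(b)
```

The point to check when reviewing such a design is that only the service center owns a listening socket; the cloud side can sit behind a NAT or security group with no inbound rules at all, which is what "no visible public IP addressing" buys you. The per-tunnel lock serialises requests for simplicity; a production proxy would multiplex with request IDs.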

F5 Application Connector: Four Use Case Examples

1. Protect Your Cloud Apps from Attack: maximize your protection investments
2. Control Cloud Access: consolidate and automate access control
3. Improve Public Cloud Encryption: simplify and centralize SSL
4. Auto-Discover Public Cloud Workloads: reduce app sprawl

Points across the four use cases:
- Lift and shift apps with confidence without sacrificing security configurations
- Insert public cloud access control at the cloud interconnect
- Leverage app protection and extend it to public cloud workloads
- Lower your attack surface: no public IP addresses in the cloud
- Enable SSO with OAuth, and SAML insertion across clouds
- All policies managed in one location for all apps
- Manage public cloud app encryption at the cloud interconnect
- Avoids cloud provider lock-in and preserves your control
- Reduce footprint by obfuscation / key management
- Auto-search public clouds to reveal app deployments
- Securely connect to BIG-IP and enable app services insertion
- Deliver approved app services to multiple public clouds

All Your Access Policies Managed in One Location for All Public Cloud Apps

[Diagram: Users -> Interconnect Provider or Data Center (BIG-IP with LTM, APM and AC; security services such as IPS, IDS, DLP) -> AC in a public cloud VPC; example apps: Salesforce, Office 365, Concur, Google Docs]

Problem:
- App sprawl and decentralized access
- Admin fatigue on policy for cloud and SaaS apps
- User password fatigue across multi-cloud apps
- Need uniform cloud access control services

Example (steps repeated for every app):
- Deploying multi-cloud and SaaS apps
- Select app and access configs for each app
- Decentralized app and access changes
- Separate app sign-in for IT and users across apps

Solution:
- Application Connector in the public cloud and on BIG-IP, leveraging existing infrastructure at the Interconnect
- Enable SSO with OAuth and SAML assertion for all public cloud and SaaS apps

Benefits:
- Consolidate access control policies in one solution
- Easily make policy changes across app deployments
- Access control continuity when migrating apps

Supported solutions and deployment topologies

Application Security
- Auto Scale Cloud WAF: AWS, Azure

Advanced Traffic Management
- Auto Scale Cloud LTM: AWS, Azure

Deployment Topologies
- 1-NIC VE deployment: AWS, Azure, Google, OpenStack
- 2-NIC VE deployment: AWS, Azure, Google, OpenStack
- 3-NIC VE deployment: AWS, Azure, Google
- n-NIC VE deployment: Azure, OpenStack
- HA (Active/Active): AWS, Azure
- HA (Active/Standby): Azure, OpenStack

BIG-IP VE on AWS

- VE is available from the AWS Marketplace in Good, Better & Best bundles, as well as more specific integrated solutions
- Supports all core BIG-IP modules including LTM, DNS, ASM, AFM & APM, as well as BIG-IQ
- Throughput options for BIG-IP VEs:
  - BYOL: 25Mbps, 200Mbps, 1Gbps, 5Gbps & 10Gbps
  - PAYG: 25Mbps, 200Mbps, 1Gbps & 5Gbps
- Supports multi-NIC configuration & configuration sync
- Deployable with CloudFormation Templates from GitHub
- The following integrated marketplace solutions are available using CFTs:
  - Auto Scale WAF
  - Auto Scale LTM (coming soon)
  - HA Pair (coming soon)

Auto Scale WAF deployment on AWS
For consistent application protection regardless of traffic volume or CPU utilization

Launches a PAYG BIG-IP VE instance with LTM and ASM provisioned for intelligent traffic management and application security. As traffic or vCPU consumption fluctuates, identical instances are automatically spun up or down to provide the optimal capacity for processing application traffic.

- The BIG-IP instances operate with 1 network interface
- Scale-up and scale-down events are based on pre-defined traffic or vCPU thresholds, typically 80% for scale up and 20% for scale down
- AWS resources required: S3 bucket, IAM role, CloudWatch, Auto Scaling group and SNS topic
- Available with PAYG instances, or with BYOL licenses when used in conjunction with BIG-IQ License Manager (free)
- Pre-requisites to this template can be found here (link to GitHub)

Manual deployment: 7 hours; templated deployment: 40 minutes

BIG-IP VE on Azure

- VE is available from the Azure Marketplace in Good, Better & Best bundles, as well as more specific integrated solutions
- Supports all core BIG-IP modules including LTM, DNS, ASM, AFM & APM
- Throughput and licensing options for BIG-IP VEs:
  - BYOL: 25Mbps, 200Mbps, 1Gbps & 3Gbps
  - PAYG: 25Mbps, 200Mbps & 1Gbps
- Supports multi-NIC configuration & configuration sync
- Deployable with Azure Resource Manager (ARM) templates from GitHub
- The following integrated marketplace solutions are available using ARM templates:
  - WAF for inside ASC (Azure Security Center) (BYOL)
  - WAF for outside ASC (BYOL & PAYG)
  - O365 Federated Access for Office 365 apps (BYOL & PAYG)

* Derived from Gartner G00301285 (March 24th 2016)

Auto Scale WAF deployment in Azure
For deploying an optimized application availability solution

Deploys BIG-IP with LTM/ASM provisioned in an Auto Scaling group, to consistently provide intelligent traffic management services to applications under varying traffic loads or vCPU strain. As traffic or vCPU utilization increases or decreases and crosses pre-defined thresholds, BIG-IP LTM instances are spun up or spun down accordingly.

- This solution is deployed into a new networking stack, which is created along with the solution
- The BIG-IP VE instance operates with 1 network interface, used for both management and data-plane traffic
- Requires use of an Azure Load Balancer (ALB)
- Multiple email addresses can be added to the template to receive notifications when scaling events occur
- Scaling events are based on either traffic throughput or vCPU consumption
- Available with PAYG instances, or with BYOL licenses when used in conjunction with BIG-IQ License Manager (free)
- Pre-requisites to this template can be found here (link to GitHub)

Manual deployment: 6 hours; templated deployment: 40 minutes
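Both the AWS and the Azure auto-scale descriptions above reduce to the same policy: add a WAF instance when traffic or vCPU crosses an upper threshold (80% on AWS), remove one when both drop below a lower threshold (20%), and leave the gap in between alone so the group does not flap. The block below is an added, constructed model of that decision logic and is not F5's template code nor a CloudWatch or Azure Monitor API call; the class, the cooldown parameter and the sample metric series are assumptions made for the example. It runs the policy over a short series so you can see the hysteresis and the cooldown in action.

```python
from dataclasses import dataclass, field


@dataclass
class AutoScaler:
    """Threshold-with-hysteresis scaling policy modelled on the 80% / 20% rule.
    Constructed illustration; not F5, AWS or Azure code."""
    min_size: int = 1
    max_size: int = 4
    scale_up_pct: float = 80.0     # at or above this load: add an instance
    scale_down_pct: float = 20.0   # at or below this load: remove an instance
    cooldown: int = 2              # evaluation periods to wait after any action
    size: int = 1                  # current number of BIG-IP instances
    _since_action: int = field(default=10**6, repr=False)

    def evaluate(self, cpu_pct: float, throughput_pct: float) -> int:
        """Apply one evaluation period. Returns +1, -1 or 0 (instances added/removed)."""
        self._since_action += 1
        if self._since_action < self.cooldown:
            return 0                                  # still cooling down from the last action
        load = max(cpu_pct, throughput_pct)           # either metric can drive a scale-up,
        action = 0                                    # and both must be low to scale down
        if load >= self.scale_up_pct and self.size < self.max_size:
            action = 1
        elif load <= self.scale_down_pct and self.size > self.min_size:
            action = -1
        # Between the two thresholds nothing happens: that dead band is the
        # hysteresis that stops the group flapping around a single trigger point.
        if action:
            self.size += action
            self._since_action = 0
        return action


def simulate(samples, **policy):
    """Run a metric series through the policy; return the group size after each period."""
    scaler = AutoScaler(**policy)
    sizes = []
    for cpu, tput in samples:
        scaler.evaluate(cpu, tput)
        sizes.append(scaler.size)
    return sizes


# Constructed sample: (vCPU %, throughput as % of the licensed rate) per evaluation period.
SAMPLE = [(30, 40), (85, 50), (90, 60), (90, 95), (50, 50),
          (10, 10), (10, 10), (10, 10), (10, 10)]

if __name__ == "__main__":
    print(simulate(SAMPLE, max_size=3, cooldown=2))   # [1, 2, 2, 3, 3, 2, 2, 1, 1]
```

In the real templates these thresholds are wired to CloudWatch alarms or Azure Monitor autoscale rules rather than polled in code, and the metric is averaged across the group; the cooldown here stands in for the alarm evaluation period that keeps a single spike from launching several instances at once.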

BIG-IP VE on Google Cloud

- VE is available from Google Cloud Launcher in Good, Better & Best bundles
- Supports all core BIG-IP modules including LTM, DNS, ASM, AFM & APM
- Throughput and licensing options:
  - BYOL: 25Mbps, 200Mbps, 1Gbps & 5Gbps
- Operates behind a Google Load Balancer for address translation
- Supports single-NIC configuration & configuration sync
- Deployable with Google Deployment Manager templates from GitHub

3-NIC BIG-IP VE deployment in Google
For deploying single, standalone BIG-IP device(s) with three network interfaces

Deploys a standalone BIG-IP VE in a Google VPC, where traffic automatically flows via the VE to the application servers. The BIG-IP VE instance operates with 3 network interfaces and is most similar to an on-premises deployment, with one interface for management, one for front-end application traffic and one for back-end application traffic.

- Multi-NIC configurations are necessary when deploying multiple applications on different IP addresses, or for multi-tenant configurations
- BYOL and PAYG templates available
- Pre-requisites to this template can be found here (link to GitHub)

[Diagram: Google Cloud VPC]

Manual deployment: 3 hours; templated deployment: 40 minutes


Enabling IT and DevOps Productivity

Challenges
- Scale deployment of app services
- Agile app deployment
- Enable service catalogs

Programmatic interfaces and tools
- iRule traffic manipulation
- Cloud Solution Templates for AWS, Azure & Google
- iControl API for 3rd-party integration
- iApp self-service deployment templates

Key Benefits
- Integration with DevOps and automation toolchains (Chef, Ansible, Puppet)
- Automated end-to-end deployments reduce human error
- Self-service portals
