F5 SOLUTIONS PLAYBOOK - Westcon-Comstor


SOLUTIONS PLAYBOOK
September 2016 - March 2017

F5 NETWORKS SOLUTIONS PLAYBOOK - SECTION CONTENT
- APPLICATION DELIVERY
- CLOUD (PRIVATE AND PUBLIC)
- SECURITY
- SERVICE PROVIDER
- MANAGED SERVICES

F5 NETWORKS SOLUTIONS
1. Global traffic balancing
2. Local traffic balancing
3. Balancing environments through multi-homing
4. Business continuity with DPC minimum back-up services
5. Business continuity for systemic institutions
6. Business continuity and access congestion control
7. Server resources cost control
8. Firewalls scalability
9. DNS scalability solutions
10. Federation and simplification of VDI environments
11. Integration of hyperconvergent platforms – Nutanix
12. Migrating Exchange environments
13. Optimization of DC access based on geolocation
14. Optimized cache balancing (CARP)
15. TCP optimization
16. Rewriting gateway domains
17. HTTP/2 gateway
18. IPv6 gateway
19. Geo-location solution with EDNS
20. HA and DC solution in HUB & spoke topologies
21. Interconnect solution for overlapping networks
22. Data centre persistence solution
23. Customized portals solution
24. DNS64 solution
25. Multi-language solution in web environments
26. NAT64 solution
27. Intelligent packet brokering solution
28. Cisco ACE replacement

01 APPLICATION DELIVERY: GLOBAL TRAFFIC BALANCING

PROBLEM
The globalisation of companies, plus the increasing trend to distribute applications across multiple data centres and cloud service providers, has come at a time when working practices have also changed to encourage a more flexible, distributed and mobile workforce.
The result is the need to enable customers, employees and automated services to connect to these newly distributed applications based on a number of business parameters such as service availability, geo-location, response times, costs, etc. Simply providing a DNS record is no longer enough.

ALTERNATIVES
- Lack of business continuity in cases where a complete data centre goes down.
- Only being able to implement active-passive strategies, with the consequent under-utilisation of infrastructure and high failover costs (involving time and processes).
- Excessive latencies and degradation of service for roaming users.

F5 DNS SOLUTION
The DNS module from F5 (formerly known as GTM) allows you to distribute client traffic across multiple locations (either DC or cloud services) based on multiple business metrics. Thus users located across the globe requiring access to an application can use a single service name (FQDN). Depending on their location, the application's availability, the DC's availability, link speeds, number of hops, etc., the user is directed to the most suitable location to service their needs. This allows:
- The guarantee of continuous service through constant monitoring of the status of the applications in each location.
- Reduction in latency issues by directing the user to the closest or fastest-responding instance, thereby improving the user experience, response times and productivity.
- Deployment of applications in active-active data centres to deliver highly available solutions.
- The optimal use of data centres (or the Cloud) depending on cost, response time, etc.

REFERENCE ARCHITECTURE: GLOBAL TRAFFIC BALANCING
(Diagram: Data Center 1 and Data Center 2, each with BIG-IP DNS with IP geolocation database; Cloud Hosted Apps; Cloud Service for bursting / backup failover / geolocation.)
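The selection logic the section describes (healthy sites only, then the closest or cheapest one), as an added Python model. It is not F5 code and not how BIG-IP DNS is implemented internally; the site names, addresses, coordinates, monitor results and weights are constructed for the demonstration.

```python
"""Health-first, topology-aware site selection (added example, not F5 code)."""
from dataclasses import dataclass
import math


@dataclass
class DataCentre:
    name: str
    vip: str                 # address handed back in the DNS answer
    lat: float
    lon: float
    healthy: bool = True     # verdict of the application-level health monitor
    rtt_ms: float = 0.0      # response time measured by that monitor
    cost: float = 1.0        # relative cost of serving from this site


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance, used as the proximity metric."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def score(dc, client_lat, client_lon, w_dist=1.0, w_rtt=20.0, w_cost=500.0):
    """Lower is better: distance in km plus weighted RTT and weighted cost.
    The weights are constructed; a real deployment tunes them per business."""
    return (w_dist * distance_km(dc.lat, dc.lon, client_lat, client_lon)
            + w_rtt * dc.rtt_ms
            + w_cost * dc.cost)


def resolve(fqdn, client_lat, client_lon, sites):
    """Return the VIP of the best-scoring *healthy* site for fqdn.

    Unhealthy sites are never returned, so a whole-DC outage fails over on
    the next resolution without human intervention. If nothing is healthy
    we raise rather than answer with a dead address.
    """
    candidates = [dc for dc in sites if dc.healthy]
    if not candidates:
        raise LookupError(f"no healthy site for {fqdn}")
    best = min(candidates, key=lambda dc: score(dc, client_lat, client_lon))
    return best.vip


def build_sites():
    """Constructed inventory: two owned DCs plus a more expensive cloud site."""
    return [
        DataCentre("london", "203.0.113.10", 51.5074, -0.1278, rtt_ms=30),
        DataCentre("newyork", "198.51.100.10", 40.7128, -74.0060, rtt_ms=30),
        DataCentre("cloud-frankfurt", "192.0.2.10", 50.1109, 8.6821, rtt_ms=30, cost=3.0),
    ]


if __name__ == "__main__":
    sites = build_sites()
    print("Paris client ->", resolve("app.example.com", 48.8566, 2.3522, sites))
    sites[0].healthy = False   # simulate the London monitor failing
    print("Paris client after London outage ->",
          resolve("app.example.com", 48.8566, 2.3522, sites))
```

With all sites up a Paris client is sent to London; once London's monitor fails the same client goes to the Frankfurt cloud site, because its proximity outweighs its higher cost relative to New York. Only when every site is down does the resolver refuse to answer.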

02 APPLICATION DELIVERY: BALANCING LOCAL TRAFFIC

PROBLEM
One of the main problems with both internal and customer-facing applications is how to deliver service in an efficient manner as the number of users grows at a rapid rate. Rapid growth in the customer base or spikes in traffic can put stress on servers and increase response times, or adversely affect the availability of the service. The result is a poor or unstable service for the user.

ALTERNATIVES
- Manage multiple input lines and divide the requests manually between different services.
- Use bigger servers, which is neither cost-effective nor flexible.
- Use more traditional and less intelligent balancing mechanisms, which impacts the efficiency of the service and restricts how scalable the solution can be.

F5 LTM SOLUTION
With advanced monitoring of data centre resources and a choice of load balancing algorithms you can make intelligent decisions on how to distribute traffic, providing a highly available solution with unprecedented scalability.
With the BIG-IP LTM (Local Traffic Manager) solution, while continuing to present a single service (FQDN) to users, traffic is distributed evenly across the resources that are available to run the application. Even in environments where specific bespoke or dated applications are used, F5 enables custom monitors to be used to deliver the same level of scalability and performance without the need to re-write or re-engineer the current solution.

REFERENCE ARCHITECTURE: BALANCING LOCAL TRAFFIC
(Diagram: Customers and Employees reach the Data Center through the ISP; a DDoS Attack is shown at the edge; Firewall, BIG-IP Platform, Load Balancing.)

03 APPLICATION DELIVERY: BALANCING ENVIRONMENTS THROUGH MULTI-HOMING

PROBLEM
Mechanisms for deploying applications have changed due to the use of cloud services, which offer new models for IT consumption, allowing companies more flexibility in their service models, time to market, cost management, etc.
Other similar alternatives include the development of private clouds, generating new models of deployment in hybrid architectures and making it possible to take advantage of the best features of each type of deployment.
For this reason, it is increasingly common for applications to be deployed using "multi-homing", which requires monitoring of how services are consumed based on new business parameters such as costs, proximity, availability, etc. These are parameters that have not been widely considered to date.

ALTERNATIVES
- Manual configuration on a user-to-user basis, or mandatory connection to a DPC.
- Lack of business continuity if there is a complete failure of a DPC.
- Active-passive strategies with consequent under-utilization of infrastructure and fail-over costs (time and process implications).

F5 LTM DNS SOLUTION
F5's DNS module (formerly known as GTM) makes it possible to distribute traffic from users or clients between different data centres or cloud services based on a wide variety of business metrics.
These capabilities are complemented by the use of the LTM (Local Traffic Manager) module, which allows you to redirect traffic between different locations through visibility of the traffic at layer 7. The combination of both modules gives you fine-grained control over how a user connects to an application regardless of its location or the architecture being used.

REFERENCE ARCHITECTURE: BALANCING ENVIRONMENTS THROUGH MULTI-HOMING
(Diagram: Users -> BIG-IP DNS, business logic applied on DNS resolution; traffic redirection based on L7 business logic; Data Center 1 and Data Center 2, each with Cloud Hosted Apps.)

04 APPLICATION DELIVERY: BUSINESS CONTINUITY WITH DPC MINIMUM BACK-UP SERVICES

PROBLEM
Business continuity cannot be impacted in a contingency situation. However, the deployment of back-up centres with full capacity can be a very expensive investment, not forgetting the difficulty of complying with the regulatory requirements.
Ensuring access to the services of the back-up centre should be possible on a selective basis, for those users who have SLAs that demand it.

ALTERNATIVES
- Manual procedures do not ensure business continuity, and require «human» intervention.
- Building back-up «mirroring» centres impacts CAPEX/OPEX.

F5 DNS SOLUTION
The DNS solution enables intelligent traffic balancing between different data centres in both Active-Active and Active-Passive deployments.
Once the critical services requiring business continuity have been determined, and the users who must have guaranteed access to these services have been defined, F5 provides the automated mechanisms to direct all users to the primary DC and then, in the case of a failure, automatically redirect selected users to the back-up centre. This user-level granularity is critical for compliance with SLAs.
By using data structures in LTM (Local Traffic Manager), where the specific information for «VIP» users is stored, it is further possible to determine the different services to which these users have access in the back-up centre. If a user does not have access to a service, a message along the lines of «service temporarily unavailable» is displayed.
By using iControl, it is possible to integrate the management of these data structures with third-party tools, which makes it possible, for example, to import data files for «VIP» users into the solution.

REFERENCE ARCHITECTURE: BUSINESS CONTINUITY WITH DPC MINIMUM BACK-UP SERVICES
(Diagram: Internet -> Data Center 1 and Data Center 2; each DC has a DMZ with DNS Services on a BIG-IP Platform, Load Balancing on a BIG-IP Platform, and Servers, Apps and Database behind it.)
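The selective failover decision described above, as an added Python model that is not F5 code: on BIG-IP the «VIP» list lives in an LTM data group populated through iControl and the decision runs in an iRule, whereas here a parsed text file plays the data group and the DC status values are constructed for the demonstration. The file format (user, then a semicolon-separated service list) is an assumption made for the example.

```python
"""Selective failover to a minimum-service back-up DC (added example, not F5 code)."""

PRIMARY, BACKUP = "dc1", "dc2"
UNAVAILABLE = "service temporarily unavailable"

# Constructed: the services each DC is currently able to serve. The back-up
# centre deliberately offers only the minimum set that the SLAs require.
DC_SERVICES = {
    PRIMARY: {"payments", "trading", "reporting"},
    BACKUP: {"payments", "trading"},
}


def load_vip_file(text):
    """Parse 'user,service;service' lines into {user: {services}}.

    Constructed format standing in for a file imported via iControl.
    Blank lines and '#' comments are ignored; unknown users simply get no
    entry, which the router treats as 'not entitled to the back-up DC'.
    """
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, services = line.partition(",")
        users[user.strip()] = {s.strip() for s in services.split(";") if s.strip()}
    return users


# Constructed sample of the imported «VIP» data group.
VIP_FILE = """# user,entitled back-up services
alice,payments;trading
bob,payments
"""
VIP_USERS = load_vip_file(VIP_FILE)


def route(user, service, dc_status, vip_users=VIP_USERS):
    """Return (dc, message): dc is the centre to send the user to, or None
    with the message the user should see.

    dc_status maps a DC name to True when its monitors report it healthy.
    While the primary is up everybody goes there; once it is down only
    entitled users, for entitled services that the back-up actually
    offers, are redirected.
    """
    if dc_status.get(PRIMARY):
        if service in DC_SERVICES[PRIMARY]:
            return PRIMARY, None
        return None, UNAVAILABLE
    if not dc_status.get(BACKUP):
        return None, UNAVAILABLE
    entitled = vip_users.get(user, set())
    if service in entitled and service in DC_SERVICES[BACKUP]:
        return BACKUP, None
    return None, UNAVAILABLE


if __name__ == "__main__":
    status = {PRIMARY: False, BACKUP: True}   # constructed: primary DC lost
    for who, what in [("alice", "trading"), ("bob", "trading"), ("carol", "payments")]:
        print(who, what, "->", route(who, what, status))
```

The check order matters: entitlement is evaluated only after the primary's monitor says it is down, so a mistake in the VIP file can never steer traffic away from a healthy primary, and a service the back-up does not host is refused even for an entitled user rather than being forwarded to an address that cannot answer.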

05 APPLICATION DELIVERY: BUSINESS CONTINUITY FOR SYSTEMICALLY IMPORTANT FINANCIAL INSTITUTIONS

PROBLEM
Companies required to comply with the Basel III and Sarbanes-Oxley regulations face the risk of incurring penalties when operating distributed data centres dispersed between different continents without the capability to meet failover times.
The requirement is to have an RTO (Recovery Time Objective) of less than an hour, to ensure the business cannot stop for more than an hour. Additionally, the business must have an RPO (Recovery Point Objective) of less than 24 hours, to ensure data consistency can be recovered in less than 24 hours.

ALTERNATIVES
- Manual redirecting of IPs to cover the RTO. This is time consuming and prone to delays due to network convergence.
- Increasing the number of lines, or expanding the bandwidth of existing lines, to cover the RPO. This is a very expensive solution.

F5 DNS AAM SOLUTION
Using the DNS product, F5 goes beyond RTO standards by enabling the recovery or forwarding of a service to another DC, both automatically and in real time.
Using F5 AAM (Application Acceleration Manager) enables companies to achieve RPO standards while reducing costs (less bandwidth) by applying compression and deduplication techniques to remote copies and back-ups. We are certified in the most important replication solutions: TrueCopy (HDS), SRDF (EMC) and IBM. These techniques reduce both the bandwidth and the time required to back up and to replicate an asynchronous copy affected by latency.

REFERENCE ARCHITECTURE: BUSINESS CONTINUITY FOR SYSTEMICALLY IMPORTANT FINANCIAL INSTITUTIONS
(Diagram: Data Center 1 and Data Center 2, each with BIG-IP DNS with IP geolocation database; Cloud Hosted Apps; Cloud Service for bursting / backup failover / geolocation.)

06 APPLICATION DELIVERY: BUSINESS CONTINUITY AND ACCESS CONGESTION CONTROL

PROBLEM
Sometimes companies are in a position where the use of an online service goes beyond the capabilities of their server infrastructure. This can happen for a number of reasons, such as marketing campaigns, online ticketing releases, product promotions, online flight-search services, etc. During these events there is a significant spike in the number of requests directed towards a particular web service.
On all of these occasions the availability of the service can be compromised (similar to suffering a DDoS attack, but with legitimate traffic) and users suffer a bad experience, affecting their impression of the company. Users rarely return to sites after being affected by poor quality of service and a poor user experience.

ALTERNATIVES
- Outage during peak traffic.
- Investment in additional hardware to process peak traffic correctly.
- Users making repeated attempts to access the service, which can extend the denial-of-service period.

F5 LTM SOLUTION
Thanks to LTM (Local Traffic Manager) standard functionality plus the programmability of F5 (iRules), it is possible to establish mechanisms for the management of traffic spikes that are well above the capabilities of the servers.
Users who want to access a service at a time of excess demand can be handled directly by BIG-IP, which queues the user (first come, first served) in the form of a «waiting room». This absorbs the flood of requests, ensuring service availability and preserving the quality of the user experience.

REFERENCE ARCHITECTURE: BUSINESS CONTINUITY AND ACCESS CONGESTION CONTROL
(Diagram: Clients -> BIG-IP -> Service; a "Normal Situation" is contrasted with an "Avalanche" of requests held in the "Waiting room".)
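A first-come-first-served «waiting room» admission controller, added here as a stand-alone Python model of the mechanism the section describes. It is not F5 code: on BIG-IP this is written as an iRule over the session table, while here an in-memory class shows only the queueing logic. The capacity, session lifetime, visitor identifiers and injectable clock are constructed for the demonstration.

```python
"""FIFO waiting room that caps concurrent sessions (added example, not F5 code)."""
from collections import OrderedDict
import time


class WaitingRoom:
    def __init__(self, capacity, session_ttl=600, now=time.monotonic):
        self.capacity = capacity        # concurrent sessions the servers can sustain
        self.session_ttl = session_ttl  # seconds an admitted session stays valid
        self.now = now                  # clock, injectable so tests are deterministic
        self.active = {}                # visitor -> admission expiry time
        self.queue = OrderedDict()      # visitor -> arrival time, insertion order = FIFO

    def _expire(self):
        """Drop admitted sessions whose TTL has elapsed, freeing capacity."""
        t = self.now()
        for visitor, expiry in list(self.active.items()):
            if expiry <= t:
                del self.active[visitor]

    def request(self, visitor):
        """Handle one request; return ("admit", 0) or ("wait", position).

        A visitor who refreshes while waiting keeps their place instead of
        creating a new queue entry, so the retry storm the ALTERNATIVES
        bullet warns about does not lengthen the queue.
        """
        self._expire()
        t = self.now()
        if visitor in self.active:
            return "admit", 0
        if visitor not in self.queue:
            self.queue[visitor] = t
        # Admit from the head of the queue while the servers have room.
        while self.queue and len(self.active) < self.capacity:
            head, _ = self.queue.popitem(last=False)
            self.active[head] = t + self.session_ttl
        if visitor in self.active:
            return "admit", 0
        return "wait", list(self.queue).index(visitor) + 1

    def release(self, visitor):
        """Explicit end of session (logout / purchase complete)."""
        self.active.pop(visitor, None)


if __name__ == "__main__":
    room = WaitingRoom(capacity=2)
    for v in ["a", "b", "c", "d"]:
        print(v, room.request(v))   # a, b admitted; c, d wait at positions 1 and 2
```

The TTL is what stops the room from filling with abandoned sessions: without expiry, a visitor who closes the browser without releasing would hold a slot forever and the queue would never drain.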

07 APPLICATION DELIVERY: COST CONTROL OF SERVER RESOURCES

PROBLEM
Each year, companies commit to providing more services via the internet, with the consequence of significantly increasing spend on new and powerful servers. This means that they are not able to address projects in other areas, such as security, for lack of funds.
This expenditure is increased by the fact that increasingly complex applications are being developed, which make intensive use of CPU resources and the RAM on servers. In addition, operations such as TLS/SSL encryption or compression consume many more resources when running on generic operating systems and generic hardware.
Moreover, the current standard of using 2048-bit encryption keys in internet communications has increased CPU consumption on servers by almost 80% compared with the 1K-bit keys which were used previously.
If we then factor in the energy and hosting costs of these new servers, the costs skyrocket and require specific monitoring.

ALTERNATIVES
- More powerful servers, which significantly increase the overall cost of a solution.
- Use of specific devices to cache, compress and terminate SSL. This results in more devices to manage and build.

F5 LTM AAM SOLUTION
This F5 solution incorporates hardware and software components dedicated to reducing the impact of intensive tasks. Techniques used include:
- Balancing/intelligent distribution of traffic. F5 can distribute traffic based on advanced rules, for example to permit one group of servers (which are less powerful but have more storage) to be used to serve static images and another group to manage dynamic requests, as these imply greater CPU processing.
- Offloading compression and SSL from the servers. This frees up numerous CPU cycles on the servers.
- Caching. F5 caches many objects, which removes the need to make repeat requests for them to the servers. The AAM (Application Acceleration Manager) module makes it easier for users to cache objects in their browsers, removing the need for users to make repeated unnecessary requests.
- Multiplexing connections. OneConnect is able to open a number of connections to the servers and multiplex the user connections, thus relieving servers of the management of TCP connections (pooling).
Moreover, Crypto Off-loader technology allows us to scale the performance of SSL traffic. In this scenario the ROI on the procurement of F5 equipment is very high; it reduces the cost of new servers by up to 60%.

REFERENCE ARCHITECTURE: COST CONTROL OF SERVER RESOURCES
(Diagram: Users -> Internet -> BIG-IP (Load Balance, Caching, SSL Offload, Compression) -> Data Center with Server 1, Server 2, Apps and Database.)

08 APPLICATION DELIVERY: FIREWALLS SCALABILITY

PROBLEM
The traditional approach of deploying firewalls/NGFWs in clusters does not scale in proportion to the needs of the users and services they protect. In most cases, the scalability of these security solutions is based solely on over-sizing the platform and not on a real capacity for increased performance on demand. This has a strong financial and operational impact.
This lack of flexibility means that it is often necessary to replace a security platform completely in order to increase performance, with consequent economic and operational impact.
Moreover, the number of connections per second and of simultaneous connections is the «Achilles heel» of these security platforms. Both factors are critical in perimeter security environments, and often it is the firewalls/NGFWs themselves that suffer from compromised performance (for example under DDoS).

ALTERNATIVES
- Over-sizing of the firewall/NGFW security platform, with consequent impact on CAPEX/OPEX.
- Reduction of these platforms' ROI due to the impossibility of real growth on demand.

F5 LTM SOLUTION
The LTM (Local Traffic Manager) module by F5 makes it possible to balance any security element, maintaining session persistence and avoiding asymmetric traffic flows between the elements which make up the group of firewalls/NGFWs, using a «sandwich»-type architecture. This architecture allows the deployment of additional elements based on service needs. These new elements can have a different level of performance from the existing ones (and even be from a different manufacturer!). They can also be deployed without loss of service.
All the intelligence required to control the distribution of traffic and to manage the availability of elements is delegated to F5. This intelligence allows you to monitor and protect the resources of the firewalls/NGFWs so as not to compromise performance.

REFERENCE ARCHITECTURE: FIREWALLS SCALABILITY
(Diagram: Customers and Employees via the ISP, with a DDoS Attack at the edge -> BIG-IP Platform (Load Balancing) -> a row of Firewall/NGFW elements -> BIG-IP Platform (Load Balancing) on the inside.)
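The two balancing behaviours described in the local traffic balancing section (02) and in this firewall «sandwich» section, health-aware member selection and flow persistence that keeps both directions of a flow on the same element, as one added Python model. It is not F5 code; LTM does this with its monitors, ratio least-connections and persistence profiles. The member addresses, ratios, monitor verdicts and flow endpoints are constructed for the demonstration, and the direction-independent flow key is an assumption of this example.

```python
"""Health-aware ratio least-connections with flow persistence (added example, not F5 code)."""
from dataclasses import dataclass


@dataclass
class Member:
    address: str
    ratio: int = 1         # relative capacity: a bigger or newer box gets a higher ratio
    up: bool = True        # latest health-monitor verdict
    connections: int = 0   # flows currently pinned to this member


class Pool:
    def __init__(self, members):
        self.members = list(members)
        self.persist = {}  # flow key -> member address

    @staticmethod
    def flow_key(src, dst):
        """Order-independent key, so the reply direction of a flow maps to the
        same entry as the request direction and never crosses to another
        firewall (that asymmetry is what breaks stateful inspection)."""
        return tuple(sorted((src, dst)))

    def add_member(self, member):
        """Capacity added on demand; existing flows stay pinned where they are,
        which is why the addition causes no loss of service."""
        self.members.append(member)

    def set_health(self, address, up):
        """Apply a monitor verdict; a member going down loses its pinned flows
        so they are re-balanced onto live members on their next packet."""
        for m in self.members:
            if m.address == address:
                m.up = up
                if not up:
                    self.persist = {k: v for k, v in self.persist.items() if v != address}
                    m.connections = 0

    def pick(self, src, dst):
        """Return the member address for this flow, pinning it on first sight."""
        key = self.flow_key(src, dst)
        pinned = self.persist.get(key)
        if pinned is not None:
            return pinned
        candidates = [m for m in self.members if m.up]
        if not candidates:
            raise RuntimeError("no healthy member in pool")
        # Ratio least-connections: fewest flows per unit of capacity wins;
        # ties break on address so the choice is deterministic.
        best = min(candidates, key=lambda m: (m.connections / m.ratio, m.address))
        best.connections += 1
        self.persist[key] = best.address
        return best.address

    def close(self, src, dst):
        """Flow finished (FIN/RST or idle timeout): release the pin."""
        addr = self.persist.pop(self.flow_key(src, dst), None)
        for m in self.members:
            if m.address == addr and m.connections > 0:
                m.connections -= 1


def build_pool():
    """Constructed sandwich: one small firewall and one with twice the capacity."""
    return Pool([Member("10.0.0.1", ratio=1), Member("10.0.0.2", ratio=2)])


if __name__ == "__main__":
    pool = build_pool()
    print("request :", pool.pick("198.51.100.7:40000", "203.0.113.10:443"))
    print("reply   :", pool.pick("203.0.113.10:443", "198.51.100.7:40000"))
```

The same `pick` call serves both BIG-IP tiers of the sandwich: the outer tier keys on the client-to-VIP pair and the inner tier on the reply pair, and because the key is order-independent both resolve to the same firewall.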

09 APPLICATION DELIVERY: DNS SCALABILITY SOLUTIONS

PROBLEM
The DNS protocol has become a critical point in the operation of the internet, and its importance is set to grow with the progressive adoption of IPv6, in which IP addresses have a length of 128 bits (instead of 32-bit IPv4). The large increase in the number of mobile devices and the imminent arrival of the IoT have also contributed to the great increase in the number of DNS requests which these solutions must resolve.
Some 41% of the time, loss of web service infrastructure is due to DNS-related problems, so it is essential to maintain the availability of the DNS service. The loss (or degradation) of the service adversely affects service users, leading to loss of revenue and loss of productivity for users attempting to access corporate resources such as e-mail.

ALTERNATIVES
- Risking losing the DNS service, thus endangering business continuity and the productivity of the company's employees, is difficult to justify.
- Adding more and more DNS servers, without intelligent balancing which can monitor server performance, is also not particularly advisable.

F5 DNS SOLUTION
The F5 DNS solution makes it possible to scale existing DNS solutions in an effective and safe way, making use of diverse capabilities such as balancing and monitoring traditional DNS systems. DNS Express is a technology proprietary to F5 which makes it possible to transfer zones from the traditional DNS infrastructure to a BIG-IP device, where they are served from RAM and with hardware acceleration. Another great advantage of DNS Express from F5 is that it is a proprietary implementation, not based on BIND.
In addition, IP multicast can be used by F5 DNS to distribute the DNS services between multiple data centres. The nearest or fastest connection to the originating query responds to the request.

REFERENCE ARCHITECTURE: DNS SCALABILITY SOLUTIONS

10 APPLICATION DELIVERY: FEDERATION AND SIMPLIFICATION OF VDI ENVIRONMENTS

PROBLEM
VDI environments are often used to make it possible for users to connect to enterprise environments without the need for heavy, expensive end-user devices. However, their use entails other problems implicit in the architectures of this type of technology.
Each VDI environment requires a user authentication element, another element to present the options available to each user, and finally an element which acts as a «broker» and manages access to the VDI.

F5 APM SOLUTION
The F5 APM (Access Policy Manager) solution authenticates users and establishes SSL-secured VPN tunnels to the network, replacing the security-gateway solution in VDI environments.
In addition, APM presents the user with the different options on screen, consolidating functionality onto a single platform and therefore saving the need for this element to be incorporated in the VDI solution.
APM is independent of the VDI solution implemented, making it possible to standardize the «look and feel» of the solution for the client, presenting the same format and options on screen regardless of the VDI solution deployed.

REFERENCE ARCHITECTURE
