F5 corporate template · F5 Networks in the Container World ... MICROSERVICES USE MULTIPLE...

Aspen Mesh

Enterprise Service Mesh

June 18 2020 – TechXChange NL

| ©2020 F5 – ASPEN MESH – TECHXCHANGE NL2

➢ Infra and application evolution

➢ F5 Networks in the container world

➢ Do I need a service mesh?

➢ Aspen Mesh – value adds

➢ Demo

➢ Try it out yourself !

Presentation overview

| ©2020 F5 – ASPEN MESH3

INFRA & APPLICATION

EVOLUTION


CONTAINERS ARE HERE TO STAY

The container landscape


CNCF RESEARCH DATA

Service Mesh adoption


CONTAINER SECURITY BECAME THE BIGGEST CONCERN

Container security


MONOLITHS TO MICRO SERVICES – AN INCREASING AMOUNT OF EAST-WEST TRAFFIC

Application architecture


Microservices at scale is hard


F5 NETWORKS IN

THE CONTAINER WORLD


Application

business logic

End-user

API

gateway

Web app

firewall

Ingress

controller

App / web

server

Denial of

service

Anti-fraud

& anti-bot

Load

balancer

Secure

access

WHERE ASPEN MESH FITS IN

Code to customer


NGINX+

➢ Proven NGINX OSS with

enterprise features / support

➢ F5 WAF ported to NGINX+

App Protect Essential

➢ K8S CRDs as

Ingress Resource and API

Gateway features

BIG-IP + CIS

✓ BIG-IP functionality

(LTM/ASM/APM) for your

containers

✓ Route traffic to your PODs

without an extra hop

✓ DevOps friendly due to the

ATC and CIS K8S/OCP

integration

ASPENMESH

➢ Istio based with enterprise

features / support

➢ Focus on E-W security,

observability and

L7 policy management

➢ Cloud Native experience as

made for K8S

F5 Networks in the Container WorldWHAT DO WE OFFER TODAY – NORTH SOUTH VS EAST WEST


master control planeYAML

Service A Service B Service C


DO I NEED A

SERVICE MESH?


WHEN DO YOU NEED ONE ? IF YOU CANNOT DRAW YOUR MICROSERVICE ARCHITECTURE ON A NAPKIN

East – West Service Mesh Treshold


MICROSERVICES USE MULTIPLE LANGUAGES, STITCH THEM TOGETHER

Polyglot application service architecture


ISTIO CONTROL PLANE EXTENDED

Aspen Mesh architecture


ASPEN MESH

VALUE ADDS


➢Predictive alterting and application health

scores

➢Data flows are visualised in Aspen Mesh

dashboard – service graph

➢Network, security and configuration issues

visualised in Aspen Mesh dashboard

➢Use Prometheus for metrics and Alert

Manager for alerting

Technical Value AddVISIBILITY AND REPORTING

Technical

Business

Visibilty & Reporting

Resilience & Fault Tolerance

Routing & Traffic

Identity & Security

Policy Enforcement

MTTR

Cost & Risk

Support & Expertise


➢Retries

➢Circuit breaker / request pool

➢Outlier detection (endpoint pool ejection)

➢Timeouts

➢Fault injection

➢Aspen Mesh deliverably is tested and

validated

Technical Value AddRESILIENCE AND FAULT TOLERANCE

Technical

Business



Routing & Traffic

Identity & Security

Policy Enforcement

MTTR

Cost & Risk

Support & Expertise


➢Different load balancing (round robin, least

request, random, …)

➢Traffic shifting/distribution between services

➢Routing based on HTTP header

➢Traffic mirroring

➢Traffic tapping

➢Integration with External DNS

Technical Value AddROUTING AND TRAFFIC

Technical

Business



Routing & Traffic

Identity & Security

Policy Enforcement

MTTR

Cost & Risk

Support & Expertise


➢Authorization with JWT

➢Authentication with mTLS

➢mTLS (client-server certificates SPIFFE)

➢White and black listing

➢RBAC

➢Aspen Mesh installed with security tied

down by default

Technical Value AddIDENTITY AND SECURITY

Technical

Business



Routing & Traffic

Identity & Security

Policy Enforcement

MTTR

Cost & Risk

Support & Expertise


➢Policy enforcement Istio global or per

namespace

➢Support for fine grained policy control

between ClusterOps and AppOps teams

➢Quota

➢RBAC

Technical Value AddPOLICY ENFORCEMENT

Technical

Business



Routing & Traffic

Identity & Security

Policy Enforcement

MTTR

Cost & Risk

Support & Expertise


Business Value AddMTTR – MEAN TIME TO RECOVERY / REPAIR / RESOLUTION

Technical

Business



Routing & Traffic

Identity & Security

Policy Enforcement

MTTR

Cost & Risk

Support & Expertise

➢ Aspen Mesh reduces MTTR for application, network and security issues


➢Setting up Istio yourself is complex and time

consuming

➢3 to 6 months by 2 FTEs for initial setup

➢Istio expertise is hard to find and expensive

(outsourced to external consultants)

➢Istio evolves and a full time job to stay up to

speed – OSS is always a risk

➢Aspen Mesh reduces ramp-up cost and risk

Business Value AddCOST AND RISK

Technical

Business



Routing & Traffic

Identity & Security

Policy Enforcement

MTTR

Cost & Risk

Support & Expertise


➢Working with Istio since v0.2.4 (Sept 2017)

➢Active contributors to Istio and Envoy and

participants in Istio Working Groups and TOC

➢Member of early disclosure lists for security

vulnerabilities (CVE) for Istio and Envoy

➢Custodians of the utility to validate the

configuration of Istio (Istio-vet)

➢We are silver members at Cloud Native

Computing Foundation (CNCF)

Business Value AddSUPPORT AND EXPERTISE

Technical

Business



Routing & Traffic

Identity & Security

Policy Enforcement

MTTR

Cost & Risk

Support & Expertise


DEMO TIME


MICROSERVICE GRAPH – VISUALISING TRAFFIC AND SECURITY ISSUES

Aspen Mesh Demo


TRY IT OUT

YOURSELF !!!


➢Contact your local F5 sales representative

➢https://aspenmesh.io

➢free registration and try out

➢documentation

➢Aspen Mesh University – 7 introduction videos

➢https://aspenmesh.io/service-mesh-university

➢Drop us an email at [email protected]

WHERE TO START?

Try it out yourself

https://aspenmesh.io/

https://aspenmesh.io/service-mesh-university

mailto:[email protected]

F5 corporate template · F5 Networks in the Container World ... MICROSERVICES USE MULTIPLE...

Documents

Transcript of F5 corporate template · F5 Networks in the Container World ... MICROSERVICES USE MULTIPLE...