In our first article we touched upon the nature of F5 BIG-IP Cloud Edition and some of its features and advantages. The idea behind this article is to provide more detail on how the product functions and how it can be used to improve everyday business operations.
Let us again refer to the figures from the F5 State of Application Delivery Report stating that 36% of organizations plan to protect less than a quarter of their applications. It is common to think that only the most at-risk and important applications have to be secured, but that isn't really true. Every application has inherent vulnerabilities that add to the organization's security risk by its very existence. Many applications are interlinked, meaning that a security flaw in a single application may also present a security issue for the applications that depend on it.
User-facing applications are considered critical and are thought to carry the highest security risk. However, such applications depend on other applications in order to function as designed, which adds further risk to the entire system. These interdependency layers between applications create an ideal opening for various malicious activities, such as:
- Data exfiltration
- East-west network traversal
- Island hopping attacks
Architecture of BIG-IP Cloud Edition
F5 BIG-IP Cloud Edition is made up of two infrastructure components: specially licensed BIG-IP Per-App Virtual Editions, one for each application, and F5 BIG-IQ Centralized Management, which provides management, visibility, and licensing services across all virtual instances. Auto scaling is available in Amazon Web Services (AWS) and VMware vCenter environments. BIG-IP Cloud Edition requires BIG-IP 13.1.0.5 or higher and BIG-IQ version 6.0.
BIG-IP Cloud Edition is built on several key logical components as shown in the following figure:
Cloud service providers
BIG-IP Cloud Edition currently supports deployment and auto scale on the following cloud platforms:
- Amazon Web Services (AWS)
- VMware vCenter-based private cloud environments
Support for additional public and private cloud environments is planned for future releases.
Application templates
Application templates define the deployment and security options applied to each application, including all BIG-IP objects such as virtual servers, profiles, monitors, SSL certificates and security policies. They also define monitoring and alerting for events specific to that application. Templates can be created by the system administrator; application owners then use them for faster deployments and monitor and manage their applications from the BIG-IQ dashboard. In addition, BIG-IQ ships with a set of predefined templates for the most common applications.
Service scaling groups
As already mentioned, auto scaling works in AWS and VMware vCenter environments. The system administrator takes advantage of it by creating a service scaling group, which lets BIG-IQ manage the availability and scaling of resources as well as the upgrade process for the BIG-IP devices in the group.
License management
With BIG-IP Cloud Edition, licensing of virtual instances is handled automatically by BIG-IQ. Licenses are pooled in groups so that BIG-IQ can activate or deactivate the license of an individual virtual instance as needed.
Application performance visibility
BIG-IQ collects analytics data on application and infrastructure performance and displays it visually on the dashboard. This visibility helps application owners monitor their application and its performance, and identify possible problems and the causes of delays.
Granular access control
BIG-IQ provides granular access control within BIG-IP Cloud Edition to ensure that everyone has access to what they need, no more, no less: application owners can use templates created by the NetOps or SecOps teams, while system administrators retain control over the network and the system.
Let’s look at one example of roles and tasks:
- SecOps team can create a library of security policies covering most commonly used applications and deployment scenarios
- NetOps team then builds application templates that are attached to these security policies
- NetOps team is also responsible for creating service scaling groups and performing basic device administration and management tasks
- The application teams take advantage of all created templates to publish their applications and select a service scaling group whose resources will be consumed by the application
BIG-IP Per-App VE
BIG-IP Per-App is a BIG-IP instance with a special licensing model, designed to provide services dedicated to a single application. All features and functions of the BIG-IP software are available, with specific limitations:
- Single virtual IP address
- Three virtual servers (a combination of a virtual address and a listening port)
- 25 Mbps or 200 Mbps throughput
- There are two software module options available: BIG-IP Local Traffic Manager and F5 Advanced WAF
How many BIG-IP Per-App VEs do I need?
As mentioned in the previous section, there are two kinds of limitation on a BIG-IP Per-App VE instance:
- Number of objects
- Throughput
Unlike more traditional environments, BIG-IP Per-App VEs are generally deployed in an all-active configuration, with a traffic management device in front of them taking care of high availability and scaling. This generally means more usable throughput per VE instance than with active/standby hardware devices, where spare capacity must be kept idle for failover. BIG-IP Per-App VEs are available in 25 Mbps and 200 Mbps throughput models and are designed to scale out using service scaling groups.
Before selecting licenses, consider the following:
- Determine the required throughput, possible growth and volatility for each application
- Select the 200 Mbps license where throughput is the main requirement, as it means fewer VE instances to run and manage
- For smaller or more fine-grained requirements, the 25 Mbps license is more appropriate
- License types can be mixed and matched within the same environment; however, a single application can use only one license type
When talking about application volatility, we primarily mean the volatility of resource requirements. Scaling event thresholds are based on the throughput, CPU and memory load of the busiest device in a service scaling group, measured every 5 minutes. Each new VE instance takes some time to become active, so the existing instances must be able to absorb approximately 20 minutes of maximum expected growth on their own.
Too many people at the party
We are often faced with one of two scenarios in an organization:
- A lack of the services and technologies needed for efficient deployment and application security
- A large number of different services and applications that are used sparingly or not at all
Neither scenario is good: applications should always have all the services and technologies they need at their disposal in order to function properly, no more, no less. As it turns out, this is not that simple. For example, consider the workings of a webshop. Throughout the year there is a continuous inflow of users. However, the number of users may increase rapidly during the holidays or during special promotions and discounts, creating a need for more application resources. This is an ideal scenario for F5 BIG-IP Cloud Edition, which provides auto scaling of application services through BIG-IQ:
- BIG-IQ monitors application operation and performance
- It compares this data with key parameters such as application response time, CPU threshold, memory load and utilized bandwidth
- Administrators of specific systems can easily identify anomalies or determine when it is necessary to add more resources based on CPU/memory load and utilized bandwidth
- Resources are added or removed automatically based on predefined volatility thresholds
- There is no need to manage licenses, because BIG-IQ applies a license when a new instance is required and returns it to the license pool when the instance is no longer needed
What does all of this really mean? When the thresholds show that more resources are needed, BIG-IQ can automatically activate an additional VE instance so that the application continues to be served without interruption, and later deactivate that instance when resource use returns to normal. All of this is done on a per-app basis, so one application's scaling never interferes with other applications and their allocated resources.
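To make the sizing rules from the previous section and the scaling loop described here concrete, the following Python model is an added example and not F5 or BIG-IQ code. It encodes only what the article states (two license tiers, one tier per application, 5-minute sampling, decisions driven by the busiest device in the group, roughly 20 minutes for a new VE to become active); the 80%/30% thresholds, the "any metric over the limit scales out, all metrics under the limit scale in" rule, the license-recommendation rule and the sample readings are assumptions constructed for the example.

```python
"""Toy model of BIG-IP Cloud Edition sizing and service-scaling-group decisions.

Added example, not F5 code: threshold values, the metric-combination rule and
the sample readings below are assumptions; only the tiers, the 5-minute
sampling, the busiest-device rule and the ~20-minute lead time come from the
article.
"""
from dataclasses import dataclass
from math import ceil

LICENSE_MBPS = {"25M": 25, "200M": 200}  # Per-App VE throughput models
SAMPLE_INTERVAL_MIN = 5                  # BIG-IQ samples load every 5 minutes
SCALE_OUT_LEAD_MIN = 20                  # growth the running VEs must absorb while a new one starts


@dataclass(frozen=True)
class Sample:
    """One 5-minute reading from one VE in a service scaling group (constructed)."""
    device: str
    throughput_mbps: float
    cpu_pct: float
    mem_pct: float


def plan_instances(baseline_mbps: float, growth_mbps_per_min: float, tier: str) -> int:
    """VEs needed so steady load plus 20 minutes of growth fits the chosen tier."""
    peak = baseline_mbps + growth_mbps_per_min * SCALE_OUT_LEAD_MIN
    return max(1, ceil(peak / LICENSE_MBPS[tier]))


def recommend_license(baseline_mbps: float, growth_mbps_per_min: float) -> dict:
    """Compare both tiers for one application (a single app uses one tier only)."""
    counts = {t: plan_instances(baseline_mbps, growth_mbps_per_min, t) for t in LICENSE_MBPS}
    # Assumed rule: stay on 25M only while a single 25M VE covers the peak.
    chosen = "25M" if counts["25M"] == 1 else "200M"
    return {"instances": counts, "recommended": chosen}


def utilisation(sample: Sample, tier: str) -> dict:
    """Express all three metrics as percentages of the VE's capacity."""
    return {
        "throughput": 100.0 * sample.throughput_mbps / LICENSE_MBPS[tier],
        "cpu": sample.cpu_pct,
        "mem": sample.mem_pct,
    }


def busiest(samples: list, tier: str) -> Sample:
    """The device whose hottest metric is highest drives the decision."""
    return max(samples, key=lambda s: max(utilisation(s, tier).values()))


def decide(samples: list, tier: str, current_instances: int, min_instances: int = 1,
           scale_out_pct: float = 80.0, scale_in_pct: float = 30.0) -> str:
    """Return 'scale_out', 'scale_in' or 'hold' for one 5-minute interval.

    Assumed rule: any metric at or above scale_out_pct on the busiest device
    scales out; scale in only when every metric on the busiest device is at or
    below scale_in_pct and the group is still above its floor.
    """
    if not samples:
        return "hold"
    hot = max(utilisation(busiest(samples, tier), tier).values())
    if hot >= scale_out_pct:
        return "scale_out"
    if hot <= scale_in_pct and current_instances > min_instances:
        return "scale_in"
    return "hold"


# Constructed readings for a two-VE service scaling group on the 200M tier.
PROMO_PEAK = [Sample("ve-1", 172.0, 64.0, 51.0), Sample("ve-2", 130.0, 55.0, 49.0)]
QUIET_NIGHT = [Sample("ve-1", 30.0, 18.0, 25.0), Sample("ve-2", 22.0, 15.0, 24.0)]
NORMAL_DAY = [Sample("ve-1", 90.0, 40.0, 45.0), Sample("ve-2", 84.0, 38.0, 44.0)]

if __name__ == "__main__":
    print(recommend_license(baseline_mbps=300, growth_mbps_per_min=5))
    for name, batch in [("promo", PROMO_PEAK), ("quiet", QUIET_NIGHT), ("normal", NORMAL_DAY)]:
        print(name, decide(batch, "200M", current_instances=2))
```

Running it shows the two decisions a planner cares about: a webshop with a 300 Mbps baseline that grows 5 Mbps per minute during a promotion needs two 200 Mbps VEs (or sixteen 25 Mbps ones) to ride out the 20-minute start-up window, and the same group scales out on the promotion readings, scales in on the quiet readings, and holds on an ordinary day. Because the decision is keyed on the busiest device rather than the group average, one saturated VE triggers a scale-out even when its peer is idle.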
And all your guests are happy.
Why choose BIG-IP Cloud Edition?
BIG-IP Cloud Edition delivers the power, security, and flexibility of F5 products in a new format: a per-app platform that scales in both directions on demand, where security teams create security policies and network teams attach those policies to application deployment templates. This approach lets application owners deploy and monitor their applications more quickly and easily.
The end result is a highly flexible and scalable solution that lets each team inside your organization carry out its own tasks, contributing to higher productivity and efficiency, increased performance, availability and security for all applications, and satisfied end users.
Contact us with any questions you might have about BIG-IP Cloud Edition and its implementation.