10-Apr-2022 09:00 - edited 19-Apr-2022 14:12
In this article we show how to quickly deploy and operate external security services of your choice across multiple public clouds. This walkthrough uses the BIG-IP Advanced WAF (PAYG) offering; future articles will cover additional solutions.
F5's Distributed Cloud Security Service Insertion solution allows enterprises to deploy and operate external services of their choice across multiple public clouds.
Let's start with a real-world customer example. The enterprise has standardized on an external firewall in its private data center, and its network and security teams are very familiar with BIG-IP AWAF. They want to deploy the same security solution they use in the private data center in the public cloud.
The requirements are:
Customers have identified several challenges in moving to the cloud. First, teams that are very familiar with supporting services in their private data center usually do not have the expertise to design, deploy and support them in public clouds. If the same team is then tasked with deploying to multiple clouds, the gap widens: terminology, architecture, tools and constructs are all unique to each cloud.
Second, the operational models differ across clouds. In AWS you use either a VPC or a transit gateway (TGW), in Azure you use a VNet, and Google has VPCs.
Let's look at how F5’s Distributed Cloud Security Service insertion solution helps simplify and unify security solution deployments in multi-cloud and hybrid cloud environments:
Infrastructure-as-code: implementation and policy configuration can be automated and run as infrastructure-as-code across clouds and regions, so the same policies are repeatable in any major public or private cloud.
This walkthrough assumes you already have an AWS VPC deployed. Have the VPC ID handy.
You are presented with the dashboard, where you choose which deployment option to work with. We will be working with Cloud and Edge Sites.
This brings up the Services VPC Configuration page.
This takes you back to the previous screen, where you need to either create or select your cloud credentials. These are programmatic access credentials that allow API access to your AWS account, so treat them as secrets and grant them only the permissions the site deployment needs.
This takes you to the previous screen, where you connect your existing VPC to the Services VPC we are creating (have the VPC ID available).
Click Configure under VPC attachments.
This takes you back once again to the AWS TGW Site screen.
Your new Services VPC is now being deployed via Terraform.
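Before running through the attachment steps above, it is worth sanity-checking the inputs: the VPC IDs you will type in, and that the CIDR chosen for the Services VPC does not overlap the CIDRs of the VPCs you attach to the TGW (overlapping prefixes cannot be routed between attachments). The following pre-flight check is an added example, not code from the article or from F5; it assumes the Services VPC is given its own CIDR on the configuration page and that every attached VPC is routed through the same TGW, and the VPC IDs and CIDRs in it are constructed sample data.

```python
"""Pre-flight checks for attaching existing VPCs to a new Services VPC.

Added example; not part of the original article or F5's product code.
Assumption: the Services VPC has its own CIDR and all attached VPCs share
the TGW route table, so none of the prefixes may overlap.
"""
import ipaddress
import re
from typing import Dict, List

# AWS VPC IDs are "vpc-" followed by 8 (legacy) or 17 hex characters.
VPC_ID_RE = re.compile(r"^vpc-[0-9a-f]{8}([0-9a-f]{9})?$")


def valid_vpc_id(vpc_id: str) -> bool:
    """True if the string is a well-formed AWS VPC ID."""
    return bool(VPC_ID_RE.match(vpc_id))


def preflight(services_cidr: str, attachments: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the plan is clean.

    services_cidr: CIDR planned for the Services VPC (assumed to be set on
                   the Services VPC Configuration page).
    attachments:   mapping of existing VPC ID -> its primary CIDR.
    """
    problems: List[str] = []
    try:
        svc = ipaddress.ip_network(services_cidr, strict=True)
    except ValueError as e:
        # Nothing else is meaningful if the hub prefix itself is bad.
        return [f"services VPC CIDR {services_cidr!r} is invalid: {e}"]

    nets = []
    for vpc_id, cidr in attachments.items():
        if not valid_vpc_id(vpc_id):
            problems.append(f"{vpc_id!r} is not a well-formed VPC ID")
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as e:
            problems.append(f"{vpc_id}: CIDR {cidr!r} is invalid: {e}")
            continue
        if net.overlaps(svc):
            problems.append(
                f"{vpc_id}: {cidr} overlaps the services VPC {services_cidr}"
            )
        nets.append((vpc_id, net))

    # Attached VPCs are routed via the same TGW, so they must not overlap
    # each other either.
    for i, (id_a, net_a) in enumerate(nets):
        for id_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{id_a} ({net_a}) overlaps {id_b} ({net_b})")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: one clean spoke, one that collides with the hub.
    plan = {
        "vpc-0a1b2c3d4e5f60718": "10.0.0.0/16",
        "vpc-12345678": "10.100.64.0/18",
    }
    for problem in preflight("10.100.0.0/16", plan):
        print("PROBLEM:", problem)
```

Run it before filling in the VPC attachments form; any line printed is something the console will only tell you about after Terraform has already started.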
While that is deploying we will move on to the External Services.
For this article we select the F5 BIG-IP Advanced WAF (PAYG); future articles will cover additional solutions.
Service nodes
This will take you back to the original screen.
At the end, the external security service is deployed and you are taken to the list of all External Services.
From this screen you can access several items; the two I want to point out are the TGW stats and the BIG-IP you deployed, which you reach by clicking the Management Dashboard URL.
Here you can see fine-grained stats under all the tabs.
Going back, click the hyperlink to the BIG-IP if you wish to look at the configuration.
F5 Distributed Cloud Service Insertion automatically configured your BIG-IP with the following:
• Interfaces
• Self IPs
• Routes
• Management and credentials
• VLANs
• IP-in-IP tunnel between the Service Insertion site and the BIG-IP
• VIP
The following two items will need to be configured on your BIG-IP. This configuration
At the end of this step you can see traffic being diverted to the BIG-IP and inspected by it. Confirm this from the BIG-IP side as well, not only from the console: traffic should be arriving over the tunnel VLAN and the statistics on the automatically created VIP should be incrementing.
As you can see, F5 Distributed Cloud Security Service Insertion dramatically reduces the operational complexity of deploying external services in public clouds, improves the security posture, and increases productivity for operations teams such as NetOps, SecOps and DevOps.