Deploy an Auto-Scaled BIG-IP VE WAF in AWS
Today let’s look at how to create and deploy an auto-scaled BIG-IP Virtual Edition Web Application Firewall by using a Cloud Formation Template (CFT) in AWS. CFTs are simply a quick way to spin up solutions that otherwise, you may have to create manually. The idea behind this CFT is it is going to create BIG-IP VE instances for you. These instances function as a firewall in front of your application. Depending on the limits you specify, when more traffic is going to your application, new instances will launch…and when there is less traffic, instances will terminate. This solution has a few prerequisites: A Virtual Private Cloud (VPC) with at least two subnets, each in its own availability zone An AWS Elastic Load Balancer (ELB), which serves traffic to the BIG-IP VE instances An SSH key pair which you need to access the instances. I have these already created, so we’ll proceed to deploying the template. You have two choices on how you want to deploy. You can go to the AWS Marketplace and search ‘f5 waf’ or you can go to the F5 Networks GitHub site. GitHub usually has the latest and greatest, so we’ll use that. Click on the f5-aws-cloudformation spot. And then click Supported. And then click solutions/autoscale. Then waf. We scroll down a little bit and click Launch Stack. We click Next at the Select Template screen and fill out the template. When you get to the template, the Deployment Name will be appended to all the instances so you can tell which ones are yours. Since we already set up a VPC with two subnets in two zones (not regions), we’ll select those in the VPC ID field. The Restricted Source Address is available if you only want to allow specific IP addresses to your BIG-IP VE instances. Next is the AWS Elastic Load Balancer name, then choose your SSH key – which is needed to connect to the instances. And we’ll leave the defaults for the rest. Then you’ll get to the Auto Scaling Configuration section which is where you’ll determine when to create the new WAF instances. You’ll want to configure the Scale Up & Scale Down Bytes Threshold which will, obviously, determine when one gets launched/added and when it is removed. Under WAF Virtual Service Configuration, is where you’ll enter the application’s Service Port and DNS. In addition, if you wanted to automatically add application servers to the pool to have traffic will go to those without having to manually configure the BIG-IP, you can also add the Application Pool Tag Values which works great. Next choose your WAF Policy Level (low, medium, high) and click Next and Next. Also, click the check box with indicates that you have the appropriate credentials to set some IAM roles and create a S3 Bucket. Click Create and the CFT will start creating resources. This process can take about 15 minutes to complete and when it is done, you’ll get the CREATE_COMPLETE on your dashboard. The resources might be available right away but it is recommended to wait at least 30 minutes before digging into things. To see what the CFT created and confirm completion, go to: Services>EC2>Auto Scaling Groups. You can see that there is a BIG-IP VE instance created and added to the group. Also, be aware that the default for Scaling Policies is to wait 40 minutes to launch a new instance. You may want to adjust that to your preference. However, to be clear, AWS is always monitoring the traffic and want to know if you are exceeding the limits you’ve set. The Scaling Policies setting simply means that after one instance is launched – you hit the limit and one is up – AWS should wait 40 minutes (or whatever your value is) to launch another. It’ll keep going until you’ve hit the max number of instances specified. We put three. While in Services>EC2, you can also inspect the ELB and see that the BIG-IP VE instance is there and in service. Traffic is going through the Load Balancer and then to the BIG-IP VE, then to the application server. Lastly, let’s look at the list of instances in Services>EC2>Instances and the instances are there and ready to go! And then when there is too much traffic, another is added. Since the limit was exceeded, AWS has launched new instances, up to three. And when the traffic falls, the instance shuts down. That’s it! Easily scale your BIG-IP application security on AWS. Thanks to our TechPubs group and watch the video demo here. psLightboard Lessons: DNS Scalability & Security
The Domain Name Service (DNS) is one of the most important components in networking infrastructure, enabling users and services to access applications by translating URLs (names) into IP addresses (numbers). Because every icon and URL and all embedded content on a website requires a DNS lookup, loading complex sites necessitates hundreds of DNS queries. DNS lookups has exploded in recent years with mobile, IoT and the applications to support the growth. It is also a vulnerable target. In my first Lightboard Lesson, I show you how to scale, secure and consolidate your DNS infrastructure. ps Related: The Dangerous Game of DNS The DNS of Things Is 2016 Half Empty or Half Full?The IoT Ready Platform
Over the last couple months, in between some video coverage for events, I've been writing a series of IoT stories. From the basic What are These "Things”? and IoT Influence on Society to the descriptive IoT Effect on Applications and the IoT Ready Infrastructure. I thought it only fair to share how F5 can play within an IoT infrastructure. Because F5 application services share a common control plane—the F5 platform—we’ve simplified the process of deploying and optimizing IoT application delivery services. With the elastic power of Software Defined Application Services (SDAS), you can rapidly provision IoT application services across the data center and into cloud computing environments, reducing the time and costs associated with deploying new applications and architectures. The beauty of SDAS is that it can provide the global services to direct the IoT devices to the most appropriate data center or hybrid cloud depending on the request, context, and application health. Customers, employees, and the IoT devices themselves receive the most secure and fastest experience possible. F5's high-performance services fabric supports traditional and emerging underlay networks. It can deployed a top traditional IP and VLAN-based networks, works with SDN overlay networks using NVGRE or VXLAN (as well as a variety of less well-known overlay protocols) and integrates with SDN network fabrics such as those from Cisco/Insieme, Arista and BigSwitch among others. Hardware, Software or Cloud The services fabric model enables consolidation of services onto a common platform that can be deployed on hardware, software or in the cloud. This reduces operational overhead by standardizing management as well as deployment processes to support continuous delivery efforts. By sharing service resources and leveraging fine-grained multi-tenancy, the cost of individual services is dramatically reduced, enabling all IoT applications - regardless of size - to take advantage of services that are beneficial to their security, reliability and performance. The F5 platform: Provides the network security to protect against inbound attacks Offloads SSL to improve the performance of the application servers Not only understands the application but also know when it is having problems Ensures not only the best end user experience but also quick and efficient data replication F5 Cloud solutions can automate and orchestrate the deployment of IoT application delivery services across both traditional and cloud infrastructures while also managing the dynamic redirection of workloads to the most suitable location. These application delivery services ensure predictable IoT experiences, replicated security policy, and workload agility. F5 BIG-IQ™ Cloud can federate management of F5 BIG-IP® solutions across both traditional and cloud infrastructures, helping organizations deploy and manage IoT delivery services in a fast, consistent, and repeatable manner, regardless of the underlying infrastructure. In addition, BIG-IQ Cloud integrates or interfaces with existing cloud orchestration engines such as VMware vCloud Director to streamline the overall process of deploying applications. Extend, Scale - and Secure F5 Cloud solutions offer a rapid Application Delivery Network provisioning solution, drastically reducing the lead times for expanding IoT delivery capabilities across data centers, be they private or public. As a result, organizations can efficiently: Extend data centers to the cloud to support IoT deployments Scale IoT applications beyond the data center when required. Secure and accelerate IoT connections to the cloud For maintenance situations, organizations no longer need to manually redirect traffic by configuring applications. Instead, IoT applications are proactively redirected to an alternate data center prior to maintenance. For continuous DDoS protection, F5 Silverline DDoS Protection is a service delivered via the F5 Silverline cloud-based platform that provides detection and mitigation to stop even the largest of volumetric DDoS attacks from reaching your IoT network. The BIG-IP platform is application and location agnostic, meaning the type of application or where the application lives really does not matter. As long as you tell the BIG-IP platform where to find the IoT application, the BIG-IP platform will deliver it. Bringing it all together, F5 Synthesis enables cloud and application providers as well as mobile network operators the architectural framework necessary to ensure the performance, reliability and security of IoT applications. Connected devices are here to stay—forcing us to move forward into this brave new world where almost everything generates data traffic. While there’s much to consider, proactively addressing these challenges and adopting new approaches for enabling an IoT-ready network will help organizations chart a clearer course toward success. An IoT-ready environment enables IT to begin taking advantage of this societal shift without a wholesale rip-and-replace of existing technology. It also provides the breathing room IT needs to ensure that the coming rush of connected devices does not cripple the infrastructure. This process ensures benefits will be realized without compromising on the operational governance required to ensure availability and security of IoT network, data, and application resources. It also means IT can manage IoT services instead than boxes. However an IoT ready infrastructure is constructed, it is a transformational journey for both IT and the business. It is not something that should be taken lightly or without a long-term strategy in place. When done properly, F5-powered IoT ready infrastructure can bring significant benefits to an organization and its people. ps Related: The Digital Dress Code Is IoT Hype For Real? What are These "Things”? IoT Influence on Society IoT Effect on Applications CloudExpo 2014: The DNS of Things Intelligent DNS Animated Whiteboard The Internet of Me, Myself & I Technorati Tags: f5,iot,things,sensors,silverline,big-ip,scale,sdas,synthesis,infrastructure Connect with Peter: Connect with F5:IoT Effect on Applications
As more applications are needed to run those Things, traditional infrastructure concerns like scale and reliability will become paramount. Additional challenges with identity and access, improving the user experience, and the need for faster provisioning of services could overwhelm IT departments. A robust, scalable and intelligent infrastructure will be necessary to handle the massive traffic growth. IT professionals are tasked with designing and building the infrastructure that’s ready for the challenges that lie ahead, including IoT. But many of today’s traditional architectures will buckle under the increasing demand of all the connected devices. According to IDC, the rate at which applications double in the enterprise is every four years. This is likely to be cut in half as more IoT devices need applications supporting them and organizations need to be ready for the deluge. The Domain Name System (DNS) is the most likely method for connected devices to locate needed services, and it’s potentially the means by which people will locate the devices themselves. There might be other schemas in the planning process, but those would require the adoption of a new technology naming standard, which would be costly, slow and highly unlikely. Clearly, security must also be present since Iot has the potential to weave vulnerabilities throughout the system. Unless organizations remain proactive, the ubiquity of connected devices presents a gold mine for attackers. Outpacing attackers in our current threat landscape will require more resources in order to minimize risk. Organizations will need to continue to harden our own infrastructures and look to cloud services like DoS mitigation to lessen the effects of attacks. At the same time, the explosion of embedded devices may well be the event that drives more mainstream IPv6 adoption. There are several advantages to IPv6 such as a large namespace, address self-configuration, and the potential to remove Network Address Translation (NAT) problems. The data center will require some planning to embrace this shift. Components such as routers, firewalls, and application delivery controllers will need to be IPv6-ready, capable of understanding the protocols and data that devices will use to communicate. To ensure security, intelligent routing, and analytics, networking layers will need to be fluent in the language your devices use. Understanding these protocols within the network will allow traffic to be secured, prioritized, and routed accordingly. Recognizing and prioritizing these messages will enable better scale and manageability of the onslaught of device traffic and data. Intelligence will also be needed to categorize what data needs attention (like a health monitor alert) and what doesn’t (temperature is good). According to TechTarget, to ensure high availability of IoT services, enterprises must consider boosting traffic management and monitoring. This will both mitigate business continuity risks, and prevent potential losses. From a project planning standpoint, organizations need to do capacity planning and watch the growth rate of the network so that the increased demand for the required bandwidth can be met. ps Related The Digital Dress Code Is IoT Hype For Real? What are These "Things”? IoT Influence on Society CloudExpo 2014: The DNS of Things Intelligent DNS Animated Whiteboard The Internet of Me, Myself & I Technorati Tags: devices,f5,iot,m2m,security,sensors,silva,things,wearables,dns,applicatons Connect with Peter: Connect with F5:
Synthesis has expanded: What does this mean for service providers?
In recent blog posts by my colleague Lenny Burakovsky, the issues facing service providers (SPs) around mobile security were discussed. It’s something we’re speaking to operators about a lot as we help them figure out how to address the inherent security weaknesses in 4G networks. F5 followers will know that at the end of last year we announced our new Synthesis architecture, to promote the delivery and orchestration of software defined application services (SDAS) throughout data centre, cloud, and hybrid environments. While the challenges they’re facing aren’t dissimilar to those faced by businesses in other industries who have to deliver applications to users quickly and securely, service providers clearly have very specific needs, extremely demanding end users and operate in a rapidly changing market. So, just before Mobile World Congress starts, we were excited to announce that the benefits of Synthesis were being expanded specifically for service providers, focusing on enabling operators to optimise, secure and monetise services. What does this mean? Firstly, security is key. There are several reasons why security is weaker on LTE / 4G networks and I would suggest watching this video which explains why the network is facing scrutiny over security concerns. As F5’s research showed, if security isn’t improved quickly consumers will lose trust in their service providers and are at risk of leaving for an alternative provider. Annoyed customers equals lost customers equals lost revenues, so it’s a pressing issue, particularly when operators are spending billions on next generation networks. Synthesis is designed to protect end-user devices, networks, and cloud deployments with industry-leading performance and scale. It offers dynamic, intelligent security which is implemented at the network, session, and application layers, to give service providers a scalable and transparent solution. However, although security is extremely important, this is about more than just securing apps. The expansion of our architecture will enable SPs to optimise service offerings that generate new and enhanced revenue streams. For example, the Synthesis expansion will unleash broadband services for optimum performance. This will be done by giving providers an intelligent service chaining, dynamic policy enforcement, Diameter routing and interworking, and DNS functionality, which will drive performance levels and make for happy consumers. Another benefit will be the delivery of future-proof scale and extensibility for ultimate value. We will give organisations a multi-service platform that provides important network services, such as security, policy enforcement, local DNS, IPv6 migration, and content filtering, with additional granular control over traffic policies and steering provided by programmable iRules capabilities, which is an unrivalled offering. Importantly, the developments will also provide integration points with an ecosystem of technology partners. We pride ourselves on our seamless integration with technology partners in the next-generation service provider ecosystem, allowing us to fit in with the customer’s needs and allow for collaboration and joint offerings. So, as SPs expand the breadth of their offerings, and cater for increasingly demanding consumers using more data and more advanced devices, it's imperative that they can orchestrate many disparate services into a seamless delivery network. We can help them do this.
