Documente Academic
Documente Profesional
Documente Cultură
Martin Oravec
F5 System Engineer
m.oravec@f5.com +421 908 747633
Services and Applications in the Hybrid Cloud
F5 partnerships
Cloud Service Providers Managed Service Providers
© F5 Networks, Inc 2
Public Clouds
© F5 Networks, Inc 3
Public Cloud
Integrating with the Big Four
Now Coming
© F5 Networks, Inc 4
Public Cloud - marketplace
© F5 Networks, Inc 5
Simplify Protection of Apps in Azure
Integrated F5 WAF Solution For Azure Security Center
©©©2016
2016 F5 IncNetworks
F5 Networks
F5 Networks, 6 66
Automation & Orchestration
© F5 Networks, Inc 7
Traditional way
• Imperative – What we’ve done for years (design, HW install, networking,
configs, scripting, ...)
• Imperative methodology implies that you define the flow of an operation
implicitly. It also implies that domain-specific knowledge is required to
interact with the system.
© F5 Networks, Inc 8
Orchestration / Automation
• Declarative – What we’re evolving to. Declarative methodology implies
that you define the desired outcome and depend on underlying
mechanisms to deliver that outcome. This methodology tries to reduce or
eliminate the need for domain specific knowledge.
© F5 Networks, Inc 9
F5 Management and Orchestration Strategy
iApp Catalogue
Rest Proxy
iWorkflow 2.0 Enables programmatic management of many
BIG-IPs
BIG-IQ
© F5 Networks, Inc 10
iWorkflow 2.0
Control
Plane
Orchestrator or REST APIs/
iWorkflow
APIC, NSX Device F5 iApp
Package Catalogue
iApps
Data
Plane
HW (includes Viprion),
BIG-IP vCMP and VE
© F5 Networks, Inc 11
iWorkflow – Key Takeaways
© F5 Networks, Inc 12
Cisco ACI
Automation/Orchestration
© F5 Networks, Inc 13
F5 and Cisco ACI Integration Models
iWorkflow
Option B
Basic Integration
Basic – Service Insertion with BIG-IP Device Package
Option A
No integration
BIG-IP connects to ACI Option C
NOT Managed by APIC Enhanced Integration
Enhanced – Service Insertion with iWorkflow
© F5 Networks, Inc 14
Adding Application Intelligence to Cisco APIC
© F5 Networks, Inc. 15
NSX
Automation/Orchestration
© F5 Networks, Inc 16
NSX-v and F5 Service Insertion Architecture
iWorkflow
© F5 Networks, Inc 21
Really easy to deploy
and maintain
L4-L7 Network Services
+ = for Openstack:
Infrastructure &
Tenants
© F5 Networks, Inc 22
Openstack - Heat Architecture
THIRD-PARTY
KEYSTONE
NEUTRON
GLANCE
CINDER
TROVE
SWIFT
BIGIP
NOVA
© F5 Networks, Inc 23
LBaaSv1.0.10
Functionality Overview HA Pair HA Pair
F5 LBaaS Agent
Capacity Metrics
ScaleN Cluster ScaleN Cluster
Heat Throughput Total
Intelligent Load
(Orchestration) Throughput (in)
Capacity Policy
Throughput (out)
Placement
LBaaS API
Connections
Tenant
Capacity Measurement
CLI Tenants
Nodes
Route Domains
Horizon VLANs
Tunnels ScaleN VIPRION Cluster
(GUI) SSL TPS
Profile Count
API Scope
VIP / Pool / Pool members iControl ADC
Provisioning
ScaleN VIPRION Cluster
Health monitors (ICMP, TCP, HTTP, HTTPS)
Session persistence (Source IP, HTTP Cookie, App
provided cookie)
Method (Least connections, Round robin)
Statistics (Bytes in / out, Active connections, Total
connections)
F5 Extensions
Differentiated Environments (Production, Test or Dev)
© F5 Networks, Inc 24
Global Routed Mode
For Edge Routed Networks – Multi-Tenant from L4-L7 Only
• Simplest form of deployment.
• BIG-IP reaches its loads balanced via pre-configured routing.
• Each tenant can create LBaaS services and provide VIPs and Pool Members.
• Designed for environments, typically, without overlays, such as VXLAN or GRE.
VIP, pool and monitor CRUD.
iControl Multi-tenant.
LBaaS
Agent
VIPRION 4480
Compute Nodes
© F5 Networks, Inc 25
Layer 2 Adjacent Mode
BIG-IP with support for VLANs, GRE and VXLAN
• BIG-IP participates in the tenant VLAN or tunnel (using VXLAN or GRE).
• Automatic population with tunnel information when an LBaaS service is created for a tenant.
• Most typical use case for an SDDC.
Tenant Network Data
(Layer 2 Endpoints, SNI, Tunnel type etc)
VIP, pool and monitor CRUD.
iControl Multi-tenant.
LBaaS
OpenStack Agent
Controller
© F5 Networks, Inc 26
Simultaneous Support for Multiple LBaaS Services
Dev, Test and Production services in distinct BIG-IP Clusters
• Administrator defines an ADC “service” and maps it to Virtual or Physical BIG-IPs.
• Examples
• Development on Virtualized BIG-IP instances.
• Test on BIG-IP appliances.
• Production scale using VIPRION chassis.
• Or perhaps, for an all virtual environment, they map to BIG-IP VE 2Gbps, 5Gbps and 10Gbps.
© F5 Networks, Inc 27
Capacity-based Scale-out Capabilities
Assign LBaaS services intelligently to BIG-IP clusters
• Administrator defines mappings of ADC services to pools of BIG-IP resources.
• Active Capacity the measured using administratively definable metrics
• Throughput Total
• Throughput (in) capacity_policy =
• Throughput (out)
• Connections throughput:100000000
active_connections: 250000
• Tenants route_domain_count: 512
• Nodes tunnel_count: 2048o
• Route Domains
• VLANs
• Tunnel count Intelligent load assignment supports Sticky
assignments, such that normally a single tenant’s
• SSL TPS pools will be on a common BIG-IP group, unless the
• Profile Count limits in the policy are exceeded.
• Create customized loading formulas for specific needs
© F5 Networks, Inc 28
SDN vs VNF – Choosing the Right Tool for the Job
LBaaS deploys a load balancing network service Application infrastructure
© F5 Networks, Inc 29
Martin Oravec
m.oravec@f5.com
+421 908 747 633