Build a Unified Application Delivery Architecture for Your Data Center and Cloud

Introduction

The pace of the digital economy is speeding up, which means businesses must compete to deliver new services both rapidly and at scale. This requirement has driven organizations to adopt new ways of creating, deploying, and managing applications, which in turn has led to new working practices, new application architectures, and a completely new category of IT infrastructure: the cloud.

While the speed and agility promised by cloud architectures are critical for some applications, the need for stability and resiliency of the core services that underpin business operations remains constant, as does the need for governance and risk management. These competing necessities have split IT between modes of operation and working practices, dividing systems that prioritize stability from those that prioritize agility.

At the heart of this divide seems to be the supposition that these two paradigms are irreconcilable, but what if that were not true? F5 has a unified vision for the provision of services, one that ensures that applications of all kinds stay secure, fast, and highly available.

The Problem of Fractured IT

The current division in IT delivery has arisen from the needs of applications and the business they support.

On one side, monolithic applications run on servers (physical or virtual), while relational databases hold data. Application delivery controllers manage application traffic, which is protected by firewalls. The underlying systems are mutable and usually multi-tenant. Changes to these systems are less frequent, and they’re often managed through a ticketing system, change board, and maintenance window followed by a handcrafted or lightly scripted configuration change.

This method of IT operation prioritizes security, stability, and ease of problem solving over agility. Service control is in the hands of IT operations groups, which are separate from developers or line-of-business owners, who are the consumers of IT services.

At the other end of the spectrum are teams, applications, and infrastructures designed for rapid change. Monolithic servers are decomposited into a loosely bound collection of services running on virtualized servers or lightweight containers—or simply executed on demand by an underlying, but essentially invisible, infrastructure. Applications are updated frequently and then deployed and redeployed rapidly in a system of continuous delivery and continuous integration.

The deployed objects that make up the applications are immutable: Changes to these systems are frequent but managed by changing code that describes the infrastructure and applications and then by redeploying that code. A system of automated testing—or rapid monitoring and rollback—replaces the change board.

While these two modes of IT operation both serve the needs of their applications, the gap between them prevents the most useful aspects of each modality from benefiting the other.

A more useful architecture might allow the values of stability, security, and performance to be delivered to these new-style, agile applications, enabling more automation, standardization, and speed to be injected into traditional application deployments. This better architecture enables core application delivery components to be managed by an expert team but made accessible to the application teams by whatever interface they require, delivering benefits to IT and the business.

The F5 Architectural Vision

The F5 architectural vision lays out the framework and the components that enable organizations to deliver a consistent layer of application services across the IT landscape. These services provide application security, availability, and performance, and they can be deployed reliably anywhere they are needed. Cloud platforms such as OpenStack, Amazon Web Services, or Microsoft Azure can deploy these application services using the native tools of the system. Applications can be deployed from templates for repeatability or via individual API calls to build a bespoke service. A software-defined networking (SDN) infrastructure, such as Cisco ACI or VMware NSX, can access these services as part of its own network provisioning processes.

The processing power for these services will come from a range of platforms: cloud-based services, high-capacity hardware, virtualized appliances, and a new generation of distributed, lightweight proxies all managed seamlessly and intuitively by consolidated software. And while application delivery services process traffic, they can also provide rich telemetry and visualization services to help better manage applications and infrastructure.

This F5 architectural vision has six key components:

• Application delivery services
• Service delivery platforms
• Service delivery templates
• Integration systems
• Management systems
• Visibility and insight systems

This model does not assume that every user interacts with the architecture in the same way. As a working practice, DevOps will continue to use infrastructure-as-code methods, effecting change through updating templates and redeploying immutable objects. More traditional IT services can still make changes through GUI, CLI, or scripts. The underlying architecture simply delivers the right services to the applications, irrespective of their mode of operation or their location. This model works across all compute resources, private cloud, public cloud, or more static IT infrastructures.

Application delivery services

Application delivery services keep applications secure, fast, and available. These key services are the heart of the F5 architectural vision. The rest of the architecture is simply there to deliver the right services to the right application and then to provide visibility into application and network performance.

F5 products provide a full spectrum of advanced application delivery services designed to provide scalability, availability, and multi-layered security to all kinds of application traffic. From simple load balancing of UDP packets to advanced inspection of HTTP requests or providing federated identity services for access control, F5 application delivery services are the widest and most comprehensive in the industry.

F5 application delivery services can be extended using fully application-traffic-aware data and control plane programmability features. F5® iRules®, F5 iRules® LX, and F5 iCall® offer programmatic control of application data and service configuration. This control can be used to quickly mitigate new application security vulnerabilities, provide A/B testing services, or modify application behavior.

Service delivery platforms

Application delivery services are provided by F5 software running on one of a number of service delivery platforms, including physical F5 BIG-IP® hardware devices, software appliances, lightweight proxies, or the F5 Silverline® cloud-based application services platform.

F5 BIG-IP and F5 VIPRION® hardware platforms

All BIG-IP hardware platforms are purpose-built for performance and scalability, offering robust multi-tenancy and carrier-grade reliability. The latest generation of the BIG-IP platform—the BIG-IP® iSeries—takes another step forward. In addition to providing markedly better performance, iSeries platforms are equipped with a number of unique features that position the platform at the heart of the organization's application delivery needs and serve as a foundational bridge between traditional IT models and private cloud deployments.

FPGA performance profiles

F5 hardware has always been designed to deliver exceptional application delivery performance by combining specialized hardware with industry-leading CPUs and memory. While this delivered great all-around performance, the model was essentially static, with a fixed set of hardware capabilities and features.

With its (patent pending) F5 TurboFlex™ performance profile technology, the BIG-IP iSeries breaks free of these constraints. F5 platforms now deliver in hardware the same features that solutions based on F5 TMOS® have always provided in software. This new hardware agility provides F5 customers with enhanced functionality, flexibility, and investment protection.

TurboFlex technology allows customers to choose the mix of wire-speed hardware offload for functions such as the following:

• Network virtualization and overlay protocol processing (such as VXLAN and GGRE tunneling)—increasing traffic processing capacity
• UDP traffic processing—increasing throughput and reducing both latency and jitter, and therefore improving VOIP or streaming performance
• DDoS mitigation—hugely increasing the attack size that can be absorbed

BIG-IP iSeries systems can adapt their hardware capabilities to the TMOS software modules used, and organizations can add hardware features and functionality as they become available via BIG-IP system updates.

SSL decryption (including ECC) in hardware

With the next generation of dedicated SSL decryption components, even advanced cipher suites using curve Diffie-Hellman key exchange for elliptical curve cryptography (ECC) are offloaded from the CPU. Handing off SSL key exchange to dedicated hardware both increases overall SSL connection capacity and frees the system CPU to perform more complex application delivery tasks, such as inspecting client requests for injection attacks or optimizing outbound server traffic.

Advanced software platforms

The virtual editions of BIG-IP products offer all the same application delivery services as the physical BIG-IP appliances in a platform that is available on every leading hypervisor, as well as in most public and private clouds. BIG-IP virtual editions offer flexible licensing options, including utility, license pooling, and pay-as-you grow licensing.

With the same service capabilities, consistent policies and practices can be deployed throughout the enterprise—from applications that are spun up in minutes and may only last hours to critical applications that provide foundational services (such as ERP or finance).

In cases where heavy SSL traffic might tax the underlying hypervisor infrastructure, the computationally intensive SSL key exchange process can be offloaded from BIG-IP virtual editions to a BIG-IP hardware platform, improving the overall capacity of a private cloud.

Lightweight software platforms

For applications that require simple traffic management, a lightweight proxy can provide low-cost load balancing services with a small footprint. Management of traffic to microservices components and east-west API traffic are particularly common use cases for this technology, especially when combined with more advanced application services for client to server application traffic.

While there are a number of point solutions available, a better option would be a lightweight platform designed to fit into an organization’s overall architecture. In the F5 architectural vision, the same deployment methods used to provision more advanced application delivery services will be used to create lightweight services. Telemetry and logging from all application delivery components will feed into a common aggregation point, where data will be normalized and events correlated.

Cloud services

The cloud-based F5 Silverline platform offers distributed denial-of-service (DDoS) mitigation, a web application firewall, and threat identification services to enhance the security and availability of applications. Managed by experts in the F5 Security Operations Center, Silverline services deliver protection for Internet-facing applications, no matter where they are hosted. These services are provided from a number of high-capacity data centers distributed across the globe, offering the resilience and capacity to absorb both high-volume network layer attacks and more complex, application-layer denial-of-service or compromise attempts.

Hybrid architecture

Particularly in traditional data center and private cloud designs, a multi-tier architecture can enhance capacity, scalability, and specificity.

• In the cloud, F5 Silverline services offer massive capacity to absorb DDoS attacks and scrub traffic of malicious content.
• At the edge of the network, high-capacity, multi-tenant hardware deals with network firewalling, SSL decryption, access control, and network optimization.
• Close to the application, specific tasks such as web application firewalling, load balancing, and content routing can be fulfilled by software-only platforms that service a single or a low number of applications tied to an organizational unit. Where SSL decryption closer to the app is needed, SSL key exchange can be offloaded back to the edge hardware.

Service templates

Templates save time, ensure consistent deployments, and reduce the operational risk of manual deployments by codifying standard configuration elements for a particular service, exposing only a limited number of site or application-specific options at the time of deployment. Many F5 customers have reported that it only takes a relatively small number of templates to build a catalog capable of deploying the majority of their applications. Each time an application delivery service is deployed from a template, key configurations are set to the organization’s best practices, which can be particularly useful for activities such as SSL cipher suites and traffic logging.

Service templates also allow complex application delivery services to be deployed simply and with a small number of API calls. When templates are used, the orchestration engine or configuration management tool simply requests an instance of that application type and then supplies the values required by the template. Even deploying a complex configuration—including load balancing, web application firewall services, and advanced logging—can be accomplished with a single API call. Compare this with the API calls (or GUI clicks or CLI commands) required to set these services up from scratch. The F5 iApps® service template bridges the needs for operational simplicity and a rich suite of application delivery services.

Integration systems

To accelerate the deployment of applications and services, and reduce the operational risk of manual deployments, application delivery services must integrate seamlessly with automation or configuration management systems. What integration components organizations require will depend on their chosen platforms (public cloud, private cloud, or virtualized data center) and the tools they choose to manage the infrastructure. F5 integration systems plug the power of the BIG-IP platform into any environment, empowering organizations to deploy application delivery services with the same tools they use to deploy the rest of the infrastructure stack.

iControl

F5 iControl® is a RESTful API that enables the control and configuration of BIG-IP platforms. Most integration systems use this API to make configuration changes and deploy new services. With the massively functional and highly configurable BIG-IP platform, the native API can become both extensive and complex. Some of the integration tools expose a simpler API or software development kit (SDK) to streamline operations. When combined with iApps service templates, these simplified APIs can still deliver a full range of F5 application delivery services.

iWorkflow

F5 iWorkflow™ is a multi-tenant platform that streamlines the deployment and configuration of BIG-IP platforms and services into any environment. Using a configurable library of iApps service templates, iWorkflow can cut the deployment times of application services from days or hours to minutes. iWorkflow can manage the deployment, licensing, and provisioning of new BIG-IP virtual editions, as well as the deployment of new services on existing BIG-IP platforms.

With a multi-tenant design and role-based access, iWorkflow gives application owners control over only their assigned applications and associated services. Tenants can deploy complex configurations using their assigned iApps service templates without having to perform complicated configuration procedures.

iWorkflow connects with other systems via a simple API, and it also offers connectors for selected management and orchestration systems, including Cisco ACI and VMware NSX. Custom integration into other systems is available through a well-documented SDK, which will become a key way for configuration management tools such as Puppet and Chef to deploy F5 application delivery services.

OpenStack drivers and plug-ins

OpenStack, an open-source software platform used to deliver cloud-computing services, is a popular way to deliver Infrastructure as a Service (IaaS) in private and public clouds. F5 offers integration into OpenStack through both the Load Balancing as a Service (LBaaS) component of the OpenStack Neutron networking service and by providing a plug-in for the Heat orchestration service.

With LBaaS, simple load balancing services can be configured using the Neutron AI or CLI (or via the Horizon GUI) on BIG-IP physical or virtual platforms. Although the load-balancing configuration options are simple, the power of the BIG-IP platforms enables huge scalability and consolidation of services, improving the overall scalability of OpenStack deployments.

With integration into Heat, templates can be used to deploy and configure BIG-IP instances for individual tenants or onto a consolidated multi-tenant BIG-IP platform. Heat templates allow more complex configurations, including advanced application services such as application firewalling and access management. F5 iApps service templates again simplify deployments by encoding complex actions in a reusable template.

Container management and service discovery

As container technology becomes more commonplace, the need to manage the lifecycle of containers to avoid unnecessary sprawl and wasted resources is growing. Once the lifecycle is under the control of a management framework (such as Kubernetes or Marathon), not only can the containers themselves be better managed, but essential components such as application delivery services can be automated, too.

In the F5 architectural vision, application delivery services will become tightly integrated with the container management services. When a container is provisioned, application delivery services will be provisioned concurrently. Actions might range from something as simple as placing the new container into a load balanced pool to adding a full suite of application delivery services for a new application. Data regarding traffic going to that container will feed into visibility and insight systems. When the container is retired, the associated services will be retired.

Public cloud integration with templates

Public cloud IaaS platforms like Microsoft Azure and Amazon Web Services all offer robust template systems. Organizations can download sample F5 templates for integration with Amazon via AWS CloudFormation Templates on Github. Similarly, Azure Resource Manager (ARM) templates and PowerShell commands are available for integration with Microsoft Azure.

Platform management systems

Platform management systems cut administration overheads by providing tools to manage, monitor, and upgrade BIG-IP systems.

F5 BIG-IQ® Centralized Management gives organizations the tools to manage F5 solutions more efficiently. It works across physical and virtual devices and offers central management and reporting of the BIG-IP platform and software modules.

BIG-IQ Centralized Management can manage hundreds of BIG-IP devices, allowing administrators to complete common tasks from a single pane. Using an intuitive GUI, tasks such as configuration backups, code upgrades, policy updates, and license management become simple and operationally efficient.

A key function of BIG-IQ Centralized Management is distributing security policies and profiles across an estate of F5 platforms, which centrally ensures that when an iApps service template requires a defined security policy, it will exist on all devices in the environment.

Systems for visibility and insight

Analytics and reporting have become essential features of cloud and hybrid architectures, often driven by the utility cost model that relies on measurement and variable billing. F5 service delivery platforms see all application traffic as it passes through the proxy architectures, putting them in the position to be robust analytics tools or powerful sensors. F5 systems can create custom log profiles to monitor almost any application traffic parameter and then log these details at scale.

Conclusion

The F5 architectural vision provides organizations with a map for how to deploy consistent application services across all areas of the IT domain—using whatever method is appropriate for the business’s varied operations. The F5 application delivery services incorporated into this vision are designed to bring security, availability, and performance to all applications—from the most static and carefully managed systems to the most mercurial consumer application. Whether these applications are in a public cloud, a private cloud, or running on dedicated physical servers, F5 application delivery services should be available and, just as importantly, deployed in the same way as the rest of the infrastructure components. Although the development, location, and deployment models may change, the fundamental service needs of the application are unchanged. By following the F5 architectural vision, customers can take advantage of these services while accessing all of the best features of each deployment style, across the spectrum, with none of the drawbacks.