Advanced load balancers in containerized form can provide security and observability for traffic, improve application response time and lower the overall operational burden.
In a Kubernetes environment, East-West traffic security and access control between microservices are very important, especially when they are achieved effectively without imposing a lot of cost overhead.
Multi-Cloud Will Be the Dominant Deployment Model
Chart: 71% multi-cloud, 18% public cloud only, 6% private cloud only.
Source: RightScale State of the Cloud Report
Growing Industry Trend: Multi-Cloud
Global Hybrid Cloud Market: the Asia Pacific region would exhibit the highest CAGR of 25.3% during 2018 - 2025.
Source: https://www.alliedmarketresearch.com/hybrid-cloud-market
Growing Industry Trend: Containers and Kubernetes
New de-facto standards:
• Applications: moving from monolith to microservices
• Application deployments: moving from hardware servers or virtual machines to containers
Growing Kubernetes adoption:
• Adopted by all major industry players – AWS, Azure, Google, VMware, Red Hat
• 10X increase in usage in Azure and GCP last year
• 10X increase in deployment in the last 3 years
• Deployment size increased 75% in a year
App/IT teams need:
• Speed roll-out of revenue-generating services
• Team agility
• Self-service
Business needs:
• Data security & privacy protection for customers
• Prevent external attacks & access control between distributed microservices
• Ease of operations & improved team efficiency
• Ensure excellent & consistent user experience
Cloud Provider Is One Piece of the Ecosystem
They secure only the infrastructure; application owners need to do their bit.
Figure: shared responsibility model (AWS)
Source: https://cloud.google.com/blog/products/containers-kubernetes/exploring-container-security-the-shared-responsibility-model-in-gke-container-security-shared-responsibility-model-gke
Source: https://www.redhat.com/en/topics/security/cloud-security
OpenShift Shared Security Model
• Secure container host and platform on any cloud
• Secure container registry
• Secure container deployments
• Secure networking
• Secure build pipeline
Diagram: application services (App Svc) across nodes; load balancing and security for North-South traffic, and security for East-West traffic.
An E-Com Company: Access Control between Microservices
• Security and compliance require monitoring traffic between microservices
• In the absence of policy enforcement, this company isolated clusters
Diagram: Kubernetes nodes in isolated clusters
A FinTech Company: Access Control and Traffic Flow Visibility Problem
• Separated microservices via namespaces
• Controlled traffic flow via an application gateway
Diagram: Kubernetes nodes
All Companies: Need to Keep Latency at a Minimum
• Multiple traffic handling layers each add their own latency:
◦ IPS/IDS
◦ L7 LB
◦ kube-proxy
Diagram: Kubernetes node
A Media Service Company: Security Increased the Cost of Operations
• The Istio sidecar model was tried for the security implementation
• The sidecar model increased resource requirements, leading to increased cost
Diagram: Kubernetes node
All Companies: Need to Manage Security across Environments
• Not all workloads are in Kubernetes
• Managing security separately for each environment was challenging
Diagram: public cloud, private cloud and data center
Security Is Required
One needs to know how to embrace it.
Security built into the application vs. security provided by the ecosystem
Combine Traffic Handling and Security
Modern approach: a unified solution providing load balancing as well as application traffic security.
Pros:
• Operational simplicity
• Better application performance
Traditional approach: load balancing and application traffic security deployed separately.
Cons:
• Operational complexity
• Increased latency
Diagram: Kubernetes node
For East-West Traffic
• Access control between microservices
• Transparent encryption for traffic between nodes
• Lower resource requirement compared to the sidecar service mesh model
• Application layer traffic visibility and analytics
Diagram: services S1 and S2 on Node 1 and Node 2
For North-South Traffic
• Container-native load balancer for L7 traffic routing (with the ability to route traffic based on any information in the HTTP header)
• SSL offload
• Reduced application response time
• Web Application Firewall
• L7 DDoS protection
• Central management for the load balancer
• Application layer traffic visibility and analytics
Diagram: Kubernetes cluster
More about the LB
• Deployed as a DaemonSet
◦ Image on Docker Hub
◦ Uses host networking
• Based on the NGINX core
◦ 3rd party modules – ModSec, LuaJIT etc.
◦ Custom modules
• Connection pooling
• Distributed limit enforcement
• Dynamic upstream
More about the Kubernetes Connector
• Deployed as a Kubernetes ‘Deployment’
◦ Image on Docker Hub
◦ One instance per cluster
• Monitors the lifecycle of containers and Ingress resources
• Calls APIs to update the LB
Policy Configuration
• Infrastructure as code
• Kubernetes Service and Ingress definitions are extended via annotations
• Simple annotations to configure policies
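To make the connector and annotation slides concrete, here is an added example (not A10's connector code) of how an Ingress resource carrying policy annotations can be translated into load-balancer configuration; the example.lb/ annotation keys and the policy names are assumptions, and the Ingress object is constructed inline rather than fetched from the Kubernetes API.

```python
# Added example, not A10's connector code: turn Kubernetes Ingress resources and
# policy annotations into load-balancer configuration. The 'example.lb/' keys are
# hypothetical, and SAMPLE_INGRESS is constructed inline rather than read via the API.
ANNOTATION_PREFIX = "example.lb/"
# Allowed values per policy; None means a positive integer (requests per second)
ALLOWED_POLICIES = {"waf": {"on", "off"}, "ssl-offload": {"on", "off"}, "rate-limit": None}

def parse_policies(annotations):
    """Translate annotations into a policy dict, failing closed on bad values."""
    policies = {"waf": "on", "ssl-offload": "on"}  # secure defaults
    for key, raw in annotations.items():
        if not key.startswith(ANNOTATION_PREFIX):
            continue  # annotations owned by other controllers are ignored
        name = key[len(ANNOTATION_PREFIX):]
        if name not in ALLOWED_POLICIES:
            raise ValueError(f"unknown policy annotation {key!r}")
        allowed = ALLOWED_POLICIES[name]
        if allowed is None:
            if not raw.isdigit() or int(raw) <= 0:
                raise ValueError(f"{key} must be a positive integer, got {raw!r}")
            policies[name] = int(raw)
        elif raw not in allowed:
            raise ValueError(f"{key} must be one of {sorted(allowed)}, got {raw!r}")
        else:
            policies[name] = raw
    return policies

def build_lb_config(ingress):
    """One LB virtual-host entry per Ingress path; upstream is the Service DNS name."""
    meta = ingress["metadata"]
    policies = parse_policies(meta.get("annotations", {}))
    vhosts = []
    for rule in ingress["spec"]["rules"]:
        for path in rule["http"]["paths"]:
            svc = path["backend"]["service"]
            vhosts.append({
                "host": rule["host"],
                "path": path["path"],
                "upstream": f"{svc['name']}.{meta['namespace']}.svc:{svc['port']['number']}",
                "policies": policies,
            })
    return vhosts

SAMPLE_INGRESS = {  # constructed, shaped like a networking.k8s.io/v1 Ingress
    "metadata": {"name": "shop", "namespace": "prod", "annotations": {
        "example.lb/waf": "on", "example.lb/rate-limit": "200"}},
    "spec": {"rules": [{"host": "shop.example.com", "http": {"paths": [
        {"path": "/cart", "backend": {"service": {"name": "cart", "port": {"number": 8080}}}},
        {"path": "/", "backend": {"service": {"name": "web", "port": {"number": 80}}}}]}}]},
}
```

Unknown annotation names or malformed values raise instead of being silently ignored, so a typo in a policy annotation cannot leave a service deployed without the intended WAF or rate limit.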
Per-Service Visibility, Analytics & Reporting
• Comprehensive metrics & logs
• View, monitor and analyze
• Efficient troubleshooting
• Generate custom reports
A10 ADC: Per-App Visibility: End-to-End Latency
• Distinguish between application, client and infrastructure issues
• Quickly identify consistent or one-off glitches
• Pinpoint concerns and take corrective action
Blue-Green through an Advanced Load Balancer, with Control over User Experience
• Split traffic based on any information in the HTTP header
◦ Browser, device, OS
◦ Country, IP network
◦ User identification
• Move with confidence
◦ Compare before/after metrics
• 1-click roll-out or roll-back
Diagram: A10 Lightning ADC cluster, Harmony Controller and Harmony Portal, routing to Version 1 and Version 2
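As an added illustration of the header-based traffic splitting on this slide (example code, not A10 Lightning ADC's own), the following routes each request to Version 1 or Version 2 from ordered rules on HTTP headers and client network, with a sticky percentage roll-out so before/after metrics compare the same users; the rule format and the X-Country and X-User-Id headers are assumptions.

```python
# Added example, not A10 Lightning ADC code: header-driven blue-green traffic
# splitting as on the slide. The rule format and the X-Country / X-User-Id headers
# are assumptions; the requests in REQUESTS are constructed samples.
import hashlib
import ipaddress

# Ordered rules, first match wins. 'percent' is the share of the matching cohort
# sent to the new version; the bucket is keyed on the user, so the split is sticky
# and before/after metrics compare the same users over time.
RULES = [
    {"header": "User-Agent", "contains": "Mobile", "version": "v2", "percent": 100},
    {"network": "10.20.0.0/16", "version": "v2", "percent": 100},  # internal testers
    {"header": "X-Country", "equals": "CA", "version": "v2", "percent": 20},
]

def _matches(rule, headers, client_ip):
    """Match a rule on client IP network or on an exact/substring header value."""
    if "network" in rule:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule["network"])
    value = headers.get(rule["header"], "")
    if "contains" in rule:
        return rule["contains"] in value
    return value == rule["equals"]

def _bucket(headers, client_ip):
    """Deterministic 0-99 bucket from the user id, falling back to the client IP."""
    key = headers.get("X-User-Id") or client_ip
    return int(hashlib.sha256(key.encode()).hexdigest(), 16) % 100

def choose_version(headers, client_ip, rules=RULES, default="v1"):
    """Return the application version ('v1' current, 'v2' new) for one request."""
    for rule in rules:
        if _matches(rule, headers, client_ip):
            if _bucket(headers, client_ip) < rule["percent"]:
                return rule["version"]
            return default  # in the cohort, but outside the roll-out share
    return default

REQUESTS = [  # constructed (headers, client_ip) samples
    ({"User-Agent": "Mozilla/5.0 (Linux; Android 13) Mobile Safari/537.36"}, "203.0.113.7"),
    ({"User-Agent": "curl/8.0", "X-Country": "CA", "X-User-Id": "u-1001"}, "198.51.100.3"),
    ({"User-Agent": "curl/8.0"}, "10.20.5.9"),
    ({"User-Agent": "curl/8.0", "X-Country": "DE"}, "198.51.100.4"),
]

if __name__ == "__main__":
    for headers, ip in REQUESTS:
        print(ip, "->", choose_version(headers, ip))
```

Rolling back is a matter of setting the new version's percent to 0 or removing its rules, which is what a 1-click roll-back on the load balancer amounts to.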
Let’s take a look at some of the struggles and business challenges IT experts and CISOs are dealing with on a daily basis:
The average enterprise is running applications in at least 5 clouds. That represents quite a complex application networking and security environment.
According to a recent survey by 451 Research, 71% of enterprises are either using or evaluating container orchestration options like Kubernetes and Docker.
On the other hand, according to a study by Ponemon, 65% of all security issues are due to human error and inadequate in-house security expertise.
The Ponemon Institute recently published a study in which 79% of enterprises lack a comprehensive DDoS attack and mitigation strategy.