Advance Load Balancers in containerized form can provide security and observability into traffic, improve application response time and lower down overall operational burden. In Kubernetes env East-West traffic security and access control between microservices is very important especially when it is done effectively without imposing a lot of cost overhead.

1. Reliable Security Always™
Security and Observability of
Application Traffic in
Kubernetes
Akshay Mathur
@akshaymathu

2. 2.
Multi Clouds Will be Dominant Deployment Model
71%
Multi
18%
PUBLIC
CLOUD ONLY
6%
PRIVATE
CLOUD ONLY
Source: RightScale State of the Cloud Report

3. GLOBAL HYBRID CLOUD MARKET
Asia Pacific region would exhibit the
highest CAGR of 25.3% during 2018 - 2025
Source: https://www.alliedmarketresearch.com/hybrid-cloud-market
Growing Industry Trend: Multi-Cloud

4. 4
NEW DE-FACTO STANDARDS:
Growing Industry Trend: Containers and Kubernetes
APPLICATIONS
Moving from Monolith to Micro Services
APPLICATION DEPLOYMENTS
Moving from Hardware Servers or
Virtual Machines to Containers
o Adopted by all industry major players
– AWS, Azure, Google, VMWare, RedHat.
o 10X increase in usage in Azure and GCP last year
o 10X increase in deployment last 3 years
o Deployment Size increased 75% in a year
Growing Kubernetes Adoption

5. 5
APP/IT
TEAMS
NEED
Speed Roll-out
Of Revenue-
Generating
Services
Team Agility
Self-Service
BUSINESS
NEEDS
Data Security
& Privacy
Protection For
Customers
Prevent
External Attacks
& Access Control
Between
Distributed
Microservices
Ease-of-
Operations &
Improved Team
Efficiency
Ensure
Excellent &
Consistent User
Experience

6. 6
Cloud Provider Is One Piece of The Ecosystem
They secure only Infrastructure - Application owners need to do their bit
AWS
Source: https://cloud.google.com/blog/products/containers-kubernetes/exploring-container-security-the-shared-
responsibility-model-in-gke-container-security-shared-responsibility-model-gke
Source :https://www.redhat.com/en/topics/security/cloud-security

7. OpenShift Shared Security Model
Secure
Container host
and platform on
any cloud
Secure container registry
Secure container deployments
Secure networking
Secure build pipeline

8. OpenShift Shared Security Model
Secure
Container host
and platform on
any cloud
Secure container registry
Secure container deployments
Secure networking
Secure build pipeline
App Svc App Svc App Svc App Svc App Svc
Load Balancing and Security
for North-South TrafficSecurity for East-West Traffic

9. 9
Real-world Challenges

10. 10
An E-Com Company: Access Control between Microservices
• Security and compliance require
monitoring traffic between
microservices
• In absence of policy
enforcement, this company
isolated clusters
Kubernetes Node
Kubernetes Node
Kubernetes Node
Kubernetes Node

11. 11
A FinTech Company: Access Control and Traffic Flow Visibility problem
• Separated microservices via
namespaces
• Controlled traffic flow via
application Gateway
Kubernetes Node Kubernetes Node
Kubernetes NodeKubernetes Node

12. 12
All Companies: Need to keep latency at minimum
• Multiple traffic handling layers
add its own latency
◦ IPS/IDS
◦ L7 LB
◦ Kube Proxy
Kubernetes Node

13. 13
A Media Service Company: Security Increased Cost of Operations
• Istio sidecar model was tried
for security implementation
• Sidecar model increased
resource requirement leading
to increased cost
Kubernetes Node

14. 14
All Companies: Need to Manage Security across Environments
• Not all workloads are in
Kubernetes
• Managing security separately
for each env was challenging
Public Private
Data
Center

15. 15
Security & Policy
Enforcement

16. Security is Required
One need to know how to embrace it
Security built into application Security provided by ecosystem

17. 17
Combine Traffic Handling and Security
Modern Approach:
Unified solution providing load
balancing as well as application
traffic security
Pros:
• Operational simplicity
• Better application
performance
Kubernetes Node
Traditional Approach:
Load Balancing and application
traffic security deployed
separately
Cons:
• Operational Complexity
• Increased latency

18. 18
For East-West Traffic
• Access control between
microservices
• Transparent encryption for traffic
between nodes
• Lower resource requirement as
compare to sidecar service mesh
model
• Application layer traffic visibility
and analytics
Node 1 Node 2
S1
S2

19. 19
For North-South Traffic
• Container-native load balancer for L7 traffic
routing (with ability to route traffic based
on any info in HTTP header)
• SSL offload
• Reduced application response time
• Web Application Firewall
• L7 DDoS protection
• Central management for load balancer
• Application layer traffic visibility and
analytics
Kubernetes Cluster

20. 20
More about the LB
• Deployed as DaemonSet
◦ Image on Docker Hub
◦ Uses host networking
• Based on NginX core
◦ 3rd party modules – ModSec, LuaJit
etc.
◦ Custom modules
• Connection Pooling
• Distributed Limit Enforcement
• Dynamic Upstream

21. 21
More about the Kubernetes Connector
• Deployed as K8s ‘Deployment’
◦ Image on Docker Hub
◦ One instance in a cluster
• Monitors Lifecycle of Containers
and Ingress Resource
• Calls APIs to update LB

22. 22
Policy Configuration
• Infrastructure as code
• Kubernetes Service aand
Ingress definitions are
extended via annotations
• Simple annotations to
configure policies

23. 23
Application Layer Visibility

24. 24
Descriptive Analytics
• Health Status
• Logs & Events
PERFORMANCE
MONITORING Diagnostic Analytics
• Per-App metrics
• Trend Analysis
FASTER
TROUBLESHOOTING Predictive Analytics
• Anomalies/Threats
• Correlation
INSIGHTS
Prescriptive Analytics
• Policy updates
• Behavior Analysis
ADAPTIVE
CONTROLS
Visibility, Analytics & Insights

25. 25.
Per-Service Visibility, Analytics & Reporting
o Comprehensive
metrics & logs
o View, monitor and
analyze
o Efficient
troubleshooting
o Generate custom
reports

26. 26.

27. 27.
A10 ADC: Per-app Visibility : End-to-End Latency
o Distinguish between application,
client and infrastructure issues
o Quickly identify consistent or
one-off glitch
o Pinpoint concerns and take
corrective action

28. 28.
Detecting And Blocking Application Attack

29. 29
Blue-Green through Advance Load Balancer
with control over user experience
• Split traffic based on any info in
HTTP header
◦ Browser, Device, OS
◦ Country, IP Network
◦ User Identification
• Move with Confidence
◦ Compare Before/After Metrics
• 1-click Roll-out or Roll-backA10 Lightning ADC Cluster
Harmony Controller
Harmony Portal
Version 1
Version 2

30. Offline Payment for Online Service – Blue-Green Roll-out At A Few Clicks

31. 31
Minimizing Cost of Operations
vs
Kubernetes NodeKubernetes Node
Sidecar Proxy Deployment Hub-Spoke Proxy Deployment
Resource intensive
Expensive TCO
Low overhead
Lower TCO

32. 32
Takeaways: Simplified and Improved Security & Analytics
• Simple Architecture
• Clear ‘Dev’ and ‘Ops’ separation
• ‘Config as code’ for automation
• Application Traffic Analytics for efficiency

33. 33
Thank You
@akshaymathu
amathur@a10networks.com
Skype: mathurakshay
Sample Config Files @ https://gist.github.com/c-success
Steps to try @ http://docs.hc.a10networks.com/IngressController/2.0/a10-ladc-ingress-controller.html

34. Thank You
Reliable Security Always™