
Enhanced Security & Visibility in Microservice Based Architecture

Phil Huang
August 31, 2019

Presented at SDN x Cloud Native Meetup #19
https://www.meetup.com/CloudNative-Taiwan/events/263353256/

The talk discusses the practical challenges a DevOps team may face, for example:

- Latency in a microservice-based architecture
- A single management platform for east-west and north-south network traffic
- Layer 4-7 traffic visibility and analytics for deployments across cloud environments

Speaker: Nick Chen (陳志緯)
Nick Chen joined A10 Networks in 2012 and is currently Technical Manager for Taiwan, responsible mainly for solutions and technical support in the telecom and gaming industries. He has 15 years of experience in the IT industry, spanning application software development, information security, and network planning and deployment.

Transcript

Slide 1. Your Secure Application Services Company. Enhanced Security & Visibility in Microservice-based Architecture. Nick Chen, A10 Technical Manager, Taiwan.

Slide 3. Application Delivery Evolution
- Infrastructure stages: traditional applications in the data center, virtualized data center, private and public cloud, cloud native
- Corresponding ADC forms: traditional ADC, virtualized ADC, ADC in cloud, secure application services in cloud infrastructure

Slide 7. Digital transformation: traditional data center versus multi-cloud data center
- Application development: multi-tier (3-tier) architecture versus microservices and containers
- Application deployment: physical data center versus public, private and hybrid cloud
- Network operations: IT-led versus DevOps with automated application delivery
- Business model: one-time pricing versus usage-based pricing

Slide 9. Why Microservices?
- Diagram: a monolith (UI, business logic, DB) contrasted with microservices behind an API gateway (passenger web UI, driver web UI, passenger management, driver management, trip management, billing, payments, notify), each with its own data store (passenger DB, driver DB, trip DB; MySQL, Elasticsearch)
- Software development: Perl, Python, Java, C++, ...
- Software release: highly modularized
- Resource management: Kubernetes, ingress controller

Slide 10. Load Balancer -> ADC-WAF
- Diagram: the load balancer in front of the monolith compared with ADCs (with WAF) in front of the individual microservices
Slide 11. Traffic Management | Content-based switching of traffic
- Choose the server group based on any information (or combination of information) in the HTTP request
- Segment the traffic further in the same manner and apply policies granularly
- Diagram: an A10 Lightning ADC cluster routes www.online-car.com/driver to the driver web UI and /passenger to the passenger web UI

Slide 12. Security | Cloud-based Web Application Firewall (WAF)
- One-click WAF rule selection based on the application

Slide 13. Application Visibility | Centralized Management
- Time series distribution of client SRTT, server RTT, application latency and ADC latency (in/out)

Slide 14. Per-request Log Analysis
- Time series distribution of client SRTT, server RTT, application latency and ADC latency (in/out)
Slide 16. Access Control Between Microservices – External Firewall
- Diagram: the microservices with external firewalls (FW) inserted between them
- Open questions: Network latency? DevOps, self-service, agile? Public, private, hybrid?

Slide 17. Secure Service Mesh – Access Control
- Diagram: A10 Secure Mesh firewalls in a hub-spoke proxy deployment between the microservices
- Checked off: network latency; DevOps, self-service, agile; public, private, hybrid

Slide 18. Access Control Between Microservices
- Lightning ADC is deployed as a transparent proxy between microservices
- All traffic and security policies are applied to E-W traffic
- Access control policies are defined using service labels instead of IP addresses
- Diagram: passenger web UI -> passenger management -> passenger DB, each hop passing through the A10 Secure Mesh FW

Slide 20. Secure Service Mesh – Data Encryption
- Diagram: two microservice nodes (Node 1, Node 2), each running the full set of services with A10 Service Mesh Encryption between the nodes

Slide 21. Transparent Encryption Between Nodes
- Embrace enhanced security through SSL communication
- Secure Service Mesh encrypts traffic flowing between nodes
- The destination service receives decrypted traffic
- No change is needed in the application service
- Diagram: passenger management on Node 1 talks to passenger DB on Node 2 through A10 Service Mesh Encryption on both nodes
Slide 25. Requirements and Solution
- Requirements:
  - Provide an ADC deployed within the Kubernetes environment
  - Provide visibility into North-South as well as East-West application traffic
  - Provide security for East-West application traffic
  - Deploy all configuration via the CI/CD pipeline
- Solution:
  - The A10 Secure Service Mesh product is deployed
  - A Lightning ADC cluster acts as explicit reverse proxy for North-South traffic
  - Another Lightning ADC cluster works as transparent proxy for East-West traffic
  - A10 Harmony Controller acts as the management control plane and integrates with CI/CD tools

Slide 26. Deployment Architecture
- Diagram: three Kubernetes nodes (Node 1, Node 2, Node 3), each running pods for Service-1, Service-2 and Service-3 together with LADC N-S and LADC E-W; a Kubernetes Connector and the Harmony Controller manage the cluster

Slide 27. A10 Lightning ADC (LADC)
- Deployed as a DaemonSet:
  - Image on Docker Hub
  - Deployed to each cluster node
- Processes N-S traffic:
  - Implements Ingress
  - Includes ADC and WAF
- Processes E-W traffic:
  - Transparent access control
  - Transparent encryption/decryption

Slide 28. Policy – N-S traffic
- Deployed as an Ingress resource, which provides the configuration for N-S traffic
- Ingress definitions are extended via annotations
- Simple annotations configure the policies

Slide 29. Policy – E-W traffic
- E-W traffic policy is defined via annotations in the Service definition
- This simplifies the configuration and allows the respective teams to manage their own services
Slide 30. Policy Configuration – E-W traffic
- Transparent encryption is to be enabled for E-W traffic: ladc-inspection: dual
- Access control between microservices is to be configured through the access annotation on the Service (the trailing comma inside the JSON list shown on the slide is removed here so the value is valid JSON):

    metadata:
      name: poc-app2
      annotations:
        ladc.a10networks.com/access: '[ {"accessEnabled": "true", "accessElementType": "label", "accessElement": "poc-app1", "accessAction": "deny", "accessLabelResolver": "$client_label"} ]'
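As an added example (not from the deck or from A10's own code), a small Python validator for the ladc.a10networks.com/access annotation shown on slide 30: it parses the JSON rule list, rejects malformed values so a CI/CD lint step can catch them before the manifest is applied, and evaluates a label-based allow/deny decision for a client service. The annotation key, rule fields and the poc-app1/poc-app2 values come from the slide; the match semantics and the allow-by-default behaviour are assumptions.

```python
import json

# Annotation key and rule fields exactly as shown on slide 30.
ACCESS_ANNOTATION = "ladc.a10networks.com/access"
REQUIRED_FIELDS = ("accessEnabled", "accessElementType", "accessElement",
                   "accessAction", "accessLabelResolver")

# Constructed sample: annotations of the Service poc-app2 from slide 30 (the
# trailing comma shown on the slide is dropped so the value is strict JSON).
SAMPLE_ANNOTATIONS = {
    "ladc-inspection": "dual",
    ACCESS_ANNOTATION: json.dumps([
        {"accessEnabled": "true", "accessElementType": "label",
         "accessElement": "poc-app1", "accessAction": "deny",
         "accessLabelResolver": "$client_label"},
    ]),
}


def parse_access_rules(annotations):
    """Return the rule list from the access annotation ([] if absent); raise
    ValueError for a value that is not a JSON list of complete rules."""
    raw = annotations.get(ACCESS_ANNOTATION)
    if raw is None:
        return []
    try:
        rules = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"{ACCESS_ANNOTATION}: not valid JSON: {exc}") from exc
    if not isinstance(rules, list):
        raise ValueError(f"{ACCESS_ANNOTATION}: expected a JSON list")
    for rule in rules:
        missing = [f for f in REQUIRED_FIELDS if f not in rule]
        if missing:
            raise ValueError(f"{ACCESS_ANNOTATION}: rule missing {missing}")
    return rules


def decide_access(rules, client_labels, default="allow"):
    """Decide 'allow' or 'deny' for a client carrying `client_labels`. Assumed
    semantics (not spelled out on the slide): enabled label rules are checked
    in order, the first whose label the client carries decides, else default."""
    for rule in rules:
        if rule["accessEnabled"] != "true" or rule["accessElementType"] != "label":
            continue
        if rule["accessLabelResolver"] != "$client_label":
            continue  # only the client-label resolver from the slide is modelled
        if rule["accessElement"] in client_labels:
            return rule["accessAction"]
    return default
```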
Slide 33. A10 Kubernetes Connector
- Deployed as a Kubernetes 'Deployment':
  - Image on Docker Hub
  - One instance per cluster
- Implements Ingress:
  - Monitors the lifecycle of containers and Ingress objects
  - Calls APIs to update the load balancer

Slide 36. A10 Harmony Controller
- Diagram: the Harmony Controller spans data center, private cloud and public cloud and talks to LADC and the Kubernetes Connector over a REST API
- Items exchanged over the REST API: device configuration, application configuration, traffic routing, traffic policies, security policies, alerts and events, analytics and insights, security metrics, infrastructure health metrics, traffic metrics

Slide 77. Simplified and Improved Security & Analytics
- Simple architecture
- "Config as code" for automation
- Application traffic analytics for efficiency and security
- Self-service. Agile.
- Public. Private. Hybrid.
- Integrated with CI/CD tools.
- Diagram: a central controller managing a Kubernetes cluster of nodes through the Kubernetes Connector

Slide 81. Thank You
- A10 SE Nick Chen, [email protected], Line: nick_line, Telegram: nick_a10
- Steps to try: http://docs.hc.a10networks.com/IngressController/2.0/a10-ladc-ingress-controller.html