Enhanced Security & Visibility in Microservice Based Architecture

Transcript

1. 1. Your Secure Application Services Company Enhanced Security & Visibility

   in Microservice-based Architecture A10 台灣區技術經理 Nick Chen

2. 3. Application Delivery Evolution VIRTUALIZED DC DATA CENTER PRIVATE, PUBLIC

   CLOUD Traditional ADC ADC in Cloud Virtualized ADC Secure Application Services in Cloud Infrastructure CLOUD NATIVE TRADITIONAL Applications

3. 7. 傳統資料中心 多雲資料中心 數位轉型 應用程式開發 多層式架構 3-Tier 微服務 Microservices 容器

   Containers 應用程式部署 實體資料中心 公有雲, 私有雲, 混合雲 網路維運 IT 主導 DevOps. 自動化應用交付 商業模式 一次性計價 用量計價

4. 9. Why Microservices ? Monolithic UI BUSINESS DB API GATEWAY

   PASSNGER WEB UI DRIVER WEB UI PASSNGER MGMT DRIVER MGMT TRIP MGMT BILLING PAYMENTS NOTIFY Microservices PASSNGER DB DRIVER DB TRIP DB • Software Development Perl, Python, Java, C++ …. • Software Release Highly Modularized • Resource Management Kubernetes, Ingress Controller Perl Python C++ MySQL Elastic Search

5. 10. Load Balancer -> ADC-WAF Monolithic UI BUSINESS DB API

   GATEWAY PASSNGER WEB UI DRIVER WEB UI PASSNGER MGMT DRIVER MGMT TRIP MGMT BILLING PAYMENTS NOTIFY Microservices PASSNGER DB DRIVER DB TRIP DB ADC ADC ADC Load Balancer UI BUSINESS DB API GATEWAY PASSNGER WEB UI DRIVER WEB UI PASSNGER MGMT DRIVER MGMT TRIP MGMT BILLING PAYMENTS NOTIFY PASSNGER DB DRIVER DB TRIP DB ADC WAF

6. 11. Traffic Management | Content based switching of traffic •

   Choose server Group based on any information (or its combination) in HTTP request • Segment the traffic further in the same manner and apply policies granularly A10 Lightning ADC Cluster PASSNGER WEB UI DRIVER WEB UI /driver /passnger www.online-car.com

7. 12. Security | Cloud based Web Application Firewall (WAF) •

   One click Web Application Firewall rule selection based on Application

8. 13. Application Visibility | Centralized Management Time series distribution o

   Client SRTT o Server RTT o APP Latency o ADC Latency(In/Out)

9. 14. Per-request Log Analysis Time series distribution of o Client

   SRTT o Server RTT o APP Latency o ADC Latency(In/Out)

10. 16. Access Control Between Microservices – External Firewall Monolithic UI

    BUSINESS DB Microservices API GATEWAY PASSNGER WEB UI DRIVER WEB UI PASSNGER MGMT DRIVER MGMT TRIP MGMT BILLING PAYMENTS NOTIFY PASSNGER DB DRIVER DB TRIP DB FW • Network Latency ? • DevOps. Self-Service. Agile ? • Public. Private. Hybrid ? FW FW

11. 17. Secure Service Mesh – Access Control Microservices Monolithic UI

    BUSINESS DB API GATEWAY PASSNGER WEB UI DRIVER WEB UI PASSNGER MGMT DRIVER MGMT TRIP MGMT BILLING PAYMENTS NOTIFY PASSNGER DB DRIVER DB TRIP DB A10 SECURE MESH FW FW FW Hub-Spoke Proxy Deployment  Network Latency  DevOps. Self-Service. Agile  Public. Private. Hybrid

12. 18. Access Control Between Microservices o Lightning ADC is deployed

    as transparent proxy between micro-services o All traffic and security policies are applied on E-W traffic o Access Control policy definition use service labels instead of IP address PASSNGER WEB UI PASSNGER MGMT PASSNGER DB A10 SECURE MESH FW

13. 20. Secure Service Mesh – Data Encryption Microservices Node 1

    API GATEWAY PASSNGER WEB UI DRIVER WEB UI PASSNGER MGMT DRIVER MGMT TRIP MGMT BILLING PAYMENTS NOTIFY PASSNGER DB DRIVER DB TRIP DB A10 SERVICE MESH ENCRYPTION Microservices Node 2 API GATEWAY PASSNGER WEB UI DRIVER WEB UI PASSNGER MGMT DRIVER MGMT TRIP MGMT BILLING PAYMENTS NOTIFY PASSNGER DB DRIVER DB TRIP DB A10 SERVICE MESH ENCRYPTION

14. 21. Transparent Encryption Between Nodes o Embrace enhanced security by

    SSL communication. o Secure Service Mesh encrypt traffic flowing between nodes o Destination service gets decrypted traffic o No change is needed in application service Node 1 Node 2 PASSNGER MGMT PASSNGER DB A10 SERVICE MESH ENCRYPTION A10 SERVICE MESH ENCRYPTION

15. 25. Requirements and Solution Requirements • Provide ADC deployed within

    Kubernetes environment • Provide visibility into North-South as well as East-West application traffic • Provide Security into East-West application traffic • Deploy all config via CI/CD pipeline Solution • A10 Secure Service Mesh product is deployed • Lightning ADC cluster acts as explicit reverse proxy for North-South traffic • Another Lightning ADC cluster works as transparent proxy East-West traffic • A10 Harmony Controller acts as management control plane and CI/CD tools integration.

16. 26. 26 Deployment Architecture POD Service-1 POD POD Service-2 Service-3

    POD Service-1 POD POD Service-2 Service-3 Node 1 POD Service-1 POD POD Service-2 Service-3 Kubernetes Connector Node 2 Node 3 Harmony Controller LADC N-S LADC E-W

17. 27. A10 Lightning ADC (LADC) o Deployed as DaemonSet •

    Image on Docker Hub • Deploy to each cluster nodes o Process N-S Traffic • Implemented Ingress • Included ADC and WAF o Process E-W Traffic • Transparent Access Control • Transparent Encryption/Decryption

18. 28. Policy – N-S traffic • Deployed as Ingress Resource

    which provides configuration to N-S traffic. • Ingress definitions are extended via annotations. • Simple annotations to configure policies

19. 29. Policy – E-W traffic • E-W traffic policy is

    done via annotations in service definition. • This simplifies the config and allows respective teams to manage their own services

20. 30. Policy Configuration – E-W traffic • Transparent encryption is

    to be enabled for E-W traffic • ladc-inspection: dual • Access control between microservices is to be configured metadata: name: poc-app2 annotations: ladc.a10networks.com/access: '[ {"accessEnabled": "true", "accessElementType": "label", "accessElement": "poc-app1", "accessAction": "deny", "accessLabelResolver": "$client_label"}, ]'

21. 33. A10 Kubernetes Connector o Deployed as K8s ‘Deployment’ •

    Image on Docker Hub • One instance in a cluster o Implemented Ingress • Monitors Lifecycle of Containers and Ingress Objects • Calls APIs to update LB

22. 36. A10 Harmony Controller HARMONY CONTROLLER Data Center Private Cloud

    Public Cloud REST API Device Configuration Application Configuration Traffic Routing Traffic Policies Security Policies Alters and Events Analytics and Insights Security Metrics Infrastructure Health Metrics Traffic Metrics LADC Kubernetes Connector REST API

23. 77. Simplified and Improved Security & Analytics o Simple Architecture

    o “Config as code” for automation o Application Traffic Analytics for efficiency and security o Self-Service. Agile. o Public. Private. Hybrid. o Integrated with CI/CD tools. Node Node Central Controller Kubernetes Kubernetes Connector Kubernetes Cluster

24. 81. Thank You A10 SE Nick Chen [email protected] Line :

    nick_line Telegram : nick_a10 Steps to try @ http://docs.hc.a10networks.com/IngressController/2.0/a10-ladc-ingress-controller.html

25. 82. Applications AT THE SPEED OF CLOUD INCREASE AGILITY COMPETE

    FASTER OPERATIONAL VISIBILITY