Slide 1

1. Enhanced Security & Visibility in Microservice-based Architecture
A10 Networks, "Your Secure Application Services Company"
Speaker: Nick Chen, A10 Technical Manager, Taiwan region

Slide 2

3. Application Delivery Evolution
Diagram: the ADC follows the application. A traditional ADC in the physical data center, a virtualized ADC in the virtualized data center, an ADC in the cloud (private and public), and finally secure application services built into the cloud infrastructure. Applications move from traditional to cloud native along the same path.

Slide 3

7. Digital Transformation: Traditional Data Center vs. Multi-Cloud Data Center
- Application development: 3-tier architecture -> microservices and containers
- Application deployment: physical data center -> public, private and hybrid cloud
- Network operations: IT-led -> DevOps with automated application delivery
- Business model: one-time pricing -> usage-based (pay-per-use) pricing

Slide 4

9. Why Microservices?
Diagram: a monolith (UI, business logic, DB) beside the same ride-hailing application decomposed into microservices behind an API gateway: Passenger Web UI, Driver Web UI, Passenger Mgmt, Driver Mgmt, Trip Mgmt, Billing, Payments and Notify, each with its own data store (Passenger DB, Driver DB, Trip DB).
- Software development: each service can use its own stack (Perl, Python, Java, C++, MySQL, Elasticsearch, ...)
- Software release: highly modularized, services ship independently
- Resource management: Kubernetes with an Ingress Controller

Slide 5

10. Load Balancer -> ADC-WAF
Diagram: the monolith sits behind a single load balancer; the microservices (API gateway, Passenger/Driver Web UI, Passenger/Driver/Trip Mgmt, Billing, Payments, Notify and their databases) sit behind several ADCs, one of which combines ADC and WAF.

Slide 6

11. Traffic Management | Content-based switching of traffic
- Choose the server group based on any information in the HTTP request (host, path, headers, method), or any combination of it
- Segment the traffic further in the same manner and apply policies per segment
Diagram: an A10 Lightning ADC cluster in front of www.online-car.com routes /driver to the Driver Web UI and /passnger to the Passenger Web UI.
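
As an added example (not A10 Lightning ADC code), here is the content-based switching rule from this slide written out as a small first-match rule table in Python, generalized to match on Host, path prefix, method and header values and to carry a per-segment policy. It also normalizes the path before matching, because a policy keyed on /passnger is only as good as the path parser in front of it: without percent-decoding and dot-segment removal, /passnger/../driver or an encoded variant would be routed and policed under the wrong segment. Group and policy names and the X-Client header are made up for the example.

```python
"""Content-based switching on HTTP request attributes.

Added example; not A10 Lightning ADC code. It models the rule on the slide
(www.online-car.com: /driver -> DRIVER WEB UI, /passnger -> PASSENGER WEB UI)
and generalizes it: a rule can match on any combination of Host, path
prefix, method and header values, the first matching rule wins, and each
rule names the policy that applies to that traffic segment. Group and
policy names and the X-Client header are assumptions for this example.
"""
import posixpath
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote


def normalize_path(path: str) -> str:
    """Decode and collapse dot-segments before matching, so that
    /passnger/../driver or /passnger%2F..%2Fdriver is routed (and policed)
    as /driver instead of slipping past a /passnger-specific policy."""
    raw = path.split("?", 1)[0]
    if not raw:
        return "/"
    clean = posixpath.normpath(unquote(raw))
    return "/" + clean.lstrip("/")


@dataclass
class Rule:
    group: str                          # server group (upstream pool)
    policy: str = "default"             # policy applied to this traffic segment
    host: Optional[str] = None          # exact Host match, case-insensitive
    path_prefix: Optional[str] = None   # /driver matches /driver and /driver/x
    method: Optional[str] = None
    headers: Dict[str, str] = field(default_factory=dict)  # name -> exact value

    def matches(self, req: dict) -> bool:
        if self.host and req.get("host", "").lower() != self.host.lower():
            return False
        if self.path_prefix:
            p, pre = req["path"], self.path_prefix.rstrip("/") or "/"
            if not (pre == "/" or p == pre or p.startswith(pre + "/")):
                return False
        if self.method and req.get("method", "GET").upper() != self.method.upper():
            return False
        hdrs = {k.lower(): v for k, v in req.get("headers", {}).items()}
        return all(hdrs.get(k.lower()) == v for k, v in self.headers.items())


RULES: List[Rule] = [
    # Same host and path, segmented further by a header: mobile API clients
    # get their own group and a stricter policy. Must sit before the generic rule.
    Rule("driver-api", "api-rate-limit", host="www.online-car.com",
         path_prefix="/driver", headers={"X-Client": "mobile"}),
    Rule("driver-web-ui", "waf-driver", host="www.online-car.com", path_prefix="/driver"),
    Rule("passenger-web-ui", "waf-passenger", host="www.online-car.com", path_prefix="/passnger"),
    Rule("default-pool", "waf-default"),  # catch-all so select() never falls through
]


def select(req: dict, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (server_group, policy) for the first rule that matches the request."""
    req = dict(req, path=normalize_path(req.get("path", "/")))
    for rule in rules:
        if rule.matches(req):
            return rule.group, rule.policy
    raise LookupError("no rule matched and no catch-all rule configured")


if __name__ == "__main__":
    for r in [{"host": "www.online-car.com", "path": "/driver/trips"},
              {"host": "www.online-car.com", "path": "/passnger/../driver"},
              {"host": "www.online-car.com", "path": "/driver", "headers": {"X-Client": "mobile"}}]:
        print(r["path"], "->", select(r))
```

Order matters: the header-qualified rule is more specific than the plain /driver rule and must come first, and the catch-all comes last. The normalization step is the security-relevant part; the ADC's view of the path has to agree with the backend's view, or a per-segment policy can be bypassed.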

Slide 7

12. Security | Cloud-based Web Application Firewall (WAF)
- One-click selection of the WAF rule set based on the application

Slide 8

13. Application Visibility | Centralized Management
Chart: time-series distribution of
- Client SRTT (smoothed round-trip time towards the client)
- Server RTT
- Application latency
- ADC latency (in/out)

Slide 9

14. Per-request Log Analysis
Every request is logged individually, so the same four quantities can be broken out per request and then plotted as a time-series distribution:
- Client SRTT
- Server RTT
- Application latency
- ADC latency (in/out)
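
Slides 8 and 9 list the four latency components without saying how per-request records become a distribution. As an added example (not A10's log format or Harmony analytics), the Python below parses constructed per-request log lines whose field names stand in for Client SRTT, Server RTT, application latency and ADC latency in/out, buckets them by minute, computes p50/p95 per component, and attributes each request to the component that dominated it. That attribution step is what makes the breakdown useful: it separates a slow backend from a slow ADC from a slow client network.

```python
"""Per-request log analysis: latency distribution per time bucket.

Added example; not A10's log format or analytics. The field names stand in
for the four quantities on the slide (client SRTT, server RTT, application
latency, ADC latency in/out) and the log lines are constructed. It shows
how per-request records become a time series of percentiles, and how each
request is attributed to the component that dominated its latency.
"""
import math
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample: the 10:00 minute is healthy except for one slow backend
# call; in the 10:01 minute the ADC itself adds tens of milliseconds per hop.
SAMPLE_LOG = """\
2019-06-01T10:00:01Z req=1 path=/driver status=200 client_srtt_ms=45 server_rtt_ms=2 app_ms=20 adc_in_ms=1 adc_out_ms=1
2019-06-01T10:00:12Z req=2 path=/passnger status=200 client_srtt_ms=30 server_rtt_ms=1 app_ms=25 adc_in_ms=1 adc_out_ms=1
2019-06-01T10:00:31Z req=3 path=/driver status=200 client_srtt_ms=40 server_rtt_ms=2 app_ms=300 adc_in_ms=1 adc_out_ms=1
this line is malformed and must be skipped
2019-06-01T10:00:55Z req=4 path=/passnger status=200 client_srtt_ms=35 server_rtt_ms=3 app_ms=22 adc_in_ms=1 adc_out_ms=2
2019-06-01T10:01:03Z req=5 path=/driver status=200 client_srtt_ms=40 server_rtt_ms=2 app_ms=20 adc_in_ms=60 adc_out_ms=55
2019-06-01T10:01:20Z req=6 path=/driver status=200 client_srtt_ms=42 server_rtt_ms=2 app_ms=21 adc_in_ms=70 adc_out_ms=50
2019-06-01T10:01:41Z req=7 path=/passnger status=500 client_srtt_ms=38 server_rtt_ms=1 app_ms=500 adc_in_ms=65 adc_out_ms=60
2019-06-01T10:01:58Z req=8 path=/driver status=200 client_srtt_ms=41 server_rtt_ms=2 app_ms=19 adc_in_ms=80 adc_out_ms=50
"""

METRICS = ("client_srtt_ms", "server_rtt_ms", "app_ms", "adc_in_ms", "adc_out_ms")


def parse_line(line: str) -> Optional[dict]:
    """Parse one 'timestamp key=value ...' record; return None for malformed lines."""
    parts = line.strip().split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(kv.split("=", 1) for kv in parts[1:])
        rec = {"ts": ts, "path": fields.get("path", "-"), "status": int(fields.get("status", "0"))}
        for k in METRICS:
            rec[k] = float(fields[k])
    except (KeyError, ValueError):
        return None
    return rec


def percentile(values: List[float], p: float) -> float:
    """Nearest-rank percentile (p in 0..100) of a non-empty list."""
    s = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(s)))
    return s[rank - 1]


def dominant(rec: dict) -> str:
    """Name the component that accounts for the largest share of the request time."""
    parts = {"client-network": rec["client_srtt_ms"],
             "server-network": rec["server_rtt_ms"],
             "app": rec["app_ms"],
             "adc": rec["adc_in_ms"] + rec["adc_out_ms"]}
    return max(parts, key=parts.get)


def analyze(text: str, bucket_seconds: int = 60) -> Dict[str, dict]:
    """Group records into time buckets; per bucket return (p50, p95) for each
    metric, the request count, and how many requests each component dominated."""
    buckets: Dict[datetime, List[dict]] = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        epoch = int(rec["ts"].timestamp())
        start = datetime.fromtimestamp(epoch - epoch % bucket_seconds, tz=timezone.utc)
        buckets[start].append(rec)
    result: Dict[str, dict] = {}
    for start, recs in sorted(buckets.items()):
        summary: dict = {m: (percentile([r[m] for r in recs], 50),
                             percentile([r[m] for r in recs], 95)) for m in METRICS}
        counts: Dict[str, int] = defaultdict(int)
        for r in recs:
            counts[dominant(r)] += 1
        summary["requests"] = len(recs)
        summary["dominant"] = dict(counts)
        result[start.strftime("%Y-%m-%dT%H:%M")] = summary
    return result


if __name__ == "__main__":
    for when, s in analyze(SAMPLE_LOG).items():
        print(when, s["requests"], "requests; app p95", s["app_ms"][1], "ms; dominant:", s["dominant"])
```

In the constructed data the 10:00 bucket is dominated by client network time with one slow application call, while in 10:01 the ADC in/out latency dominates three of four requests; that is the kind of shift a per-request series exposes that an aggregate average hides.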

Slide 10

16. Access Control Between Microservices with an External Firewall
Diagram: the microservices (API gateway, Passenger/Driver Web UI, Passenger/Driver/Trip Mgmt, Billing, Payments, Notify and their databases) are separated by firewalls placed outside the microservice environment, so inter-service traffic has to be steered out to a firewall and back. The questions this raises:
- Network latency?
- DevOps, self-service, agile?
- Public, private, hybrid?

Slide 11

17. Secure Service Mesh – Access Control
Diagram: the same microservices, with the A10 Secure Mesh providing the firewall function inside the environment as a hub-and-spoke proxy deployment. This answers the three questions from the previous slide:
✓ Network latency (no detour through an external firewall)
✓ DevOps, self-service, agile
✓ Public, private, hybrid

Slide 12

18. Access Control Between Microservices
- Lightning ADC is deployed as a transparent proxy between microservices
- All traffic and security policies are applied to east-west (E-W) traffic
- Access control policies are defined in terms of service labels instead of IP addresses, so they survive pod rescheduling and IP churn
Diagram: Passenger Web UI -> Passenger Mgmt -> Passenger DB, with the A10 Secure Mesh acting as the firewall on each hop.

Slide 13

20. Secure Service Mesh – Data Encryption
Diagram: two Kubernetes nodes (Node 1, Node 2), each running the full set of microservices (API gateway, Passenger/Driver Web UI, Passenger/Driver/Trip Mgmt, Billing, Payments, Notify and their databases); traffic between the two nodes passes through A10 Service Mesh Encryption on each side.

Slide 14

21. Transparent Encryption Between Nodes
- Inter-node traffic is protected with SSL/TLS
- The Secure Service Mesh encrypts traffic as it leaves one node and decrypts it as it enters the other
- The destination service receives decrypted traffic, so the protection covers the wire between nodes, not the hop from the mesh proxy to the service inside the destination node
- No change is needed in the application service
Diagram: Passenger Mgmt on Node 1 talks to Passenger DB on Node 2 through A10 Service Mesh Encryption on both nodes.

Slide 15

25. Requirements and Solution
Requirements
- Provide an ADC deployed within the Kubernetes environment
- Provide visibility into north-south as well as east-west application traffic
- Provide security for east-west application traffic
- Deploy all configuration via the CI/CD pipeline
Solution
- The A10 Secure Service Mesh product is deployed
- One Lightning ADC cluster acts as an explicit reverse proxy for north-south traffic
- Another Lightning ADC cluster works as a transparent proxy for east-west traffic
- The A10 Harmony Controller acts as the management control plane and integrates with the CI/CD tools

Slide 16

26. Deployment Architecture
Diagram: a Kubernetes cluster of three nodes (Node 1, Node 2, Node 3), each running pods for Service-1, Service-2 and Service-3 plus a north-south LADC and an east-west LADC; one Kubernetes Connector in the cluster; the Harmony Controller outside the cluster as the control plane.

Slide 17

27. A10 Lightning ADC (LADC)
- Deployed as a DaemonSet
  - Image on Docker Hub
  - One instance on each cluster node
- Processes N-S traffic
  - Implements the Ingress
  - Includes ADC and WAF
- Processes E-W traffic
  - Transparent access control
  - Transparent encryption/decryption

Slide 18

28. Policy – N-S traffic
- Deployed as an Ingress resource, which carries the configuration for N-S traffic
- Ingress definitions are extended via annotations
- Simple annotations configure the policies

Slide 19

29. Policy – E-W traffic
- E-W traffic policy is set via annotations in the Service definition
- This keeps the configuration simple and lets each team manage the policy of its own services

Slide 20

30. Policy Configuration – E-W traffic
- Transparent encryption is enabled for E-W traffic with the annotation value ladc-inspection: dual
- Access control between microservices is configured on the Service; the example below denies calls to poc-app2 from clients carrying the label poc-app1:

    metadata:
      name: poc-app2
      annotations:
        ladc.a10networks.com/access: '[
          {"accessEnabled": "true",
           "accessElementType": "label",
           "accessElement": "poc-app1",
           "accessAction": "deny",
           "accessLabelResolver": "$client_label"}
        ]'
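
Slides 12 and 20 say that access control is keyed on service labels rather than IP addresses and show the annotation that carries it, but not how a proxy evaluates it. As an added example (not the A10 Kubernetes Connector or Lightning ADC code), the Python below reads the ladc.a10networks.com/access annotation format from a Service manifest, validates it, and decides whether a calling workload may reach the service. Assumptions not taken from the slide: the manifests, that "$client_label" resolves to the caller's "app" label, that rules with accessEnabled "false" are skipped, and that a caller matched by no rule is allowed. The validation step is deliberate: the annotation value is a JSON list, and a trailing comma inside it (easy to leave behind when editing YAML by hand) is not valid JSON, so the policy should fail closed at load time rather than be silently ignored.

```python
"""East-west access control keyed on service labels, not IP addresses.

Added example; not the A10 Kubernetes Connector or Lightning ADC code. It
reads the annotation format shown on the slide (ladc.a10networks.com/access:
a JSON list of rules with accessEnabled, accessElementType, accessElement,
accessAction and accessLabelResolver) from a Service manifest and decides
whether a calling workload may reach the service. Assumptions, not taken
from the slide: the manifests, that "$client_label" resolves to the caller's
"app" label, that disabled rules are skipped, and that a caller matched by
no rule is allowed.
"""
import json
from typing import Callable, Dict, List, Tuple

ACCESS_ANNOTATION = "ladc.a10networks.com/access"
DEFAULT_ACTION = "allow"  # assumption: no matching rule -> allow

# Constructed manifest: poc-app2 denies calls whose client label is poc-app1.
POC_APP2 = {
    "kind": "Service",
    "metadata": {
        "name": "poc-app2",
        "annotations": {
            ACCESS_ANNOTATION: json.dumps([
                {"accessEnabled": "true", "accessElementType": "label",
                 "accessElement": "poc-app1", "accessAction": "deny",
                 "accessLabelResolver": "$client_label"},
                {"accessEnabled": "false", "accessElementType": "label",   # disabled rule
                 "accessElement": "poc-app3", "accessAction": "deny",
                 "accessLabelResolver": "$client_label"},
            ]),
        },
    },
}

# How the proxy derives the caller's identity. Assumption: "$client_label" is
# the caller's "app" label, taken from pod metadata the proxy obtains from the
# orchestrator, never from the packet's source IP or a client-supplied header.
RESOLVERS: Dict[str, Callable[[dict], str]] = {
    "$client_label": lambda client: client.get("labels", {}).get("app", ""),
}


def validate_access_annotation(raw: str) -> Tuple[bool, str]:
    """Check an annotation value before it is applied. Strict JSON is required,
    so a trailing comma inside the list is rejected here instead of ignored."""
    try:
        rules = json.loads(raw)
    except json.JSONDecodeError as e:
        return False, f"not valid JSON: {e.msg} at position {e.pos}"
    if not isinstance(rules, list):
        return False, "top level must be a JSON list of rules"
    for i, r in enumerate(rules):
        if not isinstance(r, dict):
            return False, f"rule {i}: must be an object"
        if r.get("accessElementType") != "label":
            return False, f"rule {i}: only accessElementType=label is supported here"
        if r.get("accessAction") not in ("allow", "deny"):
            return False, f"rule {i}: accessAction must be allow or deny"
        if r.get("accessLabelResolver") not in RESOLVERS:
            return False, f"rule {i}: unknown accessLabelResolver"
        if not r.get("accessElement"):
            return False, f"rule {i}: accessElement is empty"
    return True, "ok"


def load_rules(service: dict) -> List[dict]:
    """Return the access rules of a Service manifest, or [] if it has none.
    Raises on an invalid annotation so the policy fails closed."""
    raw = service.get("metadata", {}).get("annotations", {}).get(ACCESS_ANNOTATION)
    if raw is None:
        return []
    ok, why = validate_access_annotation(raw)
    if not ok:
        raise ValueError(f"{service.get('metadata', {}).get('name')}: {why}")
    return json.loads(raw)


def decide(service: dict, client: dict) -> str:
    """Return 'allow' or 'deny' for client -> service; the first enabled rule
    whose accessElement equals the resolved client label wins."""
    for rule in load_rules(service):
        if rule.get("accessEnabled", "true").lower() != "true":
            continue  # assumption: disabled rules are ignored
        identity = RESOLVERS[rule["accessLabelResolver"]](client)
        if identity and identity == rule["accessElement"]:
            return rule["accessAction"]
    return DEFAULT_ACTION


if __name__ == "__main__":
    for app in ("poc-app1", "poc-app3", "billing"):
        print(app, "->", POC_APP2["metadata"]["name"], ":", decide(POC_APP2, {"labels": {"app": app}}))
```

Two points follow from this model. The caller's identity must come from metadata the proxy obtains from the orchestrator, never from anything the caller sends, or label-based policy degrades into header-based policy. And since identity is a label, whoever can set pod labels can assume an identity, so RBAC on pods and their labels is part of the access-control design, not separate from it.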

Slide 21

33. A10 Kubernetes Connector
- Deployed as a Kubernetes Deployment
  - Image on Docker Hub
  - One instance per cluster
- Implements the Ingress
  - Watches the lifecycle of containers and Ingress objects
  - Calls APIs to update the load balancer configuration

Slide 22

36. A10 Harmony Controller
Diagram: the Harmony Controller spans data center, private cloud and public cloud and talks to the LADCs and the Kubernetes Connector over a REST API, exposing a REST API itself. Configuration it manages: device configuration, application configuration, traffic routing, traffic policies, security policies. Telemetry it collects and exposes: alerts and events, analytics and insights, security metrics, infrastructure health metrics, traffic metrics.

Slide 23

77. Simplified and Improved Security & Analytics
- Simple architecture
- "Config as code" for automation
- Application traffic analytics for efficiency and security
- Self-service, agile
- Public, private, hybrid
- Integrated with CI/CD tools
Diagram: a Kubernetes cluster (nodes plus the Kubernetes Connector) managed by a central controller.

Slide 24

81. Thank You
Nick Chen, A10 SE
Email: [email protected]
Line: nick_line
Telegram: nick_a10
Steps to try: http://docs.hc.a10networks.com/IngressController/2.0/a10-ladc-ingress-controller.html

Slide 25

82. Applications at the Speed of Cloud: increase agility, compete faster, operational visibility