Download
1 / 18
180 likes | 204 Views
A10 Networks Presentation for Akshay Mathur
E N D
Securing East-West TrafficEnhanced Security and Visibility For Microservice-Based Architectures Akshay Mathur A10 Networks
Growing Industry Trend: Containers and Kubernetes APPLICATIONS NEW DE-FACTO STANDARDS: Moving from Monolith to Micro Services Growing Kubernetes Adoption APPLICATION DEPLOYMENTS • Adopted by all industry major players – AWS, Azure, Google, VMWare, RedHat. • 10X increase in usage in Azure and GCP last year • 10X increase in deployment last 3 years • Deployment Size increased 75% in a year Moving from Hardware Servers or Virtual Machines to Containers Moving from Monolith to Micro Services
Key Requirements of Modern Teams … EFFICIENT OPERATIONS VISIBILITY & CONTROL Application Security • Central Management • Multi-services • Multi-cloud • Analytics • Faster troubleshooting • Operational intelligence • SSL Encryption • Access Control • Attack Protection and Mitigation
Challenges In Kubernetes Environment
Challenges in Kubernetes Environment • Internal and External Networks are isolated • IP addresses of Pods keep changing • No access control between microservices • No application layer visibility Kubernetes Node Kubernetes Node
An E-Com Company: Access Control between Microservices • For Security and compliance reason, communication between microservices must be controlled • In absence of logical policy enforcement, this company isolated clusters Kubernetes Node Kubernetes Node Kubernetes Node Kubernetes Node
A FinTech Company: Blind on Traffic Flow Information • This company implements all important microservices in separate namespace • Traffic between microservices across namespaces must pass through application gateway • Some information about the traffic is collected from application gateway Kubernetes Node Kubernetes Node Kubernetes Node Kubernetes Node
A Media Service Company: Worried about Cost of Operations • Sidecar deployment model significantly enhances the resource requirement • Management overhead also increases with size of deployment Kubernetes Node Kubernetes Node OR
Deployment Architecture – Distributed and Elastic • ADC as DaemonSet • Hub-Spoke within node • Active-Active cluster within namespace • Monitoring of infrastructure • Updates at per pod lifecycle events • Central Controller • Keep all configuration in sync Kubernetes Cluster Kubernetes Node Kubernetes Node
Access Control between Microservices • Transparent Proxy • Automatically intercept the traffic and enforce policy • Policy using service labels • No IP addresses
Node 1 Node 2 Transparent Encryption S2 • Intelligent SSL • Only the traffic between nodes is encrypted • No code change • App service need not implement SSL S1
Application Traffic and Security Analytics ADAPTIVE CONTROLS FASTER TROUBLE- SHOOTING • Prescriptive Analytics • Policy updates • Behavior Analysis • Predictive Analytics • Anomalies/Threats • Correlation PERFORMANCE MONITORING • Diagnostic Analytics • Per-App metrics • Trend Analysis INSIGHTS • Descriptive Analytics • Health Status • Logs & Events
Anomalies and their Sources • Time series distribution of • Requests • Bandwidth consumption • IP addresses clients sending high traffic • Drill down to their transaction logs to confirm genuineness
Troubleshooting Response Time Issues View segmentation of response time by various properties like URLs, countries, servers etc. Keep a tab on end-to-end response time and time taken in various portions of request/response cycle Reach to individual transaction(s) for identifying the root cause
Summary: Security with Simplicity • Simple architecture with unified solution and central management and control • ADC Config ‘as code’ in Kubernetes format • No change in microservices’ code • Traffic visibility for optimizations and enhancements
