Azure F5 Solutions
2 likes•2,003 views
The document outlines F5 solutions for Microsoft Azure, detailing the connectivity options, security configurations, and deployment strategies for applications. It highlights the use of Azure Resource Manager templates, virtual networks, and the F5 Web Application Firewall for enhanced security and compliance. Additionally, it discusses hybrid cloud deployment scenarios and the integration of F5 services with existing identity infrastructure for secure access.
Azure F5 Solutions
- 1. F5Solutions
- 2. Locations: • Azure has regions around the world. Availability Sets: • Azure provides the redundancy option for VMs by isolating them in different fault and update domains. Virtual Networks (VNETs) • Logically isolated network. You can create subnets, route tables. Subnets: Fixed address blocked within a VNET (ex. 10.0.1.0/24 ) User Defined Routes (UDRs): Route table for next hop Network Security Groups (NSGs): network firewall rules used to secure resources Azure Resource Manager Templates: Used to orchestrate resources and deliver services in Azure
- 3. VNET Connectivity: • On Prem to VNET • Two methods. 1. VPN Gateway 2. ExpressRoute™ – secure dedicated connection • VNET to VNET F5 available as a drop down option to connect to your remote BIG -IP
- 4. © 2016 F5 Networks, Inc 4 https://blog.kloud.com.au/2016/04/05/azure-classic-vs-azure-resource-manager/ https://azure.microsoft.com/en-us/documentation/articles/resource-manager-deployment-model/ •ARM Templates: Can be used ONLY in ARM mode.
- 7. • 1 NIC for Management and External • Change configuration utility port 443 => 8443 • Use a Transparent/forward virtual server per service port. • Separation of traffic via iRule, SNI or traffic policy. • Networking objects (vNIC 1.0, an internal VLAN, and an internal self IP address) are created automatically for you. • Supports One-Armed and DSR mode.
- 8. • Supports one-armed, two armed and DSR mode use cases. • Still only one public IP address available • Change BIG-IP configuration utility port 443 => 8443 • You can’t use BIG-IP GUI to create this configuration. - An Azure template - PowerShell - The Azure command-line interface (CLI) • Supported in version 12.0 HF1 and later
- 9. • • • •
- 11. Public Cloud - Shared Responsibility Security Model CP Global Infrastructure Data Centers Zones Regions Edge Locations Networking Services Compute Database Storage Deployment & Management Client-Side Data Encryption & Data Integrity Authentication Server-Side Encryption (File System and/or Data) Network Traffic Protection (Encryption, Integrity, Identity) Operating System, Network and Firewall Configuration Platform, Applications, Identity & Access Management Customer Data Customer’s responsibility • Protecting the confidentiality, integrity, and availability of their data in the cloud • OS and application-level security Cloud Provider responsibility • Providing a global secure infrastructure and services PhysicaltoHypervisorOSandApplication CloudProviderCustomer
- 12. Preconfigured WAF with Azure Security Center Product : F5 Web Application Firewall (WAF) Solution • Simple deployment experience integrated with Azure workflow and services • Out-of-the-box choice of security settings preconfigured by F5 experts • Comprehensive application security and compliance with advanced Layer 7 attack protections • Consistent policy management and user experience across Cloud and Datacenter apps • Integration with Azure dashboard and alerts / visualization services F5 WAF Solution Integrated With Azure Security Center (ASC) Use Case Example F5 provides ARM template to configure Preconfigure WAF outside of Azure Security Center to support broader customer needs. WAF
- 13. • Strengthens security posture by enabling device checks, multifactor authentication, up- leveling authentication and AD & AAD Integration • Consolidates & centralizes security when offering hybrid services across cloud and on- prem datacenters • Streamlines access by providing federation & single sign on across all SAML/OAuth enabled on-prem, O365, Azure, and SAAS apps • Reduces configuration complexity simplified deployment using Azure Solution Template • Enables migration with context aware, user & device based traffic redirection Office 365 Identity Federation & Single Sign On Product : F5 BIG-IP Best (BIG-IP Access Policy Manager) Azure Private Cloud Unauthorized User Authorized Users Use Case Example BIG-IP SSO
- 14. AD SAML FEDERATIONSAML IDP SAML SP App A App B Employee Contractor/Partner SSL-VPN On premises BIG-IP • Back Ground • Need secure access (SSL-VPN) to Azure for employees, contractors and partners. • Integration with existing identity infrastructure • Solution • Secure access by enabling SAML for all the apps in Azure. • Federate ID with existing AD and SAML IDP • Endpoint security check and SSL VPN enables secure remote access to Azure • Increase high availability by deploying F5 into multiple Azure regions SSL VPN and secure access to Azure Product : F5 BIG-IP Best (BIG-IP Access Policy Manager) Use Case Example Azure SSL-VPN
- 15. SQL Backend Active Directory End Users Internet ACTIVE BIG-IP STANDBY BIG-IP Use Case 1: Cloud Deployment with Single Sign On and Firewall Pre-authentication Traffic Backend Data Communication Load Balancing + App Delivery + SSLLTM Access ManagementAPM Web Application FirewallingASM • Secure, policy driven single sign-on Access Management • Web application security, firewalling and DDOS protection • Stateful Layer 4-7 load balancing, SSL offloading and application delivery Firewalling + DDoS protectionAFM LTMAFM APM ASM
- 16. • Consistent settings and policies on prem and off • Single-Sign-On for both on prem and cloud based apps • Web-Application Firewall where-ever your app resides Azure Virtual Net On-Premise Net S2S VPN IPsec Pre-authentication Traffic Backend Data Communication ACTIVE BIG-IP STANDBY BIG-IP SQL Backend On Premise DC Active Directory BIG-IP Platform Use Case 2: Hybrid Cloud with site to site VPN Internet End Users LTMAFM APM ASM Load Balancing + App Delivery + SSLLTM Access ManagementAPM Web Application FirewallingASM Firewalling + DDoS protectionAFM
- 17. WEST US EAST US Authentication Traffic GSLB Use Case 3: Hybrid Cloud with GSLB and SAML • Delivers Business Continuity • Users get the best possible QoE because the service comes from the closest available source Internet End Users Load Balancing + App Delivery + SSLLTM Identity Access ManagementAPM Web Application FirewallingASM Business Continuity + DNSGTM
- 19. • • • • • • •
- 21. • • • • • •
- 23. OFFERING • Certified Images in marketplace and on downloads.f5.com • All BIG-IP Modules (GBB and standalone) in Classic and ARM • Performance: 25M, 200M, 1G BYOL and Utility • Single and Multi NIC deployments • Available in Azure Government Marketplace • Available 30 day evaluation and lab licenses • WAF offering in Azure Security Center
- 24. © 2016 F5 Networks, Inc 24 Parameters BYOL (1)(2) Utility Presence Currently Available Releasing Dec. 2016 as 12.1.2 • Commercial Y (3) (4) Y (4) • Government Y (5) Max throughput SKU 1 Gbps 1 Gbps Modules Stand alone and GBB GBB downloads.f5.com 12.0.0HF4, 12.1.0 HF2, 12.1.1 HF1 NOTES
- 26. • • https://github.com/F5Networks/ • https://github.com/f5devcentral/ • • • https://github.com/F5Networks/f5-azure-arm-templates •