Securing Your Apps & APIs in the Cloud
©2020 F5 NETWORKS - CONFIDENTIAL
6. The Cloud Offers Promise
7. More Specifically…
8. Virtually All Managed Cloud App Delivery and WAF Services Are Actually Managed Versions of…
&
But with a limited subset of config options exposed for both
Legacy workloads are difficult to migrate without fully refactoring your apps first, increasing migration time and decreasing the chance of success.
And the limited feature set exposed is often lacking key functionality needed for greenfield apps as well.
9. And each cloud provider tends to tightly couple services with their own cloud
10. NGINX Plus Runs Anywhere
Flexibility – Same configurations and software in every environment, and can be used to solve many different potential problems
Simplicity – Potential for a single platform for App Delivery and Security to manage and monitor.
Strategic Outcomes – Solve application routing and security problems once
11. The NGINX Application Platform
A suite of products that together form the core of what organizations need to create applications with performance, reliability, security, and scale.
The NGINX Application Platform includes NGINX Plus for load balancing and application delivery, the NGINX WAF for security, and NGINX Unit to run the application code, all monitored and managed by NGINX Controller.
Diagram label: Ingress Controller
12. NGINX Plus R22
Dynamic Application Gateway, unifying:
• Load Balancer
• API Gateway
• Kubernetes IC
• Cache Proxy
• And more…
Key R22 features:
• OCSP Support
• OIDC w/Multiple IDPs
• Enhanced OIDC metrics
• Enhanced rate and connection limiting metrics
• NGINX JavaScript support for raw header object
• And more…
14. FEATURES COMPARISON
NGINX Plus vs Cloud LBs
• Advanced L7 routing
• Layer 4 & Layer 7 mixed
• Dynamic Reconfiguration – No downtime
• 120 Realtime L4-L7 statistics
• K-V Memory Store
• High Availability options
• Authentication options
• Rate Limiting
• Advanced Caching
• Health Checks
• Upstream API
• CLI access
• App Protect WAF option (New)
• Kubernetes Ingress Controller option
• Cost
15. NGINX Plus Kubernetes Ingress Controller
An advanced Layer 7 load-balancing solution for exposing Kubernetes Services
• NGINX commonly used as Ingress Controller
• Dynamic reconfiguration of endpoints (no configuration reload, so no downtime)
• Move Layer 7 logic closer to the App, managed by DevOps
• Additional metrics, provided by a streamlined Prometheus exporter
• Dedicated Helm chart repository
• Support for Custom resources to expose more NGINX Plus features
• Health checks
16. NGINX Ingress Controllers
kubernetes/ingress-nginx
• Kubernetes community
• Custom NGINX build based on OpenResty/Lua that includes third-party code
• Community support only
nginxinc/kubernetes-ingress
• NGINX Inc commercial software
• NGINX Plus KIC
• Significant performance increase
• Enterprise support
18. Demo Architecture
3-node Kubernetes cluster, NGINX Plus Ingress Controllers, for URL path routing with TLS.
Diagram: LoadBalancer (Cloud Provider) → Ingress (two replicas) → coffee service (pods) for example.com/coffee and tea service (pods) for example.com/tea, inside the K8s 3-node cluster
19. Demo Config of the Ingress Controller
MORE INFORMATION AT NGINX.COM
• Kind = Ingress
• Host = Host Header
• TLS = True
• Layer 7 URL Path Routing
• /tea and /coffee
• Health Checks
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress
spec:
  tls:
  - hosts:
    - cafe.example.com
    secretName: cafe-secret
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /tea
        backend:
          serviceName: tea-svc
          servicePort: 80
      - path: /coffee
        backend:
          serviceName: coffee-svc
          servicePort: 80
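The demo relies on three properties of that manifest: every routed host is covered by a TLS entry that names a secret, every path has a complete backend, and no host+path is routed twice. The following script is an added example, not code from the slides or from the NGINX Ingress Controller project; it transcribes the cafe-ingress manifest as a plain Python dict (so no YAML library is needed) and checks those properties before the manifest is applied.

```python
"""Pre-apply checks for the demo Ingress manifest.

Added example (not code from the slides or from the NGINX Ingress
Controller project). The demo manifest is transcribed below as a plain
Python dict so the script needs no YAML library; check_ingress() verifies
that every routed host is covered by a TLS entry with a secret, that every
path has a complete backend, and that no host+path is routed twice.
"""
import copy

# Transcription of the cafe-ingress manifest shown on the slide.
CAFE_INGRESS = {
    "apiVersion": "extensions/v1beta1",
    "kind": "Ingress",
    "metadata": {"name": "cafe-ingress"},
    "spec": {
        "tls": [{"hosts": ["cafe.example.com"], "secretName": "cafe-secret"}],
        "rules": [
            {
                "host": "cafe.example.com",
                "http": {
                    "paths": [
                        {"path": "/tea", "backend": {"serviceName": "tea-svc", "servicePort": 80}},
                        {"path": "/coffee", "backend": {"serviceName": "coffee-svc", "servicePort": 80}},
                    ]
                },
            }
        ],
    },
}


def check_ingress(ingress):
    """Return a list of problems; an empty list means the manifest passes."""
    problems = []
    if ingress.get("kind") != "Ingress":
        problems.append(f"kind is {ingress.get('kind')!r}, expected 'Ingress'")
    spec = ingress.get("spec", {})

    # TLS: collect the covered hosts and make sure each entry names a secret.
    tls_hosts = set()
    for entry in spec.get("tls", []):
        if not entry.get("secretName"):
            problems.append(f"tls entry for {entry.get('hosts')} has no secretName")
        tls_hosts.update(entry.get("hosts", []))

    # Rules: host must be explicit and TLS-covered; paths complete and unique.
    seen_routes = set()
    for rule in spec.get("rules", []):
        host = rule.get("host")
        if not host:
            problems.append("rule without host: it would match any Host header")
        elif host not in tls_hosts:
            problems.append(f"host {host} is routed but not listed under spec.tls")
        for item in rule.get("http", {}).get("paths", []):
            path = item.get("path", "/")
            route = (host, path)
            if route in seen_routes:
                problems.append(f"duplicate route {host}{path}")
            seen_routes.add(route)
            backend = item.get("backend", {})
            if not backend.get("serviceName") or not backend.get("servicePort"):
                problems.append(f"route {host}{path} has an incomplete backend: {backend}")
    return problems


def without_tls(ingress):
    """Copy of a manifest with spec.tls removed, to show the check failing."""
    stripped = copy.deepcopy(ingress)
    stripped["spec"].pop("tls", None)
    return stripped


if __name__ == "__main__":
    print("demo manifest:", check_ingress(CAFE_INGRESS) or "OK")
    print("without TLS:", check_ingress(without_tls(CAFE_INGRESS)))
```

The checks are deliberately strict about the host: a rule with no `host` applies to every Host header, which is rarely what a path-routing demo intends, and a host missing from `spec.tls` would be served in plaintext by the controller.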
20. Try it out
● NGINX Ingress Controller https://github.com/nginxinc/kubernetes-ingress/
● Examples https://github.com/nginxinc/kubernetes-ingress/tree/master/examples-of-custom-resources
● Testing the Performance of the NGINX Ingress Controller for Kubernetes https://www.nginx.com/blog/testing-performance-nginx-ingress-controller-kubernetes/
● Release 1.8.0 blog post https://www.nginx.com/blog/announcing-nginx-ingress-controller-for-kubernetes-release-1-8-0/
22. YoY Increase in CVEs
[Chart: YoY Increase in CVEs, 2010–2019; y-axis 0 to 16000. Note: Excludes any rejections or disputes.]
New vulnerabilities are discovered in all manner of software all the time
They are exploited by both malicious bots and human attackers
Do you know how many affect your application stack(s)?
Can you keep up with the pace of published vulnerabilities?
Do you want to?
23. How do you protect apps?
Active attacks
Vulnerabilities
Risk and address compliance
24. NGINX App Protect
Strong App Security
Built for Modern Apps
CI/CD Friendly
25. Declarative Policy Helps CI/CD Motion
INFRASTRUCTURE AND SECURITY AS CODE
Source Code Repository: application code/config for App X; security policy/config for App X
CI/CD Pipeline Tool: pipeline for build/test/deploy of App X
IT Automation: Ansible playbook for deployment of App X with its app services
Owned by SecOps / Operated by DevOps
{
  "entityChanges": {
    "type": "explicit"
  },
  "entity": {
    "name": "bak"
  },
  "entityKind": "tm:asm:policies:filetypes:filetypestate",
  "action": "delete",
  "description": "Delete Disallowed File Type"
}
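Because the policy change above lives in the source repository next to the application, the pipeline can gate it like any other code. The script below is an added example, not code from the slides or from F5/NGINX: it validates change records of the shape shown (the `entityKind`, `action`, `entityChanges.type` and `entity.name` keys are taken from the slide), applies a batch of them to an in-memory copy of the disallowed-file-type list, and reports errors the pipeline should fail on. The `add` action, the baseline list and the "never leave the list empty" rule are this example's own assumptions.

```python
"""CI gate for declarative WAF policy changes.

Added example, not code from the slides or from F5/NGINX. It treats
policy-change records like the one on the slide (entityKind
"tm:asm:policies:filetypes:filetypestate", action "delete", explicit entity
"bak") as security-as-code committed by SecOps alongside the app, and shows
what a pipeline step can check before deployment. The "add" action, the
baseline list and the empty-list rule are this example's assumptions.
"""

FILETYPE_KIND = "tm:asm:policies:filetypes:filetypestate"
REQUIRED_KEYS = {"entityChanges", "entity", "entityKind", "action"}
SUPPORTED_ACTIONS = {"add", "delete"}  # "add" is assumed for illustration

# Constructed baseline: extensions the policy currently treats as disallowed.
BASELINE_DISALLOWED = ["bak", "bat", "cfg", "ini", "old"]

# The change record from the slide.
SLIDE_CHANGE = {
    "entityChanges": {"type": "explicit"},
    "entity": {"name": "bak"},
    "entityKind": FILETYPE_KIND,
    "action": "delete",
    "description": "Delete Disallowed File Type",
}


def validate_change(change):
    """Return validation errors for one change record (empty list if valid)."""
    errors = []
    missing = REQUIRED_KEYS - set(change)
    if missing:
        return [f"missing keys: {sorted(missing)}"]
    if change["entityKind"] != FILETYPE_KIND:
        errors.append(f"unsupported entityKind {change['entityKind']!r}")
    if change["action"] not in SUPPORTED_ACTIONS:
        errors.append(f"unsupported action {change['action']!r}")
    if change["entityChanges"].get("type") != "explicit":
        errors.append("only explicit entity changes pass this gate")
    name = change["entity"].get("name", "")
    if not name or not name.isalnum():
        errors.append(f"entity name {name!r} is not a bare file extension")
    return errors


def gate(disallowed, changes):
    """Apply a change set to a copy of the disallowed list.

    Returns (new_list, errors). When errors is non-empty, new_list is None
    and the pipeline should stop before deploying the policy.
    """
    result = list(disallowed)
    errors = []
    for index, change in enumerate(changes):
        label = f"change {index} ({change.get('description', 'no description')})"
        problems = validate_change(change)
        if problems:
            errors.extend(f"{label}: {p}" for p in problems)
            continue
        name = change["entity"]["name"]
        if change["action"] == "delete":
            if name not in result:
                errors.append(f"{label}: {name!r} is not currently disallowed")
            else:
                result.remove(name)
        elif name not in result:
            result.append(name)
    if not errors and not result:
        errors.append("change set would leave no disallowed file types")
    return (None, errors) if errors else (result, [])


if __name__ == "__main__":
    print(gate(BASELINE_DISALLOWED, [SLIDE_CHANGE]))
    print(gate(BASELINE_DISALLOWED, [{"action": "delete"}]))
```

Applying the slide's change to the constructed baseline removes `bak` and leaves the other four extensions; a record missing its keys, or a change set that would empty the list, returns errors instead of a new list, which is the signal a pipeline stage turns into a failed build.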
26. Deployment options
27. Kubernetes adds several more locations to deploy Application Services
Four locations to deploy Application Services:
• Edge: External load balancers and proxies
• Ingress Controller: Entry-point into Kubernetes
• Per-Service Proxy: Interior service proxy tier
• Per-Pod Proxy: Proxy embedded in pod
Diagram labels: Edge (API Gateway, Load Balancer, App Security); Ingress Controller; Per-Service proxy; Per-Pod proxy; pods
Standard App Protect NGINX-Proxy deployment
29. INSTALL NGINX APP PROTECT
Demo Setup
10.1.1.4 Artifactory (App Protect)
10.1.1.7 Clean CentOS
10.1.1.5 App (8080)
Host: Install NGINX App Protect on NGINX+ @10.1.1.7 (VM)
31. Ansible Role Demo
RAPID, CONSISTENT DEPLOYMENT AND PROTECTION
Diagram labels: Cloud; five Linux hosts, each running NGINX+ with NGINX App Protect; Ansible; OWASP ZAP
32. Questions?
33. NGINX Sprint 2020
September 15-17, 2020
VIRTUAL EVENT
Sprint is a three-day virtual event designed to inspire and engage developers, architects, and operators looking to use NGINX technologies to develop and deliver modern applications at scale.
www.nginx.com/events/nginx-sprint-2020
GOALS
• Introduce solutions and evolution of NGINX.
• Engage with the NGINX community and users.
• Attract 1,500 live attendees/day.
34. Sprint Agenda
Day One: Keynotes
SEPTEMBER 15
Duration: 2 hours
Pre-recorded and streamed “live”
• Provide thought leadership, roadmap review, and announce new solutions
• Invite external influencers and maybe customers to present
• Engage audience with post-keynote analysis from Tech Field Day
Day Two: Demos
SEPTEMBER 16
Duration: 1.5 hours
Live, interactive session
• Provide 6-7 short demos showing off NGINX and F5 products
• Have demos build on each other, creating a single app by the end
• Use delegates from Tech Field Day as audience proxy
Day Three: Hackathon
SEPTEMBER 17
Duration: 2-3 hours
Live streamed session
• Have teams present ideas and prototypes
• Judge and award winners
35. Thank You!