In this post in our series on F5’s application services, we’re looking at how F5, and specifically NGINX, helps application development and DevOps teams with features like the NGINX Ingress Controller and NGINX App Protect.
This is post 2 of 4 in the Amazic World series sponsored by F5: 1. F5: from Code to Customer 2. Containers and CI/CD 3. Multi-cloud 4. Security & Data Centers
With its acquisition of NGINX, the high-performance load balancer, web server and reverse proxy, F5 is uniquely positioned to support application development and DevOps teams.
As developers embrace cloud services, cloud-native architectures and microservice approaches, the way infrastructure components like load balancers and web servers are consumed changes drastically.
Application-centric means self-service infrastructure components
The key change is who is in the lead. More traditional IT Operations teams ‘own’ the infrastructure components and configure them using a strict change management process. Each subsequent set of changes is subject to that same stringent process. While these processes meant it took some time before changes were actually made, the frequency of changes often wasn’t high enough to warrant fundamental change to these service management processes.
But as the public cloud changed the self-service and on-demand aspects of infrastructure consumption, so did the expectations. Developers and DevOps (or Cloud Platform) teams started to expect self-service abilities for infrastructure components, and expect these to be available on-demand, without long waiting times.
Containers, not VMs
Like most other humans, developers do not like to wait or be dependent on others. One of the major technical shifts in public cloud resources was the shift from physical and virtual machines to container-based workloads, which enabled developers to build the infrastructure stacks they needed to run their applications themselves, without requiring IT Ops to provision the right VMs, configure the networking, apply the right firewall settings, and more.
And public cloud gave them this flexibility. Teams could now consume infrastructure resources, without waiting for change management approval, and build the infrastructure they needed for their application(s) specifically. This allowed them to quickly modernize application stacks and use containers as the basis for their application stacks.
By leveraging Infrastructure-as-Code and automatic build, configuration and testing pipelines (also known as CI/CD pipelines), teams would automatically provision, re-configure and decommission cloud resources as needed.
Unfortunately, this also led to some loss of visibility from an IT perspective, as many teams were flying solo, re-inventing the wheel, forgetting to implement security best practices, or otherwise not optimizing their usage of cloud infrastructure, leading to cost increases, complexity and duplication of effort and resources across the organization.
Enter DevSecOps with NGINX App Protect
The DevSecOps movement aims to ‘shift security left’, a way to insert security best practices early into application development processes, without delaying development teams, while maintaining security compliance.
For F5, there are a few important ways to support the DevSecOps movement. For developers, the most directly tangible way is NGINX, the default choice for web servers, load balancing and ingress control (or reverse proxy). By adding security features to NGINX, F5 helps development teams ‘do’ DevSecOps by integrating security into their pipelines and increasing their security posture from code to customer.
A great example of F5’s commitment to add security features to NGINX is App Protect. App Protect is an application-focused security solution, which means developers can easily integrate it into their workflows to get high-performing and scalable security, protecting against application-level attacks, like data theft. App Protect is based on F5’s proven Web Application Firewall (or WAF), which enables consistent app security controls for web applications, microservices, containers and APIs.
Security for Containers with NGINX Ingress Controller for Kubernetes
Recently, F5 made NGINX available as an ingress controller (see F5’s website for more info) for Kubernetes-based container deployments.
The NGINX Ingress Controller for Kubernetes is a production-grade application delivery controller for Kubernetes, giving developers immediate access to a slew of security features, including load balancing, SSL/TLS termination, session persistence and JSON Web Token (JWT) authentication.
The controller also integrates with App Protect, which means the WAF sits inside the Kubernetes cluster, so that security teams can enforce security policies closer to the app without delaying the dev team’s delivery.
The controller enables central management and re-usability of traffic management configuration across many different applications and different teams, further increasing visibility and improving the security posture.
Security at scale with Aspen Mesh
Scaling microservices in production is non-trivial. Without the right tooling, maintaining security at scale is nearly impossible. Service Meshes like Istio aim to solve these issues for Kubernetes-based microservices architectures.
Aspen Mesh, built on Istio, is an enterprise-grade distribution that helps organizations maintain operational control over their ever-evolving microservices landscape, delivering features for resilience like circuit-breakers, zero-trust security management and more.
Summary
In summary, F5 is on a journey to deliver security features for container-based workloads and to support the DevSecOps way of working.
By delivering solutions at every step of that journey, customers can take full advantage of F5’s application delivery and security solutions for container-based workloads.