[51CTO.com original article]

Expert introduction: Wu Jingtao, Chief Technology Officer of F5 Greater China. In 1999, he entered the field of load balancing, the predecessor of application delivery, and joined F5 Networks in 2002. He offers his own insights on agile deployment from the perspective of system architecture. The technologies involved include application high availability, optimization, and application security protection. He has a deep understanding and command of new Internet technologies.

How should application delivery develop in the future technological era?

In the past, major customers in the financial and telecommunications industries were very happy to choose F5's active-active data center solution, because it could quickly transform a disaster recovery center into an active-active data center that could be used simultaneously, doubling the return on investment. As the times change, these customers are beginning to look for a new balance between public cloud, private cloud and hybrid cloud construction. Some customers already have a very good active-active data center, but they also want to add a public cloud. As we all know, the environments of the data center and the public cloud are different, and so are the operation methods. Take the security policy of application delivery as an example: the operation methods of different public clouds are inconsistent. So how can we ensure that the customer's own active-active data center, the public cloud, and even different clouds all follow a completely consistent application delivery strategy?
This problem confuses many customers and is also one of the directions F5 is working towards. F5 hopes to help enterprise customers solve this most direct challenge in an environment full of new technologies. F5 believes that the first step is for customers to enjoy better application delivery services for the north-south traffic of traditional data centers; the second step is to better schedule east-west traffic between applications in different cloud environments. This involves many aspects of collaboration, such as how to implement DevOps operations on the same platform, how to achieve delivery and scheduling on the same platform, how to optimize for external mobile Internet users, how to resolve new security risks, and how to provide programmable anti-counterfeiting protection at the application level or even the API level. This will be a stage of exploration, research and development, and output.

When north-south traffic enters the active-active data center...

When north-south traffic reaches the customer's active-active data center from the external user end, what kind of application delivery technology should the user adopt? F5 has recently made significant improvements to the hardware performance of the entire platform. In the past, F5 would improve platform performance every two or three years to keep up with the development of the industry. BIG-IP's 2000 series will gradually withdraw from the market. The new generation of platforms is the i2600 and i4600 series based on the X600 template. The biggest feature of this series is that performance has doubled without any change in price. F5's product performance has always led the application delivery market. Now the country is once again advocating upgrades to customer access bandwidth. As more and more bandwidth is accessed, customers' data centers will inevitably require greater throughput.
Therefore, F5 launched the next generation of high-performance platforms in a timely manner during this period, which can provide a better application delivery service for north-south traffic.

In addition to the need for better performance, the application environment has also changed greatly. Most applications are no longer a simple environment of WEB, APP, and DB. For example, when a user accesses the application, the request may first pass through a login authentication gateway, and may also involve a GPS positioning gateway and a payment gateway. Many applications are complex environments composed of API interfaces. Traditional load balancing or application delivery capabilities can no longer meet actual needs. F5's idea is to deliver east-west traffic in the form of virtual machines in the Docker environment while the various API interfaces are being called in the cloud. This is a brand-new architecture that will play a very important role in private and public clouds, especially in Docker and DevOps environments.

How to schedule on the same platform?

There is a common phenomenon in daily life: when people open a mobile app and walk from the office to the parking lot, the network changes from Wi-Fi to ordinary 4G. Obviously, the source address of the phone's network access will change. So when the client's source IP address changes while the data center is serving it, will the system conclude that this is no longer the same person and interrupt the application service, then require the customer to log in again for authentication? Customers will definitely not accept this approach. So how should it be handled? F5 has a very good solution: during the transition between active-active data centers and the cloud, F5 can assign a DCID to the client after the first login authentication.
No matter how the access environment changes, as long as the DCID remains unchanged, the system can quickly determine the user's entire service link, so that services can continue to be provided at the original address and user applications are not interrupted. There is no doubt that this is a technology that must be implemented in multi-cloud scheduling, and it is also a question customers often ask when F5 promotes the same-platform service. F5's vision is to enable customers' applications in data centers and different cloud environments to be scheduled on a unified platform, with each scheduling operation invoked directly through the API interface instead of through the previous manual configuration.

How to optimize mobile applications?

Nowadays, the usage rate of apps is increasing. Mobile banking has come to account for half of online banking customer visits in just a few years, and this proportion is still rising. The increasing usage rate of apps also means that optimization for mobile users is becoming a very important issue. In the course of application monitoring in the data center, F5 once found that customer access could look completely normal from the perspective of data center operation and maintenance while the data center was in fact constantly receiving complaints from mobile users. This obviously gives users a very bad experience. F5 believes that in building a new platform that is truly user-centric, every user is very important, so mobile optimization needs to be more reasonable and universal. Take a bank customer as an example. The bank's external network accesses the Internet through more than a dozen lines from different operators. The operators' BGP routing is adjusted every two weeks, which may leave some customers with a tortuous link to the network.
Some users in Shanxi have to route through a Japanese address to connect back to the data center, which is slow and gives a very poor experience. To solve this problem, F5 can make quasi-dynamic adjustments every two weeks or every month based on actual user needs to match the real changes in the external network. In this way, the real-time experience of external network users can be improved without increasing bandwidth costs. This is what F5 has done to optimize user experience.

Programmable on-site confrontation brings a higher level of security protection

F5 is currently the manufacturer with the highest shipment volume of application security firewalls in the world. In the past few years, F5 has invested more and more in application security. So how does F5 help customers in the field of application security?

First, let's look at APIs and Serverless (serverless architecture). In the past two or three months, Serverless has become very popular. It makes it possible to break applications down into more and more components and modules, which call each other to form the final application service. These modules were originally used for internal scheduling and were built without security considerations. However, when these APIs are packaged to provide services externally, they may be subject to security attacks and abnormal traffic. So how should we protect APIs? What customers really need is to use programming to reinforce the security of applications at the user site. It is unlikely that each API can be developed and reinforced on its own. A more feasible method is to use a programmable adversarial system to provide application security protection, link management, and reinforcement services based on application characteristics and actual API needs. This is exactly F5's strength.
In terms of programmability, on-site processing, and application coordination, F5 can build a complete API security protection system to ensure the security of applications.

Most of the conventional security solutions on the market, whether firewalls, IPS, IDS, ICS, or WAF, can only prevent fixed, characteristic, or known attacks and abnormal traffic. Suppose a 10G traffic attack contains DDoS attacks, RST attacks, or semi-connection attacks, and, for example, there are 5,000 accesses on a specific link of which one is unknown attack traffic: almost no security product can protect effectively against it. F5 believes that most current situational awareness systems do very good data collection and analysis, but that controlling the business traffic of the live network and controlling application routing is in fact a process of using the API interface to let the device perform on-site confrontation in a programmable way. Programmable on-site confrontation is precisely one of F5's greater advantages in security protection.

F5 has now officially changed the name of its Application Delivery Controller to Integrated Application Service, a new concept of fully integrated application services, hoping to help large enterprise customers in their future development, especially in delivery services, so that they can proceed without worries and support their business more quickly.

[51CTO original article, please indicate the original author and source as 51CTO.com when reprinting on partner sites]