Three Scenarios where Policy Consistency is Beneficial

Tom Atkins
Published August 01, 2019

Wasn’t cloud supposed to be simple?

When dealing with a single cloud the answer is typically a resounding Yes. The caveat, however, is that most organizations these days aren’t utilizing a single cloud (as F5’s 2019 SOAS Report states) but are in fact using an amalgamation of multiple public and private providers. The adoption of multiple clouds adds operational complexity as each one introduces its own unique set of infrastructure, services, and tools, as well as differences in interfaces and terminology. The key to simplifying multi-cloud architectures is to standardize elements wherever possible. By employing tools that can be used across environments, much of this complexity is abstracted away as you move from a cloud-specific to a cloud-agnostic service portfolio.

One of the many benefits of using F5 in a multi-cloud architecture is the ability to easily reuse and replicate application service policies across platforms, owing to the consistent nature of F5 services across environments. Let’s take a closer look at a selection of situations where using consistent policies across clouds can benefit your organization.

1) Patch Multi-Cloud Security Vulnerabilities Quickly

Consider a scenario where you have applications using common frameworks and libraries running across AWS, Azure, and in your on-premises data center. Because security is important to your business, you have deployed web application firewalls (WAFs) in front of each application. If you have used a combination of the cloud-native services with your chosen data center vendor, each location is now protected by a different web application firewall with different policy implementations, tools, and processes. And when the inevitable vulnerability is discovered in one of the components, what do you do?

Since you’ve taken the cloud-specific approach to multi-cloud security, a resolution would likely entail examining each WAF policy individually and conjuring up a unique patch for each, which isn’t exactly the quickest or simplest of tasks. Had you taken the cloud-agnostic approach, however, and provisioned an F5 WAF in each environment, then you’d have only had to modify a single policy that spanned all WAF instances. You’d also have the ability to automatically push that updated policy out from a centralized console to each instance via an API call or at the click of a button, saving yourself a considerable amount of that precious resource we call time.

Additionally, once that policy has been approved for use by your security team it can be stored as a template within a BIG-IQ policy catalog. From here, DevOps or App teams can quickly pull this pre-authorized policy into their CI/CD pipelines via an API call to streamline their end-to-end app deployment. This way, SecOps can sleep easy in the knowledge that the most current security policies are enforced for all apps (both new and existing), and the application deployment process is accelerated.

2) Evolve Seamlessly

Quiz corporations about their long-term cloud strategy and responses are typically marred by an air of uncertainty as the rate of cloud innovation makes confident forecasting difficult. Most have a good idea of what cloud(s) they’ll use or plan to use, but with the continual evolution of platforms and services nobody can guarantee that the best cloud for their app today will be the best cloud for their app tomorrow. Perhaps an innovative new cloud service might force a migration of apps, or a cost analysis might reveal that another provider could dramatically reduce expenditure. Maybe a change in IT leadership might cause a U-turn in cloud strategy? With all this uncertainty it’s important to future-proof your investments to de-risk adopting new clouds or infrastructures.

As with our security scenario, consistency can help. F5 application services are fundamentally identical across platforms. This is critical if you do find yourself migrating from one cloud to another, or from your data center to the cloud, as you can essentially replicate and reuse all of your existing service policies, iRules, and instance configurations across environments. This can likely save you considerable time and drastically ease your migration. But don’t just take our word for it: both Gold Digest Online and the Alberta Motor Association found this to be incredibly beneficial as they simplified their transition to AWS by taking existing F5 services and policies with them.

3) Enhance Disaster Recovery

Both private data centers and commercial cloud providers occasionally fall short, with hardware failures, power loss, and security breaches the usual culprits. This causes many to implement back-up disaster recovery sites not just in alternative locations but with alternative vendors to ensure their mission- and business-critical applications remain available. When these DR sites are called into action, it is essential that the experience of application users is not impacted.

With F5, not only can the failover of application requests from primary to DR sites occur seamlessly by utilizing an active/standby HA configuration, but with advanced and consistent services across environments, the user experience remains unchanged. Utilizing F5’s configuration sync functionality ensures that any changes made to primary BIG-IP devices can be continually propagated out to the entire device group, inclusive of those in the DR region. Everything from iRules and profiles to SSL certificates and virtual IPs can be synchronized across environments to ensure business continuity despite system outages.