German Service Provider Secures Network Services with F5 and NGINX

SysEleven achieves high availability, performance, security and scalability

Founded in 2007, Berlin-based service provider SysEleven GmbH employs more than 100 people and provides premium cloud services to some of Germany’s largest companies. Offering fully virtualized, robust cloud platforms, SysEleven has been a member of the Cloud Native Computing Foundation (CNCF) and a certified Kubernetes provider since 2018.

SysEleven provides a vertical technology stack for its services, including managed cloud services, an OpenStack public cloud, Kubernetes-as-a-service as well as network and carrier services on request, exclusively in German data centers. The company offers its customers more than just server capacity. With a broad, adaptive approach, the company analyzes its customers' application settings and finds the optimal solution for performance, profitability and stability.

"We aim to be a top-notch player in the field of application continuity and cloud adoption. To help our customers win, we set our company apart from most managed service providers by providing a vertical integration of all application layers. Whether the customer needs a fully managed cloud platform, Infrastructure-as-a-service, Kubernetes-as-a-service or internet access, they'll receive the highest level of quality and personal support. Our customers have the freedom to choose their own infrastructure, from our own cloud and Kubernetes platforms to third party platforms like AWS or Azure.

We currently manage around 6,000 virtual environments for our customers. Utilizing our NEO method (Navigate – Educate – Operate) we stand by our customers for service consulting and design, training of admins and developers, all the way up to fully managed services," said Marc Korthaus, CEO at SysEleven GmbH.

SysEleven uses solutions from F5 Networks and NGINX to offer versatile and robust cloud services. This enables the Berlin-based company to use services both for its own applications and for customer applications with the best possible functions for load balancing and security.

The Challenge

As a cloud partner and managed service provider, high availability and stability are crucial to competing in the market. The success of its customers rests on SysEleven's ability to provide a versatile and robust cloud service.

"Our customers trust that new setups will be up and running quickly and efficiently - with timely fine-tuning, troubleshooting and maintenance," explains Jens Plogsties, Head of Infrastructure. "They rely on the stability of our services and on our flexible support. We offer each customer a unique, isolated setup with a dedicated load balancer. This can only be achieved with powerful and highly scalable solutions."

Because SysEleven's solutions support customer installations of up to 6,000 virtual hosts, they must be highly scalable and adaptable to ensure the highest standards of speed and reliability while keeping any service disruptions to an absolute minimum.

One of the challenges the company faces is managing large spikes in customer web traffic that typically results from TV or newsletter advertising. SysEleven's cloud environments must be robust and flexible enough to handle these traffic peaks to avoid any outages that may result in lost revenue or damage to their customer’s reputation. 

The Solution

As customer requirements continue to grow, SysEleven needed to update its infrastructure to meet their needs. The original open source NGINX platform was enhanced with NGINX Plus to provide more opportunities for customer service and greater control over incoming requests to the cloud environment. This solution is primarily used in the areas of load balancing, Kubernetes ingress, containers and security. In addition, SysEleven now uses F5 BIG-IP i5800 clusters with the LTM (Local Traffic Manager) module for load balancing and ASM (Application Security Manager) as a web application firewall for customers with high security requirements for web applications. SysEleven uses some virtual F5 instances with firewalls for testing and development. In addition, the company operates many internal and external services on F5 Application Delivery Controllers.

To prevent service issues for its customers, SysEleven leverages a load balancing gateway solution with F5 and NGINX to receive the incoming traffic. The stability and flexibility that accompanies this component of the cloud infrastructure has allowed the service provider to maintain the trust of its customers ad steadily grow the business over time.

"We have been successfully using NGINX and F5 for many years now," said Simon Pearce, Product Owner at SysEleven. "NGINX plays a major role in our infrastructure. We use the NGINX Ingress Controller throughout our cloud platform and our Kubernetes managed service MetaKube. NGINX also serves as a load balancer and reverse proxy in many virtual environments. In addition, the F5 application security module (ASM) allows us to secure customer applications with a comprehensive ruleset that is tailor made for the specific application. F5 is also used for all geo-redundant setups that require high performance, encryption functionality and scalability. With a seamless failover, the standby controller takes over the active role without any interruptions. In the event of a failure, customers are almost completely unaware when requests are transferred to another appliance. Depending on the customer's needs, we use either NGINX or F5, or both, in combination. Having a reliable load balancing solution is key for our clients and engineers."

F5 serves primarily as a load balancer for pure HTTP solutions and protocols. However, these make up the most important and business-critical customer applications and services that require the highest level of reliability and security. To guarantee this level of service, SysEleven uses dynamic routing with F5 clusters as well as the Border Gateway Protocol (BGP) used on the Internet. In active mode, BGP resources can be moved between the clusters. This offers extremely high flexibility, as SysEleven uses BGP for all solutions connected to the network.

"For example, if a customer is attacked, we can provide them with their own cluster node," says Vincentz Petzholz, Teamload Network at SysEleven. "On the one hand, this ensures that there is no collateral damage for other customers because the problematic traffic is isolated. On the other hand, the affected customer has considerably more performance at his disposal to defend against the attack because he can use his own hardware for a certain period of time. I've only seen this function with F5 so far."

Every SysEleven data center now has at least one F5 i5800 cluster pair. The company has two main data centers and around a dozen pure network sites, which normally handle traffic of around 100 GB - depending on the time of day. For security-relevant incidents such as DDoS attacks, the F5 nodes are connected to the network with 80 or 160 GB. This provides SysEleven customers with a large amount of scalability in terms of performance.

The company can route any traffic at almost any IP address to the F5 clusters. This also applies to backend structures that do not have to stand behind the F5 network topology, but can be located anywhere in the network. SysEleven can dynamically switch services to the F5 clusters at any time and also forward them to other data centers if required, since the infrastructure is the same in all data centers. In addition, an IP address can be used at several clusters at different locations simultaneously with load balancing (also known as “Anycast”).

The Results

High Availability

With the combination of the current F5 and NGINX solutions, SysEleven offers its customers high performance requirements for customer's virtual services and the scalability to manage high traffic fluctuations. In addition, it offers the greatest possible availability for customers with high per-hour revenue loss in the event of a breakdown.

"The parallel use of both load balancer solutions has always had a complementary effect for us," said Vincentz Petzholz. "It enables us to not only offer optimum solutions for customers in every price category., but it also allows us to combine the advantages of both solutions. For example, we partially position the easily automated NGINX instances for caching behind the powerful F5 load balancers."

Increased Security

A great strength of F5 is the high level of security provided by the Web Application Firewall (WAF).

"Only a few solutions can draw on such a large pool of signatures and mechanisms," explained Petzholz. "More and more customers are using the Web Application Firewall in addition to LTM. After all, there is a growing need to control which content flows through the load balancer. The maturity of the WAF is very high; administrators can tailor the solution to the individual needs of the customers, because a high-quality security solution such as a web application firewall naturally requires a lot of adjustment effort. This makes it easier to leverage F5."

Foundation for the Future

In addition, WAF functionalities from F5 will be integrated into NGINX Security in the future due to the recent acquisition of NGINX by F5. Both solutions will be further developed in a targeted and continuous manner. SysEleven also plans to leverage F5's integration with BGP.

"The F5 solution offers numerous other advantages: These include the very simple management with which instances can be moved back and forth," said Jens Plogsties. "F5 Clusternodes can go offline due to maintenance or other reasons - without the users even feeling it. F5 enables extremely fast deployment because there are no Layer 2 networks or other dependencies. In addition, we can simply upscale F5, in principle to infinity. The performance exceeds that of several normal commodity servers. So F5 is able to handle loads that no other system can handle.

A further integration with the F5 Container Ingress Service (CIS) is in the test phase. This is about seamlessly integrating existing environments into the new, dynamic container infrastructure. The implementation with SysEleven and F5 has left a positive impression; the good performance, the protocol diversity (UDP) and a good connection to traditional systems have convinced us. A simple integration per default config and F5s commitment to OpenSource, plus the strategic orientation to DevOps topics, as well as the support for Kubernetes questions are particularly noteworthy. This overall portfolio of container natives (NGINX), data center-centric (F5 BIG-IP) application services, including the security value-added services, such as a web application firewall, allow us to recognize an overall vision and thus look positively into the future."