Enhancing F5 SSL Orchestrator deployments in the public cloud with Aviatrix

Aviatrix logo

CHALLENGES

  • Security inspections must be comprehensive and consistent across all applications throughout a multi-cloud deployment
  • Achieving comprehensive coverage with security virtual appliances can require time-consuming, manual configuration of large numbers of VPC routing tables
  • Most network traffic is encrypted; de-encrypting it for inspection requires a lot of computational power

BENEFITS

  • A comprehensive view across multi-cloud deployments helps ease management and configuration workloads, enables consistent security policy
  • Aviatrix intelligent routing eliminates manual routing table changes
  • Advanced F5 SSL Orchestrator decryption capabilities ensure that threats don’t hide within encrypted traffic
  • High-performance, inter-VPC connectivity enables greater scalability for F5 SSL Orchestrator and other security elements

As enterprises move mission-critical workloads to the public cloud, it is important that they can establish the same level of security as they had previously enjoyed with on-premises deployments. 

Organizations need to protect critical assets from threats that originate both outside and inside the corporate environment. Given that most of today’s network traffic is encrypted—and given that decrypting and re-encrypting traffic is computationally intensive—it makes sense to decrypt traffic once and then route the unencrypted traffic through one or more security inspection controls.

What is F5 SSL Orchestrator?

To solve specific security challenges, IT administrators typically will create a dynamic service chain linking multiple point products to create a comprehensive security stack.

F5 SSL Orchestrator is an F5 BIG-IP module that implements policy-based orchestration to enable cost-effective visibility across the full security chain for any network topology, device, or application. F5 SSL Orchestrator enables a customer to decrypt traffic once and pass it through one or more security devices before re-encrypting and forwarding to the original destination.

This method of using policies to automate traffic steering, reduces administrative costs and enables the IT operator to gain more value from investments already made in security services.

F5 SSL Orchestrator provides high-performance decryption of inbound and outbound SSL/TLS traffic, enabling security inspection to expose threats and stop attacks. Dynamic service chaining and policy-based traffic steering allow organizations to intelligently manage encrypted traffic flows across the entire security chain with optimal availability.

SSL Orchestrator ensures encrypted traffic can be decrypted, inspected by security controls, then re-encrypted, delivering enhanced visibility to mitigate threats traversing the network. As a result, organizations maximize their security services investment for malware, data loss prevention (DLP), ransomware, and next-generation firewalls (NGFW), thereby preventing inbound and outbound threats, including exploitation, callback, and data exfiltration.

An example SSL Orchestrator service chain with 3 inspection devices:

SSLO diagram

Transparent insertion of F5 SSL Orchestrator

While more and more companies have increasing network and application security concerns, they also want to implement stronger security in a way that is transparent to their users.  Transparent means that application access isn’t disrupted by security services, but the traffic is still being inspected for threats.  If no threats are found, application access continues normally.  However, if threats are found, access to the application can still be blocked if desired.

On-premises environments offer you control at every layer, from hypervisor to physical routers, firewalls, advanced services appliances and so forth. You can define layers, zones and route traffic thru them as you like. 

However, in the public cloud, the same rich set of networking capabilities may not be present, and this makes inserting F5 SSL Orchestrator transparently in the traffic flow more complex. It can be done, but depending on the architecture, it may require manually creating and managing a set of routing table rules.

Manual route table updates are difficult to deploy and maintain. Any change in your cloud environment (new VPCs/VNets or route updates for proper network segmentation) or on-premises (route updates from on-premises router) creates several extra manual steps in administration and introduces human error risk. In order to scale, you must automate this process.

What is Aviatrix?

The process of manually maintaining public cloud route tables can be difficult, tedious, and susceptible to human error—making it the ideal candidate for automation. This automation is provided by Aviatrix, which dramatically simplifies VPC-to-VPC, VNet-to-VNet, and even cloud-to-cloud “plumbing” at large scale.

The Aviatrix cloud network platform delivers the advanced networking, security and operational visibility services required by enterprises, while maintaining the simplicity and automation of cloud.

Aviatrix implements a hub and spoke model where the Aviatrix Transit Gateway is the hub and Aviatrix gateways deployed in a VPC/VNet are the spokes.  When the spoke gateways connect to the Aviatrix Transit Gateway, they establish and maintain an encrypted tunnel.  The Aviatrix Transit Gateway then provides transparent service insertion as needed for any traffic.

The Aviatrix gateways manage traffic as it enters and exits to and from a VPC/VNet. Aviatrix can be deployed in AWS, Azure, Google Cloud and Oracle Cloud.

How Aviatrix simplifies F5 SSL Orchestrator integrations

Defining the potentially complex routing needed to transparently insert F5 SSL Orchestrator into the traffic flow can be very challenging. Moreover, as the environment changes, these routing tables will need to be updated.

Aviatrix understands and leverages the public cloud API infrastructure and can dynamically define and adjust the routing tables as needed.

Aviatrix Firewall Network (FireNet) combines the intelligent orchestration and automation provided by the Aviatrix Controller with advanced Aviatrix Transit capabilities to significantly simplify transparent insertion of F5 SSL Orchestrator into the traffic flow. The combined solution eliminates the need for administrators to manually propagate routes and update routing tables when changes are made to the environment.

Additionally, since SSL Orchestrator takes on all SSL/TLS de-encryption and re-encryption that would otherwise be done by security inspection devices, performance improves for those devices as well.  For high availability, Aviatrix provides scaling active / active F5 SSL Orchestrators across availability zones. Aviatrix further contributes to overall security effectiveness by preserving source IP addresses that are critical to security policy enforcement.    

To transparently insert F5 SSL Orchestrator into the flow of traffic between two VPC/VNets, put one of the Aviatrix spoke gateways into an Aviatrix inspection policy. Behind the scenes, Aviatrix updates the routing table to ensure that the traffic from the source is transparently routed first to F5 SSL Orchestrator.

F5 SSL Orchestrator will select the appropriate service chain based on defined policy and will route the traffic through one or more security inspection services. Assuming none of the services in the chain block the traffic, F5 SSL Orchestrator forwards the traffic to the original destination.

As this graphic illustrates, due to an Aviatrix inspection policy, traffic (red line) from the Dev VPC is first routed to F5 SSL Orchestrator and the service chain before reaching the QA VPC.

Aviatrix inspection

Summary

This joint F5 and Aviatrix solution provides users all the power and flexibility that SSL Orchestrator is known for, but without the hassle – and risk – of manually updating routing tables to reflect every change to the entire VPC environment. Aviatrix handles all the multi-cloud complexity so that network operators don’t have to. 

By combining the rich public cloud networking capabilities of Aviatrix with the industry leading traffic management features of F5 BIG-IP, customers can easily, and transparently, insert F5 SSL Orchestrator into the traffic flow without having to maintain a complex set of routing rules while still satisfying the need for security without losing performance and agility.

Learn more

SSL Orchestrator (product page) 

Dynamic Service Chaining with F5 SSL Orchestrator (solution overview) 

Your SSL Secrets Uncovered—Get Started with SSL-Orchestrator (DevCentral) 

Aviatrix Transit

Aviatrix Firewall Network for Security Service Chaining and Insertion

Aviatrix Transit FireNet FAQ