The objective of this article is to provide technical details on remote file access from remote offices to centralized enterprise volumes hosted in Azure through Azure NetApp Files (ANF), using Network-Attached Storage (NAS) protocols such as NFS.
Azure NetApp Files, built on NetApp technology, allows file-based applications to benefit from the scale, agility and economics of public cloud. F5 is a technology company specializing in application security, multi-cloud management, and application delivery networking (ADN). F5 Distributed Cloud connects, protects, and deploys apps across clouds, on-prem networks and co-location centres, accelerating time-to-service, lowering TCO, and increasing security efficacy with a cloud-native platform. The combination of the solutions lets customers gain greater, secure control and access of their corporate data from the locations of their choice.
Architecture
Customer locations are securely connected with an Azure VNET belonging to their organization. The secure interconnection is provided by F5 XC through CE virtual or physical appliances deployed on-prem and a virtual appliance in the VNET. The interconnectivity is instantiated through dual IPSec or SSL tunnels auto attached to the global fabric maintained by F5 XC. A delegated subnet in the customer VNET is provided for access to ANF volumes, using protocols such as NFS or SMB. Interconnectivity is achieved by having the inside CE interfaces in both customer locations and the VNET join an XC virtual network, thus restricting access to members only. A sample diagram of a remote office securely accessing ANF volumes is as follows.
Workflow
- The Azure Resource Group (RG) and the virtual network (VNET) it contains are created through methods such as the F5 XC User Interface (UI) deployment wizard, the Terraform offered by XC, or manually through the Azure portal.
- The F5 Azure CE site is deployed by the F5 XC UI deployment wizard or through Terraform, using a 2-port CE model with outside and inside subnets.
- Add a delegated subnet for ANF to the VNET; in the delegation pull-down menu select “Microsoft.Netapp/volumes”.
- With the Azure portal, add a NetApp account to the resource group, select the Azure geographic location (region) that corresponds to the VNET deployment.
- Add a capacity pool to the NetApp account, with service level, storage size and quality of service (QoS) desired.
- Configure a volume on the capacity pool, with the quota size required and the protocols NFS, SMB, or Dual indicated. An export rule may be added to restrict read/write operations from source subnets for NFS clients.
- Add an F5 CE site to the on-premises customer node, using the dual-interface model with an external and an internal subnet. The image may be deployed on hypervisors like ESXi or KVM, or an ISO may be applied to a bare-metal server. For cloud-based remote sites, deploy the CE as a cloud site, for example into a remote Azure-based VNET.
- For on-premises sites, configure a fleet configuration for the CE site and apply the configuration by associating the “ves.io/fleet” label to the CE site.
- Configure an XC global virtual network. Join both the inside interfaces of the Azure CE in the central VNET and the inside interface of the remote office CE to the same XC virtual network, thus allowing connectivity.
- From the remote site, use a protocol such as NFS to remotely mount ANF volumes for full read/write file access from the central location.
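The workflow above, carried through with the Azure CLI as an added example (not code from the article, F5 or NetApp). Every resource name, region, subnet and size is a constructed placeholder; the script only prints the commands unless APPLY=1 is set, and it refuses to create a volume whose NFS export rule would admit any source address rather than only the remote-office CE inside subnet.

```shell
#!/usr/bin/env sh
# Added example: provision the ANF delegated subnet, NetApp account, capacity pool and an
# NFSv3 volume whose export rule only admits the remote-office inside subnet, then build
# the mount command a Linux client behind the on-prem CE would run.
# All values below are constructed placeholders, not values from the article.
RG="anf-demo-rg"                   # assumption: RG already holds the VNET and the Azure CE
LOC="westeurope"
VNET="anf-demo-vnet"
ANF_SUBNET="anf-delegated"         # subnet delegated to Microsoft.Netapp/volumes
ANF_PREFIX="10.10.3.0/24"
REMOTE_SITE_NET="192.168.50.0/24"  # inside subnet of the remote-office CE (assumed)
ACCOUNT="anf-demo-account"
POOL="pool1"
VOLUME="shared01"

# Run each az command, or print it when APPLY is not 1 (dry run by default).
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*"; fi
}

# An export rule must never be left open to 0.0.0.0/0: accept one IPv4 CIDR prefix
# and reject the any-address prefix outright.
valid_client_cidr() {
  case "$1" in
    */0) return 1 ;;
    [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

provision() {
  valid_client_cidr "$REMOTE_SITE_NET" || { echo "refusing open export rule" >&2; return 1; }
  # 1. Delegated subnet for ANF inside the customer VNET
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$ANF_SUBNET" \
      --address-prefixes "$ANF_PREFIX" --delegations Microsoft.Netapp/volumes
  # 2. NetApp account in the same region as the VNET
  run az netappfiles account create -g "$RG" -n "$ACCOUNT" -l "$LOC"
  # 3. Capacity pool with service level and size (TiB)
  run az netappfiles pool create -g "$RG" -a "$ACCOUNT" -n "$POOL" -l "$LOC" \
      --service-level Premium --size 4
  # 4. NFSv3 volume with quota (GiB); export rule 1 grants read/write only to the remote site
  run az netappfiles volume create -g "$RG" -a "$ACCOUNT" -p "$POOL" -n "$VOLUME" -l "$LOC" \
      --service-level Premium --usage-threshold 100 --file-path "$VOLUME" \
      --vnet "$VNET" --subnet "$ANF_SUBNET" --protocol-types NFSv3 \
      --rule-index 1 --allowed-clients "$REMOTE_SITE_NET" --unix-read-write true
}

# Mount command for a client at the remote site; $1 is the volume's mount target address
# (shown in the portal or by `az netappfiles volume show ... --query mountTargets`).
mount_cmd() {
  printf 'mount -t nfs -o vers=3,rsize=65536,wsize=65536,hard %s:/%s /mnt/%s\n' \
      "$1" "$VOLUME" "$VOLUME"
}

provision
mount_cmd "${ANF_IP:-<anf-mount-ip>}"
```

Run with APPLY=1 only after the CE inside interfaces of both sites have joined the XC virtual network, since the export rule admits nothing else.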
Components
- Azure Bastion: Azure Bastion is a fully managed service that provides more secure and seamless Remote Desktop Protocol (RDP) and Secure Shell protocol (SSH) access to VMs without any exposure through public IP addresses.
- Azure F5 XC Customer Edge (CE) site: Azure XC CE site is a node which provides a security demarcation point for secure access into the Azure VNET and services such as Azure NetApp Files.
- Azure NetApp Files: A high performance, low latency file access solution to allow customer access to their data housed upon NetApp storage pools and configured volumes.
- On-Premises F5 XC Customer Edge (CE) site: F5 XC CE node deployed as a virtual or physical two-port security device at a customer location to serve as a security demarcation point.
- Azure Monitor: Azure Monitor helps you collect, analyze, and act on telemetry data from your Azure and on-premises environments.
Alternatives
As an alternate solution, you can use F5 Distributed Cloud AppConnect to create TCP Load Balancers, supporting the ports required by protocols such as NFS and SMB/CIFS, to bring requests directly to the Azure NetApp Files (ANF) delegated subnet.
Scenario details
NetApp volumes are file system-aware points of storage that are traditionally deployed on-premises, including office space and enterprise data centers. Administrative simplicity and enhanced security of data at rest may be achieved by pursuing a centralized and performant management of NetApp volumes.
Azure provides a flexible and ubiquitous worldwide compute platform and varying approaches to providing storage to enhance compute workloads.
F5 Distributed Cloud (XC) allows for world-wide interconnections for secure, encrypted turn-key enterprise points of presence including office space, data centers, and cloud-based points of presence such as Azure VNETs.
Combining NetApp, Azure and F5 delivers the benefits of centralized, secure volumes to remote users at global scale.
Potential use cases
This solution is ideal for use across multiple industries, including these potential use cases:
- Gain better control of storage operations, improve efficiency by reducing duplicated file content, and reduce infrastructure cost by transitioning on-prem clusters of storage to centrally provisioned and managed Azure NetApp Files.
- Utilize the F5 Distributed Cloud global fabric of sites to securely connect enterprise remote points of presence to Azure, without VPN or routing configuration skills, as the solution is delivered as a software-as-a-service (SaaS) offering.
Requirements and limitations
Azure NetApp Files provides throughput that scales with size when provisioning file system volumes and the underlying pools of storage capacity. Different qualities of service (QoS) are selectable, so even the most latency-sensitive database transactions can be accommodated in a cloud-first approach. F5 Distributed Cloud provides turnkey layer-3 connectivity between remote sites and the Azure VNETs used by enterprise clients. F5 site reliability engineering (SRE) teams maintain high-speed global connectivity and mitigate any L3/L4 DDoS attacks that may be attempted against the infrastructure. Enterprise sites, such as office spaces, manufacturing facilities and data centers, are connected automatically to the F5 global network through encrypted technologies such as IPSec and TLS tunnels, with active-active redundancy offered by default. Some considerations about the solution include:
- The suggested deployment of F5 Distributed Cloud is a layer-3 approach to automatic delivery of reachability. This approach requires layer-3 unique IP address assignments in each location involved. If overlapping IP address space exists, a layer-7 approach involving load balancers between Azure and the remote sites will allow for reachability.
- Layer-3 reachability has a layer-3/layer-4 firewall service available. If firewall rules are added, the traditional ports required for NFS are TCP/UDP 111 (Remote Procedure Call, RPC) and 2049 (NFS). Ports required for SMB/CIFS include UDP 137 and 138 (NetBIOS name and datagram services, respectively) and TCP 139 (NetBIOS session service) and 445 (SMB).
- You often deploy the F5 CE node in the same VNET as the Azure NetApp Files delegated subnet. However, you may also deploy the CE node in another VNET, or different Resource Group, and enable Azure virtual network peering (same Azure region) or Azure global virtual network peering (across Azure regions).
Considerations
These considerations implement the pillars of the Azure Well-Architected Framework, which is a set of guiding tenets that can be used to improve the quality of a workload. For more information, see Microsoft Azure Well-Architected Framework.
Reliability
Reliability ensures your application can meet the commitments you make to your customers. For more information, see Overview of the reliability pillar.
F5 Distributed Cloud points of presence (PoPs) are interconnected using a multi-terabit, dedicated and redundant private backbone for maximum performance. These PoPs are densely peered and connected with multiple Tier1 transit providers to deliver high-quality internet access for applications and consumers. F5 XC directly connects to multiple cloud providers from these locations to provide a reliable and predictable experience across cloud providers. Using BGP and advanced traffic engineering, F5 are able to provide granular SLAs for any customer that wants a high performance global private network without the complexity of procurement and operations.
https://www.f5.com/cloud/products/globalnetwork
F5 Distributed Cloud has a built-in logging and alerting system, and can also stream into enterprise event management solutions such as Splunk or Datadog. To do this you simply need to enable remote logging in the system and configure the remote log receiver destination.
F5 Distributed Cloud runs a Centralized Control and Management Plane - this component runs across many globally distributed locations with a combination of private infrastructure as well as public cloud providers like AWS, Azure, and GCP for a highly redundant solution.
Upgrades and patching to the platform can be done to an entire fleet with minimal downtime. A detailed guide on this can be found at https://docs.cloud.f5.com/docs/quick-start/infrastructure-and-app-management.
F5 Distributed Cloud PoP locations are upgraded by F5 (with advanced notifications to customers), using a rolling-upgrade approach, one PoP at a time, and one node at a time in each PoP. For customer node deployments, the platform alerts customers when a node upgrade is available. When a customer clicks upgrade, a rolling-upgrade approach is taken, whereby the first node in a cluster is upgraded, and only if validated as successful, the next node in the cluster is upgraded, and so on, until all nodes are upgraded successfully.
CE nodes are, by default, connected to the global RE fabric of nodes by active-active redundant encrypted tunnels. Both IPSec and TLS tunnelling are fully supported with no end user administration requirements.
Security
Security provides assurances against deliberate attacks and the abuse of your valuable data and systems. For more information, see Overview of the security pillar.
F5 Distributed Cloud WAAP signatures are updated on a weekly basis, and more often if there is a critical vulnerability. There are thousands of signatures included and this includes many common application technologies and frameworks such as Apache, Oracle, Microsoft, Cisco, Red Hat, IBM, Java, Unix/Linux, Jenkins and many more.
Threat Campaigns are a highly accurate, near zero false positive set of signatures that have been developed by our threat research team to pinpoint specific attack campaigns and APTs. This would provide Lloyds with fast mitigation of threats with minimal operational effort. By default, immediate blocking action is taken once an active threat campaign signature is detected. It is possible though to configure a staging period in which identified requests are allowed for a temporary period of time.
F5 Distributed Cloud Bot Defense leverages billions of crowd-sourced signals and telemetry from across our vast customer base to combat many of the most critical and automated attacks. As soon as a new attack technique is observed on one customer, new countermeasures are autonomously deployed and shared with all other F5 customers, providing global anti-bot inoculation across the platform and the user population. This base of telemetry information about attacks and bot patterns is coupled with our machine learning engine to analyze every transaction and detect malicious bots, allowing real users frictionless access without the need for other authentication factors such as CAPTCHA.
The F5 Distributed Cloud platform provides full coverage for the OWASP API Top 10 vulnerability exploits that update automatically as new exploits are identified.
F5 Bot Defense (fully integrated within the Distributed Cloud platform) processes over 4.5 billion HTTP transactions a day, transactions enriched with signal data continually updated through R&D. Unsupervised ML algorithms monitor and rapidly process this data every ten minutes, feeding alerts into a triaging system, where a 24x7 team of experts review the alerts to eliminate false positives and forward confirmed bot traffic into a supervised learning system.
This supervised ML generates deployable models that are reviewed by experts to further reduce false positives and prevent overfitting. The human in the loop increases rule resiliency, making the system more accurate and scalable, reducing the frequency of rule changes and enhancing the network effect: new attacks are launched against the few highest value targets, mostly financial institutions, and updated rules are deployed across all F5 Bot Defense customers.
In addition, the following capabilities are made possible through advanced AI/ML:
- Automated Discovery: APIs change frequently. Using AI/ML, as APIs are used, the system determines normal behavior, usage, methods and detects outliers helping you detect shadow APIs. AI/ML also learns the schema (generating a downloadable swagger file) and identifies PII.
- Anomaly Detection: For each API leaf, a Probability Distribution Function model is made for errors, latency (with and without data) and request metrics (request rate, request size, response size, throughput).
- Behavior and Time: By analyzing what endpoints are used, in what order and the frequency, API Protection AI/ML can identify bad actors not obeying normal behavior and act.
Cost optimization
Cost optimization is about looking at ways to reduce unnecessary expenses and improve operational efficiencies. For more information, see Overview of the cost optimization pillar.
F5 Distributed Cloud optimizes the cost of ownership by reducing the staff commitment required to maintain the solution, which is consumed like most software-as-a-service (SaaS) solutions. Tasks like maintaining encrypted tunnels to sites are fully automated, and routing between sites is likewise automated, with no day-to-day administration needed. The F5 XC site reliability engineering (SRE) team handles L3/L4 DDoS mitigation on behalf of customers, as well as fine-tuning of signature sets and evolving zero-day threats via curated “Threat Campaign” protections.
The solution is geared towards ultra-low false positive security incidents, to again optimize and minimize the management effort needed by XC customers. There are several capabilities that lead to low false-positives when using the F5 Distributed Cloud platform.
- Automatic Attack Signature Tuning (combines technology from F5 and Volterra) used to determine if a signature-identified attack is really a threat, helping reduce false positives. This uses a self-learning, probabilistic ML model that suppresses false-positive triggers.
- Signature meta-data includes the signature accuracy (High, Medium, Low). By default, only High and Medium accuracy signatures are enabled.
- Threat Campaigns are a curated set of signatures and rules that identify sophisticated attacks that are actively trying to exploit customers at the current time. They are high accuracy and very low false-positive.
The F5 solution can tag services/devices to enable tracking of ownership to a business entity, such as a department, cost code or group. All objects created in F5 Distributed Cloud can be labelled/tagged. There are built-in labels/tags, or you can create your own labels/tags with a defined set of values to checkbox select from (where consistent values are required), or you can create tags with freeform values.
Operational excellence
Operational excellence covers the operations processes that deploy an application and keep it running in production. For more information, see Overview of the operational excellence pillar.
Use Azure Monitor to monitor the Azure infrastructure components. Its alerting mechanism lets you take preventive actions like autoscaling or notification.
You can achieve infrastructure automation by using Infrastructure as Code services, like Azure Resource Manager templates or Terraform scripts.
Azure DevOps lets you deploy Azure SQL Server with any IaC that is supported, such as Terraform.
F5 Distributed Cloud can interpret declarative, intent-based code and deliver the required capabilities. Its declarative APIs abstract the underlying imperative operations, making it easy for DevSecOps engineers to interact with the F5 platform without domain-specific knowledge. The APIs are well documented and have mature ecosystems such as Terraform providers.
For a fully managed security service approach, F5 XC offers fully managed security and 24/7 SOC services, if required. Managed Service customers are assigned a Customer Success Manager who acts as the conduit into the service and will help drive everything from onboarding to the platform, design and architecture discussions, project planning, site analysis and working with the SOC to make sure your security policies and posture are up to date and configured correctly. The SOC can be engaged at any time for questions related to the service or in case there is a critical issue that needs handling.
Performance efficiency
Performance efficiency is the ability of your workload to scale to meet the demands placed on it by users in an efficient manner. For more information, see Performance efficiency pillar overview.
F5 Distributed Cloud operates as AS35280 with multi-terabit backbone capacity and redundancy. It is instantiated with colocation in over a dozen major metropolitan cities. Its densely peered backbone and transit provide high-performance reachability to Internet desktop and mobile consumers and applications, public clouds and private cloud facilities.
F5 directly connects to multiple cloud providers from these locations to provide a reliable and predictable experience across cloud providers. Using BGP and advanced traffic engineering, F5 are able to provide granular SLAs for any customer that wants a high performance global private network without the complexity of procurement and operations.
End-to-end latency for each application can be observed in the Performance Monitoring dashboard. This shows the overall status such as a health score, the number of origin servers, end-to-end latency, requests per second, and throughput information. F5 Distributed Cloud has detailed application health, security and performance dashboards that allow you to drill deep down into statistics and events and the status of the estate across multiple environments and providers.
Contributors
This article is maintained by Microsoft. It was originally written by the following contributors.
Principal authors:
- Steve Gorman - F5 Solutions Architect
- Will Stowe - Manager, NetApp Data Platform
Updated Dec 11, 2024
Version 1.0