Looking Back on Another Year of Innovation for F5 on AWS

Last week, Las Vegas played host to the largest AWS re:Invent conference to date—with over 50,000 attendees eager to learn about the cloud juggernaut’s latest and greatest platform developments. And as the dust settles and the lingering Nevada hangovers wane, what better time to reflect on what has been another dynamic and productive year for F5 on AWS? So kick back, put your feet up, and let’s take a closer look at some of F5’s most notable advances from the past year on AWS, including:

1. BIG-IP Cloud Edition Availability on AWS Marketplace
2. F5 Advanced WAF Availability on AWS Marketplace
3. F5 Cloud Services Early Access
4. Integration with Security Hub
5. AWS Transit Gateway Support
6. CloudFormation Template Progress and an AWS QuickStart
7. Availability on AWS Intelligence Community (IC) Marketplace
8. F5 Managed Rules for AWS WAF

1) BIG-IP Cloud Edition Availability on AWS Marketplace

In a nutshell, BIG-IP Cloud Edition on AWS brought F5’s best-of-breed, virtual per-app application services together with the massively enhanced centralized management capabilities of BIG-IQ. As application portfolios continue to grow and the need for automation and agility becomes more prevalent, what could be better than combining dedicated and right-sized applications services with deep and insightful analytics, app team self-service, and auto-scaling… right?

Basically, BIG-IP Cloud Edition reframes the now-false narrative that you need to choose between industry-leading app services and development agility. With BIG-IP Cloud Edition, you can choose both and address the growing pressures on IT of digital transformation. F5 customers are now able to trial and deploy BIG-IP Cloud Edition within their AWS environment.

Check out the BIG-IP Cloud Edition solution guide or visit the product page on the AWS Marketplace.

2) F5 Advanced WAF Availability on AWS Marketplace

At this juncture in the ongoing public cloud saga, most of us are familiar with the concept of the shared security model—whereby the cloud provider is responsible for the security of the underpinning cloud infrastructure, while the onus is on the user to secure the apps and data.

At the same time, cybercriminals constantly evolve attack methods and exploit vulnerabilities to find new ways to access and impact apps. Beyond the more typical attack vectors that have pestered security professionals for years (XSS, injection, etc.), more innovative and sophisticated mechanisms are being used to threaten apps nowadays—ranging from malware and bot related attacks to resource-crippling DoS attacks. It’s these advanced threats that make implementing the most advanced application security solution on the market a necessity, rather than a luxury, when protecting public cloud apps.

Subsequently, F5 released the industry’s most comprehensive WAF solution—it’s Advanced WAF—available on AWS to ensure workload protection from the most complex of attacks. Advanced WAF’s capabilities include layer 7 behavioral DoS detection and mitigation, credential protection, and proactive bot defense.

For more details, visit our Advanced WAF webpage or check out the AWS Marketplace.

3) F5 Cloud Services Early Access

At re:Invent, we were incredibly excited to announce our innovative new service delivery platform capabilities, built around the AWS SaaS factory. F5 Cloud Services is initially an early access preview, and interested parties can get free and instant trial access to the preview of the following F5 Cloud Services:

• DNS – A globally distributed, authoritative DNS service, with built-in DNS-targeted DDoS protection.
• GSLB – The F5 Global Server Load Balancing (GSLB) service provides intelligent load balancing for cloud- and hybrid-based application deployments.

Check out the F5 Cloud Services announcement and sign up for the early access preview here.

4) Integration with AWS Security Hub

As AWS unveiled their new Security Hub service during Andy Jassy’s re:Invent keynote, the eagle-eyed viewers among you may have noticed that familiar big, red ball on screen. Excitingly, F5 was in fact a launch partner for this new tool, affording customers the ability to integrate Advanced WAF and BIG-IP ASM Virtual Edition with this central reporting console. Doing so allows security teams to escalate predefined alert information (such as attack type, source, etc.) from blocked traffic to AWS Security Hub for further review. Additionally, with automated compliance checks AWS Security Hub can assess F5 WAF configurations to ensure compliance with industry requirements.

For more about F5’s integration with Security Hub, take a look at this article.

5) AWS Transit Gateway Support

AWS Transit Gateway (TGW) was another service revealed at re: Invent, and F5 was again a launch partner. Essentially, TGW is a new centralized routing construct designed improve the way different networks route to each other. Previous AWS routing constructs like VPC peering delivered similar results but were decentralized and limited.

We may be even more excited about this than AWS, given the abundance of ways its functionality can be used to the benefit of F5 customers. An example of this could be the use of TGW to enforce complete sanitization of traffic across an AWS environment. This could be achieved by creating a dedicated security VPC populated with F5 Advanced WAF instances, and then configuring TGW rules to route all inbound traffic through this VPC. All traffic that left this VPC would therefore be scrubbed of malicious traffic, ensuring that only legitimate traffic was routed by TGW to other AWS regions and VPCs.

Learn more about this and other TGW use cases in this DevCentral article.

6) CloudFormation Templates Progress and an AWS QuickStart

In recent years, a crack team of our F5 engineers have been feverishly building out F5’s portfolio of CloudFormation Templates (CFT). For those unfamiliar with CFTs, these are a form of Infrastructure-as-Code providing a simple and automated way of deploying resources on AWS. Leveraging these templates, users can deploy Virtual Editions in diverse and complex architectures in a matter of minutes.

Over the last 12 months, key developments to F5’s CloudFormation Repository on GitHub include:

• Hybrid Auto Scale BIG-IP VE Templates – Deploy BYOL VE instances and—as traffic increases—have auto scaling events trigger additional PAYG VE instances to be provisioned.
• Auto Scale via BIG-IP DNS – Use BIG-IP DNS to distribute traffic among a tier of auto scaling BIG-IP VEs as an alternative to using an AWS ELB as the first tier load balancer.
• BIG-IQ License Manager VE Templates – Enable the deployment of standalone or clusters of BIG-IQ LM instances.

In addition to developing new CFTs, F5 has also been busy wrapping its existing Auto Scale LTM CFT into an AWS QuickStart, making it even easier to stand-up a production or sandbox environment.

Information about this new QuickStart can be found here, while additional details on F5’s CFTs are available here.

7) Availability on the AWS Intelligence Community (IC) Marketplace 

AWS C2S, or Commercial Cloud Services as it’s otherwise known, is the government program and contract vehicle that brought an air-gapped, top secret region of the AWS cloud to the U.S. Intelligence Community (IC). This has allowed top secret government workloads to securely run atop AWS infrastructure and leverage AWS services while meeting all necessary IC compliance requirements. To improve efficiency and reduce procurement cycles for C2S customers, AWS released a version of their Marketplace where all solutions are pre-vetted and authorized for use by IC customers.

After months of collaboration with AWS, F5’s BIG-IP Virtual Edition was added to this marketplace, enabling our IC customers seamlessly implement the same traffic management and security services in the AWS Cloud that they may have previously configured on-premises.

8) F5 Managed Rules for AWS WAF

It’s no secret that all applications aren’t created equal, with each differing greatly depending on a number of factors, including business purpose, deployment location, sensitivity or importance of user data, and regulatory requirements. Ultimately this means that the security requirements vary across workloads. For example, mission-critical apps carrying sensitive data are more likely to require advanced protection from cyber threats, while basic, non-critical applications are unlikely to need all of the advanced functionality of an enterprise-grade WAF. In these cases, a more basic firewall like AWS’ WAF may suffice.

For these less critical workloads, F5 has developed a series of rulesets that can be implemented atop AWS’ native WAF to provide an additional element of protection. Three different rules are available, each protecting against specific threat types:

• Bot Protection – Prevents malicious bot activities such as vulnerability scanners, web scrapers and DDoS tools.
• CVE Vulnerabilities – Protects from common vulnerabilities and exposures (CVE) targeting systems such as Apache, Bash, Java, MySQL, Ruby On Rails, and WordPress.
• Web Exploits – Guards against OWASP Top 10 threats, including XSS, SQL injection, and path traversal.

For more information, take a look at this article or visit the AWS Marketplace.

And that’s a wrap… If you have any questions about anything covered here or about F5 on AWS, feel free to contact us. F5 has plenty of product developments planned for AWS over the next year that are going to continue to help our customers in and on their cloud journeys—so stay tuned!