Multicloud networking today is a broad, and often confusing, umbrella term. It can encompass a wide array of technologies, from SD-WAN to network security products and frameworks such as NGFW, SASE, and service networking. With so many technologies and approaches in play, it can be hard to pin down exactly what multicloud networking is, and whether it is something modern enterprises need.
Today, we’ll dive into the multicloud networking capabilities of F5 Distributed Cloud Services to explore the top 10 highlights of our approach to multicloud networking in cloud, hybrid, and on-premises scenarios.
Simply put, multicloud networking is the fabric that connects applications or services to one another. The goal for networking is to enable organizations to deliver apps to end users, whether these apps are deployed in data centers or in the public cloud.
According to the F5 State of Application Strategy Report, one of the biggest reasons customers adopt a hybrid, multicloud strategy to deploy their apps is for business continuity—to ensure that their services continue to run in the event of catastrophic failures with a single cloud provider. Another key reason is to set up the big public cloud providers to compete against one another for a customer’s business. This gives a customer flexibility to choose the lowest cost option that still meets their technical needs.
One caveat: multicloud strategy brings significant challenges to building a secure, high-performance network fabric that spans diverse infrastructure environments. These challenges include not only connecting services but also ensuring security, visibility, automation, and operational simplicity.
This is where F5 Distributed Cloud Services comes into play. It provides a unified platform to connect and secure apps, as well as ensure reliable, optimized performance across hybrid multicloud environments. These capabilities are core to the F5 Application Delivery and Security Platform and essential for any modern enterprise.
The Customer Edge (CE) site is the key technology that enables multicloud networking within Distributed Cloud Services. A CE site is deployable software that can be installed in customer environments, including on-premises data centers and public cloud regions. It can be installed as a VM or as a standalone containerized service in any environment.
The second multicloud networking component of Distributed Cloud Services is the F5 Global Network. The Global Network is composed of a series of F5-managed Regional Edges (REs) located in points of presence around the world. Each RE is connected by F5-owned fiber, and includes state-of-the-art physical, network, and application security.
As part of the CE provisioning process, each CE creates a connection to the two nearest REs on the Global Network for control and management plane functionality. To connect CE Sites to one another for data plane connectivity, customers can use their own networks or the Global Network as the transit network.
The final component is the F5 Distributed Cloud Console, a multi-tenant SaaS console which serves as the central management and operations hub for multicloud networking. It provides universal visibility throughout the entire network along with centralized, consistent policy enforcement.
F5 Distributed Cloud Services multicloud networking architecture
Distributed Cloud Services multicloud networking offers a wide range of capabilities, which apply to use cases like layer 3 and layer 7 connectivity and network-centric segmentation. Let’s take a look at each of these capabilities, and why they help F5 Distributed Cloud Services stand out in the networking field:
1. SaaS-based solution: SaaS-based delivery greatly simplifies customer operations. Customers need only the cloud-based console to operate their multicloud network; there is no control or management infrastructure for them to build or maintain. Customers spin up data plane components only in the locations where their apps and services reside.
2. Deployment flexibility: CEs can be deployed in any on-premises environment (e.g. VMware, KVM, Nutanix, Red Hat OpenShift) as well as public clouds like AWS, Azure, and Google Cloud Platform. A CE can also be deployed as an Ingress controller for Kubernetes. All CEs also support up to eight interfaces across these environments, providing support for various use cases.
Connections to the Regional Edges are always provisioned for control and management plane functionality. For data plane connectivity, customers can connect CE sites directly to one another over their own networks, or indirectly using the F5 Global Network as the transit network. Direct CE-to-CE connectivity can be encrypted with IPsec tunnels, forming a Site Mesh Group (SMG), or carried unencrypted over IP-in-IP tunnels, forming a Data Center Cluster Group (DCG). Because IP-in-IP provides neither confidentiality nor integrity, a DCG is only appropriate where the underlying links are already trusted, such as between CEs inside the same data center; anything that crosses the internet or a third-party network should use an SMG.
3. Cloud orchestration: Public cloud providers have many networking constructs, and those constructs vary from one provider to another. On AWS, for example, they include VPCs, subnets, route tables, Elastic Network Interfaces, network ACLs, and security groups. Each is an individual resource that must be configured and managed, and the effort multiplies when other cloud providers are in the mix.
F5 Distributed Cloud Services can fully orchestrate these constructs on the customer's behalf. Alternatively, if a customer prefers to keep managing these CSP constructs themselves, they can choose manual routing, in which case CEs are deployed only within their existing VPCs. Either way, existing customer environments do not need to be rebuilt.
4. Network-centric segmentation: A segment is a virtual routing and forwarding (VRF) construct that spans multiple CEs and lets customers run fully isolated environments. Think of it as two ships passing in the night: workloads in the production segment can reach only other production workloads, because the production routing table simply has no route to the development environment, even if the two environments happen to use the same address ranges. Segmentation can extend to individual interfaces on the CE, to VPCs or VNets within the cloud environments, and to any external connectors through which third-party routers, firewalls, or SD-WAN solutions join your network.
Isolating production and development networks from one another
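To make the routing semantics concrete, here is a small added example (not F5 code, and not how a CE is configured; the real segments are defined in the Distributed Cloud Console) that models a segment as a VRF-style routing table. The topology, site names (`aws-ce`, `dc-ce`, `gcp-ce`) and prefixes are constructed for illustration. It shows three things the paragraph above claims: a lookup is answered only by the caller's own segment, two segments can reuse the same prefix without conflict, and a destination in another segment is unreachable until an explicit, one-way segment connector is added for that prefix.

```python
import ipaddress


class NoRoute(Exception):
    """Raised when a destination is unreachable from the caller's segment."""


class Segment:
    """A VRF-style routing table that is private to one segment."""

    def __init__(self, name):
        self.name = name
        self.routes = {}  # ip_network -> next-hop site name

    def add_route(self, prefix, via):
        self.routes[ipaddress.ip_network(prefix)] = via

    def lookup(self, dst):
        """Longest-prefix match inside this segment only; None if no route."""
        addr = ipaddress.ip_address(dst)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]


class Fabric:
    """Segments are isolated by default; a connector leaks one prefix, one way."""

    def __init__(self):
        self.segments = {}
        self.connectors = []  # (from_segment, to_segment, ip_network)

    def segment(self, name):
        if name not in self.segments:
            self.segments[name] = Segment(name)
        return self.segments[name]

    def add_connector(self, from_seg, to_seg, prefix):
        self.connectors.append((from_seg, to_seg, ipaddress.ip_network(prefix)))

    def forward(self, from_seg, dst):
        """Return (segment whose table answered, next hop) or raise NoRoute."""
        via = self.segment(from_seg).lookup(dst)
        if via is not None:
            return (from_seg, via)
        # No local route: only an explicit connector may hand the packet over.
        addr = ipaddress.ip_address(dst)
        for src, to, net in self.connectors:
            if src == from_seg and addr in net:
                via = self.segment(to).lookup(dst)
                if via is not None:
                    return (to, via)
        raise NoRoute(f"{dst} is not reachable from segment {from_seg!r}")


def build_demo_fabric():
    """Constructed topology: prod and dev both use 10.1.0.0/16 and never meet."""
    fabric = Fabric()
    fabric.segment("prod").add_route("10.1.0.0/16", via="aws-ce")
    fabric.segment("prod").add_route("10.2.0.0/16", via="dc-ce")
    fabric.segment("dev").add_route("10.1.0.0/16", via="gcp-ce")
    return fabric


if __name__ == "__main__":
    fab = build_demo_fabric()
    print(fab.forward("prod", "10.1.3.4"))  # ('prod', 'aws-ce')
    print(fab.forward("dev", "10.1.3.4"))   # ('dev', 'gcp-ce'): same address, other segment
    try:
        fab.forward("dev", "10.2.0.9")      # dev has no route into prod's data center
    except NoRoute as err:
        print("blocked:", err)
    # Shared services in 10.2.0.0/16 are deliberately exposed to dev, one way only.
    fab.add_connector("dev", "prod", "10.2.0.0/16")
    print(fab.forward("dev", "10.2.0.9"))   # ('prod', 'dc-ce')
```

The connector is directional on purpose: after it is added, dev can reach 10.2.0.9 in prod, but prod still has no path into dev, which is the behaviour you want when development needs a shared service but production must never depend on development infrastructure.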
5. NAT support: Our solution provides static NAT for sites with overlapping addresses (Figure 3). In addition, we offer source NAT to mask the real addresses of hosts in east-west traffic, as well as source NAT for internet access use cases.
Solving overlapping addresses
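The following added example (not F5 code; the real translation is configured on the CE through the Console) shows the static NAT technique behind Figure 3 in the form a practitioner usually calls "netmap": a 1:1 translation that keeps the host bits of an address and swaps the network prefix, so two sites that both use 10.0.0.0/24 can talk to each other through unique fabric prefixes. The site names, the real prefix 10.0.0.0/24 and the fabric prefixes 100.64.1.0/24 and 100.64.2.0/24 are constructed assumptions. It walks a request and its reply through both CEs and confirms that the reply lands back on the original host.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: both sites use the same real prefix internally, so
# each gets its own non-overlapping prefix on the fabric (shared address space
# from 100.64.0.0/10 is used here purely as an illustration).
SITES = {
    "site-a": {"real": "10.0.0.0/24", "fabric": "100.64.1.0/24"},
    "site-b": {"real": "10.0.0.0/24", "fabric": "100.64.2.0/24"},
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def needs_static_nat(sites):
    """True if any two sites advertise overlapping real prefixes."""
    nets = [ipaddress.ip_network(site["real"]) for site in sites.values()]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def netmap(addr, from_net, to_net):
    """1:1 static NAT: keep the host bits, swap the network prefix."""
    address = ipaddress.ip_address(addr)
    src_net, dst_net = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("static NAT prefixes must be the same size")
    if address not in src_net:
        raise ValueError(f"{address} is not inside {src_net}")
    host_bits = int(address) - int(src_net.network_address)
    return str(dst_net.network_address + host_bits)


def egress(site, pkt):
    """At the source CE: rewrite the real source to its fabric address."""
    cfg = SITES[site]
    return Packet(src=netmap(pkt.src, cfg["real"], cfg["fabric"]), dst=pkt.dst)


def ingress(site, pkt):
    """At the destination CE: rewrite the fabric destination back to real."""
    cfg = SITES[site]
    return Packet(src=pkt.src, dst=netmap(pkt.dst, cfg["fabric"], cfg["real"]))


def deliver(src_site, dst_site, pkt):
    """Return (packet as seen on the fabric, packet as delivered to the host)."""
    on_fabric = egress(src_site, pkt)
    return on_fabric, ingress(dst_site, on_fabric)


if __name__ == "__main__":
    print("static NAT required:", needs_static_nat(SITES))  # True
    # A's host 10.0.0.5 must address B's host by B's *fabric* address.
    request = Packet(src="10.0.0.5", dst="100.64.2.7")
    on_fabric, delivered = deliver("site-a", "site-b", request)
    print(on_fabric)   # Packet(src='100.64.1.5', dst='100.64.2.7')
    print(delivered)   # Packet(src='100.64.1.5', dst='10.0.0.7')
    # B's host replies to the fabric address it saw; the reply maps back to A.
    reply = Packet(src=delivered.dst, dst=delivered.src)
    _, back = deliver("site-b", "site-a", reply)
    print(back)        # Packet(src='100.64.2.7', dst='10.0.0.5')
```

Two things to notice: hosts on either side only ever see the peer's fabric address, which is what makes the overlap invisible to them, and because the mapping is stateless and 1:1, the reply path needs no connection table, unlike a port-overloading source NAT.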
6. Service networking: Most people think of connectivity in terms of networks, such as connecting network A to network B, and that model is valid in many scenarios. It struggles, however, when you need connectivity to a single app or service within an environment. Take an external partner or customer, running on-prem or in the cloud, who needs access to exactly one service. A network engineer will start thinking about segments, segment connectors, firewall rules, and possibly NAT if addresses overlap, just to make that one service reachable.
Distributed Cloud Services multicloud networking can instead publish a single app or component without the customer having to design L3 routing, NAT, or firewall rules, and this has a real security benefit: the consumer is given a path to the published service only, not a route into the network that hosts it. This matters most when one or more Customer Edges (CEs) publish apps that live in remote locations. Distributed Cloud Services multicloud networking supports both L3 networking and service networking, so customers can pick whichever fits each scenario.
Traditional networking vs. service networking
7. External connectors (coming soon): Distributed Cloud Services multicloud networking provides standards-based integration with third-party components, such as routers and firewalls, over IPsec, with routes learned via BGP or configured statically, so that the fabric extends to those third parties. An External Connector can also be placed inside a network segment.
External connectivity to third-party devices with IPSec
8. F5 Global Network: Our network of REs and connecting fiber lets customers publish their apps anywhere in the world behind an anycast address, so each client is routed to its closest RE for the lowest possible latency. The F5 Global Network also provides comprehensive security through F5 Distributed Cloud Web App and API Protection (WAAP) against common attack vectors such as SQL injection, cross-site scripting (XSS), distributed denial-of-service (DDoS), and bot attacks targeting customer apps or APIs. In effect, it acts as a managed ingress security and app delivery layer.
9. CE security: CEs act as extensions of the F5 Global Network, bringing the same WAAP capabilities into your environments without any re-architecting. Internal and public-facing apps running in an environment with a CE deployed are protected both from external clients on the internet and on east-west traffic flows. CEs include an embedded L3/L4 firewall, and customers can optionally add a fully orchestrated NGFW from Palo Alto Networks for east-west as well as north-south transit. Finally, CEs offer zero-trust network access (ZTNA) with app-to-app authentication via mTLS, so each workload presents its own certificate and the peer is authenticated before any application traffic flows.
10. Network observability: Secure multicloud networking offers a wide range of tools and operational capabilities to ensure NetOps, DevOps, and Platform Ops teams can quickly understand the health of their network and troubleshoot any issues. With Distributed Cloud Network Connect and App Connect, we provide insights into:
As you can see, the multicloud networking capabilities within F5 Distributed Cloud Services cover a wide range of use cases and customer needs. From enabling external connectivity for partners to creating and maintaining precise network segments, all with end-to-end network observability and security, our multicloud networking solutions can help you operate and safeguard your network. Stay tuned for deep dives into each of these capabilities.
Get in touch with us to learn more about what Distributed Cloud Services multicloud networking can do for you.