McGraw Hill, a global provider of traditional and digital learning resources, deploys apps in multiple clouds and on-premises data centers. When costs prompted closure of its physical data centers, F5 Distributed Cloud Services helped the company meet an aggressive app migration schedule while boosting security and easing management of its multi-cloud infrastructure.
In 2022, Adam Wang learned that leading educational company McGraw Hill would need to close its three on-premises data centers by June 2024. As the company’s Director of Networking, he faced a daunting deadline to migrate some three dozen internal applications to Oracle Cloud Infrastructure (OCI). The apps moving to the cloud included many internal apps used by the company’s 3,700 employees to run 40 global offices, and various other apps used in producing and selling their traditional and digital learning.
It wasn’t McGraw Hill’s first foray into the cloud. The company already relied on a multi-cloud architecture that included AWS and Microsoft Azure primarily for customer-facing apps. Oracle Cloud Infrastructure (OCI) would be joining the list as the key repository for many internal apps.
Unfortunately, the native security tooling offered by OCI didn’t meet many of their core requirements. “There were two big drawbacks,” says Wang. “First was security. We weren’t satisfied with OCI’s DDoS security.” It didn’t provide the needed app-level protection. In addition, Oracle’s load balancing services would require a significant amount of tedious setup to accommodate all their migrated apps.
Of course, Wang knew the company’s data centers relied on F5 BIG-IP Local Traffic Manager (LTM) and BIG-IP DNS virtual editions. While flexible F5 licensing allowed McGraw Hill to shift those licenses to support apps in the Oracle cloud, that wasn’t their only option. In early 2023, Wang learned that F5 Distributed Cloud Services could provide equivalent availability services, plus a complete set of security services, in an abstraction layer perfect for multi-cloud situations. He says, “Distributed Cloud Services could be applied no matter where the apps were hosted and deployed quickly as a SaaS-based solution, which fits our company’s cloud and SaaS focus.”
However, McGraw Hill’s cybersecurity group had already invested in building a web application firewall (WAF) profile and intrusion prevention system (IPS) to work with the native OCI tools. Wang explains, “They were saying, ‘Why change directions and scratch all the work we have done?’”
They conducted an assessment, and the F5 Distributed Cloud Web Application Firewall (WAF) aced the test. Wang says, “As we introduced the features of the F5 security profile, like malicious user detection, IP reputation filtering, API security, and bot mitigation, the cybersecurity group quickly realized the depth of the F5 offering and started loving it.”
F5 provided an extensive proof-of-concept (POC) to show how McGraw Hill—and its cybersecurity team—could optimize its OCI cloud. Because the apps involved are for internal use only, they needed to be secured without publicly advertising any app or API endpoints. The traditional proxy-based architecture via regional edge (RE) sites or PoPs used for external, web-facing apps was not a viable solution in this instance.
Fortunately, F5 Distributed Cloud Services offer flexible deployment models for securing apps in public and private cloud environments. During the POC, F5 deployed a local software node in McGraw Hill’s private cloud instance. This software node, often referred to as a CE (Customer Edge) license, is an extension of the F5 Distributed Cloud Platform that enables locally delivered application security without advertising the site to the public Internet. Client requests bypass any of the RE/PoP sites and instead connect directly to the nearest McGraw Hill CE instance. After security policy enforcement by Distributed Cloud WAF and F5 Distributed Cloud DDoS Mitigation, clean traffic proceeds to the applications themselves without any sacrifice of performance and with full observability by McGraw Hill.
With a successful POC complete, the next step was to deploy multiple CEs in the OCI cloud. “That went relatively fast,” says Wang. “F5 was very responsive and supportive, and F5 Professional Services had the knowledge and expertise we needed. When we moved to production in the cloud there were no surprises, even with the very tight deadline we had. It was easy to migrate from our existing F5 virtual machines to the cloud. We could cross-reference much more easily, and all the features of our BIG-IP LTM—plus more—are embedded.”
With about one-third of the OCI cloud migration complete, Wang says his team is already realizing the benefits of Distributed Cloud Services.
F5 Distributed Cloud Services enabled McGraw Hill to simplify the infrastructure behind its OCI cloud by eliminating the need for an IPS. The API security features of the F5 solution serve the same purpose. “I was really glad, because to use the IPS we’d have to spin up another Equinix cloud to work with the F5 cloud and then connect to OCI,” says Wang. “Without the IPS I can eliminate the Equinix cloud entirely.”
As a SaaS-based solution, Distributed Cloud Services are also easy to use. “No hardware means less things to break, less downtime, and less for us to manage,” says Wang. “Everything is a single pane of glass. We can just go into the portal and manage everything. That is a huge advantage. And troubleshooting is a blessing when everything’s in one place.”
The solution also saves significant configuration and management time, especially when creating virtual IPs (VIPs) and setting up certificates. “F5 Distributed Cloud Services are very easy to set up,” says Wang. “My engineers love it.” He adds, “WAF, DDoS—it’s very straightforward, so we don’t need to spend a lot of time on it. Now it looks like we’ll be able to beat our very tight deadline.”
“The biggest benefit of all is the security,” says Wang. “If not for F5, we’d have probably used the OCI native tools, which would have really complicated things. Or we’d have moved to Azure instead, but we would not have gotten the DDoS protection or security profile we really wanted.” It’s also possible that app performance or availability would have suffered as a result, making it more difficult for employees to achieve their educational mission. In addition, the alternate OCI architecture would have required a separate IPS, increasing complexity and requiring separate configuration and management.
With F5, however, Wang says app security is easy to manage. He says, “Everything is in one profile. I don’t have to go to different hardware or services. We’re getting reports daily and we know we’re blocking threats.”
As the migration proceeds, the company’s cybersecurity team will have more time to focus on the solution’s API security. “But I know right off the bat it’s going to help us,” says Wang. He can be certain in part because prior to implementation, the F5 support team worked with McGraw Hill to better understand how many API endpoints or monthly API requests the company needed to secure. With hundreds of active apps, that number turned out to be more than 18 million. But API security for this eye-opening number of endpoints is required to ensure strong app-level DDoS protection.
As the migration proceeds, both internal and public-facing apps in the data centers are being moved to the cloud, with internal apps shifting to either the company’s OCI or Azure clouds. One advantage of the Distributed Cloud solution is that McGraw Hill could choose to extend the same services to apps in its Azure cloud, thus reducing the complexities of managing multiple clouds.
Wang says, “It can scale to different clouds. Our AWS cloud is managed by a totally different group, but if there are any apps, we need to spin up for load balancing in Azure, we will be using F5 Distributed Cloud Services because of their scalability. First, because security has already approved the solution and they love it. Second, we already have the centralized location to configure it and the policies. I also like the failover solution between regions that we’ve set up.”
In fact, when asked for three words to describe Distributed Cloud Services, Wang doesn’t hesitate. “Secure, scalable, and simple,” he says.
That’s a report card F5 is proud to take home.