5G Makes a Cloud-Native Application Architecture Vital

The introduction of 5G is a catalyst in accelerating the development of millions of new applications. Massive amounts of data-heavy and latency-sensitive applications are being developed, resulting in a movement of subscriber computing to multi-access edge computing (MEC). MEC brings computing, storage, networking, and services closer to applications, devices, and users. It also delivers lower latency and enhanced security, paving the way for innovations in industries ranging from government to healthcare to manufacturing.

Service providers continue the 5G journey by building out microservices-based, cloud-native infrastructure from the core to the edge of the network. This cloud-native solution is an evolution of a virtualized network. Dynamically provisioning workloads within a network enables new levels of operational automation, flexibility, and adaptability.

Moving to a cloud-native architecture includes many advantages:

• Faster time-to-market: A cloud-native approach speeds deployment of new use cases with continuous integration and continuous delivery (CI/CD), process automation in operations and support, and Agile DevOps development processes.
• Greater efficiency: Cloud-native applications consume up to 40% fewer resources compared with virtual machine-based software.
• The ability to scale: With a cloud-native architecture, service providers can scale to hundreds of thousands of nodes.
• Reduced operational costs: Automated and programmable operations across a multi-cloud environment help to lower costs.
• Improved resource utilization: By decoupling hardware from software, service providers can reuse resources when they are no longer needed.
• Faster development time: A cloud-native approach speeds process automation in development and operations, and supports Agile DevOps development processes. 

Service providers are defining and deploying a cloud-native infrastructure across the entire network from the core to the far edge. As defined by the 3rd Generation Partnership Project (3GPP), a Service-Based Architecture (SBA) is a set of interconnected network functions (NFs) that deliver the control plane functionality and common data repositories of a 5G network. Supporting a cloud-native SBA brings new requirements for the control, coordination, and orchestration of disaggregated network functions that are distributed across the network. Network functions are containerized microservices that can support the 5G Core, virtualized radio access network (vRAN), and the N6-LAN network functions.

Cloud-native, service-based architecture introduces a paradigm shift that enables service providers to migrate from a vertical to a horizontal stack implementation. A vertical stack approach increases vendor lock-in and requires that each vendor enables its own infrastructure, increasing complexity.

A horizontal stack approach breaks such vendor complications and limitations while enabling the service provider to maintain control and visibility of its network. With a horizontal stack, service providers gain a consistent cloud-native infrastructure (telco cloud) implemented across core, edge, and far-edge sites—supporting vRAN, a standalone (SA) 5G Core, internal applications, and enterprise- and consumer-facing applications 5G allows service providers to move to a horizontal stack approach, making it possible to scale edge sites as needed for subscribers.

Table 1 highlights the key drivers for 5G disaggregation, which enables service providers to realize the complete benefits of a cloud-native infrastructure.¹

Kubernetes has become the standard for cloud-native architecture container management and orchestration. However, Kubernetes was not designed to host telco network functions (NFs) and their telco specific protocols, such as 5G HTTP/2-REST, Diameter, SIP, GTP, and SCTP.

The challenges that service providers face with Kubernetes include:

• The inability to apply policy control over multiple traffic types and support the transition from 4G (SIP, Diameter, SCTP, etc.) to 5G protocols. 
• The inability to apply proper security at multiple points in a network and across multiple layers.
• Lack of visibility into the flow of traffic both into and within the infrastructure. 
• Lack of revenue controls as service providers continue to operate both 4G and 5G over the next several years. As the SA 5G Core is rolled out, many service providers will leverage their existing 4G billing and charging systems to speed the delivery of 5G and get a faster return on their investments.

F5 provides solutions that address these cloud-native infrastructure challenges and support the networking and security requirements for the vRAN, 5G Core, and enterprise applications. F5 solutions include:

• F5 BIG-IP Next Service Proxy for Kubernetes
• F5 Carrier-Grade Aspen Mesh
• F5 N6-LAN services
• F5 security solutions

The F5 BIG-IP Next Service Proxy for Kubernetes (SPK) is a unique offering specifically designed to provide a single point of networking and security for Kubernetes and specifically architected for service provider networks. BIG-IP Next SPK provides a single point of networking for the cluster (ingress and egress), reduces the attack surface for greater security, and supports 4G and 5G signaling protocols. BIG-IP Next SPK aligns with Kubernetes design patterns for configuration and orchestration. BIG-IP SPK delivers:

Ingress/egress control

• L4 load balancing: TCP, UDP, and SCTP
• L7 load balancing: Diameter, SIP, HTTP/2
• GTPcV2 load balancing
• Routing
• Rate limiting
   

Security

• Signaling firewall, DDoS, WAF
• Encrypt/decrypt
• Topology hiding
   

Visibility

• Revenue assurance
• Statistics and analytics

F5 Carrier-Grade Aspen Mesh helps service providers improve application traffic visibility, security, and policy management. The service mesh is designed specifically for service provider cloud-native infrastructures and is built on the open source platform Istio with added features critical for a service provider network. F5 Carrier-Grade Aspen Mesh delivers:

• Traffic visibility at all layers through a view of traffic within each 5G Core Kubernetes cluster. This provides revenue assurance and visibility into the data needed to monetize 5G using existing billing systems.
• Advanced security with a consistent approach for encrypting and authenticating all traffic between multi-vendor and multi-site networks functions. F5 Carrier-Grade Aspen Mesh is built on techniques based on a carrier-grade and 3GPP-compatible certificate authority.
• Traffic control and policy management that enable service providers to efficiently route service communication—and enforce business and compliance policies for the service mesh and network traffic. 

In addition to these features, F5 Carrier-Grade Aspen Mesh provides packet capture capabilities, which standard Kubernetes does not. Packet capture is important for troubleshooting communication issues between CNFs within the cluster and to support governmental requirements such as lawful intercept.

BIG-IP Next SPK and Carrier-Grade Aspen Mesh solve different challenges of using Kubernetes in a 5G cloud-native infrastructure. BIG-IP Next SPK meets the need for multi-protocol signaling support, security, and visibility of traffic ingressing and egressing the Kubernetes cluster, while Carrier-Grade Aspen Mesh addresses communication between CNFs. Both are critical to the deployment of a 5G cloud-native infrastructure.

5G networks deliver dynamic applications that can be deployed at the core data center, edge, and far edge. Network functions that used to be located in the S/Gi-LAN in 4G are now service-based CNFs that can move to the location of the applications.  

New network functions are self-contained, independent, and reusable. Each network function service exposes its functionality through a service-based interface (SBI), which employs a well-defined REST interface using HTTP/2. This functionality, called N6 LAN, is at the N6 interface between the packet gateway and the data network.

F5 N6 LAN network functions include traffic management, network security, DNS services, policy enforcement, and carrier-grade network address translation (NAT). Until recently, most of these services have been implemented on dedicated hardware devices, but with the rise of virtualized infrastructure those network functions are now being deployed as virtual network functions (VNFs) and more recently cloud-native network functions (CNFs).

To meet service provider needs, F5 provides the industry’s most comprehensive set of N6 services in a consolidated and virtualized solution. Consolidating and virtualizing N6 services can result in up to a 60% reduction in capital and operating expenditures—while boosting performance and lowering latency.2 

The F5 N6 services solution integrates a wide range of services from security to video optimization into a single platform. Service expansion is simplified, and the unified framework ensures there is a common technology to help service providers optimize their network and transition to 5G.

F5’s N6 LAN network functions may be consumed as hardware appliances, VNFs, or CNFs, allowing the service provider to choose the best deployment solution for the use case.

With F5 N6 solutions and services, service providers can:

• Provide intelligent traffic management and local DNS services for customizable subscriber-  and network-aware traffic steering solutions.
• Deliver carrier-grade NAT (CGNAT) services and migrate networks from IPv4 to IPv6.
• Secure their networks from volumetric attacks with ISCA-certified security solutions.
• Provide subscriber-aware policy enforcement, traffic classification, TCP optimization, and URL categorization.
• Create and deploy new subscriber security services including DNS-based parental controls and a subscriber aware IoT firewall specifically designed to target IoT devices.
• Enhance video optimization with signature detection and granular policy control powered by machine learning.

5G delivers more connection points, higher throughput, and new protocols that increase the number of security attack surfaces. Comprehensive security is required throughout the network, including at the core, edge, and far edge. F5 security tools include:

F5 DDoS protection: Delivers seamless, flexible, and easy-to-deploy solutions that enable a fast response, no matter the type of distributed denial-of-service (DDoS) attack. DDoS protection products include F5 DDoS Hybrid Defender and F5 Silverline DDoS Protection.

F5 AFM: Provides comprehensive protection for networks and protocols to ensure subscribers’ experience to reduce churn and increase revenues. Actionable visibility enables fast mitigation of attacks. 

F5 Advanced Web Application Firewall (WAF): Protects apps with behavioral analytics, proactive bot defense, and application-layer encryption of sensitive data. Defends against the most prevalent attacks against apps without requiring updates to the apps themselves.

F5 Distributed Cloud Bot Defense: Leverages artificial intelligence and machine learning to defeat attackers and prevent fraud. Protects web and mobile applications and API endpoints from sophisticated automation attacks that would otherwise result in large-scale fraud. 

Smooth the transition to 5G
Maintain the 4G infrastructure and foster interoperability with Kubernetes and the 5G Core with help from F5 that includes:

• Speeding time-to-market of new, compelling, and differentiated 5G services.
• Simplifying core network architecture and operations and reducing costs with F5’s unique N6 LAN solutions.
• Enabling billing for 5G services.

Achieve cloud-native performance and security
Build a cloud-native, container-based architecture by leveraging Kubernetes and advanced security. With F5, service providers can:

• Obtain a container-based architecture that is scalable for the core, edge, and far edge.
• Gain dynamic network scalability for improved horizontal scaling and flexibility.
• Implement security at the core, edge, and far edge.
• Leverage Aspen Mesh encryption.

Maximize traffic visibility and control
Gain service-provider-related functionality for the control and visibility that are critical for transitioning to 5G with Kubernetes containers. F5 delivers:

• Enhanced visibility and traceability for billing.
• Improved traffic management including routing, load balancing, and rate limiting for 4G protocols.
• Kubernetes self-discovery for automatic configuration of load balancing.
• Packet capture for troubleshooting and lawful intercept.
• Aspen Mesh for analytics and policy management.
• Seamless operation in a multi-tenant environment.

The introduction of 5G is a catalyst in accelerating the development of millions of new applications. Massive amounts of data-heavy and latency-sensitive applications are being developed, resulting in a movement of subscriber computing to multi-access edge computing (MEC). MEC brings computing, storage, networking, and services closer to applications, devices, and users. It also delivers lower latency and enhanced security, paving the way for innovations in industries ranging from government to healthcare to manufacturing.