How to expand application delivery to and from AWS quickly using F5 Distributed Cloud (XC) Customer Edge Deployment Mode.

This deployment model offers a streamlined and secure approach to connect AWS-hosted applications with F5’s Distributed Cloud Global Network (DCGN). By utilizing Customer Edge sites and the F5 Distributed Cloud, this architecture enables fast, secure, and private connections for applications that need to remain isolated from the internet. This setup ensures data privacy, integrity, and availability—ideal for enterprises focused on safeguarding their backend systems.

Key Components of the Solution

  • Customer Edge Sites: These sites serve as secure connection points, linking private customer sites to the Distributed Cloud Global Network. Secure IPsec tunnels facilitate data transfer across this connection, providing robust data encryption and transmission privacy.
  • Distributed Cloud Global Network: The F5 DCGN is a resilient, high-performing infrastructure that securely routes traffic between frontend and backend components. It acts as a traffic intermediary, enabling isolated backend applications to function securely within the network.
  • F5 HTTPS Load Balancer: Acting as a secure entry point, this load balancer manages HTTPS traffic and directs it to the backend applications hosted on an AWS Elastic Kubernetes cluster. Configured with NodePort, it efficiently distributes load across services within the EKS cluster.
  • AWS Elastic Kubernetes Cluster (EKS): This managed Kubernetes service handles application deployment and scaling. Configured with NodePort, the cluster accepts traffic from the F5 HTTPS Load Balancer, providing a flexible and scalable containerized environment.
  • vesctl F5 Command-Line Tool: The vesctl tool is used to deploy all components within this architecture, ensuring streamlined and consistent setup across F5 services.

Deployment Workflow

The following outlines the traffic flow and security features within this deployment model:

  1. Traffic Ingress: The F5 HTTPS Load Balancer receives incoming traffic, which it then forwards to the AWS Elastic Kubernetes cluster. NodePort configurations within the EKS cluster allow for effective port-based traffic management.
  2. Secure Tunnel Creation: An IPsec tunnel is established between the F5 AWS VNet Site and the EKS cluster. This encrypted tunnel keeps traffic secure and isolates it from the public internet.
  3. Distributed Cloud Network Routing: Traffic is routed across the DCGN to an egress Regional Edge, which then sends it to the Customer Edge site. This not only keeps backend applications isolated from direct internet exposure but also optimizes latency and data flow.
  4. Final Delivery to Backend Applications: Upon reaching the Customer Edge site via the IPsec tunnel, traffic flows to the backend applications as IP-based traffic, maintaining data security and restricting access to authorized requests.

Benefits of This Deployment Model

  • Enhanced Security: By isolating backend applications from direct internet access, this architecture minimizes exposure and unauthorized access risks.
  • Reliable Connectivity: Redundant IPsec tunnels ensure continuity by routing to multiple Regional Edge sites, enhancing uptime and consistent application availability.
  • Efficient Traffic Management: The F5 HTTPS Load Balancer effectively manages and balances traffic across backend services within the EKS cluster.
  • Scalability: AWS Elastic Kubernetes Service provides a dynamic, scalable environment for hosting applications, adjusting to changes in demand seamlessly.
  • Streamlined Deployment: Using vesctl, deployment is automated and standardized, reducing the risk of errors and ensuring consistent setups.

Conclusion

This architecture is ideal for enterprises seeking a secure, private, and efficient way to expand application delivery between AWS and F5 Distributed Cloud. By leveraging DCGN, IPsec tunnels, and the F5 HTTPS Load Balancer, organizations can maintain a secure and resilient infrastructure, fully compliant with rigorous privacy and security requirements.

WWT Team: Clint Huffaker, Ted Byerly, Jeff Andiorio, Corey Wanless, Shoaib Mohammed Shahapuri, Derek Lohman, Chris Lopez Sr., Carl Dubois, Sandeep Kalidindi.
F5 Team: Ed O'Connell, Mistie Hughes-Garza, Kyle Roberts, Jon Calalang, Amy Fisher, Rajiv G., Cameron Delano, Valentin Tobi, Ed Rabago.