How to Use A10 Lightning ADS in Google Cloud Platform (GCP)

Using the A10 Lightning Application Delivery Service (ADS) in Google Cloud Platform (GCP) helps operations teams easily implement advanced application traffic management capabilities, including elastic load balancing with rich application analytics and integrated application security. Here, we look at how to use A10 Lighting ADS in GCP.

A10 Lightning ADS

A10 Lightning ADS is a cloud-native solution to optimize the delivery and security of applications and services running over public or private clouds.

It provides innovative, elastic application load balancing capabilities, including traffic management with content-switching, application security and analytics for cloud applications. Lightning ADS is purpose-built for containers and microservices-based application architectures and elegantly integrates with DevOps processes.

For organizations embracing the cloud and application centricity, A10 Lightning ADS increases operational efficiency, offloads application administrators from cumbersome tasks, reduces risk and helps in meeting compliance requirements.

Lightning ADS Architecture

A10 Lightning ADS is purpose-built to serve not just traditional Web applications, but also modern microservices and container-based applications.

The solution offers a highly scalable, software-defined distributed architecture with a separation of control and data planes. This allows the A10 Lightning ADC data plane elements to be lightweight and deployed close to, or embedded within, the application environment.


Figure 1: A10 Lightning ADS is unique from traditional application delivery controllers (ADC) in that it separates control and data planes to help reduce management overhead and infrastructure costs.

ADS has four major architectural components. Unlike traditional ADCs, the management plane and data plane are separated. This allows users to replicate the data plane, as needed, without replicating management. This also reduces infrastructure costs and management overhead.

Benefits of Lightning ADS in GCP

Google Cloud Platform (GCP) features a Google load balancer for applications deployed only in GCP and requiring only basic load-balancing services.

However, for more advanced load balancing capabilities and for microservices-based applications, where services are running on different domains and traffic between microservices also uses a load balancer, the deployment becomes complicated.

Further, when your requirements go beyond just load balancing and SSL termination, and you need application traffic security like Web application firewall (WAF) and additional insights into traffic, the deployment architecture becomes even more complicated and is no longer cost effective from an infrastructure or operational point of view.

A10 Lightning ADS brings innovative Layer 4-7 capabilities, including traffic management with content- switching with advanced elastic load-balancing, security and analytics for applications fully or partly deployed in GCP. Lightning ADS unifies application traffic management, application security and application traffic analytics into single solution and provides a single point of management for applications deployed in GCP or in a hybrid cloud.

Application Load Balancing and Traffic Management

Lightning ADS goes beyond load balancing and provides complete traffic management capabilities. Like any other load balancer, it also has ability to load balance between members of a server pool based on selected load balancing algorithm. Further, it provides various options for stickiness of user sessions.

In a heterogeneous server environment, where different server pools serve different content, ADS can be configured to route traffic based on any information in the HTTP request. Further, granular segmentation of traffic is also done by applying the appropriate policies on the specific segment of the traffic.

Again, for Blue/Green, A/B or Canary deployments, Lightning ADS allows you to segment traffic based on users, devices, countries or any other information in the HTTP request, and to rollout new features to that specific set.


Figure 2: Lightning ADS provides an easy way to rollout new features of your application to control group via Blue/Green or A/B deployments.

Multiple techniques like server hopping, use of backup server groups and temporary request queuing contribute to improving the overall availability of the application deployed behind Lightning ADS.

Additionally, Lightning ADS offloads various tasks from the application servers so that server resources can be utilized for executing the core business logic of the execution. Offloading the SSL handshake is one such task that frees up servers from CPU intensive operations. TCP connection multiplexing is another technique that reduces the memory requirement on server by significantly decreasing the number of connections handled by the server. Rewrites of Request/Response Headers and Body, content compression and inline caching also make the servers much efficient.

Application Security

A10 Lightning ADS unifies security to provide ease of management, better integration and lower costs.

In the shared security model of GCP, security across Layer 1-3 of the network stack is Google’s responsibility, while security of L4 to L7 falls in the application owner’s court.

Lightning ADS eliminates the need of yet another point solution. Multiple layers of security are designed to avoid, report, mitigate and prevent attacks.


Figure 3: A10 Lightning ADS protects applications via several built-in security layers that detect and mitigate advanced cyber attacks.

Threat actors and other malicious groups plan attacks by profiling both the environment and its applications. ADS helps reduce or eliminate meta data and other information that is often used for profiling. This includes deleting or rewriting response headers, response codes and response body.

Lightning ADS also protects sensitive users by blocking malware, encrypting cookies, rewriting response body and blocking responses containing sensitive data.

Lightning ADS provides Web application firewall (WAF) controls to protect against the top-10 OWASP vulnerabilities like SQL injection, command injection, cross-site scripting (XSS), cross-site request forgery (CSRF), function-level access control, remote or local file inclusion, and more.

Elastic architecture and connection multiplexing techniques make the infrastructure resilient to distributed denial of service (DDoS) attacks. DDoS attacks are mitigated by quickly identifying the attackers, configuring access control and dynamically changing HTTP timeouts and traffic-rate limiting.

The combination of rich and granular security analytics, coupled with automation support, creates a powerful tool for adjusting security postures on-the-fly and combating attackers.

Per-Application Analytics and Alerting

Continuous metrics are collected by the Lightning Controller, processed and presented to administrators in the form of actionable insights. Because of the consolidation and correlation functions of the Controller, administrators gain a unified view of the distributed application environment, per defined logical application abstraction.


Figure 4: Rich per-application analytics in the Lightning Portal.

The Lightning Controller also runs a big data-style analytics engine to analyze the collected data to detect anomalous trends. Traffic is examined for possible security threats. These analytics are displayed in the portal to provide better context, and also include various recommendations and alerts based on the information. 

The powerful Lightning ADS alert framework allows administrators to set up alerts on various metrics or customizable fields. Alerts may be defined at granular levels, per the application abstraction modal. When conditions are matched and alerts are triggered, administrators receive notification emails for manual action. Additionally, the alerts are delivered to the configured Web-hook URL for automated, rapid action.

Elastic Load Balancing and Application Security - Automatic Orchestration and Scaling of ADCs

Because of split architecture of A10 Lightning ADS, the data plane component (Lightning ADCs) is deployed separately from the Controller (management plane component). We recommend that Lightning ADCs be deployed near the application servers in the same subnet.

The Lightning Controller automates the Lightning ADC orchestration work for infrastructure administrators, while the Lightning Controller uses the APIs provided by GCP for orchestration.

In addition to orchestration, Lightning Controller also configures auto-scale of Lightning ADCs – delivering elastic load balancing. This is done based on the policy specified by the administrator via the Lightning portal or Lighting APIs. The policy consists of placement, size and scaling parameters for the Lightning ADC Cluster.

Along with policy, an administrator needs to create a service account in their GCP project and provide service account credentials to Lightning ADS so Lightning ADS can work in GCP on their behalf as needed.

Google Authentication for using Lightning ADS

Organizations hosting their applications in GCP and their users authenticate and login with their Google account credentials. Additionally, there are some organizations that use Google Apps authentication as their enterprise authentication system.

For such organizations, using Google authentication in Lightning ADS simplifies the process as it eliminates the need of managing another password.

Summary

A10 Lightning ADS is an elastic and cloud native application delivery solution that brings security and visibility of traffic along with L3-L7 load balancing. The solution not only simplifies its use in Google Cloud Platform but also across multiple cloud environments. Its unique split architecture, single point management, and unified service approach reduces total cost of ownership.

If you're at Google Cloud Next '17 this week in San Francsico, swing by to say hello and to learn more about A10 Lightning ADS and using it with Google Cloud Platform. We'll see you there!

Add new comment