We use it primarily for WAF.
We use it primarily for WAF.
The ability to quickly set up. I understood it very quickly. I had some URLs which pointed to my load balancers, and inside there, I had to send an action to the API Gateway. I thought it was going to be a very complex thing for me to do, but that one rule that I had to create, it solved everything for me.
The connection through the API Gateway worked in no time, which was fantastic. From the perspective of us building it, once you have that one rule you can stamp it out. Also, it was easy for me to show operations, "Look how easy it is. There's nothing complex about it."
I was able to simply and quickly set up the WAF rules and security, and also set up easily complex policies and rules which gave me some great features to redirect. So, I had to integrate API Gateway into our WAF, because we're a healthcare company, and we have to maintain security. Therefore, they didn't want to have public endpoints that had not been inspected. The policy features inside the WAF rules were really easy for me to set up. What I thought was going to take me two months, I had done in about two weeks. Between Googling and F5 having great information, so instead of using traditional iRules, I used a policy thing that they recommended. It was much simpler and cleaner, and seemed to execute faster. It was a great feature.
The configuration and implementation of what I thought I was going to have to do was a lot simpler than I expected it to be. That was a plus.
People love them in security, but their costs are completely out of bounds. However, I'm not a security guy, so I don't necessarily know all the ins and outs of why our security team may have chosen this product versus other ones.
I am disappointed with the additional cost. 25 megabytes is low. If we get to a thousand, a gig, It is like three dollars an hour. While you can get a reduction in price, when I price them against anyone else, they are wildly overpriced.
I used GitHub for autoscaling CloudFormation, and I found two bugs and I submitted them. Their implementation in GitHub could be cleaner and allow for a bit more customization. We always end up customizing these things, so I found two bugs and I thought they were big bugs so I was surprised. This wasn't necessarily relative to product. It was more about the support role of GitHub and the way it was launching. However, the features that they said would work, did not.
It seems very stable. I've had no problems with stability at all. It's been rock solid, from the perspective of staying in line and working as expected.
I did individual testing. We were doing very small tests to start, 25 megabits. So, I was driving close to 25 megabits through it. Memory and CPU, I thought might be a bit of a concern, but overall it seemed good. It was doing what I needed it to do, and doing it well, so I didn't notice anything in my traffic.
I haven't thought of production workloads on it yet. I don't know how the performance is going to be in terms of CPU memory, but I was told by other people because of what we're doing on it, it could be hard to scale. So, we may have to end up buying more because we will be encrypting and decrypting. We have to inspect that traffic, so that will be CPU intensive. Therefore, one instance may not be enough for us, as we may be spinning up multiples across Multi-AZs.
We will be just stacking our costs. Granted, it is virtualization, and you can only get so much out of it. However, I haven't put true production workloads through it. I have only done my testing, and I am concerned a bit about these factors and how they may drive our costs even more, because I will have to spin up more WAFs to accommodate for high CPU and memory loads.
From a cost perspective, I agreed to analyze the standards in terms of load balancing. However, the cost that they have with AWS are almost prohibitive. I'm being forced to use F5 WAF. I would not simply use it based on cost. I agree that they have some great features, but for me, cost is key in terms of AWS.
This applies to buying in the AWS Marketplace. If you go to a simple WAF doing 25 megabits, and I'm paying for the instance cost as well, it is over a dollar an hour. You can add that up and ask for some discounts, but relative to other players, they are significantly more expensive.
We will need a lot of these, and it can be a real negative driver in terms of spend and how we will be able to move forward.
Purchasing though the AWS Marketplace was easy; it was a piece of cake. You go right in, and the options are there. It was nice you can pick the different kind of group you wanted and what type of security you wanted. It did put in a lot of information that would build a lot of the initial infrastructure for me in terms of supporting my load balancer and creating security. Granted, I destroyed it all, but it was nice and it was there. It gave me the ability to level set what I should create versus what they put in place. I could see what they're doing here and I can match it to my own criteria. What they put in the AWS Marketplace and came through with the license, it worked well.
We chose to go through the AWS Marketplace because you can do almost anything you are going to launch there. The first time you launch, you always grab from the market, particularly for PoCs, as it's just easier. There's no reason why I wouldn't go through the AWS Marketplace, because they've already have F5 WAF. It's exactly what I want and it's exactly what I needed, so I can go from there.
I am a fan of using AWS natively. It is much cheaper.
We also looked at Check Point and Barracuda, but they were not markedly cheaper. The whole reason to use AWS was its ability to create resources which have more economic scale. This has almost started to get lost with the prices that these companies are charging.
I started my PoC back in April, which is when I finished three PoCs across different deployments for F5. So, I'd probably been using the product for about eight months.
The product works.
We have F5 all across our environment. We use them for both VPNs and for traditional load balancers. So, we have VIPRIONs and several different versions of on-premise F5 hardware, as well. From an operations team perspective, everything is easy to learn; seamless. The ability to get teams to focus on AWS F5 is easy because they already know everything there. From an operational perspective, it is a win-win because they already know how to work with the F5.
Within our AWS environment, it is integrated with network load balancers. Then, depending on the traffic flow, it can either be back-end through the Palo Alto IDS IPS or it can be front-end for the IDS IPS. So, it has integration in between there, which was very nice. I was able to set up very intricate NAT rules, because I had to handle the traffic away. It did work very well. There were some issues with the routing, but that was more how AWS routes rather than F5 which I had to work around. Other than that, getting traffic back and forth between the two and the network load balancing was a piece of cake.