
Cloud Native for the Discerning Network Engineer
Roger Dickinson @DCgubbins
CISG EMEA, March 23

Roger Dickinson
• 23-year Cisco veteran
• Chief joiner of dots
• Cloud Techie
• Enablement and go-to-market.
• Cartoonist, occasional Peloton rider, ex-Crossfitter and ex-drinker of Dr Pepper
@DCgubbins
Cloud Business Solutions Architect EMEA
© 2022 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cloud Native for the discerning network engineer

Session Goals

Goal 1: Position Cloud Native in the clouds you and your customers are building, and the implications for your day job.

Goal 2: A high-level understanding of Cloud Native service mesh, security and what problems Cisco are solving.

Goal 3: Be curious enough to explore further.

Customer Priorities: Reimagine Applications | Transform Infrastructure | Exceptional Experience | Secure Enterprise | Empower Teams

CLOUD is foundational to digital transformation

CLOUD is an operating model, an application execution venue: Data Centre | Colo | Edge | Public | SaaS

Where is the best location to deploy my application? Data Centre | Colo | Edge | Public | SaaS

CLOUD – Public | Private | Hybrid | Multi | Super | Neutral

Layers of the cloud model ("Everything-as-code" and "Cloud Ecosystem" span all layers):
• Operations: cloud operations for optimization, assurance and automation
• Observability: real-time insights for user, app, infrastructure and business
• Security: secure from application to infrastructure
• Connectivity: networking data center, cloud, colo and edge
• Data: data management, protection and security
• Infrastructure: platforms for compute, storage and networking
• Application Execution Venue: Data Centre | Colo | Edge | Public | SaaS

Cisco CLOUD – Solutions, integrations and partnerships

[Diagram: the layered cloud model with Cisco products mapped to each layer; "Everything-as-code" and "Cloud Ecosystem" span all layers]
• Operations: SecureX, Intersight, Nexus Dashboard, Nexus Cloud, vManage, Calisti
• Observability: Workload Optimizer
• Security: Panoptica, Insights, Analytics, Workload
• Connectivity: NDFC, APIC, CNC
• Data
• Infrastructure: Converged, Hyperconverged, Modular, Network, Storage, 3rd Party
• Application Execution Venue: Data Centre | Colo | Edge | Public | SaaS

Cisco CLOUD – Delivered as-code

[Diagram: the same product map (Operations: SecureX, Intersight, Nexus Dashboard, Nexus Cloud, vManage, Calisti; Observability: Workload Optimizer; Security: Panoptica, Insights, Analytics, Workload; Connectivity: NDFC, APIC, CNC; Data; Infrastructure: Converged, Hyperconverged, Modular, Network, Storage, 3rd Party; Application Execution Venue: Data Centre | Colo | Edge | Public | SaaS) delivered through an as-code pipeline: Pipeline, Kubernetes First, GitOps, Declarative Infrastructure, CICD, Cloud Agnostic, DevOps/SRE/Platform]

Cisco CLOUD – Delivered as-code

[Diagram: the as-code pipeline column (Kubernetes First, GitOps, Declarative Infrastructure, CICD, Cloud Agnostic, DevOps/SRE/Platform) alongside the layered model, highlighting Calisti (Operations) and Panoptica (Security); Application Execution Venue: Data Centre | Colo | Edge | Public | SaaS]

An Awesome benet of Cloud Native

Calisti

Service Mesh Management

Istio Service Mesh in 3 minutes

[Diagram: K8S Control Plane above Cluster 1, in which each of four services carries the same set of functions (Connection Management, Authentication, Load Balancing, Request Routing, Security, Logging & metrics); together these form the Service Mesh]
Istio Service Mesh in 3 minutes

[Diagram: K8S Control Plane and Istio Control Plane above Cluster 1; the Istio Control Plane provides Connection Management, Authentication, Load Balancing, Request Routing, Security and Logging & metrics for the Service Mesh]

A Service Mesh is a dedicated infrastructure layer for handling reliable service-to-service communication.

Service Mesh Benefits
• Traffic Forwarding
• A/B Testing
• Canary Rollouts
• Rate Limiting
• Load Balancing
• Security
• End to end authentication
• Metric and Monitoring
• Behavioural insights
Istio Service Mesh in 3 minutes

[Diagram: K8S Control Plane and Istio Control Plane above Cluster 1; the Istio Control Plane provides Connection Management, Authentication, Load Balancing, Request Routing, Security and Logging & metrics for the Service Mesh]

A Service Mesh is a dedicated infrastructure layer for handling reliable service-to-service communication.

Service Mesh Challenges
• Lifecycle management
• Disparate/fragmented observability
• Multi-cluster challenges:
  • Availability
  • Cross-cluster service discovery
  • Inter-cluster traffic management policy
• Multi-Tenancy
• Handling asynchronous messaging
Calisti: Service Mesh Lifecycle Management

Enterprise Service Mesh Lifecycle Management
• Full Upstream Istio
• OOTB Pre-Integrations
• Multi-Cluster Automation and optimization

Production Kafka Lifecycle Management
• Encryption and authentication
• Network level tracing
• Improved Performance
• Integrations

Calisti: Architecture

[Diagram: inside a Kubernetes cluster, Calisti (API, Dashboard, CLI) installs and configures Istio (Control Plane and Data Plane) and Cert-manager, collects telemetry (metrics, traces) and connects to Integrations]
Istio Service Mesh – Single Mesh per cluster

[Diagram: two clusters, each with its own K8S Control Plane, Istio Control Plane (Connection Management, Authentication, Load Balancing, Request Routing, Security, Logging & metrics) and mesh: Service Mesh 1 in Cluster 1, Service Mesh 2 in Cluster 2]

Istio Service Mesh – Single Mesh Multi-cluster

[Diagram: Cluster 1 and Cluster 2, each with a K8S Control Plane; one Istio Control Plane (Connection Management, Authentication, Load Balancing, Request Routing, Security, Logging & metrics) and a single Service Mesh spanning both clusters]

Istio Service Mesh – Single Mesh Multi-primary

[Diagram: Cluster 1 and Cluster 2, each with a K8S Control Plane and its own Istio Control Plane (Connection Management, Authentication, Load Balancing, Request Routing, Security, Logging & metrics), forming a single Service Mesh across both clusters]

Istio Service Mesh – Multi-Gateway Support

[Diagram: Cluster 1 (Service Mesh 1) and Cluster 2 (Service Mesh 2), each with a K8S Control Plane and an Istio Control Plane (Connection Management, Authentication, Load Balancing, Request Routing, Security, Logging & metrics) and a Gateway on either side of its mesh; the clusters are linked by Direct Connect]

Next Steps

Calisti
Free offer includes:
• Supports up to 10 nodes, across 2 clusters
• No credit card required
• No time restriction

Sign up and start using Calisti for free at: Calisti.app

Panoptica

Cloud Native Security

Panoptica

Cloud Native Apps introduce more security complexity
• Traditional security tools don't meet the needs for cloud native app development
• Kubernetes is not secure by default; massive proliferation of one-function tools
• SecOps has to keep up with the speed of app development and have an integrated workflow

Panoptica

Explosion of threat vectors in microservices security
• 93% of companies had a Kubernetes security incident in the last 12 months
• $4.35 million: average cost of a data breach in 2022
• 286% API attack increase every quarter, and API attacks will be the most frequent attack vector in the future according to Gartner

Lots of risk
Gartner: Threat vectors in the container lifecycle

[Diagram: Developer Laptop (1) → Source Code Repository (2) → Build Servers, fetching dependencies (3), Docker File → Docker Image → Registry (4) → Test Deployments 1..n (5) → pods (6), with Object Storage, SQL and NoSQL Databases (10) and an Untrusted User reaching MSA Communication (8); numbered threat vectors below]
1. Development system
2. Git-based repository
3. Retrieval of dependencies
4. Image registry
5. Unsecured orchestrator platform
6. Host-container relationship
7. Rapid rate of change
8. MSA communication and network segmentation
9. Inter-process communication
10. Increased number of databases
11. Application layer attacks

Source: Gartner
Cisco Cloud Security

[Diagram: the stack APIs, Containers, Service Mesh, Kubernetes, Virtualization, Compute, Storage, Network across Data Centre | Colo | Edge | Public; Panoptica (Cloud Native Application Security) covers APIs, Containers, Service Mesh and Kubernetes; the Virtualization, Compute, Storage and Network layers are covered by Secure Workload, Secure Insights, Secure Analytics, Secure Firewall and ACI, with Ransomware called out at the Network layer]

Simplied Cloud Native Security
for DevSecOps, Platform and DevOps teams

APIs API
Software Supply Chain
Prevents attacks with SBOMs Secure microservices an APIs
and runtime verication with visibility, scoring and
Containers enforcement

Service Mesh
Kubernetes Serverless
Comprehensive protection for your Ensure consistent security by
Kubernetes orchestration environment and applying role-based policies and
containers permissions

Virtualization
Data Centre

Compute
Panoptica

Security across the full app stack from dev to runtime
• Dev: Application Composition
• CI/CD: Shift Left Security
• Deployment: Connection and API Assessment
• Runtime: Policy Control Governance

Panoptica

Cisco Panoptica enables DevSecOps at scale
• Policy automation: write one policy and propagate across containers or code deployments to ensure new code has less risk
• Actionable Insights: dashboard highlighting MITRE ATT&CK vectors aligned to Kubernetes risks
• Pod-based approach: application runs on a single pod that covers your entire environment – even across clouds

Works across all Kubernetes platforms

Panoptica

Seamless security for container infrastructure
• Scans vulnerabilities | Config hardening | RBAC analysis
• Scope: Code → Container → Cluster → Cloud/Co-Lo/Corporate Datacenter
• Policy Automation | Runs on any cloud | Serverless | SBOM/SSC

Panoptica

Seamless security for APIs with a SaaS based service
• Discovery of API Endpoints: Code, Endpoints, Services, Gateways
• Internal vs. External APIs
• Connection Assessment
• Risk Compliance
• Policy
• API Monitoring
• Permissions automation
• Spec Analysis
• Fuzz testing
• Anomaly detection
• Spec Reconstruction

Next Steps

Panoptica
Free offer includes:
• Supports up to 10 nodes, across 2 clusters
• No credit card required
• No time restriction
• mTLS security for service-to-service traffic

Sign up and start using Panoptica for free at: Panoptica.app

Improving API Quality & Security

Improve API Quality

API Security

Open Source

Improve Developer Experience

1 Analytics Engine and Dashboard UI
2 VS Code IDE Extension
3 CLI Integration with CI/CD pipeline

1 Analytics Engine and Dashboard UI

✓ Scores APIs against OAS guidelines
✓ Verifies the completeness of APIs
✓ Checks for inclusive language
✓ Automatically generates a changelog
✓ Spots breaking changes and maintains backward compatibility

2 VS Code IDE Extension

✓ Provides API health score
✓ Diff view between API
✓ Identifies inconsistencies in documentation vs. code
✓ Checks against OpenAPI Spec and Cisco Inclusive Language ruleset
✓ Dark/Light mode friendly

3 CLI Integration with CI/CD pipeline

✓ Automate API Insights functionality in your CI/CD pipeline
✓ Achieve efficiency and scalability in your API quality and compliance
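An added example (not API Insights or Panoptica code) of the breaking-change check that the Analytics Engine and the CLI-in-CI/CD sections describe. It assumes simplified OpenAPI 3 documents (two constructed sample revisions, schemas elided): removed operations, removed response codes and newly required parameters are classified as breaking, additive changes as non-breaking, and a gate function turns the result into a pipeline exit status.

```python
# Added example (not API Insights or Panoptica code): a minimal OpenAPI 3
# breaking-change detector of the kind a CI/CD gate runs on a new spec revision.
# The two specs below are constructed samples; schemas and bodies are elided.
OLD_SPEC = {"openapi": "3.0.3", "paths": {            # constructed v1
    "/users": {"get": {"parameters": [{"name": "limit", "in": "query"}],
                       "responses": {"200": {}, "401": {}}}},
    "/users/{id}": {"get": {"responses": {"200": {}, "404": {}}},
                    "delete": {"responses": {"204": {}}}}}}
NEW_SPEC = {"openapi": "3.0.3", "paths": {            # constructed v2
    "/users": {"get": {"parameters": [{"name": "limit", "in": "query"},
                                      {"name": "X-Tenant", "in": "header", "required": True}],
                       "responses": {"200": {}}},
               "post": {"responses": {"201": {}}}},
    "/users/{id}": {"get": {"parameters": [{"name": "verbose", "in": "query"}],
                            "responses": {"200": {}, "404": {}}}}}}
METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

def _ops(spec):  # (path, METHOD) -> operation object for every operation in the spec
    return {(path, m.upper()): op for path, item in spec.get("paths", {}).items()
            for m, op in item.items() if m.lower() in METHODS}

def _params(op):  # (name, location) -> required flag for an operation's parameters
    return {(p["name"], p["in"]): bool(p.get("required")) for p in op.get("parameters", [])}

def diff_specs(old, new):
    """Classify differences into 'breaking' (existing clients may fail) and 'non_breaking'."""
    breaking, additive = [], []
    old_ops, new_ops = _ops(old), _ops(new)
    for path, m in sorted(old_ops.keys() - new_ops.keys()):
        breaking.append(f"removed operation {m} {path}")
    for path, m in sorted(new_ops.keys() - old_ops.keys()):
        additive.append(f"added operation {m} {path}")
    for path, m in sorted(old_ops.keys() & new_ops.keys()):
        o, n, tag = old_ops[(path, m)], new_ops[(path, m)], f"{m} {path}"
        for code in sorted(set(o.get("responses", {})) - set(n.get("responses", {}))):
            breaking.append(f"{tag}: removed response {code}")
        op, np = _params(o), _params(n)
        for (name, loc), req in sorted(np.items()):
            if (name, loc) not in op:      # new parameter breaks callers only if required
                (breaking if req else additive).append(
                    f"{tag}: added {'required' if req else 'optional'} {loc} parameter {name}")
            elif req and not op[(name, loc)]:
                breaking.append(f"{tag}: {loc} parameter {name} became required")
        for name, loc in sorted(op.keys() - np.keys()):
            breaking.append(f"{tag}: removed {loc} parameter {name}")
    return {"breaking": breaking, "non_breaking": additive}

def ci_gate(old, new):
    """Pipeline exit status: 1 blocks the merge when backward compatibility breaks."""
    return 1 if diff_specs(old, new)["breaking"] else 0
```

Running `ci_gate(OLD_SPEC, NEW_SPEC)` on the constructed revisions returns 1 because the DELETE operation and the 401 response were dropped and a required header was introduced, while the new POST operation and the optional `verbose` parameter are reported as non-breaking.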

API Insights Workow
Developers Tech Lead
Security/Compliance Ops

Spec Authoring

IDE: Comparison Report Dashboard

Spec Version/Revision
Analyzing Spec
Spec Upload
Runtime Drift

OAS API Runtime Drift


Analyzing Latest Registry API Guidance
OAS Di
CI CD
Spec (Version API
API Insights CLI Toolset Doc Compliance
Panoptica
spec for
organization)
Inclusive Language
API Security
API Security
OAS Linter
Upload New Revision

Offering: Open Source | Open Source | SaaS (Panoptica, The Cisco Secure Application Cloud)
Persona: Application Developer | DevOps | DevSecOps
Key Features:
• Static Analysis | Dynamic Analysis | Container Scanning
• API Governance | Drift | Securing APIs on Kubernetes Clusters
• Language Inclusivity | Zombie & Shadow API usage | Internal/External facing
• IDE Extension: VS Code | Spec Reconstruction | API Policy Enforcement

Coming soon - Integration with Panoptica
Next Steps

Get started today!
⭐ Star and Clone the API Insights repo

Open Source @ Cisco

https://eti.cisco.com/open-source