Deep Automation and ML-Driven Analytics for Application Services
Download as PPTX, PDF0 likes386 views
The document discusses deep automation and machine learning-driven analytics in application services, focusing on autoscaling, security mitigation, and continuous delivery. It highlights the benefits of using AI/ML for capacity planning, traffic identification for security, and deployment automation techniques like blue/green and canary releases. The overarching goal is to streamline decisions, improve security, and enable efficient resource management in cloud environments.
![Traditional Security Solutions: WAF, iRules etc.
• Checks traffic against all rules
– Slow and inefficient
• Uses negative security model
– Not adaptable to new attacks
• Complex to configure
– Difficult to get rules right for every app
• Traffic learning identifies parameters at coarse level
– Eg. It is integer vs it should be in [1-7]
– It is a color vs only three allowed colors
• Offline ML based classifiers are too slow to program in the network
Copyright © 2019 Avi Networks](https://image.slidesharecdn.com/deepautomationmay292019-190529175128/85/Deep-Automation-and-ML-Driven-Analytics-for-Application-Services-14-320.jpg)
Deep Automation and ML-Driven Analytics for Application Services
- 1. Deep Automation and ML-Driven Analytics for Application Services Gaurav Rastogi, Avi Networks Sr. Director, Engineering Ashutosh Gupta, Avi Networks Sr. MTS, Engineering
- 2. Agenda Deep Automation - Decisions Demo 1: Autoscaling – capacity planning Demo 2: Security – WAF and DDOS Demo 3: CI/CD – blue/green and canary
- 3. Analytic-Based Automation Framework Observation Analysis Decision Automated Action Deep Automation Copyright © 2019 Avi Networks
- 4. BARE METAL VIRTUALIZED CONTAINERSON PREMISES PUBLIC CLOUDVIRTUALIZED CONTAINERS Modern, Scalable, Multi-Cloud Architecture Copyright © 2019 Avi Networks CONTROLLER (SaaS / Customer-Managed) SERVICE ENGINE SEPARATE CONTROL & DATA PLANE ELASTICITY INTELLIGENCE AUTOMATIONMULTI-CLOUD
- 5. Use Case 1. Autoscaling – Capacity planning
- 6. Traditional Load Balancer Appliance Copyright © 2019 Avi Networks Active 15% Standby 0%
- 7. Capacity Issues Worse in Multi-Cloud Copyright © 2019 Avi Networks Active 80% Standby 0% Active 15% Standby 0% Active 15% Standby 0% Active 15% Standby 0% Active 15% Standby 0% Active 15% Standby 0% Active 15% Standby 0% Active 15% Standby 0% ON PREMISES CLOUD
- 8. Capacity Planning (Elasticity) • In a hardware or fixed resource system – Capacity >= Max Load expected • In software elastic system – Capacity > Min Load expected – Capacity < Max Load expected – Capacity adjusts (elastically) with the load • How do you know what is the Min and Max Load? • How do you know what is the real capacity of the system? Copyright © 2019 Avi Networks Load Elastic Capacity Capacity Time
- 9. Capacity Measurement using Response Time • Resources like CPU, Memory are symptoms of Capacity – An application could reach its capacity even at 50% CPU. – Bottlenecks could be due to architecture and may not be due to resources. • Little’s Theorem: L = λW – If the system is slow then there would longer delays – L is the Load and W is the Response Time • Response times increase rapidly if the system reaches capacity • Use Analytics to estimate the Capacity Copyright © 2019 Avi Networks
- 10. Load Prediction • DevOps/SRE Goal – Only have enough capacity to handle the “expected” load • Use AI/ML to predict the load – Identify the important load metric – open connections, RPS, CPS, TPS etc. – Regression based - use seasonality to forecast the load like Holt-Winters – ML based - GARCH Models • How to choose models – Real time: Predictions need to be done in real time. – Scalability - How much compute and state needed for 1000s of apps. Copyright © 2019 Avi Networks
- 11. Demo Analytics-based autoscaling based on predictive load and estimated capacity
- 12. Autoscaling Based on Deep Automation Framework Realtime Metrics Load Prediction and Capacity Est. Autoscaling Policy Decision Automated Network, Cloud, Application provisioning Copyright © 2019 Avi Networks Deep Automation
- 13. Use Case 2. Security – WAF and DDOS
- 14. Traditional Security Solutions: WAF, iRules etc. • Checks traffic against all rules – Slow and inefficient • Uses negative security model – Not adaptable to new attacks • Complex to configure – Difficult to get rules right for every app • Traffic learning identifies parameters at coarse level – Eg. It is integer vs it should be in [1-7] – It is a color vs only three allowed colors • Offline ML based classifiers are too slow to program in the network Copyright © 2019 Avi Networks
- 15. ML driven WAF and DDOS – Million TPS Securely! • Uses Machine Learning to categorize traffic – FastPass or Deep Inspection or Bad traffic • Uses Positive Security Model – Learns what good traffic looks like – Can detect new types of attacks • Automatic Learning of Bad Traffic Patterns • Automatic Learning of WAF Tuning Parameters • Automatic DDOS mitigation Use ML to drive the performance! Copyright © 2019 Avi Networks
- 16. Automating Application Security using ML FastPass Deep Inspection Negative Security Deny Allow Traffic ML Classifier Copyright © 2019 Avi Networks
- 17. Demo ML-based DDOS and WAF
- 18. Inside Avi’s ML-based DDOS and WAF Classifier DB Scan Allow/Deny Neural Networks Copyright © 2019 Avi Networks WAF + DDOS Policy Traffic Feedback (False Positives) Avi WAF + DDOS Classifier
- 19. Application Security through Automated Rule generation using ML Application learning through Deep Packet Inspection Application Model Formation Automatic PSM rule generation Vulnerability checking through Fast Pass Copyright © 2019 Avi Networks Deep Automation
- 20. Use Case 3. Continuous Delivery
- 21. Traditional Software Development and Delivery Release Deploy Developers Release Managers Operators Upgrade Monitor Rollback Develop/Fix BuildTest Copyright © 2019 Avi Networks
- 22. Continuous Delivery as a Process Automation Zero down time for deployments Develop/Fix Build TestRelease Deploy Copyright © 2019 Avi Networks
- 23. Blue/Green Deployment • Use two identical deployments with different versions – Current: “Blue” version – New: “Green” version • Switch all new sessions to Green • If validation fails: – Rollback to Blue – Use Green for post-mortem • If validation succeeds: – Wait for open sessions to Blue to finish – Destroy, archive, or analyze Blue deployment Version 1 Version 2 Copyright © 2019 Avi Networks
- 24. Canary Deployment • A fraction of production traffic is deployed to the version under test • If validation fails, then simply stop sending requests to the newer version • Increase load share as validations continue to pass • Elastic applications don’t need 2X deployment resources – Auto-scale takes care of growth and ramp-down Version 2 Version 1 (last good) 90 % 10 % Copyright © 2019 Avi Networks
- 25. Validation of Blue-Green / Canary Release Traffic Engineering Traffic ramp up rate Duration of evaluation window Target test traffic Validation Metrics Response time Open connections Quality of requests Quality of network Errors Request rate Connections rate Resource utilization Audit Trail Progress events Capture evaluation results Final deployment decision Copyright © 2019 Avi Networks
- 26. How to orchestrate traffic switching for blue/green and canary? Version 1 Version 2 Limitations: • Not a generic solution • Not very flexible 1.1.1.1 2.2.2.2 • Client application based • DNS based routing • BGP Route Health Injection (RHI) • Load Balancer based Copyright © 2019 Avi Networks
- 27. How to orchestrate traffic switching for blue/green and canary? Version 1 Version 2 App: 1.1.1.1 Limitations: • Caching makes traffic control difficult • Coarse granularity for Canary deployments 1.1.1.1 2.2.2.2 2.2.2.2 • Client application based • DNS based routing • BGP Route Health Injection (RHI) • Load Balancer based Copyright © 2019 Avi Networks
- 28. How to orchestrate traffic switching for blue/green and canary? Version 1 Version 2 Withdraw Route Advertise Route Upstream Router Limitations: • Existing sessions will be disrupted • Coarse granularity for Canary deployments • Client application based • DNS based routing • BGP Route Health Injection (RHI) • Load Balancer based Copyright © 2019 Avi Networks
- 29. How to orchestrate traffic switching for blue/green and canary? Version 1 Version 2 Load balancer Key Advantage: Fine-grained control on traffic engineering • Client application based • DNS based routing • BGP Route Health Injection (RHI) • Load Balancer based Copyright © 2019 Avi Networks
- 30. Avi’s Automated Continuous Delivery Solution Real-time Metrics Deployment Validations Pool Deployment Policy Updates Automated Network traffic switching and autoscale Copyright © 2019 Avi Networks Deep Automation
- 31. Demo Blue Green Deployment using Avi in Kubernetes cloud
- 32. Avi Pool Group Based Blue / Green Copyright © 2019 Avi Networks Ratio: 0 Ratio: 100
- 33. Summary • Use ML to expedite learning • Focus on automation of the decisions admins need to make manually • Make those decisions actionable by performing – Traffic management – Programming and provisioning of network and cloud resources – Provide admins intuition and build trust towards automation. Copyright © 2019 Avi Networks