
CLOUD SOLUTIONS FAQ

Layer 7 CloudSpan & AMI FAQ

Table of Contents

What is CloudSpan?
Is CloudSpan only available as virtual appliances?
Does CloudSpan support clustering?
Does CloudSpan require specialized tools or skills?
Is CloudSpan extensible?
Can I publish/update policies on a live “in production” CloudSpan device?
Is CloudSpan upgradeable?
What third-party identity products does CloudSpan support?
Which protocols and standards does CloudSpan support?
How is the Layer 7 SSG AMI priced?
What is the best practice for scaling Layer 7 AMIs?
What is the best practice for upgrading SSG AMIs?
Can the SSG AMI utilize RightScale’s EC2 provisioning capabilities?
Can the SSG AMI utilize Amazon’s Elastic Block Storage (EBS)?
Are SSG AMIs public or private images?
Does the SSG AMI work with Amazon CloudFront?
What performance can be expected for the SSG AMI?

FREQUENTLY ASKED QUESTIONS

What is CloudSpan?
CloudSpan is Layer 7’s newest family of XML-based products specifically designed to help
enterprises solve their issues around securely connecting to, deploying in, and publishing from the
cloud:
• CloudSpan CloudConnect allows enterprises to safely consume SaaS and cloud-based
services by providing not only secure single sign-on, but also secure, bi-directional
application integration.
• The cloud is the new DMZ. CloudSpan CloudProtect is designed to deliver DMZ-level
security in public and private clouds by providing a hardened virtual application container in
which organizations can deploy their enterprise applications.
• CloudSpan CloudControl allows cloud-based service providers to secure, manage and
publish their application APIs to partners, customers, and other third-parties using policy-
driven controls.

Is CloudSpan only available as virtual appliances?


CloudSpan is available in a number of different form factors in order to support multiple deployment
scenarios, budgets and business requirements:
• Hardware – for deployment in traditional datacenters and other high-performance
environments, CloudSpan CloudConnect and CloudControl are available as a 1U 64-bit
multiprocessor platform that features dual power supplies, four GE/FE NICs, and mirrored
hot-swappable drives.
• Software – for customers that prefer a do-it-yourself approach using their own hardware,
CloudSpan CloudConnect and CloudControl are available for Sun Solaris 10 (supports both
x86 and Niagara versions), SUSE Linux, and Red Hat Linux 4.0/5.0.
• Virtual Appliance for VMware – the entire CloudSpan family is available as Virtual
Appliances supporting VMware/ESX deployments and is “VM Ready” certified.
• Amazon Machine Image – CloudSpan CloudProtect and CloudControl can be implemented
using the existing SecureSpan XML Gateway AMI form factor.

Does CloudSpan support clustering?


Yes, CloudSpan appliances (except the AMI) support true clustering, allowing organizations to
centrally administer multiple devices in a cluster, as well as multiple clusters.

CloudSpan also supports cluster-wide rate limiting, which allows organizations to meter service usage
and take action when a preset threshold is reached. For example, telcos that meter usage
of cellular SMS services can use CloudSpan to block access to the service when the customer’s
contractual quota is exceeded. Because the clustered devices maintain and update a shared counter,
metering is always accurate. This capability also allows SecureSpan to provide effective protection
against replay attacks.
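
Why the shared counter matters, as an added example (not Layer 7 code): the same traffic is run through a simulated three-node cluster, first with per-node state and then with one shared store. The node count, quota, customer name and message IDs are constructed, and a single in-process object stands in for the cluster's shared, atomically updated state.

```python
"""Added illustration: per-node vs cluster-wide quota counters and replay caches.
Not product code; all names and values here are constructed for the example."""
from itertools import cycle


class Store:
    """Quota and replay state: one per node, or one shared by the whole cluster."""
    def __init__(self):
        self.used = {}     # customer -> messages admitted so far
        self.seen = set()  # message IDs already processed


class Node:
    def __init__(self, store, quota):
        self.store, self.quota = store, quota

    def handle(self, customer, msg_id):
        if msg_id in self.store.seen:          # identical message seen before
            return "replay"
        if self.store.used.get(customer, 0) >= self.quota:
            return "over-quota"
        self.store.seen.add(msg_id)
        self.store.used[customer] = self.store.used.get(customer, 0) + 1
        return "ok"


def build_cluster(nodes, quota, shared):
    common = Store()
    return [Node(common if shared else Store(), quota) for _ in range(nodes)]


def admitted(cluster, customer, attempts):
    """Round-robin `attempts` unique messages over the nodes; count those admitted."""
    rr = cycle(cluster)
    return sum(next(rr).handle(customer, f"msg-{i}") == "ok" for i in range(attempts))


def replay_result(cluster):
    """Send one message to node 0, then the identical message to node 1."""
    cluster[0].handle("alice", "msg-dup")
    return cluster[1].handle("alice", "msg-dup")


if __name__ == "__main__":
    for shared in (False, True):
        label = "shared" if shared else "per-node"
        print(label,
              "admitted:", admitted(build_cluster(3, 100, shared), "alice", 500),
              "replay via other node:", replay_result(build_cluster(3, 100, shared)))
```

With per-node state the customer is admitted up to the quota on every node and a replay sent to a different node is accepted; with the shared store the quota holds cluster-wide and the replay is rejected.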

January 4, 2011 This document is being provided for informational purposes only. Page 2 of 6
The information presented is accurate at the time of publication, but is subject to change.

Does CloudSpan require specialized tools or skills?


CloudSpan includes an intuitive, graphical policy editor and composer (Layer 7 Policy Manager),
allowing anyone with basic scripting skills to create as simple or as complex a policy as required. No
knowledge of XSLT or other complex programming languages is required. More than 70 pre-made
policy assertions are provided out of the box to help you get started.
• Compose inheritable policy statements
• Branch policy execution based on logical conditions, message content, externally retrieved
data or transaction specific environment variables
• Create service and operation-level policies using inheritance, simplifying administration

Is CloudSpan extensible?
CloudSpan offers a Custom Policy Assertion SDK, which gives developers the ability to extend the
rich palette of Layer 7 policy assertions in order to customize the out-of-the-box functionality to their
specific requirements.

Custom assertions can be created for proprietary message processing, pattern recognition and filtering,
as well as interfacing to third-party products, such as identity management infrastructure, network
monitoring applications, or anti-virus systems – all without requiring an application server to run the
custom code.

Using Java, programmers can create a Layer 7-compatible .jar file that includes all required code
and/or interfaces to third-party APIs. Uploading the .jar file to CloudSpan will make it available for
use within the policy editor and composer as a policy assertion, which can then be incorporated into
both new and existing policies as required.

Can I publish/update policies on a live “in production” CloudSpan device?


Yes, while it’s not recommended that new policies be created and implemented on a production
version of CloudSpan, it is possible to do so: the next message processed by CloudSpan will be subject
to the new/updated policy.

The recommended practice is to migrate a tested policy from a QA/test environment to the production
CloudSpan device, and then publish it live. In either case, there’s no need to bring down and restart the
system to implement new/updated policies.

Is CloudSpan upgradeable?
CloudSpan provides maintenance releases as packaged software updates, and major releases as
packaged migration upgrades. Both updates and upgrades can be implemented without requiring
professional services; can be implemented remotely on soft appliances; and can be rolled back, if
necessary.

Customers that purchase software or VMware versions of the CloudSpan appliance and remain current
on their Support and Maintenance are entitled to soft appliance upgrades at no charge.

For those customers that remain current on their Support and Maintenance, Layer 7 will refresh their
hardware platform when it becomes EOL for a nominal fee. Customers are entitled to retain their old
appliance hardware – there is no need to return it to Layer 7.


What third-party identity products does CloudSpan support?


CloudSpan supports integration with leading identity, access, SSO and federation systems, including
LDAP, Microsoft Active Directory/Federated Services, Oracle Access Manager, IBM Tivoli (TAM
and TFIM), CA SiteMinder, Sun Java Access Manager and Novell Access Manager.

Which protocols and standards does CloudSpan support?


CloudSpan supports most common Web services/Web 2.0 and PKI standards, as well as a number of
transport and security protocols, including:

XML 1.0 | SOAP 1.2 | REST | AJAX
FIPS 140-2 Level 3 | Kerberos | W3C XML Signature 1.0 | MQ Series
SNMP | IMAP4 | W3C XML Encryption 1.0 | Tibco EMS
SMTP | HTTP/HTTPS | X.509 v3 Certificates | FTP
POP3 | JMS 1.0 | SSL/TLS 1.1 / 3.0 | WS-Security 1.1
WS-Trust 1.0 | WS-Federation | WS-Addressing | WS-SecureConversation
WS-Policy | WS-SecurityPolicy | WS-MetadataExchange | WS-PolicyAttachment
WS-I | WSIL | WS-SecureExchange | WS-I BSP
WSDL 1.1 3.0 | XACML 2.0 | SAML 1.1/2.0 | XML Schema
XPath 1.0 | XSLT 1.0 | UDDI | LDAP 3.0
PKCS #10

How is the Layer 7 SSG AMI priced?


The Layer 7 SecureSpan XML Networking Gateway Amazon Machine Image (SSG AMI) is available
for purchase under a number of models, including:

Perpetual License – customers who have purchased a SecureSpan XML Networking Gateway or
CloudSpan license can opt to run that license on Amazon Web Services Elastic Cloud Compute
(AWS EC2) employing the Layer 7 XML Networking Gateway AMI.*

Lease/Rent – customers can pay a set monthly fee to Layer 7 for the right to use the SSG AMI.*

Utility Pricing – customers can also “pay as you go” based on the size of the instance (i.e., # of
CPU equivalents) and the number of hours run.*
*Costs charged by Amazon for CPU usage, storage, data transfer, etc. are an additional cost
to the customer.

What is the best practice for scaling Layer 7 AMIs?


AWS supports both scaling up (running on a single, larger instance that has more computing resources)
and scaling out (adding more instances). Scaling up makes sense for applications that have a steady
workload with little variance over a typical day or week. Scaling out makes more sense for
applications whose workload varies on an hourly or daily basis.


For fail-over purposes, as well as the ability to take advantage of EC2’s Auto Scaling capabilities to
handle performance spikes, Layer 7 recommends scaling out. The best practice for scaling out involves
creating a reserved instance for each AMI to be run. Reserved instances require a one-time, upfront
payment per instance, in exchange for which:

• Time to availability is almost instantaneous (compared to on demand instances, which can
introduce a significant lag as resources are spun up)

• Configuration data is preserved (the image can be preconfigured and is essentially left on stand-by
ready for use; on demand instances need to be configured as they come online)

• Static IP addresses are assigned (on demand instances have randomly assigned IP addresses,
introducing configuration overhead)

What is the best practice for upgrading SSG AMIs?


There are two approaches that customers can choose between, depending on their own internal IT best
practices:

• Recommended: customers can choose to spin up the latest SSG AMI registered in the AWS EC2
catalog, and then just export policies from their existing AMI and import their policies into
the new AMI.
o Pros: smoother cutover between old/new SSG AMI
o Cons: customers will need to configure the new SSG AMI

• Alternative: customers can also choose to apply the RPM patch that Layer 7 makes available for
upgrade purposes to their existing SSG AMI.
o Pros: No need to reconfigure the SSG AMI
o Cons: Need to offline the SSG AMI while the RPM is being applied

Can the SSG AMI utilize RightScale’s EC2 provisioning capabilities?


Layer 7 has been working closely with RightScale to create an Amazon Machine Image that can
automate much of the provisioning and configuration details customers currently must perform
manually. This functionality is currently undergoing testing and is not yet widely available.

Can the SSG AMI utilize Amazon’s Elastic Block Storage (EBS)?
Currently, the SSG AMI does not take advantage of EBS.

However, it does support Amazon’s Relational Data Store (RDS), which can be utilized instead of the
SSG’s MySQL database in order to provide for greater reliability (RDS can be used to persist data
even if the SSG AMI goes down); enhanced performance (RDS elastically scales in a seamless manner
as load/demand increase); and backup (storing configuration files in RDS simplifies recovery).

Are SSG AMIs public or private images?


Public images are AMIs that vendors have made available to the general public. They tend to be
Commercial Off-The-Shelf (COTS) resources that customers can purchase/lease/rent, and then tailor to
their specific needs. For example, the SSG AMI is a public image, generally available for any
customer to purchase from the AWS EC2 catalog.


Private images are AMIs that customers have purchased/leased/rented from a vendor in the AWS EC2
catalog and then secured for their own use using Amazon’s key pair technology, which ensures against
unauthorized usage.

Does the SSG AMI work with Amazon CloudFront?


Yes, customers can utilize Amazon’s CloudFront capabilities in conjunction with the SSG AMI.
CloudFront provides customers with load balancing, firewalling and IaaS management capabilities
which can be used to ensure the SSG AMI (and associated services) are properly utilizing EC2
resources.

Customers may also want to purchase the Layer 7 Enterprise Service Manager (ESM), which allows
them to manage and track/report on the performance of each SSG AMI, as well as each individual
service being proxied.

What performance can be expected for the SSG AMI?


XML processing performance will vary depending on the resources dedicated to the SSG AMI. AWS
EC2 offers a number of different instance sizes that come with a preset, base amount of standard
computing resources:

Size | CPU Equivalents | Memory | Platform
Small | 1 (1 virtual core with 1 EC2 Compute Unit) | 1.7GB | 32-bit
Large | 4 (2 virtual cores with 2 EC2 Compute Units each) | 7.5GB | 64-bit
Extra Large | 8 (4 virtual cores with 2 EC2 Compute Units each) | 15GB | 64-bit
Double Extra Large | 13 (4 virtual cores with 3.25 EC2 Compute Units each) | 34.2GB | 64-bit
Quadruple Extra Large | 26 (8 virtual cores with 3.25 EC2 Compute Units each) | 68.4GB | 64-bit

The following graph shows SSG AMI XML processing performance for 1KB and 10KB messages on
AWS EC2’s “small” instance:
[Graph: Requests/sec by Message Size]

In general, the larger the instance size, the better the performance will be (all other factors being
equal).
