What is CloudSpan?
CloudSpan is Layer 7’s newest family of XML-based products specifically designed to help
enterprises solve their issues around securely connecting to, deploying in, and publishing from the
cloud:
• CloudSpan CloudConnect allows enterprises to safely consume SaaS and cloud-based
services by providing not only secure single sign-on, but also secure, bi-directional
application integration.
• The cloud is the new DMZ. CloudSpan CloudProtect is designed to deliver DMZ-level
security in public and private clouds by providing a hardened virtual application container in
which organizations can deploy their enterprise applications.
• CloudSpan CloudControl allows cloud-based service providers to secure, manage and
publish their application APIs to partners, customers, and other third-parties using
policy-driven controls.
CloudSpan also supports cluster-wide rate limiting, which allows organizations to meter service usage
in order to take some action when a preset threshold is reached. For example, telcos that meter usage
of cellular SMS services can use CloudSpan to block access to the service when the customer’s
contractual quota is exceeded. Because the clustered devices maintain and update a shared counter,
metering is always accurate. This capability also allows SecureSpan to provide effective protection
against replay attacks.
January 4, 2011 This document is being provided for informational purposes only. Page 2 of 6
The information presented is accurate at the time of publication, but is subject to change.
FREQUENTLY ASKED QUESTIONS
Is CloudSpan extensible?
CloudSpan offers a Custom Policy Assertion SDK, which gives developers the ability to extend the
rich palette of Layer 7 policy assertions in order to customize the out-of-the-box functionality to their
specific requirements.
Custom assertions can be created for proprietary message processing, pattern recognition and filtering,
as well as interfacing to third-party products, such as identity management infrastructure, network
monitoring applications, or anti-virus systems – all without requiring an application server to run the
custom code.
Using Java, programmers can create a Layer 7-compatible .jar file that includes all required code
and/or interfaces to third-party APIs. Uploading the .jar file to CloudSpan will make it available for
use within the policy editor and composer as a policy assertion, which can then be incorporated into
both new and existing policies as required.
The recommended practice is to migrate a tested policy from a QA/test environment to the production
CloudSpan device, and then publish it live. In either case, there’s no need to bring down and restart the
system to implement new/updated policies.
Is CloudSpan upgradeable?
CloudSpan provides maintenance releases as packaged software updates, and major releases as
packaged migration upgrades. Both updates and upgrades can be implemented without requiring
professional services; can be implemented remotely on soft appliances; and can be rolled back, if
necessary.
Customers that purchase software or VMware versions of the CloudSpan appliance and remain current
on their Support and Maintenance are entitled to soft appliance upgrades at no charge.
For those customers that remain current on their Support and Maintenance, Layer 7 will refresh their
hardware platform when it becomes EOL for a nominal fee. Customers are entitled to retain their old
appliance hardware – there is no need to return it to Layer 7.
PKCS #10
• Perpetual License – customers who have purchased a SecureSpan XML Networking Gateway or
CloudSpan license can opt to run that license on Amazon Web Services Elastic Cloud Compute
(AWS EC2) employing the Layer 7 XML Networking Gateway AMI.*
• Lease/Rent – customers can pay a set monthly fee to Layer 7 for the right to use the SSG AMI.*
• Utility Pricing – customers can also “pay as you go” based on the size of the instance (i.e., # of
CPU equivalents) and the number of hours run.*
*Costs associated with CPU usage, storage, data transfer, etc., charged by Amazon would be an
additional cost to the customer.
For fail-over purposes, and to take advantage of EC2’s Auto Scaling capabilities to
handle performance spikes, Layer 7 recommends scaling out. Best practice for scaling out involves
creating a reserved instance for each AMI to be run. Reserved instances require a one-time, upfront
payment per instance in exchange for which:
• Configuration data is preserved (the image can be preconfigured and is essentially left on stand-by
ready for use; on-demand instances need to be configured as they come online)
• Static IP addresses are assigned (on-demand instances have randomly assigned IP addresses,
introducing configuration overhead)
• Recommended: customers can choose to spin up the latest SSG AMI registered in the AWS EC2
catalog, and then just export policies from their existing AMI and import their policies into
the new AMI.
o Pros: smoother cutover between old/new SSG AMI
o Cons: customers will need to configure the new SSG AMI
• Alternative: customers can also choose to apply the RPM patch that Layer 7 makes available for
upgrade purposes to their existing SSG AMI.
o Pros: No need to reconfigure the SSG AMI
o Cons: Need to offline the SSG AMI while the RPM is being applied
Can the SSG AMI utilize Amazon’s Elastic Block Storage (EBS)?
Currently, the SSG AMI does not take advantage of EBS.
However, it does support Amazon’s Relational Data Store (RDS), which can be utilized instead of the
SSG’s MySQL database in order to provide for greater reliability (RDS can be used to persist data
even if the SSG AMI goes down); enhanced performance (RDS elastically scales in a seamless manner
as load/demand increase); and backup (storing configuration files in RDS simplifies recovery).
Private images are AMIs that customers have purchased/leased/rented from a vendor in the AWS EC2
catalog and then secured for their own use using Amazon’s key pair technology, which ensures against
unauthorized usage.
Customers may also want to purchase the Layer 7 Enterprise Service Manager (ESM), which allows
them to manage and track/report on the performance of each SSG AMI, as well as each individual
service being proxied.
Large | 4 (2 virtual cores with 2 EC2 Compute Units each) | 7.5GB | 64-bit
Extra Large | 8 (4 virtual cores with 2 EC2 Compute Units each) | 15GB | 64-bit
Double Extra Large | 13 (4 virtual cores with 3.25 EC2 Compute Units each) | 34.2GB | 64-bit
Quadruple Extra Large | 26 (8 virtual cores with 3.25 EC2 Compute Units each) | 68.4GB | 64-bit
The following graph shows SSG AMI XML processing performance for 1KB and 10KB messages on
AWS EC2’s “small” instance:
[Graph: Requests/sec by Message Size]
In general, the larger the instance size, the better the performance will be (all other factors being
equal).