
Q&A Layer7 User Group

Thanks for joining our Layer7 user group. During the digital event a lot of knowledge was exchanged by our presenters.

A lot of questions were also asked in the dedicated chat during the event. We didn’t get around to answering each and every one, but we collected them on this page. Should you have any other questions, please do feel free to contact us.

Q: It seems like Enable U is focusing more on managing a cloud infrastructure as well (alongside integrations). What are the reasons for not choosing to work with a partner who is more experienced and specialized in managing cloud/container infrastructures?

A: This webinar is specifically meant for Layer 7 users. Besides Layer 7 we also have our own cloud solution for which we work with partners regarding the cloud infrastructure.

Q: When will Enable U (together with Broadcom) organise another online event like this? Or is this a one-time event?

A: We organise events on a very regular basis, both “live” and virtual, such as this dedicated Layer7 User Group webinar, which takes place every year. Please do visit our event page to see and register for our upcoming events.

Q: What are the considerations for upgrading from 10.1 to 11.0 versus 10.1 to 11.1 CR1?

A: The latest CR will include new features but also resolved issues (like CVE updates!) in the software (see release notes).

Q: Are you considering supporting federated APIM with the portal?

A: Does “federated APIM” mean the ability to expose APIs that are from other than Layer7 vendors into the Layer7 Portal?
If so, we understand this is part of the Gartner hype cycle and something that we may consider as a long term goal. Keen to also discuss it with your customers that have a real need for it.

Q: What is the added value (i.e. benefits) of adding “Portal 5.2.3” alongside the “API Gateway” in an on-premise infrastructure?

A: See Introduction: Layer7 API Developer Portal (broadcom.com)

Q: Can upgrade of the portal be done by exporting the db from 5.1 and exporting in 5.2?

A: Yes, a Portal v5.2 can be set up using a copy of (or the existing) database for v5.1. On startup of v5.2 the v5.1 database will be migrated to v5.2.

Q: Is there a .vhd image of the 11 release of the gateway which we can use in a Hyper-V environment?

A: No, Azure VHD images are not available anymore starting v11.0 (deprecated since v10.1)

Q: Only websocket support or also SSE?

A: SSE is supported by the gateway, without inspection of the content that is being streamed between the back-end and the front-end.


Q: Can’t you extend v10 support to provide customers the opportunity to upgrade from v10 to v11.1 instead of v10 to v11.0 to v11.1?

A: EOS of v10.1 is a result of CentOS Linux 7 reaching end of life (EOL) on June 30, 2024. Broadcom is targeting the release of 11.1 end of April so this will actually be before EOS 10.1. Extended support for 10.1 including OS patches will be available for customers, but comes with an extra cost.

Q: Any plans for a completely renewed Policy Manager including e.g. OAuth authentication for users?

A: The short term plan is to provide the ability to write policies as code. This should be available during the current PI in April 2024, see Layer7 Work in Progress Update – PI36 (broadcom.com)
At the same time, we recognize that customers still want a more modern and unified UI for managing Layer7 products as compared to what’s currently available in Policy Manager and/or the API Developer Portal. We’ve begun a next generation management interface initiative, starting with stakeholder interviews, to focus on that.
When we begin implementing the new UI, we will be focused on delivering incremental value by focusing on supporting customers’ most common use cases for specific user profiles. The short term goal would be to provide a new UI that is an easier to access and use alternative to existing UIs for those purposes. A long term goal might be to completely replace one or more existing UIs with a combination of the new UI and APIs approved by our customers.
This initiative applies to all customers, whether they only use the Layer7 API Gateway; or whether they also use the OTK and/or Layer7 API Developer Portal. We welcome interested participants.

Q: How can we get a GUI update of the policy manager on the backlog?

A: See answer above.

Q: Any plans for adding a more user friendly feature for migrating a policy from dev to production…like for example the gateway manager from Apiida.com?

A: Broadcom will give you the tools to integrate in your choice of devops migration tooling. As an alternative to Restman, the Graphman interface will be faster and more feature rich to support this and will extend this to cloud-native means using repositories. (The Apiida Gateway Manager is such a tool and uses restman or graphman).

Q: We are trying to figure out our architecture in the cloud (containerized). For the ephemeral gateway we see an issue with the portal enrollment as that is a manual action through the policy manager. Is there a workaround for that?

A: There is currently no workaround for this; the ephemeral gateway does not work with the dev portal. There are other options, though, such as using restman or graphman to create bundles for deployments.

Q: How does the container gateway relate to the NLX, common ground vision? Or is this presentation more for organizations that are planning to manage their gateway in their (own) cloud infrastructure?

A: The container gateway fits perfectly into the NLX common ground vision as its aim is to reduce the reliance on a monolithic architecture. By design the container gateway is able to run multiple gateways, which is much easier to scale up and down than it was previously. NLX is moving away from NLX compulsory software to the common FSC standard to be able to create your own implementation (e.g. using the L7 gateway).

Q: For the CGW with external DB: we foresee an issue with LCM upgrades. Example: When container A runs on version 10.0 and we spin up another container B that just got upgraded to 10.1, container B will update the database to its version on startup. However container A still uses the database so that one will be down, while container B is still starting up thus giving downtime. What is your advice for those problems?

A: Using an external database you can upgrade the database while an older version is still running. It should not give problems as the container does not check with the database constantly. However, do keep in mind other reasons that you might need to scale down completely as Menno answered in the case of Hazelcast. A way around this would be by creating a separate deployment with the new version and then having the load balancers switch to the new deployment, that way you could do the upgrade without any downtime.

Q: We also noticed there is no implementation for the MAG extension for containers, is that coming soon?

A: As the number of customers using MAG is definitely not as high as the OTK, we do not currently have a plan to support it through Helm charts. Headless installation or installing through the Policy Manager would be the right way to install it.

Q: If organisations are planning to migrate their API Gateway from on-premise to cloud… what are the considerations (or added value) for choosing the container version of Layer7 API gateway … versus another cloud API gateway product/vendor?

A: The Layer7 gateway is platform agnostic. It provides you with the ability to orchestrate services from different cloud providers as well as internal services. It also provides you the ability to implement business and security logic in an independent way from the cloud providers. It has also been observed that the cloud provider gateways are more limited and would require additional custom (and often costly) developments. Overall, cloud provider gateways appear to have stickiness with the cloud provider services and therefore lack the flexibility/openness that can be provided by a vendor agnostic gateway such as Layer7.

Q: What is the best practice to upgrade without any downtime (other than setting up an extra environment and making a switchover)?

A: In general, you have the following options:
• Patch upgrade (for minor versions. With gateway 11 / Debian, we also plan to make this possible for major versions)
• Extending an existing cluster with additional gateways that are with the latest version. But that works only if you don’t have to do a DB upgrade (i.e. the same DB version can be used for the two different gateway versions)
• Setting up a new cluster behind the same LB and switching traffic at the LB side. This is especially true when the above approach does not work.

Q: Do you expect another migration scenario from 11.x to 12.x… in the future? Hopefully not. And is it possible to migrate from 10.1 to 11.1 (and skipping 11.0)?

A: Major MySQL version change, OS change.
Always check release notes before upgrading to a next CR or major version!

Q: Can’t you migrate the 9.x policies to 11.x?

A: You should be able to do so using the GMU. But you need to check if your policies are using custom assertions that need to be recompiled. Good preparation and testing is needed.

Q: Considering that the pipeline from dev to prod can be a potential bottleneck, what is the reason behind the hard deadline of “end of support”? Why not move the date instead of offering extended support?

A: EOS of v10.1 is a result of CentOS Linux 7 reaching end of life (EOL) on June 30, 2024. Extended support for 10.1 including OS patches will be available for customers, but comes with an extra cost. EOS was announced quite a while ago and v11 has been out for a year now! See also Support Content Notification – Support Portal – Broadcom support portal

Q: Can I assume that the monthly platform patch procedure will remain the same? (10.x versus 11.x)

A: That is correct.

Q: To what extent is it possible to automate the monthly platform patch?

A: This can be automated using command line options. E.g. a tool like Ansible can be used for this. Contact Enable U for more information.