
Roche Improves Medical Device Management at the Edge with Isovalent and Cilium

Dean Lewis

Roche, a leader in healthcare based in Switzerland, specialises in pharmaceuticals and diagnostics. Its solutions are delivered to clients in various locations, such as laboratories, hospitals, pharmacies, doctors’ offices, and more. Managing these solutions across all these locations, where Roche lacks control of the IT facilities, can be problematic and had started to hamper further development of their Edge IT solutions and services. Watch the full recording of this session at CiliumCon EU 2024, or continue reading this summary to learn how Roche partnered with Isovalent and delivered the Cilium platform to overcome these challenges.

How Roche Manages Network Connectivity for 1000+ Edge Clusters

In this talk, Roche discuss the challenges of highly protected environments and show how leveraging Cilium Service Mesh can bring “the firewall” closer to the workloads.


Taking a step back, the platform engineering team at Roche understood they needed to rethink their current method of addressing their Edge IT issues and look towards a new Kubernetes-based solution. Recognising that their main issues were born from a lack of control over connectivity, Roche reached out to Isovalent, the leader in Cloud Native networking and security, to partner with them. The new solution also had to alleviate the other main issue: a lack of automation when deploying new and updated software versions to the devices. This was caused by the different libraries and languages used by differing software and hardware, by various monitoring and logging offerings, and by other custom-built instances supporting the bespoke needs of certain deployments at customer sites.

Managing Devices at the Edge is Hard

When you build managed solutions that are shipped off to be run by your clients in their own locations, with little control over the IT environment, you can encounter an enormous number of challenges.

  • Physical and Digital Storage Constraints – Roche engineers had little control over where the edge devices would be deployed. Given the limited space in which these devices could be deployed, they knew they’d need to build compact devices with limited storage capacity.
  • Data Protection and Resiliency – the design needed to account for data loss and outages that may occur due to environmental factors at the deployment location.
  • Complex Connectivity Requirements – the devices need to connect to many external services, as well as to future services that are not yet defined.

The platform engineering team constantly battled these issues, from creating methods to automate these remote devices’ updating and software control to submitting change requests for additional egress rules to allow their devices to connect from the customer locations to the various Roche-managed platforms. 

Managing the Edge IT infrastructure that makes up Roche’s solutions was not agile, with team members focused on support tasks rather than operational optimisation. 

“Each time we had a new software that interacted with devices, a team was assigned, bringing their own device and developing and building their own solution for logging, monitoring, and any other need. Lots of separate devices with different libraries and devices made this hard to automate and manage.”

Edgar Pardo – Platform Engineer

Isovalent and Cilium Service Mesh address connectivity challenges

To address their challenges as part of delivering their next-generation secure edge platform, Roche were looking for a partner with expertise in Cloud Native Networking and Security. Roche recognised that Isovalent, the creators of Cilium (the leading CNI for Kubernetes), were the right partner for them. The goal of the new edge platform was to deliver a full networking platform that offers flexibility to consume alongside their customers’ own IT requirements and high-performance connectivity at Edge IT locations under the control of external IT governance, without compromising the security and compliance requirements that come with operating in the medical industry. The delivery of this platform was backed by Isovalent Enterprise support and customer success teams.

Working with Roche, the Solution Architects at Isovalent mapped out the challenges of the current platform and listened to additional requirements for the new platform. Clearly, the new solution should offer features to reduce the overhead of managing deployments at different locations. The key need was to overcome the connectivity issues from the Roche-managed devices to the various endpoints and services external to their customers’ IT infrastructure. Ultimately, both Roche and their clients had the security of the IT services at the top of their minds; Roche couldn’t ask their customers to provide unlimited, unprotected external connectivity from the sites where the solutions are deployed.

After documenting the issues, requirements, and constraints, it was decided that Cilium Service Mesh would provide the necessary capabilities to achieve Roche’s desired outcome alongside a regional Kubernetes cluster that would centralize tunnelled connectivity from solutions running on customer sites to a Roche-managed environment that would then further control access to the necessary resources.

Roche - Use Case 1 - edge cloud connectivity with Cilium Service Mesh

Using Isovalent Enterprise for Cilium as the Kubernetes CNI for the new platform allowed Roche to take advantage of the Cilium Service Mesh features to redirect known HTTP/S traffic via the Envoy proxy. From there, a rule set could be implemented to steer the traffic to the correct Roche-controlled endpoints. Any traffic that was not destined for a known endpoint could be denied within the Roche-managed solution before it ever reached the customer’s network.

Any traffic designated for a Roche endpoint could be encapsulated and forwarded to a Cloudflare tunnel, a consistent, known endpoint whose addresses could be provided to the customer’s IT team to be allowed on their network. This reduced the need to repeatedly request firewall changes from their customers in order to access new endpoints, such as new SaaS services used by the managed Roche solutions.

Delivering new features and backporting capabilities for Cilium with Isovalent

To achieve the above outcomes, Isovalent worked with Roche, designing and tailoring Cilium Service Mesh for their needs. Some of these features were also backported to older versions of Cilium, another key benefit of working with Isovalent Customer Success teams. 

Enhancements included:

“At the time, Cilium Service Mesh was not ready to fully address our use-case, so the team at Isovalent helped create those features for us”

Hector Monsalve – Platform Engineer

The result for Roche was a simplified new platform that reduced friction when working with their customers.

Examples of technical use cases addressed by the Cilium solution include:

  • Edge to Cloud Connectivity
    • A Roche Managed Solution needs to access a new cloud-based storage endpoint. This connection is tunnelled from the on-site solution to the centralised managed Roche Cluster, which then proxies it to the correct location.
    • Connections are allowed from the on-site solution using Cilium Network Policies.
  • Customer Proxy for outbound traffic
    • Many customers implement their own web security, such as proxies, for any externally bound traffic in their environments.
    • Cilium Service Mesh allows Roche to modify the traffic, including headers, as the proxy configuration allows.
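The egress model described above (connections from the on-site solution allowed only to known Roche-controlled endpoints, with known HTTP traffic steered through Envoy and everything else dropped before it reaches the customer network) can be expressed as a CiliumNetworkPolicy. The policy below is an added illustration, not Roche’s or Isovalent’s own configuration; the namespace, workload label, tunnel hostname and API paths are placeholders. Because the selected pods get an egress section, Cilium denies any egress the rules do not match.

```yaml
# Added example: egress allowlist for an on-site workload (placeholder values).
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: edge-egress-allowlist        # hypothetical policy name
  namespace: edge-solution            # assumed namespace of the on-site workload
spec:
  endpointSelector:
    matchLabels:
      app: device-gateway             # assumed label on the on-site pods
  egress:
    # 1. DNS to the cluster resolver. The L7 DNS rule lets Cilium observe
    #    the answers, which is what makes the toFQDNs rules below work.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s:k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
    # 2. Encapsulated traffic may only leave towards the tunnel entry point,
    #    the one stable address the customer's firewall team has to allow.
    - toFQDNs:
        - matchName: tunnel.example.invalid   # placeholder tunnel hostname
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
    # 3. Plain-HTTP calls to an internal endpoint are redirected through the
    #    Envoy proxy by the L7 rule, so only the listed method/path pairs pass.
    - toFQDNs:
        - matchName: api.example.invalid      # placeholder HTTP endpoint
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
          rules:
            http:
              - method: "GET"
                path: "/v1/storage/.*"
              - method: "PUT"
                path: "/v1/storage/.*"
    # Anything not matched by rules 1-3 is dropped at the pod, before it
    # touches the customer network; Hubble shows these as policy-denied flows.
```

Check the effect with `hubble observe --verdict DROPPED --namespace edge-solution` (the namespace is the placeholder from the policy) to confirm that unknown destinations are denied on the device rather than at the customer’s firewall.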

Other notable benefits stood out for the Roche team once the new solution was implemented. Network performance increased compared with the other proof-of-concept solutions they had tested for the new platform. Hubble provided network visibility to aid troubleshooting and the identification of traffic patterns, without needing to introduce new observability tooling into their managed solutions.

“We increased the network performance, levelled up network security and observability thanks to Hubble, and brought the firewall closer to our workloads”

Hector Monsalve – Platform Engineer

Learn More

This case study was based on the CiliumCon session “Meshing It up Securely: How Roche Manages Network Connectivity for 1000+ Edge Clusters” at KubeCon 2024 in Paris. The full recording is available on YouTube.

If you are a platform owner looking to enhance the networking and security capabilities of your cloud native platform, reach out to our Cilium Specialists at Isovalent. 

Want to learn hands-on technical details about the Cilium Security and Network Layer 7 features Roche uses? Visit our Isovalent Labs. 

Author: Dean Lewis, Senior Technical Marketing Engineer
