Roche Improves Medical Device Management at the Edge with Isovalent and Cilium
Roche, a leader in healthcare based in Switzerland, specialises in pharmaceuticals and diagnostics. Its solutions are delivered to clients in various locations, such as laboratories, hospitals, pharmacies, doctors’ offices, and more. Managing their solutions across all these locations, where they lack control of the IT facilities, can be problematic and had started to hamper further development of their Edge IT solutions and services. Watch the full recording of this session at CiliumCon EU 2024 or continue reading this summary to learn how Roche partnered with Isovalent and delivered the Cilium platform to overcome their challenges.
How Roche Manages Network Connectivity for 1000+ Edge Clusters
In this talk, Roche discuss the challenges of highly protected environments and show how leveraging Cilium Service Mesh can bring “the firewall” closer to the workloads.
Taking a step back, the platform engineering team at Roche understood they needed to rethink their current method of addressing their Edge IT issues and look towards a new Kubernetes-based solution. Recognising that their main issues were born from a lack of control over connectivity, Roche reached out to Isovalent, the leader in Cloud Native networking and security, to partner with them. This new solution not only had to work in harmony with the existing software stack but also had to provide more streamlined connectivity options to an ever-changing landscape of network devices and cloud services.
Managing Devices at the Edge is Hard
When you build managed solutions that are shipped off to be run by your clients in their own locations, with little control over the IT environment, you can encounter an enormous number of challenges.
- Physical and Digital Storage Constraints – Roche engineers had little control over where the edge devices would be deployed. Given the limited space in which these devices could be deployed, they knew they’d need to build compact devices with limited storage capacity.
- Data Protection and Resiliency – the design needed to account for data loss and outages that may occur due to environmental factors at the deployment location.
- Complex Connectivity Requirements – connecting to many external services, and possibly to as-yet-undefined future services, is necessary.
The platform engineering team constantly battled these issues, from creating methods to automate these remote devices’ updating and software control to submitting change requests for additional egress rules to allow their devices to connect from the customer locations to the various Roche-managed platforms.
“Each time we had a new product that had to interact with devices, the respective product team had to bring their own device and develop and build their own software stack for logging, monitoring, and any other need they have. Lots of separate devices with different libraries and devices made this hard to automate and manage.”
Edgar Pardo – Platform Engineer
Isovalent and Cilium Service Mesh address connectivity challenges
To address their challenges as part of delivering their next generation secure edge platform, Roche were looking for a partner with expertise in Cloud Native Networking and Security. Roche recognised that Isovalent, the creators of Cilium – the leading CNI for Kubernetes – were the right partner for them. The goal of the new edge platform was to deliver a full networking platform that offers flexibility to be consumed alongside their customers’ own IT requirements and high performance connectivity at Edge IT locations under the control of external IT governance, without compromising the security and compliance requirements that come with operating in the medical industry. The delivery of this platform was backed by Isovalent Enterprise support and customer success teams.
Working with Roche, the Solution Architects at Isovalent mapped out the challenges of the current platform and listened to additional requirements for the new platform. Clearly, the new solution should offer features to reduce the overhead of managing deployments at different locations. The critical need was to overcome the connectivity issues from the Roche-managed devices to the various endpoints and services external to their customer’s IT infrastructure. Ultimately, both Roche and their clients had the security of the IT services at the top of their minds; Roche couldn’t ask their customers to provide unlimited unprotected external connectivity from the sites where the solutions are deployed.
After documenting the issues, requirements, and constraints, it was decided that Cilium Service Mesh would provide the necessary capabilities to achieve Roche’s desired outcome alongside a regional Kubernetes cluster that would centralize tunnelled connectivity from solutions running on customer sites to a Roche-managed environment that would then further control access to the necessary resources.
Using Isovalent Enterprise for Cilium as the Kubernetes CNI for the new platform allowed Roche to take advantage of the Cilium Service Mesh features to redirect known HTTP/S traffic via the Envoy proxy. From here, a rule set could be implemented to steer the traffic to the correct Roche-controlled endpoints. Any traffic that was not connecting to a known endpoint could be denied within the Roche-managed solution before it hit the customer’s network.
Any traffic destined for a Roche endpoint could be encapsulated and forwarded to a Cloudflare tunnel, a consistent, known endpoint whose addresses could be provided to the customer’s IT team to be allowed on their network. This reduced the need to repeatedly request firewall changes from their customers to access new endpoints, such as new SaaS services used by the managed Roche solutions.
Delivering new features and backporting capabilities for Cilium with Isovalent
To achieve the above outcomes, Isovalent worked with Roche, designing and tailoring Cilium Service Mesh for their needs. Some of these features were also backported to older versions of Cilium, another key benefit of working with Isovalent Customer Success teams.
Enhancements included:
- Support for redirecting traffic to an Envoy listener using Cilium Network Policy
- Support for WebSocket tunnelling filters
“At the time, Cilium Service Mesh was not ready to fully address our use-case, so the team at Isovalent helped create those features for us”
Hector Monsalve – Platform Engineer
For Roche, the result was a simplified new platform that reduced friction when working with their customers.
Examples of technical use cases addressed by the Cilium solution include:
- Edge to Cloud Connectivity
  - A Roche Managed Solution needs to access a new cloud-based storage endpoint. This connection is tunnelled from the on-site solution to the centralised managed Roche Cluster, which then proxies it to the correct location.
  - Connections are allowed from the on-site solution using Cilium Network Policies.
- Customer Proxy for outbound traffic
  - Many customers implement their own web security, such as proxies, for any externally bound traffic in their environments.
  - Cilium Service Mesh allows Roche to modify the traffic, including headers, as the proxy configuration requires.
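The egress allow-list and the Envoy listener redirect described above, shown as an added example and not a policy from Roche or Isovalent: a CiliumNetworkPolicy that permits the selected workload to talk only to the cluster DNS and to one known tunnel hostname over HTTPS, handing that HTTPS flow to an Envoy listener for further steering. The policy name, namespace, workload label, tunnel hostname and the CiliumEnvoyConfig name are placeholders; the CiliumEnvoyConfig itself is not shown.

```yaml
# Added example (not from the original page): egress allow-list for an edge workload.
# Because the policy selects the workload and lists egress rules, Cilium denies any
# egress from it that is not matched below, before the traffic reaches the site network.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: edge-egress-allowlist        # placeholder policy name
  namespace: edge-platform            # placeholder namespace
spec:
  endpointSelector:
    matchLabels:
      app: device-agent               # placeholder label for the on-site workload
  egress:
  # 1. Allow DNS to the cluster resolver only, so the toFQDNs rule below can be
  #    resolved. The dns L7 rule lets Cilium observe the answers it enforces on.
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  # 2. Allow HTTPS to the single known tunnel endpoint and redirect that flow to
  #    an Envoy listener defined in a CiliumEnvoyConfig (assumed to exist), where
  #    the tunnelling/steering rules live. No other destinations are permitted.
  - toFQDNs:
    - matchName: tunnel.example.invalid   # placeholder tunnel hostname
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
      listener:
        envoyConfig:
          kind: CiliumEnvoyConfig
          name: edge-tunnel-listener        # placeholder CiliumEnvoyConfig name
        name: edge-tunnel-listener
```

Hubble flow output for this workload would then show matched flows as forwarded and everything else as policy-denied drops, which is a useful check that the allow-list is as narrow as intended.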
Other notable benefits that stood out for the Roche team once the new solution was implemented included the increase in network performance over the other proof-of-concept solutions they tested for the new platform, and the implementation of Hubble, which provides network visibility to aid troubleshooting and identification of traffic patterns without needing to introduce new observability tooling into their managed solutions.
“We increased the network performance, levelled up network security and observability thanks to Hubble, and brought the firewall closer to our workloads”
Hector Monsalve – Platform Engineer
Learn More
This case study was based on the CiliumCon session “Meshing It up Securely: How Roche Manages Network Connectivity for 1000+ Edge Clusters” at KubeCon 2024 in Paris. The full recording is available on YouTube.
If you are a platform owner looking to enhance the networking and security capabilities of your cloud native platform, reach out to our Cilium Specialists at Isovalent.
Want to learn hands-on technical details about the Cilium Security and Network Layer 7 features Roche uses? Visit our Isovalent Labs.
Dean Lewis is a Senior Technical Marketing Engineer at Isovalent – the company behind the open-source cloud native solution Cilium.
Dean has had a varied background working in technology, from support to operations to architectural design and delivery at IT Solutions Providers based in the UK, before moving to VMware and focusing on cloud management and cloud native, which remains his primary focus. Dean has spoken, and continues to speak, at various Technology User Groups and Industry Conferences, and writes on his personal blog.