SASE Framework Site Reliability SRE คืออะไร
SASE (Secure Access Service Edge) เป็น framework ที่รวม network security และ WAN capabilities เข้าด้วยกันเป็น cloud-delivered service เดียว ออกแบบโดย Gartner ในปี 2019 ประกอบด้วย SD-WAN, CASB, FWaaS, ZTNA และ SWG
Site Reliability Engineering (SRE) คือแนวปฏิบัติจาก Google ที่ใช้ software engineering แก้ปัญหา operations เน้น reliability, scalability และ automation
การรวมสองแนวคิดนี้ช่วยให้องค์กรมี network security ที่ reliable, observable และ automated ด้วย SRE principles
SASE Architecture Components
# sase_arch.py — SASE architecture components
import json
class SASEArchitecture:
    """Reference catalogue of the five SASE building blocks and major vendors.

    ``COMPONENTS`` and ``VENDORS`` are class-level lookup tables; the
    ``show_*`` methods only print them and return ``None``.
    """

    COMPONENTS = {
        "sdwan": {
            "name": "SD-WAN (Software-Defined WAN)",
            "description": "จัดการ WAN connections อัจฉริยะ — route traffic ตาม policy, performance",
            "benefit": "ลดค่า MPLS, เพิ่ม bandwidth, improve application performance",
        },
        "ztna": {
            "name": "ZTNA (Zero Trust Network Access)",
            "description": "ไม่เชื่อถือใคร — verify ทุก user/device ก่อนให้ access",
            "benefit": "แทน VPN — secure remote access, micro-segmentation",
        },
        "casb": {
            "name": "CASB (Cloud Access Security Broker)",
            "description": "ควบคุม access ไป cloud applications (SaaS)",
            "benefit": "Visibility, compliance, data protection สำหรับ SaaS",
        },
        "fwaas": {
            "name": "FWaaS (Firewall as a Service)",
            "description": "Cloud-based firewall — inspect traffic โดยไม่ต้อง hardware",
            "benefit": "Scalable, centralized policy, no hardware to manage",
        },
        "swg": {
            "name": "SWG (Secure Web Gateway)",
            "description": "กรอง web traffic — block malware, phishing, inappropriate content",
            "benefit": "Protect users browsing, enforce acceptable use policy",
        },
    }

    VENDORS = {
        "zscaler": {"name": "Zscaler", "strength": "Cloud-native, largest SASE cloud"},
        "palo_alto": {"name": "Palo Alto Prisma SASE", "strength": "Comprehensive, strong NGFW heritage"},
        "cloudflare": {"name": "Cloudflare One", "strength": "Global edge network, developer-friendly"},
        "netskope": {"name": "Netskope", "strength": "Best CASB, data-centric security"},
        "fortinet": {"name": "Fortinet SASE", "strength": "Integrated with FortiGate ecosystem"},
    }

    def show_components(self):
        """Print each component as a bracketed name, description, benefit and a blank line."""
        print("=== SASE Components ===\n")
        for component in self.COMPONENTS.values():
            block = (
                f"[{component['name']}]",
                f" {component['description']}",
                f" Benefit: {component['benefit']}",
                "",
            )
            # Joining with a trailing empty element reproduces the blank separator line.
            print("\n".join(block))

    def show_vendors(self):
        """Print one ``[name] strength`` line per vendor under a header."""
        print("=== SASE Vendors ===")
        for vendor in self.VENDORS.values():
            print(f" [{vendor['name']}] {vendor['strength']}")
# Demo driver: print the component catalogue followed by the vendor list.
sase = SASEArchitecture()
for show in (sase.show_components, sase.show_vendors):
    show()
SRE Principles for SASE
# sre_principles.py — SRE principles applied to SASE
import json
class SREForSASE:
    """Catalogue of SRE principles with their SASE-specific application and examples.

    ``PRINCIPLES`` is a class-level table; ``show_principles`` prints a short
    summary (only the first two examples per principle) and returns ``None``.
    """

    PRINCIPLES = {
        "slo": {
            "name": "SLOs (Service Level Objectives)",
            "sase_application": "กำหนด target uptime และ latency สำหรับ SASE services",
            "examples": [
                "ZTNA availability: 99.99% uptime",
                "SD-WAN latency: P95 < 50ms within region",
                "SWG throughput: > 10 Gbps per PoP",
                "FWaaS policy update: < 60 seconds propagation",
            ],
        },
        "error_budget": {
            "name": "Error Budget",
            "sase_application": "จำนวน downtime ที่ยอมรับได้ต่อเดือน",
            "examples": [
                "99.99% SLO = 4.32 minutes downtime/month",
                "ถ้า error budget หมด → freeze changes, focus reliability",
                "ถ้า error budget เหลือ → deploy features, experiment",
            ],
        },
        "toil_reduction": {
            "name": "Toil Reduction",
            "sase_application": "Automate repetitive SASE operations",
            "examples": [
                "Auto-provision ZTNA policies for new employees",
                "Auto-block IPs from threat intelligence feeds",
                "Auto-scale SD-WAN bandwidth based on usage",
                "Auto-remediate certificate expiry",
            ],
        },
        "observability": {
            "name": "Observability",
            "sase_application": "ดูได้ทุกอย่างใน SASE stack — logs, metrics, traces",
            "examples": [
                "Dashboard: real-time traffic flow, threat blocks, user sessions",
                "Alerting: latency spike, policy violation, certificate expiry",
                "Tracing: track request path through SASE components",
            ],
        },
        "incident_management": {
            "name": "Incident Management",
            "sase_application": "ตอบสนอง SASE incidents อย่างเป็นระบบ",
            "examples": [
                "On-call rotation สำหรับ network/security team",
                "Runbooks สำหรับ common SASE issues",
                "Blameless post-mortems หลังทุก incident",
            ],
        },
    }

    def show_principles(self):
        """Print every principle: header, application line, first two examples, blank line."""
        print("=== SRE Principles for SASE ===\n")
        for principle in self.PRINCIPLES.values():
            print(f"[{principle['name']}]")
            print(f" {principle['sase_application']}")
            # Keep the summary short: only the first two examples are shown.
            first_two = principle["examples"][:2]
            for example in first_two:
                print(f" • {example}")
            print()
# Demo driver: print the SRE-for-SASE principle summary.
sre = SREForSASE()
SREForSASE.show_principles(sre)
Automation & Infrastructure as Code
# automation.py — SASE automation with IaC
import json
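class SASEAutomation:
    """Holds two display-only sample snippets for SASE infrastructure automation.

    ``TERRAFORM`` is an HCL example (Cloudflare provider) and ``PYTHON_API`` a
    Python example of driving a SASE policy API. Neither is executed here; the
    ``show_*`` methods print a prefix of each for documentation purposes.

    The Python sample sets a request timeout, checks HTTP status before
    parsing JSON, reads its API key from the environment instead of the
    source file, and filters the downloaded threat feed before turning it
    into a block rule.
    """

    TERRAFORM = """
# sase_infra.tf — Terraform for SASE configuration
terraform {
  required_providers {
    cloudflare = {
      source = "cloudflare/cloudflare"
      version = "~> 4.0"
    }
  }
}

# Zero Trust Access Policy
resource "cloudflare_access_application" "internal_app" {
  zone_id = var.zone_id
  name = "Internal Dashboard"
  domain = "dashboard.example.com"
  session_duration = "24h"
  cors_headers {
    allowed_origins = ["https://dashboard.example.com"]
  }
}

resource "cloudflare_access_policy" "engineering_team" {
  application_id = cloudflare_access_application.internal_app.id
  zone_id = var.zone_id
  name = "Engineering Team Access"
  precedence = 1
  decision = "allow"
  include {
    group = [cloudflare_access_group.engineering.id]
  }
  require {
    device_posture = [cloudflare_device_posture_rule.corp_managed.id]
  }
}

# Gateway Policy (SWG)
resource "cloudflare_teams_rule" "block_malware" {
  account_id = var.account_id
  name = "Block Malware Domains"
  description = "Block known malware domains"
  precedence = 1
  action = "block"
  enabled = true
  traffic = "any(dns.domains[*] in $malware_domains)"
  rule_settings {
    block_page_enabled = true
    block_page_reason = "This site has been blocked for security reasons."
  }
}

# Tunnel (replace VPN)
resource "cloudflare_tunnel" "corp_tunnel" {
  account_id = var.account_id
  name = "corp-datacenter"
  secret = var.tunnel_secret
}
"""

    PYTHON_API = """
# sase_api.py — SASE policy automation
import os
import requests


class SASEPolicyManager:
    # Seconds to wait on every API call; without a timeout a hung endpoint
    # would block the provisioning job indefinitely.
    TIMEOUT = 10

    def __init__(self, api_url, api_key):
        self.base_url = api_url
        self.headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}

    def create_ztna_policy(self, name, users, applications, conditions=None):
        policy = {
            "name": name,
            "users": users,
            "applications": applications,
            "action": "allow",
            "conditions": conditions or {
                "device_trust": "managed",
                "mfa": True,
                "geo_restrict": ["TH", "SG", "JP"],
            },
        }
        resp = requests.post(
            f"{self.base_url}/policies", headers=self.headers, json=policy, timeout=self.TIMEOUT
        )
        resp.raise_for_status()  # fail loudly on 4xx/5xx instead of returning an error body
        return resp.json()

    def auto_provision_new_employee(self, employee):
        dept_policies = {
            "engineering": ["gitlab", "jira", "aws-console", "grafana"],
            "marketing": ["hubspot", "analytics", "cms"],
            "finance": ["erp", "banking", "reports"],
        }
        apps = dept_policies.get(employee["department"], [])
        return self.create_ztna_policy(
            name=f"auto-{employee['email']}",
            users=[employee["email"]],
            applications=apps,
        )

    def update_threat_feeds(self, feed_url):
        resp = requests.get(feed_url, timeout=self.TIMEOUT)
        resp.raise_for_status()
        # The feed is external input: keep only non-empty, non-comment lines so a
        # malformed download cannot push junk entries into the block rule.
        domains = [
            line.strip()
            for line in resp.text.split("\\n")
            if line.strip() and not line.lstrip().startswith("#")
        ]
        block_rule = {
            "name": "Auto-updated Threat Block",
            "action": "block",
            "domains": domains,
            "updated_at": "auto",
        }
        resp = requests.put(
            f"{self.base_url}/gateway-rules/threat-block",
            headers=self.headers,
            json=block_rule,
            timeout=self.TIMEOUT,
        )
        resp.raise_for_status()
        return resp.json()


# The API key comes from the environment (variable name is illustrative)
# rather than being hard-coded in the source file.
manager = SASEPolicyManager("https://api.sase.example.com", os.environ["SASE_API_KEY"])
manager.auto_provision_new_employee({
    "email": "new.dev@company.com",
    "department": "engineering",
})
"""

    def show_terraform(self, limit=600):
        """Print a header and the first ``limit`` characters of ``TERRAFORM``.

        Args:
            limit: number of characters of the sample to print (default 600,
                matching the original preview length).
        """
        print("=== Terraform SASE Config ===")
        print(self.TERRAFORM[:limit])

    def show_api(self, limit=500):
        """Print a header and the first ``limit`` characters of ``PYTHON_API``.

        Args:
            limit: number of characters of the sample to print (default 500,
                matching the original preview length).
        """
        print("\n=== Python SASE API ===")
        print(self.PYTHON_API[:limit])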
# Demo driver: print the Terraform preview, then the Python API preview.
auto = SASEAutomation()
for show in (auto.show_terraform, auto.show_api):
    show()
Monitoring & Observability
# monitoring.py — SASE monitoring dashboard
import json
import random
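class SASEMonitoring:
    """Print a demo SASE dashboard (SLO status, security counters, PoP traffic).

    Every value is drawn from ``random`` — the SLO table when the class is
    defined, the other metrics each time a method runs — so the output is
    illustrative only; nothing here queries a real SASE platform.
    """

    # Name fragments of SLOs where a value at or above the target is healthy.
    # Anything else (latency, propagation time) is treated as lower-is-better.
    # Throughput was previously compared as lower-is-better, which reported a
    # PoP below its Gbps target as OK and one above it as a breach.
    HIGHER_IS_BETTER = ("availability", "throughput")

    SLO_DASHBOARD = {
        "ztna_availability": {"target": 99.99, "current": round(random.uniform(99.95, 100), 3)},
        "sdwan_latency_p95": {"target": 50, "current": round(random.uniform(20, 55), 1), "unit": "ms"},
        "swg_throughput": {"target": 10, "current": round(random.uniform(8, 15), 1), "unit": "Gbps"},
        "policy_propagation": {"target": 60, "current": round(random.uniform(10, 70), 0), "unit": "sec"},
    }

    @classmethod
    def _meets_target(cls, name, slo):
        """Return True when ``slo`` is within its target.

        Args:
            name: SLO key from ``SLO_DASHBOARD``; used to infer the comparison
                direction via ``HIGHER_IS_BETTER`` when ``slo`` carries no
                explicit ``higher_is_better`` flag.
            slo: mapping with numeric ``target`` and ``current`` and an
                optional boolean ``higher_is_better``.
        """
        higher_is_better = slo.get("higher_is_better")
        if higher_is_better is None:
            higher_is_better = any(token in name for token in cls.HIGHER_IS_BETTER)
        if higher_is_better:
            return slo["current"] >= slo["target"]
        return slo["current"] <= slo["target"]

    def show_slos(self):
        """Print one ``[status] name: current (target)`` line per SLO.

        ``status`` is ``OK`` or ``BREACH`` as decided by ``_meets_target``; the
        unit defaults to ``%`` when the SLO entry has none.
        """
        print("=== SLO Dashboard ===\n")
        for name, slo in self.SLO_DASHBOARD.items():
            unit = slo.get("unit", "%")
            status = "OK" if self._meets_target(name, slo) else "BREACH"
            print(f" [{status:>6}] {name}: {slo['current']}{unit} (target: {slo['target']}{unit})")

    def security_dashboard(self):
        """Print randomly generated 24h security counters (demo data only)."""
        print("\n=== Security Dashboard (24h) ===")
        metrics = {
            "Threats blocked": f"{random.randint(1000, 50000):,}",
            "Malware domains blocked": f"{random.randint(100, 5000):,}",
            "ZTNA sessions": f"{random.randint(500, 5000):,}",
            "Policy violations": random.randint(0, 50),
            "DLP incidents": random.randint(0, 20),
            "Suspicious logins": random.randint(0, 10),
        }
        for name, value in metrics.items():
            print(f" {name}: {value}")

    def traffic_overview(self):
        """Print randomly generated per-PoP traffic and user counts (demo data only)."""
        print("\n=== Traffic Overview ===")
        pops = [
            {"name": "Singapore", "traffic_gbps": random.uniform(2, 10), "users": random.randint(100, 500)},
            {"name": "Tokyo", "traffic_gbps": random.uniform(1, 5), "users": random.randint(50, 200)},
            {"name": "Frankfurt", "traffic_gbps": random.uniform(1, 4), "users": random.randint(30, 150)},
            {"name": "US-East", "traffic_gbps": random.uniform(2, 8), "users": random.randint(80, 400)},
        ]
        for pop in pops:
            print(f" [{pop['name']:<12}] Traffic: {pop['traffic_gbps']:.1f} Gbps | Users: {pop['users']}")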
# Demo driver: SLO table, then security counters, then per-PoP traffic.
mon = SASEMonitoring()
for show in (mon.show_slos, mon.security_dashboard, mon.traffic_overview):
    show()
Incident Response & Runbooks
# incident.py — SASE incident response
import json
class SASEIncidentResponse:
    """Reference runbooks and on-call setup for SASE incidents.

    ``RUNBOOKS`` and ``ON_CALL`` are class-level tables; the ``show_*``
    methods print them (runbooks abbreviated to four steps) and return ``None``.
    """

    RUNBOOKS = {
        "ztna_outage": {
            "name": "ZTNA Service Outage",
            "severity": "P1 - Critical",
            "steps": [
                "1. ตรวจสอบ SASE provider status page",
                "2. Check PoP health ทุก region",
                "3. Verify DNS resolution สำหรับ ZTNA endpoints",
                "4. Enable fallback VPN สำหรับ critical users",
                "5. Notify affected users + stakeholders",
                "6. Contact SASE vendor support",
                "7. Post-incident review + update runbook",
            ],
        },
        "policy_misconfiguration": {
            "name": "Policy Misconfiguration (Users Blocked)",
            "severity": "P2 - High",
            "steps": [
                "1. Identify affected users/applications",
                "2. Check recent policy changes (audit log)",
                "3. Rollback to last known good policy",
                "4. Verify access restored",
                "5. Root cause analysis on misconfiguration",
                "6. Add validation checks to CI/CD pipeline",
            ],
        },
        "sdwan_degradation": {
            "name": "SD-WAN Performance Degradation",
            "severity": "P2 - High",
            "steps": [
                "1. Check SD-WAN dashboard — identify affected circuits",
                "2. Run path quality tests (latency, jitter, packet loss)",
                "3. Failover to backup circuit if available",
                "4. Contact ISP if circuit issue",
                "5. Verify application performance restored",
            ],
        },
    }

    ON_CALL = {
        "rotation": "Weekly rotation — Network Security team",
        "escalation": "P1: 5 min → on-call → 15 min → team lead → 30 min → director",
        "tools": "PagerDuty + Slack #sase-incidents + Status page",
    }

    def show_runbooks(self):
        """Print each runbook's title and severity plus its first four steps."""
        print("=== SASE Runbooks ===\n")
        for runbook in self.RUNBOOKS.values():
            header = f"[{runbook['name']}] {runbook['severity']}"
            print(header)
            # Abbreviated view: only the first four steps are shown.
            leading_steps = runbook["steps"][:4]
            for step in leading_steps:
                print(f" {step}")
            print()

    def show_oncall(self):
        """Print every on-call setting as ``key: value``."""
        print("=== On-Call Setup ===")
        for setting, description in self.ON_CALL.items():
            print(f" {setting}: {description}")
# Demo driver: print the abbreviated runbooks, then the on-call setup.
ir = SASEIncidentResponse()
for show in (ir.show_runbooks, ir.show_oncall):
    show()
FAQ - คำถามที่พบบ่อย
Q: SASE กับ VPN ต่างกันอย่างไร?
A: VPN: tunnel traffic ทั้งหมดไป data center → ช้า, ไม่ scale, split tunnel เสี่ยง SASE: cloud-native, inspect traffic ที่ edge, Zero Trust model, scale ได้ SASE ดีกว่า: latency ต่ำกว่า (edge PoPs), security ดีกว่า (ZTNA), ไม่ต้อง hardware VPN แนะนำ: migrate จาก VPN → ZTNA (Cloudflare Access, Zscaler ZPA)
Q: SRE จำเป็นสำหรับ SASE ไหม?
A: จำเป็นมาก เพราะ SASE เป็น critical infrastructure — ถ้า down = ทุกคนเข้า resource ไม่ได้
SRE ช่วย: SLOs ชัดเจน, error budget, automated incident response, toil reduction
ทีมเล็ก: เริ่มจาก SLOs + on-call + runbooks
ทีมใหญ่: full SRE practice + automation + chaos engineering
Q: SASE vendor ไหนดีที่สุด?
A: ขึ้นกับ use case: Enterprise ใหญ่: Zscaler, Palo Alto Prisma Developer-friendly: Cloudflare One Data-centric: Netskope Existing Fortinet: Fortinet SASE ทดลอง: Cloudflare One มี free plan, ง่ายที่สุดในการเริ่มต้น
Q: เริ่มใช้ SASE อย่างไร?
A: Phase 1: ZTNA — แทน VPN สำหรับ remote access (เห็นผลเร็ว) Phase 2: SWG — กรอง web traffic, block threats Phase 3: CASB — ควบคุม SaaS access Phase 4: SD-WAN — optimize WAN (ถ้ามีหลาย branches) Phase 5: Full SASE — รวมทุก component อย่า deploy ทุกอย่างพร้อมกัน — ทำทีละ phase
