Vajira Nissanka

Case Studies

Architected the "Control Center" for NGINX — The Infrastructure Powering 2/3 of the World’s Busiest Websites

Overview

My work on the NGINX Control Center spanned the company’s evolution from professionalizing the core product for a high-stakes acquisition to architecting the post-merger "North Star" vision. I led the transformation of an instance-centric utility—where the UI was a direct interface for managing individual NGINX server instances—into the industry’s first App-Centric control plane. This shift was designed to evolve the experience for DevOps as the primary orchestration lead, providing a more modular framework while bridging the gap between specialized NetOps, SecOps, and Application Developers.

Role: Senior Strategic Design Lead / UX Architect

Business Context: Pre-Acquisition Foundation & Post-Acquisition Integration (F5)

Strategic Approach

1. The Vision Integration: From Instance-Centric to Modular App-Delivery

The post-acquisition period provided a unique opportunity to integrate the NGINX and F5 visions. I represented the UX/Design perspective during a pivotal one-week stakeholder offsite to plan this "Integrated Vision." My Information Architecture (IA) work during this phase directly informed the API-first architecture of the new Controller:

  • Decoupling Through Modularity: By re-orienting the platform around the Application, we enabled a modular structure. This separated concerns between Infrastructure, Security, and DevOps/Deployment through reusable templates and policies.

  • Lowering the Barrier to Entry: This abstraction significantly reduced the specialized knowledge required to operate the platform. While the legacy tool required deep NGINX "wizardry," the new modular approach enabled new DevOps and less-experienced users to manage sophisticated deployments safely without "breaking" the underlying environment.

  • Formalized Shared Infrastructure: I evolved the platform from manual, error-prone instance sharing to a model defined by logical separation. By decoupling the app logic from the server instance, we made it simple for multiple teams to safely utilize a shared pool of NGINX server instances with isolated configurations. To support this, I designed Instance State Awareness features (such as color-coded status panels) that clearly indicated when an instance was shared across multiple modules, preventing accidental disruption.

  • Unified Governance: This enabled a "Guardrails" approach where NetOps managed the foundational infrastructure and SecOps mandated reusable TLS and WAF policies, allowing the delivery teams to move faster within safe boundaries.

NGINX Instance-centric Controller - Prior to Re-architecture

Early Whiteboarding

Information Architecture (draft) of the New NGINX Controller

Navigation Structure of the Re-architected NGINX Controller
The new navigation has a top-level switcher to switch between Analytics (Overview/Home), Services (which include apps, APIs, etc. and their deployments), Infrastructure, Security, and Users/Roles Management.

2. Introducing the API Management (APIM) Module

I led the architectural design of the first dedicated API Management capability within the NGINX Controller. These workflows, originally built for the legacy controller, were evolved for the new App-Centric platform to support modern microservice environments:

Early Whiteboarding

Some APIM Details:

  • Traffic & Lifecycle: Defined the logical architecture for API Definitions, Upstream Groups, Entry Points (later evolved into Gateways), and Client Groups to precisely control how traffic reached backend services.

  • Dynamic Discovery: Integrated DNS Service Discovery within the APIM workflow to allow the platform to dynamically route to services as they scale and move. I architected this to allow for continual hostname resolution with a 5s resolver timeout—a critical requirement for dynamic cloud environments.

  • Advanced Policy Support: Architected support for API Tagging, Upstream Header Policies, and Reusable TLS Policies. Specifically, I decoupled the TLS policy from the Entry Point, enabling centralized management of cipher suites and TLS versions while maintaining a read-only association within the gateway workflow for security compliance.

  • License Compliance: Designed a volume-based usage tracking system for the APIM module. This included UI notifications and repetitive email alerts for license limits, along with graph-based reports showing historical successful API call volume to help customers manage their monthly entitlements.

Re-architecting APIM within the new App-centric, API-first NGINX Controller:

3. Enterprise Governance & Infrastructure Lifecycle

To ensure the platform was "Enterprise-Ready" for large-scale adoption, I designed the comprehensive governance and maintenance systems required to manage thousands of NGINX instances at once:

  • Config Management (Versioning & Promotion): Architected a robust system for naming, editing, and versioning configurations, including the ability to "star" or favorite specific versions for quick access. I designed the "Promotion" workflow, allowing users to copy/save configurations from a specific instance and promote them for reuse across multiple instances, facilitating a safe move from Staging to Production environments.

  • Operational Fleet Maintenance: Designed the critical workflows for upgrading agents across the global fleet to ensure the infrastructure remained secure and up to date. I introduced Instance-Config linkage logic, ensuring that if an instance was utilizing a shared configuration (e.g., "m1config"), the UI clearly displayed how many other instances would be affected by a change.

  • Searchable Audit Logs: Managed the system architecture for tracking every infrastructure change. I designed a sophisticated filtering system where multiple selections within a filter (e.g., User, Action Type, Functional Area) used logical OR operators, while combining different filters used logical AND operators, providing the granular accountability required for enterprise security audits.

  • ServiceNow & Ecosystem Integration: Designed the integration for ServiceNow notifications and License Compliance, ensuring the platform fit seamlessly into existing corporate IT stacks. This included utilizing existing email alert capabilities to push non-optional system alerts for license violations or infrastructure warnings.
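The audit-log filter semantics described in the list above (OR between the values selected inside one filter, AND between different filters), as an added example that is not NGINX Controller code. The record fields, the sample events and the `filter_events` name are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    user: str
    action_type: str
    functional_area: str
    detail: str


# Constructed sample records, not real controller output.
EVENTS = [
    AuditEvent("2020-03-01T09:12:00Z", "alice", "UPDATE", "Security", "edited TLS policy"),
    AuditEvent("2020-03-01T09:15:00Z", "bob", "DELETE", "Infrastructure", "removed instance"),
    AuditEvent("2020-03-01T10:02:00Z", "alice", "CREATE", "Services", "created app"),
    AuditEvent("2020-03-01T10:30:00Z", "carol", "UPDATE", "Security", "edited WAF policy"),
    AuditEvent("2020-03-01T11:45:00Z", "bob", "UPDATE", "Services", "changed gateway"),
]

# Fields a reviewer may filter on (hypothetical names).
FILTERABLE = {"user", "action_type", "functional_area"}


def filter_events(events, selections):
    """Return events matching every active filter.

    selections maps a filter name to the values ticked in that filter.
    Values inside one filter are alternatives (OR); filters combine (AND).
    """
    unknown = set(selections) - FILTERABLE
    if unknown:
        # Silently ignoring a mistyped filter would widen the result set,
        # which is the wrong failure mode for an audit query.
        raise ValueError(f"unknown filter(s): {sorted(unknown)}")

    active = {}
    for field, values in selections.items():
        if isinstance(values, str):   # a bare string is one value, not a set of characters
            values = [values]
        if values:                    # an empty selection means the filter is not applied
            active[field] = set(values)

    return [
        e for e in events
        if all(getattr(e, field) in allowed for field, allowed in active.items())
    ]
```
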


Some Examples

Re-architecting APIM within the new App-centric, API-first NGINX Controller:

Impact & Results

  • Strategic Acquisition Catalyst (Logical Abstraction): Architected the "App-Centric" framework that shifted the product from instance-centric configuration to a multi-layered logical model (separating Apps/APIs, Infrastructure, and Security). This vision was instrumental during F5’s $670M acquisition, as it proved NGINX could move beyond a "UI for config files" to become a sophisticated orchestration platform.

  • Eliminated Cross-Role Bottlenecks: Decoupled service management from underlying infrastructure by introducing a self-service operating model. By structuralizing "Guardrails" and modular workflows, the platform allowed App and DevOps teams to safely deploy their own services without requiring an NGINX expert for every routine change.

  • Architecture of Reusability: Designed a highly modular system where technical configurations (like TLS Policies and Upstream Groups) became reusable assets. This allowed organizations to standardize security and traffic patterns across thousands of instances, drastically reducing human error and technical debt.

  • API-First Parity & Programmability: Championed a "Headless-First" architecture where the Control Center UI and customer-built automation tools utilized the exact same public RESTful APIs. This parity ensured a robust, production-ready ecosystem, empowering enterprise customers to build their own custom management interfaces and integrate NGINX programmatically into their global CI/CD pipelines.

  • Operational Intelligence & Safety: Introduced System-Wide Awareness—such as real-time Instance Usage indicators and Audit Logs—transforming NGINX from a "silent executor" into a transparent system that proactively helped users avoid production-breaking mistakes.

  • Market Expansion & Revenue Protection: Successfully launched the first integrated APIM module, opening a new revenue stream. Integrated volume-based license tracking and compliance notifications to align technical usage with business entitlements and prevent service disruptions.
