Merge pull request #168 from AnthonyF5/appworld

Cumulative lab doc changes

docs/class1/class1.rst

@@ -5,7 +5,7 @@ Welcome
 -------
 
 In this lab, attendees will be introduced to the F5 Distributed Cloud Services platform.  Attendees will create proxy services for publishing and securing
-applications that are served by both public and private endpoints. Attendees will also explore the DNS, Observability, and CDN capabilities of the platform.
+applications that are served by both public and private endpoints. Attendees will also be introduced to the DNS, Observability, and CDN capabilities of the platform.
 
 Objectives:
 ----------

docs/class1/intro.rst

@@ -12,7 +12,7 @@ services that provides a UI and API for managing network, security, and compute
 Distributed Cloud Console can manage "sites" in existing on-premises data centers and sites in
 AWS, Azure, and GCP cloud environments.
 
-Task 1: Lab Environment (chas was here)
+Task 1: Lab Environment
 ~~~~~~~~~~~~~~~~~~~~~~~
 
 +----------------------------------------------------------------------------------------------+

docs/class1/lab2.rst

@@ -1,19 +1,20 @@
-Lab 2: Deploying an AWS VPC Site
-================================
+Lab 2: Protecting a Private Endpoint
+====================================
 
 In the previous lab you learned how to protect a resource that is already on the Public Internet.
 
-In this lab we will look at two additional topologies where you can use a Customer Edge (CE).
+In this next lab we will look at two additional topologies of how you can use a Customer Edge node
+to secure traffic that is going to an endpoint that is not directly exposed to the Internet.
+
+In this lab we will protect an application that is hosted in AWS but not directly exposed to the Internet.
 
 F5 Distributed Cloud AWS VPC Site
 ---------------------------------
 
 In addition to protecting resources using F5 Distributed Cloud WAF/WAAP enforcement at an F5 Regional Edge (RE),
-you can also deploy a Customer Edge (CE) that may or may not be exposed to the public Internet.
+you can also deploy a Customer Edge (CE) that may or may not be exposed to the public Internet. CE nodes may be 
+deployed in physical data centers and/or public cloud environments.
 
-In this exercise, we will review a CE that has already been deployed in an AWS VPC.
-We have also already created a shared F5 Distributed Cloud AWS VPC Site within the Distributed Cloud Console.
-
 Once a CE has been deployed, it unlocks two additional topologies.
 
 1. Client -> RE -> CE -> Protected resource  
@@ -36,57 +37,278 @@ During this time, control plane services are suspended and will resume upon Inte
 
 While a single CE may be adequate for non-production environments, a high-availability cluster of at least 3 CE's is highly recommended for production.
 
-Exercise 1: Introduction to F5 Distributed Cloud AWS VPC Site
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+This lab has auto deployed an AWS site with a Customer Edge node for you. You may walk through this process using the F5 Distributed Cloud Simulator if you wish.
+
+https://simulator.f5.com/s/cloud2cloud_via_sites_brownfield/nav/aws/005/0
 
-#. Start in F5 Distributed Cloud Console and find the "AWS VPC Sites" menu item. 
+Continue with the steps below to allow secure connectivity to the AWS hosted application. 
 
-   From the top left "Select service" and look under "All Services"->"Multi-Cloud Network Connect"
 
-   .. image:: _static/menu_multi_cloud_network_connect.png
-      :width: 50% 
-
-#. Go to Manage > Site Management > AWS VPC Sites
+Task 1. Create Origin Pools
+---------------------------
 
-   .. image:: _static/menu_aws_vpcsites.png
-      :width: 50% 
+Previously we created an origin pool that was accessible via the Public Internet.
+The next lab exercise will create an origin pool that will provide internal resources discovered with local DNS by the AppMesh node that is deployed in our lab AWS environment. 
 
-#. Find the "student-awsnet" site
+Exercise 1: Create Private Origin Pool
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-   In this lab environment we have already deployed a shared AWS VPC Site that we will 
-   use in this lab.  Click on "student-awsnet".
+We will first create an Origin Pool that refers to the "Private Endpoint" site in our lab environment.
 
-   .. image:: _static/student-awsnet-link.png
-      :width: 75% 
+#. Start in F5 Distributed Cloud Console and switch back to the **Multi-Cloud App Connect** context.
 
-   You will be able to observe several metrics about the health of the site.  
-   Spend a few minutes navigating the tabs at the top of the screen, to the right of the "Dashboard" tab.     
+#. Navigate the menu to go to "Manage"->"Load Balancers"->"Origin Pools". Click on *Add Origin Pool*.
 
-   .. image:: _static/student-awsnet-site-metrics.png
-      :width: 75% 
+#. Enter the following variables:
 
+   ================================= =====
+   Variable                          Value
+   ================================= =====
+   Name                              private
+   ================================= =====
 
-   NOTE:  The health shown is specific to the CE site and the performance data shown 
-   is an aggregate of all applications whose data is passing through this CE.
+#. Click on "Add Item" under the section "Origin Servers"
 
-Exercise 2: F5 Distributed Cloud Simulator
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+   Enter the following variables: 
 
-Since the AWS site in this lab was pre-built for you, take a few minutes to walk through the process using the 
-F5 Distributed Cloud Simulator.
+   ================================= =====
+   Variable                          Value
+   ================================= =====
+   Select Type of Origin Server      DNS Name of Origin Server on given Sites
+   DNS Name                          private.lab.f5demos.internal
+   Site                              system/student-awsnet
+   ================================= =====
+
+   |op-pool-basic|
 
-https://simulator.f5.com/s/cloud2cloud_via_sites_brownfield/nav/aws/005/0
+   Click on "Apply" to return to the previous screen.
+
+#. Below the "Origin Servers" section fill in the Port information
+
+   ================================= =====
+   Variable                          Value
+   ================================= =====
+   Port                              8080
+   ================================= =====
+
+
+
+#. Click **Save and Exit**.        
+
+.. |app-context| image:: _static/app-context.png
+.. |origin_pools_menu| image:: _static/origin_pools_menu.png
+.. |origin_pools_add| image:: _static/origin_pools_add.png
+.. |origin_pools_config| image:: _static/origin_pools_config.png
+.. |origin_pools_config_api| image:: _static/origin_pools_config_api.png
+.. |origin_pools_config_mongodb| image:: _static/origin_pools_config_mongodb.png
+.. |origin_pools_show_child_objects| image:: _static/origin_pools_show_child_objects.png
+.. |origin_pools_show_child_objects_status| image:: _static/origin_pools_show_child_objects_status.png
+.. |http_lb_origin_pool_health_check| image:: _static/http_lb_origin_pool_health_check.png
+.. |http_lb_origin_pool_health_check2| image:: _static/http_lb_origin_pool_health_check2.png
+
+.. |op-add-pool| image:: _static/op-add-pool.png
+.. |op-api-pool| image:: _static/op-api-pool.png
+.. |op-pool-basic| image:: _static/op-pool-basic-private.png
+  :width: 75% 
+.. |op-spa-check| image:: _static/op-spa-check.png
+.. |op-tshoot| image:: _static/op-tshoot.png
+
+Task 2. Update HTTP Load Balancer on F5 Distributed Cloud Regional Edge
+-----------------------------------------------------------------------
+
+We will now update the HTTP load balancer that we previously created to connect to
+the "Private Endpoint" via the AppMesh node that is deployed in the AWS lab environment.
+
+.. image:: _static/testdrive-volterra-waf-hybrid-vip.png
+
+Exercise 1: HTTP Load Balancer Configuration
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+#. Start in F5 Distributed Cloud Console and switch to the **Multi-Cloud App Connect** context. [You should already be here from previous lab]
+
+#. Navigate the menu to go to "Manage"->"HTTP Load Balancers" and look for the Load Balancer named *<namespace>-lb* that you previously created.
+
+#. Click on the three dots "..." to the right of the name of your *<namespace>-lb* Load Balancer and select the "Manage Configuration" option.
+
+   .. image:: _static/screenshot-global-vip-actions-manage.png
+
+#. Click on "Edit Configuration" in the upper right of the screen (after your *<namespace>-lb* Load Balancer is loaded).
+
+   .. image:: _static/screenshot-global-vip-edit-config.png
+
+#. Under "Origins" find your previous "<namespace>-pool" Origin pool and click on the three dots "..." to the right under "Actions" and select "Edit"
+
+   .. image:: _static/screenshot-global-vip-edit-config-pools.png
+
+#. Change the selection of "Origin Pool" from "<namespace>-pool" to "private" and click "Apply"
+
+   .. image:: _static/screenshot-global-vip-edit-config-pools-select.png
+
+#. Click "*Save and Exit* to update the HTTP Load Balancer.
+
+You should now be able to go to the DNS name that you entered 
+previously in a web browser.  The FQDN we used in our example is http://worthy-gecko.lab-sec.f5demos.com/.  
+
+Exercise 2: Verify Configuration
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The private demo app should look like the following:
+
+.. image:: _static/screenshot-global-vip-private.png
+   :width: 50%
+
+In this topology we are sending traffic to an AnyCast IP that is hosted in F5 Distributed Cloud's Regional Edge.
+
+We then connect to the AWS resource via the AppMesh node that is deployed in the same VPC as the "Private Endpoint".  
+The AppMesh is only being used for network connectivity to the Private Endpoint; enforcement of the WAF policy is still
+being applied in the Regional Edge.
+
+In the next exercise we will look at a third topology of deploying a WAF policy that will be enforced within the AWS VPC
+on the AppMesh node (in the Customer Edge).
+
+.. raw:: html
+
+   <iframe width="560" height="315" src="https://www.youtube.com/embed/s-BHH0Qayfc?start=366" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
+
+
+Task 3. Creating HTTP Load Balancer on F5 Distributed Cloud Customer Edge
+-------------------------------------------------------------------------
+
+In the previous lab exercises we were connecting to a F5 Distributed Cloud Load Balancer that was deployed in a Regional Edge.
+
+In the next lab exercise we will deploy a Load Balancer on the AppMesh node that was deployed in the AWS VPC (Customer Edge location).
+
+.. image:: _static/testdrive-volterra-waf-local-vip.png
 
-Clicking on the "Next" button in the top right of the simulator will allow you to see similar steps that were used to create the site.
+Exercise 1: HTTP Load Balancer Configuration
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-.. image:: _static/f5xc-simulator-vpc-site.png
-   :width: 75%
+#. Start in F5 Distributed Cloud Console and switch to the **Multi-Cloud App Connect** context. [You should already be here from previous lab]
 
-Exercise 3 (Optional): Video walkthrough
+#. Navigate the menu to go to "Manage"->"HTTP Load Balancers" and click on "Add HTTP Load Balancer".
+
+#. Enter the following variables:
+
+   ================================= =====
+   Variable                          Value
+   ================================= =====
+   Name                              local
+   Domains                           [NAMESPACE].aws.lab.f5demos.com
+   Select type of Load Balancer      HTTP
+   Automatically Manage DNS Records  No/Unchecked 
+   ================================= =====
+
+Exercise 2: Configure Default Origin Server
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+We'll next configure the "Origin Servers".   
+
+#. Click on the *Add Item* button in the the *Origin Pools* section.
+
+#. The "Select Origin Pool Method" will be set to "Origin Pool". Under the "Origin Pool" dropdown menu select the "private" pool you created earlier.
+
+#. Click the *Apply* button to exit the "Origin Pool with Weight and Priority" dialogue.
+
+Exercise 3: Configure Local VIP
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Previously we configured a VIP that was advertised on F5's Regional Edge (PoP) locations.
+We will modify this configuration to expose the service on the "Outside" interface of the AppMesh
+node that is deployed in AWS.  This will allow us to access the VIP via the Public IP Address (AWS Elastic IP)
+that is attached to that interface.  If we wished to only have the service available within the AWS VPC
+we could opt to use the "Inside" interface that does not have an AWS EIP attached.
+
+#. Under "Other Settings" set "VIP Advertisement" to "Custom"
+
+   .. image:: _static/screenshot-local-vip-advertise-custom.png
+      :width: 50%
+
+#. Click on "Configure" under "Custom"
+#. In "List of Sites to Advertise", click on "Add Item"
+#. For "Site Network" click on "Outside Network" 
+#. For "Site Reference" select `system/student-awsnet`
+
+   .. image:: _static/lb-local-vip-advertise.png
+      :width: 60%
+
+#. Click on "Apply" 
+#. Click on "Apply" to return to previous screen
+
+
+Exercise 4: Configure WAF Policy
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+#. Under the *Web Application Firewall* section 
+
+#. Choose the following options:
+
+   =============================== =================================
+   Variable                        Value
+   =============================== =================================
+   Web Application Firewall (WAF)  Enable
+   Select App Firewall             shared/base-appfw
+   =============================== =================================
+
+#. Click "Save and Exit" to create the HTTP Load Balancer.
+
+Once the HTTP Load Balancer has been deployed, you should now be able to go to the DNS name that you entered 
+previously in a web browser.  The FQDN we used in our example is http://stable-sheep.aws.lab.f5demos.com.  
+This is a wildcard DNS entry that points to the Public IP (AWS Elastic IP) that is attached to the AppMesh node.
+
+Exercise 5: Verify Configuration
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The private demo app should look like the following:
+
+.. image:: _static/screenshot-local-vip-private.png
+   :width: 50%
+
+
+Exercise 6: Verify DNS
+^^^^^^^^^^^^^^^^^^^^^^
+
+You can verify that you are connecting directly to AWS by comparing the DNS of the two hosts.
+
+.. code-block:: 
+
+   $ dig +short student001.aws.lab.f5demos.com
+   52.4.72.136
+
+   $ dig -x 52.4.72.136 +short
+   ec2-52-4-72-136.compute-1.amazonaws.com.
+
+.. code-block:: 
+
+   $ nslookup student001.aws.lab.f5demos.com
+
+   Server:		2a01:cb04:765:e00:a6ce:daff:fe11:96ea
+   Address:	2a01:cb04:765:e00:a6ce:daff:fe11:96ea#53
+
+   Non-authoritative answer:
+   Name:	student001.aws.lab.f5demos.com
+   Address: 52.4.72.136
+
+
+In this topology we are sending traffic to the AWS EIP that's attached to the AppMesh node in the AWS VPC.
+
+We then connect to the AWS resource via it's Private IP address.  
+
+<! Try adding the following to the URL "?cat%20/etc/passwd".  ###this request hung without providing a blocking page>
+
+Try adding the following to the URL "/cart?search=aaa’><script>prompt(‘Please+enter+your+password’);</script>"
+
+You should see a block page.  This is similar behavior to what we saw in the previous lab,
+but in this case the enforcement of the WAF policy is occurring on the AppMesh node
+that is deployed in the AWS Lab Environment and not in the F5 Distributed Cloud Regional Edge.
+
+In the next lab we will look at how to customize our WAF policy.
+
+Video Walkthrough 
 ^^^^^^^^^^^^^^^^^
 
-NOTE:  The term Distributed Cloud reflects the updated branding launched in 2022.  Prior to that, the platform was called Volterra.
+Optional Video you can watch if you get stuck
 
 .. raw:: html
 
-   <iframe width="560" height="315" src="https://www.youtube.com/embed/s-BHH0Qayfc?start=244" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
+   <iframe width="560" height="315" src="https://www.youtube.com/embed/s-BHH0Qayfc?start=400" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
+