diff --git a/docs/class1/lab2.rst b/docs/class1/lab2.rst index e505c7d8..f47f51de 100644 --- a/docs/class1/lab2.rst +++ b/docs/class1/lab2.rst @@ -154,7 +154,7 @@ under this tenant. | | +-----------------------------------------------------------------------------------------------------------------------------------+ || | -|| 3. Scroll to the botton of the screen and click **Save and Exit** to create the HTTP Load Balancer. | +|| 3. Scroll to the botton of the screen and click **Save and Exit** to create the HTTP Load Balancer. | || | || | +-----------------------------------------------------------------------------------------------------------------------------------+ @@ -198,7 +198,7 @@ in AWS via the connection to the CE node in AWS. +-----------------------------------------------------------------------------------------------------------------------------------+ | **End of Lab 2**. In this lab you configured a global load balancer with a WAF policy on a CE node running in AWS for a | | private end point. That private end point was only accessible via the global load balancer. | -| | ++-----------------------------------------------------------------------------------------------------------------------------------+ | |labend| | +-----------------------------------------------------------------------------------------------------------------------------------+ diff --git a/docs/class1/lab3.rst b/docs/class1/lab3.rst index 5bb194fb..c9b6be33 100644 --- a/docs/class1/lab3.rst +++ b/docs/class1/lab3.rst 
@@ -7,7 +7,7 @@ They have come to you and asked if you could configure customer access to this a to the Internet. You have been tasked to design and build this connectivity. You have chosen to leverage the Distributed Cloud Customer Edge deployment model to provide secure reliable access to the AWS hosted application. -Your design includes the following workflow Client -> CE -> Protected application resource. Let's get started! +Your design includes the following workflow **Client -> CE -> Protected application resource**. Let's get started! .. image:: _static/lab3-appworld2025-topology-diagram.png @@ -46,7 +46,7 @@ Continue with the steps below to allow secure connectivity to the AWS hosted app Task 1. Create Private Origin Pool ---------------------------- +---------------------------------- In Lab #1 we created an origin pool that was accessible via the Public Internet without using a CE deployment. In Lab #2 we are still leveraging Internet access via the RE but now connecting to the origin server throught a CE deployment. In this topology the CE IPSec tunnels will carry both control-plane and data-plane traffic down to the orgin. 
@@ -58,48 +58,48 @@ We will first create an Origin Pool that refers to the "Private Endpoint" site i +------------------------------------------------------------------------------------------------------------+ || 1. Start in F5 Distributed Cloud Console and switch back to the **Multi-Cloud App Connect** context. | || | -|| 2. Navigate the menu to go to **"Manage"->"Load Balancers"->"Origin Pools"**. Click on *Add Origin Pool*. | +|| 2. Navigate the menu to go to **Manage->Load Balancers->Origin Pools**. Click on **Add Origin Pool**. | || | || 3. Enter the following variables: | || | +------------------------------------------------------------------------------------------------------------+ | | -| ================================= ===== | +| ================================= ====== | | *Variable* *Value* | -| ================================= ===== | +| ================================= ====== | | Name **[NAMESPACE]-private-pool** | -| ================================= ===== | +| ================================= ====== | | | +------------------------------------------------------------------------------------------------------------+ || | -|| 4. Click on "Add Item" under the section "Origin Servers" | +|| 4. 
Click on **Add Item** under the section **Origin Servers** | || | +------------------------------------------------------------------------------------------------------------+ | | -| ================================= ===== | -| Variable Value | -| ================================= ===== | -| Select Type of Origin Server DNS Name of Origin Server on given Sites | -| DNS Name private.lab.f5demos.internal | -| Site system/student-awsnet | +| ================================= ======= | +| *Variable* *Value* | +| ================================= ======= | +| Select Type of Origin Server **DNS Name of Origin Server on given Sites** | +| DNS Name **private.lab.f5demos.internal** | +| Site **system/student-awsnet** | | ================================= ===== | +------------------------------------------------------------------------------------------------------------+ | | | |lab301| | | | || | -|| 5. Click on **"Apply"** to return to the previous screen. | +|| 5. Click on **Apply** to return to the previous screen. | || | -|| 6. Below the "Origin Servers" section fill in the Origin Server Port information | +|| 6. Below the **Origin Servers** section fill in the Origin Server Port information | || | +------------------------------------------------------------------------------------------------------------+ | | | | -| ================================= ===== | -| *Variable* *Value* | -| ================================= ===== | +| ================================= ======= | +| *Variable* *Value* | +| ================================= ======= | | Port **8080** | -| ================================= ===== | +| ================================= ======= | | | +------------------------------------------------------------------------------------------------------------+ || | 
@@ -118,77 +118,78 @@ Now we will deploy a Load Balancer on the CE node that was deployed in the AWS V +-----------------------------------------------------------------------------------------------------------------------------------+ || 1. Start in F5 Distributed Cloud Console and switch back to the **Multi-Cloud App Connect** context. | || | -|| 2. Navigate the menu to go to **"Manage"->"Load Balancers"-> "HTTP Loabalancers"**. Click on *Add HTTP Loadbalancer*. | +|| 2. Navigate the menu to go to **Manage->Load Balancers-> HTTP Load Balancers**. Click on **Add HTTP Load Balancer**. | || | || 3. Enter the following variables: | || | +-----------------------------------------------------------------------------------------------------------------------------------+ | | | | -| ================================= ===== | -| Variable Value | -| ================================= ===== | -| Name [NAMESPACE]-private-lb | -| Domains [NAMESPACE].aws.lab.f5demos.com | -| Select type of Load Balancer HTTP | -| Automatically Manage DNS Records No/Unchecked | +| ================================= ======= | +| *Variable* *Value* | +| ================================= ======= | +| Name **[NAMESPACE]-private-lb** | +| Domains **[NAMESPACE].aws.lab.f5demos.com** | +| Select type of Load Balancer **HTTP** | +| Automatically Manage DNS Records **No/Unchecked** | | ================================= ===== | | | +-----------------------------------------------------------------------------------------------------------------------------------+ | | | |lab311| | || | -|| 4. Under Origin Pools Click *"Add Item"* | +|| 4. Under **Origin Pools** Click **Add Item** | || | | |lab302| | || | -|| 5. Select the recently created **[NAMESPACE]-private-pool** under Origin pool and then click *"Apply"* | +|| 5. Select the recently created **[NAMESPACE]-private-pool** under **Origin Pool** and then click **Apply** | || | | |lab303| | || | -|| 6. 
Now you can see your Origin Pool has been added to the HTTP Loadbalancer Configuration | +|| 6. Now you can see your Origin Pool has been added to the HTTP Load balancer configuration | || | | |lab304| | || | -|| 7. Now we want to control how this Load Balancer is advertised, we will select the "Other Settings" on the left hand side. | -|| This will auto-scroll the configuations towards the bottom of the Load Balancer configuration section labled "Other Settings" | +|| 7. Now we want to control how this Load Balancer is advertised, we will select the **Other Settings** on the left hand side. | +|| This will auto-scroll the configuations towards the bottom of the Load Balancer configuration section labeled | +|| **Other Settings** | || | || |lab305| | || | -|| 8. Under *VIP Advertisement* Change it to "Custom" then select **Configure** | +|| 8. Under **VIP Advertisement**, change it to **Custom** then select **Configure** | || | || |lab306| | || | -|| 9. In the List of Sites to Advertise", Click on *"Add Item"* | +|| 9. In the **List of Sites to Advertise**, Click on **Add Item** | || | || |lab307| | || | -|| 10. For *"Site Network"* select *"Outside Network"* | +|| 10. For **Site Network** select **Outside Network** | || | -|| 11. For *"Site Reference"* select **system/student-awsnet** | +|| 11. For **Site Reference** select **system/student-awsnet** | || | || |lab308| | || | -|| 12. Click on *"Apply"* and once again *"Apply"* on the next screen. | +|| 12. Click on **Apply** and once again **Apply** on the next screen. | || | | | +-----------------------------------------------------------------------------------------------------------------------------------+ Task 3: Configure WAF Policy -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +----------------------------- Now that we have our load balancer and orign server configured we want to make sure we are protecting the origin server. Here we are easily applying a pre-existing shared WAF policy to our loadbalancer. 
The shared WAF policy is available for all namespaces under this tenant. +-----------------------------------------------------------------------------------------------------------------------------------+ -|| 1. Under the *Web Application Firewall* section | +|| 1. Under the **Web Application Firewall** section | || | || 2. Choose the following options: | || | +-----------------------------------------------------------------------------------------------------------------------------------+ | | | =============================== ================================= | -| Variable Value | +| *Variable* *Value* | | =============================== ================================= | | Web Application Firewall (WAF) **Enable** | | Select App Firewall **shared/base-appfw** | 
@@ -196,18 +197,12 @@ under this tenant. | | +-----------------------------------------------------------------------------------------------------------------------------------+ || | -|| 3. Scroll to the botton of the screen and click "Save and Exit" to create the HTTP Load Balancer. | -|| | -| Once the HTTP Load Balancer has been deployed, you should now be able to go to the DNS name that you entered | -| previously in a web browser. The FQDN we used in our example is http://[NAMESPACE].aws.lab.f5demos.com. | -| This is a wildcard DNS entry that points to the Public IP (AWS Elastic IP) that is attached to the AppMesh node. | -|| | -|| 4. Click on *"Save and Exit"* to complete the Load Balancer configuration | +|| 3. Scroll to the botton of the screen and click **Save and Exit** to create the HTTP Load Balancer. | || | +-----------------------------------------------------------------------------------------------------------------------------------+ Task 4: Verify Configuration -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +----------------------------- You should now be able to go to the DNS name that you created in this Load Balancer configuration. The FQDN we used in our example is http://[NAMESPACE].aws.lab.f5demos.com/. @@ -222,7 +217,7 @@ The FQDN we used in our example is http://[NAMESPACE].aws.lab.f5demos.com/. Task 5: Verify DNS -^^^^^^^^^^^^^^^^^^^^^^ +------------------- You can verify that you are connecting directly to AWS by comparing the DNS of the two hosts. 
@@ -250,27 +245,36 @@ You can verify that you are connecting directly to AWS by comparing the DNS of t +-----------------------------------------------------------+ Task 6: Verify WAF Protection -^^^^^^^^^^^^^^^^^^^^^^ +----------------------------- In this topology we are sending traffic to the AWS EIP that's attached to the CE node in the AWS VPC. We then connect to the AWS resource via it's Private IP address. +-----------------------------------------------------------------------------------------------------------------------------------+ -| | | | -| Try adding the following to the URL "/cart?search=aaa’>" | +| Using some of the sample attacks below, add the URI path & variables to your application to generate | +| security event data. | | | -| You should see a block page. | +| * /?cmd=cat%20/etc/passwd | +| * /product?id=4%20OR%201=1 | +| * /cart?search=aaa'> | +| | +| Just like in Lab 1, you should see a block page when adding the attacks to the URL. The difference in this case is that the | +| enforcement of the WAF policy is occurring on the load balancer on the CE node that is deployed in the AWS lab environment | +| instead of the Regional Edge in Distributed Cloud. | | | | |lab313| | | | +-----------------------------------------------------------------------------------------------------------------------------------+ -This is similar behavior to what we saw in the previous lab,but in this case the enforcement of the WAF policy is occurring on the -CE nodethat is deployed in the AWS Lab Environment and not in the F5 Distributed Cloud Regional Edge. ++-----------------------------------------------------------------------------------------------------------------------------------+ +| **End of Lab 3**. Congratulations, you have successfully configured and secured application access within AWS! This marks | +| the end of the lab. 
| ++-----------------------------------------------------------------------------------------------------------------------------------+ +| |labend| | ++-----------------------------------------------------------------------------------------------------------------------------------+ -Congratulations you have successfully configured and secured application access within AWS! This marks the end of this lab. .. |lab300| image:: _static/lab3-appworld2025-topology-diagram.png :width: 800px @@ -300,3 +304,5 @@ Congratulations you have successfully configured and secured application access :width: 800px .. |lab313| image:: _static/lab3-appworld2025-waf-block-message.png :width: 800px +.. |labend| image:: _static/labend.png + :width: 800px \ No newline at end of file
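Review bot: the typo "botton" survives in the rewritten step 3 of the lab2.rst `@@ -154,7` hunk (`|| 3. Scroll to the botton of the screen and click **Save and Exit** ...`); since the line is touched anyway, change it to "bottom". The old and new lines otherwise differ only in cell padding, so this is the only visible edit on that line.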
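Review bot: the Origin Servers simple table in the lab3.rst `@@ -58,48` hunk is left with mismatched border rules: the top and header rules become `================================= =======` but the closing rule is still `| ================================= ===== |`. docutils requires every border line of a simple table to share one column layout, so this will fail as a malformed table at build time; widen the last rule to `=======` as well. The Name and Port tables in the same hunk are consistent (all their rules match), so only this one needs the fix.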
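Review bot: the HTTP Load Balancer variables table in the lab3.rst `@@ -118,77` hunk has the same border mismatch, with the top and header rules changed to `=======` while the closing rule stays `| ================================= ===== |`; align the last rule or the table will not render. Two smaller points in the same hunk: "configuations" in the rewritten step 7 should be "configurations", and the menu path `**Manage->Load Balancers-> HTTP Load Balancers**` has a stray space after the second arrow that the Origin Pools path (`**Manage->Load Balancers->Origin Pools**`) does not.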
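Review bot: "botton" should be "bottom" in the replacement step 3 of the lab3.rst `@@ -196,18` hunk, the one place that line is rewritten. Dropping the stray "Once the HTTP Load Balancer has been deployed..." paragraph and the duplicate step 4 from this block is correct, since Task 4 directly below carries that verification text.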
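Review bot: in the lab3.rst `@@ -250,27` hunk the new "End of Lab 3" grid table is added immediately after the closing `+---+` rule of the block-page table; if no blank line separates them, docutils reads both as a single table and the back-to-back `+---+` rules become an empty row, which is rejected as malformed. Add a blank line between the two tables (the lab2.rst version of this block keeps the closing image inside one table, which avoids the problem).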
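Review bot: the new `:width: 800px` line for the `|labend|` substitution in the lab3.rst `@@ -300,3` hunk is written without a trailing newline (`\ No newline at end of file`); add one so the file ends like the other image definitions and the next edit to this line does not show up as a spurious change.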