From acf7c07a7accbd29962896c4114c65404d634ae9 Mon Sep 17 00:00:00 2001 From: Curt Kersey Date: Wed, 8 Jan 2025 17:32:58 -0500 Subject: [PATCH 1/7] formatting and typos for lab 3 --- docs/class1/lab3.rst | 113 ++++++++++++++++++++++--------------------- 1 file changed, 59 insertions(+), 54 deletions(-) diff --git a/docs/class1/lab3.rst b/docs/class1/lab3.rst index 5bb194fb..6a874772 100644 --- a/docs/class1/lab3.rst +++ b/docs/class1/lab3.rst @@ -46,7 +46,7 @@ Continue with the steps below to allow secure connectivity to the AWS hosted app Task 1. Create Private Origin Pool ---------------------------- +---------------------------------- In Lab #1 we created an origin pool that was accessible via the Public Internet without using a CE deployment. In Lab #2 we are still leveraging Internet access via the RE but now connecting to the origin server throught a CE deployment. In this topology the CE IPSec tunnels will carry both control-plane and data-plane traffic down to the orgin. 
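Review bot: two typos sit in this hunk's unchanged context and survive a commit titled "formatting and typos": "connecting to the origin server throught a CE deployment" and "down to the orgin". Since the hunk already edits the heading directly above that paragraph, fix them here as "through a CE deployment" and "down to the origin" rather than in a later pass.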
@@ -58,48 +58,48 @@ We will first create an Origin Pool that refers to the "Private Endpoint" site i +------------------------------------------------------------------------------------------------------------+ || 1. Start in F5 Distributed Cloud Console and switch back to the **Multi-Cloud App Connect** context. | || | -|| 2. Navigate the menu to go to **"Manage"->"Load Balancers"->"Origin Pools"**. Click on *Add Origin Pool*. | +|| 2. Navigate the menu to go to **Manage->Load Balancers->Origin Pools**. Click on **Add Origin Pool**. | || | || 3. Enter the following variables: | || | +------------------------------------------------------------------------------------------------------------+ | | -| ================================= ===== | +| ================================= ====== | | *Variable* *Value* | -| ================================= ===== | +| ================================= ====== | | Name **[NAMESPACE]-private-pool** | -| ================================= ===== | +| ================================= ====== | | | +------------------------------------------------------------------------------------------------------------+ || | -|| 4. Click on "Add Item" under the section "Origin Servers" | +|| 4. 
Click on **Add Item** under the section **Origin Servers** | || | +------------------------------------------------------------------------------------------------------------+ | | -| ================================= ===== | -| Variable Value | -| ================================= ===== | -| Select Type of Origin Server DNS Name of Origin Server on given Sites | -| DNS Name private.lab.f5demos.internal | -| Site system/student-awsnet | +| ================================= ======= | +| *Variable* *Value* | +| ================================= ======= | +| Select Type of Origin Server **DNS Name of Origin Server on given Sites** | +| DNS Name **private.lab.f5demos.internal** | +| Site **system/student-awsnet** | | ================================= ===== | +------------------------------------------------------------------------------------------------------------+ | | | |lab301| | | | || | -|| 5. Click on **"Apply"** to return to the previous screen. | +|| 5. Click on **Apply** to return to the previous screen. | || | -|| 6. Below the "Origin Servers" section fill in the Origin Server Port information | +|| 6. Below the **Origin Servers** section fill in the Origin Server Port information | || | +------------------------------------------------------------------------------------------------------------+ | | | | -| ================================= ===== | -| *Variable* *Value* | -| ================================= ===== | +| ================================= ======= | +| *Variable* *Value* | +| ================================= ======= | | Port **8080** | -| ================================= ===== | +| ================================= ======= | | | +------------------------------------------------------------------------------------------------------------+ || | 
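Review bot: the Origin Servers table in this hunk ends up with mismatched borders: the two header border lines are widened to `================================= =======` but the closing border, left as unchanged context after the `Site **system/student-awsnet**` row, is still `================================= =====`. docutils requires every border line of a simple table to have the same column layout, so Sphinx will report a malformed table for this block. Widen the last border the same way, as the hunk already does for the Port table below it. The added `**...**` bolding also lengthens the widest cell (`**DNS Name of Origin Server on given Sites**`); check that each `| ... |` row of the surrounding grid table still lines up with its `+---+` borders, since grid tables require every row to be exactly as wide as the separators.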
@@ -118,77 +118,78 @@ Now we will deploy a Load Balancer on the CE node that was deployed in the AWS V +-----------------------------------------------------------------------------------------------------------------------------------+ || 1. Start in F5 Distributed Cloud Console and switch back to the **Multi-Cloud App Connect** context. | || | -|| 2. Navigate the menu to go to **"Manage"->"Load Balancers"-> "HTTP Loabalancers"**. Click on *Add HTTP Loadbalancer*. | +|| 2. Navigate the menu to go to **Manage->Load Balancers-> HTTP Load Balancers**. Click on **Add HTTP Load Balancer**. | || | || 3. Enter the following variables: | || | +-----------------------------------------------------------------------------------------------------------------------------------+ | | | | -| ================================= ===== | -| Variable Value | -| ================================= ===== | -| Name [NAMESPACE]-private-lb | -| Domains [NAMESPACE].aws.lab.f5demos.com | -| Select type of Load Balancer HTTP | -| Automatically Manage DNS Records No/Unchecked | +| ================================= ======= | +| *Variable* *Value* | +| ================================= ======= | +| Name **[NAMESPACE]-private-lb** | +| Domains **[NAMESPACE].aws.lab.f5demos.com** | +| Select type of Load Balancer **HTTP** | +| Automatically Manage DNS Records **No/Unchecked** | | ================================= ===== | | | +-----------------------------------------------------------------------------------------------------------------------------------+ | | | |lab311| | || | -|| 4. Under Origin Pools Click *"Add Item"* | +|| 4. Under Origin Pools Click **Add Item** | || | | |lab302| | || | -|| 5. Select the recently created **[NAMESPACE]-private-pool** under Origin pool and then click *"Apply"* | +|| 5. Select the recently created **[NAMESPACE]-private-pool** under Origin pool and then click **Apply** | || | | |lab303| | || | -|| 6. 
Now you can see your Origin Pool has been added to the HTTP Loadbalancer Configuration | +|| 6. Now you can see your Origin Pool has been added to the HTTP Load balancer configuration | || | | |lab304| | || | -|| 7. Now we want to control how this Load Balancer is advertised, we will select the "Other Settings" on the left hand side. | -|| This will auto-scroll the configuations towards the bottom of the Load Balancer configuration section labled "Other Settings" | +|| 7. Now we want to control how this Load Balancer is advertised, we will select the **Other Settings** on the left hand side. | +|| This will auto-scroll the configuations towards the bottom of the Load Balancer configuration section labeled | +|| **Other Settings** | || | || |lab305| | || | -|| 8. Under *VIP Advertisement* Change it to "Custom" then select **Configure** | +|| 8. Under **VIP Advertisement** Change it to **Custom** then select **Configure** | || | || |lab306| | || | -|| 9. In the List of Sites to Advertise", Click on *"Add Item"* | +|| 9. In the **List of Sites to Advertise**, Click on **Add Item** | || | || |lab307| | || | -|| 10. For *"Site Network"* select *"Outside Network"* | +|| 10. For **Site Network** select **Outside Network** | || | -|| 11. For *"Site Reference"* select **system/student-awsnet** | +|| 11. For **Site Reference** select **system/student-awsnet** | || | || |lab308| | || | -|| 12. Click on *"Apply"* and once again *"Apply"* on the next screen. | +|| 12. Click on **Apply** and once again **Apply** on the next screen. | || | | | +-----------------------------------------------------------------------------------------------------------------------------------+ Task 3: Configure WAF Policy -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +----------------------------- Now that we have our load balancer and orign server configured we want to make sure we are protecting the origin server. Here we are easily applying a pre-existing shared WAF policy to our loadbalancer. 
The shared WAF policy is available for all namespaces under this tenant. +-----------------------------------------------------------------------------------------------------------------------------------+ -|| 1. Under the *Web Application Firewall* section | +|| 1. Under the **Web Application Firewall** section | || | || 2. Choose the following options: | || | +-----------------------------------------------------------------------------------------------------------------------------------+ | | | =============================== ================================= | -| Variable Value | +| *Variable* *Value* | | =============================== ================================= | | Web Application Firewall (WAF) **Enable** | | Select App Firewall **shared/base-appfw** | @@ -198,16 +199,10 @@ under this tenant. || | || 3. Scroll to the botton of the screen and click "Save and Exit" to create the HTTP Load Balancer. | || | -| Once the HTTP Load Balancer has been deployed, you should now be able to go to the DNS name that you entered | -| previously in a web browser. The FQDN we used in our example is http://[NAMESPACE].aws.lab.f5demos.com. | -| This is a wildcard DNS entry that points to the Public IP (AWS Elastic IP) that is attached to the AppMesh node. | -|| | -|| 4. Click on *"Save and Exit"* to complete the Load Balancer configuration | -|| | +-----------------------------------------------------------------------------------------------------------------------------------+ Task 4: Verify Configuration -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +----------------------------- You should now be able to go to the DNS name that you created in this Load Balancer configuration. The FQDN we used in our example is http://[NAMESPACE].aws.lab.f5demos.com/. 
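Review bot: the HTTP Load Balancer variable table in the `@@ -118,77 +118,78 @@` hunk has the same border mismatch as Task 1: the header borders become `================================= =======` while the closing `| ================================= ===== |` is left as context, which docutils rejects as a malformed simple table. Two smaller points on the same hunk: "configuations" is still misspelled on the added line `This will auto-scroll the configuations towards the bottom`, and the menu path `**Manage->Load Balancers-> HTTP Load Balancers**` has a stray space after the second arrow. Since this hunk also fixes the step that selects an `**HTTP**` load balancer advertised on the CE's `**Outside Network**`, a one-line caveat that this VIP is plaintext HTTP reachable through the AWS EIP, so the WAF policy added in Task 3 is the only control in front of the origin, would help readers who carry the lab pattern into real deployments.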
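Review bot: the `@@ -198,16 +199,10 @@` hunk drops the only sentence that explains what the FQDN resolves to ("This is a wildcard DNS entry that points to the Public IP (AWS Elastic IP) that is attached to the AppMesh node"); the Task 4 text that replaces it only says "You should now be able to go to the DNS name". Task 5 then asks the reader to verify DNS by comparing the two hosts, so keep that explanation in Task 4, e.g. "This is a wildcard DNS entry that points to the Elastic IP attached to the CE node." Removing the duplicated step 4 ("Click on Save and Exit") is right, since step 3 already performs it; the remaining step 3 line still reads "Scroll to the botton of the screen" and should say "bottom".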
@@ -222,7 +217,7 @@ The FQDN we used in our example is http://[NAMESPACE].aws.lab.f5demos.com/. Task 5: Verify DNS -^^^^^^^^^^^^^^^^^^^^^^ +------------------- You can verify that you are connecting directly to AWS by comparing the DNS of the two hosts. 
@@ -250,27 +245,37 @@ You can verify that you are connecting directly to AWS by comparing the DNS of t +-----------------------------------------------------------+ Task 6: Verify WAF Protection -^^^^^^^^^^^^^^^^^^^^^^ +----------------------------- In this topology we are sending traffic to the AWS EIP that's attached to the CE node in the AWS VPC. We then connect to the AWS resource via it's Private IP address. +-----------------------------------------------------------------------------------------------------------------------------------+ -| | | | -| Try adding the following to the URL "/cart?search=aaa’>" | +| Using some of the sample attacks below, add the URI path & variables to your application to generate | +| security event data. | +| | +| * /?cmd=cat%20/etc/passwd | +| * /product?id=4%20OR%201=1 | +| * /cart?search=aaa'> | | | -| You should see a block page. | +| Just like in Lab 1, you should see a block page when adding the attacks to the URL. | | | | |lab313| | | | +-----------------------------------------------------------------------------------------------------------------------------------+ -This is similar behavior to what we saw in the previous lab,but in this case the enforcement of the WAF policy is occurring on the -CE nodethat is deployed in the AWS Lab Environment and not in the F5 Distributed Cloud Regional Edge. +This is similar behavior to what we saw in the previous lab, but in this case the enforcement of the WAF policy is occurring on the +CE node that is deployed in the AWS lab environment and not in the F5 Distributed Cloud Regional Edge. -Congratulations you have successfully configured and secured application access within AWS! This marks the end of this lab. + ++-----------------------------------------------------------------------------------------------------------------------------------+ +| **End of Lab 3**. Congratulations you have successfully configured and secured application access within AWS! 
This marks the | +| end of this lab. | +| | +| |labend| | ++-----------------------------------------------------------------------------------------------------------------------------------+ .. |lab300| image:: _static/lab3-appworld2025-topology-diagram.png :width: 800px From 94884b3111ab51a39bf10e6c9a46449594d9af16 Mon Sep 17 00:00:00 2001 From: Curt Kersey Date: Wed, 8 Jan 2025 17:34:28 -0500 Subject: [PATCH 2/7] formatting, lab 3 --- docs/class1/lab3.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/class1/lab3.rst b/docs/class1/lab3.rst index 6a874772..edcbe49d 100644 --- a/docs/class1/lab3.rst +++ b/docs/class1/lab3.rst @@ -7,7 +7,7 @@ They have come to you and asked if you could configure customer access to this a to the Internet. You have been tasked to design and build this connectivity. You have chosen to leverage the Distributed Cloud Customer Edge deployment model to provide secure reliable access to the AWS hosted application. -Your design includes the following workflow Client -> CE -> Protected application resource. Let's get started! +Your design includes the following workflow **Client -> CE -> Protected application resource**. Let's get started! .. image:: _static/lab3-appworld2025-topology-diagram.png From 3369227d357d32e06c2500aa6f78a224d590a0e7 Mon Sep 17 00:00:00 2001 From: Curt Kersey Date: Wed, 8 Jan 2025 17:40:43 -0500 Subject: [PATCH 3/7] more formatting in lab 3 --- docs/class1/lab3.rst | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/class1/lab3.rst b/docs/class1/lab3.rst index edcbe49d..c03507e9 100644 --- a/docs/class1/lab3.rst +++ b/docs/class1/lab3.rst 
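Review bot: the substantive change in the `@@ -250,27 +245,37 @@` hunk is replacing the curly apostrophe in `/cart?search=aaa’>` (U+2019) with an ASCII `'` in `/cart?search=aaa'>`, and it deserves a mention in the commit message: a browser percent-encodes the curly quote as `%E2%80%99` rather than `%27`, so it is not the quote character the SQLi and XSS signatures look for and the block page in |lab313| may not reproduce with the old payload. Two smaller points: the context line "We then connect to the AWS resource via it's Private IP address" should read "its", and the sentence moved into the table ("Just like in Lab 1, you should see a block page ...") now says the same thing as the paragraph kept below it ("This is similar behavior to what we saw in the previous lab ..."); patch 3 removes that paragraph again, so squashing the two commits avoids the duplicated state.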
@@ -138,11 +138,11 @@ Now we will deploy a Load Balancer on the CE node that was deployed in the AWS V | | | |lab311| | || | -|| 4. Under Origin Pools Click **Add Item** | +|| 4. Under **Origin Pools** Click **Add Item** | || | | |lab302| | || | -|| 5. Select the recently created **[NAMESPACE]-private-pool** under Origin pool and then click **Apply** | +|| 5. Select the recently created **[NAMESPACE]-private-pool** under **Origin pool** and then click **Apply** | || | | |lab303| | || | @@ -197,7 +197,7 @@ under this tenant. | | +-----------------------------------------------------------------------------------------------------------------------------------+ || | -|| 3. Scroll to the botton of the screen and click "Save and Exit" to create the HTTP Load Balancer. | +|| 3. Scroll to the botton of the screen and click **Save and Exit** to create the HTTP Load Balancer. | || | +-----------------------------------------------------------------------------------------------------------------------------------+ 
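Review bot: the `@@ -197,7 +197,7 @@` hunk rewrites step 3 but keeps the typo on the changed line, `3. Scroll to the botton of the screen and click **Save and Exit**`; change it to "bottom" while the line is being touched. The same line in lab2.rst is touched again in patch 4 of this series with the typo still in place, so fixing both in one commit keeps the two labs consistent.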
@@ -260,16 +260,14 @@ We then connect to the AWS resource via it's Private IP address. | * /product?id=4%20OR%201=1 | | * /cart?search=aaa'> | | | -| Just like in Lab 1, you should see a block page when adding the attacks to the URL. | +| Just like in Lab 1, you should see a block page when adding the attacks to the URL. The difference in this case is that the | +| enforcement of the WAF policy is occurring on the load balancer on the CE node that is deployed in the AWS lab environment | +| instead of the Regional Edge in Distributed Cloud. | | | | |lab313| | | | +-----------------------------------------------------------------------------------------------------------------------------------+ -This is similar behavior to what we saw in the previous lab, but in this case the enforcement of the WAF policy is occurring on the -CE node that is deployed in the AWS lab environment and not in the F5 Distributed Cloud Regional Edge. - - +-----------------------------------------------------------------------------------------------------------------------------------+ | **End of Lab 3**. Congratulations you have successfully configured and secured application access within AWS! This marks the | | end of this lab. | @@ -305,3 +303,5 @@ CE node that is deployed in the AWS lab environment and not in the F5 Distribute :width: 800px .. |lab313| image:: _static/lab3-appworld2025-waf-block-message.png :width: 800px +.. |labend| image:: _static/labend.png + :width: 800px \ No newline at end of file From 70b53d845741747ee8c8e5d8cab58e7d1e0b254f Mon Sep 17 00:00:00 2001 From: Curt Kersey Date: Wed, 8 Jan 2025 19:37:31 -0500 Subject: [PATCH 4/7] formatting: lab2, lab3 --- docs/class1/lab2.rst | 2 +- docs/class1/lab3.rst | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/class1/lab2.rst b/docs/class1/lab2.rst index e505c7d8..bd2a9bb5 100644 --- a/docs/class1/lab2.rst +++ b/docs/class1/lab2.rst 
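Review bot: the `@@ -305,3 +303,5 @@` hunk adds the `.. |labend| image:: _static/labend.png` definition, but the `|labend|` substitution is already referenced in the End of Lab 3 box added by patch 1, so the tree after patch 1 or patch 2 builds with an "Undefined substitution referenced: labend" error. Move this definition into patch 1 (or squash the series) so every commit builds. The added line also ends with `\ No newline at end of file`; add the trailing newline.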
@@ -154,7 +154,7 @@ under this tenant. | | +-----------------------------------------------------------------------------------------------------------------------------------+ || | -|| 3. Scroll to the botton of the screen and click **Save and Exit** to create the HTTP Load Balancer. | +|| 3. Scroll to the botton of the screen and click **Save and Exit** to create the HTTP Load Balancer. | || | || | +-----------------------------------------------------------------------------------------------------------------------------------+ diff --git a/docs/class1/lab3.rst b/docs/class1/lab3.rst index c03507e9..49e50cd0 100644 --- a/docs/class1/lab3.rst +++ b/docs/class1/lab3.rst @@ -142,7 +142,7 @@ Now we will deploy a Load Balancer on the CE node that was deployed in the AWS V || | | |lab302| | || | -|| 5. Select the recently created **[NAMESPACE]-private-pool** under **Origin pool** and then click **Apply** | +|| 5. Select the recently created **[NAMESPACE]-private-pool** under **Origin Pool** and then click **Apply** | || | | |lab303| | || | @@ -156,7 +156,7 @@ Now we will deploy a Load Balancer on the CE node that was deployed in the AWS V || | || |lab305| | || | -|| 8. Under **VIP Advertisement** Change it to **Custom** then select **Configure** | +|| 8. Under **VIP Advertisement**, change it to **Custom** then select **Configure** | || | || |lab306| | || | From 608d569b153914638546a1dc3e9a55004e5ef8be Mon Sep 17 00:00:00 2001 From: Curt Kersey Date: Wed, 8 Jan 2025 19:40:23 -0500 Subject: [PATCH 5/7] formatting: lab3 --- docs/class1/lab3.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/class1/lab3.rst b/docs/class1/lab3.rst index 49e50cd0..26db0068 100644 --- a/docs/class1/lab3.rst +++ b/docs/class1/lab3.rst 
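Review bot: in the lab2.rst `@@ -154,7 +154,7 @@` hunk the removed and added lines are character for character identical as shown, so this is a whitespace-only change, and the line still reads "Scroll to the botton of the screen". If the line is being touched, fix the typo to "bottom"; otherwise drop the no-op hunk from the "formatting" commit. The two lab3.rst hunks in the same patch (`**Origin Pool**` capitalisation and the comma after `**VIP Advertisement**`) are fine.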
@@ -269,12 +269,13 @@ We then connect to the AWS resource via it's Private IP address. +-----------------------------------------------------------------------------------------------------------------------------------+ +-----------------------------------------------------------------------------------------------------------------------------------+ -| **End of Lab 3**. Congratulations you have successfully configured and secured application access within AWS! This marks the | -| end of this lab. | +| **End of Lab 3*. Congratulations, you have successfully configured and secured application access within AWS! This marks | +| the end of the lab. | | | | |labend| | +-----------------------------------------------------------------------------------------------------------------------------------+ + .. |lab300| image:: _static/lab3-appworld2025-topology-diagram.png :width: 800px .. |lab301| image:: _static/lab3-appworld2025-task1-originserver.png From 078bc606545e0eaa00a1d750a4953df7a75cf903 Mon Sep 17 00:00:00 2001 From: Curt Kersey Date: Wed, 8 Jan 2025 19:42:06 -0500 Subject: [PATCH 6/7] formatting: lab3 --- docs/class1/lab3.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/class1/lab3.rst b/docs/class1/lab3.rst index 26db0068..17fc0d62 100644 --- a/docs/class1/lab3.rst +++ b/docs/class1/lab3.rst @@ -269,7 +269,8 @@ We then connect to the AWS resource via it's Private IP address. +-----------------------------------------------------------------------------------------------------------------------------------+ +-----------------------------------------------------------------------------------------------------------------------------------+ -| **End of Lab 3*. Congratulations, you have successfully configured and secured application access within AWS! This marks | +| | +| **End of Lab 3*. Congratulations, you have successfully configured and secured application access within AWS! This marks | | the end of the lab. | | | | |labend| | 
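Review bot: the patch 5 `@@ -269,12 +269,13 @@` hunk turns `**End of Lab 3**` into `**End of Lab 3*`, one trailing asterisk, which is unbalanced inline markup; docutils emits "Inline strong start-string without end-string" and renders the asterisks literally. Patch 6 then adds an empty `| |` row above it and patch 7 removes that row and restores `**End of Lab 3**`, so patches 5 to 7 net out to a comma and "the end of the lab" wording change plus a row separator. Squash them into one commit so no intermediate revision carries the broken markup.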
From 9e340fe5bb7ffe7a843e882687e6a535e4c835ed Mon Sep 17 00:00:00 2001 From: Curt Kersey Date: Wed, 8 Jan 2025 19:44:46 -0500 Subject: [PATCH 7/7] formatting: lab2, lab3 --- docs/class1/lab2.rst | 2 +- docs/class1/lab3.rst | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/docs/class1/lab2.rst b/docs/class1/lab2.rst index bd2a9bb5..f47f51de 100644 --- a/docs/class1/lab2.rst +++ b/docs/class1/lab2.rst @@ -198,7 +198,7 @@ in AWS via the connection to the CE node in AWS. +-----------------------------------------------------------------------------------------------------------------------------------+ | **End of Lab 2**. In this lab you configured a global load balancer with a WAF policy on a CE node running in AWS for a | | private end point. That private end point was only accessible via the global load balancer. | -| | ++-----------------------------------------------------------------------------------------------------------------------------------+ | |labend| | +-----------------------------------------------------------------------------------------------------------------------------------+ diff --git a/docs/class1/lab3.rst b/docs/class1/lab3.rst index 17fc0d62..c9b6be33 100644 --- a/docs/class1/lab3.rst +++ b/docs/class1/lab3.rst 
@@ -269,10 +269,9 @@ We then connect to the AWS resource via it's Private IP address. +-----------------------------------------------------------------------------------------------------------------------------------+ +-----------------------------------------------------------------------------------------------------------------------------------+ -| | -| **End of Lab 3*. Congratulations, you have successfully configured and secured application access within AWS! This marks | +| **End of Lab 3**. Congratulations, you have successfully configured and secured application access within AWS! This marks | | the end of the lab. | -| | ++-----------------------------------------------------------------------------------------------------------------------------------+ | |labend| | +-----------------------------------------------------------------------------------------------------------------------------------+
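Review bot: this hunk and the matching lab2.rst `@@ -198,7 +198,7 @@` hunk replace an empty `| |` row with a `+----+` separator so the |labend| image sits in its own grid-table row; in a grid table that separator must be exactly as wide as the `|` rows and use the same column breaks, so confirm the new line matches the table's outer border width in both files (the diff shows it at the same width, but a single character difference fails the build). With the `**End of Lab 3**` markup restored here, the series is correct at its tip; the remaining concern is only the broken intermediate commits noted above.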