Edge Networking & Security

Objective

This guide provides instructions on how to create secure edge networks using F5® Distributed Cloud Console and F5 Distributed Cloud Mesh.

The steps to create secure edge networks are:

Figure: Steps to Deploy Edge Cloud Networking and Security

The following images shows the topology of the example for the use case provided in this document:

Figure: ECNS Sample Topology

Using the instructions provided in this guide, you can deploy an F5 Distributed Cloud Site as part of a fleet, connect it to the cloud or SaaS services over public internet or privately, and secure the Distributed Cloud Site using network policies, service policies, and application firewall.

Prerequisites

Distributed Cloud Console SaaS account.

Note: If you do not have an account, see Create an Account.
Amazon Web Services (AWS) account.

Note: This is required to deploy a Site.
Intel NUC as commodity device with at least 4 VCPU and 8G memory.

Note: See Hardware Installation.
Distributed Cloud vesctl utility.

Note: See vesctl for more information.
Docker.
The balenaEtcher software to flash the F5 Distributed Cloud Services software image on to a USB drive.
A secret and policy document for encrypting your certificates and secrets using F5 Distributed Cloud Blindfold.

Note: See Blindfold for more information.
Self-signed or CA-signed certificate for your application domain.

Configuration

The use case provided in this guide sets up a Site on a commodity edge device and adds it to a fleet. The Site is then connected to cloud or SaaS services and secured using the Disitributed Cloud security features.

The following list outlines the sequence of activities performed for this use case:

Distributed Cloud Services software is installed on the edge device and registered on F5 Distributed Cloud Console.
A fleet is created with the required network configurations, and a fleet label is applied to the Site to make it part of the fleet.
The edge Site is connected to cloud or SaaS services over public internet in the Default Gateway SNAT Mode or Forward Proxy Mode. The step also shows how to privately connect the edge Site to cloud apps, without exposing communication to the internet.
Network policy to allowlist access to specific IP addresses and service policy to allowlist or denylist access to specific URLs is configured. Also, the application firewall is applied to block sophisticated application layer attacks such as the SQL injection attack.

The use case for this document assumes that an application called as Hipster Webapp is deployed in an AWS EKS in Amazon VPC. Also, a Distributed Cloud Mesh node is deployed in the same VPC with the Site name as hipster-webapp-west. The K8s namespace name is hipster.

The application consists of the following services:

frontend
cartservice
productcatalogservice
currencyservice
paymentservice
shippingservice
emailservice
checkoutservice
recommendationservice
adservice
cache

Note: Ensure that you keep the Amazon Elastic IP VIPs ready for later use in configuration.

Step 1: Provision

The following video shows the Site provisioning workflow:

You can use any of the supported hardware devices. However, in case of F5 Volterra IGW or ISV devices, the software is pre-installed, and you can power on, connect through Ethernet or Wi-Fi, and perform registration.

Perform the following steps to provision the Site on the commodity device:

Step 1.1: Download the Distributed Cloud Services software image.

Download the certified hardware image from the Certified Images page.

Step 1.2: Create a site token.

Log into Distributed Cloud Console and create a site token as per the instructions in the Site Management guides.

Note: You can also use an existing site token. In case you do not have any token, create one for using later for registration.

Step 1.3: Install the software on the device.

Install the Distributed Cloud Services software using the downloaded image on the commodity device as per the instructions in the Install Distributed Cloud Node guide.
Log into your device terminal and perform initial configuration. Initial configuration includes setting site token, cluster name, and set default values for rest of the options such as network configuration.

Step 1.4: Perform Site registration.

Log into Console and select the Multi-Cloud Network Connect service.
Select Manage from the configuration menu and Site Management -> Registrations in the options.
Click Pending Registrations tab and find the registration request for your device. Click Approve.
Click Accept to confirm.

Note: Check for your device status in the Other Registrations tab. The ONLINE status indicates that the Site is provisioned and ready to use.

Step 1.5: Deploy web application and node in the Amazon VPC.

Perform the steps mentioned in the Step 1: Deploy Site chapter of the Secure Kubernetes Gateway guide to deploy the web application.

Note: This step performs automatic Site registration.

Step 2: Define

Create a fleet of Sites with inside and outside network configuration and add the Site created in the previous chapter to this fleet.

The following video shows the fleet configuration and Site inclusion workflow:

Perform the following steps to configure the fleet and add site to it:

Step 2.1: Log into Console and create network configuration required for fleet.

Create virtual networks and network interfaces for the inside and outside networks. Also, create a network connector for connecting inside network with outside network.

Step 2.1.1: Create outside and inside networks.

Select Manage in the configuration menu and Networking->Virtual Networks in the options. Click Add virtual network.
Enter a name for your network and select Site Local Network for the Network Type field.
Click Add subnet, enter an IP address for the Prefix field, and enter prefix length for the Prefix Length field. Click Apply to add subnet.
Click Add virtual network to create the virtual network.

Figure: Virtual Network Creation

Repeat the above steps to create another network with the Network Type as Site Local Inside Network.

Step 2.1.2: Create outside and inside network interfaces.

Select Manage in the configuration menu and Networking->Network Interfaces in the options. Click Add network interface.
Enter a name for your network interface, set Ethernet for the Type field, and set eth0 for the Device Name field.
Click Select Virtual Network, select the outside network created in the previous step and click Select Virtual Network to apply the virtual network.
Select Enable for the Enable DHCP Client field.
Select Disable DHCP Server for the Enable DHCP Server field.
Click Add network interface to complete creating the network interface.

Figure: Network Interface Creation

Repeat the above steps to create another network interface with the following configuration:
- Set Ethernet for the Type field and set eth1 for the Device Name field.
- Click Select Virtual Network, select the inside network created in the previous step and click Select Virtual Network to apply the virtual network.
- Select Disable for the Enable DHCP Client field.
- Select Enable DHCP Server for the Enable DHCP Server field.

Step 2.1.3: Create network connector.

Select Manage in the configuration menu and Networking->Network Connectors in the options. Click Add network connector.
Enter a name for your network and select Default Gateway Snat for the Network Connector Type field.
Select Site Local Network for the Outside Virtual Network Type field.
Click Select outside network and select the outside network created in Step 2.1.1.
Select Site Local Inside Network for the Inside Virtual Network Type field.
Click Select inside network and select the inside network in Step 2.1.1.
Click Add network connector to complete creating the network connector.

Figure: Network Connector Creation

Step 2.2: Start creating a fleet.

Navigate to the Manage in the configuration menu and Fleets in the options. Click Add fleet to load fleet creation form.
Enter a name for your fleet and set a label in the Fleet Label Value field.

Figure: Fleet Basic Configuration

Step 2.3: Configure network settings.

Step 2.3.1: Add outside and inside network interfaces to the fleet.

Click Add device and set a name for the Device Name field.
Select Owner VER and Networking Device for the Device Owner and Device Instance fields respectively.
Click Select Interface and select the outside network interface created in Step 2.1.2.
Select Outside Interface for the Use field and click Apply to add the device to fleet.

Figure: Fleet Network Interface Configuration

Repeat the above steps to add the inside network interface created in Step 2.1.2. Select Inside Interface for the Use field.

Step 2.3.2: Add network connector to the fleet.

Click Select network connector and add the network connector created in Step 2.1.3.

Step 2.4: Complete fleet creation.

Click Add fleet to complete fleet creation.

Step 2.5: Add Site to the fleet.

Select Sites from configuration menu and Site List from options. Click ...->Edit to open Site edit form.
Click in the Labels field and select ves.io/fleet as the label. Select the value as the label of the fleet you created in Step 2.2.

Figure: Add Fleet Label to Site

Click Save changes to add your Site to the fleet.

Step 3: Connect

Connect privately to cloud application that is not exposed on public internet. This use case has the cloud app, hipster-shop that is already deployed in AWS EKS. The users on the edge Site need to reach frontend service over a private connection without exposing frontend to the internet. This is achieved by deploying a Mesh node in the same VPC where the hipster-shop is deployed, setting up service discovery, and configuring load balancer for the frontend service.

Note: This chapter provides the details for configuring the required components for the load balancer. For detailed instructions on creation of virtual host, see Virtual Hosts.

The following video shows the service discovery and load balancer creation workflow:

Perform the following to configure service discovery and load balancer:

Step 3.1: Log into Console and update proxy mode for network connector.

Select Manage in the configuration menu and Networking->Network Connectors in the options. Find the network connector created and click ...->Edit.
Scroll down to the Proxy Type field and select Forward Proxy.
Click Save changes.

Step 3.2: Configure service discovery for the webapp deployed in the Amazon VPC.

Select Manage in the configuration menu and Site Management-> Discovery in options. Click Add discovery and enter the configuration as per the following guidelines:

Enter a name in the Name field.
Select Virtual Site for the Where field.
Click Select ref, select hipster-webapp-west as the Site, and click Select ref.
Select Site Local Network for the Network Type field.
Select Kubernetes for the Type field.
Select K8s for the Discovery Service Access Information field and select Kubeconfig for the Oneoff field.

Figure: Service Discovery Configuration

Encrypt Kubeconfig file for your EKS cluster using the F5 Distributed Cloud Blindfold:

vesctl request secrets encrypt --policy-document <policy-doc> --public-key <public-key> hipster-app-kubeconfig > hipster-app-bf-secret

Copied!

Click Kubeconfig and enter the configuration as per the following guidelines:
- Select Blindfold for the Secret info field.
- Enter the encrypted secret in the Location field.
- Select EncodingNone for Secret Encoding field.

Figure: Service Discovery Secret Configuration

Select Apply and Add discovery to create discovery object.

Step 3.3: Change to the hipster-webapp namespace and create endpoint.

Select Manage->Endpoints. Click Add endpoint and enter the configuration as per the following guidelines:

Enter a name in the Name field.
Enter Site for the Where field and select hipster-webapp-west for the Select ref field.
Select Site Local Network for the network type.
Select Service Selector Info for Endpoint Specifier field.
Select Kubernetes for the Discovery field and Service Name for the Service field.
Enter frontend.hipster as the service name. Here hipster is the K8s namespace name.
Select TCP as the protocol.
Enter 80 for the Port field.
Click Add endpoint to create endpoint.

Step 3.4: Create healthcheck.

Select Manage->Healthcheck. Click Add healthcheck and enter the configuration as per the following guidelines:

Enter a name in the Name field.
Select HTTP Healthcheck the Health check field.
Enter / for path
Enter 5 for Timeout and Interval fields. This sets timeout and interval as 5 seconds for health check.
Enter 3 and 1 for Unhealthy Threshold and Healthy Threshold fields.
Click Add healthchcek.

Step 3.5: Create cluster.

Select Manage->Clusters. Click Add cluster and enter the configuration as per the following guidelines:

Enter a name in the Name field.
Select the endpoint created for the Select endpoint field.
Select the healthcheck object created for the Select healthcheck field.
Select Round Robin for the LoadBalancer Algorithm field.
Click Add cluster.

Step 3.6: Add route towards the created cluster.

Select Manage -> Routes. Enter a name and click Add route. Enter the configuration as per the following guidelines:

Click Add match. Select ANY for the HTTP Method field and Regex for the Path Match field. Enter (.*?) for the Regex field and click Add match.
Select Destination List for the Route action field and click Add destination. Click Select cluster and select the cluster object created. Click Select cluster and Add destination to add the cluster.
Click Add route to create the route.

Step 3.7:Add advertise policy.

Select Manage -> Advertise Policies. Click Add advertise policy and select Site for the Where field
Click Select ref and select the Site created in the Step 1: Provision chapter.
Select TCP as the protocol and 443 as the port.
Click Add advertise policy to complete creating the advertise policy.

Step 3.8: Encrypt the private key of the certificate using the Distributed Cloud Blindfold.

Use the public key and policy document obtained. This example shows the sample of generating a secret for your application domain. Store the output to a file.


vesctl request secrets encrypt --policy-document secure-kgw-demo-policy-doc --public-key hipster-co-public-key tls.key > tls.key.secret

Copied!

Note: The tls.key is the private key of the certificate you generated.

Step 3.9: Add a virtual host.

Select Manage -> Virtual Hosts. Click Add virtual host and set the configuration as per the following guidelines:

Enter name, application domain, and your proxy type. This sample uses HTTPS_PROXY as the proxy type and hello-web-4.helloclouds.app as the domain.
Select previously defined route.
Select previously created advertise policy.
Click TLS Parameters and click Add TLS certificate in the TLS configuration form.
- Generate Base64 string of your certificate and enter it in the string:/// format in the Certificate URL field. You can use the echo <certficiate> |base64 command.
Click Private key and select Secret info as Blindfold secret and enter the secret in the Location field. Select Secret Encoding as EncodingNone. Click Apply and Add virtual host.

Note: Use the secret created in previous step.

Step 4: Secure

Securing the ingress and egress traffic requires you to set the network policies, service policies, WAF, and network firewall.

The following video shows the workflow of securing the ingress and egress:

This example sets policies that allow egress traffic to github.com, block traffic to origin IP 8.8.8.8/32, and block egress traffic to some identified malicious domains. It also enables the WAF to block malicious ingress attacks such as SQL injection traffic.

Step 4.1: Create network policy.

Change to the system namespace and select Security -> Firewall -> Network Policies. Click Add network policy.
Set a name for the policy and select Endpoints Reachable via all Outside Interfaces in the Select Endpoint field of Attachment section. This makes the policy apply to all endpoints.

Figure: Network Policy Endpoint Configuration

Click Configure in the Egress section and configure egress rules as per the following guidelines:
- Select Deny for the Action field.
- Select IPv4 Prefix List for the Select Other Endpoint field.
- Set 8.8.8.8/32 for the IPv4 Prefix List field.
- Enter a name for the Rule Name field and click Apply.

Figure: Network Policy Egress Rule

Click Continue to create the network policy.

Step 4.2: Create forward proxy policies.

Navigate to Security -> Firewall->Forward Proxy Policy.

Step 4.2.1: Create a forward proxy policy to allow access to GitHub.

Click Add forward proxy policy and enter the following configuration:

Set a name for the policy.
Select All Proxies on Site for the Select Forward Proxy field in the Proxy section.
Select Allowed Connections in the Select Policy Rules section and click Configure under the TLS Domains field.

Figure: Forward Proxy Policy Rule Configuration

Click Add item in the TLS Domains screen and enter github.com in the Exact Value field. You can change Enter Domain field to exact value or suffix value or regex values. However, the default is exact value.

Figure: Forward Proxy Policy TLS Domain Configuration

Click Apply to add the TLS domain to the forward proxy policy configuration.
Click Continue to complete creating the forward proxy.

Step 4.2.2: Create another forward proxy policy to block access to malicious sites of your choice.

Set a name for the policy.
Select All Proxies on Site for the Select Forward Proxy field in the Proxy section.
Select Denied Connections in the Select Policy Rules section.
Click Configure for the TLS Domains field, click Add item in the TLS domains screen, and select a value for the Enter Domain field.
Enter a domain as per your domain type selection and click Apply. This example setting suffix value.

Figure: Forward Proxy Policy TLS Deny Configuration

Similarly click Configure for the HTTP URLs field and add URLS of the Sites to which access is to be blocked and click Apply. This example shows sample Sites that are blocked.

Figure: Forward Proxy Policy HTTP Deny Configuration

Click Continue to complete creating the forward proxy policy.

Step 4.3: Create network firewall.

Select Security -> Firewall -> Network Firewall. Click Add network firewall and set the following configuration:

Set a name for the firewall.
Select Active Forward Proxy Policies for the Select Forward Policy Configuration field in the Forward Proxy Policy section.
Select the deny policy created in the previous step for the Forward Proxy Policies field.
Click Add item and add the GitHub allow policy.
Select Active Network Policies for the Select Network Policy Configuration field in the Network Policy section.
Select the deny policy for IP 8.8.8.8/32 created in the previous step for the Network Policies field.

Figure: Network Firewall Configuration

Click Continue to complete creating network firewall.

Step 4.4: Apply the network firewall to the fleet.

Select Manage -> Site Management->Fleets and find your fleet from the displayed list. Click ... -> Edit to open the fleet edit form. Click Select network firewall and select the firewall created in the previous step. Click Save changes to apply the network firewall to the fleet of Sites.

Figure: Network Firewall Addition to Fleet

Note: After adding the network firewall to the fleet, any updates to the network policy or forward proxy policy are applied to all Sites that are part of that fleet.

Step 4.4: Create a WAF and apply it to virtual host.

Change to your application namespace and create WAF.

Navigate to Security->App Firewall->App Firewall. Click Add firewall.
Enter a name and select BLOCK for the Mode field.
Click Add firewall to complete creating the WAF.

Figure: WAF Creation

Navigate to your virtual host and apply the WAF.

Navigate to Manage->Virtual Hosts. Find your virtual host from the displayed list and click ...->Edit to open the virtual host edit form.
Scroll down and click WAF Config to open the WAF configuration form.
Select WAF for the WAF Config field. Click Select WAF, select the created WAF, and click Apply.
Click Save changes to apply WAF to virtual host configuration.

Figure: Apply WAF to Virtual Host

Verification

The applied security policies block egress traffic towards 8.8.8.8/32 and also towards malicious URLs as per the configuration. Also, traffic towards GitHub is allowed. You can also inspect the virtual host and site monitoring for requests and alerts:

Perform the following to verify this:

Step 1: Verify if the requests to github.com are allowed and requests to the blocked sites are rejected.

Use curl from command line or browser to load github.com and GitHub should be allowed.
Use curl from command line or browser to load the URLs you configured to block in the forward proxy deny policy. The requests should be rejected.
Enter ping 8.8.8.8/32 from the command line and this should be unsuccessful.

Step 2: Verify the requests in the site dashboard

Navigate to Sites -> Site List and click on your site to open its dashboard.
Click on the Requests tab and check the sample requests. Your requests to the blocked sites are displayed along with the HTTP return code.

Figure: Sampled Site Requests

Step 3: Verify alerts related to your site

Change to system namespace and navigate to Notifications -> Alerts. By default, active alerts are displayed for all sites. Filter the alerts for your site by entering your site name in the Search field.
Switch to all alerts using the All option. All alerts for your site are displayed.

Figure: Site Alerts

Note: You can also post your alerts to a 3rd party monitoring system or communication platform such as OpsGenie or Slack. For more information, see Alerting.