F5 Distributed Cloud Security Service Insertion With BIG-IP Advanced WAF
In this article we will show you how to quickly deploy and operate external services of your choice across multiple public clouds. For this article I will select the BIG-IP Advanced WAF (PAYG), future articles will cover additional solutions.
F5’s Distributed Cloud Security Service Insertion solution allows enterprises to deploy and operate external services of their choice across multiple public clouds.
Let's start by looking at a real-world customer example. The enterprise has standardized on an external firewall in their private data center. Their network and security team are very familiar with using BIG-IP AWAF. They want to deploy the same security firewall solution that they use in the private data center in the public cloud.
The requirements are:
- a simple operational model to deploy these services
- a unified security policy
- consistency across different clouds
- simple deployments
- unified logging
Customers have identified several challenges in moving to the cloud. Initially, teams that are very familiar with supporting services in their private data center usually do not have the expertise to design, deploy and support those services in public clouds. If the same team is then tasked with deploying to multiple clouds, the gap widens: terminology, architecture, tools and constructs are all unique to each cloud.
Second, the operational models are different across clouds. In AWS, you use either a VPC or a transit gateway (TGW); in Azure you use a VNet; and Google has VPCs.
Let's look at how F5’s Distributed Cloud Security Service insertion solution helps simplify and unify security solution deployments in multi-cloud and hybrid cloud environments:
- Infrastructure-as-code: Implementation and policy configuration can be automated and run as infrastructure-as-code across clouds and regions, allowing policies to be repeatable in any major public or private cloud.
- Easy setup and management: This simplified setup and management extends across AWS, Azure, and other clouds, as the F5 Distributed Cloud Platform supports AWS Transit Gateway, virtual network peering in Azure, and use of VPC attachments.
- Define once and replicate models: No extra handcrafting is needed for consistent, straightforward operations and deployment.
- Unified traffic steering rules: With the Distributed Cloud Platform, traffic is rerouted from networks through the security service using the same steering rules across different public and private clouds. Using F5 Distributed Cloud Console, IT pros get granular visibility and single-pane-of-glass management of traffic across clouds and networks.
- Optional policy deployment routes: Policies can be deployed at either or both the network layer (using IP addresses) or the application layer (using APIs).
Step by Step Process
This walkthrough assumes you already have an AWS VPC deployed. Have the VPC ID handy.
- Log into the F5 Distributed Cloud Dashboard
You are presented with the Dashboard where you can choose which deployment option you want to work with. We will be working with Cloud and Edge Sites.
- Select Cloud and Edge Sites > Manage > Site Management > AWS TGW Sites
- Click Add the AWS Transit Gateway (TGW)
- Under Metadata, give your TGW site a Name, Label and Description
- Click on Configure under AWS Configuration
This brings up the Services VPC Configuration Page
- Select your AWS region
- Select Services VPC, leave it as New, let it generate a name or choose your own, and give the Primary CIDR block you want to assign to the VPC.
- Leave Transit Gateway as New TGW
- Leave BGP as Automatic
- Under Site Node Parameters, Ingress/Egress, select “Add Item”
- Move the slider in the upper right corner to Show Advanced Fields
- Fill in the required configuration, the AWS AZ Name and CIDR Blocks for each of the subnets, and click “Add Item”. You can let the system autogenerate these or assign the desired range.
This will take you back to the last screen, where you need to either create or select your cloud credentials. These are Programmatic Access Credentials allowing API access.
- Click Apply
This takes you to the previous screen, where we connect your current VPC to the Services VPC we are creating (have the VPC ID available).
- Click Configure under VPC attachments
- Click Add Item
- Supply the VPC ID
- Click Apply
This takes you back once again to the AWS TGW Site screen.
- Finish by clicking Save and Exit.
- In the UI you will then click Apply.
You are now deploying your new Security VPC via Terraform.
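Before the Terraform run starts, it pays to sanity-check the CIDR values you typed into the Services VPC configuration: subnets that fall outside the Services VPC, overlap each other, or collide with the VPC you are attaching through the TGW will break routing through the security service. The following Python check is an added example, not code from the article or from F5; all CIDRs, AZ names and the VPC id are constructed placeholders.

```python
import ipaddress

# Constructed sample values, not taken from the article: the primary CIDR you
# give the new Services VPC, the subnet CIDRs you entered per AWS AZ for the
# Ingress/Egress site node, and the CIDR of the existing VPC whose id goes
# under VPC attachments (the id is a placeholder).
SERVICES_VPC_CIDR = "10.250.0.0/16"
SITE_NODE_SUBNETS = {
    "us-east-1a": ["10.250.0.0/24", "10.250.1.0/24", "10.250.2.0/24"],
    "us-east-1b": ["10.250.10.0/24", "10.250.11.0/24", "10.250.12.0/24"],
}
ATTACHED_VPC_CIDRS = {"vpc-PLACEHOLDER": "10.10.0.0/16"}


def check_services_vpc_plan(vpc_cidr, node_subnets, attached_vpcs):
    """Return a list of problems with the CIDR plan; an empty list means clean."""
    problems = []
    try:
        # strict=True rejects a typo such as 10.250.1.5/24 (host bits set)
        vpc_net = ipaddress.ip_network(vpc_cidr, strict=True)
    except ValueError as exc:
        return [f"Services VPC CIDR {vpc_cidr!r} is invalid: {exc}"]
    seen = []  # (label, network) of subnets already accepted
    for az, cidrs in node_subnets.items():
        for cidr in cidrs:
            label = f"{az} {cidr}"
            try:
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError as exc:
                problems.append(f"{label} is invalid: {exc}")
                continue
            # every site subnet must be carved out of the Services VPC
            if not net.subnet_of(vpc_net):
                problems.append(f"{label} is outside Services VPC {vpc_cidr}")
            # and no two subnets of the site may overlap
            for other_label, other in seen:
                if net.overlaps(other):
                    problems.append(f"{label} overlaps {other_label}")
            seen.append((label, net))
    # the Services VPC must not overlap any VPC reached through the TGW
    for vpc_id, cidr in attached_vpcs.items():
        if vpc_net.overlaps(ipaddress.ip_network(cidr, strict=True)):
            problems.append(f"Services VPC {vpc_cidr} overlaps attached VPC {vpc_id} ({cidr})")
    return problems


if __name__ == "__main__":
    findings = check_services_vpc_plan(SERVICES_VPC_CIDR, SITE_NODE_SUBNETS, ATTACHED_VPC_CIDRS)
    print("\n".join(findings) if findings else "CIDR plan is clean")
```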
While that is deploying we will move on to the External Services.
- Manage > Site Management > External Services > Add External Service
- Give your Service a name, add a label and description.
- Click “Configure” under Select NFV Service Provider.
For this article we will select the F5 BIG-IP Advanced WAF (PAYG), future articles will cover additional solutions.
- Provide the Admin Password
- Admin Username
- The public SSH key that you will use to access your BIG-IP deployment.
- Select the TGW site you created above.
- Finally click “Add Item“ under Service Nodes.
- Enter a Node name and the Availability Zones you wish to deploy into, then click “Add Item”.
This will take you back to the original screen.
- Enable HTTPS Management of Nodes and supply a delegated domain that will issue a certificate.
- Under “Select Service Type”, keep Inside VIP at Automatic and set the Outside VIP to “Advertise On Outside Network”.
- Finally, click “Save and Exit”.
At the end, the External Security Service is deployed, and you are taken to the list of all External Services.
- Click the name of the External Service you deployed to expand the details
From this screen you are able to access several items; the two I want to point out are the TGW stats and the BIG-IP you deployed, which you reach by clicking the Management Dashboard URL.
- Under Site, click the TGW site you deployed
Here you are able to see fine-grained stats under all the tabs:
- System Metrics
- Application Metrics
- Site Status
- Top Talkers
- Flow tables
- Status Objects
Going back, click the hyperlink to the BIG-IP if you wish to look at the configuration.
F5 Distributed Cloud Service Insertion automatically configured your BIG-IP with the following information:
- Self IPs
- Management and credentials
- IPoIP tunnel between the SI (service insertion) site and the BIG-IP
The following two items still need to be configured on your BIG-IP:
- Configure AWAF policies
  - SecOps can access the familiar BIG-IP UI using the management link provided in the F5 Distributed Cloud Console and set up and configure AWAF policies.
- Define a Traffic Steering Policy
  - Network policy: defines the traffic steering policy at the Network (L3/L4) layer.
  - Service policy: defines the traffic steering policy at the App (L7) layer.
  - The traffic steering control methods available are:
    - Network level: IP address, port, etc.
    - App level: API, method, etc.
At the end of this step, you can see traffic being diverted to the BIG-IP and inspected by it.
As you can see, F5 Distributed Cloud Security Service Insertion dramatically reduces the operational complexity of deploying external services in public clouds, greatly enhances the security posture, and vastly improves productivity for all the operations teams, such as NetOps, SecOps and DevOps.