Increase Security in AWS without Rearchitecting your Applications - Part 2: Wednesday Morning

Welcome back! Yesterday we evaluated what options we have that will increase network and application security in AWS.  Today we will dive in and evaluate the architecture in greater detail.  This morning we will focus on the F5 components in the solution and this afternoon we will dive into the AWS components.  

Yesterday we landed on the following high level architecture to address the security concerns raised by the board. 


Background and Assumptions           

The rest of this article assumes some background knowledge. The general assumptions are:

  • The user has knowledge of networking concepts, AWS Networking, F5 LTM, F5 SSL Orchestrator (SSLO)

To better understand an F5 BIG-IP deployment with AWS Gateway Load Balancer, please review the topic my colleague Yossi_Rosenboi1 presented. For further understanding of SSLO, please see F5 CloudDocs. Kevin Stewart and Kevin Gallaugher have published many articles.

We will begin with a brief discussion of SSLO, followed by how it interoperates with AWS Gateway Load Balancer.  After that we will dive into how to build the solution. 

A Brief Discussion of Forwarding in the BIG-IP SSL Orchestrator Service Insertion

SSLO uses BIG-IP's advanced traffic management capabilities to create policies that steer different traffic through different security policies and security service chains. The ability to build dynamic service chains removes the need to build a static daisy chain of security devices. For example, SSLO can be used to configure different security chains for internet inbound traffic (ingress/north to south), internal to internet (egress/south to north), and internal to internal (east to west) via the same GWLB Endpoint (GWLBE) in AWS. This capability simplifies route table constructs across the environment while increasing visibility and security.

Conceptual Diagram of SSL Orchestrator and Service Chains

Integrating SSL Orchestrator and AWS Gateway Load Balancer

AWS GWLB allows you to use routing constructs to insert security appliances into a VPC routing table. These appliances reside in their own security VPC and provide services to other VPCs. By using GWLB we will leverage horizontal scale, abstraction, and the ability to run the security stack as a service while protecting cloud native services such as Elastic Load Balancers, Elastic IPs, instances and Kubernetes clusters. If we think of the responsibilities that platform/network engineering has, for example providing a secure platform to release applications onto, GWLB enables meeting the requirements of securing the infrastructure platform without interfering in how developers deploy an application. When you combine SSLO traffic classification capabilities with AWS GWLB, we can selectively enable WAFs, NGFWs, DLP, IPS or other security services for north/south, south/north and east/west traffic in the environment.

The Security VPC – Where SSL Orchestrator and the Security Services Reside

The security VPC does not need direct peering with any of the protected Application VPCs. This security VPC should be isolated because our previously encrypted traffic will not be encrypted here. The security VPC will need a subnet to handle management interfaces, 2 subnets per AZ and per service type, 1 subnet per AZ for the Geneve/Load balancing function. Sometimes VMs require outbound connectivity for CFTs or API actions to complete.  In this scenario you may require a NAT gateway or leverage hosting those objects on an S3 bucket that you can access via a VPC endpoint to minimize risk in the environment. 

You may have unique, different or additional internet access concerns that need to be considered while accounting for the risk that traffic is unencrypted in the security VPC.


On my system I have a default route out of the geneve-tunnel VLAN (interface eth1) allowing access to AWS endpoints deployed into my VPC and a NAT gateway. I have also used VLAN naming to make it easier.

Security Group Rules for SSL Orchestrator and Inspection Instances

When deploying in AWS we will create an array of security groups and network interface behavior (SRC/DST check) to ensure that we can process traffic. Please note that the security VPC does not require inbound access from the internet.

 

| Device | Interface Function | SRC / DST Check State | Security Group Rules |
|---|---|---|---|
| SSLO | Management | True | Approved ranges, normally 10.x, 172.x, 192.168.x |
| SSLO | Tunnel Endpoints | True | ENI subnets for GWLB - VPC address space normally 10.x, 172.x, 192.168.x |
| SSLO | Ingress / Egress for service chain | False | 0.0.0.0/0 or broad network access. |
| SSLO | Inside Tunnel | N/A | Not managed by AWS SG – broad network access such as 0.0.0.0/0 if applying AFM. |
| Inspection Device | Management | True | Approved ranges, normally 10.x, 172.x, 192.168.x |
| Inspection Device | Ingress / Egress for service chain | False | 0.0.0.0/0 or broad network access. |
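One way to check a deployed security VPC against the table above, as an added example that is not part of the original article. It assumes each ENI carries a hypothetical `sslo-role` tag, treats the RFC 1918 ranges as the "approved ranges", and runs over constructed records shaped like the output of `describe-network-interfaces` and `describe-security-groups`.

```python
import ipaddress

# Hypothetical tag key used in this example to record an interface's function.
ROLE_TAG = "sslo-role"

# Expected posture per interface function, taken from the table above.
EXPECTED = {
    "management":    {"src_dst_check": True,  "open_ingress_ok": False},
    "tunnel":        {"src_dst_check": True,  "open_ingress_ok": False},
    "service-chain": {"src_dst_check": False, "open_ingress_ok": True},
}

# Assumption: "approved ranges" means the RFC 1918 private ranges.
APPROVED = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def role_of(eni):
    """Read the interface function from the ENI's tags."""
    tags = {t["Key"]: t["Value"] for t in eni.get("TagSet", [])}
    return tags.get(ROLE_TAG)


def ingress_cidrs(sg):
    """Yield every IPv4 source range allowed by a security group's ingress rules."""
    for perm in sg.get("IpPermissions", []):
        for rng in perm.get("IpRanges", []):
            yield ipaddress.ip_network(rng["CidrIp"])


def is_approved(net):
    return any(net.subnet_of(a) for a in APPROVED)


def audit(enis, sgs):
    """Return (eni_id, issue) findings where an ENI deviates from the table."""
    sg_by_id = {sg["GroupId"]: sg for sg in sgs}
    findings = []
    for eni in enis:
        eni_id = eni["NetworkInterfaceId"]
        want = EXPECTED.get(role_of(eni))
        if want is None:
            findings.append((eni_id, "unknown-role"))
            continue
        if eni["SourceDestCheck"] != want["src_dst_check"]:
            findings.append((eni_id, "src-dst-check"))
        if want["open_ingress_ok"]:
            continue
        attached = [sg_by_id[g["GroupId"]] for g in eni["Groups"]
                    if g["GroupId"] in sg_by_id]
        if any(not is_approved(c) for sg in attached for c in ingress_cidrs(sg)):
            findings.append((eni_id, "non-approved-ingress"))
    return findings


# Constructed sample data (placeholder IDs, not from a real account).
SAMPLE_SGS = [
    {"GroupId": "sg-mgmt", "IpPermissions": [
        {"IpProtocol": "tcp", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-gwlb", "IpPermissions": [
        {"IpProtocol": "udp", "IpRanges": [{"CidrIp": "10.252.20.0/24"}]}]},
    {"GroupId": "sg-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-mgmt-ok", "SourceDestCheck": True,
     "Groups": [{"GroupId": "sg-mgmt"}],
     "TagSet": [{"Key": ROLE_TAG, "Value": "management"}]},
    {"NetworkInterfaceId": "eni-tunnel-ok", "SourceDestCheck": True,
     "Groups": [{"GroupId": "sg-gwlb"}],
     "TagSet": [{"Key": ROLE_TAG, "Value": "tunnel"}]},
    # Service-chain interface left with the AWS default (check enabled).
    {"NetworkInterfaceId": "eni-chain-bad", "SourceDestCheck": True,
     "Groups": [{"GroupId": "sg-open"}],
     "TagSet": [{"Key": ROLE_TAG, "Value": "service-chain"}]},
    # Management interface attached to the wide-open group by mistake.
    {"NetworkInterfaceId": "eni-mgmt-open", "SourceDestCheck": True,
     "Groups": [{"GroupId": "sg-open"}],
     "TagSet": [{"Key": ROLE_TAG, "Value": "management"}]},
]

if __name__ == "__main__":
    for eni_id, issue in audit(SAMPLE_ENIS, SAMPLE_SGS):
        print(f"{eni_id}: {issue}")
```
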


Security VPC Traffic Flow 

In the security VPC the GWLB Endpoint uses AWS PrivateLink to steer traffic from one or more application VPCs, and load balances the traffic across an array of SSLO systems using the Geneve protocol. Traffic is then moved across the security services in the configured order. Traffic is then returned to the GWLB Endpoint and placed back in the protected VPC route table.

Single Service in SSL Orchestrator Security Chain

  • Internet Client --> AWS Internet Gateway -->
  • (1) GWLB Endpoint --> (2) Tunnel Interface --> 
  • (3) Out VLAN to security Device --> (4) Out Security Device to SSLO  --> 
  • (7) Tunnel Interface -->  (8) GWLB Endpoint --> ENI (Instance, ALB, NLB) 

Two Services in SSL Orchestrator Security Chain 

  • Client --> AWS (Internet/VGW/TGW)Gateway -->
  • (1) GWLB Endpoint --> (2) Tunnel Interface -->
  • (3) Out VLAN 1 to security Device 1 -->  (4) Out Security Device 1  to SSLO -->
  • (5) Out VLAN 2 to security Device 2 --> (6) Out Security Device 2  to SSLO -->
  • (7) Tunnel Interface --> (8) GWLB Endpoint --> ENI (Instance, ALB, NLB)

Configuring BIG-IP for GWLB

Prior to setting up SSLO we will need to configure BIG-IP to support a Geneve tunnel to use with GWLB, a monitoring virtual server and IPs to use "inside" the tunnel.  Yossi covered this in his article, but it bears repeating since it is critical.

Tunnel Configuration

We will use a basic Geneve tunnel configuration based on the Geneve profile. Geneve uses UDP 6081 as its transport protocol.  In my lab the GENEVE tunnel interface is enabled on the Eth1 interface which is in the same subnet as the GWLB ENIs.  The configuration below can be repeated on any/all SSL Orchestrator deployed.  Please see section on scaling later.

net tunnels tunnel geneve-tunnel { if-index 208 local-address 10.252.20.12 profile geneve remote-address any } 

net self geneve-tunnel-ip { address 10.131.0.1/24 allow-service { none } traffic-group traffic-group-local-only vlan geneve-tunnel }

Returning Traffic into the Tunnel

If you have worked with AWS GWLB you are aware that it does not have an internal IP configuration object similar to how a GRE tunnel works. To make BIG-IP send any traffic back into the tunnel, we created a Self IP address on the tunnel interface and will create a pool member in the same subnet matching a fake ARP entry. These two constructs ensure that BIG-IP sends traffic back into the Geneve tunnel as expected. DO NOT PLACE A MONITOR ON THE POOL.

ltm pool gwlb-gateway-pool {
    members {
        10.131.0.2:any {
            address 10.131.0.2
        }
    }
}
net arp /Common/fake-arp { ip-address 10.131.0.2 mac-address ff:ff:ff:ff:ff:ff }

SSL Orchestrator and Tunnel Interfaces

The SSLO configuration wizard (v 9.1.70) does not allow the user to select a tunnel interface. To process traffic on the Geneve tunnel interface, we will need to edit the VLANs the virtual server is enabled on after we deploy our SSLO configurations; we will also need to disable strictness in our SSL policy. You will need to navigate to the virtual server that represents the configuration and update the incoming "VLAN Enabled ON" setting, adding the tunnel and removing the VLAN that you used in your config selection. You will need to repeat this across all the security chains that you create. Additionally, all the virtual servers should be set to source-port preserve strict, translate-address disabled, and translate-port disabled.

The SSL Orchestrator Wizard – Building our Topology.

When deploying our SSLO we will be using the L3 Transparent topology for all of our security chains, as we are inserting transparent security services between AWS Public IPs and AWS Elastic Load Balancers, Elastic IPs and instance interfaces, or between compute instances.

We will only need to create the services and service chains a single time. You can do this during the creation of the first topology or you can do it out of band and then refer to it during the wizard process. Below we have a screenshot of the first step to create or edit a topology. The key takeaways are that we are selecting L3 Inbound/Outbound (depending on the traffic flow) and that all topologies will select Gateway. Please familiarize yourself with the differences between inbound and outbound traffic on SSLO.

Digging Deeper - Interception Policies and Network Flow

F5 Virtual Servers allow you to configure source address, destination address, port and protocol to apply to virtual server matching. This will be critical in our SSLO GWLB deployment since the listening virtual servers are all on the same tunnel interface. In a physical deployment the different traffic patterns would commonly arrive on different VLANs that reflect the network topology. That is not the case with this deployment, so matching traffic characteristics is key to ensuring we select the correct interception rule. When we configure SSLO you are prompted for which IPs to match in the final step of creating your interception policy.

The table below provides an example of how we use the interception rules and thus virtual server matching to create the more specific objects (Source IP, Destination IP, Protocol, Port etc) to select the traffic. Please see  this KB for more details on virtual server matching.  In my topology I am using 10.0.0.0 address space in my AWS VPCs.

 

| Flow | Source Network Address | Destination Network Address | Port | Protocol |
|---|---|---|---|---|
| North/South | 0.0.0.0/0 | 0.0.0.0/0 | ANY | TCP |
| North/South | 0.0.0.0/0 | 0.0.0.0/0 | ANY | UDP |
| South/North | 10.0.0.0/8 | 0.0.0.0/0 | ANY | TCP |
| South/North | 10.0.0.0/8 | 0.0.0.0/0 | ANY | UDP |
| East/West | 10.0.0.0/8 | 10.0.0.0/8 | ANY | TCP |
| East/West | 10.0.0.0/8 | 10.0.0.0/8 | ANY | UDP |
| N/S, S/E, E/W Other | 0.0.0.0/0 | 0.0.0.0/0 | ANY | ANY |

Screenshot - interception rules

You will notice that there is only one interception rule for OTHER protocols, i.e. non-TCP/UDP. This allows protocols such as ICMP to pass, which would be required for PMTUD. The reason we only need a single chain for North/South, South/North and East/West is that (1) we are not actually inspecting these protocols and (2) the topology is the same in all flows.

Screen shot - associated servers

At this point it should be evident that network flow characteristics will map to an interception rule and a virtual server object.  This virtual server is the entry into the SSLO processing and service chains enabled on the tunnel interface.
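The mapping from flow characteristics to an interception rule can be checked offline before the rules are deployed. The following is an added example, not code from the original article or from F5. The rule names are labels made up here, and the precedence it models (most specific destination, then most specific source, then a protocol-specific rule over ANY) is a simplifying assumption to confirm against the virtual server matching KB referenced above.

```python
import ipaddress

# Interception rules from the article's table (port is ANY in every row).
# The rule names are labels made up for this example.
RULES = [
    ("north-south-tcp", "0.0.0.0/0", "0.0.0.0/0", "tcp"),
    ("north-south-udp", "0.0.0.0/0", "0.0.0.0/0", "udp"),
    ("south-north-tcp", "10.0.0.0/8", "0.0.0.0/0", "tcp"),
    ("south-north-udp", "10.0.0.0/8", "0.0.0.0/0", "udp"),
    ("east-west-tcp", "10.0.0.0/8", "10.0.0.0/8", "tcp"),
    ("east-west-udp", "10.0.0.0/8", "10.0.0.0/8", "udp"),
    ("other", "0.0.0.0/0", "0.0.0.0/0", "any"),
]


def select_rule(src, dst, proto, rules=RULES):
    """Return the name of the rule a flow lands on, or None if nothing matches.

    Assumed precedence: longest destination prefix, then longest source
    prefix, then a protocol-specific rule over a protocol-ANY rule.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    scored = []
    for name, rule_src, rule_dst, rule_proto in rules:
        src_net = ipaddress.ip_network(rule_src)
        dst_net = ipaddress.ip_network(rule_dst)
        if src_ip not in src_net or dst_ip not in dst_net:
            continue
        if rule_proto not in (proto, "any"):
            continue
        score = (dst_net.prefixlen, src_net.prefixlen, rule_proto != "any")
        scored.append((score, name))
    if not scored:
        return None
    best = max(score for score, _ in scored)
    winners = [name for score, name in scored if score == best]
    if len(winners) > 1:
        # Two rules with identical specificity: the listener choice is unclear.
        raise ValueError(f"ambiguous rules for {src} -> {dst}/{proto}: {winners}")
    return winners[0]


# Constructed sample flows (documentation and private addresses).
SAMPLE_FLOWS = [
    ("203.0.113.10", "10.1.2.3", "tcp"),    # internet client to an app in the VPC
    ("10.1.2.3", "198.51.100.7", "udp"),    # instance to an internet service
    ("10.1.2.3", "10.9.9.9", "tcp"),        # VPC to VPC
    ("10.1.2.3", "10.9.9.9", "icmp"),       # non-TCP/UDP, e.g. PMTUD messages
]


def classify(flows=SAMPLE_FLOWS, rules=RULES):
    """Map every sample flow to the rule it would select."""
    return {flow: select_rule(*flow, rules=rules) for flow in flows}


if __name__ == "__main__":
    for flow, rule in classify().items():
        print(flow, "->", rule)
```

Running the same flows against a rule list without the last row returns `None` for the ICMP flow, which is the case the single OTHER rule exists to cover.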

SSL Orchestrator Security Policy Strictness

We will need to apply manual edits to the virtual servers used to process traffic and the gateway pool (Geneve tunnel) that is used to force traffic back into the tunnel. Prior to making these changes we will need to ensure that all of the inspection policies are "unlocked". This is because we need to edit the virtual servers that were created, both for port preservation and for which interface they are enabled on.

Conclusion

Join me this afternoon and we will dive deeper into the AWS components required to make this work, how all the pieces of this puzzle fit together allowing traffic to flow and a discussion around scaling and resiliency.

Published Apr 04, 2023
Version 1.0

age","type":"GROUP_HUB","urlPath":"/group/:groupHubId/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745595724052,"localOverride":null,"page":{"id":"HowDoI","type":"COMMUNITY","urlPath":"/c/how-do-i","__typename":"PageDescriptor"},"__typename":"PageResource"}],"localOverride":false},"CachedAsset:text:en_US-components/context/AppContext/AppContextProvider-0":{"__typename":"CachedAsset","id":"text:en_US-components/context/AppContext/AppContextProvider-0","value":{"noCommunity":"Cannot find community","noUser":"Cannot find current user","noNode":"Cannot find node with id {nodeId}","noMessage":"Cannot find message with id {messageId}","userBanned":"We're sorry, but you have been banned from using this site.","userBannedReason":"You have been banned for the following reason: {reason}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/Loading/LoadingDot-0":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-0","value":{"title":"Loading..."},"localOverride":false},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/cmstMjgtQ3U0RXo2\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/cmstMjgtQ3U0RXo2","height":0,"width":0,"mimeType":"image/svg+xml"},"Rank:rank:28":{"__typename":"Rank","id":"rank:28","position":5,"name":"Employee","color":"C20025","icon":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/cmstMjgtQ3U0RXo2\"}"},"rankStyle":"OUTLINE"},"User:user:215984":{"__typename":"User","id":"user:215984","uid":215984,"login":"Heath_Parrott","deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://community.f5.com/t5/s/zihoc95639/images/dS0yMTU5ODQtMjA5NTdpRkU1NkVFOUZDRDE4RTAyQw"},"rank":{"__ref":"Rank:rank:28"},"email":"","messagesCount":54,"biography":null,"topicsCount":20,"kudosReceivedCount":57,"kudosGivenCount":10,"kudosWeight":1,"registratio
nData":{"__typename":"RegistrationData","status":null,"registrationTime":"2019-07-22T07:10:23.000-07:00","confirmEmailStatus":null},"followersCount":null,"solutionsCount":4},"Category:category:Articles":{"__typename":"Category","id":"category:Articles","entityType":"CATEGORY","displayId":"Articles","nodeType":"category","depth":1,"title":"Articles","shortTitle":"Articles","parent":{"__ref":"Category:category:top"},"categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:top":{"__typename":"Category","id":"category:top","entityType":"CATEGORY","displayId":"top","nodeType":"category","depth":0,"title":"Top","shortTitle":"Top"},"Tkb:board:TechnicalArticles":{"__typename":"Tkb","id":"board:TechnicalArticles","entityType":"TKB","displayId":"TechnicalArticles","nodeType":"board","depth":2,"conversationStyle":"TKB","repliesProperties":{"__typename":"RepliesProperties","sortOrder":"PUBLISH_TIME","repliesFormat":"threaded"},"tagProperties":{"__typename":"TagNodeProperties","tagsEnabled":{"__typename":"PolicyResult","failureReason":null}},"requireTags":true,"tagType":"FREEFORM_AND_PRESET","description":"F5 SMEs share good practice.","title":"Technical Articles","shortTitle":"Technical 
Articles","parent":{"__ref":"Category:category:Articles"},"ancestors":{"__typename":"CoreNodeConnection","edges":[{"__typename":"CoreNodeEdge","node":{"__ref":"Community:community:zihoc95639"}},{"__typename":"CoreNodeEdge","node":{"__ref":"Category:category:Articles"}}]},"userContext":{"__typename":"NodeUserContext","canAddAttachments":false,"canUpdateNode":false,"canPostMessages":false,"isSubscribed":false},"theme":{"__ref":"Theme:customTheme1"},"boardPolicies":{"__typename":"BoardPolicies","canViewSpamDashBoard":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.feature.moderation_spam.action.access_spam_quarantine.allowed.accessDenied","key":"error.lithium.policies.feature.moderation_spam.action.access_spam_quarantine.allowed.accessDenied","args":[]}},"canArchiveMessage":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.content_archivals.enable_content_archival_settings.accessDenied","key":"error.lithium.policies.content_archivals.enable_content_archival_settings.accessDenied","args":[]}},"canPublishArticleOnCreate":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.forums.policy_can_publish_on_create_workflow_action.accessDenied","key":"error.lithium.policies.forums.policy_can_publish_on_create_workflow_action.accessDenied","args":[]}},"canReadNode":{"__typename":"PolicyResult","failureReason":null}},"isManualSortOrderAvailable":false,"tkbPolicies":{"__typename":"TkbPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"eventPath":"category:Articles/community:zihoc95639board:TechnicalArticles/"},"TkbTopicMessage:message:307459":{"__typename":"TkbTopicMessage","uid":307459,"subject":"Increase Security in AWS without Rearchitecting your Applications - Part 2: Wednesday 
Morning","id":"message:307459","revisionNum":28,"repliesCount":1,"author":{"__ref":"User:user:215984"},"depth":0,"hasGivenKudo":false,"helpful":null,"board":{"__ref":"Tkb:board:TechnicalArticles"},"conversation":{"__ref":"Conversation:conversation:307459"},"messagePolicies":{"__typename":"MessagePolicies","canPublishArticleOnEdit":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.forums.policy_can_publish_on_edit_workflow_action.accessDenied","key":"error.lithium.policies.forums.policy_can_publish_on_edit_workflow_action.accessDenied","args":[]}},"canModerateSpamMessage":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.feature.moderation_spam.action.moderate_entity.allowed.accessDenied","key":"error.lithium.policies.feature.moderation_spam.action.moderate_entity.allowed.accessDenied","args":[]}}},"contentWorkflow":{"__typename":"ContentWorkflow","state":"PUBLISH","scheduledPublishTime":null,"scheduledTimezone":null,"userContext":{"__typename":"MessageWorkflowContext","canSubmitForReview":null,"canEdit":false,"canRecall":null,"canSubmitForPublication":null,"canReturnToAuthor":null,"canPublish":null,"canReturnToReview":null,"canSchedule":false},"shortScheduledTimezone":null},"readOnly":false,"editFrozen":false,"moderationData":{"__ref":"ModerationData:moderation_data:307459"},"teaser":"

It is a random Tuesday, and your boss just left an urgent meeting with the executives. The board has become concerned about the security of your IT infrastructure. Several companies in your segment have recently suffered security breaches that made front page news, and management is being pressed on the steps they are taking to secure the application infrastructure. Lucky you, it is now your task to fix it (somewhere in all those courses on networking it was never stated that Network Engineering is the team every company turns to when there is a problem and nobody else can help...). Your company is a maze of VPCs, route tables, Transit Gateways, Transit VPCs, Internet Gateways, Direct Connects, VPNs, multiple accounts, and traffic flowing in every direction; no one seems to know what is talking to what, why, or what information is being shared. Your boss simply says that a solution needs to be found. Fast. This is the second installment in a four-part series in which we will cover the architecture options, examine the deployment process, discuss scale, and investigate resiliency and troubleshooting commands.


Integrating SSL Orchestrator and AWS Gateway Load Balancer

AWS GWLB allows you to use routing constructs to insert security appliances into a VPC routing table. These appliances reside in their own security VPC and provide services to other VPCs. By using GWLB we gain horizontal scale, abstraction, and the ability to run the security stack as a service while protecting cloud native services such as Elastic Load Balancers, Elastic IPs, instances and Kubernetes clusters. Consider the responsibilities that platform/network engineering has, for example providing a secure platform to release applications onto: GWLB makes it possible to meet the requirements for securing the infrastructure platform without interfering in how the developers deploy an application. When you combine SSLO traffic classification capabilities with AWS GWLB, you can selectively enable WAFs, NGFWs, DLP, IPS or other security services for north/south, south/north and east/west traffic in the environment.

The Security VPC – Where SSL Orchestrator and the Security Services Reside

The security VPC does not need direct peering with any of the protected Application VPCs. This security VPC should be isolated because our previously encrypted traffic will not be encrypted here. The security VPC will need a subnet to handle management interfaces, 2 subnets per AZ and per service type, and 1 subnet per AZ for the Geneve/load balancing function. Sometimes VMs require outbound connectivity for CFTs or API actions to complete. In this scenario you may require a NAT gateway, or you can host those objects in an S3 bucket that you access via a VPC endpoint to minimize risk in the environment.

You may have unique, different or additional internet access concerns that need to be considered while accounting for the risk that traffic is unencrypted in the security VPC.

On my system I have a default route out of the geneve-tunnel VLAN (interface eth1) allowing access to AWS endpoints deployed into my VPC and a NAT gateway. I have also used VLAN naming to make it easier.

Security Group Rules for SSL Orchestrator and Inspection Instances

When deploying in AWS we will create an array of security groups and set network interface behavior (SRC/DST check) to ensure that we can process traffic. Please note that the security VPC does not require inbound access from the internet.

| Device | Interface Function | SRC / DST Check State | Security Group Rules |
| --- | --- | --- | --- |
| SSLO | Management | True | Approved ranges, normally 10.x, 172.x, 192.168.x |
| SSLO | Tunnel Endpoints | True | ENI subnets for GWLB - VPC address space normally 10.x, 172.x, 192.168.x |
| SSLO | Ingress / Egress for service chain | False | 0.0.0.0/0 or broad network access. |
| SSLO | Inside Tunnel | N/A | Not managed by AWS SG – broad network access such as 0.0.0.0/0 if applying AFM. |
| Inspection Device | Management | True | Approved ranges, normally 10.x, 172.x, 192.168.x |
| Inspection Device | Ingress / Egress for service chain | False | 0.0.0.0/0 or broad network access. |
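The table above can be turned into an automated check. The following is an added example, not code from the original article or from F5: it audits network interface records shaped like the output of the EC2 `describe-network-interfaces` and `describe-security-groups` calls against the SRC/DST check and security group expectations in the table. The `Function` tag, the ENI and group IDs, the sample records, and the use of the RFC 1918 blocks as the "approved ranges" are all assumptions made for the example.

```python
import ipaddress

# Assumption: "approved ranges" are modelled as the RFC 1918 private blocks.
PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Expected state per interface function, taken from the table above.
# The keys are values of a hypothetical "Function" tag placed on each ENI.
EXPECTED = {
    "management":    {"source_dest_check": True,  "private_only": True},
    "tunnel":        {"source_dest_check": True,  "private_only": True},
    "service-chain": {"source_dest_check": False, "private_only": False},
}


def is_private(cidr):
    """True if the IPv4 CIDR lies entirely inside one of the private blocks."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(block) for block in PRIVATE_BLOCKS)


def audit(enis, security_groups):
    """Return (eni_id, finding, detail) tuples for every deviation from EXPECTED."""
    rules = {g["GroupId"]: g.get("IpPermissions", []) for g in security_groups}
    findings = []
    for eni in enis:
        eni_id = eni["NetworkInterfaceId"]
        tags = {t["Key"]: t["Value"] for t in eni.get("TagSet", [])}
        policy = EXPECTED.get(tags.get("Function"))
        if policy is None:
            # Without a known function the interface cannot be compared to the table.
            findings.append((eni_id, "unknown-function", tags.get("Function")))
            continue
        if eni["SourceDestCheck"] != policy["source_dest_check"]:
            findings.append((eni_id, "src-dst-check", eni["SourceDestCheck"]))
        if not policy["private_only"]:
            continue  # service-chain interfaces may carry broad rules
        for group in eni.get("Groups", []):
            for perm in rules.get(group["GroupId"], []):
                for rng in perm.get("IpRanges", []):
                    if not is_private(rng["CidrIp"]):
                        findings.append((eni_id, "public-ingress", rng["CidrIp"]))
    return findings


def _perm(proto, cidr):
    return {"IpProtocol": proto, "IpRanges": [{"CidrIp": cidr}]}


def _eni(eni_id, function, source_dest_check, group_id):
    tags = [{"Key": "Function", "Value": function}] if function else []
    return {"NetworkInterfaceId": eni_id, "SourceDestCheck": source_dest_check,
            "Groups": [{"GroupId": group_id}], "TagSet": tags}


# Constructed sample data (not taken from a real account).
SAMPLE_GROUPS = [
    {"GroupId": "sg-mgmt",      "IpPermissions": [_perm("tcp", "10.20.0.0/16")]},
    {"GroupId": "sg-tunnel",    "IpPermissions": [_perm("udp", "10.252.20.0/24")]},
    {"GroupId": "sg-chain",     "IpPermissions": [_perm("-1", "0.0.0.0/0")]},
    {"GroupId": "sg-mgmt-open", "IpPermissions": [_perm("tcp", "0.0.0.0/0")]},
]
SAMPLE_ENIS = [
    _eni("eni-a", "management", True, "sg-mgmt"),
    _eni("eni-b", "tunnel", True, "sg-tunnel"),
    _eni("eni-c", "service-chain", False, "sg-chain"),
    _eni("eni-d", "service-chain", True, "sg-chain"),    # check left enabled
    _eni("eni-e", "management", True, "sg-mgmt-open"),   # management open to the internet
    _eni("eni-f", None, True, "sg-mgmt"),                # missing Function tag
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ENIS, SAMPLE_GROUPS):
        print(finding)
```

A service-chain interface with the check left enabled is an availability problem (the instance cannot forward traffic that is not addressed to it), while a management or tunnel interface reachable from 0.0.0.0/0 contradicts the requirement that the security VPC needs no inbound internet access.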

Security VPC Traffic Flow

In the security VPC the GWLB Endpoint uses AWS PrivateLink to steer traffic from one or more application VPCs, and GWLB load balances the traffic across an array of SSLO systems using the Geneve protocol. Traffic is then moved across the security services in the configured order. Finally, traffic is returned to the GWLB Endpoint and placed back in the protected VPC route table.

Single Service in SSL Orchestrator Security Chain

Two Services in SSL Orchestrator Security Chain

Configuring BIG-IP for GWLB

Prior to setting up SSLO we will need to configure BIG-IP to support a Geneve tunnel to use with GWLB, a monitoring virtual server and IPs to use "inside" the tunnel. Yossi covered this in his article, but it bears repeating since it is critical.

Tunnel Configuration

We will use a basic Geneve tunnel configuration based on the Geneve profile. Geneve uses UDP 6081 as its transport protocol. In my lab the Geneve tunnel interface is enabled on the Eth1 interface, which is in the same subnet as the GWLB ENIs. The configuration below can be repeated on any or all SSL Orchestrator instances deployed. Please see the section on scaling later.

    net tunnels tunnel geneve-tunnel { if-index 208 local-address 10.252.20.12 profile geneve remote-address any }

    net self geneve-tunnel-ip { address 10.131.0.1/24 allow-service { none } traffic-group traffic-group-local-only vlan geneve-tunnel }

Returning Traffic into the Tunnel

If you have worked with AWS GWLB you are aware that it does not have an internal IP configuration object similar to how a GRE tunnel works. To make BIG-IP send any traffic back into the tunnel we created a Self IP address on the tunnel interface and will create a pool member in the same subnet matching a fake ARP entry. These two constructs ensure that traffic sent back into the Geneve tunnel is forwarded as expected. DO NOT PLACE A MONITOR ON THE POOL.

    ltm pool gwlb-gateway-pool {
        members {
            10.131.0.2:any {
                address 10.131.0.2
            }
        }
    }
    net arp /Common/fake-arp { ip-address 10.131.0.2 mac-address ff:ff:ff:ff:ff:ff }

SSL Orchestrator and Tunnel Interfaces

The SSLO configuration wizard (v 9.1.70) does not allow the user to select a tunnel interface. To process traffic on the Geneve tunnel interface we will need to edit the VLANs that the virtual server is enabled on after we deploy our SSLO configurations; we will also need to disable strictness in our SSL policy. You will need to navigate to the virtual server that represents the configuration and update the incoming "VLAN Enabled ON" setting, adding the tunnel and removing the VLAN that you used in your config selection. You will need to repeat this across all the security chains that you create. Additionally, all the virtual servers should be set to source-port preserve strict, translate-address disabled, and translate-port disabled.

The SSL Orchestrator Wizard – Building our Topology.

When deploying our SSLO we will be using the L3 Transparent topology for all of our security chains, as we are inserting transparent security services between AWS Public IPs and AWS Elastic Load Balancers, Elastic IPs and instance interfaces, or between compute instances.

We will only need to create the services and service chains a single time. You can do this during the creation of the first topology, or you can do it out of band and then refer to it during the wizard process. Below we have a screen shot of the first step to create or edit a topology. The key takeaways are that we are selecting L3 Inbound/Outbound (depending on which traffic flow) and that all topologies will select Gateway. Please familiarize yourself with the differences between inbound and outbound traffic on SSLO.

Digging Deeper - Interception Policies and Network Flow

F5 Virtual Servers allow you to configure source address, destination address, port and protocol to apply to virtual server matching. This will be critical in our SSLO GWLB deployment since the listening virtual servers are all on the same tunnel interface. In a physical deployment the different traffic patterns would commonly arrive on different VLANs that reflect the network topology. That is not the case with this deployment, so matching traffic characteristics is key to ensuring we select the correct interception rule. When we configure SSLO you are prompted for which IPs to match in the final step of creating your interception policy.

The table below provides an example of how we use the interception rules, and thus virtual server matching, to create the more specific objects (Source IP, Destination IP, Protocol, Port etc.) to select the traffic. Please see this KB for more details on virtual server matching. In my topology I am using the 10.0.0.0 address space in my AWS VPCs.

| Flow | Source Network Address | Destination Network Address | Port | Protocol |
| --- | --- | --- | --- | --- |
| North/South | 0.0.0.0/0 | 0.0.0.0/0 | ANY | TCP |
| North/South | 0.0.0.0/0 | 0.0.0.0/0 | ANY | UDP |
| South/North | 10.0.0.0/8 | 0.0.0.0/0 | ANY | TCP |
| South/North | 10.0.0.0/8 | 0.0.0.0/0 | ANY | UDP |
| East/West | 10.0.0.0/8 | 10.0.0.0/8 | ANY | TCP |
| East/West | 10.0.0.0/8 | 10.0.0.0/8 | ANY | UDP |
| N/S, S/E, E/W Other | 0.0.0.0/0 | 0.0.0.0/0 | ANY | ANY |

Screen shot - interception rules

You will notice that there is only one interception rule for OTHER protocols, i.e. non-TCP/UDP. This allows protocols such as ICMP to pass, which is required for PMTUD. We only need a single chain for North/South, South/North and East/West for two reasons: 1. we are not actually inspecting these protocols, and 2. the topology is the same in all flows.

Screen shot - associated servers

At this point it should be evident that network flow characteristics will map to an interception rule and a virtual server object. This virtual server is the entry into the SSLO processing and service chains enabled on the tunnel interface.
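To make the mapping from flow characteristics to interception rule concrete, here is an added example (not part of the original article and not F5 code) that models the seven rows of the interception-rule table and picks the rule a given flow would land on. The selection order used, longest destination prefix, then longest source prefix, then a protocol-specific rule over an ANY rule, is a simplified model of BIG-IP virtual server matching and is an assumption of this sketch; the rule names and sample addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class InterceptionRule:
    name: str
    source: str        # source network in CIDR form
    destination: str   # destination network in CIDR form
    protocol: str      # "TCP", "UDP" or "ANY"


# Rows of the interception-rule table above (Port is ANY in every row).
# "Other" stands for the table's "N/S, S/E, E/W Other" row.
RULES = [
    InterceptionRule("North/South TCP", "0.0.0.0/0", "0.0.0.0/0", "TCP"),
    InterceptionRule("North/South UDP", "0.0.0.0/0", "0.0.0.0/0", "UDP"),
    InterceptionRule("South/North TCP", "10.0.0.0/8", "0.0.0.0/0", "TCP"),
    InterceptionRule("South/North UDP", "10.0.0.0/8", "0.0.0.0/0", "UDP"),
    InterceptionRule("East/West TCP", "10.0.0.0/8", "10.0.0.0/8", "TCP"),
    InterceptionRule("East/West UDP", "10.0.0.0/8", "10.0.0.0/8", "UDP"),
    InterceptionRule("Other", "0.0.0.0/0", "0.0.0.0/0", "ANY"),
]


def select_rule(src, dst, protocol, rules=RULES):
    """Return the most specific rule matching the flow, or None if none match.

    Simplified model (assumption): prefer the longest destination prefix,
    then the longest source prefix, then a protocol-specific rule over ANY.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    proto = protocol.upper()
    best_key, best_rule = None, None
    for rule in rules:
        src_net = ipaddress.ip_network(rule.source)
        dst_net = ipaddress.ip_network(rule.destination)
        if src_ip not in src_net or dst_ip not in dst_net:
            continue
        if rule.protocol not in ("ANY", proto):
            continue
        key = (dst_net.prefixlen, src_net.prefixlen, rule.protocol != "ANY")
        if best_key is None or key > best_key:
            best_key, best_rule = key, rule
    return best_rule


def find_duplicates(rules=RULES):
    """Return pairs of rule names with an identical match tuple.

    All listeners share the tunnel interface, so two rules with the same
    source, destination and protocol cannot be told apart by VLAN.
    """
    seen, duplicates = {}, []
    for rule in rules:
        match = (ipaddress.ip_network(rule.source),
                 ipaddress.ip_network(rule.destination),
                 rule.protocol)
        if match in seen:
            duplicates.append((seen[match], rule.name))
        else:
            seen[match] = rule.name
    return duplicates


if __name__ == "__main__":
    # Constructed sample flows: (source, destination, protocol).
    flows = [
        ("203.0.113.10", "10.1.2.3", "TCP"),    # internet to VPC
        ("10.1.2.3", "198.51.100.7", "UDP"),    # VPC to internet
        ("10.1.2.3", "10.9.8.7", "TCP"),        # VPC to VPC
        ("10.1.2.3", "10.9.8.7", "ICMP"),       # non TCP/UDP, e.g. PMTUD
    ]
    for src, dst, proto in flows:
        print(f"{src} -> {dst} {proto}: {select_rule(src, dst, proto).name}")
    print("duplicate match tuples:", find_duplicates())
```

Running `find_duplicates` over a planned rule set before deploying it is a quick way to confirm that each flow type resolves to exactly one service chain.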

SSL Orchestrator Security Policy Strictness

We will need to apply manual edits to the virtual servers used to process traffic and to the gateway pool (Geneve tunnel) that is used to force traffic back into the tunnel. Prior to making these changes we will need to ensure that all of the inspection policies are "unlocked". This is because we need to edit the virtual servers created for port preservation and which interface they are enabled on.

Conclusion

Join me this afternoon and we will dive deeper into the AWS components required to make this work, how all the pieces of this puzzle fit together allowing traffic to flow, and a discussion around scaling and resiliency.
","body@stringLength":"25186","rawBody":"
\n

Welcome back! Yesterday we evaluated what options we have that will increase network and application security in AWS.  Today we will dive in and evaluate the architecture in greater detail.  This morning we will focus on the F5 components in the solution and this afternoon we will dive into the AWS components.  

\n

Yesterday we landed on the following high level architecture to address the security concerns raised by the board. 

\n
\n

Background and Assumptions           

\n

The rest of this article requires background knowledge here are the general assumptions:

\n\n

To get more understanding of a F5 BIG-IP deployment with AWS Gateway Load balancer please review the topic my colleague    presented. For further understanding of SSLO please see f5 clouddocs. Kevin Stewart and Kevin Gallaugher have published many articles.

\n

We will begin with a brief discussion of SSLO, followed by how it interoperates with AWS Gateway Load Balancer.  After that we will dive into how to build the solution. 

\n

A Brief Discussion of Forwarding in the BIG-IP SSL Orchestrator Service Insertion

\n

SSLO uses BIG-IP's advanced traffic management capabilities to create polices steering different traffic through different security policies and security service chains. Our capabilities to build dynamic service chains precludes the need to build static daisy chain of security devices. For example, SSLO can be used to configured different security chains for internet in traffic (ingress/north to south), internal to internet (egress/south to north), and internal to internal (east to west) via the same GWLB Endpoint (GWLBE) in AWS. This capability  simplifies route table constructs across the environment while increasing visibility and security.

\n

Conceptual Diagram of SSL Orchestrator and Service Chains

\n\n

Integrating SSL Orchestrator and AWS Gateway Load Balancer

\n

AWS GWLB allows you to use routing constructs to insert security appliances into a VPC routing table. These appliances reside in their own security VPC and provide services to other VPCs. By using GWLB we will leverage horizontal scale, abstraction, and the ability to run the security stack as a service while protecting cloud native services such as Elastic Load Balancers, Elastic IPs, instances and Kubernetes clusters. If we think of the responsibilities that platform/network engineering has, for example, providing a secure platform to release applications on to, GWLB enables meeting the requirements of securing the infrastructure platform without having interference in how the developers deploy an application.  When you combine SSLO traffic classification capabilities with AWS GWLB we can selectively enable WAFs, NGFWs, DLP, IPS or other security services for north/south, south/north and east/west traffic in the environment. 

\n

The Security VPC – Where SSL Orchestrator and the Security Services Reside

\n

The security VPC does not need direct peering with any of the protected Application VPCs. This security VPC should be isolated because our previously encrypted traffic will not be encrypted here. The security VPC will need a subnet to handle management interfaces, 2 subnets per AZ and per service type, 1 subnet per AZ for the Geneve/Load balancing function. Sometimes VMs require outbound connectivity for CFTs or API actions to complete.  In this scenario you may require a NAT gateway or leverage hosting those objects on an S3 bucket that you can access via a VPC endpoint to minimize risk in the environment. 

\n

You may have unique, different or additional internet access concerns that need to be considered while accounting for the risk that traffic is unencrypted in security VPC.

\n
\n

On my system I have a default route out of the geneve-tunnel VLAN (interface eth1) allowing access AWS to endpoints deployed into my VPC and a NAT gateway.  I have also used VLAN naming to make it easier.

\n

\n

\n

Security Group Rules for SSL Orchestrator and Inspection Instances

\n

When deploying in AWS we will create an array of security groups and network interface behavior (SRC/DST check) to ensure that we can process traffic. Please note that the security VPC does not require inbound access from the internet.

\n

 

\n
\n
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\n

Device

\n
\n

Interface Function

\n
\n

SRC / DST Check State

\n
\n

Security Group Rules

\n
\n

SSLO

\n
\n

Management

\n
\n

True

\n
\n

Approved ranges, normally 10.x, 172.x, 192.168.x

\n
\n

SSLO

\n
\n

Tunnel Endpoints

\n
\n

True

\n
\n

ENI subnets for GWLB - VPC address space normally 10.x, 172.x, 192.168.x

\n
\n

SSLO

\n
\n

Ingress / Egress for service chain

\n
\n

False

\n
\n

0.0.0.0/0 or broad network access.

\n
\n

SSLO

\n
\n

Inside Tunnel

\n
\n

N/A

\n
\n

Not managed by AWS SG – broad network access such as 0.0.0.0/0 if applying AFM.

\n
\n

Inspection Device

\n
\n

Management

\n
\n

True

\n
\n

Approved ranges, normally 10.x, 172.x, 192.168.x

\n
\n

Inspection Device

\n
\n

Ingress / Egress for service chain

\n
\n

False

\n
\n

0.0.0.0/0 or broad network access.

\n
\n
\n

Security VPC Traffic Flow 

\n

In the security VPC the GWLB Endpoint uses AWS private link to steer traffic from one or more application VPCs, and load balances the traffic across an array of SSLO systems using the Geneve protocol. Traffic is then moved across the security services in the configured ordered. Traffic is then returned to the GWLB Endpoint and placed back in the protected VPC route table

\n

\n

Single Service in SSL Orchestrator Security Chain

\n\n

Two Services in SSL Orchestrator Security Chain 

\n\n

Configuring BIG-IP for GWLB

\n

Prior to setting up SSLO we will need to configure BIG-IP to support a Geneve tunnel to use with GWLB, a monitoring virtual server and IPs to use \"inside\" the tunnel.  Yossi covered this in his article, but it bears repeating since it is critical.

\n

Tunnel Configuration

\n

We will use a basic Geneve tunnel configuration based on the Geneve profile. Geneve uses UDP 6081 as its transport protocol.  In my lab the GENEVE tunnel interface is enabled on the Eth1 interface which is in the same subnet as the GWLB ENIs.  The configuration below can be repeated on any/all SSL Orchestrator deployed.  Please see section on scaling later.

\nnet tunnels tunnel geneve-tunnel { if-index 208 local-address 10.252.20.12 profile geneve remote-address any } \n\nnet self geneve-tunnel-ip { address 10.131.0.1/24 allow-service { none } traffic-group traffic-group-local-only vlan geneve-tunnel }\n

\n

\n

Returning Traffic into the Tunnel

\n

If you have worked with AWS GWLB you are aware that it does not have an internal IP configuration object similar to how a GRE tunnel works. To make BIG-IP send any traffic back into the tunnel we created a Self IP address on the tunnel interface and will create a pool member in the same subnet matching a fake_arp_entry. These two constructs will ensure that we can use GENEVE tunnel will do so as expected. DO NOT PLACE A MONITOR ON THE POOL. 

\nltm pool gwlb-gateway-pool {\n members {\n 10.131.0.2:any {\n address 10.131.0.2\n }\n }\n}\nnet arp /Common/fake-arp { ip-address 10.131.0.2 mac-address ff:ff:ff:ff:ff:ff }\n

SSL Orchestrator and Tunnel Interfaces

\n

The SSLO configuration wizard (v 9.1.70) does not allow the user to select a tunnel interface to be selected. To enable us to process traffic on the Geneve tunnel interface we will need to edit the virtual server enabled on VLANs after we deploy our SSLO configurations, we will also need to disable strictness in our SSL policy.  You will need to navigate to the virtual server that represents the configuration and update the incoming \"VLAN Enabled ON\" setting adding the tunnel and removing the VLAN that you used in your config selection. You will need to repeat this across all the security chains that you create.  Additionally, all the virtual servers should be set to source-port preserve strict, translate-address disabled, and translate-port disabled.

\n

\n

The SSL Orchestrator Wizard – Building our Topology.

\n

When deploying our SSLO we will be using the L3 Transparent topology, for all of our security chains as we are inserting transparent security services between AWS Public IPs and AWS Elastic Load Balancers, Elastic IPs and instance interfaces or between compute instances.

\n

We will only need to create the services and service chains a single time. You can do this during the creation of the first topology our you can do it out of band and then refer to it during the wizard process. Below we have a screen shot of the first step to create or edit a topology.  The key take ways are we are selecting L3 Inbound/Outbound (depending on which traffic flow).   All topologies will select Gateway.  Please familiarize yourself with the differences between inbound and outboud traffic on SSLO. 

\n

\n

Digging Deeper - Interception Polices and Network Flow

\n

F5 Virtual Servers allow you to configure source address, destination address, port and protocol to apply to virtual server matching. This will be critical in our SSLO GWLB deployment since the listening virtual servers are all on the same tunnel interface.  In a physical deployment the different traffic patterns would commonly arrive on different VLANs that reflected the network topology, not so with this deployment so matching traffic characteristics is key to ensure we select the correct interception rule.  When we configure SSLO you are prompted for which IPs to match in the final step of creating your interception policy.  

The table below provides an example of how we use the interception rules and thus virtual server matching to create the more specific objects (Source IP, Destination IP, Protocol, Port etc) to select the traffic. Please see  this KB for more details on virtual server matching.  In my topology I am using 10.0.0.0 address space in my AWS VPCs.

| Flow | Source Network Address | Destination Network Address | Port | Protocol |
|---|---|---|---|---|
| North/South | 0.0.0.0/0 | 0.0.0.0/0 | ANY | TCP |
| North/South | 0.0.0.0/0 | 0.0.0.0/0 | ANY | UDP |
| South/North | 10.0.0.0/8 | 0.0.0.0/0 | ANY | TCP |
| South/North | 10.0.0.0/8 | 0.0.0.0/0 | ANY | UDP |
| East/West | 10.0.0.0/8 | 10.0.0.0/8 | ANY | TCP |
| East/West | 10.0.0.0/8 | 10.0.0.0/8 | ANY | UDP |
| N/S, S/N, E/W Other | 0.0.0.0/0 | 0.0.0.0/0 | ANY | ANY |

Screen shot - interception rules

You will notice that there is only one interception rule for OTHER protocols, i.e. non-TCP/UDP. This allows protocols such as ICMP to pass, which is required for PMTUD. We only need a single chain for North/South, South/North and East/West because (1) we are not actually inspecting these protocols and (2) the topology is the same in all flows.

Screen shot - associated servers


At this point it should be evident that network flow characteristics will map to an interception rule and a virtual server object.  This virtual server is the entry into the SSLO processing and service chains enabled on the tunnel interface.
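
The mapping from flow to interception rule can be checked offline before editing the virtual servers. The Python sketch below is an added example, not F5 code or part of the original article: it models the seven interception rules from the table and picks a winner with a simplified precedence (most specific destination, then source, then port, then protocol), which is an assumption standing in for BIG-IP's real virtual server matching. The sample flows and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY = "ANY"


@dataclass(frozen=True)
class Rule:
    flow: str
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    port: str       # "ANY" or a port number written as a string
    protocol: str   # "TCP", "UDP" or "ANY"


def make_rule(flow, source, destination, port, protocol):
    return Rule(flow, ipaddress.ip_network(source),
                ipaddress.ip_network(destination), port, protocol)


# The seven interception rules from the article's table
# (10.0.0.0/8 is the author's VPC address space).
RULES = [
    make_rule("North/South", "0.0.0.0/0", "0.0.0.0/0", ANY, "TCP"),
    make_rule("North/South", "0.0.0.0/0", "0.0.0.0/0", ANY, "UDP"),
    make_rule("South/North", "10.0.0.0/8", "0.0.0.0/0", ANY, "TCP"),
    make_rule("South/North", "10.0.0.0/8", "0.0.0.0/0", ANY, "UDP"),
    make_rule("East/West", "10.0.0.0/8", "10.0.0.0/8", ANY, "TCP"),
    make_rule("East/West", "10.0.0.0/8", "10.0.0.0/8", ANY, "UDP"),
    make_rule("Other", "0.0.0.0/0", "0.0.0.0/0", ANY, ANY),
]


def matches(rule, src, dst, protocol, port):
    """True when the flow falls inside every field of the rule."""
    return (ipaddress.ip_address(src) in rule.source
            and ipaddress.ip_address(dst) in rule.destination
            and rule.protocol in (ANY, protocol)
            and rule.port in (ANY, str(port)))


def specificity(rule):
    # Assumed precedence (simplified model, not F5's implementation):
    # longest destination prefix, then longest source prefix,
    # then a specific port, then a specific protocol.
    return (rule.destination.prefixlen, rule.source.prefixlen,
            rule.port != ANY, rule.protocol != ANY)


def select_rule(src, dst, protocol, port=None, rules=RULES):
    """Return the most specific matching rule, or None if nothing matches."""
    candidates = [r for r in rules if matches(r, src, dst, protocol, port)]
    return max(candidates, key=specificity) if candidates else None


# Constructed sample flows: (source, destination, protocol, port).
SAMPLE_FLOWS = [
    ("198.51.100.7", "10.0.1.20", "TCP", 443),    # internet -> VPC
    ("10.0.1.20", "203.0.113.10", "TCP", 443),    # VPC -> internet
    ("10.0.1.20", "10.0.2.30", "UDP", 53),        # VPC -> VPC
    ("10.0.1.20", "10.0.2.30", "ICMP", None),     # non-TCP/UDP
]


def classify(flows, rules=RULES):
    """Return the name of the selected rule for each flow (None = no match)."""
    selected = []
    for src, dst, protocol, port in flows:
        rule = select_rule(src, dst, protocol, port, rules)
        selected.append(rule.flow if rule else None)
    return selected


if __name__ == "__main__":
    for flow, name in zip(SAMPLE_FLOWS, classify(SAMPLE_FLOWS)):
        print(flow, "->", name)
    # Failure mode: with the East/West rules missing, internal-to-internal
    # traffic is picked up by the South/North rule instead.
    without_ew = [r for r in RULES if r.flow != "East/West"]
    print(classify(SAMPLE_FLOWS, without_ew))
```

Removing the East/West rules from the list shows internal-to-internal traffic falling through to the South/North rule, which is the mis-selection the source and destination matching exists to prevent.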

SSL Orchestrator Security Policy Strictness

We will need to apply manual edits to the virtual servers used to process traffic and to the gateway pool (Geneve Tunnel) that is used to force traffic back into the tunnel. Prior to making these changes we will need to ensure that all of the inspection policies are "unlocked". This is because we need to edit the virtual servers that SSLO created, both for port preservation and for the interface they are enabled on.


Conclusion

Join me this afternoon, when we will dive deeper into the AWS components required to make this work, look at how all the pieces of this puzzle fit together to allow traffic to flow, and discuss scaling and resiliency.

It is a random Tuesday, and your boss just left an urgent meeting with the executives. The board has become concerned about the security of your IT infrastructure. Several companies in your segment have recently suffered security breaches making front-page news, and management is being pressed on the steps they are taking to secure the application infrastructure. Lucky you, it is now your task to fix it (somewhere in all those courses on networking it was never stated that Network Engineering is the team every company turns to when there is a problem and nobody else can help...). Your company is a maze of VPCs, route tables, Transit Gateways, Transit VPCs, Internet Gateways, Direct Connects, VPNs and multiple accounts, with traffic flowing in so many directions that no one seems to know what is talking to what, why, or what information they are sharing. Your boss simply says that a solution needs to be found. Fast. This is the second installment in a four-part series in which we will cover the architecture options, examine the deployment process, discuss scale, investigate resiliency and troubleshooting commands.
Hyperlegible","fontStyleBase":"NORMAL","fontWeightBase":"400","fontWeightLight":"300","fontWeightNormal":"400","fontWeightMd":"500","fontWeightBold":"700","letterSpacingSm":"normal","letterSpacingXs":"normal","lineHeightBase":"1.3","fontSizeBase":"15px","fontSizeXxs":"11px","fontSizeXs":"12px","fontSizeSm":"13px","fontSizeLg":"20px","fontSizeXl":"24px","smallFontSize":"14px","customFonts":[],"__typename":"TypographyThemeSettings"},"unstyledListItem":{"marginBottomSm":"5px","marginBottomMd":"10px","marginBottomLg":"15px","marginBottomXl":"20px","marginBottomXxl":"25px","__typename":"UnstyledListItemThemeSettings"},"yiq":{"light":"#ffffff","dark":"#000000","__typename":"YiqThemeSettings"},"colorLightness":{"primaryDark":0.36,"primaryLight":0.74,"primaryLighter":0.89,"primaryLightest":0.95,"infoDark":0.39,"infoLight":0.72,"infoLighter":0.85,"infoLightest":0.93,"successDark":0.24,"successLight":0.62,"successLighter":0.8,"successLightest":0.91,"warningDark":0.39,"warningLight":0.68,"warningLighter":0.84,"warningLightest":0.93,"dangerDark":0.41,"dangerLight":0.72,"dangerLighter":0.89,"dangerLightest":0.95,"__typename":"ColorLightnessThemeSettings"},"localOverride":false,"__typename":"Theme"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/Loading/LoadingDot-1745595729125":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-1745595729125","value":{"title":"Loading..."},"localOverride":false},"CachedAsset:quilt:f5.prod:pages/kbs/TkbMessagePage:board:TechnicalArticles-1745595725993":{"__typename":"CachedAsset","id":"quilt:f5.prod:pages/kbs/TkbMessagePage:board:TechnicalArticles-1745595725993","value":{"id":"TkbMessagePage","container":{"id":"Common","headerProps":{"backgroundImageProps":null,"backgroundColor":null,"addComponents":null,"removeComponents":["community.widget.bannerWidget"],"componentOrder":null,"__typename":"QuiltContainerSectionProps"},"headerComponentProps":{"community.widget.breadcrum
bWidget":{"disableLastCrumbForDesktop":false}},"footerProps":null,"footerComponentProps":null,"items":[{"id":"message-list","layout":"MAIN_SIDE","bgColor":"transparent","showTitle":true,"showDescription":true,"textPosition":"CENTER","textColor":"var(--lia-bs-body-color)","sectionEditLevel":null,"bgImage":null,"disableSpacing":null,"edgeToEdgeDisplay":null,"fullHeight":null,"showBorder":null,"__typename":"MainSideQuiltSection","columnMap":{"main":[{"id":"tkbs.widget.tkbArticleWidget","className":"lia-tkb-container","props":{"contributorListType":"panel","showHelpfulness":false,"showTimestamp":true,"showGuideNavigationSection":true,"showVersion":true,"lazyLoad":false,"editLevel":"CONFIGURE"},"__typename":"QuiltComponent"}],"side":[{"id":"featuredWidgets.widget.featuredContentWidget","className":null,"props":{"instanceId":"featuredWidgets.widget.featuredContentWidget-1702666556326","layoutProps":{"layout":"card","layoutOptions":{"useRepliesCount":false,"useAuthorRank":false,"useTimeToRead":true,"useKudosCount":false,"useViewCount":true,"usePreviewMedia":true,"useBody":false,"useCenteredCardContent":false,"useTags":true,"useTimestamp":false,"useBoardLink":true,"useAuthorLink":false,"useSolvedBadge":true}},"titleSrOnly":false,"showPager":true,"pageSize":3,"lazyLoad":true},"__typename":"QuiltComponent"},{"id":"messages.widget.relatedContentWidget","className":null,"props":{"hideIfEmpty":true,"enablePagination":true,"useTitle":true,"listVariant":{"type":"listGroup"},"pageSize":3,"style":"list","pagerVariant":{"type":"loadMore"},"viewVariant":{"type":"inline","props":{"useRepliesCount":true,"useMedia":true,"useAuthorRank":false,"useNode":true,"useTimeToRead":true,"useSpoilerFreeBody":true,"useKudosCount":true,"useNodeLink":true,"useViewCount":true,"usePreviewMedia":false,"useBody":false,"timeStampType":"postTime","useTags":true,"clampSubjectLines":2,"useBoardIcon":false,"useMessageTimeLink":true,"clampBodyLines":3,"useTextBody":true,"useSolvedBadge":true,"useAvatar":true,"u
seAuthorLogin":true,"useUnreadCount":true}},"lazyLoad":true,"panelType":"divider"},"__typename":"QuiltComponent"}],"__typename":"MainSideSectionColumns"}}],"__typename":"QuiltContainer"},"__typename":"Quilt","localOverride":false},"localOverride":false},"CachedAsset:text:en_US-components/common/EmailVerification-1745595729125":{"__typename":"CachedAsset","id":"text:en_US-components/common/EmailVerification-1745595729125","value":{"email.verification.title":"Email Verification Required","email.verification.message.update.email":"To participate in the community, you must first verify your email address. The verification email was sent to {email}. To change your email, visit My Settings.","email.verification.message.resend.email":"To participate in the community, you must first verify your email address. The verification email was sent to {email}. Resend email."},"localOverride":false},"CachedAsset:text:en_US-pages/kbs/TkbMessagePage-1745595729125":{"__typename":"CachedAsset","id":"text:en_US-pages/kbs/TkbMessagePage-1745595729125","value":{"title":"{contextMessageSubject} | {communityTitle}","errorMissing":"This article cannot be found","name":"TKB Message Page","section.message-list.title":"","archivedMessageTitle":"This Content Has Been Archived","section.erPqcf.title":"","section.erPqcf.description":"","section.message-list.description":""},"localOverride":false},"CachedAsset:text:en_US-components/common/ActionFeedback-1745595729125":{"__typename":"CachedAsset","id":"text:en_US-components/common/ActionFeedback-1745595729125","value":{"joinedGroupHub.title":"Welcome","joinedGroupHub.message":"You are now a member of this group and are subscribed to updates.","groupHubInviteNotFound.title":"Invitation Not Found","groupHubInviteNotFound.message":"Sorry, we could not find your invitation to the group. The owner may have canceled the invite.","groupHubNotFound.title":"Group Not Found","groupHubNotFound.message":"The grouphub you tried to join does not exist. 
It may have been deleted.","existingGroupHubMember.title":"Already Joined","existingGroupHubMember.message":"You are already a member of this group.","accountLocked.title":"Account Locked","accountLocked.message":"Your account has been locked due to multiple failed attempts. Try again in {lockoutTime} minutes.","editedGroupHub.title":"Changes Saved","editedGroupHub.message":"Your group has been updated.","leftGroupHub.title":"Goodbye","leftGroupHub.message":"You are no longer a member of this group and will not receive future updates.","deletedGroupHub.title":"Deleted","deletedGroupHub.message":"The group has been deleted.","groupHubCreated.title":"Group Created","groupHubCreated.message":"{groupHubName} is ready to use","accountClosed.title":"Account Closed","accountClosed.message":"The account has been closed and you will now be redirected to the homepage","resetTokenExpired.title":"Reset Password Link has Expired","resetTokenExpired.message":"Try resetting your password again","invalidUrl.title":"Invalid URL","invalidUrl.message":"The URL you're using is not recognized. Verify your URL and try again.","accountClosedForUser.title":"Account Closed","accountClosedForUser.message":"{userName}'s account is closed","inviteTokenInvalid.title":"Invitation Invalid","inviteTokenInvalid.message":"Your invitation to the community has been canceled or expired.","inviteTokenError.title":"Invitation Verification Failed","inviteTokenError.message":"The url you are utilizing is not recognized. 
Verify your URL and try again","pageNotFound.title":"Access Denied","pageNotFound.message":"You do not have access to this area of the community or it doesn't exist","eventAttending.title":"Responded as Attending","eventAttending.message":"You'll be notified when there's new activity and reminded as the event approaches","eventInterested.title":"Responded as Interested","eventInterested.message":"You'll be notified when there's new activity and reminded as the event approaches","eventNotFound.title":"Event Not Found","eventNotFound.message":"The event you tried to respond to does not exist.","redirectToRelatedPage.title":"Showing Related Content","redirectToRelatedPageForBaseUsers.title":"Showing Related Content","redirectToRelatedPageForBaseUsers.message":"The content you are trying to access is archived","redirectToRelatedPage.message":"The content you are trying to access is archived","relatedUrl.archivalLink.flyoutMessage":"The content you are trying to access is archived View Archived 
Content"},"localOverride":false},"CachedAsset:quiltWrapper:f5.prod:Common:1745595708677":{"__typename":"CachedAsset","id":"quiltWrapper:f5.prod:Common:1745595708677","value":{"id":"Common","header":{"backgroundImageProps":{"assetName":"header.jpg","backgroundSize":"COVER","backgroundRepeat":"NO_REPEAT","backgroundPosition":"LEFT_CENTER","lastModified":"1702932449000","__typename":"BackgroundImageProps"},"backgroundColor":"transparent","items":[{"id":"custom.widget.GainsightShared","props":{"widgetVisibility":"signedInOnly","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"},{"id":"custom.widget.Beta_MetaNav","props":{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"},{"id":"community.widget.navbarWidget","props":{"showUserName":false,"showRegisterLink":true,"style":{"boxShadow":"var(--lia-bs-box-shadow-sm)","linkFontWeight":"700","controllerHighlightColor":"hsla(30, 100%, 
50%)","dropdownDividerMarginBottom":"10px","hamburgerBorderHover":"none","linkFontSize":"15px","linkBoxShadowHover":"none","backgroundOpacity":0.4,"controllerBorderRadius":"var(--lia-border-radius-50)","hamburgerBgColor":"transparent","linkTextBorderBottom":"none","hamburgerColor":"var(--lia-nav-controller-icon-color)","brandLogoHeight":"48px","linkLetterSpacing":"normal","linkBgHoverColor":"transparent","collapseMenuDividerOpacity":0.16,"paddingBottom":"10px","dropdownPaddingBottom":"15px","dropdownMenuOffset":"2px","hamburgerBgHoverColor":"transparent","borderBottom":"0","hamburgerBorder":"none","dropdownPaddingX":"10px","brandMarginRightSm":"10px","linkBoxShadow":"none","linkJustifyContent":"center","linkColor":"var(--lia-bs-primary)","collapseMenuDividerBg":"var(--lia-nav-link-color)","dropdownPaddingTop":"10px","controllerHighlightTextColor":"var(--lia-yiq-dark)","background":{"imageAssetName":"","color":"var(--lia-bs-white)","size":"COVER","repeat":"NO_REPEAT","position":"CENTER_CENTER","imageLastModified":""},"linkBorderRadius":"var(--lia-bs-border-radius-sm)","linkHoverColor":"var(--lia-bs-primary)","position":"FIXED","linkBorder":"none","linkTextBorderBottomHover":"2px solid #0C5C8D","brandMarginRight":"30px","hamburgerHoverColor":"var(--lia-nav-controller-icon-color)","linkBorderHover":"none","collapseMenuMarginLeft":"20px","linkFontStyle":"NORMAL","linkPaddingX":"10px","paddingTop":"10px","linkPaddingY":"5px","linkTextTransform":"NONE","dropdownBorderColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","controllerBgHoverColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 
0.1)","linkDropdownPaddingX":"var(--lia-nav-link-px)","linkBgColor":"transparent","linkDropdownPaddingY":"9px","controllerIconColor":"#0C5C8D","dropdownDividerMarginTop":"10px","linkGap":"10px","controllerIconHoverColor":"#0C5C8D"},"links":{"sideLinks":[],"mainLinks":[{"children":[{"linkType":"INTERNAL","id":"migrated-link-1","params":{"boardId":"TechnicalForum","categoryId":"Forums"},"routeName":"ForumBoardPage"},{"linkType":"INTERNAL","id":"migrated-link-2","params":{"boardId":"WaterCooler","categoryId":"Forums"},"routeName":"ForumBoardPage"}],"linkType":"INTERNAL","id":"migrated-link-0","params":{"categoryId":"Forums"},"routeName":"CategoryPage"},{"children":[{"linkType":"INTERNAL","id":"migrated-link-4","params":{"boardId":"codeshare","categoryId":"CrowdSRC"},"routeName":"TkbBoardPage"},{"linkType":"INTERNAL","id":"migrated-link-5","params":{"boardId":"communityarticles","categoryId":"CrowdSRC"},"routeName":"TkbBoardPage"}],"linkType":"INTERNAL","id":"migrated-link-3","params":{"categoryId":"CrowdSRC"},"routeName":"CategoryPage"},{"children":[{"linkType":"INTERNAL","id":"migrated-link-7","params":{"boardId":"TechnicalArticles","categoryId":"Articles"},"routeName":"TkbBoardPage"},{"linkType":"INTERNAL","id":"article-series","params":{"boardId":"article-series","categoryId":"Articles"},"routeName":"TkbBoardPage"},{"linkType":"INTERNAL","id":"security-insights","params":{"boardId":"security-insights","categoryId":"Articles"},"routeName":"TkbBoardPage"},{"linkType":"INTERNAL","id":"migrated-link-8","params":{"boardId":"DevCentralNews","categoryId":"Articles"},"routeName":"TkbBoardPage"}],"linkType":"INTERNAL","id":"migrated-link-6","params":{"categoryId":"Articles"},"routeName":"CategoryPage"},{"children":[{"linkType":"INTERNAL","id":"migrated-link-10","params":{"categoryId":"CommunityGroups"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"migrated-link-11","params":{"categoryId":"F5-Groups"},"routeName":"CategoryPage"}],"linkType":"INTERNAL","id":"migrate
d-link-9","params":{"categoryId":"GroupsCategory"},"routeName":"CategoryPage"},{"children":[],"linkType":"INTERNAL","id":"migrated-link-12","params":{"boardId":"Events","categoryId":"top"},"routeName":"EventBoardPage"},{"children":[],"linkType":"INTERNAL","id":"migrated-link-13","params":{"boardId":"Suggestions","categoryId":"top"},"routeName":"IdeaBoardPage"},{"children":[],"linkType":"EXTERNAL","id":"Common-external-link","url":"https://community.f5.com/c/how-do-i","target":"SELF"}]},"className":"QuiltComponent_lia-component-edit-mode__lQ9Z6","showSearchIcon":false},"__typename":"QuiltComponent"},{"id":"community.widget.bannerWidget","props":{"backgroundColor":"transparent","visualEffects":{"showBottomBorder":false},"backgroundImageProps":{"backgroundSize":"COVER","backgroundPosition":"CENTER_CENTER","backgroundRepeat":"NO_REPEAT"},"fontColor":"#222222"},"__typename":"QuiltComponent"},{"id":"community.widget.breadcrumbWidget","props":{"backgroundColor":"var(--lia-bs-primary)","linkHighlightColor":"#FFFFFF","visualEffects":{"showBottomBorder":false},"backgroundOpacity":60,"linkTextColor":"#FFFFFF"},"__typename":"QuiltComponent"}],"__typename":"QuiltWrapperSection"},"footer":{"backgroundImageProps":{"assetName":null,"backgroundSize":"COVER","backgroundRepeat":"NO_REPEAT","backgroundPosition":"CENTER_CENTER","lastModified":null,"__typename":"BackgroundImageProps"},"backgroundColor":"var(--lia-bs-body-color)","items":[{"id":"custom.widget.Beta_Footer","props":{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"},{"id":"custom.widget.Tag_Manager_Helper","props":{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"},{"id":"custom.widget.Consent_Blackbar","props":{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"}],"
__typename":"QuiltWrapperSection"},"__typename":"QuiltWrapper","localOverride":false},"localOverride":false},"CachedAsset:component:custom.widget.GainsightShared-en-us-1745595733836":{"__typename":"CachedAsset","id":"component:custom.widget.GainsightShared-en-us-1745595733836","value":{"component":{"id":"custom.widget.GainsightShared","template":{"id":"GainsightShared","markupLanguage":"HTML","style":null,"texts":{},"defaults":{"config":{"applicablePages":[],"description":"Shared functions for Gainsight integration","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.GainsightShared","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"TEXTHTML","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":"Shared functions for Gainsight integration","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride":false},"CachedAsset:component:custom.widget.Beta_MetaNav-en-us-1745595733836":{"__typename":"CachedAsset","id":"component:custom.widget.Beta_MetaNav-en-us-1745595733836","value":{"component":{"id":"custom.widget.Beta_MetaNav","template":{"id":"Beta_MetaNav","markupLanguage":"HANDLEBARS","style":null,"texts":{},"defaults":{"config":{"applicablePages":[],"description":"MetaNav menu at the top of every page.","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.Beta_MetaNav","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":"MetaNav menu at the top of every 
page.","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride":false},"CachedAsset:component:custom.widget.Beta_Footer-en-us-1745595733836":{"__typename":"CachedAsset","id":"component:custom.widget.Beta_Footer-en-us-1745595733836","value":{"component":{"id":"custom.widget.Beta_Footer","template":{"id":"Beta_Footer","markupLanguage":"HANDLEBARS","style":null,"texts":{},"defaults":{"config":{"applicablePages":[],"description":"DevCentral´s custom footer.","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.Beta_Footer","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":"DevCentral´s custom footer.","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride":false},"CachedAsset:component:custom.widget.Tag_Manager_Helper-en-us-1745595733836":{"__typename":"CachedAsset","id":"component:custom.widget.Tag_Manager_Helper-en-us-1745595733836","value":{"component":{"id":"custom.widget.Tag_Manager_Helper","template":{"id":"Tag_Manager_Helper","markupLanguage":"HANDLEBARS","style":null,"texts":{},"defaults":{"config":{"applicablePages":[],"description":"Helper widget to inject Tag Manager scripts into head element","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.Tag_Manager_Helper","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":"Helper 
widget to inject Tag Manager scripts into head element","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride":false},"CachedAsset:component:custom.widget.Consent_Blackbar-en-us-1745595733836":{"__typename":"CachedAsset","id":"component:custom.widget.Consent_Blackbar-en-us-1745595733836","value":{"component":{"id":"custom.widget.Consent_Blackbar","template":{"id":"Consent_Blackbar","markupLanguage":"HTML","style":null,"texts":{},"defaults":{"config":{"applicablePages":[],"description":"","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.Consent_Blackbar","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"TEXTHTML","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":"","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride":false},"CachedAsset:text:en_US-components/community/Breadcrumb-1745595729125":{"__typename":"CachedAsset","id":"text:en_US-components/community/Breadcrumb-1745595729125","value":{"navLabel":"Breadcrumbs","dropdown":"Additional parent page navigation"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageBanner-1745595729125":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageBanner-1745595729125","value":{"messageMarkedAsSpam":"This post has been marked as spam","messageMarkedAsSpam@board:TKB":"This article has been marked as spam","messageMarkedAsSpam@board:BLOG":"This post has been marked as spam","messageMarkedAsSpam@board:FORUM":"This discussion has been marked as spam","messageMarkedAsSpam@board:OCCASION":"This event has been marked 
as spam","messageMarkedAsSpam@board:IDEA":"This idea has been marked as spam","manageSpam":"Manage Spam","messageMarkedAsAbuse":"This post has been marked as abuse","messageMarkedAsAbuse@board:TKB":"This article has been marked as abuse","messageMarkedAsAbuse@board:BLOG":"This post has been marked as abuse","messageMarkedAsAbuse@board:FORUM":"This discussion has been marked as abuse","messageMarkedAsAbuse@board:OCCASION":"This event has been marked as abuse","messageMarkedAsAbuse@board:IDEA":"This idea has been marked as abuse","preModCommentAuthorText":"This comment will be published as soon as it is approved","preModCommentModeratorText":"This comment is awaiting moderation","messageMarkedAsOther":"This post has been rejected due to other reasons","messageMarkedAsOther@board:TKB":"This article has been rejected due to other reasons","messageMarkedAsOther@board:BLOG":"This post has been rejected due to other reasons","messageMarkedAsOther@board:FORUM":"This discussion has been rejected due to other reasons","messageMarkedAsOther@board:OCCASION":"This event has been rejected due to other reasons","messageMarkedAsOther@board:IDEA":"This idea has been rejected due to other reasons","messageArchived":"This post was archived on {date}","relatedUrl":"View Related Content","relatedContentText":"Showing related content","archivedContentLink":"View Archived 
Content"},"localOverride":false},"CachedAsset:text:en_US-components/tkbs/TkbArticleWidget-1745595729125":{"__typename":"CachedAsset","id":"text:en_US-components/tkbs/TkbArticleWidget-1745595729125","value":{},"localOverride":false},"Category:category:Forums":{"__typename":"Category","id":"category:Forums","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Forum:board:TechnicalForum":{"__typename":"Forum","id":"board:TechnicalForum","forumPolicies":{"__typename":"ForumPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Forum:board:WaterCooler":{"__typename":"Forum","id":"board:WaterCooler","forumPolicies":{"__typename":"ForumPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Tkb:board:DevCentralNews":{"__typename":"Tkb","id":"board:DevCentralNews","tkbPolicies":{"__typename":"TkbPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:GroupsCategory":{"__typename":"Category","id":"category:GroupsCategory","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:F5-Groups":{"__typename":"Category","id":"category:F5-Groups","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:CommunityGroups":{"__typename":"Category","id":"category:CommunityGroups","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Occasion:board:Events":{"__typename":"Occasion","id":
"board:Events","boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"occasionPolicies":{"__typename":"OccasionPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Idea:board:Suggestions":{"__typename":"Idea","id":"board:Suggestions","boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"ideaPolicies":{"__typename":"IdeaPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:CrowdSRC":{"__typename":"Category","id":"category:CrowdSRC","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Tkb:board:codeshare":{"__typename":"Tkb","id":"board:codeshare","tkbPolicies":{"__typename":"TkbPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Tkb:board:communityarticles":{"__typename":"Tkb","id":"board:communityarticles","tkbPolicies":{"__typename":"TkbPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Tkb:board:security-insights":{"__typename":"Tkb","id":"board:security-insights","tkbPolicies":{"__typename":"TkbPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Tkb:board:article-series":{"__typename":"Tkb","id":"board:article-series","tkbPolicies":{"__typename":"TkbPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"QueryVariables:TopicReplyList:message:307459:28":{"__typename":"QueryVariab
Comment by MichaelOLeary (2023-11-16):

Hi Heath, Thank you for this article and the detail. Looks like there are some broken hyperlinks in this paragraph:

To get more understanding of a F5 BIG-IP deployment with AWS Gateway Load balancer please review the topic my colleague @Yossi_Rosenboi1 presented. For further understanding of SSLO please see f5 clouddocs. Kevin Stewart and Kevin Gallaugher have published many articles.