Securing your applications with F5 Virtual Editions in Microsoft Azure
In Nov 2015, F5 announced the availability of F5 BIG-IP virtual editions in the Microsoft Azure cloud. For our enterprise customers, this meant the ability to create advanced networking and security policies in Azure. More importantly, our customers were able to achieve consistency in services across their on-premises and Azure environments. When we talk about security, incorporating a network firewall is critical.
Typical network firewall functions are facilitated by attaching L2 interfaces to separate security zones. This would mean setting up a dedicated virtual NIC (VNIC) for each VLAN on a virtual machine. In Azure, the number of VNICs supported differs by compute instance type. Larger instances support more VNICs but also incur a higher cost. However, there is another way to segment zones in Azure: user-defined routing (UDR). In a nutshell, UDR provides a means for enterprises to design, and secure, the Azure networking infrastructure. For further information on UDR, please refer to the link below.
https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-udr-overview/
Using UDR along with the F5 Advanced Firewall Manager (AFM) service, you can implement advanced firewall protection for both N-S and E-W data traffic. Here are a few key capabilities of F5 AFM:
· Policy based access control to and from address/port pairs;
· Network firewall rules and logging at a global context level, or at a virtual server level;
· Stateful and full proxy architecture: a flow from the client is passed to the backend only if it is deemed secure;
· IP Intelligence, global and virtual-server-based Denial of Service (DoS) attack protection that can be configured for thresholds on multiple network parameters; and
· Programmability through iRules offering dynamic packet filtering capability.
To get you started with using UDR and F5 AFM, here is an example scenario. We have an F5 ADC to manage traffic to the backend tiers. We have two backend tiers (a database tier and an application tier). Our goal is to stop traffic from the database tier from connecting to the application tier while allowing data to flow in the opposite direction. The network topology is illustrated below.
Here are the steps required to implement this scenario.
Step 1: Create UDR
Step 2: Enable IP forwarding in Azure
Step 3: Create IP forwarding Virtual Server in BIG-IP
Step 4: Create AFM Policy in BIG-IP
Step 1: Create UDR
There are different ways to create UDR:
1. PowerShell
2. Azure CLI
3. Template
While creating a UDR, you must provide the next hop address, which is the IP address of your BIG-IP. The example below shows a UDR created for the application tier subnet.
Here, the address prefix is 10.2.2.0/24, which is the destination CIDR (of the database tier). The next hop address is 10.2.0.4, which is the private IP address of the BIG-IP. This route is associated with the subnet WebAppSubnet, which has an address range of 10.2.1.0/24. With this, packets from the WebApp subnet destined for the database subnet will be routed through the BIG-IP.
Prerequisites: Create a Virtual Network in new Resource Group in Azure. When you do this a default subnet will be automatically created. Create two additional subnets for the WebApp and Database tier in your Virtual Network.
Create UDR for WebAppSubnet:
1. Create route ‘RouteToDatabase’, which directs traffic destined for the database subnet to the BIG-IP.
$route = New-AzureRmRouteConfig -Name RouteToDatabase `
    -AddressPrefix 10.2.2.0/24 -NextHopType VirtualAppliance `
    -NextHopIpAddress 10.2.0.4
2. Create the route table in the region where you deployed (this example uses the westus region).
$routeTable = New-AzureRmRouteTable -ResourceGroupName Group2 -Location westus `
    -Name UDR1 -Route $route
3. Create a variable vnet that holds the virtual network containing this subnet.
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName Group2 -Name Group2-vnet
4. Associate the route table with WebAppSubnet.
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name WebAppSubnet `
    -AddressPrefix 10.2.1.0/24 -RouteTable $routeTable
5. Save configurations in Azure.
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
Once created, the table looks like the following.
Create a similar UDR for the database tier. Once done, the table looks like the following.
Step 2: Enable IP forwarding on the NIC associated with BIG-IP
1. Retrieve the network interface created for BIG-IP (bigip1234 in this example).
$bigipnic = Get-AzureRmNetworkInterface -ResourceGroupName Group2 -Name bigip1234
2. Enable IP Forwarding.
$bigipnic.EnableIPForwarding = 1
3. Save NIC configurations.
Set-AzureRmNetworkInterface -NetworkInterface $bigipnic
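A check worth running once steps 1 and 2 are done, written as an added example that is not part of the original post: it confirms that each tier's subnet routes the other tier's prefix through the BIG-IP and that IP forwarding is on. The function takes objects shaped like the output of Get-AzureRmVirtualNetwork, Get-AzureRmRouteTable and Get-AzureRmNetworkInterface; the sample values are constructed, and the subnet name DatabaseSubnet and the id rt/UDR1 are hypothetical.

```powershell
# Added example: audit that east-west traffic between tiers is forced through the BIG-IP.
# Matches routes by exact prefix, as in the UDR shown in this post.
function Test-UdrSegmentation {
    param($Subnets, $RouteTables, $FirewallNic, [string[]]$TierNames)

    $findings = @()
    $fwIp = $FirewallNic.IpConfigurations[0].PrivateIpAddress
    if (-not $FirewallNic.EnableIPForwarding) {
        $findings += "IP forwarding is disabled on the NIC for $fwIp; packets not addressed to the NIC are dropped"
    }
    $tiers = $Subnets | Where-Object { $TierNames -contains $_.Name }
    foreach ($src in $tiers) {
        # A subnet references its route table by Id; resolve it to the full table.
        $table = $RouteTables | Where-Object { $src.RouteTable -and $_.Id -eq $src.RouteTable.Id }
        foreach ($dst in ($tiers | Where-Object { $_.Name -ne $src.Name })) {
            $route = $table.Routes | Where-Object { $_.AddressPrefix -eq $dst.AddressPrefix }
            if (-not $route) {
                # Without a UDR the default VNet route delivers directly, skipping the firewall.
                $findings += "$($src.Name) -> $($dst.Name): no UDR for $($dst.AddressPrefix), traffic bypasses the BIG-IP"
            } elseif ($route.NextHopType -ne 'VirtualAppliance' -or $route.NextHopIpAddress -ne $fwIp) {
                $findings += "$($src.Name) -> $($dst.Name): next hop is not the BIG-IP ($fwIp)"
            }
        }
    }
    $findings
}

# Constructed sample: WebAppSubnet has UDR1; the database tier's table is still missing
# and IP forwarding has not been enabled yet.
$udr1 = [pscustomobject]@{ Id = 'rt/UDR1'; Routes = @(
    [pscustomobject]@{ Name = 'RouteToDatabase'; AddressPrefix = '10.2.2.0/24'
                       NextHopType = 'VirtualAppliance'; NextHopIpAddress = '10.2.0.4' }) }
$subnets = @(
    [pscustomobject]@{ Name = 'WebAppSubnet';   AddressPrefix = '10.2.1.0/24'; RouteTable = $udr1 },
    [pscustomobject]@{ Name = 'DatabaseSubnet'; AddressPrefix = '10.2.2.0/24'; RouteTable = $null })
$nic = [pscustomobject]@{ EnableIPForwarding = $false
    IpConfigurations = @([pscustomobject]@{ PrivateIpAddress = '10.2.0.4' }) }

Test-UdrSegmentation -Subnets $subnets -RouteTables @($udr1) -FirewallNic $nic `
    -TierNames 'WebAppSubnet', 'DatabaseSubnet' | ForEach-Object { Write-Warning $_ }
```

Against a live deployment, pass $vnet.Subnets, the output of Get-AzureRmRouteTable -ResourceGroupName Group2, and $bigipnic in place of the sample objects.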
Step 3: Create IP Forwarding Virtual Server in BIG-IP
To enable IP forwarding in BIG-IP, you need to create an IP Forwarding Virtual Server.
To create the IP Forwarding Virtual Server, log in to the Configuration Utility.
1. Local Traffic > Virtual Server
2. Click ‘Create’ to create Virtual Server and fill the required details.
For additional information on creating forwarding virtuals, refer to this solution article.
Step 4: Create AFM Policy in BIG-IP
To create AFM policies, you must have AFM provisioned in your BIG-IP.
Browse to Security > Options > Network Firewall > Active Rule and click ‘Add’ to create a new policy.
Here you need to select ‘Virtual Server’ as a context as shown below.
As mentioned above, this example illustrates a scenario to block traffic from the database tier to the web tier. The policy settings are shown below.
With this step, we have accomplished the example scenario!
Contributors to this blog post: Apoorva Sahasrabudhe, Greg Coward