Deploy WAF on any Edge with F5 Distributed Cloud (SaaS Console, Automation)

Introduction

The target deployment environment has long been a critical factor in selecting WAF products as, typically, specific WAFs were better suited for some but not all environments. Appliance-based WAFs, with their superior throughput performance and larger footprint were perfect for on-prem deployments but not the best candidates for Cloud environments. As-a-service deployments where born in the Cloud but did not fit a lab-based Kubernetes use case very well.
Modern enterprises tend to deploy their applications in a variety on environments so selecting a WAF specialized for one (primary) environment would mean accepting limitations when deployed in others or buying separate products that would increase management complexity.
This should not be the case anymore as F5 Distributed Cloud (XC) can abstract away the underlaying environment and allow for to be deployed in a multitude of environments maintaining full functionality.

This is the first article in a series that will explore the various ways to deploy XC WAF on any Edge and we will start with an overview of XC WAF deployment options. We will showcase the deployment process in both XC Console and through Terraform automation. Both the XC Console user guides and Terraform automations are hosted in a GitHub repo, F5 XC Terraform Examples, where "Deploy WAF on any Edge with F5 XC" is just the first major use case, others following soon. For examples of hybrid F5 XC deployments (alongside NGINX App Protect and BIG-IP Advanced WAF) on multi-cloud and on-premises, check out the F5 XC Hybrid Security Architecture Deployments GitHub repository.

 

WAF on XC RE (Regional Edge) deployment mode

This deployment mode is better suited when protecting backend applications which are already public (accessible from the Interned via FQDN or Public IP).

Architecture

 XC WAF is deployed on the REs, where the services are being advertised to the Internet through Anycast IPs. The end users will connect to their closest RE and the traffic will be inspected by the WAF security policy. The traffic will then be forwarded across the XC Global Network towards an egress RE and then towards the customer site as regular Internet traffic. The customer will filter the traffic, only allowing traffic forwarded by the XC platform.

Key Security Capabilities

• Web Application Firewall
• Bot Protection
• API Protection
• HTTPS SSL Termination
• L3 DDoS protection
• L7 DDoS protection

Implementation examples

Deploying F5 XC WAF on Regional Edge - XC Console user guide & Terraform automation available

 

 

WAF (on RE) + AppConnect deployment mode

This deployment model is the best solution when the backend applications are not yet accessible from the Internet (no FQDN / Public IP). In this case, CE (Customer Edge) sites can be deployed to connect these “private” customer sites to the XC Global Network via IPSEC tunnels opened from XC CE(s) to the closest two REs sites.

Architecture

XC WAF is deployed on the REs, where the services are being advertised to the Internet through Anycast IPs. CE(s) are being deployed on the customer sites and connect to the closest two REs through IPSEC tunnels. The end users will connect to their closest RE and the traffic will be inspected by the WAAP security policy. The traffic will then be forwarded across the XC Global Network towards an egress RE and then tover an IPSEC tunnel to the CE site where it will be forwarded to the backend application as pure IP-based traffic.

Key Security Capabilities

• Web Application Firewall
• Bot Protection
• API Protection
• HTTPS SSL Termination
• L3 DDoS protection
• L7 DDoS protection

Implementation examples

Deploying F5 XC WAF on RE + AppConnect (backend app deployed on VM) - XC Console user guide & Terraform automation available

Deploying F5 XC WAF on RE + AppConnect (backend app deployed on K8s) - XC Console user guide & Terraform automation available

Protect LLM applications against Model Denial of Service - XC Console user guide available (Terraform automation coming soon)

Deploying F5 XC’s Customer Edge using ESXi on VMware Private Cloud - XC Console user guide available

Deploying F5 XC’s Customer Edge using KVM on OpenStack’s Private Cloud - XC Console user guide available

WAF on CE (Customer Edge) deployment mode

This deployment mode is better suited when protecting backend applications that require Internet traffic to be directed to them with no intermediary processing, for security or privacy purposes. Another use case is local traffic (all traffic is sourced and destined for the same customer site).

Architecture

XC WAF is configured on the CE(s) deployed on the customer sites. The end users will connect directly to the CEs, bypassing the XC Global Network. The CE sites will be still managed through the XC Cloud-based Console.

Key Security Capabilities

• Web Application Firewall
• Bot Protection
• API Protection
• HTTPS SSL Termination
• No L3 DDoS protection
• L7 DDoS protection
• Best compliance with local regulations

Implementation examples

Deploying F5 XC WAF on Customer Edge (Single cloud scenario - Azure) - XC Console user guide & Terraform automation available

Deploying F5 XC WAF on Customer Edge (Single cloud scenario - AWS) - XC Console user guide & Terraform automation available

Deploying F5 XC WAF on Customer Edge (Single cloud scenario - GCP) - XC Console user guide & Terraform automation available

 

WAF on Kubernetes deployment mode

Best fit for closely-coupled protection of workloads deployed in Kubernetes environments.

Architecture(s)

XC WAF can be configured on CEs deployed either outside the Kubernetes cluster or inside, as a regular k8s workload. Through the XC Console, XC WAAP can be automated and integrated in CI/CD pipelines as required by the modern apps development methodologies.

Key Security Capabilities

• Web Application Firewall
• Bot Protection
• API Protection
• HTTPS SSL Termination
• No L3 DDoS protection
• L7 DDoS protection
• Best compliance with local regulations
• Best support for DevSecOps practices

Implementation examples

F5 Distributed Cloud WAF deployment on k8s - XC Console user guide & Terraform automation available

Conclusion

F5 XC WAF presents a clear advantage over classical WAFs in that it can be deployed on a variety of environments without loss of functionality.
In this first article of a series, we presented an overview of the main deployment options for XC WAF on any Edge while follow-on articles will dive deeper into the details of the deployment procedures.

For further information or to get started:

• F5 Distributed Cloud Terraform Examples GitHub Repository
• F5 Distributed Cloud Platform
• F5 Distributed Cloud WAAP (Web Application and API Protection) Services
• F5 Distributed Cloud WAAP (Web Application and API Protection) YouTube series
• F5 Distributed Cloud WAAP (Web Application and API Protection) Get Started
• F5 Distributed Cloud WAAP - Introducing the Distributed Cloud Web Application Firewall
• F5 Hybrid Security Architectures: One WAF Engine, Total Flexibility (Intro)
• F5 Distributed Cloud Web App and API Protection hybrid architecture for DevSecOps