Lab 2: Load Balancer Routes

The following lab tasks will guide you through using the Distributed Cloud Console to configure routes within an HTTP Load Balancer. Students will start by creating a route to steer traffic based on a specified HTTP header contained within the client request. Header-based routing is often used for blue-green testing. Blue-green testing is a release strategy that uses two independent deployments (Blue and Green) for real-world testing of software updates and application enhancements.

Next, students will apply a Web Application Firewall (WAF) policy at the route level. Applying a WAF policy at the route level allows security teams to apply more prescriptive WAF policies to the different components of the web application. For example, you may want to apply additional WAF rules for the logon portion of the application.

The last task within this lab is to deploy routes to modify application responses in transit. This task demonstrates Distributed Cloud’s ability to modify Requests and/or Responses. This can be used to add/remove headers used by the backend application, rewrite path prefixes and modify cookies.

Expected Lab Time: 25 minutes

Task 1: Deploy a Header Route to Steer Traffic for Canary Testing

In this task, you will create a header route that directs traffic to different origin pools based on a specified HTTP header. This configuration can be useful for Canary testing. Traffic matching a specified header will be directed to a specified origin pool, while all other traffic will be directed to the default origin pool for the load balancer.

Configure a Header Route

  1. If you are no longer logged into the Distributed Cloud Console, log on at:

    https://f5-xc-lab-app.console.ves.volterra.io/

  1. If you are at the home landing page, select the Web App & API Protection tile.

    Web-App-Tile

    If you are already in a workspace you can get to the Web App & API Protection workspace from the top navigation bar by selecting the Web App & API Protection workspace from the dropdown menu.

    Web-App-Dropdown

  1. In the navigation sidebar on the left, expand Manage, expand Load Balancers, and select HTTP Load Balancers.

    Manage-HTTP-LB

  1. Locate your HTTP Load Balancer in the list and click the ellipsis (three dots) under the Actions column. Select Manage Configuration. Your Load Balancer for this lab is named <name-space>-routing-https-lb.

    Manage-LB-Config

Note

If you don’t see an HTTP Load Balancer, make sure you are in the correct namespace.

  1. In the Load Balancer Configuration page, click Edit Configuration in the top right.

    Edit-LB-Config

  1. In the Load Balancer Edit Configuration page, scroll to the Routes section or click Routes in the left menu to jump to the routes section.

    Routes-Section

  1. Click Configure in the Routes configuration section.

    Routes-Config

  1. Click Add Item to add a route.

    Route-Add

  1. In the resulting form, configure the route policy:

    • Route Type: Simple Route
      • HTTP Method: ANY

      • Path Match: Prefix

        • Prefix: /

      • Headers

        • Click Add Item

    Header-Add

  1. In the Header to Match Form, fill in the following values:

    • Name: X-App-Version

    • Value: Exact

      • Exact: green

    Click Apply

    Header-Match

  1. You should now be back in the route add form that you started filling out in Step 9. In the Origin Pools section, click Add Item.

    Origin-Add

  1. In the Origin Pool with Weight and Priority form, add the green origin pool for your name-space. The origin pool should be named <name-space>/<name-space>-green-pool.

    Click Apply

    Green-Pool

  1. Click Apply to save the route

    Route-Apply

  1. Click Apply to apply the routes to the LB.

    Routes-Apply

  1. Click Save HTTP Load Balancer to save the LB config.

    LB-Save

Test and Verify:

  1. Go back to your UDF Web Browser tab. Find the student jump host component and expand ACCESS and select FIREFOX.

  1. This will open Firefox running inside a browser window. In the Firefox location bar, enter your LB domain name. The name format is https://<your-namespace>.lab-app.f5demos.com/

    Blue-App

Note

Notice that you are receiving the Blue version of the application

  1. To test routing via HTTP headers, a browser extension has been installed to modify the request headers. Click the Header Editor icon.

    Header-Editor

  1. Click the Manage icon.

    Header-Manage

  1. Expand the Green Rule list and move the slider to enable the Green rule. This rule adds a request header named X-App-Version with a value of green to any request going to a domain that ends in lab-app.f5demos.com.

    Green-Rule

Note

To view the rule click the magnifying glass icon.

  1. Go back to the Firefox browser tab that has the Blue application in it. Click the refresh button in Firefox to reload the web page. You should now see the Green version of the application.

    Refresh

    Green-App

Note

Make sure you are clicking the refresh button for the Firefox browser and not the parent browser that the Firefox browser is running in.

Cleanup - Disable the Header Rule

  1. In the Firefox menu bar, click on the Header-Editor icon.

Header-Editor

  1. Click the Manage icon.

    Header-Manage

  1. Expand the Green Rule list and move the slider to disable the Green rule. This rule adds a request header named X-App-Version with a value of green to any request going to a domain that ends in lab-app.f5demos.com.

    Green-Rule-Disable

Task 2: Deploy and apply WAF policy at the route level

This task will guide you through creating and applying a route policy for an F5 Distributed Cloud Load Balancer that makes routing decisions based on the URL path and also attaches a Web Application Firewall (WAF) policy to the route. This configuration can be useful if you have certain URL paths that require additional protection, for example a path that could contain customer data.

Configure a Path Route and Attach a WAF Policy

  1. Open the Distributed Cloud Console.

  1. If you are not already in the Web App & API Protection workspace, from the top navigation bar, select the Web App & API Protection workspace.

    Web-App-Dropdown

  1. In the navigation sidebar on the left, expand Manage, expand Load Balancers, and select HTTP Load Balancers.

    Manage-HTTP-LB

  1. Locate your HTTP Load Balancer in the list and click the ellipsis (three dots) under the Actions column. Select Manage Configuration. Your Load Balancer for this lab is named <your-namespace>-routing-https-lb.

    Manage-LB-Config

Note

If you don’t see an HTTP Load Balancer, make sure you are in the correct namespace.

  1. In the Load Balancer Configuration page, click Edit Configuration in the top right.

    Edit-LB-Config

  1. In the Load Balancer Edit Configuration page, scroll to the Routes section or click Routes in the left menu to jump to the routes section.

    Routes-Section

  1. Click Configure in the Routes configuration section.

    Routes-Edit-Config

  1. Click Add Item to add a route.

    Route-Add2

  1. In the resulting form, configure the route policy:

    • Route Type: Simple Route
      • HTTP Method: ANY

      • Path Match: Prefix

        • Prefix: /login

      • Origin Pools

        • Click Add Item

    Login-Prefix

  1. In the Origin Pool with Weight and Priority form, add the green origin pool for your-namespace. The origin pool should be named <your-namespace>/<your-namespace>-green-pool.

    Click Apply

    Green-Pool

  1. Back at the route add form, scroll down to the bottom of the form and click Configure in the Advanced Options section.

    Advanced-Options

  1. On the resulting form find the Request/Response Manipulation section. Select Enable Prefix Rewrite from the Enable Rewrite dropdown. In the Enable Prefix Rewrite field enter /.

    Rewrite

  1. Scroll down to the Security section and select App Firewall from the Web Application Firewall (WAF) dropdown. Select shared/app-block from the App Firewall dropdown. Then click Apply.

    WAF

  1. Click Apply.

    Apply-WAF-Route

  1. Click Apply.

    Routes-Apply2

  1. Click Save HTTP Load Balancer to save the LB config.

    LB-Save

Test and Verify:

  1. Go back to your FIREFOX instance that is running within a browser.

  1. In the Firefox location bar, enter your LB domain name. The name format is https://<your-namespace>.lab-app.f5demos.com/. You should see the blue version of the application.

    Blue-App

  1. To test routing via HTTP path, add /login to the URL. If everything worked correctly you should now see the green version of the application. The full URL should be https://<your-namespace>.lab-app.f5demos.com/login.

    Green-App-Login

  1. Verify the WAF policy was applied by adding ?cmd=cat /etc/passwd to the end of the URL. The full URL should look like: https://<your-namespace>.lab-app.f5demos.com/login/?cmd=cat /etc/passwd. When you hit enter you should now see a page saying The requested URL was rejected along with a support ID.

    WAF-Block

  1. Refresh your browser a few times. This will generate additional WAF logs that we will be using in lab 3.

  1. After you have refreshed the browser a few times, copy the support ID from the current Request Rejected page in FIREFOX.

    Support-ID

  1. Open your Distributed Cloud Management Console. Click on the AI Assistant icon in the top right corner.

    AI-Assistant

  1. At the prompt enter: Explain security event <Support-ID>, replacing <Support-ID> with the support ID you copied from the Request Rejected page.

    Explain-Event

  1. The AI Assistant will provide a detailed analysis for the specified Support-ID.

    Event-Analysis

Task 3: Deploy routes to modify application responses in transit

This task guides you through configuring a route for an F5 Distributed Cloud Load Balancer that makes routing decisions based on the URL path and adds a response header. This configuration can be used to set or remove headers that are utilized by the backend application.

Configure a Path Route and Add a Response Header

  1. Open the Distributed Cloud Console.

  1. If you are not already in the Web App & API Protection workspace, from the top navigation bar, select the Web App & API Protection workspace.

    Web-App-Dropdown

  1. In the navigation sidebar on the left, expand Manage, expand Load Balancers, and select HTTP Load Balancers.

    Manage-HTTP-LB

  1. Locate your HTTP Load Balancer in the list and click the ellipsis (three dots) under the Actions column. Select Manage Configuration. Your Load Balancer for this lab is named <your-namespace>-routing-https-lb.

    Manage-LB-Config

Note

If you don’t see an HTTP Load Balancer, make sure you are in the correct namespace.

  1. In the Load Balancer Configuration page, click Edit Configuration in the top right.

    Edit-LB-Config

  1. In the Load Balancer Edit Configuration page, scroll to the Routes section or click Routes in the left menu to jump to the routes section.

    Routes-Section

  1. Click Edit Configuration in the Routes configuration section.

    Routes-Edit-Config

  1. Find the path route we just added in Task 2 and click the ellipsis (three dots) under the Actions column. Select Edit

    Edit-Path

  1. Scroll to the Advanced Options section and click Edit Configuration.

    Advanced-Edit

  1. In the resulting form, scroll to the Add Response Headers section and click Add Item.

    Add-Response

  1. In the Headers to Add form, add the following:

    • Name: XC-Namespace

    • Value or Secret: Value

      • Value: $[namespace]

    Click Apply

    Response-Header

Note

XC has predefined header variables that you can use to insert dynamic content. XC-Header-Variables.

  1. Click Apply.

    Advanced-Apply

  1. Click Apply.

    Apply-WAF-Route

  1. Click Apply.

    Routes-Apply2

  1. Click Save HTTP Load Balancer to save the LB config.

    LB-Save

Test and Verify:

  1. Go back to your FIREFOX instance that is running within a browser.

  1. In the Firefox location bar, enter your LB domain name. The name format is https://<your-namespace>.lab-app.f5demos.com/login. You should see the green version of the application.

    Green-App-Login

  1. Click the three horizontal lines in the Firefox bar to open the application menu and then click More tools.

    More-Tools

  1. Click Web Developer Tools

    Web-Dev

  1. Click the Network tab and then click the Reload icon.

    Network-Reload

  1. Click on the GET request for the login file and then select Headers from the right tabs. Scroll through the Response Headers until you see the xc-namespace header. Notice that the value matches your namespace.

    Firefox-Header
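The Test and Verify steps of Tasks 1, 2 and 3 can also be run from a terminal with curl. The script below is an added example, not part of the original lab; the helper names, the embedded sample responses and the "support ID is:" wording it parses are assumptions.

```shell
#!/bin/sh
# Added example, not part of the lab: the three browser checks as curl calls.

# Succeeds if stdin is the rejection page from Task 2.
is_waf_block() { grep -q 'The requested URL was rejected'; }

# Prints the support ID from a rejection page on stdin.
# Assumption: the page words it as "support ID is: <id>".
support_id() { sed -n 's/.*support ID is: *\([0-9A-Za-z-]*\).*/\1/p' | head -n 1; }

# Prints the value of response header $1 (name compared case-insensitively)
# from a raw header block on stdin, as written by `curl -D -`.
header_value() {
  tr -d '\r' | awk -v want="$1" '
    /^$/ { exit }                                   # end of the header block
    { i = index($0, ":") }
    i && tolower(substr($0, 1, i - 1)) == tolower(want) {
      v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit }'
}

# Constructed samples so the helpers can be exercised offline.
SAMPLE_BLOCK_PAGE='<html><body>The requested URL was rejected.<br/>Your support ID is: 00000000-1111-2222-3333-444444444444<br/></body></html>'
SAMPLE_HEADERS=$(printf 'HTTP/1.1 200 OK\r\ncontent-type: text/html\r\nxc-namespace: example-ns\r\n\r\n')

# Live checks against the lab load balancer; $1 is your namespace.
verify_lab() {
  ns=$1; lb="https://${ns}.lab-app.f5demos.com"
  # Task 1: the same path with and without the routing header.
  blue=$(curl -sS "$lb/")
  green=$(curl -sS -H 'X-App-Version: green' "$lb/")
  [ "$blue" != "$green" ] && echo "Task 1: header route returned different content"
  # Task 2: the lab's test query on /login/, URL-encoded by curl.
  page=$(curl -sS -G --data-urlencode 'cmd=cat /etc/passwd' "$lb/login/")
  if printf '%s' "$page" | is_waf_block; then
    echo "Task 2: blocked, support ID $(printf '%s' "$page" | support_id)"
  fi
  # Task 3: the response header added on the /login route.
  got=$(curl -sS -o /dev/null -D - "$lb/login" | header_value xc-namespace)
  [ "$got" = "$ns" ] && echo "Task 3: xc-namespace header is $got"
  return 0
}

# Run the live checks only when a namespace is passed on the command line.
if [ "$#" -ge 1 ]; then verify_lab "$1"; fi
```

Run it with your namespace as the only argument; a check that does not pass prints nothing for that task.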

End of Lab 2

This concludes Lab 2. In this lab, you learned how to:

  • Configure an HTTP Load Balancer to route traffic based on HTTP header values. This configuration can be useful for canary testing.

  • Configure an HTTP Load Balancer to apply WAF policy based on URL path. This configuration can be used to apply different security measures based on URL path.

  • Configure an HTTP Load Balancer route to manipulate request or response parameters. This configuration can be used to apply or remove values that are utilized by the backend application or infrastructure.
