F5 Distributed Cloud > F5 Distributed Cloud 101 - WAF/WAAP Deployment Models Source | Edit on
2. Lab 1: Protecting a Public Endpoint¶
During this lab you will be introduced to creating a WAF policy in F5 Distributed Cloud and using that policy to protect your lab resource that is a “Public Endpoint” in AWS (webserver with an EIP).
2.1. Task 1. Create WAF Policy¶
F5 Distributed Cloud WAF shares the same WAF engine that is used by F5 BIG-IP WAF and F5 NGINX App Protect.
The F5 Distributed Cloud WAF engine provides preset categories of rules to protect your web applications, provides the ability to run in a monitor or blocking mode, prevent false positives by excluding individual rules, IP addresses, or web application paths
In the next exercise you will configure a basic WAF policy
2.1.1. Exercise 1: Create WAF Policy¶
We will create a blocking WAF policy.
Start in F5 Distributed Cloud Console and switch to the “Web App & API Protection” context.
It can be access either from the main Home page…
…or via the “Select Service” menu on the top left corner of any other page:
Ensure you are in the proper namespace (an adjective-animal combination) and not the default namespace. It is ok if you do not see your namespace as you will be defaulted to it as seen in your URI path as in the Introduction section.
Navigate the menu to go to “Manage”->”App Firewall”. Click on Add App Firewall.
Enter the following variables:
Variable Value Name blocking-app-firewall Enforcement Mode Blocking In this mode we change the policy to block attacks that are included in the default policy. Later we will look at how we can customize these settings.
Click the Save and Exit button to create the policy
2.1.2. Video Walkthrough¶
Optional Video you can watch if you get stuck
Note that each of the videos will start at a specific timestamp.
The entire video is 10 minutes total from start to finish.
2.2. Task 2. Create Origin Pools¶
Before we create an HTTP load balancer to expose our services on the internet, we’ll define “Origin Pools” for our application’s services.
This initial Origin Pool will use the Public DNS record of our target webserver to locate the IP address of the Origin Pool members. This is an example of using the Public Internet to route traffic to our services. In later examples we will look at routing traffic via AppMesh to our services.
2.2.1. Exercise 1: Create Public Origin Pool¶
We will first create an Origin Pool that refers to the “Public Endpoint” site in our lab environment.
Start in F5 Distributed Cloud Console and switch to the “Web App & API Protection” context. [You should already be here from previous task]
Navigate the menu to go to “Manage”->”Load Balancers”->”Origin Pools”. Click on Add Origin Pool.
Enter the following variables:
Variable Value Name public Click on “Add Item” under the section “Origin Servers”
Enter the following variables:
Variable Value Select Type of Origin Server Public DNS Name of Origin Server [default] DNS Name public.lab.f5demos.com Click on “Apply” to return to the previous screen.
Below the “Origin Servers” section fill in the Port information
Variable Value Port 80 In Health Check(s) section, click the Add Item button.
Click the Health Check object dropdown list. Click the Add Item button.
In the Metadata section, enter the following variables:
Variable Value Name http Click the View Configuration link under “HTTP Health Check” and enter the following variables (“/” is the default):
Variable Value path / Click Apply to exit the “Health Check HTTP Request Parameters” dialogue.
Click Continue to return to the “Origin Pool” configuration.
Click the Save and Exit button to create the Origin Pool.
2.3. Task 3. Creating HTTP Load Balancer on F5 Distributed Cloud Regional Edge¶
In this exercise we will be creating a “Global VIP” that will exist on the F5 Distributed Cloud Global Network.
It will protect a public resource that exists in the lab’s AWS Lab Environment.

2.3.1. Exercise 1: HTTP Load Balancer Configuration¶
Start in F5 Distributed Cloud Console and switch to the “Web App & API Protection” context. [You should already be here from previous task]
Navigate the menu to go to “Manage”->”Load Balancers” -> “HTTP Load Balancers” and click on “Add HTTP Load Balancer”.
Enter the following variables:
Variable Value Name global Domains [YOUR-NAMESPACE].lab-sec.f5demos.com Select type of Load Balancer HTTP Automatically Manage DNS Records Yes/Check
2.3.2. Exercise 2: Configure Default Origin Server¶
We’ll next configure the “Default Origin Servers”.
Click on the Add Item link in the Origin Pools section.
The “Select Origin Pool Method” will be set to “Origin Pool”. Under the “Origin Pool” dropdown menu select the “public” pool you created earlier.
Click the Apply button to exit the “Origin Pool with Weight and Priority” dialogue.
Notice that in the “Other Settings” section, Internet has been selected by default for “VIP Advertisement”.
2.3.3. Exercise 3: Configure WAF Policy¶
Under the Web Application Firewall section
Choose the following options:
Variable Value Web Application Firewall (WAF) Enable Select App Firewall [NAMESPACE]/blocking-app-firewall Click “Save and Exit to create the HTTP Load Balancer.
Once the HTTP Load Balancer has been deployed, you should now be able to go to the DNS name that you entered previously in a web browser. The FQDN we used in our example is http://stable-sheep.lab-sec.f5demos.com. Your FQDN should follow the format of [unique name].[supplied domain name for your tenant].
Note
If you are having challenges connecting to the “f5demos.com” name you can also try connecting to the “ves.io” name.
2.3.4. Exercise 4: Verify Configuration¶
The public demo app should look like the following:

In this topology we are sending traffic to an AnyCast IP that is hosted in F5 Distributed Cloud’s Regional Edge.
We then connect to the AWS resource via it’s Public IP address.
Try adding the following to the URL “/?cat%20/etc/passwd”.
You should see a block page.

2.3.5. Exercise 5: Performance and Security¶
Start in F5 Distributed Cloud Console and switch to the “Web App & API Protection” context. [You should already be here from previous lab]
We can view details of successful requests and blocks by navigating to “Virtual Hosts”
Click on “Select service” and select “Load Balancers”. Click “Virtual Hosts”->”HTTP Load Balancers” and click on your “global” Load Balancer
You will see a health score of your application as well as end to end latency of the connection.
Click on “Requests” in the upper page navigation
You should be able to view logs for individual requests.
Click on the “Performance Monitoring” dropdown and select “Security Monitoring”.
Click on “Security Events” You will be able to see details of the security events.
Clicking on the arrow to the left of a security event will expand the details.
Next we will demonstrate how we can securely connect to your private AWS resources via a AppMesh node.
2.3.6. Video Walkthrough¶
Optional Video you can watch if you get stuck