Lab 1: API Discovery


If you are using multiple labs in one course, understand that some steps below may be redundant depending on labs deployed. To gain full benefits from this lab, please delete any objects created in your prior lab and continue with this lab as all necessary objects will be recreated.

The following labs focus on the deployment and securing of an existing hosted API using F5 Distributed Cloud Platform and Services. This lab will be deployed in a SaaS only configuration with no on-premises (public or private cloud) elements. All configurations will be made via the F5 Distributed Cloud Console and within the F5 Distributed Cloud Global Network services architecture.

For the tasks that follow, you should have already noted your individual namespace. If you failed to note it, return to the Introduction section of this lab, follow the instructions provided and note your namespace accordingly. The Delegated Domain and the F5 Distributed Cloud Tenant are listed below for your convenience as they will be the same for all lab attendees.

Following the tasks in the prior Introduction Section, you should now be able to access the F5 Distributed Cloud Console, having set your Work Domain Roles and Skill levels. If you have not done so already, please login to your tenant for this lab and proceed to Task 1.

In Lab 1 you will create an Application Load Balancer, import and apply an API Definition, and enable Discovery.

Expected Lab Time: 25 minutes

Task 1: Configure Load Balancer and Origin Pool

The following steps will allow you to deploy and advertise a globally available API. These steps will define an application, register its DNS and assign a target as an origin.

  1. In the top left, click the F5 ball and navigate to the Web App & API Protection Tile.

  2. In the left-hand navigation expand Manage and click Load Balancers > HTTP Load Balancers

  3. In the resulting screen click the Add HTTP Load Balancer in the graphic as shown.



    You have defaulted to your specific namespace as that is the only namespace to which you have administrative access.

  4. Using the left-hand navigation and in the sections as shown, enter the following data. Where <namespace> appears in a value, use the name of your given namespace.

    • Metadata:Name ID: <namespace>-lb

    • Basic Configuration: List of Domains: <namespace>

    • Basic Configuration: Select Type of Load Balancer: HTTP

    • Basic Configuration: Automatically Manage DNS Records: (Check the checkbox)

    • Basic Configuration: HTTP Port: 80

  5. In the current window’s left-hand navigation, click Origins. In the adjacent Origins section, under Origin Pools, click Add Item.

  6. In the resulting window, use the drop down as shown and click Add Item.

  7. In the resulting window, enter <namespace>-pool in the Name field and click Add Item under Origin Servers as shown.

  8. In the resulting window, Public DNS Name of Origin Server should be selected for Select Type of Origin Server.

  9. In the DNS Name field enter the following hostname: and then click Apply

  10. After returning to the prior window, make sure Port: within the Origin Servers section, under Origin Server Port is configured for 80.

  11. Leave all other values as shown, scroll to the bottom and click Continue.

  12. After returning to the next window and confirming the content, click Apply.

  13. After returning to the HTTP Load Balancer window, select Other Settings on the left then click on Save and Exit at the bottom right of window.

  14. Using another browser tab, navigate to the following URL to confirm the Load Balancer has been configured properly.



Task 2: Swagger File Import & Version Control

In this task’s series of steps you will import swagger files into the F5 Distributed Cloud tenant and explore version control features.

  1. For the next series of steps, download the JSON/OpenAPI spec file app-api-v1.json to your local desktop or workspace.


    Depending on browser, you may need to copy content and save as **app-api-v1.json**

  2. In the top left, click the F5 ball and navigate to the Web App & API Protection Tile.

  3. In the left-hand navigation, click on Files under the Manage section.

  4. Click Add Swagger File in the main window area as shown. Alternatively, the link near the top of the window can also be used.


    If you receive an error when clicking on “Add Swagger File” located at the center of the window, click “Add Swagger File” at the top of the same window.

  5. In the resulting New Swagger File window, input app-api for the Name under the Metadata section.

  6. In the Upload Swagger File section, click the Upload File button. Select the file downloaded in Step 1 above and click Open.

  7. Observe that the file app-api-v1 is present and then click Save and Exit.

  8. In the resulting Swagger Files window, you will see the upload file with additional metadata.


    You will also see a dialogue box in the bottom left of your screen indicating the file has been successfully added.


Task 3: Swagger Definition

In this task’s series of steps you will establish the Swagger Definition which serves as an object pointer to imported swagger files you just uploaded.

  1. In the left-hand navigation of the Web App & API Protection service, click on API Management under the Manage section and then click API Definition.

  2. In the resulting API Definition window, click Add API Definition in the main window area as shown.

  3. In the resulting New API Definition window, input app-api-spec for the Name under the Metadata section.

  4. In the Swagger Specs section, click Add Item box in the Swagger Specs column.

  5. Select the version 1 of the previously uploaded swagger spec file. It will be in the format <namespace>/app-api/v1-<current-date>.

  6. Once selected, click Save and Exit in the bottom-right corner.


Task 4: Enabling API Inventory and Discovery

In this task’s series of steps you will enable the API Inventory and Discovery feature on the previously built Load Balancer object delivering the targeted API.

  1. In the left-hand navigation of the Web App & API Protection service, click on Load Balancers > HTTP Load Balancers under the Manage section.

  2. In the resulting Load Balancers window, click on the three dots in the Action column, and then select Manage Configuration.

  3. Click Edit Configuration in the top-right corner.

  4. Click API Protection in the left-hand navigation.

  5. In the API Protection section, click the drop-down arrow next to API Definition and select Enable.

  6. In the second API Definition section, click the drop-down arrow and select the previously created API Definition <namespace>/app-api-spec.

  7. Under Validation, select API Inventory from the drop-down, then click on View Configuration.

  8. Within API Inventory validation, update Request Validation Enforcement Type to Block. Click on Apply at the bottom right.

  9. In the API Protection section, click the drop-down arrow next to API Discovery and select Enable.

  10. Select Other Settings on the left then click on Save and Exit at the bottom right of window.

  11. Using another browser tab, navigate to the following URL to confirm cat details.


  12. Using the same tab, update the URI parameter from age=5 to age=five and confirm the request has been blocked.


    Path/URI matching is case-sensitive. Make sure the exact case format is used as listed. Copy and paste the following Path/URI to ensure matching.




    This request was blocked due to the uploaded swagger defining the parameter type as “integer” for this endpoint.

  13. Select Security Dashboard within the XC tab, scroll down and click on the <namespace>-lb load balancer name.

  14. Click on Security Analytics, observe the event. Expand event details by clicking on the right arrow. Events with the response code of 403 will be present.


    Change time to 1 hour, and make sure the page has been refreshed



    Detection information will be near the bottom of the event detail. api_sec_event will be listed with the following detail, “Request Query Parameter Violation, an invalid integer”.
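
The check exercised in steps 11 and 12 of Task 4, sketched as an added example (not part of the original lab and not F5's implementation): a request is matched against the imported definition by exact path, then each query parameter is checked against its declared type. The path /example/Cats, the host lb.example and the spec fragment are constructed for illustration; only the integer typing of age comes from the lab, and what the platform does with a path that matches nothing is not modelled here.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed spec fragment (NOT the lab's app-api-v1.json). The path is
# hypothetical; only "age is an integer query parameter" comes from the lab.
SPEC = {
    "paths": {
        "/example/Cats": {
            "get": {
                "parameters": [
                    {"name": "age", "in": "query", "required": True,
                     "schema": {"type": "integer"}},
                ]
            }
        }
    }
}


def is_integer(value):
    """True for an optional sign followed by ASCII digits only."""
    digits = value[1:] if value[:1] in ("+", "-") else value
    return digits.isascii() and digits.isdigit()


def validate(method, url):
    """Return (action, reason); "block" corresponds to the lab's 403."""
    parts = urlsplit(url)
    # Exact string lookup, so "/example/cats" does not match "/example/Cats".
    operation = SPEC["paths"].get(parts.path, {}).get(method.lower())
    if operation is None:
        return ("unmatched", "no operation in the definition for this path")
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    for param in operation["parameters"]:
        if param["in"] != "query":
            continue
        name, value = param["name"], query.get(param["name"])
        if value is None:
            if param.get("required"):
                return ("block", f"missing required query parameter {name}")
            continue
        if param["schema"]["type"] == "integer" and not is_integer(value):
            return ("block", f"query parameter {name}: invalid integer {value!r}")
    return ("forward", "request conforms to the definition")


if __name__ == "__main__":
    for u in ("/example/Cats?age=5", "/example/Cats?age=five", "/example/cats?age=five"):
        print(u, "->", validate("GET", "http://lb.example" + u))
```

The third sample URL differs from the first only in the case of the path, which is why it is never type-checked at all.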

End of Lab 1: This concludes Lab 1, feel free to review and test the configuration. A brief presentation and demo will be shared prior to the beginning of Lab 2.