Lab 2: API Protection & Rate Limiting

In Lab 2 you will enable API Protection and Rate Limiting on selected endpoints.

This lab’s tasks will walk through the configuration steps and note additional configurations available.

Expected Lab Time: 25 minutes

Task 1: Attaching API Protection to Load Balancer Object

In this task’s series of steps you will enable the API Protection feature on the previously built Load Balancer object delivering the targeted API.

  1. In the left-hand navigation of the Web App & API Protection service, click on Load Balancers > HTTP Load Balancers under the Manage section.

    ../_images/shared-002.png
  2. In the resulting Load Balancers window, click on the three dots in the Action column, and then select Manage Configuration.

    ../_images/shared-003.png
  3. Click Edit Configuration in the top-right corner.

    ../_images/shared-004.png
  4. In the API Protection > API Protection Rules section, click the Configure link.

    ../_images/lab2-task1-004.png
  5. In the resulting API Protection Rules window, click Configure in the API Endpoints section.

    ../_images/lab2-task1-005.png
  6. Click Add Item in the API Endpoints window.

    ../_images/lab2-task1-006.png
  7. In the resulting window, input block-endpoint in the Name field of the Metadata section.

  8. In the Action area, click the drop-down arrow indicated and select Deny.

    ../_images/lab2-task1-007.png
  9. In the API Endpoint section, click on the API Endpoint input field as indicated.

  10. Select the See Suggestions link.

    ../_images/lab2-task1-008.png
  11. Select /api/CatLookup/GetAllCats from the available options provided.

    Note

    The available endpoints are provided by the swagger previously imported, or identified by API Discovery.

  12. In the HTTP Methods area, click in the Method List input field.

    ../_images/lab2-task1-009.png
  13. Select Any from the available methods provided.

    Note

    Multiple methods can be selected if needed.

    ../_images/lab2-task1-010.png
  14. Review the configuration and click the Apply button.

    ../_images/lab2-task1-011.png
  15. Review the API Endpoint deny rule and click the Apply button.

    ../_images/lab2-task1-012.png
  16. Note that API Protection Rules are now configured for the API Endpoints and click the Apply button.

    ../_images/lab2-task1-013.png
  17. Select Other Settings on the left, then click on Save and Exit at the bottom right of the window.

    ../_images/lab2-task2-009.png
  18. Using another browser tab, navigate to the following URL to confirm access is denied.

    Note

    Path/URI matching is case-sensitive. Make sure the exact case format is used as listed. Copy and paste the following Path/URI to ensure matching.

    http://<namespace>.lab-sec.f5demos.com/api/CatLookup/GetAllCats

    ../_images/lab2-task1-014.png
  19. Select Security Dashboard within the XC tab, scroll down and click on the <namespace>-lb load balancer name.

    ../_images/shared-005.png ../_images/shared-006.png
  20. Click on Security Analytics and observe the events. Expand the event details by clicking on the right arrow. Events with a response code of 403 will be present.

    Note

    Change the time range to 1 hour and make sure the page has been refreshed.

    ../_images/lab2-task1-015.png

    Note

    Detection information will be near the bottom of the event detail. api_sec_event will be listed with details regarding “api protection.”

Task 2: Attach API Rate Limiting to Load Balancer Object

In this task’s series of steps you will enable the API Rate Limiting feature on the previously built Load Balancer object delivering the targeted API.

  1. In the left-hand navigation of the Web App & API Protection service, click on Load Balancers > HTTP Load Balancers under the Manage section.

    ../_images/shared-002.png
  2. In the resulting Load Balancers window, click on the three dots in the Action column, and then select Manage Configuration.

    ../_images/shared-003.png
  3. Click Edit Configuration in the top-right corner.

    ../_images/shared-004.png
  4. Using the left-hand navigation, click the Common Security Controls link.

    ../_images/lab2-task2-001.png
  5. Locate the Rate Limiting area of the Common Security Controls and use the drop-down to select API Rate Limit.

    ../_images/lab2-task2-003.png
  6. In the expanded menu under Rate Limiting, click Configure in the API Endpoints area.

  7. In the resulting API Endpoints window, click Add Item.

    ../_images/lab2-task2-005.png
  8. In the resulting configuration window, select /api/DogLookup/GetAllDogs for API Endpoint input.

  9. Select ANY for Method input and then click the Apply button.

    ../_images/lab2-task2-006.png
  10. Review the API Endpoint rate limiting rule and click the Apply button.

    ../_images/lab2-task2-007.png
  11. Note the updated configuration for API Rate Limiting, click Other Settings on the left, then click on Save and Exit at the bottom right of the window.

    ../_images/lab2-task2-008.png ../_images/lab2-task2-009.png
  12. Using another browser tab, navigate to the following URL and refresh the tab several times to confirm rate limiting.

    Note

    Path/URI matching is case-sensitive. Make sure the exact case format is used as listed. Copy and paste the following Path/URI to ensure matching.

    http://<namespace>.lab-sec.f5demos.com/api/DogLookup/GetAllDogs

    ../_images/lab2-task2-010.png
  13. Select Security Dashboard within the XC tab, scroll down and click on the <namespace>.lab-sec.f5demos.com load balancer name.

    ../_images/shared-005.png ../_images/shared-006.png
  14. Click on Security Analytics and observe the events. Expand the event details by clicking on the right arrow. Events with a response code of 429 will be present.

    Note

    Change the time range to 1 hour and make sure the page has been refreshed.

    ../_images/lab2-task2-011.png

    Note

    Detection information will be near the bottom of the event detail. api_sec_event will be listed with details regarding “rate limiting.”
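The two browser checks in this lab (Task 1 step 18 for the 403 on GetAllCats and Task 2 step 12 for the 429 on GetAllDogs) can also be driven from a shell, which makes the verification repeatable and shows how many requests in a burst are actually rate limited. The script below is an added example, not part of this lab guide or of any F5 tooling. It assumes curl is installed and that NAMESPACE is exported with your lab namespace; the hostname and paths are the ones used in the lab, and the burst size of 30 is an arbitrary choice.

```shell
#!/bin/sh
# Added verification script for Lab 2 (not part of the lab guide or F5 product).
# Assumes: curl on PATH, NAMESPACE exported with your lab namespace.
# Without NAMESPACE the script only defines its helpers and prints usage.

# Fetch a URL and print only the HTTP status code.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Request a URL N times and print the status codes space-separated on one line.
probe() {
    url=$1; n=$2; codes=""
    i=0
    while [ "$i" -lt "$n" ]; do
        codes="$codes $(http_status "$url")"
        i=$((i + 1))
    done
    printf '%s\n' "${codes# }"
}

# Count how often a status code appears in a space-separated list of codes.
count_code() {
    want=$1; list=$2; n=0
    for c in $list; do
        [ "$c" = "$want" ] && n=$((n + 1))
    done
    echo "$n"
}

# True when the deny rule answered with 403.
deny_enforced() {
    [ "$1" = "403" ]
}

# True when at least one request in the burst was rate limited (429).
rate_limit_triggered() {
    [ "$(count_code 429 "$1")" -gt 0 ]
}

if [ -n "${NAMESPACE:-}" ]; then
    BASE="http://${NAMESPACE}.lab-sec.f5demos.com"

    # Task 1: the API Protection deny rule. Path matching is case-sensitive,
    # so the path is spelled exactly as it was selected in the rule.
    deny_code=$(http_status "$BASE/api/CatLookup/GetAllCats")
    if deny_enforced "$deny_code"; then
        echo "deny rule OK: GetAllCats returned 403"
    else
        echo "deny rule NOT enforced: GetAllCats returned $deny_code"
    fi

    # Task 2: the API Rate Limit rule. A burst of requests should start
    # returning 429 once the configured threshold is exceeded.
    burst=30
    codes=$(probe "$BASE/api/DogLookup/GetAllDogs" "$burst")
    echo "GetAllDogs responses: $codes"
    if rate_limit_triggered "$codes"; then
        echo "rate limit OK: $(count_code 429 "$codes") of $burst requests returned 429"
    else
        echo "rate limit NOT observed in $burst requests"
    fi
else
    echo "usage: NAMESPACE=<your-namespace> sh $0" >&2
fi
```

Run it as `NAMESPACE=<your-namespace> sh check-lab2.sh` (file name is your choice). The status codes are collected separately from the functions that interpret them, so the interpretation can be checked without the lab environment. How many of the 30 requests come back as 429 depends on the threshold configured for the rate limit, and 429s early in the burst may be left over from browser refreshes made just before running the script; either way the Security Analytics view in the XC console should show matching api_sec_event entries for both checks.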

This configuration highlights the elements needed to deploy API Discovery & Protection. This configuration can also be fully deployed and managed via the F5 Distributed Cloud API.

End of Lab 2: This concludes Lab 2. A Q&A session will begin shortly after conclusion of the overall lab.

../_images/labend3.png