3.4. Deploy AS3 declarations with F5 VS Code Extension

3.4.1. Connect to BIG-IPs

  1. Go to the BIG-IP #1 TMUI. Notice that it is in the Standby state. Leave it as is for now.

  2. Navigate to Local Traffic > Virtual Servers. There should be no virtual servers configured.

  3. Click on the Partition drop-down list at the top-right of the TMUI. Notice that there are two administrative partitions: Common and LOCAL_ONLY.

    Common is the default partition. LOCAL_ONLY is a special partition that was created during the onboarding process to hold configuration that is unique to each BIG-IP; objects in it will not be synchronized.

    BIG-IP #1

    BIGIP management GUI no config

    BIG-IP #2

    BIGIP management GUI no config

3.4.2. Create HTTP Virtual Servers with AS3 and Service Discovery

  1. Switch to the VS Code window and ensure that you are in the file Explorer view.

  2. Close the as3check_makehttprequest.json and any untitled-n tabs.

  3. Navigate to the ATC/AS3 folder and open the Step1_as3_AWS_Autodiscovery.json file.

  4. In the window with the JSON declaration, select all of the text. Scroll down and you will see that we are configuring AS3 to look for tagged AWS EC2 instances to add to the pool.

    load JSON file

  5. Select all of the text and right click. Then, select Post as AS3 Declaration.

    POST as AS3 declaration

    As the extension waits for AS3 to validate and apply the declaration, you will see the following:

    Posting Declaration

    A new panel will open with the response from AS3. Here you can see that all sections of the declaration were successful. Below the highlighted area is the declaration that you submitted.

    Successful deployment

    Hint

    If needed, you can resize the VS Code Console/Terminal panel by grabbing the top edge and dragging it down.


  6. In the TMUI of both BIG-IP devices, confirm the creation of:

    • A new BIG-IP administrative partition (AS3 tenant named Example01)
    • Two new virtual servers in the Example01 partition
    • A new Pool (with two pool members) in the Common partition

    Note

    Since configuration sync was enabled as part of the BIG-IP onboarding, you will see the same configuration on both BIG-IP instances.


    BIG-IP #1

    BIGIP management GUI partition verification

    BIGIP management GUI shared pool verification

    BIGIP management GUI VS verification

    BIG-IP #2

    BIGIP management GUI partition verification

    BIGIP management GUI shared pool verification

    BIGIP management GUI VS verification

3.4.3. Enable HTTP/2 with AS3

By default, BIG-IP uses HTTP/1.1. In this section, you will enable HTTP/2, which is a more modern protocol version.

  1. Close the Step1_as3_AWS_Autodiscovery.json and untitled-1 file tabs.

  2. Open Step2_as3_HTTPS_ModernProtocols_Autodiscovery.json, select all of the text, right click, and then select POST as AS3 Declaration.

    load JSON file

    POST as AS3 declaration

    Posting Declaration

  3. When successful, the BIG-IP will return a status code of 200 and a message of SUCCESS.

    Successful deployment

  4. In the TMUI of both BIG-IP devices, confirm the following:

    • Two HTTPS virtual servers were created, each with an HTTP/2 Profile (Client) attached
    • Two HTTP redirect virtual servers were created

  5. Now, you will verify connectivity to the HTTPS application and examine the ciphers used.

    • Open the web browser and navigate to the IP address vip1_public_ip (refer to terraform output if needed).
    • Use the web browser’s developer tools to see the ciphers in use.

  6. Click on the Network tab.

  7. Right-click on the Name column header and select the Protocol field to add it to the table.


  8. You should see h2 in the Protocol column. This confirms that the connection was made using the HTTP/2 protocol.

3.4.4. Adding ECDSA certificates to the application

Elliptic Curve Cryptography (ECC) provides strong security with smaller key sizes than traditional RSA cryptography. ECC is also more computationally efficient, which is better for use with mobile devices. You will now apply ECDSA certificates to your application virtual servers.

  1. Close the previous AS3 declaration and the untitled-1 file tabs.

  2. Open Step3_as3_ecdsaCerts_Autodiscovery.json and select all of the text.

    load JSON file

  3. Right click and select POST as AS3 Declaration.

    POST as AS3 declaration

    Posting Declaration

  4. In the TMUI of both BIG-IP devices, confirm the following:

    • Two ECDSA certificates were created (System > Certificate Management > Traffic Certificate Management > SSL Certificate List)
    BIGIP management GUI ECDSA certificates

  5. On the example app web page, use Developer tools to verify that you see the ECC ciphers (ECDHE_RSA with P-256) in use.

    BIGIP management GUI shared pool verification

    BIGIP management GUI http2 verification
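
A scripted counterpart to the browser checks in 3.4.3 (h2 in the Protocol column) and 3.4.4 (ciphers in use), added here as an example and not part of the original lab files. It offers h2 through ALPN and reports the negotiated protocol, key exchange and certificate authentication algorithm. The function names, the command-line argument and the sample values are assumptions made for this illustration.

```python
import socket
import ssl
import sys

def classify(tls_version, cipher_name, alpn):
    """Interpret what a handshake negotiated (OpenSSL-style suite names)."""
    result = {"http2": alpn == "h2", "tls": tls_version, "kex": None, "auth": None}
    if cipher_name.startswith("TLS_"):
        # TLS 1.3 suite names carry no key-exchange or signature algorithm:
        # the exchange is always ephemeral, and auth is decided by the certificate.
        result["kex"] = "(EC)DHE"
        return result
    parts = cipher_name.split("-")
    if parts[0] in ("ECDHE", "DHE"):
        result["kex"] = parts[0]
        result["auth"] = parts[1] if parts[1] in ("ECDSA", "RSA", "DSS", "PSK") else None
    else:
        # e.g. AES128-GCM-SHA256: static RSA key exchange, no forward secrecy
        result["kex"] = result["auth"] = "RSA"
    return result

def probe(host, port=443, cafile=None, verify=True, max_tls12=False):
    """Handshake with the virtual server, offering h2 then http/1.1 via ALPN."""
    ctx = ssl.create_default_context(cafile=cafile)
    if not verify:
        # A lab VIP reached by IP with a self-signed certificate fails
        # validation; switch it off only for such a throwaway lab target.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if max_tls12:
        # Cap at TLS 1.2 so the suite name shows ECDSA vs RSA authentication.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return classify(tls.version(), tls.cipher()[0],
                            tls.selected_alpn_protocol())

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Pass the vip1_public_ip value from the lab as the first argument.
        print(probe(sys.argv[1], verify=False, max_tls12=True))
    else:
        # Constructed sample values, not captured from the lab.
        print(classify("TLSv1.2", "ECDHE-ECDSA-AES128-GCM-SHA256", "h2"))
```

Run it before and after posting each declaration to see the ALPN result and the suite change without opening the browser.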