Welcome to FY20 EMEA Forum breakout session
Publish and protect modern applications
Warning
For any remark or mistake in this lab, please send a Teams chat to Matthieu DIERICK.
Note
Contributors : Philippe Cloup, Nicolas Ménant, Fouad Chmainy
Intro - Understand the infrastructure and the workflow
Welcome to the Forum FY20 breakout demo “Publish and Protect Modern Applications”.
First of all, have a look at the PowerPoint deck.
This section covers the concept and the goals of the breakout.
- Audience:
  - DevOps
  - NetOps
- Goals:
  - Demonstrate NGINX and BIG-IP are part of the application lifecycle
  - Demonstrate NGINX and BIG-IP are fully integrated with the CI/CD pipeline
  - Demonstrate the new Controller 3.x capabilities and automation tool set
  - Demonstrate Declarative WAF
Workflow of the demo
- The demo is split into 4 steps:
  - Deploy and publish Arcadia Main App
  - Deploy and publish Money Transfer App
  - Deploy and publish Refer Friends App
  - Apply WAF policy
Step 1 - DevOps deploy Arcadia application
Note
Goal is to use the GUI in the NGINX Controller for our traditional customers. NetOps will configure the services (MainApp and BackEnd) manually.
Tasks:
- DevOps commit new code in GitLab in order to publish a brand new application “Arcadia Bank”
- GitLab fires a webhook on this commit and asks Jenkins to run a pipeline. This pipeline:
  - Deploys the Arcadia application in Kubernetes (Terraform)
  - Deploys nodeports in Kubernetes (but it could be KIC) (Terraform)
  - Deploys NGINX+ instances (ADC) in Docker, in front of this K8S cluster (Terraform)
  - Creates Gateways in NGINX Controller for each NGINX+ instance (Ansible)
  - Deploys an AS3 template to the front BIG-IP to publish the application publicly, without WAF (Ansible)
- NetOps create the ADC configuration in NGINX Controller in order to “route” traffic to the right K8S service
  - MainApp (/*) to service MainApp
  - BackEnd (/file*) to service BackEnd

Warning
At this stage, the first part of the application is published and can be accessed and demonstrated. We can see that the Money Transfer application is not there yet, and neither is Refer Friends.
Step 2 - DevOps deploy Money Transfer application
Note
Goal is to demonstrate NGINX Controller has a REST API to configure objects. NetOps will configure the service (Money Transfer) via REST API.
Tasks:
- DevOps commit new code in GitLab in order to publish the second part of the Arcadia Bank website. This new application allows money transfer between friends.
- GitLab fires a webhook on this commit and asks Jenkins to run a pipeline. This pipeline:
  - Deploys the Money Transfer application in Kubernetes (Terraform)
  - Deploys nodeports in Kubernetes (Terraform)
- NetOps use the REST API to publish this new app on NGINX+ instances

Warning
At this stage, the Money Transfer application is published and can be accessed and demonstrated.
Step 3 - DevOps deploy Refer Friends application
Note
Goal is to demonstrate NGINX Controller can be part of the application lifecycle and CI/CD. NetOps don’t configure anything.
Tasks:
- DevOps commit new code in GitLab in order to publish the third and last part of the Arcadia Bank website. This new application allows a customer to refer friends with their email address.
- GitLab fires a webhook on this commit and asks Jenkins to run a pipeline. This pipeline:
  - Deploys the Refer Friends application in Kubernetes (Terraform)
  - Deploys nodeports in Kubernetes (Terraform)
  - Configures all components in NGINX Controller (Ansible)

Warning
At this stage, the Refer Friends application is published and can be accessed and demonstrated. The Arcadia Bank website is finished, but not yet secured.
Step 4 - NetOps/SecOps publish WAF policy to protect Arcadia application
Note
Goal is to demonstrate BIG-IP Advanced WAF has a Declarative API interface to push WAF policies.
Task:
- NetOps run a Jenkins pipeline that will push a new AS3 declaration with a WAF policy built by SecOps
Warning
At this stage, the Arcadia Bank website is published and secured.
Demo - Run the demo in UDF
In this section, I demonstrate all the steps to deliver the demo.
Step 1 - DevOps deploy Arcadia Application
In this module, we will deploy the 2 main containers for the Arcadia Bank application and we will publish them.
Note
At the end of this module, Arcadia Bank application will look like this.

Warning
Object names are case sensitive; enter all objects below exactly as shown.
- Application name: app_webapp
- Components:
  - cp_mainapp:
    - Ingress URI: http://www.arcadia-finance.io/
    - Workload: wl_mainapp
  - cp_back:
    - Ingress URI: http://www.arcadia-finance.io/files/
    - Workload: wl_backend
Video of this module :
Step 2 - DevOps deploy Money Transfer application
In this module, we will deploy the Money Transfer container for the Arcadia Bank application and we will publish it.
Note
At the end of this module, Arcadia Bank application will look like this.

Video of this module :
Step 3 - DevOps deploy Refer Friends Application
In this module, we will deploy the Refer Friends container for the Arcadia Bank application and we will publish it.
Note
At the end of this module, Arcadia Bank application will look like this.

Video of this module :
Step 4 - Protect Arcadia Application
In this module, we will deploy a WAF policy to protect the Arcadia Bank application and we will publish it.
Note
We use the new v15.1 Declarative WAF policy. You can retrieve the JSON Policy in the GitLab repo and below.
{
    "policy": {
        "name": "policy-fund-1",
        "description": "Policy Example - Rapid Deployment",
        "template": {
            "name": "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
        },
        "enforcementMode": "blocking",
        "server-technologies": [
            {
                "serverTechnologyName": "MySQL"
            },
            {
                "serverTechnologyName": "Unix/Linux"
            },
            {
                "serverTechnologyName": "MongoDB"
            }
        ],
        "signature-settings": {
            "signatureStaging": false
        },
        "policy-builder": {
            "learnOnlyFromNonBotTraffic": false
        }
    }
}
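A pre-push check for the declarative policy above, as an added example that is not part of the lab's GitLab repo or Jenkins pipeline: it fails the gate when the policy would be pushed in a non-blocking state. The names lint_waf_policy, gate, REQUIRED_TECH and WEAK_POLICY are assumptions, as is treating a missing signatureStaging key as staged.

```python
import json

# Copy of the lab policy shown above, embedded so the check runs offline.
LAB_POLICY = json.loads("""
{"policy": {"name": "policy-fund-1",
  "description": "Policy Example - Rapid Deployment",
  "template": {"name": "POLICY_TEMPLATE_RAPID_DEPLOYMENT"},
  "enforcementMode": "blocking",
  "server-technologies": [{"serverTechnologyName": "MySQL"},
                          {"serverTechnologyName": "Unix/Linux"},
                          {"serverTechnologyName": "MongoDB"}],
  "signature-settings": {"signatureStaging": false},
  "policy-builder": {"learnOnlyFromNonBotTraffic": false}}}
""")

# Constructed weak variant: transparent mode, signatures left in staging.
WEAK_POLICY = json.loads(json.dumps(LAB_POLICY))
WEAK_POLICY["policy"]["enforcementMode"] = "transparent"
WEAK_POLICY["policy"]["signature-settings"]["signatureStaging"] = True

# Assumption: the technologies this gate expects the policy to declare.
REQUIRED_TECH = {"MySQL", "Unix/Linux", "MongoDB"}


def lint_waf_policy(doc, required_tech=REQUIRED_TECH):
    """Return a list of findings; an empty list means the policy passes."""
    policy = doc.get("policy")
    if not isinstance(policy, dict):
        return ["missing top-level 'policy' object"]
    findings = []
    if not policy.get("template", {}).get("name"):
        findings.append("no policy template referenced")
    mode = policy.get("enforcementMode")
    if mode != "blocking":
        findings.append(f"enforcementMode is {mode!r}, violations are not blocked")
    # Assumption: a missing signatureStaging key is treated as staged.
    if policy.get("signature-settings", {}).get("signatureStaging", True):
        findings.append("signatureStaging is not disabled, staged signatures do not block")
    declared = {t.get("serverTechnologyName")
                for t in policy.get("server-technologies", [])}
    for tech in sorted(required_tech - declared):
        findings.append(f"server technology not declared: {tech}")
    return findings


def gate(doc):
    """True when the pipeline may push the policy."""
    return not lint_waf_policy(doc)
```

Run as a pipeline stage before the AS3 push, gate() lets the lab policy through and stops the weak variant with two findings.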
Video of this module :