Add an LB and WAF to a Hub and Spoke VCN Routing Architecture

From Iwan

This tutorial will guide you through the steps necessary to deploy and configure a load balancer with a Web Application Firewall (WAF) in OCI, highlighting how this will operate in a Hub and Spoke VCN Routing environment.

This tutorial will use the previously written tutorials below as its main foundation:

  1. [Deploy a Windows Instance in Oracle Cloud Infrastructure]
  2. [Install a pfSense Firewall in Oracle Cloud Infrastructure]
  3. [Route Hub and Spoke VCN with pfSense Firewall in the Hub VCN]
  4. [Connect On-premises to OCI using an IPSec VPN with Hub and Spoke VCN Routing Architecture]

Please make sure you go through the tutorials above first if you want to recreate the content in this tutorial.

The Steps

  • STEP 01: Review the current Hub and Spoke Network Architecture
  • STEP 02: Configure Routing in the Hub and Spoke Network Architecture between the WAF/LB, the Hub Firewall and the Spoke Back-Ends
  • STEP 03: Install a web server on the back-end servers
  • STEP 04: Create or modify a web page on the back-end servers
  • STEP 05: Install an OCI Load Balancer
  • STEP 06: Install/Configure an OCI Web Application Firewall
  • STEP 07: Test the WAF/LB connectivity and WAF Security.

The traffic flows are illustrated in the pictures below.

External to Spoke connectivity using the LB + WAF

STEP 01 - Review the current Hub and Spoke Network Architecture

Our starting point for this tutorial will be that we will have:

  • 1 x Hub VCN (with a firewall, internet gateway, NAT Gateway, and a Service Gateway)
  • 3 x Spoke VCNs
  • 1 x ON-PREM attached with an IPSEC VPN Connection

In the Hub VCN, we have a Windows Stepstone Instance (a jump host) that we can use to connect to the Spoke Instances. Each spoke will have one Instance that will be configured as a web server; these instances will be used as the endpoints (backends) for the load balancer that we deploy in this tutorial.

The picture below illustrates the starting point.

STEP 02 - Configure Routing in the Hub and Spoke Network Architecture between the WAF and LB, the Hub Firewall and the Spoke Back-Ends

The picture below illustrates the current Hub and Spoke Network Architecture with all the Security lists and Routing tables shown in the picture.

Before we add the Load Balancer we want to make sure that traffic coming FROM the Load Balancer (subnet) is routed TO the Hub Firewall, so that the traffic can be inspected on the Hub Firewall before it is sent on to the Spoke Instances. While we already have a default routing rule doing this, it is still best practice to add this rule explicitly, as we did for the other networks.

To add in the routing rule:

  1. Browse to Networking > Virtual Cloud networks > Virtual Cloud network details.
  2. Click on Route Tables.

  1. Select the VCN_HUB_RT_DRG_TRANSIT route table.

  • Click on the Add Route Rules button.

  1. Select Private IP as the target type.
  2. Specify CIDR Block as the Destination Type.
  3. Type in 0.0.0.0/0 for the Destination CIDR Block.
  4. Type in 172.16.0.20 for the Target Selection (This is the IP address of our pfSense Firewall).
  5. Click on the Add Route Rules button.

  • Notice that the 172.16.0.128/25 route is now added to the VCN_HUB_RT_DRG_TRANSIT route table.

The picture below illustrates the current Hub and Spoke Network Architecture with all the Security lists and Routing tables (including the update we just made) shown in the picture.

STEP 03 - Install a web server on the back-end servers

Next, we are going to install an NGINX web server on all the Instances in the Spoke VCNs. In [this tutorial (on step 6)] I explain how to install an NGINX web server on an Oracle Linux Instance.

STEP 04 - Create or modify a web page on the back-end servers

By default, each web server will be configured with a default web page. To track where our Load Balancer redirects the traffic to it is good practice to change something on the webpage so you know what server is hit.

We can do this by changing the content of the default NGINX index.html file.

sudo nano /usr/share/nginx/html/index.html

For Instance-A change the header to something like this:

<h1>Welcome to nginx! This is INSTANCE-A</h1>

For Instance-B change the header to something like this:

<h1>Welcome to nginx! This is INSTANCE-B</h1>

For Instance-C change the header to something like this:

<h1>Welcome to nginx! This is INSTANCE-C</h1>

Make sure you save the index.html files after changing them.

STEP 05 - Install an OCI Load Balancer

Before we create the Load Balancer (LB) we first need to ALLOW port TCP/80 INGRESS on the Hub VCN Security List. All the traffic (including the traffic coming from the Load Balancer in the Public Subnet of the Hub VCN) is routed to the HUB Firewall. The instances that the Load Balancer is going to use as endpoints are listening on port TCP/80. For this reason, we also need to allow port TCP/80 Ingress on the Hub VCN, so that the Private Subnet (in the Hub VCN) where the traffic is routed also allows the communication towards the Spoke VCNs.

  1. Click on the hamburger menu in the upper left corner of the OCI console.
  2. Click on Networking.
  3. Click on Virtual cloud networks.

  1. Make sure you are in the Virtual cloud network section.
  2. Click on the HUB-VCN VCN.

  • Click on Security Lists.

  • Click on the Default Security List for HUB-VCN.

  1. Make sure you are in the Ingress section.
  2. Click on the Add Ingress Rules button.
  3. Add in a Security Rule that TCP/80 is allowed from the source 172.16.0.128/25 to ALL destinations.

Note

We are using the Default Security List that is applied to the HUB-VCN and therefore applied to all separate Subnets inside this HUB-VCN.

This also means that traffic going from the Public Subnet towards the Private Subnet inside the HUB-VCN is also subject to this Default Security List as the SAME Default Security List is applied to BOTH subnets.

For this reason we are allowing port TCP/80 Ingress: if we do not, the Load Balancer is not able to communicate with the back-end servers, because all the traffic is sent from the Public Subnet to the Private Subnet (we are using a Hub-and-Spoke architecture with a Firewall inside the Private Subnet of the HUB-VCN).

Below you will see a visual representation of what you have created so far with the security rule added.

  • Now let's create the Load Balancer (LB).
  1. Click on the hamburger menu in the upper left corner of the OCI console.
  2. Click on Networking.
  3. Click on Load Balancer.

  • Click on the Create load balancer button.

  1. Provide a name for the Load Balancer.
  2. Select Public for the visibility type.
  3. Assign an Ephemeral IP address.
  4. Scroll down.

  • Leave everything default, and scroll down.

  1. Select the VCN where you want to attach the Load Balancer.
  2. Select the Subnet where you want to attach the Load Balancer.
  3. Click on the Next button.

  1. Select Weighted Round Robin as the load balancing policy.
  2. Click on the Add backends button.

  1. Select all the backends of the instances (in the Spoke VCNs).
  2. Click on the Add backends button.

  1. Review the backends, and change the port if necessary; in my case all my back-end Instances listen on port 80.
  2. Scroll down.

  • Leave the Health Check Policy default, and click on the Next button.

  1. Provide a name for the Listener.
  2. Specify the type of traffic to be HTTP for the listener.
  3. Specify a listener port to be 80.
  4. Click on the Next button.

  1. Select a Log group.
  2. Click on the Submit button.

  • Notice that the Load Balancer status is set to CREATING.

  1. Notice the Load Balancer status will change from CREATING to ACTIVE.
  2. Notice that the Overall health is still pending.
  3. Notice that the Backend sets health is still pending.

  1. Make a note of the PUBLIC IP address of the Load Balancer.
  2. Notice that the Overall health is now OK (it may take a minute to change).
  3. Notice that the Backend sets health is now OK (it may take a minute to change).

  • Scroll down to take a closer look at the backend set.

  1. Click on Backend Sets.
  2. Click on the only Backend set available.

  1. Notice that the Overall health is now OK.
  2. Notice that the Backend sets health is now OK.
  3. Scroll down.

  1. Click on Backends.
  2. Notice the backends in the Backend set.

  1. Open a new browser.
  2. Type/Paste in the PUBLIC IP address of the Load Balancer.
  3. Notice that the Load Balancer redirects the traffic to the Instance in the Spoke VCN B.

  1. Refresh the page.
  2. Notice that the Load Balancer now redirects the traffic to the Instance in the Spoke VCN C.

  1. Refresh the page again.
  2. Notice that the Load Balancer now redirects the traffic to the Instance in the Spoke VCN B again.

  1. Refresh the page again.
  2. Notice that the Load Balancer now redirects the traffic to the Instance in the Spoke VCN A.

  • Below you will see a visual representation of what you have created so far and how the traffic is flowing.

  • Make sure that the HUB Firewall is allowing Port TCP/80 from the Load Balancer to the Backend servers.
  • In my case, I just allowed ALL traffic in the HUB Firewall for testing purposes.

STEP 06 - Install and Configure an OCI Web Application Firewall

  • Now that we have configured the Load Balancer we are ready to configure the Web Application Firewall.
  1. Click on the hamburger menu in the upper left corner of the OCI console.
  2. Click on Identity & Security.
  3. Click on Web Application Firewall.

  • Click on the Create WAF Policy button.

  1. Provide a name for the WAF Policy.
  2. Click on the Next button.

  1. Make sure that Enable access control is enabled.

  • Use a website that is capable of retrieving your ISP IP address.
  • This is required to configure your access control in the Web Application Firewall.
  • I am using www.ipchicken.com to retrieve my ISP IP address.

  1. Click on the Add access rule button.
  2. Provide a name for the access rule.
  3. For the Condition Type select Source IP address.
  4. For the Operator select In list.
  5. For the CIDR IP ranges specify the IP address of your own ISP.
  6. Scroll down.

  1. For the rule action specify the action name and select Pre-configured 401 Response Code Action.
  2. Click on the Add access rule button.

  1. Notice that the access rule has been added.
  2. Click on the Next button.

  • Click on the Next button.

  • Click on the Next button.

  1. Select the Load Balancer that you want to configure the WAF Policy on (use the Load Balancer we created in the previous step).
  2. Click on the Next button.

  • Click on the Create WAF policy button.

  • Notice that the WAF Policy is created.

  1. Notice that the status of the WAF Policy is ACTIVE.
  2. Click on the Policies breadcrumbs menu to return to the WAF Policies page.

  • Notice the WAF Policy that we just configured.

STEP 07 - Test the WAF and LB connectivity and WAF Security

  • Go back to the browser we used earlier and refresh the page.
  • If you closed it just type/paste in the PUBLIC IP address of the Load Balancer again.

  • Notice that the web servers can no longer be accessed because we have blocked them with the WAF Policy.
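As an added check (example code written for this page, not part of the original tutorial), the script below fetches the Load Balancer's public IP a number of times and, using the INSTANCE-A/B/C headers written in STEP 04, tallies which backend served each request; it also recognises the WAF's pre-configured 401 response, so the same script verifies the STEP 05 round-robin behaviour and the STEP 07 block. The URL and request count are command-line arguments (assumed); with no arguments it runs on a constructed sample.

```python
import re
import sys
import urllib.error
import urllib.request
from collections import Counter

# Backend identity as written into each NGINX index.html in STEP 04.
BACKEND_RE = re.compile(r"This is (INSTANCE-[A-Z])")
EXPECTED_BACKENDS = {"INSTANCE-A", "INSTANCE-B", "INSTANCE-C"}

def classify_response(status, body):
    """Label one HTTP response: the backend that served it, or the WAF block."""
    if status == 401:  # pre-configured 401 action of the WAF access rule (STEP 06)
        return "WAF-BLOCKED"
    match = BACKEND_RE.search(body)
    return match.group(1) if match else "UNKNOWN"

def tally(responses):
    """Count labels over an iterable of (status, body) pairs."""
    return Counter(classify_response(status, body) for status, body in responses)

def lb_check(counts):
    """True when every backend served at least one request and nothing was blocked or unknown."""
    return set(counts) == EXPECTED_BACKENDS

def waf_check(counts):
    """True when the WAF blocked every request (what STEP 07 expects for the listed source IP)."""
    return set(counts) == {"WAF-BLOCKED"}

def fetch(url):
    """Fetch one page; HTTP errors such as 401 are returned as a result, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check: python lb_waf_check.py http://<LB public IP>/ [requests]
        n = int(sys.argv[2]) if len(sys.argv) > 2 else 12
        responses = [fetch(sys.argv[1]) for _ in range(n)]
    else:  # constructed sample mirroring the refresh sequence B, C, B, A seen in STEP 05
        responses = [(200, f"<h1>Welcome to nginx! This is INSTANCE-{x}</h1>") for x in "BCBA"]
    counts = tally(responses)
    print(dict(counts), "| LB round robin OK:", lb_check(counts), "| WAF blocking:", waf_check(counts))
```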

Conclusion

In this article, we have configured a Load Balancer with a WAF policy in a Hub and Spoke Network Architecture. We configured the web servers in a way that lets us track how the load balancer is sending the traffic.