App Delivery Network (ADN)

Objective

This guide provides instructions on how to deploy and secure network edge applications using VoltConsole and VoltMesh.

The following image shows the steps to deploy network edge applications:

Figure: Steps to Deploy and Secure Network Edge Applications

The following image shows the topology of the example for the use case provided in this document:

Figure: Network Edge Applications Sample Topology

Using the instructions provided in this guide, you can deploy your web application in Volterra virtual K8s (vK8s) clusters, deliver the application using a load balancer, advertise the application services on the Volterra global network (exposing them to the internet), protect the application using Volterra security features, and monitor the application using Volterra monitoring features.

The example shown in this guide deploys a microservices application called Hipster Webapp across the Volterra global network using Volterra vK8s. The application consists of the following services:

  • frontend
  • cartservice
  • productcatalogservice
  • currencyservice
  • paymentservice
  • shippingservice
  • emailservice
  • checkoutservice
  • recommendationservice
  • adservice
  • cache

Prerequisites

  • VoltConsole SaaS account.

    Note: If you do not have an account, see Create a VES Account.

  • Volterra vesctl utility.

    Note: See vesctl for more information.

  • Docker.
  • Self-signed or CA-signed certificate for your application domain.

Configuration

The use case provided in this guide deploys the web application in the vK8s clusters across all of the Volterra Regional Edge (RE) sites. It then exposes the application to the Volterra global network using a Volterra load balancer and secures it using the Volterra security features. The following actions outline the activities in deploying the web app and securely exposing it to the internet.

  1. A Volterra vK8s cluster is created and, using its kubeconfig and the K8s manifest, the web application is deployed in the vK8s clusters in all RE sites.
  2. The frontend service of the application needs to be externally available. Therefore, an HTTPS load balancer is created for each cluster with the required origin pool objects, that is, the endpoint, health check, and cluster. An appropriate route and advertise policy are also created to expose it to the internet.
  3. The load balancer TLS configuration is secured by applying Volterra Blindfold encryption to the TLS private key.
  4. Security policies are configured to restrict ingress traffic selectively using BGP ASN sets. A rate limit is also enabled to protect the application from DDoS attacks.
  5. A WAF configuration is applied to secure the externally available load balancer VIPs. The load balancer is also secured with a javascript challenge to protect against bots.
  6. All other communication from the k8s clusters is configured to be denied.

Step 1: Deploy K8s App

The following video shows the site deployment workflow:

Perform the following steps to deploy the web application in Volterra vK8s clusters:

Step 1.1: Log into VoltConsole and create a namespace.

This example creates a sample namespace called tutorial-hipster.

  • Select the namespace dropdown and click Manage namespaces.

Figure: Navigate to Manage Namespaces

  • Click Add namespace and enter a name for your namespace. Click Save to complete creating the namespace.

Figure: Create Namespace

Step 1.2: Create vK8s cluster and download its kubeconfig.
  • Click on the namespace dropdown and change to the namespace created in previous step.
  • Select Applications in the configuration menu and Virtual K8s in the options pane.

    Figure: Navigate to vK8s Creation

  • Click Add virtual K8s and enter a name for your vK8s cluster.
  • Click Select vsite ref, select ves-all-res, and click Select vsite ref again to add the vK8s cluster to all RE sites.

Figure: Select Virtual Site for vK8s

  • Click Add virtual K8s to complete creating the vK8s clusters in all RE sites.

Figure: Create vK8s Clusters in Global Network

  • Click ...-> Download for the created vK8s object to download its kubeconfig file.

Step 1.3: Deploy the web application in all Volterra RE sites.

To deploy the web application in a K8s cluster, the following are required:

  • Kubeconfig of the K8s cluster. For this, use the vK8s kubeconfig downloaded in previous step.
  • Manifest file of your web application. Download the sample this example uses and edit its fields as per your application.

Enter the following command to deploy the application:

kubectl apply -f k8s-app-manifest.yaml --kubeconfig vk8s-kubecfg.yaml

This completes deployment of application across all RE sites.


Step 2: Deliver K8s App

Delivering the application requires creating a load balancer and an origin pool for the services. Origin pools consist of endpoints and clusters. Routes and advertise policies are also required to make the application available to the internet.

The following video shows the application delivery workflow:

Perform the following steps to create the origin pool and load balancer for your application:

Step 2.1: Create endpoint.

Select Manage->Endpoints. Click Add endpoint and enter the configuration as per the following guidelines:

  • Enter a name in the Name field. This example sets frontend as the name.
  • Select Virtual Site for the Where field and select the ves-all-res site for the Select ref field.
  • Select Site Local Network for the network type.
  • Select Service Selector Info for the Endpoint Specifier field.
  • Select Kubernetes for the Discovery field and Service Name for the Service field.
  • Enter the service name in the <servicename>.<vK8snamespace> format. This example uses frontend.tutorial-hipster as the service name.
  • Select TCP as the protocol.
  • Enter 80 for the Port field.
  • Click Add endpoint to create endpoint.

Figure: Endpoint Creation

Step 2.2: Add cluster.

Select Manage->Clusters. Click Add cluster and enter the configuration as per the following guidelines:

  • Enter a name in the Name field. This example sets frontend as the name.
  • Select the endpoint created in previous step for the Select endpoint field.
  • Select Distributed for the Endpoint Selection field.
  • Set Connection Timeout and HTTP Idle Timeout as 0.
  • Click Add cluster to complete creating the cluster.

Figure: Cluster Creation

Step 2.3: Create a route.

Select Manage -> Routes. Click Add route and enter the configuration as per the following guidelines:

  • Enter a name. This example sets the name as frontend.
  • Click Add match. Select ANY for the HTTP Method field and Regex for the Path Match field. Enter (.*?) for the Regex field and click Add match.
  • Select Destination List for the Route action field and click Add destination. Click Select cluster, select the cluster object created in the previous step, and click Select cluster again. Set Weight as 0 and click Add destination to add the cluster.
  • Set Timeout as 0 and click Add route to add the route.
  • Click Add route again to create the route.

Figure: Route Creation

Step 2.4: Create an advertise policy.

Exposing the application to the internet requires advertising the application domain of the load balancer over the Volterra public network.

  • Select Manage -> Advertise Policies and click Add advertise policy.
  • Enter a name. This example sets frontend as the name.
  • Select Virtual Network for the Where field and select the public network for the Select ref field.
  • Enter 443 for the TCP Port field and click Add advertise policy to complete creating advertise policy.

Figure: Advertise Policy Creation

Step 2.5: Add a virtual host.

Select Manage -> Virtual Hosts. Click Add virtual host and set the configuration as per the following guidelines:

  • Enter name, application domain, and set proxy type as HTTPS Proxy. This sample sets frontend as the virtual host name and hipster-shop.tutorial-hipster.playground.helloclouds.app as the domain.
  • Select the route created in previous steps.
  • Select the advertise policy created in previous steps.
  • Click TLS Parameters and click Add TLS certificate in the TLS configuration form.
  • Click Private key and select Secret info as Clear secret and enter the secret in the Location field. Select Secret Encoding as EncodingNone. Click Apply.

Note: A Clear secret stores the private key unencrypted in the virtual host configuration. To keep the key encrypted at rest, as the configuration overview of this guide describes, encrypt it with Volterra Blindfold using vesctl and select the Blindfold secret option instead of Clear secret.

Figure: Virtual Host Private Key Configuration

Note: Use the private key of your certificate. Run the cat <privatekey> command to display the key and copy its contents.

  • Generate the Base64 string of your certificate and enter it in the string:///<base64-string> format in the Certificate URL field. Click Add TLS certificate to apply the certificate.
  • Set TLS_AUTO for the Minimum TLS Version and Maximum TLS Version fields.

Figure: Virtual Host TLS Configuration

  • Click Apply and Add virtual host.

Note: Add a DNS record at your domain provider so that the domain name resolves to the IP address advertised for the virtual host.

You can now access the web application from the browser using the domain name of the virtual host. You can use websites such as dotcom tools to verify that the domain is accessible across the global network with reduced load times.
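The TLS form above accepts any PEM text, so it is worth checking the material before pasting it. The following script is an added example and is not part of the original guide or of Volterra's tooling: it verifies that the certificate and private key belong together, checks that the certificate has not expired, and produces the string:///<base64> value that the Certificate URL field expects (the javascript challenge custom page in Step 3.6 uses the same string:/// encoding). It assumes openssl and base64 are installed; the optional blindfold_key function assumes the vesctl secrets subcommands named in its comments, which you should check against your vesctl version.

```shell
#!/bin/sh
# Added example (not from the original guide): check a certificate/key pair
# before entering it in the virtual host TLS form, and build the
# string:///<base64> value for the Certificate URL field.
# Assumes: openssl, base64, and (only for blindfold_key) vesctl.
set -e

# Base64-encode a file as a single line and prefix it with string:///.
string_url() {
  printf 'string:///%s\n' "$(base64 < "$1" | tr -d '\n')"
}

# Print "ok" when the certificate's public key matches the private key,
# "mismatch" otherwise. The form accepts a mismatched pair, but every TLS
# handshake on the load balancer would then fail.
check_pair() {
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null || true)
  if [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]; then
    echo ok
  else
    echo mismatch
  fi
}

# Print "valid" when the certificate has not expired, "expired" otherwise.
check_expiry() {
  if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
    echo valid
  else
    echo expired
  fi
}

# Print subject and subject alternative names so the virtual host domain
# (hipster-shop.tutorial-hipster.playground.helloclouds.app in this guide)
# can be confirmed against the certificate.
cert_names() {
  openssl x509 -in "$1" -noout -subject
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' || true
}

# Optional: Blindfold-encrypt the private key with vesctl instead of pasting
# it in clear. The subcommands and the ves-io-allow-volterra policy name are
# assumptions taken from the vesctl secrets workflow; verify them for your
# vesctl version. Output is the encrypted blob for the Blindfold secret field.
blindfold_key() {
  vesctl request secrets get-public-key > ves-pubkey.json
  vesctl request secrets get-policy-document --namespace shared \
    --name ves-io-allow-volterra > ves-policy.json
  vesctl request secrets encrypt --policy-document ves-policy.json \
    --public-key ves-pubkey.json "$1"
}

# Usage: sh tls-prep.sh tls.crt tls.key
if [ "$#" -eq 2 ]; then
  echo "pair:   $(check_pair "$1" "$2")"
  echo "expiry: $(check_expiry "$1")"
  cert_names "$1"
  echo "Certificate URL: $(string_url "$1")"
fi
```

Run it with the certificate and key you intend to upload; only paste the Certificate URL value when the pair reports ok and the certificate is valid for the virtual host domain.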


Step 3: Secure K8s App

Securing the web application requires you to set up ingress filtering using BGP ASN sets, a javascript challenge, DDoS protection using rate limiting, and a WAF.

The following video shows the workflow of securing the K8s application:

The examples in this chapter demonstrate how to reject or allow traffic based on service policies. After that, the javascript challenge is enabled on the virtual host. Finally, a WAF is created and applied to the load balancer to complete securing the application.

Note: The javascript challenge requires the client to execute javascript before its request is served, so clients that do not run a browser engine are blocked. This prevents simple automated attacks.

Step 3.1: Add BGP ASN set.

You can use a BGP ASN set together with service policies to protect your web application from, for example, competitor scraping. This example creates a BGP ASN set containing the ASN of your ISP, which the later steps use for ingress filtering.

Select Security -> Network Security. Select BGP ASN Sets and click Add BGP ASN set. Enter the following configuration:

  • Set a name for the BGP ASN set in the Name field. This example uses my-isp as the name.
  • Click Add as number and enter the ASN numbers from which you want to reject or allow requests. This example adds ASN 7922, from which requests are to be rejected.
  • Click Add BGP ASN set to complete adding the BGP ASN set.

Figure: BGP ASN Set Creation

Note: You can obtain your ASN using the whois <ipaddress> | grep -i OriginAS command, where <ipaddress> is your public IP address. You can find your public IP address by visiting the www.whatismyipaddress.com website.

Step 3.2: Create service policy rules to deny requests from the BGP ASN and allow from the rest of the sources.

Select Security -> Service Policy Rules. Click Add service policy rule and enter the following configuration:

  • Set a name for the policy rule. This example uses the deny-my-isp name.
  • Select Deny for the Action field.
  • Click the AS Matcher field and click Select ASN set. Select the BGP ASN set created in the previous step and click Select ASN set. Click Apply.
  • Click Add service policy rule to complete creating the service policy rule.

Figure: Service Policy Rule To Deny Traffic From BGP ASN

  • Similarly, create another service policy rule to allow the rest of the traffic by selecting Allow for the Action field. This example creates the rule with the rest-traffic name.

Step 3.3: Create service policy.

Select Security -> Service Policies. Click Add service policy and enter the following configuration:

  • Set a name for the policy. This example sets the tutorial-sp name.
  • Select First Rule Match for the Rule Combining Algorithm field.
  • Click Select rule and add the rules created in the previous step. Select the Deny rule first, followed by the Allow rule. With First Rule Match, the first rule that matches a request decides the action, so an Allow rule placed first would match every request, including those from the denied ASN.
  • Click Add service policy to complete creating the service policy.

Figure: Service Policy Configuration

Step 3.5: Create service policy set.

Select Security -> Service Policy Sets. Click Add service policy set and enter the following configuration:

  • Set a name for the policy. This example sets the tutorial-ps name.
  • Click Select policy and add the policy created in the previous step.
  • Click Add service policy set to complete creating the service policy set.

Figure: Service Policy Set Configuration

You can verify that the service policy is in effect by visiting your application domain from your regular browser, whose traffic originates from the denied ASN, and from the Tor browser. The request from the regular browser is blocked, while the request from the Tor browser is allowed.
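The ASN lookup in Step 3.1 and the browser check above can both be done from a terminal. The following script is an added example and is not part of the original guide: it extracts the bare AS number (the value the BGP ASN set form expects) from whois output in either ARIN or RIPE/APNIC format, and probes the virtual host once directly and once through a Tor SOCKS proxy so that the two source ASNs can be compared. It assumes whois and curl are installed, a Tor SOCKS proxy listening on 127.0.0.1:9050, and the domain used in this guide; the embedded whois excerpt is constructed sample text, not real registry data.

```shell
#!/bin/sh
# Added example (not from the original guide): origin-ASN extraction from
# whois output and a command-line probe of the service policy decision.
# Assumes: whois, curl, and a Tor SOCKS proxy on 127.0.0.1:9050.
set -e

# Extract the bare AS number from whois text on stdin. ARIN prints
# "OriginAS:       AS7922"; RIPE/APNIC route objects print "origin: AS7922".
# Prints the first number found, or nothing if no origin line is present.
origin_asn() {
  grep -i -E '^[[:space:]]*(OriginAS|origin):' \
    | grep -o -i -E 'AS[0-9]+' | head -n 1 | sed 's/^[Aa][Ss]//'
}

# Resolve the origin ASN of a public IP address (needs network access).
asn_for_ip() {
  whois "$1" | origin_asn
}

# Print the HTTP status code the load balancer returns to this client.
# A second argument such as socks5h://127.0.0.1:9050 sends the request
# through Tor, so the source ASN is no longer your ISP's and the
# rest-traffic Allow rule applies instead of the deny-my-isp rule.
probe() {
  if [ -n "${2:-}" ]; then
    curl -s -o /dev/null -w '%{http_code}' --proxy "$2" "https://$1/"
  else
    curl -s -o /dev/null -w '%{http_code}' "https://$1/"
  fi
}

# Constructed whois excerpt in ARIN format (not real registry data), used
# when the script runs without an address argument.
SAMPLE_WHOIS='NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
OriginAS:       AS7922
Organization:   Example ISP (constructed)'

DOMAIN=hipster-shop.tutorial-hipster.playground.helloclouds.app

# Usage: sh asn-check.sh <your public IP>
if [ "$#" -eq 1 ]; then
  echo "origin ASN of $1: $(asn_for_ip "$1")"
  echo "direct:  $(probe "$DOMAIN")"
  echo "via tor: $(probe "$DOMAIN" socks5h://127.0.0.1:9050)"
else
  echo "sample ASN: $(printf '%s\n' "$SAMPLE_WHOIS" | origin_asn)"
fi
```

With the policy from Steps 3.2 to 3.5 in place, the direct probe from an address in the denied ASN should return a blocking status while the Tor probe should return the application's normal response.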

Step 3.6: Enable javascript challenge.

Create a custom message as plain text or an HTML element and convert it to Base64. For example, enter the following command in the terminal:

echo '<h1> hi javacript challenge </h1>' | base64  
PGgxPiBoaSBqYXZhY3JpcHQgY2hhbGxlbmdlICA8L2gxPgo=

Copy the output. In this case, it is the PGgxPiBoaSBqYXZhY3JpcHQgY2hhbGxlbmdlICA8L2gxPgo= string. Return to VoltConsole and perform the following:

  • Select Manage -> Virtual Hosts. Click ...->Edit for your virtual host to edit the virtual host configuration. Click Javascript Challenge and set the following:
  • Click Enable checkmark.
  • Set javascript delay and cookie expiry periods. This example sets 2000 milliseconds of delay and 120 seconds of cookie expiry.
  • Enter the custom page in the string:///<base64-string> format, using the Base64 string generated for the custom page.
  • Click Apply and Save changes.

Figure: Javascript Challenge Configuration

Note: You can verify the javascript challenge by visiting your application domain from the browser. The request is redirected to the custom page you configured while the challenge runs. Clear your cookies first or use incognito or private mode, because a client that has already passed the challenge holds a cookie that is valid for the configured expiry period and is not challenged again.

Step 3.7: Create a Web Application Firewall (WAF).

Select Security -> App Firewall. Click Add firewall and set the following configuration:

  • Set a name for the firewall. This example sets the block-all name.
  • Click Add firewall to complete creating the WAF.

Note: The firewall is enabled in BLOCK mode by default. In this mode, requests that the WAF classifies as suspicious are blocked.

Figure: Web Application Firewall Creation

Step 3.8: Apply the WAF to the virtual host.

Select Manage -> Virtual Hosts and find your virtual host in the displayed list. Click ... -> Edit to open the virtual host edit form. Click WAF Config and select the firewall created in the previous step. Click Apply and Save changes to apply the WAF to the virtual host. This protects the load balancer from malicious requests.

Figure: Enable WAF for Virtual Host

Note: The WAF blocks suspicious requests and DDoS attacks even if the javascript challenge is disabled. Security is further enhanced when the javascript challenge is also enabled.


Step 4: Observe K8s App

You can monitor the deployed K8s application using the VoltConsole monitoring.

The following video shows the workflow of using VoltConsole to monitor your application:

Step 4.1: Open the load balancer dashboard.

  • Log into the VoltConsole and change to your namespace.
  • Select Virtual Hosts from the configuration menu and HTTP Load Balancers in the options pane.
  • Click on your load balancer to open its dashboard. The dashboard loads the overall status of the load balancer such as health score, origin servers, latency, etc.

Figure: Load balancer Dashboard View

  • Click the Metrics tab to check metrics such as request rate, error rate, latency, and throughput.

Figure: Load balancer Metrics View

  • Click the Origin Servers tab to check the origin servers and their associated details such as requests, errors, latency, RTT, etc.

Figure: Load balancer Origin Servers View

  • Click the Requests tab to check the sampled requests trend and the list of requests.

Figure: Load balancer Sampled Requests View

  • Click the App Firewall tab to check firewall details such as security events, bot requests, events by location, etc.

Figure: Load balancer Firewall View

  • Click the Security Events tab to view the trend of security events in graphical form.

Figure: Load balancer Security Events View

Step 4.2: Open the application service graph.

  • Log into the VoltConsole and change to your namespace.
  • Select Mesh and Service Mesh from the configuration menu.
  • Click on the service mesh object for your application to open its service graph. The service graph shows the service mesh graph for your application services.

Figure: Service Mesh Service Graph View

  • Click any edge on the graph to display its quick status on the left. Click Endpoints in the quick status to load the Endpoints tab, filtered to the endpoints related to that edge.

    Figure: Service Mesh Quick Status for a Specific Edge
    Figure: Service Mesh Endpoint View for a Specific Edge

  • Click the Endpoints tab to display the details for all endpoints along with their trends in graphical form.

Figure: Service Mesh Endpoints View for all Endpoints


Concepts