API Management and Security with F5 and NGINX

Captions
Good morning, and thanks for watching this video. I will try to be short. In this video, it's a new demonstration combining F5 and NGINX. OK, as you may know, F5 acquired NGINX, and NGINX has a great API management solution, and F5 has a very good API security gateway. So now let's try to combine both together, the API management from NGINX, the security gateway from F5, and let's do a nice demonstration.

So first of all, this is the architecture that I'm going to demonstrate. OK, so we try to keep the best of breed for both. So on the right you can see a Kubernetes cluster, so here is my application, so the DevOps are the pre-application applications with the head, and I'm going to show you that this application is an API-oriented application, so it can be used with a graphical user interface. It's a bank application, OK, so with a GUI or with an API only. I'm gonna use a Kubernetes ingress commands his proxy, and then in front of this cluster I will protect and publish and route the API through an NGINX Plus. OK, and to configure the NGINX Plus I'm gonna use the controller, NGINX Controller. This is my first layer of protection, so I'm going to do routing and I will allow or deny access to some resources. And then in front of this NGINX Plus layer I will have an F5 BIG-IP Advanced WAF solution. So here I will not do any authentication today in the demo session; I will stick to just protection, bot protection, DDoS and WAF, because DevOps provided me with a Swagger file, or OpenAPI file or specification file, it's exactly, and when I import this Swagger into the BIG-IP to protect my solution.

So let's do it now. So here is my Kubernetes cluster and my dashboard. So the application is pretty simple. Let me show you. So this is the application; it's a bank application running in a back end, in a Kubernetes cluster. This is the home page, OK, for it now on page, and let's go to the user
application. OK, so log in, my credentials, and here we are. OK, so this is the bank application running in Kubernetes. So as you can see, this application is not yet fully deployed, so the DevOps are working on it, and so far I have only the main application here. OK, so the main application is an application where I can buy and sell stocks, and of course there is a back end. So everything is running in a Kubernetes cluster, so you have north-south, this one, and east-west, OK, in order to get the price of the stock and my stocks. Here on the bottom right is application two, not yet deployed, as you can see, and here application three, not yet deployed.

So the first thing, of course, is to publish this application. So the first layer, I told you, is my NGINX Plus API gateway. So here, as you can see, first of all we have one NGINX Plus deployed, only one, it's this one; this is my NGINX Plus instance. And it's very simple to deploy an NGINX API gateway. So first of all I have to create my entry point. So this is my entry point, OK, then one 20.9, and I specify my instances, so far only one. This is a prediction about a single step: I have to create, I have to declare, the applications, OK. So the Arcadia Finance web application has four apps, OK, four components or microservices: the first one, of course, the main app, the one you just saw; the back end; app two and app three, OK, the ones that are not yet deployed, but the DevOps told me there will be an app two, there will be an app three. So in advance I created the upstream groups. So it's pretty simple how it works: you specify the FQDN, so the FQDN here is my Kubernetes node, of course, so I use a DNS resolver to resolve this, and the port is provided by Kubernetes. OK, so my services are here, and you can see the port for the main app, it's five one one what, the back end is three one five eight four. OK, so I just have to set the port. I use NodePort, OK, I don't use an ingress here because my NGINX Plus is doing the job but
in Brazil. Then, when I've created my upstream groups, I create the definition itself. So the definition is pretty simple again: you specify the resources, OK, so if you do not specify the resource, the access is denied. So I have slash, the main app; I have slash API, it's app number two; slash files, this is the back end where everything were or or the backend visits; and app three. So now everything is deployed on the NGINX Plus instance. What I need is, I just need to create my BIG-IP, so this will be the next step. OK, so so far there is only an LTM with the VIP and a back end, that's it, OK, and of course the back end, the instances, OK, so far I have only one.

So let's go back to Kubernetes and let's deploy a new application. So DevOps started deploying app number two, OK, and the CI/CD is doing everything, but let's do it manually now. So here is my Kubernetes CLI, OK. I created the YAML file you can see here, and let's deploy, at the moment, just the application, OK, so kubectl apply, and only the main, back end and app two. OK, so I'm deploying the application two now. OK, so it takes time, you have to wait, and application two is deployed on one node. OK, so I just need one of the monitor I'll have a lot of traffic. So here, if I refresh, this application should be there. Great. OK, so as you can see now, the API gateway, the NGINX gateway, is bringing traffic to slash API, and slash API is a microservice with the port, don't remember, it was a specific port, it was about 33 6 -. OK, great.

So now let's deploy application three, and for application three now I just have to deploy all the services, OK, you can see, yes: back end unchanged, app two unchanged, main unchanged, and app three created. OK, so now I should have an application three, probably. Perfect, the pod is deployed and my service is Tinder's to the same. So now this application here should be available. OK, so prophesy have up, great. The CI/CD process, of course, afire Jenkins for instance. My API gateway is ready, OK, my plug this
will rise what fat for that. So now what I want to do is to protect this application, because NGINX, it's not just doing routing and only allowing access to the right paths: slash API, slash app3, slash files for the back end. So what I need to do now is to go to my BIG-IP and add a WAF, OK, a real WAF with advanced features like bot protection, DDoS, Swagger import, and I have a Swagger file provided by the DevOps.

So let's go to Security and Guided Configuration. I have a template here, its name is REST API Security with OpenAPI Spec. Perfect. So but there have some automation where I can you might have to do with the silver steps to. I give a name, it's Arcadia demo, and I have to provide the Swagger file. This Swagger is there, OK, I'll play if you want to have a look at it. So the file is pretty simple; as you can see, there are several paths. So I have four paths: one is slash API it rest execute money transfers, to make a money transfer, and the others are to buy stock, sell stock and get the transactions. So that's it, OK. So of course all of them have some information regarding the name, and so here I do not own a bar anything on the authentication side, authorization part of the API; that's for the next demo.

The Swagger is imported; I can see the methods, the URI, the response. Then the enforcement: so I want to block, of course. Then I need to specify if I want to assign to a virtual server or not, guess what actuated new I can use the next one, you can see there are key guys here say, and then I click on Deploy and I have to wait for the deployment. When deployment is done in deploy, now I have a virtual server here with NEPA in an ape in an endless war policy. Perfect. So it means now I should be able to reach the API and I should be protected. OK, so of course if I go to Security, in ASM, I have my policy, my WAF policy is here, OK.

Right, so I want to simulate calls on the right for the application two, this one. OK, so if I do a money transfer like that, as but fifty five pounds of rope, when I do that, behind the
scenes, it's an API call between the applications. So now in Postman, let's do it. OK, so I'm here. So if I go to the last transactions, I can see the last transactions. OK, perfect, it's the last transaction I did, you can see here. OK, now I would like to transfer money. So I can see this is my VIP, I deep API says Reza executive transfer; if you remember the Swagger file, this was the URL. And then I would like to transfer 19 pounds to back from this from the second. OK, success. OK, it seems to work. And if you know F5 and the logs, we should see some sunlight we're gonna my request. Perfect. OK, you can see the past authorization is done and the response, OK, but get money. And if I switch back to the app and if I refresh, I should see my mic or. Perfect, nineteen, OK.

So now if I try to inject something in the body, like a script, or if I want to cut cost at fifteen, or if I try to do an injection on the database, it will be blocked. OK, so you recognize the support ID from F5 WAF, and here I should have my violation. OK, attack signature detected, cross-site scripting. So as you can see, it's very easy to protect an API and provision an API with F5 and NGINX, OK.

NGINX is publishing the API, and NGINX is very agile, so if I want to scale out, I can scale out. So for instance I can scale out my application two. Imagine the application two, it's too slow, OK, have thrown s on my application because I have a lot of money transfers at the moment. I can up to, OK, and I'm dead. So you can see it's deploying a new pod, OK. New pod means that we have more resources, scale out. So I got there nice, I have two pods here, OK. So now when I do a money transfer it will be load balanced between both. And something yet is my NGINX Plus: I have only one NGINX Plus at the moment, and let's right left boss now - engine Express from the controls right. This is my NGINX Plus a loft, OK. So as you can see, the NGINX Plus is
running in a Docker, so I just have to spin up a new one like this one. OK, so start a new Docker code with press controller, I have to give a name, a new port, the first port is 8 is 1 is 81. Let's do it. OK, so now the second NGINX Plus is running. OK, so of course this could be done by my CI/CD process, OK: if I monitor my resources and it is too high, I can spin up a new one. So I need some minutes to a data kicked in in my controller, so in a few minutes here I should see a new NGINX Plus.

What I have to do now in this demo: I need to add this NGINX Plus in my BIG-IP, the first layer. OK, if I come back to my slide, this one, of course if I have a new NGINX Plus, my VIP has to load balance between both. So in the meantime it appears, I go to the pool, OK, so this is my idea to NGINX, and add a new member. That's it, very simple. OK, so it's 8081, adding one. OK, this is my NGINX Plus 81; you can do it with your CI/CD process, of course. OK, now it looks good and I have two NGINX Plus now, right. So this one, as you can see, has some metrics; this one not yet, OK, need to wait a few minutes.

And now if I get back to my application, my traffic will be load balanced between two NGINX Plus, and the back end, it will be repulsive one two up to if remembered application in between this one is block. Let's try to buy some stock, for instance. OK, I would like to buy some Microsoft stock, and got it, I have new Microsoft stock. And if I go to the app, awesome, OK, I can see my new Microsoft stock, and here it's load balanced between the two pods. So it's very agile, as you can see. OK, so NGINX Plus plus F5 is preservation for API management and API security. Stay tuned for the next video, where I'm gonna explain how to come or two tries traffic between F5 and NGINX.

Info
Channel: Matthieu Dierick, F5
Views: 2,035
Keywords: api, f5, nginx, waf, oauth, oidc, api security, api management
Id: 9xpCl1a40B8
Length: 17min 40sec (1060 seconds)
Published: Tue Oct 08 2019