{"id":20329924,"url":"https://github.com/f5devcentral/f5-cloudservicelab","last_synced_at":"2026-02-08T22:32:14.383Z","repository":{"id":54557907,"uuid":"237290365","full_name":"f5devcentral/f5-cloudservicelab","owner":"f5devcentral","description":"F5 Cloud Services API reference and demo content via a hands-on-lab","archived":false,"fork":false,"pushed_at":"2021-02-10T16:36:32.000Z","size":12228,"stargazers_count":15,"open_issues_count":0,"forks_count":21,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-01-14T15:18:51.090Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/f5devcentral.png","metadata":{"files":{"readme":"README.rst","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-01-30T19:36:16.000Z","updated_at":"2023-10-24T08:00:16.000Z","dependencies_parsed_at":"2022-08-13T19:40:13.833Z","dependency_job_id":null,"html_url":"https://github.com/f5devcentral/f5-cloudservicelab","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f5devcentral%2Ff5-cloudservicelab","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f5devcentral%2Ff5-cloudservicelab/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f5devcentral%2Ff5-cloudservicelab/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f5devcentral%2Ff5-cloudservicelab/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/f5devcentral","download_url":"https://codeload.github.com/f5devcentral/f5-
cloudservicelab/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241844796,"owners_count":20029723,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-14T20:14:03.366Z","updated_at":"2026-02-08T22:32:09.357Z","avatar_url":"https://github.com/f5devcentral.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"F5 Cloud Services – API Lab\r\n===========================\r\nSpring 2020\r\n\r\n.. contents:: Table of Contents\r\n\r\nOverview\r\n########\r\n\r\nThis lab will take you through setting up and basic usage of the following F5 Cloud Services:\r\n\r\n* **F5 DNS Cloud Service**: secondary DNS backed by globally-distributed anycast network with built-in DDoS protection\r\n\r\n* **F5 DNS Load Balancer Cloud Service**: global availability and performance with health-check and built-in DDoS protection\r\n\r\n* **F5 Essential App Protect Service**:  mitigate risk of exploits, targeted attacks \u0026 threats to web applications\r\n\r\nIn the course of this lab you will create application infrastructure using F5 Cloud Services to support:\r\n\r\n* Secondary DNS for backup of primary with high availability, scale \u0026 security\r\n\r\n* Secondary DNS and DNS load balancing services with DDoS protection\r\n\r\n* Load balance pools of app instances across multiple clouds (Azure \u0026 AWS)\r\n\r\n* Geo-proximity traffic routing for performance and/or compliance (GDPR, etc.)\r\n\r\n* Web app protection against common high-risk web exploits\r\n\r\n* Application 
protection against external IPs flagged as malicious\r\n\r\n* Risk mitigation against coordinated attack trends \u0026 vulnerabilities\r\n\r\nThe estimated time to complete the lab is ~45 minutes.\r\n\r\nPrerequisites\r\n##############\r\n\r\n* F5 Cloud Services account: sign up `here \u003chttp://bit.ly/f5csreg\u003e`_\r\n\r\n* Postman: download `here \u003chttp://bit.ly/309wSLl\u003e`_\r\n\r\n**IMPORTANT NOTE**: If you originally signed up for F5 Cloud Services through a Limited User invitation (such as an email invite from another lab or from a different account owner), then it is possible that you haven't yet completed a full registration.\r\n\r\nYou can quickly tell if you have a full account by looking at your account(s) in the `F5 Cloud Services Portal \u003chttps://portal.cloudservices.f5.com/\u003e`_. If you do not see any \"Accounts you own:\" and only see \"Accounts you've been granted access to\" as a **\"Limited User\"**, then you will need to create a full account \u0026 update user info before you can proceed with this lab. You can do so in step 5(c) below via the F5 Cloud Services API using the Postman request titled \"Set User Info (optional)\", the details of which are outlined below after the Login.\r\n\r\nEnvironment and Setup\r\n#####################\r\n\r\n1. APIs and Services\r\n*********************\r\n\r\nThe setup \u0026 configuration of the services will be done by sending API requests to the following services:\r\n\r\n* **F5 Cloud Services API**: create, use, and remove the services in the scope of this lab\r\n\r\n* **Lab service API**: facilitates auxiliary functions for the lab only: creating DNS entries, sending targeted requests \u0026 traffic to the apps/services, etc.\r\n\r\n\r\nThe following diagram captures the core components of this Lab:\r\n\r\n.. figure:: _figures/Diagram.png\r\n\r\n\r\n2. 
Application Scenario\r\n***********************\r\n\r\nIn order to fully explore the capabilities of F5 Cloud Services, you will be able to use an existing application with a set of live instances across different clouds and geographic locations. This app is `\"BuyTime Auction\" \u003chttp://bit.ly/37fVwfX\u003e`_, a fictitious multi-instance deployment that helps to simulate a globally deployed app topology. Unsurprisingly, robust security, global availability, zero downtime,\r\nand performance are critical for this application, while the app Developers \u0026 DevOps are used to consuming app infrastructure as-a-Service.\r\n\r\nThe following are the demo application instances:\r\n\r\n.. csv-table::\r\n   :header: \"Name\", \"Geography\", \"Cloud/Region\", \"IP\", \"URI\"\r\n\r\n   \"AU\", \"Australia\", \"AWS - Asia Pacific (Sydney)\", \"54.206.13.195\", \"http://au-auction.securelab.online/\"\r\n   \"EU1\", \"Europe\", \"AWS – Europe (Paris)\", \"35.180.122.91\", \"http://eu1-auction.securelab.online/\"\r\n   \"NA1\", \"North America\", \"AWS - US East (N. Virginia)\", \"34.229.48.248\", \"http://na1-auction.securelab.online/\"\r\n   \"NA2\", \"North America\", \"AWS – US East (N. Virginia)\", \"18.232.64.254\", \"http://na2-auction.securelab.online/\"\r\n   \"NA3\", \"North America\", \"Azure – US East\", \"52.249.252.91\", \"http://na3-auction.securelab.online/\"\r\n\r\n\r\nThe following diagram is a simplified architecture of the Auction application:\r\n\r\n\r\n.. figure:: _figures/Auction.png\r\n\r\n\r\n3. Postman Configuration\r\n************************\r\n\r\n`a)` Open Postman, create a Postman account if you don’t have one and choose to do so, and sign in.\r\n\r\n`b)` Use the \"Run in Postman\" button below to import collection and environment to the Postman or manually import it from the `Git repo for this lab \u003chttps://bit.ly/3jdhnf3\u003e`_\r\n\r\n.. 
image:: https://run.pstmn.io/button.svg\r\n   :target: https://app.getpostman.com/run-collection/222d7e7804f37069898b#?env%5BF5%20Cloud%20Services%20LAB%5D=W3sia2V5IjoiSE9TVE5BTUUiLCJ2YWx1ZSI6ImFwaS5jbG91ZHNlcnZpY2VzLmY1LmNvbSIsImVuYWJsZWQiOnRydWV9LHsia2V5IjoiQVBJX1ZFUlNJT04iLCJ2YWx1ZSI6InYxIiwiZW5hYmxlZCI6dHJ1ZX0seyJrZXkiOiJETlNfV0VCX0FETUlOIiwidmFsdWUiOiI1NC4yMTEuMTIuMTczIiwiZW5hYmxlZCI6dHJ1ZX0seyJrZXkiOiJBQ0NPVU5UX05BTUUiLCJ2YWx1ZSI6IiIsImVuYWJsZWQiOnRydWV9LHsia2V5IjoiVVNFUl9FTUFJTCIsInZhbHVlIjoiIiwiZW5hYmxlZCI6dHJ1ZX0seyJrZXkiOiJVU0VSX1BBU1NXT1JEIiwidmFsdWUiOiIiLCJlbmFibGVkIjp0cnVlfV0=\r\n\r\n`c)` Choose \"Postman for Windows\" and open collection in Postman\r\n\r\n.. figure:: _figures/1.png\r\n\r\n\r\nYou will now see your collection (left side) with calls in several categories, as well as environment variables (top right).\r\n\r\n.. figure:: _figures/2.jpg\r\n\r\n\r\nYou are now ready to interface with F5 Cloud Services using Postman.\r\n\r\n\r\n\r\n4. Postman Environment Variables Detail\r\n***************************************\r\n\r\n\r\n\r\nThe Postman environment contains a number of variables. To see them, select **Manage Environments** and click **F5 Cloud Services LAB**.\r\n\r\n.. figure:: _figures/3.jpg\r\n   :height: 100px\r\n   :width: 200 px\r\n   :scale: 250 %\r\n   :alt: alternate text\r\n   :align: center\r\n\r\n\r\n\r\nYou will now see the list of environment variables:\r\n\r\n.. figure:: _figures/4.jpg\r\n   :height: 100px\r\n   :width: 200 px\r\n   :scale: 250 %\r\n   :alt: alternate text\r\n   :align: center\r\n\r\n\r\n\r\nYou will later need to add the variables highlighted in bold.\r\n\r\n\r\n\r\n.. 
csv-table::\r\n  :header: \" \", \"Variable\", \"Description\"\r\n  :widths: 5, 15, 40\r\n\r\n  \"1\", \"HOSTNAME\", \"F5 API URL\"\r\n  \"2\", \"API_VERSION\", \"Version of API used\"\r\n  \"3\", \"DNS_WEB_ADMIN\", \"Labs DNS API\"\r\n  \"4\", \"ACCOUNT_NAME\", \"Name of your F5 Cloud Services portal account which is retrieved in Get User Membership call to get account ID to work in\"\r\n  \"5\", \"**USER_EMAIL**\", \"**Email of the main user in the F5 Cloud Services portal**\"\r\n  \"6\", \"**USER_PASSWORD**\", \"**Password of the main user in the F5 Cloud Services portal**\"\r\n  \"7\", \"ACCESS_TOKEN\", \"Token for authenticating API calls used by your main user account\"\r\n  \"8\", \"USER_ID\", \"ID of your main user\"\r\n  \"9\", \"ACCOUNT_ID\", \"ID of your main user’s primary account (where you will create instances)\"\r\n  \"10\", \"DNS_CATALOG_ID\", \"Unique ID for DNS service catalog\"\r\n  \"11\", \"WAF_CATALOG_ID\", \"Unique ID for the Essential App Protect service catalog\"\r\n  \"12\", \"GSLB_CATALOG_ID\", \"Unique ID for the DNS Load Balancer service catalog\"\r\n  \"13\", \"ZONE_NAME\", \"Your test DNS zone which is assigned by the LAB Service API\"\r\n  \"14\", \"DNS_SUBSCRIPTION_ID\", \"Your instance ID for the DNS subscription\"\r\n  \"15\", \"WAF_SUBSCRIPTION_ID\", \"Your instance ID for the Essential App Protect subscription\"\r\n  \"16\", \"GSLB_SUBSCRIPTION_ID\", \"Your instance ID for the DNS Load Balancer subscription\"\r\n  \"17\", \"WAF_SERVICE_INSTANCE_ID\", \"The ID of the app instance in your Essential App Protect subscription\"\r\n  \"18\", \"WAF_CNAME\", \"CNAME record for the app instance in your Essential App Protect subscription\"\r\n\r\nCore API Calls\r\n##############\r\n\r\n5. 
Login\r\n********\r\n\r\n\r\n`a)` Open the “F5 Cloud Services LAB” environment variables by clicking the “Environment Quick Look”, click into the field of the corresponding variable, and type the value of your main user email in the variable “USER_EMAIL” (click **Enter** after typing the values).\r\n\r\n.. figure:: _figures/5-6.jpg\r\n\r\n   Repeat the same for the “USER_PASSWORD”.\r\n\r\n\r\n`b)` Select the **Login** request in the sidebar to login to your F5 Cloud Services profile and click **Send** to get the authorization token described above. More detailed information on this API request can be found `here \u003chttp://bit.ly/36ffsyy\u003e`_.\r\n\r\n.. figure:: _figures/107.jpg\r\n\r\nA successful login will result in Postman returning the tokens from the API, shown in the response body below:\r\n\r\n.. figure:: _figures/84.jpg\r\n\r\nThese tokens are then stored for subsequent calls using a function inside Postman to set environment variables. You can see the test function in the “Tests” tab:\r\n\r\n.. figure:: _figures/9.jpg\r\n        :height: 60px\r\n        :width: 200 px\r\n        :scale: 230 %\r\n        :alt: alternate text\r\n        :align: center\r\n\r\n**NOTE**: If any of the subsequent Postman calls return a blank response or **\"status\": \"unauthorized\"** response (see the screenshot below), it means your user token has expired and you will need to re-login. To do that you just need to re-send the **Login** request.\r\n\r\n.. figure:: _figures/10.jpg\r\n        :height: 60px\r\n        :width: 200 px\r\n        :scale: 230 %\r\n        :alt: alternate text\r\n        :align: center\r\n\r\n`c)` OPTIONAL: Set User ID \u0026 Account Info\r\n\r\n**IMPORTANT NOTE**: If you originally signed up for F5 Cloud Services through a Limited User invitation (such as an email invite from another lab or from a different account owner), then it is possible that you haven't yet completed a full registration. 
You can quickly tell if you have by looking at your account(s) in the `F5 Cloud Services Portal \u003chttps://portal.cloudservices.f5.com/\u003e`_. If you do not see any \"Accounts you own:\" and only see \"Accounts you've been granted access to\" as a **\"Limited User\"**, then you need to create a full account \u0026 update user info before you can proceed with this lab.\r\n\r\nYou can do this by running the following **Set User Info** API call, after you've updated the Body of the request with your own organization \u0026 address information:\r\n\r\n.. figure:: _figures/112.jpg\r\n\r\nThe response returns the following detail, including your own organization account ID (id):\r\n\r\n.. figure:: _figures/113.jpg\r\n\r\nMore information on this API request can be found `here \u003chttps://portal.cloudservices.f5.com/docs#operation/CreateAccount\u003e`_.\r\n\r\nAt this point you should be a full user with an \"Owned Account\" and a primary organization account id, which can also be confirmed in the `F5 Cloud Services Portal \u003chttps://portal.cloudservices.f5.com/\u003e`_ in the drop-down under your user name (top right), where you should see \"Accounts you own:\" and the Organization Account you created with **\"Owner\"** defined.\r\n\r\n`d)` Retrieve User ID \u0026 Account ID\r\n\r\nSelect the **Get Current User** request and click **Send** to retrieve the User ID and Account ID to be used in further requests.\r\n\r\n.. figure:: _figures/86.jpg\r\n\r\nThe response returns the following detail:\r\n\r\n.. figure:: _figures/12.jpg\r\n       :height: 170px\r\n       :width: 140 px\r\n       :scale: 230 %\r\n       :alt: alternate text\r\n       :align: center\r\n\r\nThe retrieved User ID and Account ID are then stored for subsequent calls.\r\n\r\n.. 
figure:: _figures/11.jpg\r\n        :height: 60px\r\n        :width: 200 px\r\n        :scale: 230 %\r\n        :alt: alternate text\r\n        :align: center\r\n\r\nMore detailed information on this API request can be found `here \u003chttp://bit.ly/37hyQw3\u003e`_.\r\n\r\n\r\n6. Get the Zone Name for your Lab\r\n*********************************\r\n\r\nThis Lab contains an API that provides utility functions including DNS management, geo proximity load balance testing, and limited (targeted) attacks on specific instances. The first step to identify your individual lab is to retrieve the Zone Name for your lab with the following API Call:\r\n\r\n\r\n**Get DNS Zone (lab)**\r\n\r\n\r\nClick **Send**. This call will pass your “ACCESS_TOKEN” in the header of the request to the Labs API in order to validate the existence of your F5 account \u0026 return a ZONE name unique to your lab.\r\n\r\n\r\n\r\nRequest:\r\n\r\n.. figure:: _figures/25.jpg\r\n\r\nThe response will return your test DNS zone **name** and the status.\r\n\r\n.. figure:: _figures/27.jpg\r\n\r\nSending this request will automatically capture the ZONE variables:\r\n\r\n.. figure:: _figures/26.jpg\r\n\r\n\r\nThis ZONE name will be used throughout the lab as the domain name for your test applications.\r\n\r\n7. User Account Operations\r\n**************************\r\n\r\n\r\n`a)` Get User Membership to F5 Cloud Services accounts\r\n\r\n**Get User Membership** returns info on your main user’s access to F5 Cloud Services accounts, which are owned/full rights and which are limited.\r\n\r\n.. figure:: _figures/89.jpg\r\n\r\nYou will see account ids, names, roles and other information in the body of the response. The “role_id” will correspond to the unique IDs returned in section 6.b.1.\r\n\r\n.. figure:: _figures/29.jpg\r\n\r\nYour \"account_id\" will be retrieved using \"account_name\" and used for creating user's instances.\r\n\r\n.. 
figure:: _figures/28.jpg\r\n        :height: 50px\r\n        :width: 170 px\r\n        :scale: 230 %\r\n        :alt: alternate text\r\n\r\nMore detailed information on this API request can be found `here \u003chttp://bit.ly/2Gfu1r3\u003e`_.\r\n\r\n`b)` Retrieve information on available catalogs and their IDs\r\n\r\nSelect the **Get Catalogs** request and click **Send** to retrieve data about the available Catalogs and their IDs.\r\n\r\n.. figure:: _figures/90.jpg\r\n\r\nAs you see there are a number of catalogs available:\r\n\r\n.. figure:: _figures/31.jpg\r\n\r\nThe retrieved IDs are then stored for subsequent calls using a function inside Postman to set environment variables. You can see the test function in the \"Tests\" tab:\r\n\r\n.. figure:: _figures/30.jpg\r\n\r\nMore detailed information on this API request can be found `here \u003chttp://bit.ly/36j1Yl4\u003e`_.\r\n\r\n`c)` Subscribe to Catalogs using the F5 Cloud Services portal\r\n\r\nYou can subscribe to any of these cloud service catalogs by using the portal or API (assuming you already provided payment / credit card info to enable certain catalogs). There may be free tier and trials that you could take advantage of, see the available options next to each catalog!\r\n\r\nPortal:\r\n\r\n.. figure:: _figures/32.jpg\r\n\r\nIf you haven’t already, you will need to add your payment information or subscribe through AWS Marketplace:\r\n\r\n.. figure:: _figures/33.jpg\r\n\r\nAdd payment card to pay by credit card...\r\n\r\n.. figure:: _figures/200.jpg\r\n\r\n...or initiate the subscription from AWS Marketplace:\r\n\r\n.. figure:: _figures/202.jpg\r\n\r\nAt the time of writing Essential App Protect service provides a free trial, which you can use for the purposes of this lab:\r\n\r\n.. figure:: _figures/201.png\r\n\r\n`d)` Subscribe to Catalog using Postman\r\n\r\n\r\n   `1.` Get the ID of the catalog you want to subscribe to. 
In the earlier example (see point 9.c), the DNS Load Balancer has a “catalog_id” value of “c-aaQnOrPjGu”.\r\n\r\n   `2.` Subscribe to Catalog using API\r\n\r\n\r\n   The **Subscribe to Catalog** request will pass your primary account info (“account_id”) as well as the ID of the desired catalog. From the previous step, we can subscribe to ID “c-aaQnOrPjGu” by replacing the value of “catalog_id” in the Body of the request:\r\n\r\n   .. figure:: _figures/34.jpg\r\n      :height: 50px\r\n      :width: 170 px\r\n      :scale: 230 %\r\n      :alt: alternate text\r\n\r\n   The resulting response will confirm subscription to the service:\r\n\r\n   .. figure:: _figures/105.jpg\r\n      :height: 100px\r\n      :width: 140 px\r\n      :scale: 200 %\r\n      :alt: alternate text\r\n\r\n   This API call can be repeated to subscribe to all desired catalogs. Within the scope of this lab there are the following catalogs:\r\n\r\n   .. csv-table::\r\n     :header: \"Catalog\", \"Catalog_ID\"\r\n     :widths: 5, 4\r\n\r\n     \"DNS\", \"c-aaxBJkfg8u\"\r\n     \"DNS Load Balancer\", \"c-aaQnOrPjGu\"\r\n     \"Essential App Protect\", \"c-aa9N0jgHI4\"\r\n\r\n   You can repeat this call any number of times for different catalogs you’d like to subscribe to by changing the “catalog_id” value.\r\n\r\n\r\n\r\n   `3.` Get Previously Created Subscriptions\r\n\r\n\r\n\r\n   If you have already created subscriptions, you can see them by sending **Retrieve Previously Created Subscriptions**:\r\n\r\n   .. figure:: _figures/91.jpg\r\n\r\n   The response will show the subscription IDs, which you will use to retire them in the “clean up” section of this lab.\r\n\r\n   .. figure:: _figures/29.jpg\r\n      :height: 130px\r\n      :width: 140 px\r\n      :scale: 200 %\r\n      :alt: alternate text\r\n\r\n\r\nF5 DNS Cloud Service\r\n####################\r\n\r\n\r\n1. 
List DNS Subscriptions\r\n**************************\r\n\r\nYou can check your available zones sending the **List DNS Subscriptions** request.\r\n\r\n.. figure:: _figures/92.jpg\r\n\r\nThe first DNS Zone you create is free and the following zones will incur charges.\r\n\r\nYou will see the list of your subscriptions (if any), including subscription IDs, account IDs, user IDs and other related information.  If you don’t have any subscriptions, you will see the following response:\r\n\r\n.. figure:: _figures/39.jpg\r\n\r\n\r\nMore detailed information on this API request can be found `here \u003chttp://bit.ly/30Ixkk5\u003e`_.\r\n\r\n2. Create DNS Subscription\r\n**************************\r\n\r\nSelect the **Create DNS Subscription** request and click **Send** to create a new service instance of Secondary Authoritative DNS using “account_id” and “catalog_id” retrieved a few steps above.\r\n\r\n.. figure:: _figures/93.jpg\r\n\r\nYou will see “subscription_id” and created “service_instance_id” in the body.\r\n\r\n.. figure:: _figures/41.jpg\r\n\r\nThe retrieved \"subscription_id\" is then stored for subsequent calls.\r\n\r\n.. figure:: _figures/40.jpg\r\n\r\nYou can change its status from “DISABLED” to “ACTIVE” sending the **Activate DNS Subscription** request below.\r\nMore detailed information on this API request can be found `here \u003chttp://bit.ly/36fvHLX\u003e`_.\r\n\r\n3. Activate DNS Subscription\r\n****************************\r\n\r\nSelect the **Activate DNS Subscription** request and click **Send**. This will deploy the secondary DNS using “subscription_id” captured in one of the steps above.\r\n\r\n.. figure:: _figures/42.jpg\r\n\r\nYou will see “active” subscription status.\r\n\r\n.. figure:: _figures/43.jpg\r\n\r\nNote that it takes some time to deploy the service, so you can just re-send the same request after a few minutes to see “service_state”: “DEPLOYED”.\r\n\r\n.. 
figure:: _figures/44.jpg\r\n\r\nMore detailed information on this API request can be found `here \u003chttp://bit.ly/36h6tgj\u003e`_.\r\n\r\n4. Get DNS Subscription Zones\r\n*****************************\r\n\r\nSend the **Get DNS Subscription Zones** request which uses DNS “subscription_id” created a few steps above.  This will retrieve a zone file from your primary DNS server.\r\n\r\n.. figure:: _figures/94.jpg\r\n\r\nAs a result, you will get the zone file describing your DNS zone and containing mappings between domain names and IP addresses.\r\n\r\n.. figure:: _figures/46.jpg\r\n\r\nF5 DNS Load Balancer Cloud Service\r\n##################################\r\n\r\n1. Create DNS Load Balancer Subscription\r\n****************************************\r\n\r\nSelect the **Create GSLB Subscription** request and click **Send** to create a new service instance of DNS Load Balancer using “account_id” and “catalog_id” retrieved a few steps above.\r\n\r\n.. figure:: _figures/95.jpg\r\n\r\nYou will see “subscription_id” and created ”service_instance_id” in the body. You may also note that this request will create *only* NA1 endpoint for now. Some more will be created in the subsequent requests.\r\n\r\nYou may also notice that the current proximity rule is set to send traffic from Anywhere to \"usa\" pool. This means that only one endpoint (NA1) will be serving all requests now. We will subsequently configure proper load balancing and geoproximity rules.\r\n\r\n    .. figure:: _figures/48.jpg\r\n        :height: 210px\r\n        :width: 180 px\r\n        :scale: 160 %\r\n        :alt: alternate text\r\n        :align: center\r\n\r\nThe retrieved \"subscription_id\" is then stored for subsequent calls.\r\n\r\n.. figure:: _figures/47.jpg\r\n\r\nYou can change its status from \"DISABLED” to “ACTIVE” sending the **Activate GSLB Subscription** request below.\r\n\r\nMore detailed information on this API request can be found `here \u003chttp://bit.ly/36fvHLX\u003e`_.\r\n\r\n2. 
Activate DNS Load Balancer Subscription\r\n******************************************\r\n\r\nSelect the **Activate GSLB Subscription** request and click **Send**. This will deploy DNS Load Balancer using “subscription_id” captured in one of the steps above.\r\n\r\n.. figure:: _figures/49.jpg\r\n\r\nYou will see “active” subscription status.\r\n\r\n.. figure:: _figures/50.jpg\r\n\r\nNote that it takes some time to deploy the service, so you can just re-send the same request after a few minutes to see “service_state”: “DEPLOYED”.\r\n\r\n.. figure:: _figures/51.jpg\r\n\r\nMore detailed information on this API request can be found `here \u003chttp://bit.ly/36h6tgj\u003e`_.\r\n\r\n3. Test NA Pool\r\n***************\r\n\r\nSend the **Test NA Availability (lab)** request to execute a call against the Lab service API, which in turn uses an external VM (located in the USA) to run a \"wget\" to retrieve the response from the auction website. This should show the only available instance NA1 in the HTML that is returned.\r\n\r\n.. figure:: _figures/52.jpg\r\n\r\nThe response shows that your first instance is available:\r\n\r\n.. figure:: _figures/53.jpg\r\n\r\n4. Add Endpoints \u0026 Pool Members (NA3)\r\n*************************************\r\n\r\nSend the **Add Endpoint \u0026 Pool Members** request to add a few more endpoints for load balancing of the application. Note that three of the new endpoints (AU, EU and NA2) are deployed on Amazon AWS, and one (NA3) is running on Microsoft Azure. NA1, NA2, and NA3 endpoints are aggregated into a pool \"usa\", which demonstrates multi-cloud load balancing.\r\n\r\n.. figure:: _figures/54.jpg\r\n\r\nYou will see all the information on the added endpoints:\r\n\r\n.. figure:: _figures/55.jpg\r\n\r\n5. Test Round Robin (lab)\r\n*************************\r\n\r\nRun the **Test Round Robin (lab)** request to check the response from the Lab service API to test what instance is now being returned. 
This should show a result different from the previous one due to the newly-configured round-robin load balancing.\r\n\r\nNOTE: it's possible that you will still get the same endpoint in the response due to either DNS caching or the 1/3 chance of the same endpoint being pulled from the load-balance pool. Let's try:\r\n\r\n.. figure:: _figures/56.jpg\r\n\r\nAnd check the response:\r\n\r\n.. figure:: _figures/57.jpg\r\n\r\nYou can send the same request to check other instances.\r\n\r\n6. Update Proximity Rule\r\n************************\r\n\r\nRun the **Update Proximity Rules \u0026 Regions** request. This adds new regions \"europe\" and “australia”, and assigns EU and AU endpoints accordingly. It also updates the DNS Load Balancer with new proximity rules: to send the traffic originating in Europe to the \"europe\" pool, and traffic from Australia to the “australia” pool, utilizing a higher relative score than the previous rule of routing traffic from \"Anywhere\" to the \"usa\" pool. This type of geo-proximity based routing is useful for GDPR compliance.\r\n\r\n.. figure:: _figures/58.jpg\r\n\r\nAnd you will see all the information on available pools and regions:\r\n\r\n.. figure:: _figures/59.jpg\r\n\r\n7. Test Proximity Rules (lab)\r\n*****************************\r\n\r\nSend the **Test Proximity Rules (lab)** request, which uses an external VM (located in Europe) to run a \"wget\" to retrieve the response from the auction website. This simulates what an EU-based customer would see when opening this URL in their browser.\r\n\r\n.. figure:: _figures/60.jpg\r\n\r\nHere’s what you should see in the response:\r\n\r\n.. figure:: _figures/61.jpg\r\n\r\nF5 Essential App Protect Service\r\n################################\r\n\r\n1. Create EAP Subscription\r\n**************************\r\n\r\nNow, let's protect the NA2 endpoint with an instance of F5 Essential App Protect service. 
We will start with creating a subscription and retrieving the \"subscription_id\" for the newly-created instance.\r\n\r\nSelect the **Create EAP Subscription** request and click **Send** to create a new service instance of Essential App Protect. Note that this request passes the “account_id” and “catalog_id” values retrieved from the previous steps.\r\n\r\n.. figure:: _figures/96.jpg\r\n\r\nYou will see “subscription_id” and created “service_instance_id” in the body used for the subsequent requests.\r\n\r\n.. figure:: _figures/63.jpg\r\n\r\nThe retrieved \"subscription_id\" is then stored for subsequent calls.\r\n\r\n.. figure:: _figures/62.jpg\r\n\r\nYou can change its status from “DISABLED” to “ACTIVE” by sending the **Activate EAP Subscription** request below.\r\n\r\nMore detailed information on this API request can be found `here \u003chttp://bit.ly/36fvHLX\u003e`_.\r\n\r\n2. Activate EAP Subscription\r\n****************************\r\n\r\nNow let’s activate the subscription created in the step above. Select the **Activate EAP Subscription** request and click **Send**. This will deploy Essential App Protect service using “subscription_id” captured in one of the steps above.\r\n\r\n.. figure:: _figures/64.jpg\r\n\r\nYou will see “active” subscription status.\r\n\r\n.. figure:: _figures/50.jpg\r\n\r\nNote that it takes some time to deploy the service, so you can just re-send the same request after a few minutes to see “service_state”: “DEPLOYED”.\r\n\r\n.. figure:: _figures/51.jpg\r\n\r\nMore detailed information on this API request can be found `here \u003chttp://bit.ly/36h6tgj\u003e`_.\r\n\r\n3. Get EAP Subscription\r\n***********************\r\n\r\nIn order to direct your site’s traffic through Essential App Protect service you need to get “CNAMEValue” using “subscription_id” from the previous steps. 
The CNAME value will then be used to update the DNS record of the app you're protecting, which will then direct traffic to the instance of Essential App Protect that you created. To get \"CNAMEValue\", send the **Get EAP Subscription** request.\r\n\r\n.. figure:: _figures/97.jpg\r\n\r\nYou will see the information for the service and “CNAMEValue”.\r\n\r\n.. figure:: _figures/66.jpg\r\n\r\n“CNAMEValue” and \"service_instance_id\" are then stored for subsequent calls.\r\n\r\n.. figure:: _figures/65.jpg\r\n\r\nMore detailed information on this API request can be found `here \u003chttp://bit.ly/38xUHjc\u003e`_.\r\n\r\n**THIS LAST STEP MAY TAKE SOME TIME TO COMPLETE**\r\n\r\n4. Update EAP CNAME (lab)\r\n*************************\r\n\r\nNow let’s update our DNS settings with the new CNAME. It can be easily done by sending the **Update EAP CNAME (lab)** request. This will direct all of the requests through Essential App Protect first. You can inspect the JSON body for the details of the current configuration. Note that we have chosen to start in \"Monitor\" mode, which we will subsequently update to \"Block\".\r\n\r\n.. figure:: _figures/68.jpg\r\n\r\nYou will see “ok” status in the body if it is executed successfully.\r\n\r\n.. figure:: _figures/69.jpg\r\n\r\n5. Check the Site\r\n*****************\r\n\r\nNow let’s see what our site looks like in a browser. Copy “CNAMEValue” from the **Get EAP Subscription** request and paste it into your browser.\r\n\r\n.. figure:: _figures/70.jpg\r\n\r\nYou will see the NA2 instances of the Auction website and all of the requests will now be flowing through the Essential App Protect. However, any malicious requests will not be blocked, as we have not yet turned on \"Blocking\" mode.\r\n\r\n.. figure:: _figures/71.jpg\r\n\r\n6. 
Start Essential App Protect Attack (lab)\r\n*******************************************\r\n\r\nLet’s now return to Postman and simulate the attacks by sending the **Start EAP Attack (lab)** request.\r\n\r\n.. figure:: _figures/72.jpg\r\n\r\nYou will see “ok” status which means that your zone is being attacked.  In the F5 Cloud Services portal you can see the results of the attacks: their types, severity and some other information (see the next step).\r\n\r\n.. figure:: _figures/69.jpg\r\n\r\n7. Check the Map\r\n****************\r\n\r\nNow let’s see the map of our attacks on the F5 Cloud Services portal. You need to select **Essential App Protect** tab where you will see the dashboard.\r\n\r\n.. figure:: _figures/74.jpg\r\n\r\nFor now, all attacks are not blocked. We will block them sending the **Update Monitor to Block** request in one of the following steps.\r\n\r\n8. Get Essential App Protect Events Stream\r\n********************************************\r\n\r\nNow return to Postman to get more detailed information on the simulated attacks. Send the **Get EAP Events Stream** request which uses “subscription_id” and “service_instance_id”.\r\n\r\n.. figure:: _figures/75.jpg\r\n\r\nYou can see different attack characteristics in the response, including type, country, source IPs, etc.\r\n\r\n.. figure:: _figures/76.jpg\r\n\r\n9. Update Monitoring to Blocking\r\n********************************\r\n\r\nTo change your instance from \"Monitoring\" to \"Blocking\" run **Update Monitor to Block** request which uses your “subscription_id” retrieved in one of the previous steps. You may also want to re-run attacks activated by the **Start EAP Attack (lab)** request as discussed above and observe the change of behavior in the Essential App Protect \"View Events\" screen.\r\n\r\n** **This may take a few seconds** **\r\n\r\n.. figure:: _figures/98.jpg\r\n\r\nYou will see blocked attacks and their information in the response.\r\n\r\n.. figure:: _figures/78.jpg\r\n\r\n10. 
Attacks\r\n***********\r\n\r\nIn this section you can use Postman to initiate a few types of attacks using the GET method against the protected NA2 instance. You can also choose to run your own attacks against the protected instance (CNAME retrieved earlier) by using a browser or tools of your choice.\r\n\r\n`a)` SQL Injection\r\n\r\nThis attack inserts a SQL query via the input data field in the web application. Such attacks could potentially read, modify, or destroy sensitive data. More detailed information can be found `here \u003chttp://bit.ly/2RfmXkw\u003e`_.\r\n\r\nYou can simulate this attack from your local computer by selecting the **Attack: SQL Injection** request and clicking **Send**.\r\n\r\n.. figure:: _figures/99.jpg\r\n\r\nThe result will be shown in the Essential App Protect \"VIEW EVENTS\" section of the F5 Cloud Services portal.\r\n\r\n.. figure:: _figures/100.jpg\r\n\r\n`b)` Illegal Filetype\r\n\r\nThis attack combines valid URL path segments with invalid input to guess or brute-force the download of sensitive files or data. More detailed information can be found `here \u003chttp://bit.ly/30NrAFF\u003e`_.\r\n\r\nYou can simulate this attack from your local computer by selecting the **Attack: Illegal Filetype** request and clicking **Send**.\r\n\r\n.. figure:: _figures/101.jpg\r\n\r\nThe result will be shown in the Essential App Protect \"VIEW EVENTS\" section of the F5 Cloud Services portal.\r\n\r\n.. figure:: _figures/102.jpg\r\n\r\n`c)` Threat Campaign\r\n\r\nThis category covers attacks that F5 Labs tracks as coordinated campaigns exploiting known vulnerabilities. This particular attack simulates the use of a known Tomcat backdoor vulnerability. The complete list of such threats can be found `here \u003chttp://bit.ly/36bPmfG\u003e`_.\r\n\r\nYou can simulate this attack from your local computer by selecting the **Attack: Threat Campaign** request and clicking **Send**.\r\n\r\n.. 
figure:: _figures/103.jpg\r\n\r\nThe result will be shown in the Essential App Protect \"VIEW EVENTS\" section of the F5 Cloud Services portal.\r\n\r\n.. figure:: _figures/104.jpg\r\n\r\nClean Up\r\n#########\r\n\r\n1. Retire the Services\r\n**********************\r\n\r\nAt this point feel free to explore and repeat any of the previous steps of the lab, but should you want to clean up the resources you've created and remove your service **Subscriptions**, then follow the steps below:\r\n\r\n`a)` DNS\r\n\r\nSend the **Retire DNS Subscription** request which uses the relevant “subscription_id”.\r\n\r\n.. figure:: _figures/79.jpg\r\n\r\nYou will see “retired” status in the response body which means that it’s not available on the F5 Cloud Services portal anymore.\r\n\r\n.. figure:: _figures/80.jpg\r\n\r\nMore detailed information on these API requests can be found `here \u003chttp://bit.ly/2Gf166I\u003e`_.\r\n\r\n`b)` DNS Load Balancer\r\n\r\nSend the **Retire GSLB Subscription** request which uses the relevant “subscription_id”.\r\n\r\n.. figure:: _figures/81.jpg\r\n\r\nYou will see “retired” status in the response body which means that it’s not available on the F5 Cloud Services portal anymore.\r\n\r\n.. figure:: _figures/80.jpg\r\n\r\nMore detailed information on these API requests can be found `here \u003chttp://bit.ly/2Gf166I\u003e`_.\r\n\r\n`c)` Essential App Protect\r\n\r\nSend the **Retire EAP Subscription** request which uses the relevant “subscription_id”.\r\n\r\n.. figure:: _figures/82.jpg\r\n\r\nYou will see “retired” status in the response body which means that it’s not available on the F5 Cloud Services portal anymore.\r\n\r\n.. figure:: _figures/80.jpg\r\n\r\nMore detailed information on these API requests can be found `here \u003chttp://bit.ly/2Gf166I\u003e`_.\r\n\r\n2. Clear Tokens from the Lab Service API\r\n****************************************\r\n\r\n`a)` Send the **Retire DNS Zone** request to remove or reset the zone file. 
You will get a response with status code \"200 OK\".\r\n\r\n.. figure:: _figures/111.jpg\r\n\r\n`b)` We recommend that you clear your tokens from the Lab Service API for security purposes.\r\n\r\nIn order to do that, send the **Logout** request, which uses your **ACCESS_TOKEN**:\r\n\r\n.. figure:: _figures/108.png\r\n\r\nYou will get the following response with the status showing \"200 OK\":\r\n\r\n.. figure:: _figures/109.jpg\r\n\r\nYour **ACCESS_TOKEN** will be considered invalid:\r\n\r\n.. figure:: _figures/110.png\r\n\r\nFinal Notes\r\n###########\r\n\r\nBy this point you will have done the following:\r\n\r\n* Configured a Postman account used for sending API requests to F5 Cloud Services and Lab Service\r\n\r\n* Created app infrastructure using F5 Cloud Services\r\n\r\n* Set up the following F5 Cloud Services by sending API requests in Postman: DNS, DNS Load Balancer and Essential App Protect\r\n\r\n* Created your zone which was used as the domain name to work with the F5 Cloud Services portal\r\n\r\n* Subscribed to the services and created secondary DNS for your primary one, endpoints and pools across Azure and AWS clouds for DNS Load Balancer\r\n\r\n* Set up an Essential App Protect instance and let all requests to the main domain go through it first\r\n\r\n* Simulated attacks of various types to verify the performance of Essential App Protect\r\n\r\n* Had fun with F5 Cloud Services!\r\n\r\nFeedback / Comments\r\n###################\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff5devcentral%2Ff5-cloudservicelab","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ff5devcentral%2Ff5-cloudservicelab","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff5devcentral%2Ff5-cloudservicelab/lists"}