2.1.1. Task – Setup basic cloud components in Azure

Basic cloud components are needed first. Things like Virtual Networks and Resource Groups are required prior to deployment of virtual machines. You will configure these items in preparation for the WordPress deployment.

  1. Log into the Microsoft Azure Portal – https://portal.azure.com

  2. Click the green + Create a resource at the top left corner of the screen

  3. Click on Networking

  4. Click on Virtual network

    Use the information provided in Table 2.1 below to create a virtual network. Replace ## with your assigned student#.

    Table 2.1

    Key             Value
    Name            student##_vnet
    Address space   10.10.0.0/16
    Subscription    <User Unique>
    Resource group  Create new: student##-rg
    Location        <Closest Azure DC>
    Address Range   10.10.0.0/22

  5. Click Create then continue after “Deployment succeeded” notification.

2.1.2. Task – Deploy WordPress within Azure

In this task you will deploy a virtual machine and install the WordPress application.

  1. Click the green + Create a resource sign at the top left corner of the screen

  2. Start searching the marketplace by typing ‘bitnami wordpress’ in the search field and hit Enter

  3. Select WordPress Certified by Bitnami

  4. Click on Create at the bottom of the screen

    Use the information in Table 2.2 to complete the “Basics” configuration page during this deployment.

    Table 2.2

    Key                   Value
    Resource Group        Use existing: student##-rg
    Virtual machine name  student##-wp
    Region                <Closest Azure DC>
    Size                  Change: Basic A1
    Authentication type   Password
    Username              azureuser
    Password              ChangeMeNow123

  5. Click Review + create at the bottom of the page

  6. Supply your email and phone number for validation

  7. Click Purchase or Create. You will receive status “Deployment underway”. Continue on after receiving “Your deployment is complete”.

  8. Go to Resource groups and click on your resource group

  9. Select your WordPress “Public IP address”

  10. Verify that https://<WordPress-Public-IP> displays the WordPress blog

    • You may have to accept the security warning

    Note

    Remember the WordPress public IP address. It will be used in subsequent steps. It can take 10 minutes before the page loads.

2.1.3. Task – Deploy a new F5 BIG-IP VE in Azure

In this task you will deploy a virtual machine and install the BIG-IP.

  1. Click the green + Create a resource sign at the top left corner of the screen

  2. Search the marketplace by typing ‘F5 Better’ in the search field and hit Enter. Take your time to view the different F5 products available.

  3. Click F5 BIG-IP Virtual Edition - BETTER (PAYG, 25Mbps)

    Note

    All hourly offerings include a 30 day free trial as well as access to F5 premium support.

  4. Click Create

    You will now start the deployment process. Use the information provided in Table 1.1 below to complete the “Create virtual machine” Basics page.

    Table 1.1

    Key                     Value
    Resource Group          Use existing: student##-rg
    Virtual machine name    student##-f5
    Region                  <Closest Azure DC>
    Size                    Change: Standard DS2_v2
    Authentication type     Password
    Username                azureuser
    Password                ChangeMeNow123
    Public inbound ports    Allow selected ports
    Selected inbound ports  HTTPS, SSH

  5. Click Review + Create

  6. Review the “Summary” page and the purchase you are about to make

  7. Supply your email and phone number for validation

  8. Click Create. You will receive status “Deployment underway”. Continue on after receiving “Your deployment is complete”.

2.1.4. Task – Allow management and HTTPS access to the BIG-IP

In this task you will permit management access and HTTPS access to the BIG-IP by modifying the Network Security Group “Inbound” network access rule set.

  1. Select the student##-f5-nsg Network security group

  2. Review the existing ruleset. Notice the default inbound rules and HTTPS selected during an earlier step.

    Next, add a rule to allow HTTPS on port 8443 for F5 BIG-IP management by clicking “Inbound security rules” on the left of the screen.

  3. Click Inbound security rules

  4. Click + Add

    Using the information provided in Table 1.4, add a rule to allow F5 BIG-IP management traffic.

    Table 1.4

    Key               Value
    Source            Any
    Source Port       *
    Destination       Any
    Destination Port  8443
    Protocol          Any
    Action            Allow
    Priority          100
    Name              f5_mgmt_8443

  5. Click Add

  6. When complete, verify that the f5_mgmt_8443 rule appears in the list of inbound security rules.

  7. Select Resource Group > student##-rg > student##-f5, then Networking, to view the public and private addresses of the F5 BIG-IP virtual machine.

  8. Connect to the F5 GUI by going to https://<F5-BIG-IP-public-IP>:443

  9. Accept the SSL certificate warning

  10. Log into the BIG-IP using the credentials configured in the previous steps (Username: azureuser, Password: ChangeMeNow123)

  11. Click Next on Setup Utility

  12. Click Next on Setup Utility -> License

  13. Click Next on Setup Utility -> Resource Provisioning

  14. Click Next on Setup Utility -> Device Certificates

  15. Enter Hostname and Password using info below then click Next

    Table 1.5

    Key       Value
    Hostname  student.f5demo.com
    Password  ChangeMeNow123

  16. Click Finished on Setup Utility -> Network

  17. SSH to azureuser@<F5-BIG-IP-public-IP> and enter the password

  18. Type modify sys httpd ssl-port 8443

  19. Type modify net self-allow defaults add { tcp:8443 }

  20. Type modify net self-allow defaults delete { tcp:443 }

  21. Type save sys config

  22. Reconnect to the F5 GUI by going to https://<F5-BIG-IP-public-IP>:8443

2.1.5. Task – Allow Internet access to WordPress through the BIG-IP

In this task you will configure the BIG-IP with a Virtual Server and Pool to allow inbound Internet access to the WordPress application. First we need to identify the private IP address for the WordPress instance. Let’s go back to the Microsoft Azure Portal.

  1. Select Resource Group > student##-rg > student##-wp, then Networking, to view the public and private addresses of the WordPress virtual machine.

    Note

    Remember the WordPress private IP address. It will be used in subsequent steps.

  2. Connect to the BIG-IP using https://<F5-public-IP>:8443

  3. From the BIG-IP GUI, go to Local traffic -> Pools -> Pool List and click on the + sign. Configure the pool using the information provided in Table 1.8 below leaving all other fields set to defaults.

    Table 1.8

    Key             Value
    Name            wordpress_pool
    Health Monitor  HTTPS
    Node Name       wordpress
    Address         <your WordPress private IP address>
    Service Port    443

  4. Click Finished. When configured correctly, the pool status will be green.

    You now need to configure the Virtual server. To do this, you first need to find the private IP of your F5 BIG-IP.

  5. From the BIG-IP GUI, go to Network -> Self IPs and note the IP Address

  6. Create a virtual server by going to Local Traffic -> Virtual Servers -> Virtual Server List and click on the + sign. Configure the Virtual Server using the information provided in Table 1.9 below leaving all other fields set to defaults.

    Table 1.9

    Key                         Value
    Name                        vs_wordpress
    Destination Address         <Self IP address of the BIG-IP>
    Service Port                443
    SSL Profile (Client)        clientssl
    SSL Profile (Server)        serverssl
    Source Address Translation  Auto Map
    Default Pool                wordpress_pool

  7. Click Finished

    You have now completed the BIG-IP configuration for the WordPress application. To verify proper functionality, let’s browse the site and verify F5 statistics.

  8. Open a browser to https://<F5-public-VIP-IP> and ensure it displays your WordPress blog.

    Note

    As part of this task, you will see a certificate warning. You can ignore it because you did not generate the server certificates in this lab. In real life, you would ensure you have installed valid certificates.

  9. Now check the statistics of your virtual server to verify traffic flow, by navigating to Statistics -> Module Statistics -> Local Traffic

  10. Under Statistics Type, select Virtual Servers

2.1.6. Task – Disable direct Internet access to WordPress

You now need to modify the Network security group to remove direct inbound access to the WordPress application.

  1. Select Resource Group > student##-rg > student##-wp-nsg, then Inbound security rules

  2. Click on the link at the far right side of the HTTPS inbound rule and select Delete

    Note

    You will only allow web access to the WordPress blog via the F5 BIG-IP.

  3. Confirm the delete action when prompted by clicking Yes

  4. Verify that https://<WordPress-Public-IP> does NOT display the WordPress blog
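
The inbound rule sets produced by Tasks 2.1.4 and 2.1.6 can be checked offline with a first-match evaluator that reports which ports any Internet source can reach, including the management port opened with Source Any in Table 1.4. This is an added example, not part of the original lab guide or any F5 or Microsoft tooling; field names follow the JSON printed by az network nsg rule list, the rule sets are constructed, and the HTTPS/SSH rule names and priorities are assumptions.

```python
# Added example: first-match NSG evaluation. Fields as in `az network nsg rule list -o json`.

def _rule(name, priority, access, source, port, protocol="*"):
    return {"name": name, "priority": priority, "direction": "Inbound", "access": access,
            "protocol": protocol, "sourceAddressPrefix": source, "destinationPortRange": port}

# Inbound default rules that Azure adds to every NSG.
DEFAULT_RULES = [
    _rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    _rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
    _rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]
ANY_SOURCE = {"*", "any", "internet", "0.0.0.0/0"}
MGMT_PORTS = (22, 8443)  # SSH and the BIG-IP GUI port set in Task 2.1.4

def port_matches(rule, port):
    """True if the rule's port spec ('*', '443', '8000-8100') covers port."""
    specs = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "")]
    for spec in specs:
        low, _, high = str(spec).partition("-")
        high = high or low
        if spec == "*" or (low.isdigit() and high.isdigit() and int(low) <= port <= int(high)):
            return True
    return False

def internet_verdict(rules, port, protocol="Tcp"):
    """(access, rule name) of the first rule hit by traffic from an arbitrary Internet host."""
    for r in sorted(rules + DEFAULT_RULES, key=lambda r: r["priority"]):
        if r["direction"].lower() != "inbound" or r["sourceAddressPrefix"].lower() not in ANY_SOURCE:
            continue  # rules scoped to a service tag or CIDR are not evaluated here
        if r["protocol"].lower() in ("*", protocol.lower()) and port_matches(r, port):
            return r["access"], r["name"]
    return "Deny", "no matching rule"

def open_mgmt_ports(rules):
    """Management ports that any Internet source can reach."""
    return [p for p in MGMT_PORTS if internet_verdict(rules, p)[0] == "Allow"]

# Constructed rule sets mirroring the lab. HTTPS/SSH names and priorities are
# assumptions; f5_mgmt_8443 is the rule from Table 1.4.
F5_NSG = [_rule("HTTPS", 300, "Allow", "*", "443", "Tcp"),
          _rule("SSH", 320, "Allow", "*", "22", "Tcp"),
          _rule("f5_mgmt_8443", 100, "Allow", "*", "8443")]
WP_NSG_BEFORE = [_rule("HTTPS", 300, "Allow", "*", "443", "Tcp")]
WP_NSG_AFTER = []  # Task 2.1.6 deleted the HTTPS rule

if __name__ == "__main__":
    for label, nsg in (("f5", F5_NSG), ("wp before", WP_NSG_BEFORE), ("wp after", WP_NSG_AFTER)):
        print(label, {p: internet_verdict(nsg, p) for p in (22, 443, 8443)})
```

A management port returned by open_mgmt_ports is a candidate for a narrower Source value, such as the address range you administer from.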


2.1.7. Task – Lab 1 Teardown

Skip this Task if you intend to do the Azure Security Center Lab.

  1. Delete resource group student##-rg created earlier in this lab.

    • From Azure Portal select Resource Group
    • Select on right side of the resource group created earlier
    • Select delete. You will be prompted to enter the resource group name again for confirmation.

  2. Enter resource group name when prompted for resource group to be deleted.


This concludes Lab 1