Moving to the Cloud can be tough. The Department of Defense (DoD) has requirements to protect the Defense Information System Networks (DISN) and DoD Information Networks (DoDIN), even for workloads residing in a Cloud Service Provider (CSP). Per the SCCA Functional Requirements Document, the purpose of SCCA is to provide a barrier of protection between the DISN and commercial cloud services used by the DoD.
“It specifically addresses attacks originating from mission applications that reside within the Cloud Service Environment (CSE) upon both the DISN infrastructure and neighboring tenants in a multi-tenant environment. It provides a consistent CSP independent level of security that enables the use of commercially available Cloud Service Offerings (CSO) for hosting DoD mission applications operating at all DoD Information System Impact Levels (i.e. 2, 4, 5, & 6).” * https://dl.dod.cyber.mil/wp-content/uploads/cloud/pdf/SCCA_FRD_v2-9.pdf
This solution uses Terraform to launch a Single Tiered or Three Tier deployment of three NIC cloud-focused BIG-IP VE cluster(s) (Active/Standby) in Microsoft Azure. This is the standard cloud design where the BIG-IP VE instance is running with three interfaces, where both management and data plane traffic is segregated.
The BIG-IP VEs have the following features / modules enabled:
-
- Firewall with Intrusion Protection and IP Intelligence only available with BYOL deployments today.
- Important: When you configure the admin password for the BIG-IP VE in the template, you cannot use the character #. Additionally, there are a number of other special characters that you should avoid using for F5 product user accounts. See K2873 for details.
- This template requires a service principal, one will be created in the provided script at ./prepare/setupAzureGovVars_local.sh.
- Important For gov cloud deployments its important to run this script to prepare your environment, whether local or Azure Cloud CLI based. There are extra env variables that ned to be passed by TF to Gov Cloud Regions.
- This deployment will be using the Terraform Azurerm provider to build out all the neccessary Azure objects. Therefore, Azure CLI is required. for installation, please follow this Microsoft link
- If this is the first time to deploy the F5 image, the subscription used in this deployment needs to be enabled to programatically deploy. For more information, please refer to Configure Programatic Deployment
- You need to set your region and log in to azure ahead of time, the scripts will map your authenitcation credentials and create a service principle, so you will not need to hardcode any credentials in the files.
- All variables are configured in variables.tf
- MOST STIG / SRG configurations settings have been addressed in the Declarative Onboarding and Application Services templates used in this example.
- An Example application is optionally deployed with this template. The example appliation includes several apps running in docker on the host:
- Juiceshop on port 3000
- F5 Demo app by Eric Chen on ports 80 and 443
- rsyslogd with PimpMyLogs on port 808
- Note Juiceshop and PimpMyLogs URLS are part of the terraform output when deployed.
- All Configuration should happen at the root level; auto.tfvars or variables.tf.
-
For PAYG deployments the variables image_name and product need to be configured accordingly, default values are set for PAYG.
-
Example: image_name = f5-bigip-virtual-edition-1g-best-hourly and product = f5-big-ip-best
-
For BYOL deployments the variables image_name, product, and licenses need to be configured accordingly.
-
Example: image_name = f5-big-all-2slot-byol, product = f5-big-ip-byol, and licenses = appropriate licenses.
| Name | Version |
|---|---|
| terraform | ~> 0.13 |
| Name | Version |
|---|---|
| azurerm | n/a |
| Name | Description | Type | Default |
|---|---|---|---|
| projectPrefix | REQUIRED: Prefix to prepend to all objects created, minus Windows Jumpbox | string |
"ccbad9e7" |
| adminUserName | REQUIRED: Admin Username for All systems | string |
"xadmin" |
| adminPassword | REQUIRED: Admin Password for all systems | string |
"pleaseUseVault123!!" |
| location | REQUIRED: Azure Region: usgovvirginia, usgovarizona, etc. For a list of available locations for your subscription use az account list-locations -o table |
string |
"usgovvirginia" |
| region | Azure Region: US Gov Virginia, US Gov Arizona, etc | string |
"US Gov Virginia" |
| deploymentType | REQUIRED: This determines the type of deployment; one tier versus three tier: one_tier, three_tier | string |
"three_tier" |
| deployDemoApp | OPTIONAL: Deploy Demo Application with Stack. Recommended to show functionality. Options: deploy, anything else. | string |
"deploy" |
| sshPublicKey | OPTIONAL: ssh public key for instances | string |
"" |
| sshPublicKeyPath | OPTIONAL: ssh public key path for instances | string |
"/mykey.pub" |
| cidr | REQUIRED: VNET Network CIDR | string |
"10.90.0.0/16" |
| subnets | REQUIRED: Subnet CIDRs | map(string) |
{ |
| f5_mgmt | F5 BIG-IP Management IPs. These must be in the management subnet. | map(string) |
{ |
| f5_t1_ext | Tier 1 BIG-IP External IPs. These must be in the external subnet. | map(string) |
{ |
| f5_t1_int | Tier 1 BIG-IP Internal IPs. These must be in the internal subnet. | map(string) |
{ |
| f5_t3_ext | Tier 3 BIG-IP External IPs. These must be in the waf external subnet. | map(string) |
{ |
| f5_t3_int | Tier 3 BIG-IP Internal IPs. These must be in the waf internal subnet. | map(string) |
{ |
| internalILBIPs | REQUIRED: Used by One and Three Tier. Azure internal load balancer ips, these are used for ingress and egress. | map(string) |
{} |
| ilb01ip | REQUIRED: Used by One and Three Tier. Azure internal load balancer ip, this is used as egress, must be in internal subnet. | string |
"10.90.2.10" |
| ilb02ip | REQUIRED: Used by Three Tier only. Azure waf external load balancer ip, this is used as egress, must be in waf_ext subnet. | string |
"10.90.6.10" |
| ilb03ip | REQUIRED: Used by Three Tier only. Azure waf external load balancer ip, this is used as ingress, must be in waf_ext subnet. | string |
"10.90.6.13" |
| ilb04ip | REQUIRED: Used by Three Tier only. Azure waf external load balancer ip, this is used as ingress, must be in inspect_external subnet. | string |
"10.90.4.13" |
| app01ip | OPTIONAL: Example Application used by all use-cases to demonstrate functionality of deploymeny, must reside in the application subnet. | string |
"10.90.10.101" |
| ips01ext | Example IPS private ips | string |
"10.90.4.4" |
| ips01int | n/a | string |
"10.90.5.4" |
| ips01mgmt | n/a | string |
"10.90.0.8" |
| winjumpip | REQUIRED: Used by all use-cases for RDP/Windows Jumpbox, must reside in VDMS subnet. | string |
"10.90.3.98" |
| linuxjumpip | REQUIRED: Used by all use-cases for SSH/Linux Jumpbox, must reside in VDMS subnet. | string |
"10.90.3.99" |
| instanceType | BIGIP Instance Type, DS5_v2 is a solid baseline for BEST | string |
"Standard_DS5_v2" |
| jumpinstanceType | Be careful which instance type selected, jump boxes currently use Premium_LRS managed disks | string |
"Standard_B2s" |
| appInstanceType | Demo Application Instance Size | string |
"Standard_DS3_v2" |
| image_name | REQUIRED: BIG-IP Image Name. 'az vm image list --output table --publisher f5-networks --location [region] --offer f5-big-ip --all' Default f5-bigip-virtual-edition-1g-best-hourly is PAYG Image. For BYOL use f5-big-all-2slot-byol | string |
"f5-bigip-virtual-edition-1g-best-hourly" |
| product | REQUIRED: BYOL = f5-big-ip-byol, PAYG = f5-big-ip-best | string |
"f5-big-ip-best" |
| bigip_version | REQUIRED: BIG-IP Version. Note: verify available versions before using as images can change. | string |
"14.1.400000" |
| licenses | BIGIP Setup Licenses are only needed when using BYOL images | map(string) |
{ |
| hosts | n/a | map(string) |
{ |
| dns_server | REQUIRED: Default is set to Azure DNS. | string |
"168.63.129.16" |
| asm_policy | REQUIRED: ASM Policy. Examples: https://github.com/f5devcentral/f5-asm-policy-templates. Default: OWASP Ready Autotuning | string |
"https://raw.githubusercontent.com/f5devcentral/f5-asm-policy-templates/master/owasp_ready_template/owasp-auto-tune-v1.1.xml" |
| ntp_server | n/a | string |
"time.nist.gov" |
| timezone | n/a | string |
"UTC" |
| onboard_log | n/a | string |
"/var/log/startup-script.log" |
| tags | Environment tags for objects | map(string) |
{ |
| Name | Description |
|---|---|
| DemoApplication_443 | Public IP for applications. Https for example app, RDP for Windows Jumpbox, SSH for Linux Jumpbox |
| rSyslogdHttp_8080 | Public IP for applications. Https for example app, RDP for Windows Jumpbox, SSH for Linux Jumpbox |
| tier_one | One Tier Outputs: VM IDs, VM Mgmt IPs, VM External Private IPs |
| tier_three | Three Tier Outputs: VM IDs, VM Mgmt IPs, VM External Private IPs |
For deployment you can do the traditional terraform commands or use the provided scripts.
terraform init
terraform plan
terraform applyOR
./demo.shThere is also a dockerfile provided, use make [options] to build as needed.
make build
make shell || make azure || make govFor destruction / tear down you can do the trafitional terraform commands or use the provided scripts.
terraform destroyOR
./cleanup.shmake destroy || make revolutionOutline any requirements to setup a development environment if someone would like to contribute. You may also link to another file for this information.
# test pre commit manually
pre-commit run -a -v