Purpose of the demo: Install PT Web Application Firewall (hereinafter, PT WAF) in Yandex.Cloud in a fault-tolerant configuration.
- Description
- Deployment
- Description of the steps of working with PT WAF
- Checking the traffic flow and fault tolerance
- Additional materials: configuring PT WAF clustering and Application Load Balancer
Steps to be completed during the workshop:
- Installing the infrastructure using Terraform (Infrastructure as a Code).
- Installation and basic configuration of PT WAF Cluster in two Yandex.Cloud availability zones.
Fault tolerance is provided by:
- Clustering of the PT WAF in Active-Active mode
- Balancing of traffic using External-LB Yandex.Cloud
- Using Cloud Function in Yandex.Cloud to monitor the status of PT WAFs and, if they fail, direct the traffic to applications —
BYPASS
.
It is assumed that in Yandex.Cloud, the client has already deployed an unsafe external scenario of publishing a VM, that is, a VM running web applications in two availability zones. It also runs an external network load balancer.
To implement the entire diagram from scratch, use the playbook in the from-scratch folder
- Download an archive with files pt_archive.zip.
- Go to the folder with files.
- Add relevant parameters to the variables.tf file (comments indicate the necessary yc commands to get the values).
- Execute the Terraform initialization command:
terraform init
- Execute the load-balancer import command:
terraform import yandex_lb_network_load_balancer.ext-lb $(yc load-balancer network-load-balancer list --format=json | jq '.[].id' | sed 's/"//g')
- Execute the Terraform startup command:
terraform apply
- Enable NAT on ext-subnet-a and ext-subnet-b (so that PT WAF can go online for updates and activate the license).
- Assign the security group
app-sg
to the VM app-a and app-b.
Video instructions:
- Forward SSH ports to connect to PT AF servers (needs to be executed in two different terminal windows):
ssh -L 22001:192.168.2.10:22013 -L 22002:172.18.0.10:22013 -L 8443:192.168.2.10:8443 -L 127.0.0.2:8443:172.18.0.10:8443 -i ./pt_key.pem yc-user@$(yc compute instance list --format=json | jq '.[] | select( .name == "ssh-a")| .network_interfaces[0].primary_v4_address.one_to_one_nat.address '| sed 's/"//g')
This opens the SSH terminal (broker machine) — leave it open.
- Connect to ptaf-a:
ssh -p 22001 -i pt_key.pem yc-user@localhost -o StrictHostKeyChecking=no
- List the current DB password:
sudo wsc -c 'password list'
- Execute the cluster autoconfiguring script:
/home/pt/cluster.sh
- Connect to ptaf-b:
ssh -p 22002 -i pt_key.pem yc-user@localhost -o StrictHostKeyChecking=no
- Set the DB password from the previous step:
sudo wsc -c 'password set <master password>'
(it must be the same as the password on the master node)
- Execute the cluster autoconfiguring script:
/home/pt/cluster.sh
- First, run synchronization on the Slave server using the commands:
ssh -p 22002 -i pt_key.pem yc-user@localhost -o StrictHostKeyChecking=no
sudo wsc
Enter 0
config commit
- Wait for the message on the Slave server:
TASK: [mongo | please configure all other nodes of your cluster]
. After that, switch to the Master server and start syncing with similar commands:
ssh -p 22001 -i pt_key.pem yc-user@localhost -o StrictHostKeyChecking=no
sudo wsc
Enter 0
config commit
If the config commit command fails on the Master, apply the command again.
-
Next, the configuration on the Master node stopped at the message:
TASK: [mongo | wait config sync on secondary nodes]
. Manually execute the command on the Slave node:config sync
. -
On the Slave, run:
config sync
- On the Master, run:
config sync
- On the Master, run:
mongo --authenticationDatabase admin -u root -p $(cat /opt/waf/conf/master_password) waf --eval 'c = db.sentinel; l = c.findOne({_id: "license"}); Object.keys(l).forEach(function(k) { if (l[k].ip) { delete l[k].ip; l[k].hostname = "yclicense.ptsecurity.ru" }}); c.update({_id: l._id}, l)'
-
Open in the browser: https://127.0.0.1:8443
-
Enter the standard login admin and password positive, change the password, for example, to
P@ssw0rd
. -
Open the tab Configuration → Network → Gateways by clicking on the pencil icon (Edit).
-
On each of the gateways, select the Active option.
-
On each of the gateways, on the Network tab, define the aliases
mgmt
,wan
,lan
for theeth-ext1
interface. -
Create an upstream on the tab Configuration → Network → Upstreams:
-
Name:
internal-lb
-
Backend Host: enter the address of the Yandex.Cloud internal load balancer
-
Backend port:
80
-
Create a service on the tab Configuration → Network → Services:
-
Name:
app
-
Net interface alias:
wan
-
Listen port:
80
-
Upstream:
internal-lb
-
Edit an existing Any web application on the Configuration → Security → Web Applications tab:
-
Service:
app
- Look at the external IP address of your external load balancer.
- Disable ptaf-a and make sure that the traffic is passing.
- Disable app-a and make sure that the traffic is passing.
- Disable ptaf-b and make sure that
BYPASS
applies and the traffic switches over directly to the internal load balancer. - Turn on ptaf-a, ptaf-b, and make sure that traffic goes through ptaf again.
In this model, you can use Yandex Application Load Balancer.
There are detailed instructions on enabling a virtual hosting (including integration with Certificate Manager to manage SSL certificates).