Secure and Manage SSL/TLS in F5 NGINXaaS for Google Cloud
By F5 DevCentral Community
Key Concepts
- NGINX (F5 NGINXaaS): A platform for deploying applications on Google Cloud.
- Private Service Connect (PSC): A networking service that allows private connectivity between VPC networks without using public IPs.
- Network Endpoint Group (NEG): A resource representing a group of endpoints for a backend service. Used here with PSC.
- SSL/TLS: Protocols for creating an encrypted connection between a web server and a browser.
- SSL Termination: The process of decrypting SSL/TLS traffic at the load balancer, reducing the load on the application servers.
- Proxy Network Load Balancer: A Google Cloud load balancer that distributes traffic to backends using TCP or UDP.
- Configuration Versioning: Managing different versions of the NGINX configuration for rollback and controlled updates.
Securing NGINX Deployments with HTTPS on Google Cloud
This demonstration details the process of securing an NGINX application deployment on Google Cloud using end-to-end HTTPS. The process involves setting up a regional, public-facing Google Cloud proxy network load balancer, connecting it to the NGINX deployment via Private Service Connect (PSC) and a Network Endpoint Group (NEG), uploading and managing SSL/TLS credentials within the NGINX console, and configuring NGINX to use these credentials for SSL termination at the load balancer.
Setting up the Network Load Balancer
The initial step involves configuring a Google Cloud Network Load Balancer. Specifically, a regional, public-facing proxy type is required for PSC integration. The configuration process, initiated within the Google Cloud Console’s Load Balancing section, includes:
- Naming and Region Selection: Assigning a descriptive name to the load balancer and selecting the appropriate Google Cloud region and Virtual Private Cloud (VPC) network.
- Backend Configuration: Choosing “Private Service Connect network endpoint group” as the backend type. This necessitates creating a new NEG.
- NEG Creation: A new NEG is created by providing a name and pasting the connection string obtained from the NGINX deployment details into the “target service” field. The producer port is set to 443, and the correct VPC network is confirmed.
- Frontend Configuration: Configuring the frontend to listen for secure HTTPS requests. This is achieved by setting the protocol to TCP and the port to 443.
The load balancer provisioning process takes approximately one minute.
Securing the EngineX Deployment with SSL Certificates
While the load balancer provisions, the EngineX console is used to manage SSL/TLS credentials. This involves:
- Accessing Configurations: Navigating to the “Configurations” tab within the EngineX console and selecting the active configuration for editing.
- Uploading Credentials: Adding a new SSL certificate and key by selecting “add file” and then “new SSL certificate SSL bundle”. The certificate type is specified as “SSL certificate and key”.
- File Upload and Path Definition: Uploading the certificate and key files directly into the console. The system then displays the file paths for the uploaded certificate and key. These paths are crucial for the next step.
- Configuration Update: Modifying the NGINX configuration text area to include the necessary SSL server block directives. The ssl_certificate and ssl_certificate_key paths must precisely match the file paths displayed after uploading the certificate and key.
The updated configuration is saved as a new version.
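The server block referred to above, written out as an added example (this is not configuration from the video or from F5). The hostname, certificate and key paths, and the upstream address are placeholders; in a real deployment the two paths must be copied exactly from what the console displays after the upload. Because the load balancer frontend listens on TCP 443 and the NEG producer port is 443, the listener here is 443 as well, and the TLS stream reaches NGINX intact for it to terminate with these credentials.

```nginx
# Added example, not the page's own configuration.
# All paths, names and addresses below are placeholders.

upstream app_backend {
    # Placeholder application endpoint behind NGINX
    server 10.0.0.10:8080;
}

server {
    # Must match the NEG producer port (443) configured on the load balancer
    listen 443 ssl;
    server_name app.example.com;   # placeholder hostname

    # Placeholder paths: replace with the exact paths shown in the NGINX
    # console after uploading the certificate and key. A mismatch here is
    # the most common reason the new configuration version fails to apply.
    ssl_certificate     /etc/nginx/ssl/app.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/app.example.com.key;

    # Hardening beyond the minimum the demo requires: modern protocol
    # versions only, and session resumption to keep handshake cost low.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    location / {
        proxy_pass http://app_backend;
        # Pass client and scheme details so the application sees the
        # original request context rather than the proxy's.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After saving this as a new configuration version and deploying it, a quick defender-side check is to open https://LOAD_BALANCER_IP in a browser and confirm the presented certificate is the one uploaded, not a default or self-signed one.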
Deploying the Secure Configuration
To activate the SSL configuration, the following steps are taken:
- Deployment Settings Access: Returning to the deployment settings and clicking “edit” in the configuration section.
- Configuration Selection: Choosing the newly created configuration and its latest version number from the dropdown menu.
- Deployment Initiation: Clicking “update” to initiate the deployment process.
The deployment process takes a few seconds to complete. Once the status changes to “ready”, the NGINX deployment is actively terminating SSL traffic.
Verification and Architecture Overview
Verification of the successful setup is performed by retrieving the IP address of the created load balancer from the Google Cloud Console and pasting it into a web browser. Successful loading of the application confirms that the connection is secure and functioning correctly.
The resulting architecture provides a secure, high-performance, and fully managed solution for delivering modern applications at scale. It leverages a network endpoint group and a proxy load balancer to establish external access, creating a production-ready entry point for all incoming traffic.
Notable Quote: “By establishing external access through a network endpoint group and a proxy load balancer, we've created a production-ready entry point for all our incoming traffic.”