How to Use WAF of Application Gateway With AKS

Introduction

WAF is used in many cases if it is configured with security in mind, but when I try to use it, I may not understand it at first glance, so I decided to write this. Especially, when combined with AKS AGIC, it becomes more complicated, so we focus on that part.

WAF in Azure

When trying to use WAF on Azure, there are three options:

  • Application Gateway
  • Front Door
  • Content Delivery Network

This time we focus on Application Gateway

Conditions for using Application Gateway with WAF

There are multiple SKUs in Application Gateway, but you need to use when combined with AKS’s

If You decide to use WAF in Application Gateway Ingress Controller You must use WAF V2 unfortunately the price is not low.

Methods that WAF can be used with Application Gateway

There are two main methods for using WAF with Application Gateway.

  • Use the WAF rules built into the Application Gateway
  • Create a WAF policy and attach it to the Applicaiton Gateway

In addition, when attaching a WAF policy, you can select the scope.

  • Application Gateway
  • HTTP Listener
  • Route Path

This is a mechanism to apply different WAF policies to each site when hosting multiple sites with Application Gateway.

How to write AGIC annotation

Basically, all information it is on the AGIC page of azure.github.io

Example of configuration:

apiVersion: extensions/v1
kind: Ingress
metadata:
name: ad-server-ingress
namespace: commerce
annotations:
kubernetes.io/ingress.class: azure/application-gateway
appgw.ingress.kubernetes.io/waf-policy-for-path: "/subscriptions/abcd/resourceGroups/rg/providers/Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/adserver"

spec:
rules:
- http:
paths:
- path: /ad-server
backend:
serviceName: ad-server
servicePort: 80
- path: /auth
backend:
serviceName: auth-server
servicePort: 80

That’s it!

Below are some answers that I found while working with AGIC

  • Is it possible to change the Application Gateway SKU to WAF V2 and then back to Standard V2?
    Yes, if you are using the built-in WAF, but if you associate a WAF policy, it is currently not possible because complete disassociation is not supported.
  • What happens if I annotate the Standard V2 Application Gateway waf-policy-for-path?
    It will be a 502 Bad Gateway, so don’t do it, even if you annotate it, it will not change to WAF V2 without permission.
  • What happens if I annotate with the built-in WAF rule enabled waf-policy-for-path?
    Coexistence is possible. In the annotation, the specified WAF policy is valid only for the target HTTP listener the built-in WAF rules apply to other listeners.
  • Is it possible to manually delete or overwrite the WAF policy associated with AGIC in the Azure portal?
    However, it is an act that you should not think normally. You should never do it.
  • What happens if I apply a WAF policy to the entire Application Gateway with the WAF built into the Application Gateway enabled?
    A confirmation dialog will appear properly. However, please note that if you do this, you will not be able to revert to Standard V2.

 by the author.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store