How to Use WAF of Application Gateway With AKS

Maciej
Feb 10, 2022

Introduction

A WAF is useful in many cases if it is configured with security in mind, but when I first tried to use it I did not understand it at first glance, so I decided to write this up. Combining it with AKS and AGIC in particular makes it more complicated, so that is the part we focus on here.

WAF in Azure

When trying to use WAF on Azure, there are three options:

  • Application Gateway
  • Front Door
  • Content Delivery Network

This time we focus on Application Gateway.

Conditions for using Application Gateway with WAF

There are multiple SKUs in Application Gateway, but you need to use when combined with AKS’s

If you decide to use WAF with the Application Gateway Ingress Controller, you must use the WAF V2 SKU; unfortunately, its price is not low.

Methods that WAF can be used with Application Gateway

There are two main methods for using WAF with Application Gateway.

  • Use the WAF rules built into the Application Gateway
  • Create a WAF policy and attach it to the Application Gateway

In addition, when attaching a WAF policy, you can select the scope.

  • Application Gateway
  • HTTP Listener
  • Route Path

This is the mechanism for applying a different WAF policy to each site when hosting multiple sites behind one Application Gateway.

How to write AGIC annotation

Basically, all of the information is on the AGIC page at azure.github.io.

Example of configuration:

# The original used apiVersion extensions/v1, which does not exist; networking.k8s.io/v1
# is the current Ingress API, so the backend fields use its service/port form.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ad-server-ingress
  namespace: commerce
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    # Full resource ID of the WAF policy AGIC attaches to this Ingress' listener and paths
    appgw.ingress.kubernetes.io/waf-policy-for-path: "/subscriptions/abcd/resourceGroups/rg/providers/Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/adserver"
spec:
  rules:
  - http:
      paths:
      - path: /ad-server
        pathType: Prefix
        backend:
          service:
            name: ad-server
            port:
              number: 80
      - path: /auth
        pathType: Prefix
        backend:
          service:
            name: auth-server
            port:
              number: 80

That’s it!

Below are some answers to questions I ran into while working with AGIC.

  • Is it possible to change the Application Gateway SKU to WAF V2 and then back to Standard V2?
    Yes, if you are using the built-in WAF, but if you associate a WAF policy, it is currently not possible because complete disassociation is not supported.
  • What happens if I annotate a Standard V2 Application Gateway with waf-policy-for-path?
    You will get a 502 Bad Gateway, so don't do it. Adding the annotation does not switch the gateway to WAF V2 on its own.
  • What happens if I annotate with waf-policy-for-path while the built-in WAF rules are enabled?
    Coexistence is possible. The WAF policy specified in the annotation applies only to the target HTTP listener; the built-in WAF rules apply to the other listeners.
  • Is it possible to manually delete or overwrite the WAF policy associated with AGIC in the Azure portal?
    Even so, it is not something you should normally even consider. You should never do it.
  • What happens if I apply a WAF policy to the entire Application Gateway while the WAF built into the Application Gateway is enabled?
    A confirmation dialog appears, as expected. However, note that once you do this you cannot revert to Standard V2.
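As an added pre-deployment check (my own example, not code from the post or from AGIC), this script validates an Ingress object against the gotchas above: it confirms the Ingress is routed to AGIC, that the waf-policy-for-path value is a well-formed WAF policy resource ID, and that the gateway SKU is WAF_v2, since a WAF policy on a Standard_v2 gateway yields 502 Bad Gateway. The Ingress dict is a constructed sample mirroring the manifest above, with placeholder subscription and resource group.

```python
import re
# AGIC annotation keys (documented on azure.github.io) and the class values AGIC recognises
INGRESS_CLASS_ANNOTATION = "kubernetes.io/ingress.class"
AGIC_CLASS_VALUES = {"azure/application-gateway", "azure-application-gateway"}
WAF_POLICY_ANNOTATION = "appgw.ingress.kubernetes.io/waf-policy-for-path"
# Resource ID shape of an Application Gateway WAF policy
WAF_POLICY_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)/providers/"
    r"Microsoft\.Network/applicationGatewayWebApplicationFirewallPolicies/(?P<name>[^/]+)$"
)

def parse_waf_policy_id(resource_id):
    """Split a WAF policy resource ID into subscription, resource group and name; None if malformed."""
    match = WAF_POLICY_ID_RE.match(resource_id)
    return match.groupdict() if match else None

def check_waf_annotation(ingress, gateway_sku):
    """Return findings for one Ingress (dict, as `kubectl get ingress -o json` yields it).
    gateway_sku is the gateway's SKU name, e.g. `az network application-gateway show --query sku.name`."""
    findings = []
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    class_value = annotations.get(INGRESS_CLASS_ANNOTATION) or ingress.get("spec", {}).get("ingressClassName")
    if class_value not in AGIC_CLASS_VALUES:
        findings.append("ingress is not routed to AGIC, so the WAF annotation has no effect")
    policy_id = annotations.get(WAF_POLICY_ANNOTATION)
    if policy_id is None:
        return findings  # no per-path WAF policy requested; nothing more to check
    if parse_waf_policy_id(policy_id) is None:
        findings.append("waf-policy-for-path is not an applicationGatewayWebApplicationFirewallPolicies ID")
    if gateway_sku != "WAF_v2":
        # The post's Q&A: a WAF policy annotation on a Standard_v2 gateway yields 502 Bad Gateway
        findings.append(f"gateway SKU is {gateway_sku}; WAF policies need WAF_v2, expect 502 Bad Gateway")
    return findings

# Constructed sample: the post's manifest as the API server returns it (subscription/RG are placeholders)
SAMPLE_INGRESS = {
    "metadata": {
        "name": "ad-server-ingress", "namespace": "commerce",
        "annotations": {
            INGRESS_CLASS_ANNOTATION: "azure/application-gateway",
            WAF_POLICY_ANNOTATION: "/subscriptions/abcd/resourceGroups/rg/providers/Microsoft.Network"
                                   "/applicationGatewayWebApplicationFirewallPolicies/adserver",
        },
    },
    "spec": {"rules": [{"http": {"paths": [{"path": "/ad-server"}, {"path": "/auth"}]}}]},
}
if __name__ == "__main__":
    for sku in ("Standard_v2", "WAF_v2"):
        print(sku, check_waf_annotation(SAMPLE_INGRESS, sku) or ["ok"])
```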

Maciej

DevOps Consultant. I’m strongly focused on automation, security, and reliability.