Restrict nginx ingress controller to two Azure front doors

milancas 21 Reputation points
2022-10-19T10:02:11.93+00:00

I need to restrict the ingress controller to 2 different Azure Front Doors at the same time (i.e. the ingress controller needs to accept HTTP traffic from those 2 Front Doors only).
I'm able to restrict the ingress controller to a single Azure Front Door with the statement below, but I'm not sure what the correct syntax is if I need to restrict traffic to 2 Front Doors.
Any help is much appreciated.

nginx.ingress.kubernetes.io/allow-snippet-annotations: 'true'
nginx.ingress.kubernetes.io/enable-modsecurity: 'true'
nginx.ingress.kubernetes.io/enable-owasp-modsecurity-crs: 'true'
nginx.ingress.kubernetes.io/configuration-snippet: |
  # Reject any request whose X-Azure-FDID header does not carry our Front Door ID
  if ($http_x_azure_fdid !~* 'xxxxx-xxx-xxx-xxxxxx') {
    return 403;
  }

ingress version ingress-nginx-1661945723 portal 2 2022-08-31 12:53:58.6382585 +0100 BST deployed ingress-nginx-4.2.3 1.3.0
AKS version 1.24.3


Accepted answer
    Andriy Bilous 11,821 Reputation points MVP Volunteer Moderator
    2022-10-19T15:10:28.747+00:00

    Hello @milancas
    You can use the nginx.ingress.kubernetes.io/modsecurity-snippet ModSecurity snippet in your Ingress annotations:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      ...
      annotations:
        # To restrict traffic coming only through our Front Door instances, we use a header check on the X-Azure-FDID
        # The values get injected by the pipeline. Hence, these IDs should be treated as sensitive values
        # Both allowed IDs go into one rule as an alternation: two separate negative-lookahead deny rules
        # would reject every request (any value fails at least one of them), and ModSecurity rule ids must be unique
        nginx.ingress.kubernetes.io/modsecurity-snippet: |
          SecRuleEngine On
          SecRule &REQUEST_HEADERS:X-Azure-FDID \"@eq 0\" \"log,deny,id:106,status:403,msg:\'Front Door ID not present\'\"
          SecRule REQUEST_HEADERS:X-Azure-FDID \"@rx ^(?!({{ .Values.azure.frontdooridfirst }}|{{ .Values.azure.frontdooridsecond }})$).*$\" \"log,deny,id:107,status:403,msg:\'Wrong Front Door ID\'\"
    ...

    https://learn.microsoft.com/EN-US/azure/architecture/reference-architectures/containers/aks-mission-critical/mission-critical-security#routing

    If you think your question has been answered, click "Mark as Accept Answer" if just helped click "Vote as helpful". This can be beneficial to other community members reading this forum thread.
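Both the nginx `if` in the question and the ModSecurity `@rx` rule in the answer reduce to the same test on the `X-Azure-FDID` header: absent, not on the allow-list, or allowed. The following is an added example, not code from either post or from Microsoft's reference architecture; it models that decision in Python with two constructed placeholder IDs (`FD_ID_FIRST`, `FD_ID_SECOND`, not real Front Door IDs) so the regex can be checked offline before it goes into an annotation. It also shows why two separate negative-lookahead deny rules, one per ID, cannot allow two Front Doors: every value fails at least one of them.

```python
import re

# Constructed placeholder Front Door IDs (not values from the thread or from any real tenant).
FD_ID_FIRST = "11111111-1111-1111-1111-111111111111"
FD_ID_SECOND = "22222222-2222-2222-2222-222222222222"

# Allow-list: the header must equal one of the two IDs exactly.
# The ^ and $ anchors matter; without them a value that merely starts with an
# allowed ID would also pass. IGNORECASE mirrors the question's `!~*` operator.
ALLOWED_FDID_RE = re.compile(
    r"^(" + re.escape(FD_ID_FIRST) + "|" + re.escape(FD_ID_SECOND) + r")$",
    re.IGNORECASE,
)


def fdid_decision(headers):
    """Return (status, reason) mirroring the two ModSecurity rules in the answer:
    id:106 when the header is absent, id:107 when present but not allow-listed,
    200 when the value is one of the two allowed Front Door IDs."""
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    value = lowered.get("x-azure-fdid")
    if value is None:
        return 403, "id:106 Front Door ID not present"
    if not ALLOWED_FDID_RE.match(value):
        return 403, "id:107 Wrong Front Door ID"
    return 200, "allowed"


def two_separate_rules_deny(value):
    """Model two independent deny rules, ^(?!FIRST).*$ and ^(?!SECOND).*$.
    A request is denied if either rule matches, so even a correct ID is denied
    by the rule written for the other ID."""
    rule_first = re.compile(r"^(?!" + re.escape(FD_ID_FIRST) + r").*$")
    rule_second = re.compile(r"^(?!" + re.escape(FD_ID_SECOND) + r").*$")
    return bool(rule_first.match(value)) or bool(rule_second.match(value))


if __name__ == "__main__":
    # Constructed sample requests: allowed, allowed, missing header, foreign ID, prefix-only match.
    samples = [
        {"X-Azure-FDID": FD_ID_FIRST},
        {"x-azure-fdid": FD_ID_SECOND},
        {},
        {"X-Azure-FDID": "33333333-3333-3333-3333-333333333333"},
        {"X-Azure-FDID": FD_ID_FIRST + "-extra"},
    ]
    for headers in samples:
        print(headers.get("X-Azure-FDID", headers.get("x-azure-fdid")), "->", fdid_decision(headers))
    print("two separate rules deny a valid first ID:", two_separate_rules_deny(FD_ID_FIRST))
```

The same allow-list shape works in the question's nginx snippet as `if ($http_x_azure_fdid !~* '^(id-one|id-two)$')`, with the anchors kept for the same reason.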

