Is it possible to apply WAF for a TCP listener service running inside an AKS cluster?

Chiaroni Alexandre (C/IDI-LA) 40 Reputation points
2023-03-09T19:33:38.5266667+00:00

Hello,

I have a solution running within an AKS cluster. One of the services is a TCP listener, running on a specific port. I can communicate with the listener through the traditional Load Balancer in-cluster ingress controller normally.

However, I would like to apply WAF policies for this port, which I suppose is not possible using the Load Balancer. I know that AKS has support for App Gateway ingress controller as well, and that I can set WAF within the App Gateway. But I understand that App Gateway, which operates at OSI Layer 7, would not work with my TCP listener.

Is there any option for applying security configurations such as WAF and DDoS protection (which are provided by App Gateway) for my TCP listener?

Thanks in advance!


Accepted answer
  1. ChaitanyaNaykodi-MSFT 27,476 Reputation points Microsoft Employee Moderator
    2023-03-09T23:12:08.6666667+00:00

    @Chiaroni Alexandre (C/IDI-LA)

    Thank you for reaching out to us on the Microsoft Q&A forum.

    Yes, your understanding is correct: WAF provides protection at Layer 7, not at Layers 3 and 4.

    Based on your question above

    Is there any option for applying security configurations such as WAF and DDoS protection (which are provided by App Gateway) for my TCP listener?

    Depending on your requirement, I am wondering if you can use Azure Firewall along with Azure Application Gateway. Azure Firewall provides protection at Layer 3 and Layer 4 of the OSI model.

    You can go through the documentation here to understand the different use cases of deploying Azure Application Gateway with Firewall.

    When you combine Application Gateway and Azure Firewall to protect an AKS cluster, it's best to use the parallel design option. The Application Gateway with WAF processes inbound connection requests to web applications in the cluster. Azure Firewall permits only explicitly allowed outbound connections.

    You can go through these reference baseline architectures for AKS to get more information.

    If this does not satisfy your requirements, please upload this feature request on our feedback portal as suggested by Cristian above.

    Hope this helps! Please let me know if you have any additional questions. Thank you!


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
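The parallel design described in the accepted answer leaves the TCP listener to Azure Firewall, which filters on source, destination, protocol, port and threat intelligence rather than inspecting application payloads the way a WAF does. The following Bicep fragment is an added example written for this page, not code from the thread or from Microsoft documentation; it shows one way to expose the listener through the firewall with a DNAT rule restricted to allowed client ranges, and to keep cluster egress on an explicit allow list. All names, the port 9000, the 203.0.113.0/24 client range (a documentation address block) and the parameters `firewallPublicIp`, `aksInternalLbIp` and `aksSubnetCidr` are placeholders to be replaced with your own values.

```bicep
// Added example (not from the Q&A thread): Azure Firewall Policy fronting a
// TCP listener that an AKS service exposes on an internal load balancer.
// Every name, address and port below is a placeholder.
param location string = resourceGroup().location
param firewallPublicIp string                           // public IP attached to the Azure Firewall (placeholder)
param aksInternalLbIp string                            // internal LB frontend IP of the TCP listener service (placeholder)
param aksSubnetCidr string                              // address range of the AKS node subnet (placeholder)
param listenerPort string = '9000'                      // TCP port the listener uses (placeholder)
param allowedClientCidrs array = [ '203.0.113.0/24' ]   // clients allowed to reach the listener (documentation range, placeholder)

resource fwPolicy 'Microsoft.Network/firewallPolicies@2022-07-01' = {
  name: 'fw-policy-aks-tcp'
  location: location
  properties: {
    sku: { tier: 'Standard' }
    // Drop traffic to and from IPs on the Microsoft threat-intelligence feed.
    threatIntelMode: 'Deny'
  }
}

resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2022-07-01' = {
  parent: fwPolicy
  name: 'rcg-aks-tcp-listener'
  properties: {
    priority: 200
    ruleCollections: [
      {
        // Inbound: publish the listener on the firewall public IP, but only for
        // the allowed client ranges. The translated flow is allowed implicitly,
        // so no separate network rule is needed; everything else is denied.
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'dnat-tcp-listener'
        priority: 100
        action: { type: 'Dnat' }
        rules: [
          {
            ruleType: 'NatRule'
            name: 'publish-tcp-listener'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: allowedClientCidrs
            destinationAddresses: [ firewallPublicIp ]
            destinationPorts: [ listenerPort ]
            translatedAddress: aksInternalLbIp
            translatedPort: listenerPort
          }
        ]
      }
      {
        // Outbound: only explicitly allowed egress from the cluster, here the
        // AKS control-plane and dependency endpoints via the built-in FQDN tag.
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-aks-egress'
        priority: 300
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'aks-required-fqdns'
            protocols: [ { protocolType: 'Https', port: 443 } ]
            fqdnTags: [ 'AzureKubernetesService' ]
            sourceAddresses: [ aksSubnetCidr ]
          }
        ]
      }
    ]
  }
}
```

Deploying this policy still requires the usual plumbing the answer's linked architectures describe: the firewall itself in its own subnet, a route table sending the AKS subnet's default route to the firewall's private IP, and the AKS service annotated to use an internal load balancer so that `aksInternalLbIp` is reachable from the firewall. Inbound connections that survive these rules are still unfiltered at the application layer, which is the gap the question is about; adding the HTTP-facing services behind Application Gateway with WAF covers them, while a non-HTTP protocol has to rely on the listener's own input validation and on the firewall logs for detection.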


1 additional answer

  1. Cristian Gatjens 716 Reputation points Microsoft Employee
    2023-03-09T20:54:30.88+00:00

    Hello Chiaroni,

    Thank you for reaching out & I hope you are doing well.

    I understand that you want to apply security configurations similar to what WAF offers for OSI Layer 7. Doing my research, I could not find similar security features that can apply to TCP listeners in our official documentation, nor any feature requests for the same. If you are interested, I suggest creating a new Feature Request (Post a new Idea) at the following link, which will be reviewed by the corresponding PM:

    https://feedback.azure.com/d365community/forum/aabe212a-f724-ec11-b6e6-000d3a4f0da0

    Please "Accept the answer" if the information helped you. Feel free to reply with any other questions or concerns.

    Hope this helps!

