I have an AKS application, we want to create a global frontend to it, not sure which app I should use? It has to have global presence also WAF feature for our application to protect the ingress traffic

Samier Zaghloul 40 Reputation points
2023-11-25T21:27:59.76+00:00

I have an AKS application, we want to create a global frontend to it, not sure which app I should use? It has to have global presence also WAF feature for our application to protect the ingress traffic

Azure Kubernetes Service (AKS)

Accepted answer
  1. Adam Zachary 2,886 Reputation points
    2023-11-25T21:42:41.9+00:00

    Hi Samier,

    For creating a global frontend for your AKS application with Web Application Firewall (WAF) features to protect ingress traffic, you have a couple of options in Microsoft Azure (In case you decided to use Azure Native tools/services).

    (Option 1) Azure Front Door with Web Application Firewall

    • Description: Azure Front Door offers a scalable and secure entry point for fast delivery of your global web applications. It integrates with Azure Web Application Firewall to provide centralized protection against common exploits and vulnerabilities.
    • Features:
      • Global and centralized solution.
      • Protects against common web vulnerabilities and DDoS attacks.
      • Configurable WAF policies with custom and managed rules.
      • Supports detection and prevention modes for WAF policies.
      • Can be configured via Azure portal, REST APIs, Azure Resource Manager templates, and Azure PowerShell.

    (Option 2) Application Gateway Ingress Controller (AGIC) with WAF

    • Description: AGIC allows Azure Kubernetes Service (AKS) customers to use Azure Application Gateway as the ingress for AKS. The Application Gateway Ingress Controller can be integrated with Azure Web Application Firewall to protect your web applications.
    • Features:
      • Protects web applications on AKS from exploits and vulnerabilities like SQL injection and cross-site scripting.
      • Comes pre-configured with OWASP core rule sets.
      • Can be deployed via Azure CLI or a Helm chart.
      • Offers continuous updates and support when deployed as an AKS add-on.
      • Works by continuously updating an Application Gateway based on the state of the AKS cluster.

    Difference between the two solutions:

    • Global Presence: Both options provide global presence. Azure Front Door operates at the network edge globally, while AGIC updates an Application Gateway based on AKS state.
    • WAF Features: Azure Front Door provides a more comprehensive WAF integration with full capabilities in its premium tier, while AGIC uses WAF policy on Azure Application Gateway with customizable rule sets.
    • Ease of Use: Azure Front Door offers a straightforward setup for global distribution and security. AGIC requires a more Kubernetes-centric approach but provides tight integration with AKS.
    • Flexibility: AGIC offers more flexibility for Kubernetes-specific deployments, whereas Azure Front Door is more suited for broader web application scenarios.

    Steps to Implement

    1. Evaluate Your Needs: Decide which option better fits your use case - global web application protection (Azure Front Door) or Kubernetes-specific ingress control (AGIC with WAF).
    2. Set Up: For Azure Front Door, configure it with WAF in the Azure portal. For AGIC, deploy it using Azure CLI or a Helm chart and integrate it with Application Gateway and WAF.
    3. Configure WAF Policies: Define custom rules or use managed rule sets for WAF in either solution.
    4. Test and Monitor: Ensure the setup works as intended and monitor traffic to adjust rules and settings as needed.

    Additionally, for achieving global presence, consider deploying your AKS clusters in multiple regions and use Azure Traffic Manager for traffic routing. Also, use geo-replication for container image registries to improve performance and availability across regions. Here's the reference architecture if you decided to go with Azure Front-Door with AKS cluster in two regions for High Availability:

    [Architecture diagram showing multi-region deployment]

    1 person found this answer helpful.
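A check for the "Configure WAF Policies" and "Test and Monitor" steps, as an added example that is not part of the original answer: it audits an exported WAF policy resource for the settings the answer names (enabled switch, detection versus prevention mode, attached managed rule sets) for both Front Door and Application Gateway policies. The two sample policies and their names are constructed; the field names are the ones used in the ARM schema of the two WAF policy resource types.

```python
# ARM resource types of the two WAF policy kinds compared in the answer.
FRONT_DOOR = "microsoft.network/frontdoorwebapplicationfirewallpolicies"
APP_GATEWAY = "microsoft.network/applicationgatewaywebapplicationfirewallpolicies"

def audit_waf_policy(policy):
    """Return findings for one exported WAF policy (empty list = OK).
    A setting missing from the export is reported as a finding."""
    rtype = policy.get("type", "").lower()
    if rtype not in (FRONT_DOOR, APP_GATEWAY):
        return ["not a WAF policy resource: %r" % policy.get("type")]
    props = policy.get("properties", {})
    settings = props.get("policySettings", {})
    findings = []
    # Front Door names the on/off switch 'enabledState', Application Gateway 'state'.
    switch = "enabledState" if rtype == FRONT_DOOR else "state"
    if str(settings.get(switch, "")).lower() != "enabled":
        findings.append("policy is not enabled: no rule is evaluated")
    # In Detection mode matching requests are only logged, never blocked.
    if str(settings.get("mode", "")).lower() != "prevention":
        findings.append("mode is not Prevention: matches are logged, not blocked")
    rule_sets = props.get("managedRules", {}).get("managedRuleSets", [])
    if not rule_sets:
        findings.append("no managed rule set attached: only custom rules apply")
    return findings

# Constructed sample: Front Door policy left in Detection mode after tuning.
FD_SAMPLE = {
    "type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies",
    "name": "examplefdwaf",
    "sku": {"name": "Premium_AzureFrontDoor"},
    "properties": {
        "policySettings": {"enabledState": "Enabled", "mode": "Detection"},
        "managedRules": {"managedRuleSets": [
            {"ruleSetType": "Microsoft_DefaultRuleSet", "ruleSetVersion": "2.1"}]},
    },
}
# Constructed sample: Application Gateway policy (used with AGIC), blocking.
AGW_SAMPLE = {
    "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
    "name": "example-agw-waf",
    "properties": {
        "policySettings": {"state": "Enabled", "mode": "Prevention"},
        "managedRules": {"managedRuleSets": [
            {"ruleSetType": "OWASP", "ruleSetVersion": "3.2"}]},
    },
}

if __name__ == "__main__":
    for sample in (FD_SAMPLE, AGW_SAMPLE):
        print(sample["name"], audit_waf_policy(sample) or "OK")
```

Running the audit on every policy after each change catches the common case where a policy is switched to Detection for rule tuning and never switched back.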
