Blocking requests from a specific IP to an application in the AKS cluster

2021-11-30T11:04:23.99+00:00

Hello everybody!
I have an AKS cluster with my applications.
I recently noticed that an abnormally large number of requests are received from one IP address.
I would like to block this IP address for a certain time.
I want the blocking to occur automatically when a certain limit is reached, for example, more than 10,000 calls per minute from a unique IP.
I am looking for a solution for how to do this.
Has anyone faced such a task, or does anyone know a convenient solution?

Azure Kubernetes Service

Accepted answer
  1. Andriy Bilous 11,821 Reputation points MVP Volunteer Moderator
    2021-11-30T12:37:57.85+00:00

    Hello @ProkhorovDmytro-0185

    AKS supports different Ingress Controllers, but unfortunately the popular Azure Application Gateway does not support rate limiting.

    You can use Nginx Ingress with the annotation nginx.ingress.kubernetes.io/limit-rpm in AKS to apply a rate limit instead of Azure Application Gateway.
    There are more options to manage rate limits in Nginx Ingress:
    https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#rate-limiting

    Here is an example of Nginx Ingress usage together with the annotation nginx.ingress.kubernetes.io/limit-rpm:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: ingress
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
        # Requests per minute allowed from each client IP.
        # Annotation values must be strings, so the number is quoted.
        nginx.ingress.kubernetes.io/limit-rpm: "1000"
    spec:
      rules:
      - http:
          paths:
          - path: /testpath
            pathType: Prefix
            backend:
              service:
                name: test
                port:
                  number: 80
    

    You may also limit rate using Web Application Firewall on Azure Front Door and put Azure Application Gateway or Nginx Ingress behind it.
    You may configure a threshold on the number of web requests allowed from a client IP during a one-minute duration. This rule is distinct from an IP list-based allow/block custom rule that either allows all or blocks all requests from a client IP. Rate limits can be combined with additional match conditions such as HTTP(S) parameter matches for granular rate control.

    https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-rate-limit-powershell#create-a-custom-rate-limit-rule

    1 person found this answer helpful.
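
Added example, not part of the original answer: a simplified Python model of the per-client-IP request bucket that `limit-rpm: "1000"` sets up, run on constructed traffic matching the 10,000 requests per minute case from the question. It assumes ingress-nginx's default burst multiplier of 5 (the `nginx.ingress.kubernetes.io/limit-burst-multiplier` annotation), exact arithmetic in place of nginx's integer rounding, and documentation-range IP addresses; all function names are illustrative.

```python
from collections import defaultdict

UNITS_PER_REQUEST = 60_000  # 1 request = 60,000 units, so 1 rpm drains 1 unit per ms


def simulate(requests, limit_rpm, burst_multiplier=5):
    """Return {ip: (accepted, rejected)} for time-sorted (timestamp_ms, ip) pairs.

    Simplified model (an assumption, not nginx source): each client IP has a
    bucket that drains at limit_rpm and may hold limit_rpm * burst_multiplier
    excess requests; a request that would overflow the bucket is rejected.
    """
    burst_units = limit_rpm * burst_multiplier * UNITS_PER_REQUEST
    state = {}  # ip -> (excess_units, time of last accepted request in ms)
    counts = defaultdict(lambda: [0, 0])
    for t_ms, ip in requests:
        if ip not in state:
            state[ip] = (0, t_ms)  # first request from an IP starts an empty bucket
            counts[ip][0] += 1
            continue
        excess, last = state[ip]
        # Drain for the elapsed time, then add the cost of this request.
        excess = max(0, excess - limit_rpm * (t_ms - last) + UNITS_PER_REQUEST)
        if excess > burst_units:
            counts[ip][1] += 1  # rejected (HTTP 503 by default); state is unchanged
            continue
        state[ip] = (excess, t_ms)
        counts[ip][0] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


def constructed_minute():
    """Constructed traffic for one minute: one noisy IP and one ordinary client."""
    noisy = [(i * 6, "203.0.113.7") for i in range(10_000)]    # 10,000 requests/min
    normal = [(i * 200, "198.51.100.20") for i in range(300)]  # 300 requests/min
    return sorted(noisy + normal)


if __name__ == "__main__":
    for mult in (5, 1):
        result = simulate(constructed_minute(), limit_rpm=1000, burst_multiplier=mult)
        print(f"burst multiplier {mult}: {result}")
```

In this model the noisy address still gets 6,000 of its 10,000 requests through in the first minute with the default multiplier, and 2,000 with a multiplier of 1, while the ordinary client is never rejected. The annotation throttles each address continuously; it does not ban an address for a period of time.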

1 additional answer

  1. Prokhorov Dmytro (Прохоров Дмитро) 41 Reputation points
    2021-11-30T13:50:57.737+00:00

    Hello @Andriy Bilous

    The annotation nginx.ingress.kubernetes.io/limit-rpm solution is a good way. Thanks.
