Deploying F5 Distributed Cloud WAF on Kubernetes

The introduction article covered the basics of the different use cases for Web Application Firewall (WAF) deployments; this article goes into the details of deploying F5 Distributed Cloud (F5 XC) WAF on Kubernetes (k8s).

Note: Although this scenario focuses on XC WAF, the same setup lets customers enable any of the other security services, such as API Security, Bot Defense, DoS/DDoS and Fraud protection, as their needs require.

 

Advantages of modern apps: 

Modern applications built as k8s microservices have solved many of the problems of monolithic architectures, such as scalability, cost, flexibility, modular design, release management and maintenance. The approach yields lightweight, loosely coupled services that are simpler to maintain and integrate, gives finer service granularity, makes it easier to adopt new technology, and puts release management in the hands of the development teams.

Because of these benefits, many organizations are migrating their services to cloud-based Kubernetes offerings. According to the CNCF report, k8s adoption grew by 67% in 2021, and companies such as GitHub, Adidas, The New York Times, Nokia, Walmart, Spotify, Pinterest and Airbnb have already moved services to k8s [1, 2].

 

Security issues in modern apps: 

Along with these advantages, running on k8s also brings challenges: inconsistent security controls across services, misconfigurations, request data that is never validated, and a lack of DevSecOps practices. Left unaddressed, these expose sensitive customer data and lead to application downtime, revenue loss, customer dissatisfaction and loss of trust.

According to a Red Hat survey, 67% of companies have slowed down a release because of a security issue, and 37% have suffered revenue loss because of k8s security issues.

 

Solution: 

WAAP (Web Application and API Protection) is a set of security services that protects applications from known application-layer threats, combining WAF, DDoS prevention, API security and bot mitigation. To safeguard modern applications running inside a k8s cluster, this protection has to be inserted into the data-plane path of the application traffic.

This article presents one way of deploying the WAF in a customer's existing k8s infrastructure using F5 XC.

 

Architectural diagram: 

Fig 1: Image showing architecture

 

Design: 

  1. The backend application is already hosted as a k8s Service inside the customer's existing cluster.
  2. The F5 XC Customer Edge (CE) site resources are deployed on the same cluster as pods and services.
  3. An F5 XC load balancer (LB) and origin pool are created from the F5 XC console.
  4. WAF functionality is configured on this LB.
  5. Finally, a public k8s LoadBalancer Service is created and mapped to the F5 XC VER (Volterra Edge Router) component. VER is an internal CE component that provides a customizable L7 multi-protocol proxy and load balancer, an L4 SNAT firewall and L3 dynamic routing over BGP.

 

Deployment Diagram: 
Fig 2: Image showing design

 

The step-by-step process, along with the deployment .yml files, can be found here.

 

Data flow: 

  • Users send requests to the k8s load balancer Service with the application's Host header.
  • The requests traverse the internet and reach the AWS k8s load balancer Service.
  • That Service fronts the F5 XC layer 7 component, the Volterra Edge Router (VER; see design step 5 for details), which inspects the Host header and routes the request to the matching F5 XC LB.
  • The XC HTTP LB is configured to be reachable only from this CE site, so the request reaches the XC HTTP LB and its backend origin pool.
  • WAF is enabled on the XC HTTP LB, so the request data is checked against attack signatures. If malicious content is found, the WAF blocks the request, as shown below.
    Fig 3: Image showing F5 WAF blocking XSS illegal request
  • If the request is legitimate and raises no issues, it is forwarded to the origin pool.
  • The demo application's front end runs as a Kubernetes Service, and the origin pool above is mapped to that Service.
  • The backend validates the request and returns the response data shown below.
    Fig 4: Image showing valid response

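The following script is an added example for this article; it is not one of the article's deployment .yml files and not F5 code. It ties design steps 2 to 5 and the data flow above together: it renders and applies the public LoadBalancer Service that fronts the VER, waits for the cloud provider to assign an external hostname, and then sends a benign request and a textbook XSS probe through that address with the application's Host header so the VER can route them to the XC HTTP LB. Every F5-specific detail in it is an assumption to be adjusted to your deployment: the CE namespace (ves-system), the VER pod label (app=ver), the VER listening ports (80/443), the demo domain (demo.example.com), and the shape of the XC default blocking page (HTTP 403 carrying a "support ID"). The sample block-page text used in the comments is constructed, not captured from a real site.

```shell
#!/usr/bin/env bash
# Added example (not the article's own .yml files and not F5 code): expose the CE
# site's VER through a public Kubernetes LoadBalancer Service (design step 5) and
# verify from outside that the XC WAF sits in the data path.
# Assumptions, all hypothetical and adjustable via the variables below: the CE runs
# in namespace "ves-system", the VER pods carry the label app=ver and listen on
# 80/443, and the XC HTTP LB serves the demo app for the domain in APP_HOST.
set -euo pipefail

NAMESPACE="${NAMESPACE:-ves-system}"          # assumed CE namespace
VER_SELECTOR="${VER_SELECTOR:-app=ver}"       # assumed label on the VER pods
SERVICE_NAME="${SERVICE_NAME:-xc-ver-public}" # name of the public Service we create
APP_HOST="${APP_HOST:-demo.example.com}"      # domain configured on the XC HTTP LB
LB_ADDR="${LB_ADDR:-}"                        # external hostname of the k8s LB; discovered if empty

# Render the LoadBalancer Service that fronts the VER.
# Arguments: service name, namespace, and a single key=value pod selector.
render_lb_service() {
  local name="$1" ns="$2" selector="$3"
  local key="${selector%%=*}" value="${selector#*=}"
  cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: ${name}
  namespace: ${ns}
spec:
  type: LoadBalancer
  selector:
    ${key}: ${value}
  ports:
    - name: http
      port: 80
      targetPort: 80
    - name: https
      port: 443
      targetPort: 443
EOF
}

# Classify a response seen through the WAF path. The XC default blocking page is
# assumed to answer 403 with a "support ID" that can be searched for in the
# security events. Prints one of: allowed, blocked, unreachable, unexpected.
classify_response() {
  local status="$1" body="$2"
  case "$status" in
    000) echo unreachable ;;
    200) echo allowed ;;
    403) if printf '%s' "$body" | grep -qi 'support ID'; then echo blocked; else echo unexpected; fi ;;
    *)   echo unexpected ;;
  esac
}

# Pull the numeric support ID out of a block page body; prints nothing if absent.
extract_support_id() {
  printf '%s' "$1" | sed -n 's/.*[Ss]upport ID is: *\([0-9]*\).*/\1/p' | head -n 1
}

# Send one request through the k8s LB with the application's Host header, which is
# what the VER uses to pick the XC HTTP LB. Prints "<verdict> <support-id>".
probe() {
  local path="$1" tmp status body
  tmp="$(mktemp)"
  status="$(curl -s --max-time 10 -H "Host: ${APP_HOST}" \
            -o "$tmp" -w '%{http_code}' "http://${LB_ADDR}${path}" || true)"
  body="$(cat "$tmp")"
  rm -f "$tmp"
  printf '%s %s\n' "$(classify_response "${status:-000}" "$body")" "$(extract_support_id "$body")"
}

main() {
  render_lb_service "$SERVICE_NAME" "$NAMESPACE" "$VER_SELECTOR" | kubectl apply -f -
  if [ -z "$LB_ADDR" ]; then
    # Wait for the cloud provider (AWS in the article) to hand out an external hostname.
    for _ in $(seq 1 30); do
      LB_ADDR="$(kubectl -n "$NAMESPACE" get svc "$SERVICE_NAME" \
                -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')"
      if [ -n "$LB_ADDR" ]; then break; fi
      sleep 10
    done
  fi
  if [ -z "$LB_ADDR" ]; then echo "no external address for ${SERVICE_NAME}" >&2; return 1; fi
  echo "benign request: $(probe '/')"
  # Textbook reflected-XSS probe in a query parameter; expect "blocked" plus a support ID.
  echo "xss request:    $(probe '/?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E')"
}

# Only run end to end when invoked as "bash waf_check.sh run"; otherwise just define the helpers.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `APP_HOST=<your-domain> bash waf_check.sh run` from a workstation with kubectl access to the cluster. A healthy deployment prints `allowed` for the benign request and `blocked <support-id>` for the XSS probe; `unexpected` on the probe usually means the Host header did not match any XC HTTP LB advertised on the CE site, and `unreachable` means the k8s LoadBalancer Service itself is not answering, so the problem is in front of the WAF rather than in it. The support ID is the value to search for in the XC security events when confirming which signature fired.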

Conclusion: 

As demonstrated above, an F5 XC CE site with WAF enabled can be deployed on an existing customer k8s cluster and used to mitigate attacks against modern microservice-based applications.

Updated Aug 31, 2023
Version 5.0