Serverless NGINX App Protect
Advanced teams which develop serverless applications usually prefer to have entire infrastructure running serverless including security tools like WAF. F5 can definitely accommodate such need with Essential App Protect which runs as SaaS. It doesn't require any infrastructure management, easy to setup as 1-2-3 however not as flexible as managed WAF can be. Serverful NGINX App Protect gives full flexibility in data plane and WAF policy configuration but requires team, expertise and time to manage underlying servers. What if to combine both of these approaches by running full featured NGINX App Protect on top of public cloud's serverless compute engine (e.g. AWS Fargate, GCP Cloud Run, ...) which require zero infrastructure maintenance to run workloads.
Note: If you are not familiar with serverless compute platforms take a look to official docs: AWS, GCP, Azure. Long story short they are managed compute engines which take container workload declaration (what?) as input and then automatically make sure that workload runs exactly as specified in declaration (how?). Compute resources, networking, security, everything... Literally zero infrastructure maintenance.
The idea sounds pretty attractive so let's define requirements and try to make it happen.
- Fully featured WAF runs serverless (zero infrastructure maintenance, low cost due to per used CPU/MEM billing)
- As easy to setup as SaaS WAF
- Deployment is fully automated and repeatable
- All configuration stored in git (version control, easy roll back, developers friendly)
Clear requirements are half of success. Implementation is another half. Last two solution requirements lead to use of CICD platform (like Gitlab). Such platform allows to automate anything using CICD pipelines. Fortunately there is no need to develop a pipeline from scratch. There is a template repo which can be reused to deploy your own serverless WAF. The plan as simple as:
- Clone template repo to a new one
- Supply cloud service account credentials and NGINX App Protect license keys to the new git repo
- Let pipeline to do the rest for you
- Enjoy serverless WAF
Template repo contains all configuration files and CICD pipeline definition to automate all deployment and operation steps. Pipeline designed to use Gitlab as CICD platform, AWS as public cloud and consists of three stages:
- Terraform: Creates AWS resources (VPC, subnets, security groups, cluster, etc...)
- Build: Builds NGINX App Protect docker image and pushes it to container registry (AWS ECR)
- Deploy: Generates NGINX App Protect configuration and launches it in AWS Elastic Container Service (AWS ECS aka AWS Fargate)
Terraform is a popular configuration management system. It takes infrastructure declaration as input and builds it at location of your choice either cloud or on-premises (Official docs). This particular stage uses terraform to create "Security VPC" and its components as shown below:
ECS cluster runs NGINX App Protect containers to process a traffic. ECR stores and supplies container images to ECS. ALB accepts traffic from clients and distributes it between WAF containers.
Build stage builds NGINX App Protect container image with default configuration and pushes it to ECR. In order to get access to NGINX App Protect repositories certificate and key should be supplied to the Gitlab repo as base64 encoded environment variables.
This stage generates configuration for NGINX App Protect, deploys containers to the ECS and publishes them through ALB.
Therefore pipeline completely automates WAF deployment. All day to day operations are performed via code commits. Want to change NGINX configuration - commit changes to nginx.conf. Want to change WAF policy - commit changes to WAF policy file. Want to roll back configuration - refer previous task definition.
After initial commit CICD pipeline creates AWS VPC and ECS cluster with few NGINX App Protect instances running in it.
Instances with default configuration return static hello page. It means deployment went successfully and the WAF is ready for use.
Next step is to publish a web resource through the WAF. Remember, serverless NGINX App Protect has exactly the same NGINX under the hood but running on top of serverless platform. Therefore publishing a web resource happens exactly the same as with serverful NGINX. All traffic which comes to WAF simply redirects to a web server. After committing changes to nginx.conf pipeline automatically updates running NGINX instances with new configuration.
Once configuration applied traffic redirects to a protected web resource (see URL).
Any other system configuration aspect as WAF policy, logging, scaling, image, etc. modification happens similarly. Update configuration file and pipeline does the rest.
This approach of running NGINX App Protect serverless brings a lot of benefits. Easy to deploy and manage. Doesn't require infrastructure management. Auto scalable. Cost effective since AWS ECS charges only for consumed CPU/Memory. developer friendly because all configuration and parameters stored as a code. Easy to roll back. Therefore in current world of developers who want to only write code but still need their applications secured such WAF format seems right on time.
This is a new project which IMO worth to be further developed. Feel free to give it a try and post your feedback to the repo or directly to me (see profile)
Template repo: link
Demo video: link