The introduction article covered basics of different use cases of Web Application Firewall (WAF) deployments and this article will dive deep into deployment of F5 Distributed Cloud (F5 XC) WAF on Kubernetes (k8s).
Note: Even though the scenario here focuses on XC WAF, customers can enable any security services in the same setup, such as API Security, Bot Defense, DoS/DDOS and Fraud, as per their needs.
Advantages of modern apps:
Modern applications using k8s microservice based approaches have solved many challenges observed in monolithic architecture like scalability, cost effectiveness, flexibility, design modularity, release management, maintenance, etc. This method provides simplicity, robustness, lightweight, easier maintenance & integration, service granularity, evolving technology adaptability, development focused release management and eliminates many other challenges.
Because of the above benefits every day many organizations are in the process of migrating their services to cloud based Kubernetes services. As per CNCF report, k8s adoption increased by 67% in 2021 year. Many modern applications like github, Adidas, NewYork Times, Nokia, Walmart, Spotify, PinInterest, AirBnB, etc have already migrated their services to k8s [1 , 2].
Security issues in modern apps:
Along with many advantages using k8s service also come some challenges like inconsistent security controls, misconfiguration's, not validating request data, lack of DevSecOps principles, etc. These concerns may pose a security risk to organizations exposing sensitive customer data, application downtime, revenue loss, customer dissatisfaction, loss of trust, etc.
As per Redhat survey, 67% of companies have slowed down releases due to a security issue and 37% of customers faced revenue loss due to k8s security issues.
WAAP is a set of security services which protects applications from known application threats thereby providing WAF, DDOS prevention, API Security and bot mitigation solution. To safeguard our modern applications which are residing inside a k8s cluster, we have to integrate this solution as part of data plane workflow.
In this article we are going to provide a possible solution for deploying WAF in the customer existing k8s infra using F5 XC.
Fig 1: Image showing architecture
Backend application is already hosted as a k8s service inside existing customer cluster
CE site related resources are deployed on same cluster as pods and services
F5 XC load balancer (LB) and pool are created from F5 XC console
WAF functionality is configured on this LB
Finally, a public k8s load balancer service is created and mapped to F5 XC VER component.VER is an internal component which supports L7 customizablemulti-protocol proxy & LB, L4 SNAT firewall and L3 dynamic routing using BGP protocol.
Deployment Diagram: Fig 2: Image showing design
Step by step process along with deployment .yml files can be found here.
Customer/users will send requests to k8s load balancer service along with host header
These requests will pass through the internet and reaches AWS k8s load balancer service
This service LB hosts a F5 XC layer 7 application Volterra Edge Router (VER – check design section step 5 for more details) which checks the host header and routes it to appropriate F5 XC LB
We have configuredXC HTTP LBto be accessible only from this CE site and sorequestswill reach XC HTTP LB and its backend origin pool
WAF is configured on XC HTTP LB and so request data is validated for any attack signatures. If any malicious content is found, WAF will block the request as below Fig 3: Image showing F5 WAF blocking XSS illegal request
If request is legitimate and has no issues, then it will be forwarded to origin pool
Demo applications front end is running as a Kubernetes service and above pool is mapped to this service
Backend after receiving request will validate and responds back with the response data as below Fig 4: Image showing valid response
As demonstrated above, F5 XC CE site along with WAF capabilities can be deployed on existing customer k8s cluster and can be used as a mitigation solution to prevent security attacks on our modern micro service-based applications.