
First of all, I am using an Nginx ingress controller installed with Helm on GKE, and I am using ModSecurity as a WAF. Nevertheless, I was researching a new kind of WAF to display the results of prevention, and Cloud Armor looks like what I am looking for. Unfortunately, it works only with HTTP/HTTPS load balancers, but my Nginx ingress external load balancer is a TCP load balancer. As far as I have researched, I can't convert this load balancer's protocol from TCP to HTTP/HTTPS.

- First question: is this conversion possible, and if it is, can I use Cloud Armor on it?

Secondly, I tried to create a new cloud load balancer to route traffic through it. Unhappily, even though I can activate Cloud Armor on it, routing is not working as I expected, because it returns 502 anyway even though its health checks look okay.

Finally, I tried to use BackendConfig with YAML:

apiVersion: cloud.google.com/v1beta1
kind: BackendConfig
metadata:
  name: bla-backendconfig   # must match the name referenced in the Service annotation below
spec:
  securityPolicy:
    name: "bla-armor"
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress-controller   # placeholder: the original post omits the Service name
  annotations:
    # note: this maps port 443, but only port 80 is listed under ports below
    cloud.google.com/backend-config: '{"ports": {"443":"bla-backendconfig"}}'
spec:
  type: LoadBalancer   # implied by loadBalancerIP / healthCheckNodePort in the original
  clusterIP: xx.xx.xx.xx
  externalTrafficPolicy: Local
  healthCheckNodePort: xxxxxxx
  loadBalancerIP: xx.xx.xxxx.xx
  ports:
    - name: http
      nodePort: 31000
      port: 80
      protocol: TCP
      targetPort: http

And it doesn't work either. That was my last hope. Is there any advice here?

  • I suspect this is expected behavior. I found this GitHub [link](https://github.com/kubernetes/ingress-nginx/issues/3294) referencing the same behavior. Please also note that, currently, GCP does not support 3rd-party ingresses like Nginx for Cloud Armor, and they won't be filtered for DDoS attacks. There are some feature requests for this implementation, but so far no ETA has been provided for [nginx-ingress in Cloud Armor](https://issuetracker.google.com/143528734) support. – Marcel P Apr 28 '21 at 15:28

1 Answer

I was facing the same problem as you: we have an ingress with the nginx ingress controller and we want to protect our ingress with Cloud Armor, which is actually impossible. The solution was to create a Google Cloud HTTP load balancer and create network endpoint groups (NEGs) as backends for our LB.

To create our NEGs, it's done by adding an annotation to the Kubernetes Service like this:

cloud.google.com/neg: '{"exposed_ports": {"PORT_NUMBER":{"name": "NEG_NAME"}}}'

You have to check in the firewall rules that the PORT_NUMBER is allowed for the TCP protocol and for the source IP ranges 130.211.0.0/22 and 35.191.0.0/16 for the LB. You can check the doc for the Google Cloud LB and that's it. Hope that can help

Cheers
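The steps the answer describes, written out as gcloud commands (added example, not code from the answer or from Google's documentation). It assumes the Service already carries the `cloud.google.com/neg` annotation from the answer with port 80 and the NEG name `nginx-ingress-neg`; the zone, network tag, resource names and the `/healthz` health-check path are assumptions to adjust for your project, and `DRY_RUN=1` (the default) only prints the commands.

```shell
#!/bin/sh
# Added example, not part of the original answer: the gcloud steps it describes,
# from firewall rule to a Cloud Armor policy on a NEG-backed HTTP load balancer.
# Every name below is an assumption; the Service is assumed to already carry
# cloud.google.com/neg: '{"exposed_ports": {"80":{"name": "nginx-ingress-neg"}}}'
set -eu
PORT_NUMBER="${PORT_NUMBER:-80}"           # port from the NEG annotation
NEG_NAME="${NEG_NAME:-nginx-ingress-neg}"  # name from the NEG annotation
ZONE="${ZONE:-europe-west1-b}"             # GKE creates one NEG per zone that has nodes
NETWORK="${NETWORK:-default}"
NODE_TAG="${NODE_TAG:-gke-nginx-node}"     # network tag of the GKE nodes
POLICY="${POLICY:-bla-armor}"              # Cloud Armor policy named in the question
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print the commands, 0 = run them
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 1. Health checkers and Google front ends must reach the pod port (answer's ranges).
allow_health_checks() {
  run gcloud compute firewall-rules create allow-lb-to-neg \
    --network="$NETWORK" --direction=INGRESS --action=ALLOW \
    --rules="tcp:$PORT_NUMBER" \
    --source-ranges=130.211.0.0/22,35.191.0.0/16 \
    --target-tags="$NODE_TAG"
}

# 2. Backend service with the NEG as backend and the Cloud Armor policy attached.
create_backend() {
  run gcloud compute health-checks create http nginx-neg-hc \
    --port="$PORT_NUMBER" --request-path=/healthz
  run gcloud compute backend-services create nginx-neg-backend --global \
    --load-balancing-scheme=EXTERNAL --protocol=HTTP --health-checks=nginx-neg-hc
  run gcloud compute backend-services add-backend nginx-neg-backend --global \
    --network-endpoint-group="$NEG_NAME" --network-endpoint-group-zone="$ZONE" \
    --balancing-mode=RATE --max-rate-per-endpoint=100
  run gcloud compute backend-services update nginx-neg-backend --global \
    --security-policy="$POLICY"
}

# 3. Front end: URL map -> target HTTP proxy -> global forwarding rule.
create_frontend() {
  run gcloud compute url-maps create nginx-neg-urlmap --default-service=nginx-neg-backend
  run gcloud compute target-http-proxies create nginx-neg-proxy --url-map=nginx-neg-urlmap
  run gcloud compute forwarding-rules create nginx-neg-fr --global \
    --load-balancing-scheme=EXTERNAL --target-http-proxy=nginx-neg-proxy --ports=80
}

main() { allow_health_checks; create_backend; create_frontend; }
if [ "${RUN_SETUP:-0}" = 1 ]; then main; fi
```

Run it with `DRY_RUN=0 RUN_SETUP=1` to execute the commands; repeat the `add-backend` step once per zone that holds nodes, since GKE creates a NEG of the same name in each such zone.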