AWS load balancer controller + WAF


Hello!

I currently have a Kubernetes cluster and the AWS ingress controller with ALB installed. Additionally, I created a WAF and associated it with my application load balancer.

Now, I'm trying to configure two (or more) separate ingress objects which have different domains, but I'm going to use the same application load balancer (by setting the same value for alb.ingress.kubernetes.io/group.name).

Everything works fine until I try to enable WAF for only one ingress. An example config looks like the following:

First ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-without-WAF
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/group.name: alb-shared
spec:
  rules:
    - host: example-1.com
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: service-1
                port:
                  number: 80

Second ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-with-WAF
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/group.name: alb-shared
    alb.ingress.kubernetes.io/wafv2-acl-arn: "arn:aws:wafv2:AWS_REGION:ACCOUNT_ID:regional/webacl/example/WAF_ID"

spec:
  rules:
    - host: example-2.com
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: service-2
                port:
                  number: 80

and it also works fine, but I noticed that the WAF rules affect ingress-without-WAF even though I didn't add the annotation alb.ingress.kubernetes.io/wafv2-acl-arn to ingress-without-WAF. To make sure, I intentionally made a mistake in wafv2-acl-arn for ingress-with-WAF (I used a wrong ARN) and then checked what kubectl describe ingress-without-WAF shows:

Failed deploy model due to failed to update WAFv2 webACL association on LoadBalancer: WAFNonexistentItemException: AWS WAF couldn’t perform the operation because your resource doesn’t exist.

which in my understanding means that ingress-without-WAF uses WAF anyway despite the lack of annotation.

Have I missed something, or is this the correct behavior and they cannot be separated?

1 Answer

Hello. A WebACL is associated with an Application Load Balancer (ALB); in this case, when you associate your first ingress, all requests to that ALB will go through the WebACL, and that includes the requests from the other ingress sent via the single ALB. There are two options you can implement:

a. Use a separate ALB for each ingress; in that case ALB 2 will not be associated with the WAF.

b. Use scope-down statements to tell the WebACL not to evaluate requests that are destined for your second ingress.

For the latter, you could check these links:

Scope-down statements

How to customize behavior of AWS Managed Rules for AWS WAF

Hope this helps.

AWS
answered 5 months ago
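The point in the answer above is that the wafv2-acl-arn annotation ends up attached to the load balancer, so inside an IngressGroup it effectively applies to every Ingress that shares the ALB, annotated or not. The following is an added example (not code from the original post or from the AWS Load Balancer Controller) that (1) audits the output of `kubectl get ingress -A -o json` for groups where some members asked for a WebACL and others did not, and (2) emits a WAFv2 rule whose scope-down statement limits AWSManagedRulesCommonRuleSet to one Host header, which is option (b) from the answer. The kubectl JSON embedded below is constructed to mirror the two manifests in the question; the rule name and metric name are arbitrary choices.

```python
"""Audit a shared-ALB IngressGroup for WebACL scope mismatches and build a
WAFv2 rule scoped down to a single Host header.  Illustrative code only, not
part of the original post or of the AWS Load Balancer Controller."""
import json
from collections import defaultdict

GROUP = "alb.ingress.kubernetes.io/group.name"
WAF = "alb.ingress.kubernetes.io/wafv2-acl-arn"

# Constructed sample mimicking `kubectl get ingress -A -o json`, mirroring the
# two manifests in the question (only the fields the audit needs are kept).
SAMPLE_KUBECTL_JSON = json.dumps({
    "items": [
        {"metadata": {"namespace": "default", "name": "ingress-without-WAF",
                      "annotations": {GROUP: "alb-shared"}},
         "spec": {"rules": [{"host": "example-1.com"}]}},
        {"metadata": {"namespace": "default", "name": "ingress-with-WAF",
                      "annotations": {GROUP: "alb-shared",
                                      WAF: "arn:aws:wafv2:AWS_REGION:ACCOUNT_ID:"
                                           "regional/webacl/example/WAF_ID"}},
         "spec": {"rules": [{"host": "example-2.com"}]}},
    ]})


def audit_ingress_groups(kubectl_output) -> dict:
    """Group Ingress objects by group.name.  A WebACL is attached to the ALB,
    so any member carrying wafv2-acl-arn puts the whole group behind that ACL.
    Accepts the kubectl JSON as a string or an already-parsed dict.  Returns,
    per group, the hosts that asked for WAF, the hosts that did not, the
    distinct ACL ARNs seen, and a flag when unannotated hosts are covered."""
    data = json.loads(kubectl_output) if isinstance(kubectl_output, str) else kubectl_output
    groups = defaultdict(lambda: {"waf_hosts": [], "no_waf_hosts": [], "acl_arns": set()})
    for item in data["items"]:
        meta = item["metadata"]
        ann = meta.get("annotations") or {}
        # An Ingress without group.name gets its own ALB: key it by its own name.
        key = ann.get(GROUP) or f"{meta['namespace']}/{meta['name']}"
        hosts = [rule.get("host", "*") for rule in item.get("spec", {}).get("rules", [])]
        g = groups[key]
        if WAF in ann:
            g["acl_arns"].add(ann[WAF])
            g["waf_hosts"].extend(hosts)
        else:
            g["no_waf_hosts"].extend(hosts)
    return {
        name: {**g, "acl_arns": sorted(g["acl_arns"]),
               # True when an ACL is attached to the shared ALB but at least one
               # member never asked for it (the situation in the question).
               "shared_acl_leak": bool(g["acl_arns"]) and bool(g["no_waf_hosts"])}
        for name, g in groups.items()
    }


def scope_down_host_statement(host: str) -> dict:
    """WAFv2 scope-down statement matching requests whose Host header equals
    `host` (case-insensitive).  Header names are lowercase in WAFv2."""
    return {
        "ByteMatchStatement": {
            "SearchString": host.lower(),
            "FieldToMatch": {"SingleHeader": {"Name": "host"}},
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
            "PositionalConstraint": "EXACTLY",
        }
    }


def managed_rule_scoped_to_host(host: str, priority: int = 0) -> dict:
    """A WebACL rule entry (the shape `aws wafv2 update-web-acl --rules`
    accepts) that evaluates AWSManagedRulesCommonRuleSet only for `host`.
    Rule and metric names are hypothetical."""
    slug = host.lower().replace(".", "-")
    return {
        "Name": f"common-ruleset-{slug}",
        "Priority": priority,
        "Statement": {
            "ManagedRuleGroupStatement": {
                "VendorName": "AWS",
                "Name": "AWSManagedRulesCommonRuleSet",
                "ScopeDownStatement": scope_down_host_statement(host),
            }
        },
        "OverrideAction": {"None": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": f"common-{slug}",
        },
    }


if __name__ == "__main__":
    report = audit_ingress_groups(SAMPLE_KUBECTL_JSON)
    for group, info in report.items():
        if info["shared_acl_leak"]:
            print(f"[!] group {group}: ACL {info['acl_arns']} also covers "
                  f"{info['no_waf_hosts']} (no wafv2-acl-arn annotation)")
            for host in info["waf_hosts"]:
                print(json.dumps(managed_rule_scoped_to_host(host), indent=2))
```

Two caveats when applying option (b): a scope-down statement only narrows the rule it is attached to, so every rule in the ACL needs its own scope-down (or the group has to be split per option (a)), and the ACL's default action still applies to requests the scoped rules skip. To confirm which ACL is actually attached to the shared ALB, run `aws wafv2 get-web-acl-for-resource --resource-arn <alb-arn>` against the load balancer the controller created.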
