I have an AKS cluster running on Azure (managed Kubernetes). I'd like to put a WAF in front of it, using Azure Web Application Gateway. I think this is possible.

But I also want a firewall in front of it, to limit both inbound and outbound traffic. I don't see any documentation on how to combine both an application gateway and a firewall in Azure.

Is this possible? And is this possible using AKS? I tried to get the Application Gateway working on AKS but didn't succeed; I always get a 502, meaning the gateway can't reach the backend pool.

You can put Application Gateway in front of AKS. Just use an internal load balancer as the balancing mechanism for your services and point a properly configured Application Gateway at it. To use an internal load balancer, you have to create a service similar to this:

apiVersion: v1
kind: Service
metadata:
  name: my-service            # name of the service (placeholder)
  annotations:
    # asks the Azure cloud provider for an internal (private) load balancer
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  ports:
  - port: 80                  # port exposed on the internal load balancer
    targetPort: 8080          # port your pods actually listen on
  selector:
    app: something            # must match the labels on your pods

I don't think you need Azure Firewall; you need a Network Security Group (NSG). You can use an NSG together with Application Gateway, but there are some restrictions you have to keep in mind:
https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-faq#configuration

Overall, yes, this is possible.

4c74356b41
  • Thanks for the reply! I already tried with the internal load balancer but I can't get it working, so I was wondering if it is even possible. I'll try further then! – Nicolas Mommaerts Oct 10 '18 at 08:18
  • The only reason for an internal LB is so that it's not accessible from outside; you don't necessarily have to use it, it just makes more sense. – 4c74356b41 Oct 10 '18 at 08:20
  • Well yes, and you need an IP to configure the backend pool of the gateway; I just can't get it to reach it. – Nicolas Mommaerts Oct 10 '18 at 09:14
  • You can use the external IP as an endpoint :) Just make sure that the LB routes traffic to the nodes and the nodes really listen on that port, so test the internal LB without Application Gateway first, and when you get it working point the app gateway at that LB. Make sure that the probe is configured properly. – 4c74356b41 Oct 10 '18 at 09:19
  • I used the internal lb ip as endpoint instead of the k8s services, I presumed they were the same. I added the service ip now and it works :) – Nicolas Mommaerts Oct 10 '18 at 10:29
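The following manifest is an added example, not code from the answer or the comment thread. It puts together what the answer and the comments describe: a Deployment behind an internal-load-balancer Service, whose private frontend IP is what the Application Gateway backend pool should target (the comments note that the Service's ClusterIP is not the same address). The names, the image, the subnet name and the pinned address `10.240.100.10` are assumptions; the readiness probe path is the path the gateway's health probe should be configured to use.

```yaml
# Added example (not from the original answer); names, image, subnet and IP are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: web
        image: nginx:1.25          # placeholder image; replace with your own
        ports:
        - containerPort: 80
        readinessProbe:            # configure the App Gateway health probe on the same path/port
          httpGet:
            path: /
            port: 80
---
apiVersion: v1
kind: Service
metadata:
  name: web-internal
  annotations:
    # Provision an Azure internal load balancer (private frontend IP inside the VNet)
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    # Optional: place the frontend IP in a specific subnet of the AKS VNet (assumed subnet name)
    service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "aks-ilb-subnet"
spec:
  type: LoadBalancer
  loadBalancerIP: 10.240.100.10    # assumed free address; pins the IP the gateway backend pool points at
  selector:
    app: web
  ports:
  - name: http
    port: 80          # port the internal LB listens on: use this as the backend target port
    targetPort: 80    # containerPort of the pods above
```

After `kubectl apply -f` the `EXTERNAL-IP` column of `kubectl get svc web-internal` shows the internal load balancer's private address (not the ClusterIP); that address and port 80 go into the Application Gateway backend pool. As the answerer suggests, confirm first from a VM in the same VNet that the internal LB answers on that port, then add the gateway and make its health probe hit the readiness path, otherwise the probe fails and the gateway returns 502. Pinning the address with `loadBalancerIP` keeps the backend pool valid if the Service is recreated; if the address is not free in the subnet the Service stays in `<pending>`.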