Web applications exposed to the internet face risks such as DDoS attacks, SQL injection, cross-site scripting, malicious HTTP requests, and SSH brute force attacks. By attaching Web Application Firewall (WAF) to an Application Load Balancer (ALB) instance managed by the ALB Ingress controller, you can enforce deep, protocol-aware security inspection for your workloads without adding infrastructure. WAF-enabled ALB instances support various HTTP protocols and encoding algorithms to help you build an in-depth and precise security system. If your web applications are vulnerable to intrusions or require higher security, you can use WAF-enabled ALB instances.
For more information about WAF-enabled ALB instances, see Benefits of WAF-enabled ALB instances. For more information about WAF, see What is WAF?
Enabling WAF changes your ALB billing. For pricing details, see ALB billing rules.
Prerequisites
Before you begin, ensure that you have:
- The ALB Ingress controller installed in your cluster. For more information, see Manage the ALB Ingress controller.
- If using an ACK dedicated cluster: cluster permissions granted to the ALB Ingress controller. For more information, see Authorize an ACK dedicated cluster to access the ALB Ingress controller.
- A kubectl client connected to your ACK cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.
Enable or disable WAF protection
Set the edition field in your AlbConfig to control WAF protection. You can apply this change when creating a new ALB instance or when updating an existing one.
You cannot change the edition field of a reused ALB instance.
The following example shows both states:
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    addressType: Internet
    edition: StandardWithWaf # Enable WAF protection. Set to Standard to disable.
    zoneMappings:
    #...
| edition value | WAF protection |
|---|---|
| StandardWithWaf | Enabled |
| Standard | Disabled |
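To confirm which AlbConfigs in a cluster actually have WAF enabled, the following added example (not part of the original documentation) audits JSON in the shape produced by `kubectl get albconfig -o json` and reports every AlbConfig whose `edition` is not `StandardWithWaf`. The sample data is constructed, and treating an absent `edition` field as "WAF not enabled" is an assumption of this example.

```python
import json
import sys

WAF_EDITION = "StandardWithWaf"  # the edition value this page documents as WAF-enabled

# Constructed sample, shaped like `kubectl get albconfig -o json` output.
SAMPLE = {
    "kind": "List",
    "items": [
        {"kind": "AlbConfig", "metadata": {"name": "alb"},
         "spec": {"config": {"addressType": "Internet", "edition": "StandardWithWaf"}}},
        {"kind": "AlbConfig", "metadata": {"name": "alb-public"},
         "spec": {"config": {"addressType": "Internet", "edition": "Standard"}}},
        {"kind": "AlbConfig", "metadata": {"name": "alb-internal"},
         "spec": {"config": {"addressType": "Intranet"}}},
    ],
}


def audit_albconfigs(doc):
    """Return one finding per AlbConfig whose edition is not StandardWithWaf."""
    items = doc["items"] if "items" in doc else [doc]  # list output or single object
    findings = []
    for item in items:
        if item.get("kind") != "AlbConfig":
            continue
        cfg = (item.get("spec") or {}).get("config") or {}
        edition = cfg.get("edition")  # None when unset (assumed: WAF not enabled)
        if edition == WAF_EDITION:
            continue
        findings.append({
            "name": item.get("metadata", {}).get("name", "<unnamed>"),
            "edition": edition,
            "internet_facing": cfg.get("addressType") == "Internet",
        })
    # Internet-facing instances first: they are exposed without WAF inspection.
    return sorted(findings, key=lambda f: not f["internet_facing"])


if __name__ == "__main__":
    # Usage: pass a file saved from `kubectl get albconfig -o json`, or no argument
    # to run against the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE
    for f in audit_albconfigs(doc):
        scope = "Internet-facing" if f["internet_facing"] else "not Internet-facing"
        print(f"{f['name']}: edition={f['edition']!r}, {scope}, WAF not enabled")
```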
What's next
- To control access based on source IP addresses, see Use AlbConfigs to add and modify ACL rules.
- To authenticate client identities with mutual TLS, see Use HTTPS mutual authentication to enhance security.