Examples of using a WAF in front of ROSA / OSD on AWS / OCP on AWS
Problem Statement
-
Operator requires WAF (Web Application Firewall) in front of their workloads running on OpenShift (ROSA)
-
Operator does not want WAF running on OpenShift to ensure that OCP resources do not experience Denial of Service through handling the WAF
Quick Introduction by Paul Czarkowski & Ryan Niksch on YouTube
Solutions
Cloud Front -> WAF -> CustomDomain -> $APP
This is the preferred method and can also work with most third party WAF systems that act as a reverse proxy
Uses a custom domain, custom route, LE cert. CloudFront and WAF
Application Load Balancer -> ALB Operator -> $APP
Installs the ALB Operator, and uses the ALB to route via WAF, one ALB per app though!
AWS ALB
Note: It is recommended that you use the Cloud Front based guide unless you absolutely must use an ALB based solution.
Here ’s a good overview of AWS LB types and what they support
Problem Statement
-
Operator requires WAF (Web Application Firewall) in front of their workloads running on OpenShift (ROSA)
-
Operator does not want WAF running on OpenShift to ensure that OCP resources do not experience Denial of Service through handling the WAF
Using CloudFront + WAF
Problem Statement
-
Operator requires WAF (Web Application Firewall) in front of their workloads running on OpenShift (ROSA)
-
Operator does not want WAF running on OpenShift to ensure that OCP resources do not experience Denial of Service through handling the WAF
Proposed Solution
-
Add a CustomDomain resource to the cluster using a wildcard DNS and TLS certificate.
-
Set the Wildcard DNS CNAME’s to CloudFront and enable the CloudFront + WAF services to reverse proxy and inspect the traffic before sending it to the cluster.
-