How can i use cloud armor on nginx ingress controller?

2.7k views

First of all, I am using an Nginx ingress controller installed with Helm on GKE, and I am using ModSecurity as a WAF. Nevertheless, I was researching a new kind of WAF to display the results of prevention, and Cloud Armor looks like what I am looking for. Unfortunately, it works only with HTTP/HTTPS load balancers, but my Nginx ingress external load balancer is a TCP load balancer. As far as I have researched, I can't convert this load balancer's protocol from TCP to HTTP/HTTPS.

- First question: is this conversion possible, and if it is possible, can I use Cloud Armor on it?

Secondly, I tried to create a new cloud load balancer to route traffic through it. Unhappily, even though I can activate Cloud Armor on it, routing is not working as I expected, because it returns 502 anyway, even though its health checks look okay.

Finally, I tried to use a BackendConfig with this YAML:

apiVersion: cloud.google.com/v1beta1
kind: BackendConfig
metadata:
  name: armor-backendconfig
spec:
  securityPolicy:
    name: "bla-armor"
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress-controller   # a Service needs a name; placeholder
  annotations:
    # The key must be a port this Service exposes (80 below) and the value
    # must be the BackendConfig name declared above.
    cloud.google.com/backend-config: '{"ports": {"80":"armor-backendconfig"}}'
spec:
  type: LoadBalancer                # implied by loadBalancerIP/healthCheckNodePort
  clusterIP: xx.xx.xx.xx
  externalTrafficPolicy: Local
  healthCheckNodePort: xxxxxxx
  loadBalancerIP: xx.xx.xxxx.xx
  selector:                         # placeholder: labels of the controller pods
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
   - name: http
     nodePort: 31000
     port: 80
     protocol: TCP
     targetPort: http

And it doesn't work either. That was my last hope. Is there any advice here?

2

There are 2 answers

0
Utkarsh Sharma

Directly integrating Cloud Armor with the NGINX ingress controller isn't feasible. The alternative approach involves leveraging Google Cloud HTTP Load Balancer (GLB) and employing Network Endpoint Groups (NEGs) as the backend for the load balancer instead.

To create the NEGs, an annotation on the Kubernetes Service is essential, such as:

cloud.google.com/neg: '{"exposed_ports": {"PORT_NUMBER":{"name": "NEG_NAME"}}}'

Additionally, for HTTPS backends, ensure that you include the SSL certificate, specify the HTTPS backend in the GLB, and also put port 443 in the annotation.

Please take note: The NEG backends will initially appear in an unknown state, and the GLB backends will show as 0 until you designate them as the backend for the GLB. Once the GLB health checks pass, the NEG Backends will become healthy, and the GLB backends will reflect the number of NGINX ingress instances marked as healthy.

0
ahmed khalil jerbi

I was facing the same problem as you: we have an ingress with the nginx ingress controller and we want to protect our ingress with Cloud Armor, which is actually impossible. The solution was to create a Google Cloud HTTP load balancer and create network endpoint groups (NEGs) as backends for our LB.

Our NEGs are created by adding an annotation to the Kubernetes Service like this:

cloud.google.com/neg: '{"exposed_ports": {"PORT_NUMBER":{"name": "NEG_NAME"}}}'

You have to check in the firewall rules that PORT_NUMBER is allowed for the TCP protocol from the LB source IP ranges 130.211.0.0/22 and 35.191.0.0/16. You can check the docs for the Google Cloud LB, and that's it. Hope that can help.

Cheers
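The procedure both answers describe, written out end to end as an added example (this is not code from either answer or from the ingress-nginx project): the controller Service gets the standalone NEG annotation, a firewall rule admits the Google health-check ranges on the NEG port, and a global external HTTP load balancer is built with the NEG as backend and the Cloud Armor policy attached to its backend service. The project id, zone, resource names, the `/healthz` health-check path and the pod selector labels are assumptions; the policy name `bla-armor` is the one from the question. By default the script only prints the `gcloud` commands it would run.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Builds a global external
# HTTP load balancer with a Cloud Armor policy in front of an nginx ingress
# controller exposed as a standalone NEG. Project, zone, names and the
# health-check path are assumptions; override them via the environment.
set -eu

PROJECT="${PROJECT:-my-project}"            # assumed project id
ZONES="${ZONES:-europe-west1-b}"            # comma-separated zones that hold NEG endpoints
NETWORK="${NETWORK:-default}"
NEG_NAME="${NEG_NAME:-nginx-ingress-neg}"   # NEG_NAME from the answers
NEG_PORT="${NEG_PORT:-80}"                  # PORT_NUMBER from the answers
POLICY="${POLICY:-bla-armor}"               # Cloud Armor policy named in the question
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print the gcloud commands, 0 = run them

# Google front ends and health checkers probe from these ranges (second answer).
HC_RANGES="130.211.0.0/22,35.191.0.0/16"

# run prints a command in dry-run mode and executes it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# service_manifest prints the controller Service with the standalone NEG
# annotation. A ClusterIP Service is enough: the NEG controller registers the
# pod IPs directly, so the TCP load balancer from the question is not needed.
# Selector labels are the ingress-nginx Helm chart defaults (assumed).
service_manifest() {
  cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  annotations:
    cloud.google.com/neg: '{"exposed_ports": {"${NEG_PORT}": {"name": "${NEG_NAME}"}}}'
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
    - name: http
      port: ${NEG_PORT}
      targetPort: http
EOF
}

# ranges_allow_health_checks succeeds when a comma-separated source-ranges
# value contains both probe ranges, i.e. the firewall check the second answer asks for.
ranges_allow_health_checks() {
  case ",$1," in *",130.211.0.0/22,"*) ;; *) return 1 ;; esac
  case ",$1," in *",35.191.0.0/16,"*) return 0 ;; *) return 1 ;; esac
}

# create_firewall admits probe and proxied traffic on the NEG port.
create_firewall() {
  run gcloud compute firewall-rules create allow-glb-health-checks \
    --project="$PROJECT" --network="$NETWORK" --direction=INGRESS \
    --source-ranges="$HC_RANGES" --allow="tcp:${NEG_PORT}"
}

# create_lb builds health check -> backend service (+NEG, +policy) -> URL map
# -> target proxy -> forwarding rule. Cloud Armor is attached to the backend
# service, which is why it cannot be applied to the nginx controller itself.
create_lb() {
  # /healthz is ingress-nginx's default health-check-path on the HTTP port (assumed unchanged).
  run gcloud compute health-checks create http nginx-hc --project="$PROJECT" \
    --port="$NEG_PORT" --request-path=/healthz
  run gcloud compute backend-services create nginx-backend --project="$PROJECT" \
    --global --protocol=HTTP --health-checks=nginx-hc
  for zone in $(printf '%s' "$ZONES" | tr ',' ' '); do
    run gcloud compute backend-services add-backend nginx-backend --project="$PROJECT" \
      --global --network-endpoint-group="$NEG_NAME" --network-endpoint-group-zone="$zone" \
      --balancing-mode=RATE --max-rate-per-endpoint=100
  done
  run gcloud compute backend-services update nginx-backend --project="$PROJECT" \
    --global --security-policy="$POLICY"
  run gcloud compute url-maps create nginx-lb --project="$PROJECT" \
    --default-service=nginx-backend
  run gcloud compute target-http-proxies create nginx-http-proxy --project="$PROJECT" \
    --url-map=nginx-lb
  run gcloud compute forwarding-rules create nginx-fr --project="$PROJECT" \
    --global --target-http-proxy=nginx-http-proxy --ports=80
}

# "plan" prints everything; DRY_RUN=0 with "apply" executes the gcloud commands.
if [ "${1:-}" = "plan" ] || [ "${1:-}" = "apply" ]; then
  service_manifest        # pipe this into: kubectl apply -f -
  create_firewall
  create_lb
fi
```

Two things to keep in mind when adapting it: standalone NEGs are only created on VPC-native (alias IP) GKE clusters, and a NEG backend reports zero healthy endpoints until the firewall rule above exists and the health check on the backend service passes, which matches the "unknown, then healthy" behaviour the first answer describes. For HTTPS to the controller, switch the health check and backend service to HTTPS, annotate port 443 as the first answer says, and put a `target-https-proxies` with a certificate in front of the URL map instead of the HTTP proxy.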