Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,001 questions
Unintentionally deletion of a WAF HTTP Listener Association with an AGW + AGIC + AKS. Meanwhile, the associcated AGW HTTP Listener still existing.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 65%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELD%3C/text%3E%3C/svg%3E)
LyTien Dung
0
Reputation points
Here are existing components:
WAF Policy:
- Custome rule
- Associated application gateways: HTTP Listener, fl-2991a50d204b26a829717bbebe722d00
AGW + AGIC + AKS:
- AGW has fl-2991a50d204b26a829717bbebe722d00 -> rr-2991a50d204b26a829717bbebe722d00 -> a backend target which is AKS service
- AGIC standing in the middle of AGW -> AKS
- AKS has an USER node pool hosting service, pods that linked with fl-2991a50d204b26a829717bbebe722d00
The requirement is WAF policy allows only a list of IP addresses to access into this HTTP Listener fl-2991a50d204b26a829717bbebe722d00, the others HTTP Listener still be allowed to publicly be accessed.
Everything worked as expected until the HTTP Listener Association removed automatically after a period of time.
Even the Listener, Routing Rule, Backend Targets still persist in the AGW.
And it seems that the AGIC ingresscontroller pod did the removal of the association.
This issue forces me to "re-Add" the Association every time to have WAF policy rule applied.
Please! Could you share any idea on fixing this issue in AGW or WAF policy.
Huge thanks!
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 94%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGC%3C/text%3E%3C/svg%3E)
Goncalo Correia 261 Reputation points Microsoft Employee2024-07-02T16:20:11.9233333+00:00 Hi @LyTien Dung
Thanks for posting your question here in Microsoft Q&A,
Regarding the architecture of the solution you are using, is the AGIC managing an Application Gateway and you have a second Application Gateway? Or are you manually configuring the WAF policies in the AGIC managed Application Gateway?From the behaviour you describe it seems to be the latter one, as the changes are probably being reverted by the reconcile loop of the AGIC (that assures that the App Gateway configuration matches the one on the AGIC, from the AKS perspective).
-
LyTien Dung 0 Reputation points
2024-07-03T02:43:52.57+00:00 Hi Goncalo Correia,
Thanks for your response,
Yes, the AGIC is managing the AGW via AKS AGIC add-on enabled and No secondary AGW among them.
No, I do not configure WAF policies in AGIC and I'm attempting to manage policies (custom rules and associations via HTTP Listener) in WAF individually.
In case that the AGIC add-on keep removing the configurations applied from the WAF policy's association. Do you have any further suggestion of what should be done to have effect of WAF policies applying Association's type - HTTP Listener on the AGW managed by AGIC add-on from AKS?
-
Goncalo Correia 261 Reputation points Microsoft Employee
2024-07-03T08:15:38.7033333+00:00 Hi @LyTien Dung
I see, thanks for the clarification.
Like I've mentioned, if the AGW is managed by AGIC all the manual configurations will be reverted back by AGIC. The way to apply custom configurations is through annotations in the ingress resource:
https://github.com/Azure/application-gateway-kubernetes-ingress/blob/master/docs/annotations.mdPlease check out the annotation: https://github.com/Azure/application-gateway-kubernetes-ingress/blob/master/docs/annotations.md#azure-waf-policy-for-path
I am not 100% sure it is inline with what you aim to achieve, but broadly speaking configurations to a AGW managed by AGIC have to be done this way.
If this does not allow you to implement what you want, you can also consider having a user manged AGW and expose the services in AKS to an private/internal IP (either through LoadBalancer services or even ingress with nginx ingress e.g.)
This way the public endpoint would still be in the AGW that you managed and the AKS endpoints would be private and only reachable through the AGW. It might be less dynamic, but it might be potentially more customizable.
-
LyTien Dung 0 Reputation points
2024-07-05T06:13:27.3966667+00:00 Hi Goncalo Correia,
Huge thanks for your recommendation.
I would try to update the annotation to see if the issue fixed.
And a good new update that my colleague and I added a Custom Rule with a condition: String - RequestHeaders - "Host" that Contains a Match value like "abc.xyz.net" so that satisfies the requirement. There is no need to create an Association to a specific HTTP Listener as I'd done before.
Sign in to comment