Hi, I have GKE Autopilot cluster up-and-running with Traefik ingress controller in-place. I would like to enable and configure Cloud Armour but it seems like it only can be used with HTTP(S) Load Balancer. Traefik ingress is using TCP Load Balancer. What are the options for me to enable Cloud Armour?
Thank you.
Google Cloud Armor can work with Traefik. However, it requires a few crucial changes to make it work.
The entire network flow looks like following;
Customer -> Internet -> Global GCE IP -> GCE ingress controller -> Catch all ingres -> traefik service -> traefik ingress controller -> whoami service -> whoami pod
I am about to create the blog post with all the necessary configuration and code snippets to make that process more readable.
Hope that helps,
Jakub
@jakubhajek would that be a lot of latency added since it go through so many layers of proxying ?
Hi @WLun001
Well, this is the way how I managed to configure Cloud Armor with Ingress controller, I believe that the same is also true for another ingress controller.
If you have some insights to share please let me know, thank you 
Hi @jakubhajek yeah that a decent solution. I don't have better alternative, just a thought about the latency. But yeah need to perform load test to find out the actual latency.
Hi @WLun001
I would love to see the results of your tests. Please let me know
Thank you
Jakub, thank you for a detailed reply. I will give it a try. Much appreciated.
You are welcome @stashordiyenko - let us know the results of your tests, the feedback, and improvements concerning that integration are more than welcome Thank you 
@jakubhajek, @stashordiyenko I have write a blog post on this matter, let me know what you all think
Thanks a lot for you blog post. You didn't mention how to change the service type of Traefik service as by default it is installed with tcp load balancer in front. Jakub mentioned that the service type should be changed to NodePort. Could you add this information to your article?
I didn't progress with Cloud Armor and was looking to other WAF solutions with terraform support in the market. Going to come back to evaluation later next month.
@stashordiyenko I was using Container native load balancing, which is default for new GKE version, not need change to NodePort.
hello @jakubhajek @WLun001
i am using traefik in GKE as ingress controller , Now i want to apply cloud armor policy rules on traefik Load Balancer.
by reading this post i am confused .
@cs111 what is your confusion?
Thanks for your quick reply.
i created an ingress over traefik service by using backend service of traefik with port 8080.
Then i get global IP. when i visit that ip its not hitting traefik admin panel.
My goal is to apply clous armor policy rule on that ip.
Should use port 80 instead of 8080, as shown in my blog posts too
Because the ingress is calling traefik service within kubernetes cluster
seems like your backend service is not healthy, what is the error message?
can we meet on zoom? right now
unfortunately i do not offer such service, you should get some information on the error message from backend service
