Google Cloud Armor can work with Traefik. However, it requires a few crucial changes to make it work.
- First you need to change the type of the Service through which the ingress controller (e.g. Traefik) is exposed to NodePort and add the specific annotation that refers to the backend config with the Cloud Armor rule.
- Then you need to obtain a global IP address from GCP.
- Then you need to create a catch-all Ingress rule with the annotation that matches the IP address obtained in the previous step. That rule should forward all traffic to the Traefik Service created.
- Create a security policy in Cloud Armor using the Google Cloud console.
- Create a backend config using the BackendConfig CRD that matches the name from the first step.
- Then just create regular Ingress and IngressRoute objects and your network traffic will be protected by Google Cloud Armor.
The entire network flow looks like the following:
Customer -> Internet -> Global GCE IP -> GCE ingress controller -> catch-all Ingress -> Traefik Service -> Traefik ingress controller -> whoami Service -> whoami pod
I am about to create a blog post with all the necessary configuration and code snippets to make that process more readable.
Hope that helps,
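The steps above, written out as one set of manifests. This is an added example, not configuration from the post's author or from the Traefik project, and every name in it is an assumption: namespace `traefik`, Service `traefik` selecting pods labelled `app.kubernetes.io/name: traefik`, BackendConfig `traefik-cloud-armor`, reserved address `traefik-global-ip`, Cloud Armor policy `traefik-edge-policy`, and a `whoami` Service on port 80 in `default` behind the host `whoami.example.com`. The annotation keys, CRD kinds and fields are the documented GKE and Traefik ones.

```yaml
# Prerequisites, done once outside Kubernetes (resource names are assumptions):
#   gcloud compute addresses create traefik-global-ip --global
#   gcloud compute security-policies create traefik-edge-policy
#   Rules can be added in the console as the post describes, or with
#   gcloud compute security-policies rules create ...
---
# Step 1: expose Traefik as a NodePort Service and point it at the
# BackendConfig that carries the Cloud Armor policy.
apiVersion: v1
kind: Service
metadata:
  name: traefik
  namespace: traefik
  annotations:
    # "default" applies the named BackendConfig to every port of this Service
    cloud.google.com/backend-config: '{"default": "traefik-cloud-armor"}'
spec:
  type: NodePort
  selector:
    app.kubernetes.io/name: traefik   # assumed label on the Traefik pods
  ports:
    - name: web
      port: 80
      targetPort: web                 # Traefik's "web" entrypoint
---
# Steps 5/6: BackendConfig that attaches the Cloud Armor policy to the
# GCE backend service the ingress controller creates for the Service above.
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: traefik-cloud-armor
  namespace: traefik
spec:
  securityPolicy:
    name: traefik-edge-policy         # must already exist in the same project
  healthCheck:
    # The GCE load balancer probes the backend; Traefik answers 404 on "/"
    # by default, which marks the backend UNHEALTHY. Use the ping endpoint
    # instead. Assumes Traefik is started with --ping=true --ping.entryPoint=web
    # so that /ping is served on the same port as application traffic.
    type: HTTP
    requestPath: /ping
---
# Step 4: catch-all GCE Ingress bound to the reserved global IP that sends
# all traffic to the Traefik Service.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: traefik-catch-all
  namespace: traefik
  annotations:
    kubernetes.io/ingress.class: gce
    kubernetes.io/ingress.global-static-ip-name: traefik-global-ip
spec:
  defaultBackend:
    service:
      name: traefik
      port:
        number: 80
---
# Step 7: ordinary Traefik routing. Everything that reaches Traefik has
# already been evaluated against the Cloud Armor policy at the GCE edge.
# Traefik v3 uses apiVersion traefik.io/v1alpha1 for the same object.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`whoami.example.com`)
      kind: Rule
      services:
        - name: whoami
          port: 80
```

Apply with `kubectl apply -f`, then confirm the policy is actually attached: `kubectl describe ingress traefik-catch-all -n traefik` should list the backend as HEALTHY, and `gcloud compute backend-services describe <backend-service-name> --global --format='value(securityPolicy)'` should print the policy name. One caveat a reviewer would raise: Cloud Armor only filters traffic that enters through the GCE load balancer, so the NodePort on the cluster nodes must not be reachable from the internet directly; restrict the VPC firewall for that port to Google's load balancer and health-check source ranges (130.211.0.0/22 and 35.191.0.0/16), otherwise the policy can be bypassed by hitting a node IP.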