How to configure GCP Cloud Armor with Traefik ingress in GKE Autopilot?

Hi, I have a GKE Autopilot cluster up and running with the Traefik ingress controller in place. I would like to enable and configure Cloud Armor, but it seems like it can only be used with an HTTP(S) Load Balancer. Traefik ingress is using a TCP Load Balancer. What are the options for me to enable Cloud Armor?

Thank you.

Hi @stashordiyenko

Google Cloud Armor can work with Traefik. However, it requires a few crucial changes to make it work.

  1. First you need to change the type of the service through which the ingress controller (e.g. Traefik) is deployed to NodePort and assign the specific annotation that refers to the backend config with the Cloud Armor rule.
  2. Then you need to obtain a global IP address from GCP.
  3. Then you need to create a catch-all Ingress rule with the annotation that matches the IP address obtained from the previous step. That rule should forward all traffic to the Traefik service created.
  4. Create a security policy in Cloud Armor using the Google console.
  5. Create the backend config using the backend CRD that matches the name from the first step.
  6. Create just a regular Ingress and IngressRoute object and your network traffic will be protected through Google Cloud Armor.

The entire network flow looks like the following:

Customer -> Internet -> Global GCE IP -> GCE ingress controller -> Catch-all ingress -> traefik service -> traefik ingress controller -> whoami service -> whoami pod

I am about to create a blog post with all the necessary configuration and code snippets to make that process more readable.

Hope that helps,
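
The steps listed in the reply above, sketched as manifests. This is an added example, not part of the original post or the blog posts mentioned in the thread; every name in it (`traefik` namespace and Service, `traefik-armor`, `my-armor-policy`, `traefik-global-ip`, the selector label and the `web` target port) is a placeholder assumption to be replaced with your own values.

```yaml
# Step 5: BackendConfig that attaches an existing Cloud Armor policy (step 4).
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: traefik-armor            # placeholder name
  namespace: traefik             # assumed namespace of the Traefik install
spec:
  securityPolicy:
    name: my-armor-policy        # placeholder: the Cloud Armor policy name
---
# Step 1: Traefik Service as NodePort, annotated with the BackendConfig.
apiVersion: v1
kind: Service
metadata:
  name: traefik
  namespace: traefik
  annotations:
    cloud.google.com/backend-config: '{"default": "traefik-armor"}'
spec:
  type: NodePort
  selector:
    app.kubernetes.io/name: traefik   # assumed pod label
  ports:
    - name: web
      port: 80
      targetPort: web                 # assumed name of Traefik's HTTP port
---
# Steps 2 and 3: catch-all GCE Ingress bound to the reserved global IP.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: traefik-catch-all
  namespace: traefik
  annotations:
    kubernetes.io/ingress.class: "gce"
    kubernetes.io/ingress.global-static-ip-name: traefik-global-ip  # placeholder
spec:
  defaultBackend:                     # no rules: everything goes to Traefik
    service:
      name: traefik
      port:
        number: 80
```

The policy is only attached once a Cloud Armor security policy with the referenced name exists in the same project, and the reserved address must be a global (not regional) static IP.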

@jakubhajek would that add a lot of latency, since it goes through so many layers of proxying?

Hi @WLun001

Well, this is the way I managed to configure Cloud Armor with the Ingress controller. I believe that the same is also true for other ingress controllers.

If you have some insights to share, please let me know, thank you :wink:

Hi @jakubhajek, yeah, that's a decent solution. I don't have a better alternative, just a thought about the latency. But yeah, I need to perform a load test to find out the actual latency.

Hi @WLun001

I would love to see the results of your tests. Please let me know :wink:
Thank you

Jakub, thank you for a detailed reply. I will give it a try. Much appreciated.

You are welcome @stashordiyenko - let us know the results of your tests; feedback and improvements concerning that integration are more than welcome. Thank you :slight_smile:

@jakubhajek, @stashordiyenko I have written a blog post on this matter, let me know what you all think.

Thanks a lot for your blog post. You didn't mention how to change the service type of the Traefik service, as by default it is installed with a TCP load balancer in front. Jakub mentioned that the service type should be changed to NodePort. Could you add this information to your article?

I didn't progress with Cloud Armor and was looking at other WAF solutions with Terraform support on the market. Going to come back to the evaluation later next month.

@stashordiyenko I was using container-native load balancing, which is the default for new GKE versions, so there is no need to change to NodePort.

Hello @jakubhajek @WLun001

I am using Traefik in GKE as the ingress controller. Now I want to apply Cloud Armor policy rules on the Traefik load balancer.

After reading this post I am confused.

@cs111 what is your confusion?

Thanks for your quick reply.

I created an ingress over the Traefik service by using the backend service of Traefik with port 8080.
Then I get a global IP. When I visit that IP it's not hitting the Traefik admin panel.
My goal is to apply a Cloud Armor policy rule on that IP.

You should use port 80 instead of 8080, as shown in my blog posts too,
because the ingress is calling the Traefik service within the Kubernetes cluster.

These are the ingress details, and it's getting an error.

Here is my ingress YAML file.

Seems like your backend service is not healthy, what is the error message?

Can we meet on Zoom? Right now.

Unfortunately I do not offer such a service; you should get some information on the error message from the backend service.