Configure Cloud Armor with Traefik Proxy

Configure Cloud Armor with Traefik Proxy

Enable DDoS defense service and WAF

·

3 min read

Cover image is taken from unsplash

Google Cloud Armor is a service that help to protect infrastructure and applications from Layer 3/Layer 4 network or protocol-based volumetric distributed denial-of-service (DDoS) attacks, volumetric Layer 7 attacks, and other targeted application attacks.

Assuming you have a Traefik Proxy running and wanted to enable protection with Cloud Armor, here are some of the ways that can configure with. If you haven't install Traefik Proxy, may checkout my previous post or official docs

In order to use Cloud Armor, the traffic must serve from Cloud Load Balancing

All projects that include HTTP(S) Load Balancing, TCP Proxy Load Balancing, or SSL Proxy Load Balancing are automatically enrolled in Google Cloud Armor Standard. Learn more about managed protection

It will show the protection plan on the Cloud console if you have Load Balancing configured Screenshot 2021-06-26 at 5.54.39 PM.png

The following approaches only show configuration with Cloud Armor. Configuration with TLS, reserved IP and domain binding for production setup are not shown here

If Traefik Proxy is installed in GKE

This approach is inspired from community post

The network flow would be something like this image.png

The Ingress configuration would look like this

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    # required here because we have two ingress controller installed
    kubernetes.io/ingress.class: gce
spec:
  defaultBackend:
    service:
      name: traefik
      port:
        number: 80

Using port 80 here because traefik expose port 80 within cluster

If Traefik Proxy is installed elsewhere

If Trafix Proxy is installed elsewhere (other clouds, VM or own server), Cloud Armor can be configure with Internet network endpoint also known as custom origins.

The network flow would be something like this image.png

Simple benchmark

Notice that there are extra layer of network forwarding with approaches stated above, let's find out it will cause how many percentage of performance drop

To make comparison, I deploy a hello world Go http server, and test against it.

Source code is available at cncf-demo/traefik-cloud-armor

Cloud Armor with one policy (xss protection) is enabled image.png

Note that I am running the test on local terminal, so the factor of internet speed is ignored. Benchmark is tested with k6 with k6 run bench.js

Here is the result

TypeAvg RPSAvg latencyRequest count
Cloud Armor GKE735.4567.78ms44139
Cloud Armor custom origin718.1069.41ms43098
Traefik2275.4721.70ms137234
service type Load Balancer1088.9245.51ms65673

We can see that there will be some performance penalty with Cloud Armor enabled, but the protection may worth if you think the performance drop is acceptable. It depends what you trying to achieve.

Source code is available at cncf-demo/traefik-cloud-armor

Did you find this article valuable?

Support Wei Lun by becoming a sponsor. Any amount is appreciated!