Deploying WAF-as-a-Service Security Module as a Container on On-Premises Kubernetes Cluster

The traffic processing engine of WAF-as-a-Service can be deployed as a container on a Kubernetes cluster that is hosted and managed by the customer.

Prerequisites

  • You must have a WAF-as-a-Service account enabled for custom container deployment. This requires a signed NDA with Barracuda Networks. Contact your Barracuda sales representative for more information on signing an NDA.

  • You must have a running Kubernetes cluster.

  • You must have permission to create the required resources in your Kubernetes cluster.

  • The Kubernetes command-line tool kubectl should be installed on the workstation that is used to manage your Kubernetes cluster.

  • Allow access to the following domains from the Kubernetes cluster:

| Hostname | Port | TCP/UDP | Direction | Purpose |
|---|---|---|---|---|
| container-api.waas.barracudanetworks.com | 443 | TCP | Outbound | Update configuration settings |
| waascontainerprod.blob.core.windows.net | 443 | TCP | Outbound | Storing troubleshooting information |
| wafaas-prod-eh.servicebus.windows.net | 443 | TCP | Outbound | Storing access and firewall logs |
| waas-iot-hub-proxy-func-prod.azurewebsites.net | 8883 | AMQP | Inbound/Outbound | Exchange of configuration and other statistics |
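
Before deploying, it helps to confirm that the egress allow-list above is actually in effect from inside the cluster network. The following preflight script is an added example, not Barracuda tooling: the hostnames and ports are copied from the table, while the function names, the `--run` switch, and the availability of `nc` (netcat) are assumptions. It tests only outbound TCP reachability, so run it from a cluster node or a pod, not from the management workstation.

```shell
#!/bin/sh
# Added example: egress preflight for the allow-list in the table above.
# Hostnames/ports come from the table; all names below are hypothetical.

# One "host port purpose" record per line. The table labels the 8883 entry
# AMQP and Inbound/Outbound; only an outbound TCP connect is tested here.
endpoints() {
cat <<'EOF'
container-api.waas.barracudanetworks.com 443 config-updates
waascontainerprod.blob.core.windows.net 443 troubleshooting-data
wafaas-prod-eh.servicebus.windows.net 443 access-and-firewall-logs
waas-iot-hub-proxy-func-prod.azurewebsites.net 8883 config-and-statistics
EOF
}

# Default probe: DNS resolution plus a TCP connect with a 5 second timeout.
# Assumes a netcat build that supports -z and -w.
tcp_probe() {
  nc -z -w 5 "$1" "$2" </dev/null >/dev/null 2>&1
}

# Run the probe named in $PROBE against every endpoint, print one result
# line per endpoint, and return the number of blocked endpoints.
preflight() {
  probe=${PROBE:-tcp_probe}
  blocked=0
  while read -r host port purpose; do
    if "$probe" "$host" "$port"; then
      printf 'OK      %s:%s (%s)\n' "$host" "$port" "$purpose"
    else
      printf 'BLOCKED %s:%s (%s)\n' "$host" "$port" "$purpose"
      blocked=$((blocked + 1))
    fi
  done <<EOF
$(endpoints)
EOF
  return "$blocked"
}

# Perform the real network checks only when invoked with --run, so the
# functions can also be sourced and exercised with a substitute probe.
if [ "${1:-}" = "--run" ]; then
  preflight
fi
```

A non-zero exit status equals the number of endpoints that could not be reached, which makes the script usable as a gate in a deployment pipeline.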

Configuring WAF-as-a-Service

Step 1. Create a Container Key

  1. Navigate to https://waas.barracudanetworks.com/ and log in with your Barracuda account credentials.

  2. If you do not already have a Barracuda account, click Free 30-Day Trial to sign up for a trial of WAF-as-a-Service.

  3. On the WAF-as-a-Service web interface, click Resources > WAF Containers > Container Keys.

  4. On the Container Keys page, click New Key.

  5. On the Create new key window:

    1. Key Name - Enter a name for the key.

    2. Select an option to create the key.

      1. If you select I will generate my own key and provide the public portion:

        1. Copy the UNIX command from the window and paste it into your UNIX-like system: ssh-keygen -f barracuda-wafaas-container-key

        2. Copy the contents of the barracuda-wafaas-container-key.pub file and paste them into the Public key box.

        3. Click Create.

      2. If you select I would like WAF-as-a-Service to generate a key for me:

        1. The Barracuda WAF-as-a-Service generates a key for the container.

        2. Click Download and download the key file.

        3. Click Create.

Step 2. Create a Container

  1. On the WAF-as-a-Service web interface, click Resources > WAF Containers > Container Management.

  2. On the Container Management page, click Add Container.

  3. On the Add Container window:

    1. Name - Enter a name for the container.

    2. Encryption Key – Select the key that you created in Step 1. Create a Container Key.

    3. Google reCAPTCHA is available for the applications in your container. An advanced risk analysis engine and adaptive CAPTCHAs are employed to challenge suspicious clients and protect against spam, bots, and other threats. Clients failing the challenge will not be able to further use your application. To enable this protection, you must provide your own reCAPTCHA keys. Refer to the Google documentation for creating reCAPTCHA keys.

    4. If you leave these fields blank, or if reCAPTCHA is enabled, but the connection with Google is lost, WAF-as-a-Service's basic CAPTCHA will still challenge clients marked as suspicious.

    5. Click Add.

Step 3. Add an Application

  1. On the WAF-as-a-Service web interface, click Applications in the left panel.

  2. On the Applications page, click Add Application.

  3. On the Add Application window:

    1. Websites

      1. Application Name – Enter a name for the application.

      2. Domain Name – Enter the domain name of the application.

      3. Click Continue.

    2. Backend Server reachable from public network (internet)

      1. Backend Server Protocol - Select the protocol that needs to be used to access the server.

      2. IP Address/Hostname - Verify the IP address/hostname of the backend server.

      3. Port - Verify the port number on which the server is listening.

      4. Click Test Connection.

        1. If the backend server is reachable, the following message is displayed:

          1. Click Add.

        2. If the backend server is not reachable from the public network, the following message is displayed:

          1. Click Continue anyway and then click Add.

      5. Click Close.