Jump to content
Welcome to our new Citrix community!
  • NetScaler ADC with Google Anthos: App protection and policy enforcement for Kubernetes apps

    • Validation Status: Validated
      Has Video?: No

    NetScaler ADC with Google Anthos: App protection and policy enforcement for Kubernetes apps

    Submitted June 8, 2022

    Author: Konstantinos Kaltsas


    In this post, we’ll focus on security and demonstrate how:

    • NetScaler ADC can strengthen your security posture across hybrid and multi-cloud.
    • NetScaler's web app firewall works seamlessly with Google Anthos Policy Controller to provide protection for Kubernetes apps and APIs.
    • NetScaler's web app firewall with Google Anthos Policy Controller enforces app protection using configuration as code
    • GitOps enhances continuous configuration along with Google Anthos Config Management for automating security configuration.

    Protecting Web Apps and APIs

    When it comes to application delivery, security is a top priority. Web apps and APIs are often an organization’s most valuable but vulnerable assets, and to reach production and go live, there are several requirements that need to be met. From governance and compliance requirements to organization-specific requirements, the task is not an easy one.

    NetScaler's web app firewall has proven and robust security controls to protect apps against known and unknown application attacks. It defends apps and APIs against OWASP top 10 threats and zero-day attacks and provides security insights for faster remediation. To learn how NetScaler's web app firewall is designed to provide security, check out our product documentation. Our introduction to Citrix Web App Firewall, overview of security checks, and FAQs and deployment guide are great resources to help you get started.

    NetScaler's web app firewall is designed to be easily enabled and configured as code following the infrastructure and configuration as code paradigms. By providing WAF, bot management, CORS CRD for Kubernetes, security configurations are now possible from within a GKE cluster. You can now automate the configuration of both Tier-1 and Tier-2 web app firewalls easily.

    Common protections such as buffer overflow, cross-site request forgery (CSRF), cross-site scripting (XSS), SQL injection, URL allow lists and block lists, or more advanced ones can be easily enabled as policies using simple YAML files. Combining these capabilities with policy agents (as we’ll see in our lab) introduces an enterprise-grade practice of configuring and automating security.

    The key advantage of using a web app firewall is that it uses a single code base across all NetScaler ADC form factors (MPX and SDX, as well as VPX and CPX) so you can consistently apply and enforce security policies across any application environment. That gives you the ease of deployment and simplicity in configurations which saves time and reduces configuration errors.

    This web app firewall follows well-established principles that provide DevOps, CloudOps and SecOps teams with the tools they need to effectively do their job. By supporting both positive and negative security models, the web app firewall provides the widest protection possible. In addition to that, common event format (CEF) logging enables customers to easily collect and aggregate WAF data for analysis by an enterprise management system. Configuring and integrating a WAF has never been easier.

    Because security configurations can be part of the source code and stored in Git, different configurations can be created and maintained per environment. “Shifting Security Left” in the early stages of testing can become easier and Dev(Sec)Ops practices can be applied. Configurations are now closer to meeting the actual need, closer to the apps that need protection, and can eliminate false positives. And with a single point of truth, full visibility is achieved for both Operations and Audit teams, making it even easier to perform required audits.

    Deploying a Modern Application Architecture

    Here, we’ll focus on deploying a Tier-1 NetScaler ADC (VPX) in front of a Google Anthos GKE cluster within GCP. We will leverage Google Anthos Configuration Management for consistent deployment of NetScaler components into the Anthos GKE cluster. Additionally, we’ll leverage Google Anthos Policy Controller to ensure that NetScaler's web app firewall configurations exist to protect ingress objects within a cluster.

    ACM (Anthos Configuration Management) is a GitOps-centric tool that synchronizes configuration into a Anthos Kubernetes cluster from a Git repository. Policy Controller is a component of ACM that can audit or enforce configurations across the cluster. This lab automation has been written with GitHub as the git repository tool of choice.

    The following diagram illustrates the infrastructure used by our lab that will be deployed. (Click the image to view larger.)


    NetScaler ADC VPX

    A single NetScaler ADC VPX instance is deployed with two network interfaces:

    • nic0 provides access for management (NSIP) and access to back-end servers (SNIP).
    • nic1 provides access for deployed applications (VIPs).
    • Each interface is assigned an internal private IP address and an external public IP address.
    • The instance is deployed as a pre-emptible node to reduce lab costs.
    • The instance automatically configures the password with Terraform.
    • The instance is then automatically configured by the Ingress Controller and Node Controller deployed in the GKE cluster.

    VPCs and Firewall Rules

    Two VPCs are used in this deployment:

    • The default VPC and subnets are used for instance and GKE cluster deployment.
    • The vip-vpc is used only to host VIP addresses, which routes the traffic back to the services in the default VPC.
    • Default firewall rules apply to the default VPC.
    • Ports 80/443 are permitted into the vip-vpc.

    GKE Cluster with Anthos Configuration Management

    A single GKE cluster is deployed as a zonal cluster:

    • Autoscaling is enabled with a minimum of one node and a configurable maximum.
    • The Google Anthos Config Management (ACM) operator is deployed into the GKE cluster and configured to sync the cluster configuration from a GitHub repository.
    • Ingress and Node Controller components are automatically installed via ACM into the ctx-ingress namespace.
    • Web app firewall is installed via ACM to enable developers to create WAF configurations.
    • Worker nodes are deployed as pre-emptible nodes to reduce lab costs.
    • Policy Controller is installed to demonstrate constraints that enforce the presence of a WAF object in a namespace prior to accepting an Ingress resource.

    GitHub Repository

    A dedicated GitHub repository is created and loaded with a basic cluster configuration:

    • A basic hierarchical format is used for ease of navigation through namespaces and manifests.
    • Ingress Controller and Node Controller deployment manifests are built from templates and added to this repository, along with their other required roles / role bindings / services / etc.
    • This repository is created and destroyed by Terraform.

    Online Boutique Demo Application

    The online boutique demo application provides a microservices-based application for our lab. It has been modified slightly for this environment:

    • An ingress resource has been added to receive all traffic through the NetScaler VPX.
    • Application components are controlled through Anthos Config Management and the source git repo.

    What’s Next?

    Watch out for the next blog post in our series, where we will discuss how you can use NetScaler ADC, with its extensive set of policies, as an API gateway for Kubernetes apps.

    Want to join our Citrix cloud-native Slack channel? Sign up now to receive an invitation.

    User Feedback

    Recommended Comments

    There are no comments to display.

    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

  • Create New...