Jump to content
Welcome to our new Citrix community!
  • NetScaler ADC with Google Anthos: App protection and policy enforcement for Kubernetes apps

    Konstantinos Kaltsas
    • Validation Status: Validated
      Has Video?: No

    This is the third post in our series on Citrix ADC with Google Anthos. In our first post, we talked about the importance of modern app deliver and security for hybrid multi-cloud, and in our second post, we focused on achieving consistent and reliable app delivery for Kubernetes apps and shared a lab on GitHub for readers to test.

    In this post, we’ll focus on security and demonstrate how:

    • Citrix ADC can strengthen your security posture across hybrid and multi-cloud.
    • Citrix Web App Firewall (WAF) works seamlessly with Google Anthos Policy Controller to provide protection for Kubernetes apps and APIs.
    • Citrix Web App Firewall with Google Anthos Policy Controller enforce app protection using configuration as code
    • GitOps enhances continuous configuration along with Google Anthos Config Management for automating security configuration.

    Protecting Web Apps and APIs

    When it comes to application delivery, security is a top priority. Web apps and APIs are often an organization’s most valuable but vulnerable assets, and to reach production and go live, there are several requirements that need to be met. From governance and compliance requirements to organization-specific requirements, the task is not an easy one.

    Citrix Web App Firewall has proven and robust security controls to protect apps against known and unknown application attacks. It defends apps and APIs against OWASP top 10 threats and zero-day attacks and provides security insights for faster remediation. To learn how Citrix Web App Firewall is designed to provide security, check out our product documentation. Our introduction to Citrix Web App Firewall, overview of security checks, and FAQs and deployment guide are great resources to help you get started.

    Citrix Web App Firewall is designed to be easily enabled and configured as code following the infrastructure and configuration as code paradigms. By providing WAF, bot management, CORS CRD for Kubernetes, security configurations are now possible from within a GKE cluster. You can now automate the configuration of both Tier-1 and Tier-2 Citrix Web App Firewalls easily.

    Common protections such as buffer overflow, cross site request forgery (CSRF), cross site scripting (XSS), SQL injection, URL allow lists and block lists, or more advanced ones can be easily enabled as policies using simple YAML files. Combining these capabilities with policy agents (as we’ll see in our lab) introduces an enterprise-grade practice of configuring and automating security.

    The key advantage of using Citrix WAF is that it uses a single code base across all Citrix ADC form factors (MPX and SDX, as well as VPX and CPX) so you can consistently apply and enforce security policies across any application environment. That gives you ease of deployment and simplicity in configurations which saves time and reduces configuration errors.

    Citrix Web App Firewall follows well-established principles that provide DevOps, CloudOps and SecOps teams with the tools they need to effectively do their job. By supporting both positive and negative security models Citrix Web App Firewall provides the widest protection possible. In addition to that, common event format (CEF) logging enables customers to easily collect and aggregate WAF data for analysis by an enterprise management system. Configuring and integrating a WAF has never been easier.

    Because security configurations can be part of the source code and stored in Git, different configurations can be created and maintained per environment. “Shifting Security Left” in the early stages of testing can become easier and Dev(Sec)Ops practices can be applied. Configurations are now closer to meeting the actual need, closer to the apps that need protection, and can eliminate false positives. And with a single point of truth, full visibility is achieved for both Operations and Audit teams, making it even easier to perform required audits.

    Deploying a Modern Application Architecture

    Here, we’ll focus on deploying a Tier-1 Citrix ADC (VPX) in front of a Google Anthos GKE cluster within GCP. We will leverage Google Anthos Configuration Management for consistent deployment of Citrix components into the Anthos GKE cluster. Additionally, we’ll leverage Google Anthos Policy Controller to ensure that Citrix Web App Firewall configurations exist to protect ingress objects within a cluster.

    ACM (Anthos Configuration Management) is a GitOps-centric tool that synchronizes configuration into a Anthos Kubernetes cluster from a Git repository. Policy Controller is a component of ACM that can audit or enforce configurations across the cluster. This lab automation has been written with GitHub as the git repository tool of choice.

    The following diagram illustrates the infrastructure used by our lab that will be deployed. (Click the image to view larger.)


    Citrix ADC VPX

    A single Citrix ADC VPX instance is deployed with two network interfaces:

    • nic0 provides access for management (NSIP) and access to back-end servers (SNIP).
    • nic1 provides access for deployed applications (VIPs).
    • Each interface is assigned an internal private IP address and an external public IP address.
    • The instance is deployed as a pre-emptible node to reduce lab costs.
    • The instance automatically configures the password with Terraform.
    • The instance is then automatically configured by the Citrix Ingress Controller and Citrix Node Controller deployed in the GKE cluster.

    VPCs and Firewall Rules

    Two VPCs are used in this deployment:

    • The default VPC and subnets are used for instance and GKE cluster deployment.
    • The vip-vpc is used only to host VIP addresses, which routes the traffic back to the services in the default VPC.
    • Default firewall rules apply to the default VPC.
    • Ports 80/443 are permitted into the vip-vpc.

    GKE Cluster with Anthos Configuration Management

    A single GKE cluster is deployed as a zonal cluster:

    • Autoscaling is enabled with a minimum of one node and a configurable maximum.
    • The Google Anthos Config Management (ACM) operator is deployed into the GKE cluster and configured to sync the cluster configuration from a GitHub repository.
    • Citrix Ingress Controller and Citrix Node Controller components are automatically installed via ACM into the ctx-ingress namespace.
    • Citrix Web App Firewall Custom Resource Definition (CRD) is installed via ACM to enable developers to create WAF configurations.
    • Worker nodes are deployed as pre-emptible nodes to reduce lab costs.
    • Policy Controller is installed to demonstrate constraints that enforce the presence of a WAF object in a namespace prior to accepting an Ingress resource.

    GitHub Repository

    A dedicated GitHub repository is created and loaded with a basic cluster configuration:

    • A basic hierarchical format is used for ease of navigation through namespaces and manifests.
    • Citrix Ingress Controller and Citrix Node Controller deployment manifests are built from templates and added to this repository, along with their other required roles / rolebindings / services / etc.
    • This repository is created and destroyed by Terraform.

    Online Boutique Demo Application

    The online boutique demo application provides a microservices-based application for our lab. It has been modified slightly for this environment:

    • An ingress resource has been added to receive all traffic through the Citrix VPX.
    • Application components are controlled through Anthos Config Management and the source git repo.

    To learn more about how to deploy this lab and see autoscaling in action, please visit Citrix ADC with Google Anthos – WAF with Policy Controller Lab on our Citrix Cloud Native Networking (CNN) hands-on guides.

    Additional Information

    Read more about how Citrix can help you on your application modernization journey in our Microservices App Delivery Best Practices library.

    Interested in learning more about Citrix application and API security? Check our Citrix Web App Firewall data sheet.

    Find out how a Citrix ADC solution helps manage, monitor, and secure your entire infrastructure and ensure application security efficacy on our e-book on the Top 6 WAF Essentials to Achieve Application Security Efficacy.

    In our app delivery and security developer docs, you’ll find guidance on configuring Citrix components to meet your specific requirements.

    Our e-book on six must-haves for app delivery in hybrid- and multi-cloud environments has details on why you need an application delivery controller along with a management and orchestration platform.

    You can learn more about the role of application delivery in the cloud-native journey in our white paper on seven key considerations for microservices-based application delivery.

    Finally, the ADC Guide to Managing Hybrid (IT and DevOps) Application Delivery covers how Citrix ADC bridges the gap between traditional and DevOps app delivery.

    What’s Next?

    Watch out for the next blog post in our series, where we will discuss how you can use Citrix ADC, with its extensive set of policies, as an API gateway for Kubernetes apps.

    Looking to get started or take the next step in your app modernization? Our team is now offering free consultations! Send an email to appmodernization@citrix.com to schedule your session or request a call and a specialist will promptly reply with options to connect.

    Want to join our Citrix cloud-native Slack channel? Sign up now to receive an invitation.

    User Feedback

    Recommended Comments

    There are no comments to display.

    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

  • Create New...