Shown here is a basic service diagram for the way traffic flows to an application deployed on OKE.
The Oracle Cloud Infrastructure Domain Name System (DNS) service lets you create and manage your DNS zones. You can create zones, add records to zones, and allow Oracle Cloud Infrastructure's edge network to handle your domain's DNS queries.
DNS zones may also be used as part of Traffic Steering Policies.
Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules on the Ingress resource.
Explore how this works...
First an ingress controller is installed
helm repo add stable https://kubernetes-charts.storage.googleapis.com
helm install nginx-ingress stable/nginx-ingress \
--namespace nginx-ingress
kubectl get svc -n nginx-ingress
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
nginx-ingress-controller LoadBalancer 10.96.89.25 129.146.192.154 80:32491/TCP,443:31240/TCP 5m
An EXTERNAL-IP is assigned after a few seconds.
Next verify the load balancer in OCI
oci lb load-balancer list \
--compartment-id <compartment> \
| jq '.data[] | {id: .id, name: .["display-name"], ipAddr: .["ip-addresses"][]["ip-address"]}'
{
"id": "ocid1.loadbalancer.oc1.phx.aaaaaaaaucgamttt3piveonxw5d6ssirzxprcbrcv7vf6tgswna7qxdnvnfa",
"name": "097f5359-9165-11e9-bfe8-0a580aed21e9",
"ipAddr": "129.146.192.154"
}
Notice that ipAddr matches the EXTERNAL-IP assigned to the controller.
Then deploy ingress on the cluster
kubectl apply -f deploy/complete/kubernetes/ingress/mushop-dev.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: mushop-dev
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - http:
      paths:
      - path: /
        backend:
          serviceName: edge
          servicePort: 80
kubectl get ingress mushop-dev
The WAF service uses a layered approach to protect web applications against cyberattacks. This service includes over 250 predefined Open Web Application Security Project (OWASP), application, and compliance-specific rules.
OCI Web Application Acceleration and Security Services
WAF security is added between DNS and the load balancer.
oci waas waas-policy list --compartment-id <compartment>
Applying protection to a WAF origin is done by choosing specific rules from the OWASP Core Rule Set (CRS), where the action for each rule can be set to Detect, Block, or Off.
Custom access rules can also be defined based on a set of specified condition(s). The associated action, error code, and handling for each rule are defined as well.
Here access from Ireland is blocked (sorry, demo purposes).
Try It
curl -I -X GET https://mushop.ateam.cloud
content-type: text/html
vary: Accept-Encoding
x-cache-status: NOTCACHED
date: Sun, 23 Jun 2019 12:35:57 GMT
etag: W/"5d0b92c0-5fe5"
server: ZENEDGE
strict-transport-security: max-age=15724800; includeSubDomains
x-zen-fury: b9c90d1625d96f0414ad23c9562ea95ef6e80ed7
last-modified: Thu, 20 Jun 2019 14:05:52 GMT
x-cdn: Served-By-Zenedge
We see server: ZENEDGE, so WAF is working.
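As an added verification example (not part of the MuShop deployment docs): a small Python script that parses the kubectl and oci/jq output shown earlier to confirm the ingress controller's EXTERNAL-IP is the OCI load balancer address, and that checks a curl -I header dump for the server: ZENEDGE and x-cdn markers showing the WAF edge is in front of the application. The sample outputs embedded below are constructed from the values on this page, with a placeholder OCID.

```python
"""Post-deploy checks for the OKE ingress + WAF path (added example)."""
import json
from typing import Optional

# Constructed samples, copied from the page's output (OCID is a placeholder).
KUBECTL_SVC = """NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
nginx-ingress-controller LoadBalancer 10.96.89.25 129.146.192.154 80:32491/TCP,443:31240/TCP 5m
"""
OCI_LB_JSON = """{
  "id": "ocid1.loadbalancer.oc1.phx.<placeholder>",
  "name": "097f5359-9165-11e9-bfe8-0a580aed21e9",
  "ipAddr": "129.146.192.154"
}"""
CURL_HEADERS = """HTTP/2 200
content-type: text/html
server: ZENEDGE
x-cdn: Served-By-Zenedge
"""

def external_ip_from_kubectl(table: str) -> Optional[str]:
    """EXTERNAL-IP of the first LoadBalancer service in a `kubectl get svc` table."""
    lines = table.strip().splitlines()
    idx = lines[0].split().index("EXTERNAL-IP")
    for row in lines[1:]:
        cols = row.split()
        if len(cols) > idx and cols[1] == "LoadBalancer":
            return None if cols[idx] == "<pending>" else cols[idx]
    return None

def lb_ips_from_oci(jq_output: str) -> set:
    """ipAddr values from jq output, which may hold several concatenated objects."""
    decoder, text, pos, ips = json.JSONDecoder(), jq_output.strip(), 0, set()
    while pos < len(text):
        obj, pos = decoder.raw_decode(text, pos)
        ips.add(obj["ipAddr"])
        while pos < len(text) and text[pos].isspace():  # skip gap between objects
            pos += 1
    return ips

def ingress_matches_lb(table: str, jq_output: str) -> bool:
    """True when the controller's EXTERNAL-IP is one of the OCI load balancer IPs."""
    ip = external_ip_from_kubectl(table)
    return ip is not None and ip in lb_ips_from_oci(jq_output)

def waf_in_path(curl_headers: str) -> bool:
    """True when response headers carry the WAF edge markers seen on this page."""
    headers = {}
    for line in curl_headers.splitlines():
        if ":" in line:  # status line has no colon and is skipped
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers.get("server", "").upper() == "ZENEDGE" and \
        "zenedge" in headers.get("x-cdn", "").lower()

if __name__ == "__main__":
    print("LB match:", ingress_matches_lb(KUBECTL_SVC, OCI_LB_JSON))
    print("WAF in path:", waf_in_path(CURL_HEADERS))
```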
For sake of demonstration, let's use the application search bar to attempt some attacks from the MuShop user interface. Try the following by entering text into the search field
It may also be useful to open the Chrome Developer Tools Network tab.
;DROP TABLE users
<script>alert('bad');</script>
The Health Checks service provides users with high-frequency external monitoring to determine the availability and performance of any publicly facing service, including hosted websites, API endpoints, or externally facing load balancers.
Traffic Steering Policies let you configure policies that serve intelligent responses to DNS queries, meaning different answers (endpoints) may be served for a query depending on the logic the customer defines in the policy.
Traffic Steering is directly connected to the DNS and Health Check services.