Created on 2026-03-18 by Vladimir Andjelkoski @vandjelk.
Decision log
| Name | Description |
|---|---|
| Title | AWS WAF |
| Due date | 2026-03-31 |
| Status | Proposed |
| Decision type | Binary |
| Affected decisions | None |
Context
Enabling WAF protection in Kyma running on AWS.

Goal:
- Introduce AWS WAF in front of workloads
- Keep Istio as the primary ingress layer
- Preserve the existing Kyma networking model

Constraints:
- AWS WAF can only be attached to an ALB
- Istio ingressgateway by default exposes a LoadBalancer Service, which bypasses the ALB
- To integrate the ALB with Istio, traffic must be routed via NodePort

Target traffic flow:
Client → ALB (+WAF) → NodePort (istio-ingressgateway) → Istio → Services
Setup
- Enable ALB in the Kyma shoot
  - Set:
    ```yaml
    spec:
      provider:
        controlPlaneConfig:
          loadBalancerController:
            enabled: true
            ingressClassName: alb
    ```
- Switch Istio ingressgateway to NodePort
  - Change the Service type:
    ```yaml
    istio-ingressgateway:
      type: NodePort
    ```
  - Required so the ALB can forward traffic to cluster nodes ([Amazon Web Services, Inc.][2])
- Deploy the ALB via a Kubernetes Ingress
  - Use the AWS Load Balancer Controller
  - Annotate the Ingress with:
    - WAF ACL
    - TLS / listeners
    - health checks (e.g. `/healthz/ready`)
- Update the DNSEntry
  - Point the domain to the ALB DNS name / IP
  - Replace the previous direct exposure of Istio
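The Ingress that ties the steps above together, as an added example (not a manifest from the issue or the Kyma project). It assumes the gateway Service is in `istio-system`, is already `NodePort`, exposes port 80 and names its 15021 readiness port `status-port` (Istio's defaults); the WAF ACL and ACM certificate ARNs are placeholders.

```yaml
# Added example: Ingress that makes the AWS Load Balancer Controller
# provision an ALB (with WAF attached) in front of istio-ingressgateway.
# Assumed: namespace istio-system, NodePort Service with port 80 and a
# named port "status-port" (15021); ARNs below are placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: istio-ingressgateway-alb
  namespace: istio-system
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    # NodePort backends require instance targets: the ALB forwards to node IPs.
    alb.ingress.kubernetes.io/target-type: instance
    # Attach the WAFv2 web ACL (REGIONAL scope) to the ALB.
    alb.ingress.kubernetes.io/wafv2-acl-arn: arn:aws:wafv2:REGION:ACCOUNT_ID:regional/webacl/NAME/ID
    # TLS terminates on the ALB; plain HTTP on 80 is redirected to 443.
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    # Health-check Istio's readiness endpoint rather than the traffic port.
    # For instance targets a named port resolves to that port's NodePort.
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/healthcheck-port: status-port
    alb.ingress.kubernetes.io/healthcheck-path: /healthz/ready
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: istio-ingressgateway
                port:
                  number: 80
```

Because TLS ends at the ALB, the gateway receives plain HTTP on port 80, so the Istio Gateway resources must serve HTTP there (or TLS must be re-established ALB-to-gateway); the node security group must also admit the ALB to the NodePort range.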
Decision
Pending