NGINX App Protect Web Application Firewall Support

[mpstefan]

As a SecOps user responsible for Kubernetes environments running NGF
I want application firewall features applied at the ingress point for my clusters
So that I can secure my clusters from malicious attacks.

Background

As users scale their environments with NGF, those environments become a bigger target for attackers. In order to protect our users, we need to be able to offer an option for firewall and application protection. For Enterprise customers in particular, a WAF feature has become more table stakes, as less and less organizations feel comfortable with deploying their software on clusters without some kind of firewall protection.

This integration will require a NGINX One subscription with NGINX App Protect and gives NGF a strong story around security for Enterprise applications. The integration itself should work with Plus and OSS. NGF will be using the new App Protect v5 experience aiming to make the UX of deploying and configuring NAP superior to any previous version.

Acceptance

• NGINX One customers can deploy NAP WAF to their NGF environment and configure it with an extension to the Gateway API.
• When deployed and configured with a policy, WAF-enabled traffic will be subject to the security policies the user specified.
• NGF documentation is created that references NAP documentation and NGF specific integration details.

Outstanding Questions

• What exact steps will be required by the user to enable a NAP policy with NGF?
  • To be defined in design
• Does NAP require NGINX Plus?
  • No
• Do we integrate NAP with any of our Helm charts to make the UX easier? Might we provide these separately?
  • To be defined in design