Blog

Case studies, strategies, and ideas shaping modern technology.

Securing Kubernetes Ingress with AWS WAFv2

Securing Kubernetes Ingress with AWS WAFv2

How do you protect your Kubernetes workloads when malicious traffic, bots, and automated attacks can reach your platform before application-level controls have a chance to respond?

As our clients’ platform continued to scale, the Kubernetes ingress layer became an increasingly critical component of the overall security posture. While workloads were already fronted by an AWS Application Load Balancer (ALB), protection against automated abuse, malicious traffic, and high-volume request spikes remained limited.

To address this, a dedicated AWS WAFv2 security layer was introduced to inspect and control inbound traffic before requests reached application services. The implementation combined AWS Managed Rules, rate limiting, and ingress integration to create a proactive defence mechanism that could be validated through controlled testing rather than relying solely on reactive incident response.


 

Vision

The goal was to establish a consistent and measurable security framework at the edge of the platform that would:

  • Reduce exposure of Kubernetes workloads to malicious traffic
  • Block abusive and automated requests before they reach application services
  • Improve resilience against traffic spikes and bot activity
  • Provide clear visibility into security events and traffic patterns
  • Enable repeatable validation of security controls through testing and monitoring

By moving protection closer to the point of entry, the client aimed to strengthen platform security while maintaining a seamless experience for legitimate users.

 

Scope

The project focused on securing ingress traffic across production Kubernetes environments through the implementation of AWS WAFv2 and associated infrastructure improvements.

Key areas of work included:

  • Deployment of AWS WAFv2 Web ACLs using Terraform
  • Integration of WAF protection with Kubernetes ingress resources and ALBs
  • Configuration of AWS Managed Rule Groups
  • Implementation of edge-based rate-limiting controls
  • Enablement of IP reputation and anonymous IP filtering
  • ALB timeout tuning and backend connection alignment
  • Validation through controlled load testing and security rule simulation
  • CloudWatch metrics and logging integration for observability

 

solution

 

Solution

 

AWS WAFv2 Implementation

A Regional AWS WAFv2 Web ACL was deployed and attached directly to the Application Load Balancer serving Kubernetes ingress traffic.

The solution leveraged AWS Managed Rule Groups to provide continuously updated protection against common web application threats, including:

  • SQL injection attempts
  • Cross-site scripting (XSS)
  • Protocol anomalies and malformed requests
  • Known malicious inputs
  • Traffic from IPs with poor reputations
  • Anonymous proxy and VPN sources

To strengthen protection against automated abuse, rate-limiting controls were introduced with a threshold of 300 requests per five-minute period per IP address. Requests exceeding this limit were automatically blocked before reaching backend services.

All WAF rules were configured with CloudWatch metrics and sampled request logging to provide operational visibility and support future tuning.

 

lightbulbstat

 

Kubernetes and ALB Integration

The Web ACL was associated with Kubernetes ingress resources through ALB annotations, ensuring consistent enforcement across all targeted endpoints.

Additional ingress improvements included:

  • Standardised WAF attachment across environments
  • ALB idle timeout increased to 90 seconds to support long-running requests
  • Backend keep-alive settings aligned with ALB behaviour to prevent connection mismatches and reduce the risk of HTTP 502 errors during periods of load.

These changes ensured that security enhancements did not compromise application stability or user experience.

 

Validation and Testing

A structured testing strategy was implemented to verify that protections behaved as expected under realistic conditions.

Testing activities included:

Rate Limit Validation

  • Simulated high-volume traffic using load testing tools to replicate realistic and peak load conditions
  • Confirmed that requests exceeding configured thresholds were correctly identified and blocked at the edge
  • Validation followed a structured software development lifecycle approach to ensure controlled and repeatable testing
  • Used both count mode and block mode to assess rule behaviour before and after enforcement
  • Verified progressive behaviour during rollout to ensure safe transition from monitoring to active blocking
  • Ensured rate limiting operated consistently under expected and stress conditions without impacting legitimate traffic

This testing approach provided evidence-based validation that security controls were functioning correctly before wider adoption.

softwaredev

Impact & Outcomes

The implementation delivered a significantly stronger ingress security posture while improving operational visibility and confidence in platform resilience.

Key outcomes included:

  • Successful edge-level blocking of abusive traffic before reaching Kubernetes workloads
  • Protection against a broad range of common web application attack patterns through AWS Managed Rules
  • Filtering of malicious and anonymised traffic using reputation-based controls
  • Reduced pressure on backend services by intercepting unwanted traffic at the ALB layer
  • Consistent security enforcement across all pre-production ingress endpoints
  • Enhanced observability through WAF metrics, logging, and CloudWatch integration
  • Simplicity of management through centralised policy enforcement, Infrastructure as Code, and reusable Terraform modules, reducing operational overhead and making security changes consistent and repeatable across environments

 

Looking Forward

The client now operates with a structured AWS WAFv2 security model integrated into Kubernetes ingress and AWS load balancing infrastructure. Future enhancements will focus on refining protection thresholds using production traffic insights, expanding coverage across additional environments, and further automating security validation processes.

Additional validation activities will include geographic traffic filtering tests to verify geo-based access controls and long-running request scenarios to further assess platform resilience and ingress behaviour under extended processing durations.

The result is a more secure, observable, and resilient ingress layer that aligns with AWS best practices while supporting the continued growth of the platform, alongside simplified management through centralised policy enforcement and Infrastructure as Code.

 


How Mesoform Can Help

We help organisations build secure, scalable cloud platforms by combining cloud-native architecture, infrastructure automation, and security best practices. 

Whether you're looking to strengthen Kubernetes security, implement AWS WAF protections, improve platform resilience, or modernise your cloud infrastructure, our team can help design and deliver solutions tailored to your business needs.

If you're looking to improve the security and reliability of your cloud environment, get in touch to discuss how Mesoform can help.