Envoy Proxy as Web Application Firewall (WAF)

The Gloo Edge API Gateway now includes a custom filter for Envoy Proxy that enables a Web Application Firewall.

This blog series “5 Minutes with Gloo” will dig into a single feature, what it is used for and how to use it. In this post, we’ll continue our dive into security by looking at how the Gloo Edge API Gateway can be used as a Web Application Firewall (WAF) for microservices.

What is a Web Application Firewall (WAF)?

A web application firewall (WAF) protects web applications by monitoring, filtering and blocking potentially harmful traffic and attacks that can overtake or exploit them. WAFs do this by intercepting and inspecting the network packets and uses a set of rules to determine access to the web application. In enterprise security infrastructure, WAFs can be deployed to an application or group of applications to provide a layer of protection between the applications and the end users.

In microservices architecture, API Gateways act as a control point for the outside world to access the various application services running inside your environment. As the gateway authenticates and then routes the incoming end user request to the destination service, it can also serve as the point that also inspects the incoming traffic before it is routed. WAFs rule sets to inspect, process and filter the traffic packets.

Gloo Edge, the only Envoy Based Web Application Firewall

Gloo Edge is a next generation API Gateway and Kubernetes Ingress Controller built with Envoy Proxy, a leading cloud native edge and service proxy.

New in Gloo Edge Enterprise is the ability to enable WAF functionality to your API Gateway environment. We implemented this feature by writing a custom filter in Envoy Proxy that implements ModSecurity, a popular web application firewall framework and ruleset, to interpret and process the HTTP traffic (requests and responses).

Gloo Edge allows you to configure WAF rulesets in the following objects:

  • HTTPGateway: The gateway describes a single listener (address:port) and an associated set of virtual services.
  • Virtual Service: A set of route rules that live under a domain or set of domains.
  • Routes: A primary building block of the virtual service. A route contains a single matcher and one of: a single destination, or a list of weighted destinations.

Gloo Edge’s WAF includes, by default, the OWASP Core Rule Set (CRS), a set of generic attack detection rules including the OWASP Top Ten with minimal false alerts. These default rules are easily turned on or off and custom rule sets can be created and applied to suit your use case.

With the introduction of WAF, Gloo Edge continues to add to a set of security functionality including Rate Limiting, Authentication and mTLS, enabling IT admins to control who is allowed to access which applications, how they are accessed, at what rate and frequency and always under a secure connection.


Get Started with Web Application Firewalls in Gloo Edge Enterprise: