Secure Your Kubernetes Clusters with New Machine Learning in NGINX App Protect WAF

Thelen Blum Thumbnail
Thelen Blum
Published June 02, 2022
Yaniv Sazman Thumbnail
Yaniv Sazman
Published June 02, 2022

Modern application teams are increasingly aware of the importance and benefits of “shifting security left” – that is, incorporating security controls early in the application development and deployment cycle. In a shift‑left world, each team chooses the security solutions and parameters best suited to its application. This is, of course, reasonable; we at NGINX advocate having a Platform Ops team that gives developers “choice with guardrails” by actively curating an appropriate set of security solutions. Developers are then tasked with configuring security for their apps, which generally includes deployment of a web application firewall (WAF), even for internal‑facing applications and microservices.

But shifting left becomes much more complicated in Kubernetes – the de facto standard container orchestration engine for modern app teams – with communications and coordination in particular presenting big challenges. Asking developers to manage communication across multiple clusters is not realistic. In addition, there are architectural and performance considerations around the placement of a WAF in Kubernetes. With NGINX App Protect WAF, you can either integrate the WAF with the NGINX Ingress Controller or place a separate WAF in front of specific microservices or applications.

Topology diagram showing NGINX App Protect WAF deployed in with a load balancer in front of the Kubernetes cluster, with NGINX Ingress Controller, and with individual pods or microservices

Both approaches are great, but each best suits different use cases. For developers and app teams focused on managing just their own applications, deploying NGINX App Protect WAF on an NGINX Plus load balancer in front of the apps is a perfect solution that gives them control and agility. For DevSecOps teams that want to manage security at the pod or service level for Kubernetes clusters and the applications running in them, running NGINX App Protect WAF on the NGINX Ingress Controller based on NGINX Plus is optimal, affording them all the benefits of Ingress control and native integration with the Kubernetes API.

As we mentioned, however, setting up communication between load balancers, Ingress controllers and WAFs across clusters and even within clusters is challenging. It requires detailed understanding of Layer 7 and Layer 4 networking and constant tuning. That said, robust and near real‑time communication is essential for maintaining a strong security posture. With proper communication, WAFs, load balancers, and Ingress controllers can quickly inform all applications and instances of new attacks and share data about the type of attack, targeted protocols and software, relevant IP address blocks, and more. The communication is even more powerful when machine learning (ML) is added for rapid pattern recognition.

The New Adaptive Violation Rating Feature in NGINX App Protect WAF

NGINX App Protect WAF contains a rich ML system that makes it easy for Platform Ops, DevSecOps, and SecOps teams to share attack trends and data across all WAFs managed under NGINX Plus or the NGINX Ingress Controller based on NGINX Plus in a single organization. We are working on a new capability in NGINX App Protect WAF, the Adaptive Violation Rating feature, which further leverages ML to improve security tuning by detecting when the behavior of a microservice changes. With this ML capability, NGINX App Protect WAF can continuously and automatically analyze attack trends even across thousands or tens of thousands of WAFs located around the globe. Findings from this analysis can be used to continuously tune security posture in near real time without requiring developers and other shift‑left teams to become security experts and fiddle with their WAFs. Even better, the more data shared among NGINX App Protect WAF instances, the more intelligent the WAFs become.

Diagram showing how NGINX App Protect WAF Adaptive Violation Rating feature works

ML capabilities become more and more important and valuable as enterprises expand use of microservices and the distinction between internal and external applications shrinks. With potentially thousands of microservices, each having its own lightweight WAF, networked and ML‑enabled NGINX App Protect WAF becomes the equivalent of a living security brain watching over your apps. Modern apps must be smarter to accommodate shift‑left teams and allow them to stay focused on shipping code and features without becoming security experts. DevSecOps teams, too, benefit from the peace of mind knowing that even without manual tuning all your WAFs across all clusters are on the same page.

Communication is the key. That’s a core feature we are building across all our products to continue delivering the best possible technology in this rapidly evolving era of massively distributed computing and modern apps.

For details and a demo of the new ML capabilities we are adding to NGINX App Protect WAF, come see us at booth #5771 in the North Hall of the Moscone Center at RSA Conference 2022 next week in San Francisco or contact us.

"This blog post may reference products that are no longer available and/or no longer supported. For the most current information about available F5 NGINX products and solutions, explore our NGINX product family. NGINX is now part of F5. All previous links will redirect to similar NGINX content on"