This guide walks through deploying NGINX Plus Ingress Controller 5.4.1 on Azure Kubernetes Service (AKS), exposing a workload over HTTPS using a Let’s Encrypt certificate via cert-manager, and protecting it with F5 NGINX App Protect WAF. Every step is in sequence so you can reproduce the full stack from scratch.<\/p>\n
The final stack consists of:<\/p>\n
kubectl<\/code> configured)<\/li>\n- NGINX Plus license JWT token<\/li>\n
- Access to
private-registry.nginx.com<\/code> (F5\/NGINX entitlement)<\/li>\n- A DNS A record pointing your domain to the LoadBalancer public IP<\/li>\n
- Helm 3 installed locally<\/li>\n<\/ul>\n
\nStep 1 \u2014 Create the Namespace<\/h2>\nkubectl create namespace nic-perf<\/code><\/pre>\n
\nStep 2 \u2014 Create the Image Pull Secret<\/h2>\n
NGINX Plus images are hosted on a private registry. Create a Kubernetes secret with your registry credentials:<\/p>\n
kubectl create secret docker-registry regcred \\\n --docker-server=private-registry.nginx.com \\\n --docker-username=<YOUR_NGINX_REGISTRY_USER> \\\n --docker-password=<YOUR_NGINX_REGISTRY_PASSWORD> \\\n -n nic-perf<\/code><\/pre>\n
\nStep 3 \u2014 Create the NGINX Plus License Secret<\/h2>\n
Store your NGINX Plus JWT license as a Kubernetes secret:<\/p>\n
kubectl create secret generic nplus-license \\\n --from-literal=license.jwt=\"<YOUR_JWT_TOKEN>\" \\\n -n nic-perf<\/code><\/pre>\n
\nStep 4 \u2014 Install NGINX Plus Ingress Controller via Helm<\/h2>\n
Add the NGINX Helm repository and install NIC 5.4.1 with the NAP-enabled image:<\/p>\n
helm repo add nginx-stable https:\/\/helm.nginx.com\/stable\nhelm repo update\n\nhelm install nginx-plus-nic nginx-stable\/nginx-ingress \\\n --namespace nic-perf \\\n --version 2.5.1 \\\n --set controller.image.repository=private-registry.nginx.com\/nginx-ic-nap\/nginx-plus-ingress \\\n --set controller.image.tag=5.4.1 \\\n --set controller.nginxplus=true \\\n --set controller.appprotect.enable=true \\\n --set controller.ingressClass.name=nginx-perf \\\n --set controller.ingressClass.create=true \\\n --set controller.ingressClass.setAsDefaultIngress=false \\\n --set controller.service.type=LoadBalancer \\\n --set controller.serviceAccount.imagePullSecretName=regcred \\\n --set controller.mgmt.licenseTokenSecretName=nplus-license<\/code><\/pre>\nWait for the controller to be ready:<\/p>\n
kubectl rollout status deployment\/nginx-plus-nic-nginx-ingress-controller -n nic-perf<\/code><\/pre>\nGet the public IP assigned by Azure:<\/p>\n
kubectl get svc -n nic-perf nginx-plus-nic-nginx-ingress-controller<\/code><\/pre>\nMap this IP to your domain in your DNS provider before proceeding.<\/p>\n
\nStep 5 \u2014 Deploy WordPress and MariaDB<\/h2>\n
Create persistent storage and deploy the backend workload.<\/p>\n
MariaDB PVC and Deployment<\/h3>\napiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n name: mariadb-pvc\n namespace: nic-perf\nspec:\n accessModes: [ReadWriteOnce]\n storageClassName: managed-csi\n resources:\n requests:\n storage: 5Gi\n---\napiVersion: apps\/v1\nkind: Deployment\nmetadata:\n name: mariadb\n namespace: nic-perf\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: mariadb\n template:\n metadata:\n labels:\n app: mariadb\n spec:\n containers:\n - name: mariadb\n image: mariadb:11.4\n env:\n - name: MYSQL_ROOT_PASSWORD\n value: \"<YOUR_ROOT_PASSWORD>\"\n - name: MYSQL_DATABASE\n value: wordpress\n - name: MYSQL_USER\n value: wordpress\n - name: MYSQL_PASSWORD\n value: \"<YOUR_DB_PASSWORD>\"\n ports:\n - containerPort: 3306\n volumeMounts:\n - name: data\n mountPath: \/var\/lib\/mysql\n volumes:\n - name: data\n persistentVolumeClaim:\n claimName: mariadb-pvc\n---\napiVersion: v1\nkind: Service\nmetadata:\n name: mariadb\n namespace: nic-perf\nspec:\n selector:\n app: mariadb\n ports:\n - port: 3306<\/code><\/pre>\nWordPress PVC and Deployment<\/h3>\napiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n name: wordpress-pvc\n namespace: nic-perf\nspec:\n accessModes: [ReadWriteOnce]\n storageClassName: managed-csi\n resources:\n requests:\n storage: 5Gi\n---\napiVersion: apps\/v1\nkind: Deployment\nmetadata:\n name: wordpress\n namespace: nic-perf\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: wordpress\n template:\n metadata:\n labels:\n app: wordpress\n spec:\n containers:\n - name: wordpress\n image: wordpress:6.7-apache\n env:\n - name: WORDPRESS_DB_HOST\n value: mariadb\n - name: WORDPRESS_DB_USER\n value: wordpress\n - name: WORDPRESS_DB_PASSWORD\n value: \"<YOUR_DB_PASSWORD>\"\n - name: WORDPRESS_DB_NAME\n value: wordpress\n ports:\n - containerPort: 80\n volumeMounts:\n - name: data\n mountPath: \/var\/www\/html\n volumes:\n - name: data\n persistentVolumeClaim:\n claimName: wordpress-pvc\n---\napiVersion: v1\nkind: Service\nmetadata:\n name: wordpress\n namespace: nic-perf\nspec:\n selector:\n app: wordpress\n ports:\n - port: 80<\/code><\/pre>\nApply both files:<\/p>\n
kubectl apply -f mariadb.yaml -n nic-perf\nkubectl apply -f wordpress.yaml -n nic-perf<\/code><\/pre>\n
\nStep 6 \u2014 Create the Ingress (HTTP only first)<\/h2>\n
Start with HTTP only. TLS will be added after the certificate is issued.<\/p>\n
apiVersion: networking.k8s.io\/v1\nkind: Ingress\nmetadata:\n name: wordpress-ingress\n namespace: nic-perf\n annotations:\n nginx.org\/proxy-connect-timeout: \"60s\"\n nginx.org\/proxy-read-timeout: \"60s\"\n nginx.org\/client-max-body-size: \"64m\"\n nginx.org\/proxy-buffering: \"false\"\nspec:\n ingressClassName: nginx-perf\n rules:\n - host: your-domain.example.com\n http:\n paths:\n - path: \/\n pathType: Prefix\n backend:\n service:\n name: wordpress\n port:\n number: 80<\/code><\/pre>\nVerify the site is reachable over HTTP before proceeding.<\/p>\n
\nStep 7 \u2014 Install cert-manager<\/h2>\nkubectl apply -f https:\/\/github.com\/cert-manager\/cert-manager\/releases\/download\/v1.16.3\/cert-manager.yaml\n\nkubectl rollout status deployment\/cert-manager -n cert-manager\nkubectl rollout status deployment\/cert-manager-webhook -n cert-manager\nkubectl rollout status deployment\/cert-manager-cainjector -n cert-manager<\/code><\/pre>\n
\nStep 8 \u2014 Create Let’s Encrypt ClusterIssuer<\/h2>\n
The key setting here is ingress.name: wordpress-ingress<\/code>. NGINX Plus NIC enforces exclusive host ownership per ingress \u2014 if cert-manager creates a separate ingress for the ACME challenge it will be rejected with “All hosts are taken by other resources”<\/em>. Referencing the existing ingress by name tells cert-manager to inject the challenge path into it instead.<\/p>\napiVersion: cert-manager.io\/v1\nkind: ClusterIssuer\nmetadata:\n name: letsencrypt-prod\nspec:\n acme:\n server: https:\/\/acme-v02.api.letsencrypt.org\/directory\n email: your-email@example.com\n privateKeySecretRef:\n name: letsencrypt-prod-key\n solvers:\n - http01:\n ingress:\n ingressClassName: nginx-perf\n name: wordpress-ingress<\/code><\/pre>\n
\nStep 9 \u2014 Add TLS to the Ingress<\/h2>\n
Update the ingress to request a certificate and enable HTTPS. Do not add an HTTP-to-HTTPS redirect at this stage \u2014 Let’s Encrypt must be able to reach the HTTP-01 challenge path over plain HTTP during initial issuance.<\/p>\n
apiVersion: networking.k8s.io\/v1\nkind: Ingress\nmetadata:\n name: wordpress-ingress\n namespace: nic-perf\n annotations:\n cert-manager.io\/cluster-issuer: \"letsencrypt-prod\"\n nginx.org\/proxy-connect-timeout: \"60s\"\n nginx.org\/proxy-read-timeout: \"60s\"\n nginx.org\/client-max-body-size: \"64m\"\n nginx.org\/proxy-buffering: \"false\"\nspec:\n ingressClassName: nginx-perf\n tls:\n - hosts:\n - your-domain.example.com\n secretName: your-domain-tls\n rules:\n - host: your-domain.example.com\n http:\n paths:\n - path: \/\n pathType: Prefix\n backend:\n service:\n name: wordpress\n port:\n number: 80<\/code><\/pre>\nWatch the certificate until it is ready:<\/p>\n
kubectl get certificate -n nic-perf -w<\/code><\/pre>\nYou should see READY: True<\/code> within 60-90 seconds. Once the certificate is issued you can optionally re-enable the HTTP redirect by patching the NIC ConfigMap:<\/p>\nkubectl patch configmap nginx-plus-nic-nginx-ingress -n nic-perf \\\n --type=merge -p '{\"data\":{\"ssl-redirect\":\"true\"}}'<\/code><\/pre>\n
\nStep 10 \u2014 Create the WAF Log Profile<\/h2>\napiVersion: appprotect.f5.com\/v1beta1\nkind: APLogConf\nmetadata:\n name: waf-logconf\n namespace: nic-perf\nspec:\n content:\n format: default\n max_message_size: 64k\n max_request_size: any\n filter:\n request_type: illegal<\/code><\/pre>\n
\nStep 11 \u2014 Create the WAF Policy<\/h2>\n
This policy uses the NGINX base template with blocking mode enabled, all attack signatures active, and bot defense turned on.<\/p>\n
apiVersion: appprotect.f5.com\/v1beta1\nkind: APPolicy\nmetadata:\n name: waf-policy\n namespace: nic-perf\nspec:\n policy:\n name: waf-policy\n description: \"OWASP Top 10 protection - blocking mode\"\n template:\n name: POLICY_TEMPLATE_NGINX_BASE\n applicationLanguage: utf-8\n enforcementMode: blocking\n blocking-settings:\n violations:\n - name: VIOL_BOT_CLIENT\n alarm: true\n block: true\n - name: VIOL_EVASION\n alarm: true\n block: true\n - name: VIOL_HTTP_PROTOCOL\n alarm: true\n block: true\n - name: VIOL_RATING_THREAT\n alarm: true\n block: true\n - name: VIOL_THREAT_CAMPAIGN\n alarm: true\n block: true\n - name: VIOL_PARAMETER\n alarm: true\n block: false\n - name: VIOL_URL\n alarm: true\n block: false\n evasions:\n - description: \"Bad unescape\"\n enabled: true\n - description: \"Directory traversals\"\n enabled: true\n - description: \"Bare byte decoding\"\n enabled: true\n - description: \"Multiple decoding\"\n enabled: true\n maxDecodingPasses: 2\n signature-sets:\n - name: All Signatures\n block: true\n signatureSet:\n filter:\n minRevision: \"2020-01-01\"\n bot-defense:\n settings:\n isEnabled: true\n mitigations:\n classes:\n - name: malicious-bot\n action: block\n - name: untrusted-bot\n action: alarm\n - name: trusted-bot\n action: detect\n response-pages:\n - responsePageType: default\n responseContent: |\n <html><head><title>Request Rejected<\/title><\/head>\n <body><h1>Request Rejected<\/h1>\n <p>Your request has been blocked by the Web Application Firewall.<\/p>\n <p>Support ID: <%TS.request.ID()%><\/p><\/body><\/html>\n responseHeader: \"HTTP\/1.1 403 Forbidden\\r\\nContent-Type: text\/html; charset=utf-8\"<\/code><\/pre>\n
\nStep 12 \u2014 Enable WAF on the Ingress<\/h2>\n
Add the App Protect annotations to the ingress. The log destination is set to stderr<\/code> so events appear in kubectl logs<\/code> without needing a separate syslog server.<\/p>\napiVersion: networking.k8s.io\/v1\nkind: Ingress\nmetadata:\n name: wordpress-ingress\n namespace: nic-perf\n annotations:\n cert-manager.io\/cluster-issuer: \"letsencrypt-prod\"\n nginx.org\/proxy-connect-timeout: \"60s\"\n nginx.org\/proxy-read-timeout: \"60s\"\n nginx.org\/client-max-body-size: \"64m\"\n nginx.org\/proxy-buffering: \"false\"\n appprotect.f5.com\/app-protect-enable: \"True\"\n appprotect.f5.com\/app-protect-policy: \"nic-perf\/waf-policy\"\n appprotect.f5.com\/app-protect-security-log-enable: \"True\"\n appprotect.f5.com\/app-protect-security-log: \"nic-perf\/waf-logconf\"\n appprotect.f5.com\/app-protect-security-log-destination: \"stderr\"\nspec:\n ingressClassName: nginx-perf\n tls:\n - hosts:\n - your-domain.example.com\n secretName: your-domain-tls\n rules:\n - host: your-domain.example.com\n http:\n paths:\n - path: \/\n pathType: Prefix\n backend:\n service:\n name: wordpress\n port:\n number: 80<\/code><\/pre>\n
\nStep 13 \u2014 Verify Everything Works<\/h2>\nTest HTTPS<\/h3>\ncurl -I https:\/\/your-domain.example.com<\/code><\/pre>\nExpected: HTTP\/2 200<\/code><\/p>\nTest WAF blocking<\/h3>\n# SQL injection - should return 403\ncurl -sk \"https:\/\/your-domain.example.com\/?id=1'+OR+'1'='1\" -o \/dev\/null -w \"%{http_code}\"\n\n# XSS - should return 403\ncurl -sk \"https:\/\/your-domain.example.com\/?q=<script>alert(1)<\/script>\" -o \/dev\/null -w \"%{http_code}\"\n\n# Directory traversal - should return 403\ncurl -sk \"https:\/\/your-domain.example.com\/..\/..\/etc\/passwd\" -o \/dev\/null -w \"%{http_code}\"\n\n# Normal request - should return 200\ncurl -sk \"https:\/\/your-domain.example.com\/\" -o \/dev\/null -w \"%{http_code}\"<\/code><\/pre>\nView WAF logs<\/h3>\nNIC_POD=$(kubectl get pods -n nic-perf -l app=nginx-plus-nic-nginx-ingress \\\n -o jsonpath='{.items[0].metadata.name}')\n\n# Stream all security events\nkubectl logs -n nic-perf $NIC_POD -f | grep 'request_status'\n\n# Stream only blocked requests\nkubectl logs -n nic-perf $NIC_POD -f | grep 'request_status=\"blocked\"'\n\n# Pretty-print key fields\nkubectl logs -n nic-perf $NIC_POD \\\n | grep 'request_status=\"blocked\"' \\\n | grep -oP '(date_time|ip_client|attack_type|violations|support_id|severity)=\"[^\"]*\"'<\/code><\/pre>\n
\nKey Gotchas<\/h2>\n\n- NGINX Plus NIC host ownership<\/strong> \u2014 NIC rejects any ingress that tries to claim a hostname already owned by another ingress. This breaks the default cert-manager HTTP-01 solver which creates a new ingress. Fix: set
ingress.name<\/code> in the ClusterIssuer solver to reuse the existing ingress.<\/li>\n- SSL redirect blocks ACME challenge<\/strong> \u2014 If HTTP-to-HTTPS redirect is enabled when the certificate is first requested, the Let’s Encrypt HTTP-01 challenge will be redirected to HTTPS and fail. Disable the redirect until the certificate is issued.<\/li>\n
- WAF violation names<\/strong> \u2014 The APPolicy CRD validates violation names strictly.
VIOL_ATTACK_SIGNATURE<\/code> is not a valid blocking-settings violation name in current versions. Use VIOL_RATING_THREAT<\/code> and VIOL_THREAT_CAMPAIGN<\/code> for signature-based blocking control.<\/li>\n- Bot defense actions<\/strong> \u2014 The
allow<\/code> action is not valid for bot-defense mitigations. Use detect<\/code> for trusted bots instead.<\/li>\n- cert-manager auto-renewal<\/strong> \u2014 cert-manager renews the certificate automatically 30 days before expiry. No manual intervention needed.<\/li>\n<\/ol>\n
\nComponent Versions Used<\/h2>\n\n- NGINX Plus Ingress Controller: 5.4.1<\/strong> (Helm chart nginx-ingress-2.5.1)<\/li>\n
- NGINX Plus: R36-P3<\/strong><\/li>\n
- NGINX App Protect: 5.12.0<\/strong><\/li>\n
- cert-manager: v1.16.3<\/strong><\/li>\n
- AKS: Azure Kubernetes Service (any recent version)<\/li>\n
- WordPress: 6.7-apache<\/strong><\/li>\n
- MariaDB: 11.4<\/strong><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
This guide walks through deploying NGINX Plus Ingress Controller 5.4.1 on Azure Kubernetes Service (AKS), exposing a workload over HTTPS using a Let’s Encrypt certificate via cert-manager, and protecting it with F5 NGINX App Protect WAF. Every step is in sequence so you can reproduce the full stack from scratch. Architecture Overview The final stack […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-10","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/ganesh.ltm.publicvm.com\/index.php\/wp-json\/wp\/v2\/posts\/10","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ganesh.ltm.publicvm.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ganesh.ltm.publicvm.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ganesh.ltm.publicvm.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ganesh.ltm.publicvm.com\/index.php\/wp-json\/wp\/v2\/comments?post=10"}],"version-history":[{"count":0,"href":"https:\/\/ganesh.ltm.publicvm.com\/index.php\/wp-json\/wp\/v2\/posts\/10\/revisions"}],"wp:attachment":[{"href":"https:\/\/ganesh.ltm.publicvm.com\/index.php\/wp-json\/wp\/v2\/media?parent=10"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ganesh.ltm.publicvm.com\/index.php\/wp-json\/wp\/v2\/categories?post=10"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ganesh.ltm.publicvm.com\/index.php\/wp-json\/wp\/v2\/tags?post=10"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}