Jobs to be done (optional)
The current DCGW network docs mix descriptions of edge components, like fronting/reachability (ALB, CDN) and securing the edge (WAF, IP restriction plugins, etc.). This applies to both private and public networks.
We need to be clearer what the options are and break the info out into probably two separate sections. There are some overlap areas between these and between public/private. See this Slack thread for more info: https://kongstrong.slack.com/archives/C070FKK6GBT/p1782866605418499
Here's also some info from my research with Claude (so take with a grain of salt):
ALB and CDN are reachability/architecture components. Their core function is "how does traffic physically get from the internet to Kong" — routing, TLS termination, re-origination. A bare ALB or a bare CDN with no WAF attached doesn't secure anything on its own; it just relocates where the public endpoint lives. A CDN in particular can actually widen your attack surface if left unsecured (now there's an additional edge component reachable from the internet, with its own config surface).
WAF, origin-header validation, and IP restriction are the actual security controls. These are what inspect, filter, or gate traffic once it's reachable.
Definition of done
Information
Due date (optional)
Size
Jobs to be done (optional)
The current DCGW network docs mix descriptions of edge components, like fronting/reachability (ALB, CDN) and securing the edge (WAF, IP restriction plugins, etc.). This applies to both private and public networks.
We need to be clearer what the options are and break the info out into probably two separate sections. There are some overlap areas between these and between public/private. See this Slack thread for more info: https://kongstrong.slack.com/archives/C070FKK6GBT/p1782866605418499
Here's also some info from my research with Claude (so take with a grain of salt):
Definition of done
Information
Due date (optional)
Size