Skip to content

DCGW: Describe fronting vs securing the edge #5869

Description

@cloudjumpercat

Jobs to be done (optional)

The current DCGW network docs mix descriptions of edge components, like fronting/reachability (ALB, CDN) and securing the edge (WAF, IP restriction plugins, etc.). This applies to both private and public networks.

We need to be clearer what the options are and break the info out into probably two separate sections. There are some overlap areas between these and between public/private. See this Slack thread for more info: https://kongstrong.slack.com/archives/C070FKK6GBT/p1782866605418499

Here's also some info from my research with Claude (so take with a grain of salt):

ALB and CDN are reachability/architecture components. Their core function is "how does traffic physically get from the internet to Kong" — routing, TLS termination, re-origination. A bare ALB or a bare CDN with no WAF attached doesn't secure anything on its own; it just relocates where the public endpoint lives. A CDN in particular can actually widen your attack surface if left unsecured (now there's an additional edge component reachable from the internet, with its own config surface).
WAF, origin-header validation, and IP restriction are the actual security controls. These are what inspect, filter, or gate traffic once it's reachable.

Definition of done

Information

Due date (optional)

Size

Metadata

Metadata

Assignees

No one assigned

    Type

    Fields

    No fields configured for Task.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions