Cloud Experts Documentation

Examples of using a WAF in front of ROSA / OSD on AWS / OCP on AWS

Problem Statement

  1. Operator requires WAF (Web Application Firewall) in front of their workloads running on OpenShift (ROSA)

  2. Operator does not want WAF running on OpenShift to ensure that OCP resources do not experience Denial of Service through handling the WAF

Quick Introduction by Paul Czarkowskiexternal link (opens in new tab) & Ryan Niksch on YouTubeexternal link (opens in new tab)

Solutions

Cloud Front -> WAF -> CustomDomain -> $APP

This is the preferred method and can also work with most third party WAF systems that act as a reverse proxy

Uses a custom domain, custom route, LE cert. CloudFront and WAF

Application Load Balancer -> ALB Operator -> $APP

Installs the ALB Operator, and uses the ALB to route via WAF, one ALB per app though!

Back to top

Interested in contributing to these docs?

Collaboration drives progress. Help improve our documentation The Red Hat Way.

GitHub Edit this page
Red Hat logo LinkedIn YouTube Facebook Twitter

Products

Tools

Try, buy & sell

Communicate

About Red Hat

We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Subscribe to our newsletter, Red Hat Shares

Sign up now © 2026 Red Hat