IMPORTANT NOTE: This site is not official Red Hat documentation and is provided for informational purposes only. These guides may be experimental, proof of concept, or early adoption. Officially supported documentation is available at docs.openshift.com and access.redhat.com.

Examples of using a WAF in front of ROSA / OSD on AWS / OCP on AWS


Last Editor: Dustin Scott
Published Date: 17 June 2021
Modified Date: 25 May 2023


Problem Statement

  1. Operator requires a WAF (Web Application Firewall) in front of their workloads running on OpenShift (ROSA).

  2. Operator does not want the WAF running on OpenShift, so that OCP resources do not experience denial of service from handling the WAF.

Quick Introduction by Paul Czarkowski & Ryan Niksch on YouTube

Solutions

CloudFront -> WAF -> CustomDomain -> $APP

This is the preferred method and can also work with most third-party WAF systems that act as a reverse proxy.

Uses a custom domain, custom route, LE cert, CloudFront and WAF.

Application Load Balancer -> ALB Operator -> $APP

Installs the ALB Operator and uses the ALB to route via WAF. One ALB per app, though!