Skip to content

proposal: AFD + WAF + Private Link GLB#373

Draft
rchincha wants to merge 6 commits into
Azure:mainfrom
rchincha:rchinchani/afd-first-party-proposal
Draft

proposal: AFD + WAF + Private Link GLB#373
rchincha wants to merge 6 commits into
Azure:mainfrom
rchincha:rchinchani/afd-first-party-proposal

Conversation

@rchincha

Copy link
Copy Markdown

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #

Requirements:

How has this code been tested

Special notes for your reviewer

rchincha and others added 2 commits July 15, 2026 11:44
…NS253

Adds docs/first-party/ folder with an index README and proposal 001 outlining
how to extend fleet-networking beyond ATM to satisfy SFI-NS253 for
first-party AKS workloads via Azure Front Door Standard/Premium with an
attached WAF policy and Private Link origins.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 10282cca-4848-413e-a12a-f6cf963a72ec
…osal 002)

Adds docs/first-party/002-afd-implementation-plan.md — the executable
companion to proposal 001. Covers guiding conventions extracted from
the existing ATM implementation, a complete file-by-file scope table
(add/modify/generated), Go type sketches with CEL rules, controller
skeletons, cmd/hub-net-controller-manager/main.go diff, a 5-phase
delivery plan, backward-compatibility notes, risks, and success
criteria.

Also updates docs/first-party/README.md to index proposal 002.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 10282cca-4848-413e-a12a-f6cf963a72ec
@rchincha
rchincha marked this pull request as draft July 15, 2026 18:53
@rchincha rchincha changed the title proposal: add AFD support separate from ATM proposal: AFD + WAF + Private Link GLB Jul 15, 2026
rchincha and others added 4 commits July 15, 2026 15:30
Proposal 002: add new section 8 'East-west (MCS) compatibility'
covering guarantees for the ServiceExport/ServiceImport/EndpointSlice*
data plane, guardrails on the ExportMode transition, interaction with
the existing TrafficManagerBackend controller, and required
non-regression test coverage. Renumber subsequent sections.

Proposals 001 and 002: call out that AFD is L7-only (HTTP/HTTPS +
WebSockets-over-HTTPS) and that L4 first-party workloads are not
covered by this proposal — future L4 SFI-NS253 compliance likely
via Azure Cross-region Load Balancer.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 10282cca-4848-413e-a12a-f6cf963a72ec
Adds docs/first-party/003-pre-implementation-checklist.md — converts
the open design questions from proposal 001 and the unstated
assumptions in proposal 002 into a trackable list of gates:

- open design decisions (profile scope, WAF requiredness, custom
  domains phase, umbrella CRD, adding Spec to ServiceExport)
- external review / sign-off gates (maintainer, SFI, PM, security)
- spikes (AKS PLS status annotation, armcdn SDK compat,
  cross-sub PLS auto-approval, RBAC minimums, dev-sub, chart
  cloud-config interaction)
- overall readiness verdict with per-phase gating rules

Also indexes proposal 003 in the folder README.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 10282cca-4848-413e-a12a-f6cf963a72ec
…profile scope

Proposal 001:
- 2.1: add explicit traffic-isolation property (AFD PoP → Microsoft
  backbone → PE → ILB → pod, no public internet leg, no public IP on
  origin) with ASCII flow diagram.
- 2.1: state AFD Premium (not Standard) as the required SKU.
- 2.3: expand the non-goal on non-Premium SKUs — Standard is out of
  scope because Private Link origins are Premium-only.
- 3.2: annotate the topology description with the backbone-isolation
  guarantee.

Proposal 003:
- 1.1: resolve profile scope as **namespaced**, with rationale
  tying ownership to the PLS/Service/namespace boundary and calling
  out that the per-flow isolation property does not require a
  cluster-scoped profile.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 10282cca-4848-413e-a12a-f6cf963a72ec
…equiredness (1.2)

Proposal 002:
- 3.1: replace SKU enum with single-value Premium (Standard removed
  per proposal 001 2.3). Add a first-class
  spec.complianceMode: None | SFI-NS253 field (default None,
  immutable). CEL requires spec.wafPolicy when complianceMode is
  SFI-NS253.
- 4.2: describe the FrontDoorBackend reconciler's cross-check that
  refuses privateLink=false when the referenced profile is in SFI
  mode (surfaced as Accepted=False,
  Reason=SFIComplianceViolation). Closes the loophole of an
  SFI-compliant profile with a lax backend.

Proposal 003:
- 1.2: resolve as 'required when complianceMode == SFI-NS253',
  with rationale explaining why an explicit Spec field beats an
  annotation-based marker (auditable, mistype-safe, kubectl-
  discoverable, drives both profile and backend enforcement).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 10282cca-4848-413e-a12a-f6cf963a72ec
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant