Commit fa4fa42

nodebalancer firewall updates (linode#6760)
* ct-3705-loadbalancer-draft
* rebranded to Akamai Global Load Balancer
* rebranded Akamai Global Load Balancer
* Draft drop -June 14
* June 26-draft drop
* Rename _index.md to _index.md
* renamed folder to global-loadbalancer
* folder renamed
* Draft drop - July 10
* July 17th draft drop
* test
* comparison table updates
* comparison table updates
* Comparison table updates
* glb vs nb table updates
* includes changes for some of Andy's comments
* broken link
* removed broken link
* glb-2 update
* test
* test2
* Sep 11 take2
* missing slash?
* fixed slash
* NodeBalancer Firewall Updates - Draft
* small updates
* updates to Inbound firewall rules
* added comments from Tzafrir Nutkevitch
* ui testing & figure of traffic bypassing firewall
* small updates
* ui testing updates
* .
* small change.
* removed would
* nov1 again
* removed glb
* update graphic (`filtered` replaced `protected`)
* new note
* ..
* latest ui changes from pr-9831
* comments from: https://docs.google.com/document/d/1qFwJJEo4aFDohX6-dGfSlfcgOOymGEdCDGw_NC5qUl8/edit
* fixed bad links
* date change
1 parent 6a2bdcb commit fa4fa42

12 files changed

+115
-16
lines changed

docs/products/networking/nodebalancers/_index.md

Lines changed: 13 additions & 2 deletions
@@ -9,7 +9,7 @@ tab_group_main:
99
cascade:
1010
date: 2020-06-02
1111
product_description: "Managed cloud-based load balancing service that provides high availability and horizontal scaling to any application."
12-
modified: 2023-09-21
12+
modified: 2023-11-14
1313
aliases: ['/platform/nodebalancer/','/nodebalancers/','/guides/platform/nodebalancer/']
1414
---
1515

@@ -25,6 +25,8 @@ There are two main ways to scale an application to increase the performance and
2525

2626
## Additional Features
2727

28+
- **Firewall Security:** [Cloud Firewall](/docs/products/networking/cloud-firewall/) provides enhanced security by allowing you to control who can access your NodeBalancer. The optional Cloud Firewall sits between your NodeBalancer and the internet to filter out unwanted network traffic before it reaches your NodeBalancer. When used in conjunction with NodeBalancers, a Cloud Firewall’s inbound rules only apply to the NodeBalancer’s public IP, not the IPs of the backend nodes. This means you may also want to add individual backend nodes to a Cloud Firewall to protect any additional exposed IP addresses.
29+
2830
- **Managed:** NodeBalancers take the infrastructure management out of load balancing. They are designed to be maintenance free after initial configuration.
2931

3032
- **Sticky Sessions:** NodeBalancers can route subsequent requests to the same backend, so all application sessions work correctly.
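
Review bot: In the new **Firewall Security** bullet, the closing sentence ("This means you may also want to add individual backend nodes to a Cloud Firewall...") understates the gap it describes. The inbound rules apply only to the NodeBalancer's public IP, so any other exposed IP address on a backend node is not filtered by this firewall at all. Suggest stating that outright, for example "Backend nodes with additional exposed IP addresses are not covered by this firewall and need a Cloud Firewall of their own", which matches the note this commit adds at the end of the same file. The bullet also uses typographic apostrophes (Firewall’s, NodeBalancer’s) where the surrounding text uses straight ones.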
@@ -53,6 +55,8 @@ NodeBalancers are available across [all regions](https://www.linode.com/global-i
5355

5456
Each NodeBalancer on an account starts at $10/mo ($0.015/hr). [Price](https://www.linode.com/pricing/) may vary by region.
5557

58+
Cloud Firewall is available at no additional charge to customers.
59+
5660
## Technical Specifications
5761

5862
- Managed cloud-based load balancing service
@@ -63,6 +67,7 @@ Each NodeBalancer on an account starts at $10/mo ($0.015/hr). [Price](https://ww
6367
- Supports HTTP and HTTPS (layer 7) load balancing through the HTTP/1.1 protocol (HTTP/2 is not yet available)
6468
- Supports both SSL termination (using the HTTPS protocol mode) and SSL pass-through (using the TCP protocol mode)
6569
- Equipped with both public IPv4 and IPv6 addresses
70+
- Supports inbound Cloud Firewall rules such as IPv4 and IPv6 access control lists (ACLs) to *Accept* or *Drop* ingress traffic.
6671
- Fully customizable health checks to ensure traffic lands on a functioning backend
6772
- 40 Gbps inbound network bandwidth
6873
- Free inbound network transfer
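
Review bot: The added specification bullet ("Supports inbound Cloud Firewall rules such as IPv4 and IPv6 access control lists (ACLs) ...") ends with a period while the neighbouring bullets in this list do not; drop it for consistency. Because this is the technical specifications list, it is also the natural place to say that only TCP rules apply, since the create guide changed in this commit states that UDP, ICMP, and IPENCAP are not currently supported on NodeBalancers.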
@@ -81,4 +86,10 @@ Each NodeBalancer on an account starts at $10/mo ($0.015/hr). [Price](https://ww
8186
- **TLS protocols:** TLS v1.2 and v1.3 are supported in **HTTPS** mode.
8287
- While operating in **HTTPS** mode, internal traffic sent to the backend Linodes will be unencrypted.
8388

84-
For applications that require a very high connection rate or otherwise need to overcome the above considerations present in **HTTPS** mode, consider operating in **TCP** mode and terminating TLS on the backend Linodes.
89+
For applications that require a very high connection rate or otherwise need to overcome the above considerations present in **HTTPS** mode, consider operating in **TCP** mode and terminating TLS on the backend Linodes.
90+
91+
- **Cloud Firewall support:** When a Cloud Firewall is assigned to a NodeBalancer, the firewall only looks at incoming requests, this means that only inbound Cloud Firewall rules apply and outbound rules are not applicable.
92+
93+
{{< note >}}
94+
A service (Linode) can be accessed from other interfaces (not just the NodeBalancer). To filter traffic from other interfaces, backend Linodes require their own firewalls.
95+
{{< /note >}}
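
Review bot: The new **Cloud Firewall support** bullet is appended after the paragraph that closes the list ("... need to overcome the above considerations present in **HTTPS** mode ..."), so it reads as a stray item that is no longer covered by that summary; move it above the paragraph or give it its own short section. The bullet itself has a comma splice ("the firewall only looks at incoming requests, this means that ..."); something like "Only inbound Cloud Firewall rules apply to a NodeBalancer; outbound rules are not applicable." says the same thing. In the note, "A service (Linode) can be accessed from other interfaces" is vague: the create guide in this commit says the firewall only controls traffic to the backend IPs assigned to the NodeBalancer, and the note should name that boundary the same way.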

docs/products/networking/nodebalancers/get-started/index.md

Lines changed: 20 additions & 2 deletions
@@ -35,15 +35,33 @@ For advice on load balancing and high availability, review the following resourc
3535

3636
## Create the NodeBalancer
3737

38+
If you are using a Cloud Firewall with this NodeBalancer, have the name of the firewall available. To see a listing of available firewalls, log in to the [Cloud Manager](https://cloud.linode.com) and select **Firewalls** from the navigation menu. If the firewall doesn't exist yet, [Create a Cloud Firewall](/docs/products/networking/cloud-firewall/guides/create-a-cloud-firewall/) and [Add Firewall Rules](/docs/products/networking/cloud-firewall/guides/manage-firewall-rules/).
39+
3840
Once your application has been deployed on multiple Compute Instances, you are ready to create the NodeBalancer. Simple instructions have been provided below. For complete instructions, see the [Create a NodeBalancer](/docs/products/networking/nodebalancers/guides/create/) guide.
3941

40-
1. Log in to the [Cloud Manager](https://cloud.linode.com), select NodeBalancers from the left menu, and click the **Create Nodebalancer** button. This displays the *NodeBalancer Create* form.
42+
1. Log in to [Cloud Manager](https://cloud.linode.com), select **NodeBalancers** from the left menu, and click the **Create NodeBalancer** button. This displays the *Nodebalancers Create* form.
4143

4244
1. Enter a **Label** for the NodeBalancer, as well as any **Tags** that may help you organize this new NodeBalancer with other services on your account.
4345

4446
1. Select a **Region** for this NodeBalancer. The NodeBalancer needs to be located in the same data center as your application's Compute Instances.
4547

46-
1. Within the *NodeBalancer Settings* area, there is a single configuration block with sections for configuring the port, defining health checks, and attaching backend nodes. Additional ports can be added using the **Add another Configuration** button.
48+
1. If you are using a firewall, select a firewall from the **Assign Firewall** list. Only one Firewall can be selected, however you can attach the same Cloud Firewall to multiple NodeBalancers or other services (devices).
49+
50+
You can also create a new Firewall by clicking the **Create Firewall** button. This displays the *Create Firewall* drawer. Configure the required field.
51+
52+
| **Configuration** | **Description** |
53+
| --------------- | --------------- |
54+
| **Label** (Required)| The label is used as an identifier for this Cloud Firewall. |
55+
| **Additional Linodes** (Optional)| The Linode(s) on which to apply this Firewall. A list of all Linodes on your account are visible. You can leave this blank if you do not yet wish to apply the Firewall to a Linode. |
56+
| **Additional NodeBalancers** (Optional) | The NodeBalancers on which to apply this Firewall. A list of all created NodeBalancers on your account are visible. You can leave this blank if you do not want to apply this Cloud Firewall to other NodeBalancers.|
57+
58+
Click on the **Create Firewall** button to finish creating the Cloud Firewall and to returned to the the *Nodebalancers Create* form.
59+
60+
{{< note >}}
61+
By default, a new Cloud Firewall accepts all inbound and outbound connections. Only inbound firewall rules apply to NodeBalancers, see [Cloud Firewall Inbound Rules for NodeBalancer](/docs/products/networking/nodebalancers/guides/create/#cloud-firewall-inbound-rules-for-nodebalancer). Custom rules can be added as needed in the Firewall application. See [Add New Cloud Firewall Rules](/docs/products/networking/cloud-firewall/guides/manage-firewall-rules/).
62+
{{< /note >}}
63+
64+
5. Within the *NodeBalancer Settings* area, there is a single configuration block with sections for configuring the port, defining health checks, and attaching backend nodes. Additional ports can be added using the **Add another Configuration** button.
4765

4866
{{< note >}}
4967
The following recommended parameters can be used for deploying a website. For other applications or to learn more about these settings, see the [Configuration Options](/docs/products/networking/nodebalancers/guides/configure/) guide.
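
Review bot: The sentence added after the table, "Click on the **Create Firewall** button to finish creating the Cloud Firewall and to returned to the the *Nodebalancers Create* form.", has two typos ("to returned", "the the"). The form name is also inconsistent: step 1 now says *Nodebalancers Create* where it previously said *NodeBalancer Create*, and the create guide changed in this same commit still uses *NodeBalancer Create*; use whichever matches the UI in both places. The last step is hard-numbered "5." while every other step uses "1."; if the paragraph, table and note between the steps are not indented under the firewall step they end the ordered list, so indent them and keep "1." for automatic numbering. In the firewall step, "Only one Firewall can be selected, however you can ..." should be split into two sentences, and "Configure the required field." could name the field (the table marks only **Label** as required).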

docs/products/networking/nodebalancers/guides/client-ip/index.md

Lines changed: 1 addition & 1 deletion
@@ -20,7 +20,7 @@ You'll need to configure your web server software to use the XFF header.
2020

2121
### Apache
2222

23-
If you're using the Apache web server, you can use the `mod_rpaf` to replace `REMOTE_ADDR` with the clent's IP address in the XFF header. After you install the module, you'll need to specify 192.168.255.0/24 as a proxy in `httpd.conf`.
23+
If you're using the Apache web server, you can use the `mod_rpaf` to replace `REMOTE_ADDR` with the client's IP address in the XFF header. After you install the module, you'll need to specify 192.168.255.0/24 as a proxy in `httpd.conf`.
2424

2525
### Nginx
2626

docs/products/networking/nodebalancers/guides/configure/index.md

Lines changed: 1 addition & 1 deletion
@@ -61,7 +61,7 @@ The *algorithm* controls how *new connections* are allocated across the backend
6161

6262
- **Least Connections**: Tracks each backend's connection count and allocates new connections to the one with the least connections.
6363

64-
- **Source IP**: Modulates the client's IP to allocate them to the same backend on subsequent requests. This works so long as the set of backend doesn't change, however the **Session Stickiness** setting (below) does affect this behavior.
64+
- **Source IP**: Modulates the client's IP to allocate them to the same backend on subsequent requests. This works so long as the set of backend nodes doesn't change, however the **Session Stickiness** setting (below) does affect this behavior.
6565

6666
### Session Stickiness
6767

docs/products/networking/nodebalancers/guides/create/index.md

Lines changed: 36 additions & 1 deletion
@@ -11,6 +11,7 @@ This guide walks you through creating a NodeBalancer through the Cloud Manager.
1111
1. [Open the Create NodeBalancer Form in the Cloud Manager](#open-the-create-nodebalancer-form-in-the-cloud-manager)
1212
1. [Set the Label](#set-the-label)
1313
1. [Select a Region](#select-a-region)
14+
1. [Assign a Cloud Firewall](#assign-a-cloud-firewall-optional)
1415
1. [Add and Configure Ports](#add-and-configure-ports)
1516
1. [Set Up Health Checks for Each Port](#set-up-health-checks-for-each-port)
1617
1. [Add Backend Nodes to Each Port](#add-backend-nodes-to-each-port)
@@ -32,9 +33,43 @@ Select the **region** where the NodeBalancer will reside. Regions correspond wit
3233
- [Speed Tests for Data Centers](https://www.linode.com/speed-test/)
3334
- [How to Choose a Data Center](/docs/products/platform/get-started/guides/choose-a-data-center/)
3435

36+
## Assign a Cloud Firewall (Optional)
37+
38+
A NodeBalancer can only be attached to one active (enabled) Cloud Firewall at a time. You can attach the same Cloud Firewall to multiple NodeBalancers or other devices.
39+
40+
Select the Cloud Firewall from the **Assign Firewall** pull down to use with the NodeBalancer.
41+
42+
If the firewall doesn't exist yet, you can create the firewall using either the Firewall application, or the NodeBalancer application. Rules for the firewall, can only be added in the Firewall application.
43+
44+
To create a firewall and add rules using the Firewall application, see [Create a Cloud Firewall](/docs/products/networking/cloud-firewall/guides/create-a-cloud-firewall/) and [Add Firewall Rules](/docs/products/networking/cloud-firewall/guides/manage-firewall-rules/).
45+
46+
To create a firewall using the NodeBalancer application, in the *NodeBalancer Create* form click the **Create Firewall**. This displays the *Create Firewall* drawer. Configure the required field.
47+
48+
| **Configuration** | **Description** |
49+
| --------------- | --------------- |
50+
| **Label** (Required)| The label is used as an identifier for this Cloud Firewall. |
51+
| **Additional Linodes** (Optional)| The Linode(s) on which to apply this Firewall. A list of all Linodes on your account are visible. You can leave this blank if you do not yet wish to apply the Firewall to a Linode. |
52+
| **Additional NodeBalancers** (Optional) | The NodeBalancers on which to apply this Firewall. A list of all created NodeBalancers on your account are visible. You can leave this blank if you do not want to apply this Cloud Firewall to other NodeBalancers.|
53+
54+
Click on the **Create Firewall** button to finish creating the Cloud Firewall and to returned to the the *Nodebalancers Create* form.
55+
56+
{{< note >}}
57+
By default, a new Cloud Firewall accepts all inbound and outbound connections. Only inbound firewall rules apply to NodeBalancers. Custom rules can be added in the Firewall application as needed. See [Add New Cloud Firewall Rules](/docs/products/networking/cloud-firewall/guides/manage-firewall-rules/).
58+
{{< /note >}}
59+
60+
### Cloud Firewall Inbound Rules for NodeBalancer
61+
- Inbound rules limit incoming network connections to the NodeBalancer based on the port(s) and sources you configure.
62+
- The NodeBalancer accepts traffic and routes traffic on an internal network to backend targets. For this reason, only inbound firewall rules apply to NodeBalancer.
63+
- Inbound firewall rules such as IPv4 and IPv6 access control lists (ACLs) can be configured to *Accept* or *Drop* ingress traffic to the NodeBalancer.
64+
- NodeBalancers can accept TCP connections on all ports. When you add an inbound rule for a NodeBalancer in Cloud Firewall, select TCP as the transport layer protocol. UDP, ICMP, and IPENCAP are not currently supported on NodeBalancers.
65+
- The firewall is infront of the NodeBalancer and the assigned backend nodes. When both the NodeBalancer and its backend nodes have firewalls, the NodeBalancers inbound firewall rules are applied to incoming requests first, before the requests reach the backend nodes.
66+
- A backend node server (Linode) can have multiple IP addresses. The NodeBalancer firewall only controls inbound traffic to the backend nodes IPs that are assigned to the NodeBalancer. A service (Linode) can be accessed from any interface (not just the NodeBalancer). To filter traffic from other interfaces, backend Linodes require their own firewalls.
67+
68+
![Figure of traffic going through firewall and NodeBalancer and traffic bypassing firewall and NodeBalancer](nb-firewall.jpg)
69+
3570
## Add and Configure Ports
3671

37-
To start load balancing traffic, you need to define which ports the NodeBalancer should listen to and how the incoming traffic should be routed to the backend nodes. These ports can be configured within the **NodeBalancer Settings** area. By default, a single port configuration is visible in this area. Additional ports can be added by clicking the **Add another Configuration** button. See [Configuration Options](/docs/products/networking/nodebalancers/guides/configure/) for more details regarding each of these settings.
72+
To start load balancing traffic, you need to define which ports the NodeBalancer should listen to and how the incoming traffic should be routed to the backend nodes. These ports can be configured within the **NodeBalancer Settings** area. By default, a single port configuration is visible in this area. Additional ports can be added by clicking the **Add Another Configuration** button. See [Configuration Options](/docs/products/networking/nodebalancers/guides/configure/) for more details regarding each of these settings.
3873

3974
- **Port:** Enter the *inbound* port the NodeBalancer should listen to. This can be any port from 1 through 65534 and should align with the port the client connects to. See [Configuration Options > Port](/docs/products/networking/nodebalancers/guides/configure/#port).
4075
- **Protocol:** Select *TCP*, *HTTP*, or *HTTPS*. For many applications, using *TCP* offers the most flexibility and allows for TLS pass through. Using *HTTP* and *HTTPS* offers some additional NodeBalancer options and allows for TLS termination. See [Configuration Options > Protocol](/docs/products/networking/nodebalancers/guides/configure/#protocol).
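
Review bot: In the new "Cloud Firewall Inbound Rules for NodeBalancer" list, the bullet "The firewall is infront of the NodeBalancer and the assigned backend nodes" can be read as saying the backend nodes are protected, which the following bullet and the figure's alt text contradict: traffic that reaches a backend on an IP not assigned to the NodeBalancer bypasses this firewall. Suggest rewording so it says the firewall filters only traffic arriving through the NodeBalancer, and putting the "backend Linodes require their own firewalls" sentence first in that bullet. The note stating that a new Cloud Firewall accepts all inbound and outbound connections by default deserves an explicit follow-up step to add inbound rules, since a firewall created from the drawer filters nothing until then. Wording fixes in the same hunk: "infront" to "in front", "NodeBalancers inbound firewall rules" to "NodeBalancer's", "backend nodes IPs" to "backend nodes' IPs", "Rules for the firewall, can only be added" (stray comma), "click the **Create Firewall**" (missing "button"), "to returned to the the *Nodebalancers Create* form", and the new ### heading has no blank line before its list, unlike the other headings in the file.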

docs/products/networking/nodebalancers/guides/load-balancing/index.md

Lines changed: 2 additions & 1 deletion
@@ -40,4 +40,5 @@ The optimal solution for a highly available site or application is to have multi
4040

4141
- [Health checks](/docs/products/networking/nodebalancers/guides/configure/#health-checks) are performed to make sure that requests are only routed to healthy Linodes.
4242
- Backend Linodes can be added or removed seamlessly without end users noticing any downtime.
43-
- Client requests can be routed to the same backend Linode through [sticky sessions](/docs/products/networking/nodebalancers/guides/configure/#session-stickiness).
43+
- Client requests can be routed to the same backend Linode through [sticky sessions](/docs/products/networking/nodebalancers/guides/configure/#session-stickiness).
44+
- [Cloud Firewall](/docs/products/networking/cloud-firewall/) provides enhanced security by allowing you to control who can access your NodeBalancer. The optional Cloud Firewall sits between your NodeBalancer and the internet to filter out unwanted network traffic before it reaches your NodeBalancer. When used in conjunction with NodeBalancers, a Cloud Firewall’s inbound rules only apply to the NodeBalancer’s public IP, not the IPs of the backend nodes. This means you may also want to add individual backend nodes to a Cloud Firewall to protect any additional exposed IP addresses.
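
Review bot: The added Cloud Firewall bullet is a verbatim copy of the **Firewall Security** bullet this commit adds to _index.md, and at four sentences it is far longer than the one-line benefits above it. Suggest cutting it here to a single sentence that links to the Cloud Firewall page and the create guide's inbound rules section, so the caveat about backend node IPs is maintained in one place and cannot drift between the two files. It also carries the same typographic apostrophes (Firewall’s, NodeBalancer’s) as the original.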