Skip to content

proposal: AFD + WAF + Private Link GLB#373

Draft
rchincha wants to merge 4 commits into
Azure:mainfrom
rchincha:rchinchani/afd-first-party-proposal
Draft

proposal: AFD + WAF + Private Link GLB#373
rchincha wants to merge 4 commits into
Azure:mainfrom
rchincha:rchinchani/afd-first-party-proposal

Conversation

@rchincha

Copy link
Copy Markdown

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #

Requirements:

How has this code been tested

Special notes for your reviewer

rchincha and others added 2 commits July 15, 2026 11:44
…NS253

Adds docs/first-party/ folder with an index README and proposal 001 outlining
how to extend fleet-networking beyond ATM to satisfy SFI-NS253 for
first-party AKS workloads via Azure Front Door Standard/Premium with an
attached WAF policy and Private Link origins.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 10282cca-4848-413e-a12a-f6cf963a72ec
…osal 002)

Adds docs/first-party/002-afd-implementation-plan.md — the executable
companion to proposal 001. Covers guiding conventions extracted from
the existing ATM implementation, a complete file-by-file scope table
(add/modify/generated), Go type sketches with CEL rules, controller
skeletons, cmd/hub-net-controller-manager/main.go diff, a 5-phase
delivery plan, backward-compatibility notes, risks, and success
criteria.

Also updates docs/first-party/README.md to index proposal 002.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 10282cca-4848-413e-a12a-f6cf963a72ec
@rchincha rchincha marked this pull request as draft July 15, 2026 18:53
@rchincha rchincha changed the title proposal: add AFD support separate from ATM proposal: AFD + WAF + Private Link GLB Jul 15, 2026
rchincha and others added 2 commits July 15, 2026 15:30
Proposal 002: add new section 8 'East-west (MCS) compatibility'
covering guarantees for the ServiceExport/ServiceImport/EndpointSlice*
data plane, guardrails on the ExportMode transition, interaction with
the existing TrafficManagerBackend controller, and required
non-regression test coverage. Renumber subsequent sections.

Proposals 001 and 002: call out that AFD is L7-only (HTTP/HTTPS +
WebSockets-over-HTTPS) and that L4 first-party workloads are not
covered by this proposal — future L4 SFI-NS253 compliance likely
via Azure Cross-region Load Balancer.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 10282cca-4848-413e-a12a-f6cf963a72ec
Adds docs/first-party/003-pre-implementation-checklist.md — converts
the open design questions from proposal 001 and the unstated
assumptions in proposal 002 into a trackable list of gates:

- open design decisions (profile scope, WAF requiredness, custom
  domains phase, umbrella CRD, adding Spec to ServiceExport)
- external review / sign-off gates (maintainer, SFI, PM, security)
- spikes (AKS PLS status annotation, armcdn SDK compat,
  cross-sub PLS auto-approval, RBAC minimums, dev-sub, chart
  cloud-config interaction)
- overall readiness verdict with per-phase gating rules

Also indexes proposal 003 in the folder README.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 10282cca-4848-413e-a12a-f6cf963a72ec
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant