How Does the Panorama Plugin for Azure Secure Kubernetes Services?
Table of Contents
9.1 (EoL)
Expand all | Collapse all
-
- VM-Series Deployments
- VM-Series in High Availability
- Enable Jumbo Frames on the VM-Series Firewall
- Hypervisor Assigned MAC Addresses
- Custom PAN-OS Metrics Published for Monitoring
- Interface Used for Accessing External Services on the VM-Series Firewall
- PacketMMAP and DPDK Driver Support
-
- VM-Series Firewall Licensing
- Create a Support Account
- Serial Number and CPU ID Format for the VM-Series Firewall
-
- Activate Credits
- Transfer Credits
- Create a Deployment Profile
- Manage a Deployment Profile
- Provision Panorama
- Migrate Panorama to a Software NGFW License
- Renew Your Software NGFW Credits
- Amend and Extend a Credit Pool
- Deactivate License (Software NGFW Credits)
- Delicense Ungracefully Terminated Firewalls
- Create and Apply a Subscription-Only Auth Code
- Migrate to a Flexible VM-Series License
-
- Generate Your OAuth Client Credentials
- Manage Deployment Profiles Using the Licensing API
- Create a Deployment Profile Using the Licensing API
- Update a Deployment Profile Using the Licensing API
- Get Serial Numbers Associated with an Authcode Using the API
- Deactivate a VM-Series Firewall Using the API
- Use Panorama-Based Software Firewall License Management
- What Happens When Licenses Expire?
- Install a Device Certificate on the VM-Series Firewall
-
- Supported Deployments on VMware vSphere Hypervisor (ESXi)
-
- Plan the Interfaces for the VM-Series for ESXi
- Provision the VM-Series Firewall on an ESXi Server
- Perform Initial Configuration on the VM-Series on ESXi
- Add Additional Disk Space to the VM-Series Firewall
- Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air
- Use vMotion to Move the VM-Series Firewall Between Hosts
- Use the VM-Series CLI to Swap the Management Interface on ESXi
-
-
- VM-Series Firewall for NSX-V Deployment Checklist
- Install the VMware NSX Plugin
- Apply Security Policies to the VM-Series Firewall
- Steer Traffic from Guests that are not Running VMware Tools
- Add a New Host to Your NSX-V Deployment
- Dynamically Quarantine Infected Guests
- Migrate Operations-Centric Configuration to Security-Centric Configuration
- Use Case: Shared Compute Infrastructure and Shared Security Policies
- Use Case: Shared Security Policies on Dedicated Compute Infrastructure
- Dynamic Address Groups—Information Relay from NSX-V Manager to Panorama
-
- Supported Deployments of the VM-Series Firewall on VMware NSX-T (North-South)
- Components of the VM-Series Firewall on NSX-T (North-South)
-
- Install the Panorama Plugin for VMware NSX
- Enable Communication Between NSX-T Manager and Panorama
- Create Template Stacks and Device Groups on Panorama
- Configure the Service Definition on Panorama
- Deploy the VM-Series Firewall
- Direct Traffic to the VM-Series Firewall
- Apply Security Policy to the VM-Series Firewall on NSX-T
- Use vMotion to Move the VM-Series Firewall Between Hosts
- Extend Security Policy from NSX-V to NSX-T
-
- Components of the VM-Series Firewall on NSX-T (East-West)
- VM-Series Firewall on NSX-T (East-West) Integration
- Supported Deployments of the VM-Series Firewall on VMware NSX-T (East-West)
-
- Install the Panorama Plugin for VMware NSX
- Enable Communication Between NSX-T Manager and Panorama
- Create Template Stacks and Device Groups on Panorama
- Configure the Service Definition on Panorama
- Launch the VM-Series Firewall on NSX-T (East-West)
- Add a Service Chain
- Direct Traffic to the VM-Series Firewall
- Apply Security Policies to the VM-Series Firewall on NSX-T (East-West)
- Use vMotion to Move the VM-Series Firewall Between Hosts
- Extend Security Policy from NSX-V to NSX-T
- Use Migration Coordinator to Move Your VM-Series from NSX-V to NSX-T
-
-
- Deployments Supported on AWS
-
- Planning Worksheet for the VM-Series in the AWS VPC
- Launch the VM-Series Firewall on AWS
- Launch the VM-Series Firewall on AWS Outpost
- Create a Custom Amazon Machine Image (AMI)
- Encrypt EBS Volume for the VM-Series Firewall on AWS
- Use the VM-Series Firewall CLI to Swap the Management Interface
- Enable CloudWatch Monitoring on the VM-Series Firewall
- VM-Series Firewall Startup and Health Logs on AWS
- Use Case: Secure the EC2 Instances in the AWS Cloud
- Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC
-
-
- What Components Does the VM-Series Auto Scaling Template for AWS (v2.0) Leverage?
- How Does the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1) Enable Dynamic Scaling?
- Plan the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1)
- Customize the Firewall Template Before Launch (v2.0 and v2.1)
- Launch the VM-Series Auto Scaling Template for AWS (v2.0)
- SQS Messaging Between the Application Template and Firewall Template
- Stack Update with VM-Series Auto Scaling Template for AWS (v2.0)
- Modify Administrative Account and Update Stack (v2.0)
-
- Launch the Firewall Template (v2.1)
- Launch the Application Template (v2.1)
- Create a Custom Amazon Machine Image (v2.1)
- VM-Series Auto Scaling Template Cleanup (v2.1)
- SQS Messaging Between the Application Template and Firewall Template (v2.1)
- Stack Update with VM-Series Auto Scaling Template for AWS (v2.1)
- Modify Administrative Account (v2.1)
- Change Scaling Parameters and CloudWatch Metrics (v2.1)
-
-
- Enable the Use of a SCSI Controller
- Verify PCI-ID for Ordering of Network Interfaces on the VM-Series Firewall
-
- Deployments Supported on Azure
- Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template)
- Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template)
- Deploy the VM-Series Firewall on Azure Stack
- Enable Azure Application Insights on the VM-Series Firewall
- Set up Active/Passive HA on Azure
- Use the ARM Template to Deploy the VM-Series Firewall
-
- About the VM-Series Firewall on Google Cloud Platform
- Supported Deployments on Google Cloud Platform
- Create a Custom VM-Series Firewall Image for Google Cloud Platform
- Prepare to Set Up VM-Series Firewalls on Google Public Cloud
-
- Deploy the VM-Series Firewall from Google Cloud Platform Marketplace
- Management Interface Swap for Google Cloud Platform Load Balancing
- Use the VM-Series Firewall CLI to Swap the Management Interface
- Enable Google Stackdriver Monitoring on the VM Series Firewall
- Enable VM Monitoring to Track VM Changes on GCP
- Use Dynamic Address Groups to Secure Instances Within the VPC
- Locate VM-Series Firewall Images in the GCP Marketplace
-
- Prepare Your ACI Environment for Integration
-
-
- Create a Virtual Router and Security Zone
- Configure the Network Interfaces
- Configure a Static Default Route
- Create Address Objects for the EPGs
- Create Security Policy Rules
- Create a VLAN Pool and Domain
- Configure an Interface Policy for LLDP and LACP for East-West Traffic
- Establish the Connection Between the Firewall and ACI Fabric
- Create a VRF and Bridge Domain
- Create an L4-L7 Device
- Create a Policy-Based Redirect
- Create and Apply a Service Graph Template
-
- Create a VLAN Pool and External Routed Domain
- Configure an Interface Policy for LLDP and LACP for North-South Traffic
- Create an External Routed Network
- Configure Subnets to Advertise to the External Firewall
- Create an Outbound Contract
- Create an Inbound Web Contract
- Apply Outbound and Inbound Contracts to the EPGs
- Create a Virtual Router and Security Zone for North-South Traffic
- Configure the Network Interfaces
- Configure Route Redistribution and OSPF
- Configure NAT for External Connections
-
-
- Choose a Bootstrap Method
- VM-Series Firewall Bootstrap Workflow
- Bootstrap Package
- Bootstrap Configuration Files
- Generate the VM Auth Key on Panorama
- Create the bootstrap.xml File
- Prepare the Licenses for Bootstrapping
- Prepare the Bootstrap Package
- Bootstrap the VM-Series Firewall on AWS
- Bootstrap the VM-Series Firewall on Azure
- Bootstrap the VM-Series Firewall on Google Cloud Platform
- Verify Bootstrap Completion
- Bootstrap Errors
End-of-Life (EoL)
How Does the Panorama Plugin for Azure Secure Kubernetes Services?
Learn how the Azure plugin for Panorama works to secure
Azure Kubernetes services.
You can use VM-Series firewalls to secure inbound traffic
for Azure Kubernetes Service (AKS) clusters. The VM-Series
firewall can only secure services exposed by a load balancer (such as
an Azure Load Balancer). Outbound traffic can only be monitored.
This chapter reviews different components that enable the Azure
Plugin for Panorama to connect to an AKS cluster.
Requirements
This solution requires the following components. See
the Panorama plugin information
in the Compatibility Matrix for the minimum version requirements.
- VM-Series firewalls.
- Panorama—Your Panorama version must be the same or higher than your VM-Series PAN-OS version.
- Panorama Plugin for Azure.
- Azure Auto Scaling template version 1.0—To support AKS, use this template to create an Auto Scale deployment in an Azure region that supports AKS.
- Azure AKS template version
1.0. This template creates an AKS cluster.You must enable AKS advanced networking (CNI) for the cluster.An AKS deployment requires advanced networking to configure VNet Peering for the hub and spoke VNets (see A Sample Hub-and-Spoke Topology to Secure AKS Clusters).
A Sample Hub-and-Spoke Topology to Secure AKS Clusters
The following diagram illustrates a sample
auto scale deployment that secures inbound traffic for Azure AKS
clusters. Let’s review some of the components.
- Auto Scaling Infrastructure—The Azure Auto Scaling templates create the messaging infrastructure and the basic hub and spoke architecture.
- AKS Clusters—The Palo Alto Networks AKS template creates an AKS cluster in a new VNet. Given the name of the Spoke resource group, the template tags the VNet and AKS cluster with the Spoke resource group name, so the resource group can be discovered by the Azure Auto Scaling plugin for Panorama. The Azure plugin for Panorama queries service IP addresses on the Staging ILB to learn about AKS cluster services.Only one Spoke firewall scale set can be associated with an AKS Cluster; if you expose multiple services in a single AKS cluster, they must be protected by the same Spoke.For each resource group, create a subnet-based address group. In the above diagram, for example, create an address group for 10.240.0.0/24 (AKS Cluster 1).
- VNet Peering—You must manually configure VNET peering to communicate with other VNets in the same region.Cross-region peering is not supported.You can use other automation tools to deploy AKS clusters. If you deploy in an existing VNet (the Hub Firewall VNet, for example) you must manually configure VNet peering to the inbound and outbound hub and spoke resource groups, and manually tag the VNet and AKS cluster with the resource group name.
- User Defined Routes and Rules—You must manually configure user-defined routes and rules (see User-Defined Routing). In the diagram above, incoming traffic can be redirected, according to UDR rules, to the Firewall ILB for inspection. Outbound traffic exiting an AKS Cluster is redirected to the Hub Firewall ILB with Azure user-defined routing (UDR) rules. The solution assumes Allow All as a default policy for Kubernetes orchestration to function as-is, but to apply policy you can use allow lists or deny lists to allow or deny outbound traffic.
User-Defined Routing
You must manually create user-defined routing and
routing rules to govern inbound or outbound traffic.
Inbound
In the above diagram, inbound traffic from the Application gateway
is driven to the backend pool, and based on UDR rules, redirected
to the Firewall ILB. For example, create a UDR pointing to the VNet
subnet so that the traffic for Kubernetes services is pointed to
the firewall ILB.
Outbound
On the Hub firewall set, for each AKS cluster being protected,
you must create static routes for the cluster subnet CIDR, with
the next hop being the gateway address of the Hub VNet trust subnet.
All outbound traffic for an AKS cluster is directed to the Hub
firewall set with a single UDR rule.
AKS Cluster Communication
The Panorama plugin for Azure can only communicate with
the AKS controller node for a given AKS cluster. For Outbound AKS
traffic, the next hop is the Hub Firewall ILB. Because Outbound
traffic is monitored, you must Allow All traffic. The following topics
emphasize common practices that help you establish connectivity.
Keep them in mind when you plan your networks and subnets.
- Add the Subnet Address Group to the Top-Level Policy
- Prevent Application Disruption when Workload and AKS Cluster VNets Are Peered
Create AKS Cluster Authentication
When you connect the AKS cluster
in Azure plugin for Panorama you must enter
a secret authorization token. Use Kubernetes commands to perform
the following steps.
- Create a ClusterRole.
- Create a ClusterRoleBinding.
- Create a .yaml file
for the ClusterRoleBinding. For example, create a text file named crb.yaml.
apiVersion: rbac.authorization.k8s.io kind: ClusterRoleBinding metadata: name: default-view roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: view subjects: - kind: ServiceAccount name: default namespace: default
- Use Azure Cloud Shell to apply
the crb.yaml role binding.kubectl apply -f crb.yaml
- View the service account you just created.kubectl get serviceaccounts
- Create a .yaml file
for the ClusterRoleBinding. For example, create a text file named crb.yaml.
- Save the service account credential to a .json file.
- On your local machine, change to the directory in which you want to save the credential.
- Use kubectl commands to create the token.MY_SA_TOKEN=‘kubectl get serviceaccounts default -o jsonpath=’{.secrets[0].name}’‘
- View the token name.$ echo $MY_SA_TOKEN
- Display the credential.kubectl get secret $MY_SA_TOKEN -o json
You need the token when you connect the AKS cluster in Azure plugin for Panorama, in Step 3.d.
Use An Address Group to Identify Traffic
To create some granularity for monitored Outbound traffic,
create an address group specifically for the AKS cluster VNet subnet
(for example, 10.240.0.97/32 in the above diagram). You can then
write rules that allow incoming or returning traffic rather than
using Allow All.
If you create an address group, be careful to maintain the communication
between the AKS controller and any worker nodes. See Add the Subnet Address Group to the Top-Level Policy.
If communication is interrupted, application traffic can
be lost or your application deployment might have problems.
Add the Subnet Address Group to the Top-Level Policy
To maintain connectivity, the address group must be
part of the top-level policy in Panorama. You can configure the
cluster address group, or bootstrap the cluster to configure the
cluster address group.
Add the address group to the top-level policy before you
configure VNet peering or User-Defined Routing.
Prevent Application Disruption when Workload and AKS Cluster VNets Are Peered
If an AKS cluster co-exists with VM workloads that run
in separate VNets, and the VNet is peered with both the workload
spoke (Inbound) and the Hub (Outbound), you must create address
groups to differentiate the workloads and the AKS traffic, and add
the address group to Top-Level Policy as described above.
Dynamic Address Groups with Kubernetes Labels
When monitoring an AKS cluster resource, the Azure plugin
automatically generates the following IP tags for AKS services.
aks.<aks cluster name>.<aks service name>
Tags are not generated for nodes, pods, or other resources.
If the AKS service has any labels, the tag is as follows (one
per label):
aks.<aks cluster name>.svc.<label>.<value>
If a labelSelector tag is defined for a cluster, the plugin generates
the following IP tag:
aks_<labelSelector>.<aks cluster name>.<aks service name>