1. Home
    2. VM-Series
    3. VM-Series Deployment Guide
    4. Set up the VM-Series Firewall on Azure
    5. Secure Kubernetes Services on Azure
    6. Secure an AKS Cluster

    Secure an AKS Cluster

    Learn how Panorama can secure inbound traffic to an AKS cluster.
    To enable Panorama to connect to the load balancers in an Azure Kubernetes Services (AKS) cluster, you must enable the Azure plugin on Panorama to establish a connection with your AKS cluster. Then, you must configure the device groups and templates to which the firewalls belong so that Panorama can push configuration objects and policy rules to your managed firewalls.

    Before You Begin

    To secure AKS you must first deploy the Azure Auto Scaling solution available on GitHub.
    To secure a web application running as a service within a Kubernetes cluster you must plan the VNets, subnets, and UDRs. VM-Series firewalls and Panorama provide you security and visibility of your Kubernetes services.

    Use the Template to Deploy an AKS Cluster

    The Azure AKS template is a sample that provisions a cluster in a new VNet.
    1. On GitHub, go to PaloAltoNetworks/azure-aks and locate the build package in the repository.
    2. Unzip the build package. Edit the files
      azuredeploy.json
       and
      parameters.json
       for your own deployment, and save.
    3. Issue the following Azure CLI commands to deploy the template.
      az group deployment validate --resource-group RG_NAME 
--template-file azuredeploy.json 
--parameters @parameters.json
      az group deployment create --name DEPLOYMENT_NAME 
--resource-group RG_NAME
--template-file azuredeploy.json 
--parameters @parameters.json
    4. Deploy your applications or services on the AKS Cluster.
      1. Annotate your service YAML file so that the type is load balancer, and annotate it as service.beta.kubernetes.io/azure-load-balancer-internal: "true". For example:
        
  apiVersion: v1

            kind: Service
        
  metadata:
   name: azure-vote-front
   labels:
     service: "azure-vote-front"
     tier: "stagingapp"
   
        annotations:
     service.beta.kubernetes.io/azure-load-balancer-internal: "true"
        
  spec:
   
        type: LoadBalancer
        
 ports:
 - port: 80
 selector:
  app: azure-vote-front
      2. If you have not done so, create AKS cluster authentication before continuing.
      3. Deploy your service on your AKS cluster.
        For example, you can deploy your application through kubectl:
        kubectl apply -f myapplication.yaml
      4. Use kubectl to get the service IP for the deployed service.
        kubectl get services -o wide
        In the EXTERNAL-IP column 10.240.0.97 is for the ILB, according to your annotation in Step a. Use the service IP to create a user defined route on Azure.
    5. Create a UDR rule to point your service to the Firewall ILB behind the Application Gateway.
      In Azure, go to your inbound spoke resource group, view the route table and add a new route based on the destination service IP. In the following screen, the value in the tov1service
      ADDRESS PREFIX
       column is the service IP.

    Connect the AKS Cluster in Azure Plugin for Panorama

    This task assumes you have deployed a Panorama orchestrated deployment, and that you have created templates, template stacks and device groups.
    See the Panorama online help for more on filling out each form.
    1. Select
      Panorama
      Azure
      Deployments
       to view the monitoring definition you created when you configured the deployment. As shown below, if
      Auto Program Routes
       is enabled, the firewall routes are programmed for you.
    2. In AKS, tag your Resource Groups. The tags are name/value pairs.
      1. Select
        Home
        Resource groups
         and choose a resource group.
      2. Select
        Tags
         and define name/value pairs. As shown in the following figure, the tag names must be inboundgrouprg and HubRG:
        • inboundgrouprg—your spoke resource group name
        • HubRG—your hub resource group name
        The template takes the name of the Spoke resource group as a parameter, and tags the VNet and AKS cluster with the Spoke resource group name so that it can be discovered by the Panorama plugin for Azure.
      The templates deploy resources in separate VNets. If you manually deploy the AKS cluster and service in the same VNet as the Spoke firewall set, you must manually create tags for the spoke resource group name.
    3. In Panorama, select
      Panorama
      Azure
      Setup.
      1. On the
        General
         tab, enable monitoring.
      2. On the
        Notify Groups
         tab,
        Add
         a notification group and select the device groups to be notified.
      3. On the
        Service Principal
         tab,
        Add
         and
        Validate
         a service principal.
        Use the Service Principal you created for the orchestrated deployment.
      4. On the
        AKS Cluster
         tab,
        Add
         an AKS cluster.
        • Enter the exact name of the AKS cluster.
        • Enter the API server address. To find the address in Azure, view your AKS service and select Overview.
        • Upload the AKS credential JSON file (see Create AKS Cluster Authentication).
      5. Fill in the remaining fields and
        Add
         one or more tags.
        If you have service names or tags that are not unique across namespaces, use the label selector to filter both a tag and a namespace so that you get a unique result.
    4. Select
      Panorama
      Azure
      Monitoring Definition
      1. Add a Monitoring definition.
      2. Enter a name and description, and select
        AKS Cluster Monitoring
        .
      3. Select an
        AKS Cluster
         and a
        Notify Group
        , check
        Enable
        , and click
        OK
        .

    Set Up VNet Peering

    If you plan to use an address group to identify traffic, be sure to add the subnet address group to your top-level Panorama plicy before you configure peering.
    After deploying an AKS cluster, set up VNet Peering from the Inbound VNet to your cluster, and from your cluster to the Firewall VNet.

    Redirect Traffic to a Firewall ILB

    You must manually create user defined routes (UDRs) and routing rules to redirect traffic to a particular ILB. For an example, see how the diagram in “How Does the Panorama Plugin for Azure Secure Kubernetes Services?” depicts an inbound UDR.
    1. Create URL routing rules that redirect web traffic to the appropriate backend pool.
    2. Update the UDR rules for the application gateway subnet to add a route for the service CIDR, with the next hop being the Inbound Firewall Load Balancer from the Spoke firewall resource group.