How Does the Panorama Plugin for Amazon Secure Elastic Kubernetes Services?

Learn how the Elastic Kubernetes Service (EKS) plugin for Panorama works to secure Amazon EKS services.
You can use VM-Series firewalls to secure inbound traffic for Amazon Elastic Kubernetes Service (EKS) clusters. The Panorama plugin for Amazon EKS secures inbound traffic to Kubernetes clusters, and provides outbound monitoring for traffic exiting the cluster. Outbound traffic can return through the VM-Series firewall, provided firewall rules applied to outbound traffic permit Kubernetes control plane traffic to function.
You can use Palo Alto Networks templates to deploy your VM-Series firewall (or firewall set) in the same VPC as your EKS cluster. You can create up to 16 clusters in the same VPC and secure them with the same firewall or firewall set.
This chapter reviews different components that enable the AWS Plugin for Panorama to secure an EKS cluster.

System Architecture

The following diagram illustrates a sample deployment that secures inbound traffic for Amazon EKS clusters—a load balancer sandwich.
You can use one of the Palo Alto networks firewall templates to deploy the firewalls and the external load balancer (ELB). In the template you can set the
ELBType
variable to specify an application load balancer (ALB) or a network load balancer (NLB). The internal load balancer (ILB) for each service must be an NLB.
inbound.png
In the above diagram, the ELBs that face the internet are ALBs. The VM-Series firewall set is sandwiched between the ALBs and the internal NLBs to provide inbound security to the cluster.
Because this diagram uses ALBs, the inputs are a path—for example,
fqdn1/path1
. When the ELB is an NLB, the path must include the port. For example, if the default NLB path is
fqdn1:80
, an additional port is expressed as
fqdn1:81/path1
.

Inbound Security

To secure traffic without interrupting communication flows, the VM-Series firewall set is programmed with static routes that properly route traffic to the desired destination, and NAT rules to perform source and destination NATs on the inbound packets, ensuring that traffic to the application and return traffic from the application pass through the firewall set.
To register a service with the firewall, you must label each service with
panw-tg-port-<portname>
and a port value. This label is applied when the service launches. You must also configure a target group for the ALB with the destination of the firewall set and a destination port matching the service label. When the traffic hits the firewall, the port that receives it tells the firewall which NAT rule to apply.
Source and Destination NAT rules are programmed on the firewall to ensure the inbound traffic for the service goes through the firewall. The source changes from the ALB to the firewall trust interface, ensuring that return traffic hits the firewall for inspection. The destination then changes from the firewall untrust interface to the ILB.

Outbound Traffic

To route the traffic from the trust to untrust interface, The template ensures the virtual router on the VM-Series firewall has a default route pointed to untrust. Static routes are programmed for each cluster subnet so that traffic returning to the firewall is routed properly to its destination. To ensure return traffic passes through a single firewall, the outbound NAT rule does a source translation, redirecting the source from the Node IP address to the managed firewall’s untrust interface. If you have a firewall set, the return traffic must go through only one of the firewalls in the set.

AWS Plugin on Panorama

The AWS Plugin on Panorama manages the VM-Series firewall set for the services deployed in a cluster. It creates inbound NAT rules for services, outbound NAT rules (one for each cluster subnet), and static routes for each cluster subnet.
The plugin uses the Kubernetes Python SDK to retrieve information related to services deployed in your cluster. The plugin queries for services that are labeled
panw-tg-port-<portname>
and have been assigned a valid port value. The plugin uses the port to create an inbound NAT rule that is programmed on the VM-Series firewall. When traffic hits the firewall on that specified port, the firewall applies the inbound NAT rule for that port and routes the packet to its destination. For each service port the plugin creates:
  • An address object created with the FQDN of the service ILB.
  • A service object created for each port specified in the label.
  • An inbound NAT rule which creates source and destination NAT using the address object and service object just created.
The plugin is also responsible for adding configuration when a new cluster is added. The plugin uses the AWS API to retrieve cluster information, such as subnets, and VM-Series firewall information, such as the instance ID. The plugin uses the information to create one route per firewall, per cluster subnet. For example, if there are two Availability Zones (AZs), each containing firewalls, and three cluster subnets, the plugin creates six static routes.
Additionally, for every cluster subnet, the plugin creates an outbound NAT rule. The NAT rule is applied to any traffic originating from these subnets and it does a source NAT to change the source from the Node IP address to the firewall untrust interface.
In Panorama, the plugin provides visibility into discovered services and service ports that are currently protected.

EKS Components and Planning Checklist

Securing EKS requires the following components. Review these components before you plan your EKS deployment.
  • Consult the Compatibility Matrix for Panorama Plugins for Public Clouds.
    Panorama plugin for AWS from version 1.0.0 users must
    upgrade
    Panorama to the PAN-OS version in the Compatibility Matrix
    before
    upgrading the plugin from version 1.0.0 to version 2.0.0. If you do not, the upgrade occurs but the 1.0.0 configuration fails to migrate to 2.0.0 and it cannot be recovered.
  • Panorama
    —A Panorama virtual appliance or hardware-based appliance running the PAN-OS minimum version or later.
    Your Panorama PAN-OS version must be the same version or a later version than the VM-Series firewalls you want to manage. Panorama cannot manage firewalls that run a later PAN-OS version than the Panorama version.
    • Panorama Licenses
      —You need an active support license and a device management license for managing VM-Series firewalls.
    • AWS Plugin on Panorama v2.0.0
      —For an explanation of how the plugin secures EKS services, see AWS Plugin on Panorama.
    • Panorama HA
      —If you plan to configure Active/Passive HA or Active/Active HA for Panorama, make sure to install the plugin on
      BOTH
      Panorama appliances and do a commit
      immediately
      after each plugin installation.
    • VM-Series Plugin
      —Manually install the plugin version recommended in the Compatibility Matrix for Panorama Plugins for Public Clouds.
  • VM-Series firewalls
    —Managed VM-Series firewalls require a PAN-OS version that is the same or earlier than the Panorama version.
  • AWS components
    —You need an AWS account with sufficient permissions to deploy the firewalls, run the templates to create EKS clusters, and create policies and roles that permit Panorama to view EKS metadata. Depending on the security policies in your organization, you might have to work with other administrators to be granted the permissions you need.
    • AWS account
      —You must know your user name and password.
      You must also know your AWS Access Key, which is comprised of the access key ID and the secret access key.
      If you have an account but do not know your secret access key, you can create an access key and save the .csv file in a secure place.
    • Amazon EC2 Key Pair
      —A public-key cryptography pair allows you to encrypt and decrypt login information for an EC2 instance. If you do not have a key pair, create one using Amazon EC2.
    • AWS policies and roles
      —Your AWS account must be able to access the service policies for the EKS cluster creator and the Panorama administrator managing the firewall deployment.
      EKS cluster role
      —To deploy and manage an EKS cluster, create an IAM role and bind it to a cluster. This procedure, detailed in Set Up Kubectl and Configure Your Cluster, grants access to the Kubernetes APIs.
      Panorama administrator
      —To view and obtain EKS metadata, create an IAM role as described inIAM Roles and Permissions for Panorama.
    • AWS CLI
      —Most actions can be performed in the AWS console or the AWS CLI. If you prefer the CLI, install or update the AWS CLI, ensuring that you have a supported version of Python.
    • AWS Kubernetes and kubectl
      —View the available Amazon EKS versions and install kubectl for your local OS. The version you install must be within one minor version of the EKS version (you choose the Kubernetes version when you create the cluster).
  • Templates
    —Palo Alto networks supports the VM-Series firewall templates, while the EKS templates are community supported. See Templates for a description of each template from github.com/PaloAltoNetworks/aws-eks.

Templates

To simplify securing an EKS deployment, you can use templates to deploy the VM Series firewalls in a new VPC or existing VPC, create an EKS cluster, and configure an EKS node. You can download the templates from github.com/PaloAltoNetworks/aws-eks.
Palo Alto Networks supports the VM-Series firewall templates, while the EKS cluster and node templates are community supported.
The template files are as follows:
  • firewall-new-vpc-v1.0.template
    (greenfield deployment)
    Creates a new VPC and deploys a VM-Series firewall set that can be managed from Panorama.
  • firewall-existing-vpc-v1.0.template
    (brownfield deployment)
    Deploys a VM-Series firewall set in an existing VPC. To use this template you supply a VPC ID and an internet gateway ID (IGW ID).
    A brownfield deployment works with an existing VPC and related resources such as the IGW. It does not work with existing EKS clusters or nodes created before the VM-Series firewalls are deployed in the VPC.
  • eks-cluster-v1.0.template
    • Creates an EKS cluster.
    • Creates control plane security group.
    • Creates private cluster subnets.
    • Creates a route table associated with cluster subnets. The default route points to the IGW.
  • eks-node-v1.0.template
    • Creates nodes.
    • Adds node auto scaling group.
    • Adds node security group.
    • Configures access between the control plane security group and Kubernetes resources.

Recommended For You