Secure an AKS Cluster
Learn how Panorama can secure inbound traffic to an AKS cluster.
To enable Panorama to connect to the load balancers in an Azure Kubernetes Services (AKS) cluster, you must configure the Azure plugin on Panorama to establish a connection with your AKS cluster. You must also configure the device groups and templates to which the firewalls belong so that Panorama can push configuration objects and policy rules to your managed firewalls.
Plan Your AKS Deployment
To secure a web application running as a service within a Kubernetes cluster you must first plan connectivity for your VNets, subnets, and UDRs. VM-Series firewalls and Panorama provide security for and visibility into your Kubernetes services.
- You must have AKS advanced networking to use the Palo Alto Networks AKS template. Review “How Does the Panorama Plugin for Azure Secure Kubernetes Services?”
- Design your AKS subnetsbeforeyou deploy AKS clusters. Plan your virtual networks and review “A Sample Hub-and-Spoke Topology to Secure AKS Clusters, and AKS Cluster Communication”.
- The template creates a single AKS cluster (a service) as a sample. You must specify CIDR ranges for the VNet, VNet subnet, and the service.The CIDR ranges must not overlap.
- Size your subnets to your requirements. Avoid unnecessarily large ranges, as they can affect performance.
- Plan how you want to peer your VNets. If you are peering AKS clusters, see AKS Cluster Communication.
- Think about the ways in which you want to identify traffic (and write rules).
- Address Groups—If you plan to use an address group on Outbound AKS traffic, see Add the Subnet Address Group to the Top-Level Policy and Create Separate Address Groups for Traffic from Workloads and AKS.
- Namespaces and Tags—If you have service names or tags that are not unique across namespaces, you can use the label selector to filter both a tag and a namespace so that you get a unique result.
Use the Template to Deploy an AKS Cluster
The Azure AKS template is a sample that provisions a cluster in a new VNet.
You must specify CIDR ranges for the VNet, VNet subnet, and the service. The CIDR ranges must not overlap.
- On GitHub, go to PaloAltoNetworks/azure-aks and locate the build package in the repository.
- Unzip the build package. Edit the filesazuredeploy.jsonandparameters.jsonfor your own deployment, and save.
- Issue the following Azure CLI commands to deploy the template.az group deployment validate --resource-group RG_NAME --template-file azuredeploy.json --parameters @parameters.jsonaz group deployment create --name DEPLOYMENT_NAME --resource-group RG_NAME --template-file azuredeploy.json --parameters @parameters.json
- Deploy your applications or services on the AKS cluster.
- Annotate your service YAML file so that the type is load balancer, and annotate it asservice.beta.kubernetes.io/azure-load-balancer-internal: "true". For example:apiVersion: v1kind: Servicemetadata: name: azure-vote-front labels: service: "azure-vote-front" tier: "stagingapp"annotations: service.beta.kubernetes.io/azure-load-balancer-internal: "true"spec:type: LoadBalancerports: - port: 80 selector: app: azure-vote-front
- If you have not done so, create AKS cluster authentication before continuing.
- Deploy your service on your AKS cluster.For example, you can deploy your application throughkubectl:kubectl apply -f myapplication.yaml
- Usekubectlto get the IP address for the deployed service.kubectl get services -o wideIn the EXTERNAL-IP column 10.240.0.97 is for the ILB, according to your annotation in Step a. Use the service IP address to create a user-defined route on Azure.
- Create a UDR rule to point your service to the Firewall ILB behind the Application Gateway.In Azure, go to your inbound spoke resource group, view the route table and add a new route based on the destination service IP address. In the following screen, the value in the tov1serviceADDRESS PREFIXcolumn is the service IP address.
Connect the AKS Cluster in Azure Plugin on Panorama
- Selectto view the auto scaling definition you created when you configured Auto Scaling. As shown below, ifPanoramaAzureAutoScalingAuto Program Routesis enabled, the firewall routes are programmed for you.
- In AKS, tag your Resource Groups. The tags are name/value pairs.
The templates deploy resources in separate VNets. If you manually deploy the AKS cluster and service in the same VNet as the spoke firewall set, you must manually create tags for the spoke resource group name.
- Selectand choose a resource group.HomeResource groups
- SelectTagsand define name/value pairs. As shown in the following figure, the tag names must beinboundgrouprgandHubRG:
The template takes the spoke resource group name as a parameter and uses it to tag the VNet and the AKS cluster so the Azure auto scaling plugin for Panorama can discover them.
- inboundgrouprg—Your spoke resource group name.
- HubRG—Your hub resource group name.
- In Panorama, selectPanoramaAzureSetup.
- On theGeneraltab, enable monitoring.
- On theNotify Groupstab,Adda notification group and select the device groups to be notified.
- On theService Principaltab,AddandValidatea service principal.Use the service principal you created when you configured auto scaling.
- On theAKS Clustertab,Addan AKS cluster.
- Enter the exact name of the AKS cluster.
- Enter the API server address. To find the address in Azure, view your AKS service and select Overview.
- Fill in the remaining fields andAddone or more tags.If you have service names or tags that are not unique across namespaces, use the label selector to filter both a tag and a namespace so that you get a unique result.
- SelectPanoramaAzureMonitoring Definition
- Add a Monitoring definition.
- Enter a name and description, and selectAKS Cluster Monitoring.
- Select anAKS Clusterand aNotify Group, checkEnable, and clickOK.
Set Up VNet Peering
Redirect Traffic to a Firewall ILB
You must manually create user defined routes (UDRs) and routing rules to redirect traffic to a particular ILB. For an example, see how the diagram in “How Does the Panorama Plugin for Azure Secure Kubernetes Services?” depicts an inbound UDR.
- Create URL routing rules that redirect web traffic to the appropriate backend pool.
- Update the UDR rules for the Application Gateway subnet to add a route for the service CIDR, with the next hop being the inbound firewall load balancer from the spoke firewall resource group.
Apply Policy to Your AKS Service
- In Panorama, selectPolicies.
- In theDevice Grouplist, choose the device group for your AKS service.
- Adda Security policy rule. Fill out the form, and on theDestinationtabAddthe destination address or address group.
Deploy and Secure AKS Services
These steps outline how you can secure inbound and outbound traffic traversing to Kubernetes services using VM-Series firewall and the Azure plugin for Panorama.
- In the application deployment environment, create a YAML file for the application or use a file that already exists.The following is a sample application YAML file:apiVersion: apps/v1 kind: Deployment metadata: name: azure-vote-back spec: replicas: 1 selector: matchLabels: app: azure-vote-back template: metadata: labels: app: azure-vote-back spec: containers: - name: azure-vote-back image: redis resources: requests: cpu: 100m memory: 128Mi limits: cpu: 250m memory: 256Mi ports: - containerPort: 6379 name: redis --- apiVersion: v1 kind: Service metadata: name: azure-vote-back labels: service: backend spec: ports: - port: 6379 selector: app: azure-vote-back --- apiVersion: apps/v1 kind: Deployment metadata: name: azure-vote-front spec: replicas: 5 selector: matchLabels: app: azure-vote-front template: metadata: labels: app: azure-vote-front spec: containers: - name: azure-vote-front image: microsoft/azure-vote-front:v1 resources: requests: cpu: 100m memory: 128Mi limits: cpu: 250m memory: 256Mi ports: - containerPort: 80 env: - name: REDIS value: "azure-vote-back" ---apiVersion: v1 kind: Service metadata: name: azure-vote-front labels: service: "azure-vote-front" type: "production" providesecurity: "yes" a: "value" b: "value" c: "value" tier: "stagingapp" annotations: service.beta.kubernetes.io/azure-load-balancer-internal: "true" spec: type: LoadBalancer ports: - port: 80 selector: app: azure-vote-front
- Edit your YAML file to label Kubernetes services.Labels enable the corresponding tag-to-IP mapping to be created when you use the Panorama plugin for AKS to connect to the cluster. For example, in the above sample file look for the application labels in the service metadata. They are:azure-vote-backandazure-vote-front.
- In your AKS cluster, apply the YAML file.
- In Panorama, create an address group using a resource group tag.
- On theObjectstab, select a device group from theDevice Grouplist.
- SelectAddress GroupsandAddan address group.
- Specify a name, and select theDynamictype.
- Addaddresses. Opens a window that lists detected addresses. Populating the list can take several minutes.
- You can choose one or more addresses for theMatchcriteria. SelectANDorORfor the criteria relationship.
- If you have many addresses, enter a string in the search box to filter the output, as shown in the following figure.
- In the address list, click the+to include the address in the address group match criteria.
- When theMatchcriteria is complete, clickOK.
- Show Policy using the address group.
- View secured AKS services.In, view your monitoring definition, and in thePanoramaAzureAutoScalingActioncolumn select theProtected Applications and Serviceslink.TheProtected?column summarizes the security status of your resource groups. It might take several minutes for the window to populate. If you have many resource groups, enter a string in the search box to filter the output.This output is based on the Azure resource group configuration; it does not query the device group or template stack membership.
Recommended For You
Recommended videos not found.