1. Securing Azure Kubernetes Service (AKS) Ingress with NSGs


    To secure an Azure Kubernetes Service (AKS) Ingress with Network Security Groups (NSGs), we will create a Kubernetes cluster using AKS and then set up a Network Security Group to control inbound and outbound network traffic to the Kubernetes nodes and the Ingress controller.

    Here's how we'll achieve it:

    1. Create an AKS cluster: We'll use the ManagedCluster class from the azure-native.containerservice module to create an AKS cluster.

    2. Set up a NSG: Using the NetworkSecurityGroup class of the azure-native.network module, we'll define rules that allow or deny traffic to the AKS cluster.

    3. Associate NSG with AKS Node Subnet: After creating the NSG, we'll associate it with the subnet of the AKS cluster's nodes using the Subnet class from the azure-native.network module.

    This way, we can ensure proper network isolation and security. Here is the Pulumi program that accomplishes this:

    import pulumi import pulumi_azure_native.network as network import pulumi_azure_native.containerservice as containerservice from pulumi_azure_native.network import NetworkSecurityGroupSecurityRuleArgs # Create an AKS cluster aks_cluster = containerservice.ManagedCluster( resource_name="myAksCluster", resource_group_name="myResourceGroup", location="eastus", identity=containerservice.ManagedClusterIdentityArgs( type="SystemAssigned", ), agent_pool_profiles=[containerservice.ManagedClusterAgentPoolProfileArgs( count=3, max_pods=110, mode="System", name="agentpool", os_type="Linux", vm_size="Standard_DS2_v2", )], dns_prefix="myAksDnsPrefix", kubernetes_version="1.18.14", ) # Create a network security group for the AKS cluster nsg = network.NetworkSecurityGroup( resource_name="myAksNsg", resource_group_name="myResourceGroup", location="eastus", ) # Define a security rule to allow traffic to the Ingress controller ingress_rule = network.SecurityRule( resource_name="IngressAllowRule", network_security_group_name=nsg.name, resource_group_name="myResourceGroup", properties=NetworkSecurityGroupSecurityRuleArgs( priority=100, protocol="Tcp", access="Allow", direction="Inbound", source_port_range="*", destination_port_range="80", source_address_prefix="*", destination_address_prefix="*", ), ) # Get the default AKS node subnet default_subnet = network.Subnet.get( resource_name="default", virtual_network_name="aksVnet", resource_group_name="myResourceGroup", ) # Associate the NSG with the AKS node subnet subnet_update = network.Subnet( resource_name=default_subnet.id, network_security_group=nsg.id ) # Export the AKS cluster name and NSG id pulumi.export("aks_cluster_name", aks_cluster.name) pulumi.export("nsg_id", nsg.id)

    Let's break down what the above code is doing:

    • We begin by creating an AKS cluster using containerservice.ManagedCluster. This is where your Kubernetes applications will be deployed. Note that the resource_group_name, location, and kubernetes_version should be according to your requirements.

    • To add a layer of security, we instantiate a NetworkSecurityGroup (NSG). This NSG will contain the rules defining what traffic is allowed to and from the AKS cluster.

    • SecurityRule sets up a rule in your NSG to allow inbound traffic on port 80, which is the standard port for HTTP traffic. This is essential for allowing access to web applications running in your AKS cluster.

    • We retrieve the default AKS node subnet using Subnet.get. This subnet is automatically created when you provision an AKS cluster.

    • The AKS cluster's node subnet is then associated with the NSG, ensuring that all traffic to/from the nodes passes through the NSG.

    • Finally, we export the AKS cluster name and the NSG id, which can be useful for other automated tasks or reference.

    Make sure to replace myResourceGroup, eastus, and aksVnet with your actual resource group name, location, and virtual network name respectively.

    Place this code in a Python file, and you can deploy it with Pulumi CLI. The NSG rules can be adjusted based on the ports and protocols your applications will use.