Securing Azure Kubernetes Service (AKS) Ingress with NSGs

Question

Pulumi · Accepted Answer

To secure an Azure Kubernetes Service (AKS) Ingress with Network Security Groups (NSGs), we will create a Kubernetes cluster using AKS and then set up a Network Security Group to control inbound and outbound network traffic to the Kubernetes nodes and the Ingress controller.

Here's how we'll achieve it:

1. **Create an AKS cluster**: We'll use the `ManagedCluster` class from the `azure-native.containerservice` module to create an AKS cluster.

2. **Set up a NSG**: Using the `NetworkSecurityGroup` class of the `azure-native.network` module, we'll define rules that allow or deny traffic to the AKS cluster.

3. **Associate NSG with AKS Node Subnet**: After creating the NSG, we'll associate it with the subnet of the AKS cluster's nodes using the `Subnet` class from the `azure-native.network` module.

This way, we can ensure proper network isolation and security. Here is the Pulumi program that accomplishes this:

```python
import pulumi
import pulumi_azure_native.network as network
import pulumi_azure_native.containerservice as containerservice
from pulumi_azure_native.network import NetworkSecurityGroupSecurityRuleArgs

# Create an AKS cluster
aks_cluster = containerservice.ManagedCluster(
    resource_name="myAksCluster",
    resource_group_name="myResourceGroup",
    location="eastus",
    identity=containerservice.ManagedClusterIdentityArgs(
        type="SystemAssigned",
    ),
    agent_pool_profiles=[containerservice.ManagedClusterAgentPoolProfileArgs(
        count=3,
        max_pods=110,
        mode="System",
        name="agentpool",
        os_type="Linux",
        vm_size="Standard_DS2_v2",
    )],
    dns_prefix="myAksDnsPrefix",
    kubernetes_version="1.18.14",
)

# Create a network security group for the AKS cluster
nsg = network.NetworkSecurityGroup(
    resource_name="myAksNsg",
    resource_group_name="myResourceGroup",
    location="eastus",
)

# Define a security rule to allow traffic to the Ingress controller
ingress_rule = network.SecurityRule(
    resource_name="IngressAllowRule",
    network_security_group_name=nsg.name,
    resource_group_name="myResourceGroup",
    properties=NetworkSecurityGroupSecurityRuleArgs(
        priority=100,
        protocol="Tcp",
        access="Allow",
        direction="Inbound",
        source_port_range="*",
        destination_port_range="80",
        source_address_prefix="*",
        destination_address_prefix="*",
    ),
)

# Get the default AKS node subnet
default_subnet = network.Subnet.get(
    resource_name="default",
    virtual_network_name="aksVnet",
    resource_group_name="myResourceGroup",
)

# Associate the NSG with the AKS node subnet
subnet_update = network.Subnet(
    resource_name=default_subnet.id,
    network_security_group=nsg.id
)

# Export the AKS cluster name and NSG id
pulumi.export("aks_cluster_name", aks_cluster.name)
pulumi.export("nsg_id", nsg.id)
```

Let's break down what the above code is doing:

- We begin by creating an AKS cluster using `containerservice.ManagedCluster`. *This is where your Kubernetes applications will be deployed.* Note that the `resource_group_name`, `location`, and `kubernetes_version` should be according to your requirements.

- To add a layer of security, we instantiate a `NetworkSecurityGroup` (NSG). *This NSG will contain the rules defining what traffic is allowed to and from the AKS cluster.*

- `SecurityRule` sets up a rule in your NSG to allow inbound traffic on port 80, which is the standard port for HTTP traffic. *This is essential for allowing access to web applications running in your AKS cluster.*

- We retrieve the default AKS node subnet using `Subnet.get`. *This subnet is automatically created when you provision an AKS cluster.*

- The AKS cluster's node subnet is then associated with the NSG, ensuring that all traffic to/from the nodes passes through the NSG.

- Finally, we export the AKS cluster name and the NSG id, which can be useful for other automated tasks or reference.

Make sure to replace `myResourceGroup`, `eastus`, and `aksVnet` with your actual resource group name, location, and virtual network name respectively.

Place this code in a Python file, and you can deploy it with Pulumi CLI. The NSG rules can be adjusted based on the ports and protocols your applications will use.