
How Do I Apply NSGs to Protect Azure Kubernetes Service (AKS) Nodes?

Introduction

Network Security Groups (NSGs) are a vital component in managing and enforcing network traffic rules within Azure. By applying NSGs to Azure Kubernetes Service (AKS) nodes, you can ensure that only authorized traffic reaches your nodes, thereby enhancing the overall security of your Kubernetes clusters. This document provides a comprehensive guide on how to apply NSGs to AKS nodes using TypeScript.

Step-by-Step Explanation

To apply NSGs to AKS nodes, follow these steps:

  1. Create a Resource Group: This serves as a container for related resources in your Azure solution.
  2. Set Up a Virtual Network: This represents your network in the cloud, isolated from other networks.
  3. Define a Subnet: A specific range of IP addresses within your virtual network.
  4. Create a Network Security Group (NSG): Configure security rules to manage traffic to resources connected to your Azure Virtual Network.
  5. Deploy an AKS Cluster: Use Azure’s managed Kubernetes service to quickly deploy and manage a Kubernetes cluster.

Here is the complete code to create these resources and apply the NSG to the AKS nodes:

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const example = new azure.core.ResourceGroup("example", {
    name: "example-resources",
    location: "East US",
});
const exampleVirtualNetwork = new azure.network.VirtualNetwork("example", {
    name: "example-vnet",
    addressSpaces: ["10.0.0.0/16"],
    location: example.location,
    resourceGroupName: example.name,
});
const exampleSubnet = new azure.network.Subnet("example", {
    name: "example-subnet",
    resourceGroupName: example.name,
    virtualNetworkName: exampleVirtualNetwork.name,
    addressPrefixes: ["10.0.2.0/24"],
    delegations: [{
        name: "aks-delegation",
        serviceDelegation: {
            name: "Microsoft.ContainerService/managedClusters",
            actions: ["Microsoft.Network/virtualNetworks/subnets/join/action"],
        },
    }],
});
const exampleNetworkSecurityGroup = new azure.network.NetworkSecurityGroup("example", {
    name: "example-nsg",
    location: example.location,
    resourceGroupName: example.name,
    // Rules are evaluated in ascending priority order and the first match decides.
    // Azure's built-in defaults (allow VNet and load-balancer traffic, deny all other
    // inbound) sit at priorities 65000 and above, so every rule here overrides them.
    securityRules: [
        {
            // sourceAddressPrefix "*" admits SSH to the nodes from any address; scope it
            // to a management CIDR (or remove the rule) before using this outside a lab.
            name: "allow_ssh",
            priority: 1001,
            direction: "Inbound",
            access: "Allow",
            protocol: "Tcp",
            sourcePortRange: "*",
            destinationPortRange: "22",
            sourceAddressPrefix: "*",
            destinationAddressPrefix: "*",
        },
        {
            // HTTPS into the node subnet, e.g. for a load balancer fronting an ingress.
            name: "allow_https",
            priority: 1002,
            direction: "Inbound",
            access: "Allow",
            protocol: "Tcp",
            sourcePortRange: "*",
            destinationPortRange: "443",
            sourceAddressPrefix: "*",
            destinationAddressPrefix: "*",
        },
    ],
});
// Associating the NSG with the subnet applies it to every NIC in that subnet,
// including the AKS node VMs placed there through vnetSubnetId below.
const exampleSubnetNetworkSecurityGroupAssociation = new azure.network.SubnetNetworkSecurityGroupAssociation("example", {
    subnetId: exampleSubnet.id,
    networkSecurityGroupId: exampleNetworkSecurityGroup.id,
});
const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
    name: "example-aks",
    location: example.location,
    resourceGroupName: example.name,
    dnsPrefix: "exampleaks",
    defaultNodePool: {
        name: "default",
        nodeCount: 1,
        vmSize: "Standard_DS2_v2",
        vnetSubnetId: exampleSubnet.id,
    },
    identity: {
        type: "SystemAssigned",
    },
});
export const resourceGroupName = example.name;
export const aksClusterName = exampleKubernetesCluster.name;
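
The rules in securityRules are worth linting before running pulumi up. The following is an added example, not code from the original answer or from Pulumi, that audits rule objects shaped like that array for priorities outside Azure's 100-4096 range, duplicate priorities within a direction, and management ports opened to any source; the SecurityRule type, the MANAGEMENT_PORTS list and the finding text are this example's own assumptions.

```typescript
// Added example, not code from the original answer: a pre-deployment lint over NSG
// rule objects shaped like the securityRules array above. The SecurityRule type,
// MANAGEMENT_PORTS and the finding strings are this example's assumptions.
export interface SecurityRule {
  name: string; priority: number; direction: "Inbound" | "Outbound";
  access: "Allow" | "Deny"; protocol: string; sourcePortRange: string;
  destinationPortRange: string; sourceAddressPrefix: string; destinationAddressPrefix: string;
}

// Ports that should not be reachable from any source on a node subnet (assumed list).
const MANAGEMENT_PORTS = [22, 3389];
// Source prefixes Azure treats as "everything".
const ANY_SOURCE = ["*", "0.0.0.0/0", "Internet"];

// True when `range` ("*", "22" or "1000-2000") covers `port`.
function portInRange(range: string, port: number): boolean {
  if (range === "*") return true;
  const [lo, hi] = range.split("-").map(Number);
  return hi === undefined ? lo === port : port >= lo && port <= hi;
}

export function auditNsgRules(rules: SecurityRule[]): string[] {
  const findings: string[] = [];
  const seen = new Map<string, string>(); // "direction/priority" -> rule name
  for (const r of rules) {
    // Azure accepts priorities 100-4096, unique per direction; violations fail at deploy time.
    if (r.priority < 100 || r.priority > 4096) {
      findings.push(`${r.name}: priority ${r.priority} outside 100-4096`);
    }
    const key = `${r.direction}/${r.priority}`;
    if (seen.has(key)) findings.push(`${r.name}: priority ${r.priority} duplicates ${seen.get(key)}`);
    seen.set(key, r.name);
    // An inbound Allow from any source to a management port exposes the nodes' admin surface.
    if (r.direction !== "Inbound" || r.access !== "Allow" || !ANY_SOURCE.includes(r.sourceAddressPrefix)) continue;
    for (const port of MANAGEMENT_PORTS) {
      if (!portInRange(r.destinationPortRange, port)) continue;
      findings.push(`${r.name}: allows port ${port} from any source; restrict sourceAddressPrefix to a management CIDR`);
    }
  }
  return findings;
}

// Constructed input: the two rules from the program above, typed for the audit.
export const pageRules: SecurityRule[] = [
  { name: "allow_ssh", priority: 1001, direction: "Inbound", access: "Allow", protocol: "Tcp",
    sourcePortRange: "*", destinationPortRange: "22", sourceAddressPrefix: "*", destinationAddressPrefix: "*" },
  { name: "allow_https", priority: 1002, direction: "Inbound", access: "Allow", protocol: "Tcp",
    sourcePortRange: "*", destinationPortRange: "443", sourceAddressPrefix: "*", destinationAddressPrefix: "*" },
];
```

Against the two rules from the program above, auditNsgRules reports only the SSH rule.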

Key Points

  • Resource Group: Essential for organizing related Azure resources.
  • Virtual Network and Subnet: Provide the necessary network infrastructure.
  • Network Security Group: Controls traffic with specified rules.
  • AKS Cluster: Enables easy deployment and management of Kubernetes clusters.

Conclusion

By following these steps, you can effectively apply Network Security Groups to your Azure Kubernetes Service nodes, ensuring that your cluster is protected from unauthorized access. This setup not only enhances security but also provides a structured approach to managing network traffic within your Azure environment.
