Applying NSGs to Protect Azure Kubernetes Service (AKS) Nodes

How do I apply NSGs to protect Azure Kubernetes Service (AKS) nodes?

Network Security Groups (NSGs) filter network traffic to and from Azure resources in a virtual network using prioritized allow and deny rules. Associating an NSG with the subnet that hosts your AKS node pool ensures that only the traffic you explicitly permit can reach the AKS nodes.

Below is a detailed example showing how to apply NSGs to AKS nodes.

Explanation

  1. Resource Group: A container that holds related resources for an Azure solution.
  2. Virtual Network: A representation of your network in the cloud. It is logically isolated from other virtual networks in Azure.
  3. Subnet: A range of IP addresses in your virtual network.
  4. Network Security Group (NSG): Contains a list of security rules that allow or deny network traffic to resources connected to an Azure VNet.
  5. AKS Cluster: Managed Kubernetes service that lets you quickly deploy and manage a Kubernetes cluster in Azure.

Here’s the complete code to create these resources and apply the NSG to the AKS nodes:

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

// Resource group that holds every resource below.
const example = new azure.core.ResourceGroup("example", {
    name: "example-resources",
    location: "East US",
});
// Virtual network with a single /16 address space.
const exampleVirtualNetwork = new azure.network.VirtualNetwork("example", {
    name: "example-vnet",
    addressSpaces: ["10.0.0.0/16"],
    location: example.location,
    resourceGroupName: example.name,
});
// Subnet that will host the AKS node pool.
const exampleSubnet = new azure.network.Subnet("example", {
    name: "example-subnet",
    resourceGroupName: example.name,
    virtualNetworkName: exampleVirtualNetwork.name,
    addressPrefixes: ["10.0.2.0/24"],
    delegations: [{
        name: "aks-delegation",
        serviceDelegation: {
            name: "Microsoft.ContainerService/managedClusters",
            actions: ["Microsoft.Network/virtualNetworks/subnets/join/action"],
        },
    }],
});
// NSG with two inbound allow rules. Lower priority numbers are evaluated first;
// a sourceAddressPrefix of "*" matches any source, including the Internet.
const exampleNetworkSecurityGroup = new azure.network.NetworkSecurityGroup("example", {
    name: "example-nsg",
    location: example.location,
    resourceGroupName: example.name,
    securityRules: [
        {
            name: "allow_ssh",
            priority: 1001,
            direction: "Inbound",
            access: "Allow",
            protocol: "Tcp",
            sourcePortRange: "*",
            destinationPortRange: "22",
            sourceAddressPrefix: "*",
            destinationAddressPrefix: "*",
        },
        {
            name: "allow_https",
            priority: 1002,
            direction: "Inbound",
            access: "Allow",
            protocol: "Tcp",
            sourcePortRange: "*",
            destinationPortRange: "443",
            sourceAddressPrefix: "*",
            destinationAddressPrefix: "*",
        },
    ],
});
// Attach the NSG to the subnet so its rules apply to every node NIC in it.
const exampleSubnetNetworkSecurityGroupAssociation = new azure.network.SubnetNetworkSecurityGroupAssociation("example", {
    subnetId: exampleSubnet.id,
    networkSecurityGroupId: exampleNetworkSecurityGroup.id,
});
// AKS cluster whose default node pool is placed in the protected subnet.
const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
    name: "example-aks",
    location: example.location,
    resourceGroupName: example.name,
    dnsPrefix: "exampleaks",
    defaultNodePool: {
        name: "default",
        nodeCount: 1,
        vmSize: "Standard_DS2_v2",
        vnetSubnetId: exampleSubnet.id,
    },
    identity: {
        type: "SystemAssigned",
    },
});
// Stack outputs.
export const resourceGroupName = example.name;
export const aksClusterName = exampleKubernetesCluster.name;

Summary

In this example, we created a Resource Group, a Virtual Network, and a Subnet. We then created an NSG with rules to allow SSH and HTTPS traffic, associated the NSG with the Subnet, and finally deployed an AKS cluster using the Subnet. The outputs indicate the names of the created Resource Group and AKS cluster.
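The rule set above allows SSH from any source, which is usually wider than an AKS node subnet needs. The following TypeScript is an added example, not part of the original answer or of Pulumi's libraries: it models how Azure evaluates inbound NSG rules (user rules first by ascending priority, then the built-in AllowVnetInBound, AllowAzureLoadBalancerInBound and DenyAllInBound defaults) and uses that model to compare the page's rules with a variant whose SSH rule is restricted to an admin range. The VNet address space mirrors the example's 10.0.0.0/16; the admin CIDR 203.0.113.0/24 is a placeholder; the service-tag handling (VirtualNetwork, Internet, AzureLoadBalancer) is a simplification of Azure's real tags. The rule objects use the same field names as the securityRules entries above so they can be pasted into a Pulumi program.

```typescript
// Added example (not from the original page): a minimal model of inbound NSG
// evaluation, used to audit the rule set above and to show a tighter variant.

type Direction = "Inbound" | "Outbound";
type Access = "Allow" | "Deny";
type Protocol = "Tcp" | "Udp" | "Icmp" | "*";

interface SecurityRule {
  name: string;
  priority: number;             // user rules: 100-4096; lower number wins
  direction: Direction;
  access: Access;
  protocol: Protocol;
  sourcePortRange: string;
  destinationPortRange: string; // "22", "443", "30000-32767" or "*"
  sourceAddressPrefix: string;  // CIDR, single IP, "*" or a service tag
  destinationAddressPrefix: string;
}

interface Flow { srcIp: string; dstIp: string; dstPort: number; protocol: "Tcp" | "Udp" | "Icmp"; }

const VNET_CIDR = "10.0.0.0/16";      // assumed: matches the example's address space
const AZURE_LB_IP = "168.63.129.16";  // source of Azure load balancer health probes

const ipToInt = (ip: string): number =>
  ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);

function inCidr(ip: string, cidr: string): boolean {
  const parts = cidr.split("/");
  const bits = parts.length > 1 ? Number(parts[1]) : 32;
  if (bits === 0) return true;
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(parts[0]) & mask) >>> 0);
}

// Simplified service-tag semantics (assumption, not Azure's exact tag contents).
function prefixMatches(ip: string, prefix: string): boolean {
  switch (prefix) {
    case "*": return true;
    case "VirtualNetwork": return inCidr(ip, VNET_CIDR);
    case "AzureLoadBalancer": return ip === AZURE_LB_IP;
    case "Internet": return !inCidr(ip, VNET_CIDR) && ip !== AZURE_LB_IP;
    default: return inCidr(ip, prefix);
  }
}

function portMatches(port: number, range: string): boolean {
  if (range === "*") return true;
  const bounds = range.split("-").map(Number);
  const lo = bounds[0];
  const hi = bounds.length > 1 ? bounds[1] : lo;
  return port >= lo && port <= hi;
}

// Azure appends these default inbound rules to every NSG; they cannot be removed.
const DEFAULT_INBOUND: SecurityRule[] = [
  { name: "AllowVnetInBound", priority: 65000, direction: "Inbound", access: "Allow", protocol: "*",
    sourcePortRange: "*", destinationPortRange: "*", sourceAddressPrefix: "VirtualNetwork", destinationAddressPrefix: "VirtualNetwork" },
  { name: "AllowAzureLoadBalancerInBound", priority: 65001, direction: "Inbound", access: "Allow", protocol: "*",
    sourcePortRange: "*", destinationPortRange: "*", sourceAddressPrefix: "AzureLoadBalancer", destinationAddressPrefix: "*" },
  { name: "DenyAllInBound", priority: 65500, direction: "Inbound", access: "Deny", protocol: "*",
    sourcePortRange: "*", destinationPortRange: "*", sourceAddressPrefix: "*", destinationAddressPrefix: "*" },
];

// First matching rule in ascending priority order decides, as Azure does.
function evaluateInbound(rules: SecurityRule[], flow: Flow): { access: Access; rule: string } {
  const ordered = rules.concat(DEFAULT_INBOUND)
    .filter(r => r.direction === "Inbound")
    .sort((a, b) => a.priority - b.priority);
  for (const r of ordered) {
    if (r.protocol !== "*" && r.protocol !== flow.protocol) continue;
    if (!portMatches(flow.dstPort, r.destinationPortRange)) continue;
    if (!prefixMatches(flow.srcIp, r.sourceAddressPrefix)) continue;
    if (!prefixMatches(flow.dstIp, r.destinationAddressPrefix)) continue;
    return { access: r.access, rule: r.name };
  }
  return { access: "Deny", rule: "DenyAllInBound" }; // unreachable: DenyAllInBound always matches
}

// Audit check: inbound Allow rules that expose management ports to any source.
function findOpenManagementRules(rules: SecurityRule[], mgmtPorts: number[] = [22, 3389]): string[] {
  const anySource = ["*", "Internet", "0.0.0.0/0"];
  return rules
    .filter(r => r.direction === "Inbound" && r.access === "Allow")
    .filter(r => anySource.indexOf(r.sourceAddressPrefix) !== -1)
    .filter(r => mgmtPorts.some(p => portMatches(p, r.destinationPortRange)))
    .map(r => r.name);
}

// Constructed copy of the page's two rules.
const pageRules: SecurityRule[] = [
  { name: "allow_ssh", priority: 1001, direction: "Inbound", access: "Allow", protocol: "Tcp",
    sourcePortRange: "*", destinationPortRange: "22", sourceAddressPrefix: "*", destinationAddressPrefix: "*" },
  { name: "allow_https", priority: 1002, direction: "Inbound", access: "Allow", protocol: "Tcp",
    sourcePortRange: "*", destinationPortRange: "443", sourceAddressPrefix: "*", destinationAddressPrefix: "*" },
];

// Tighter variant: SSH only from an assumed admin range (placeholder CIDR).
const hardenedRules: SecurityRule[] = [
  { ...pageRules[0], name: "allow_ssh_from_admin", sourceAddressPrefix: "203.0.113.0/24" },
  pageRules[1],
];

console.log("open management rules (page):", findOpenManagementRules(pageRules));       // ["allow_ssh"]
console.log("open management rules (hardened):", findOpenManagementRules(hardenedRules)); // []
```

With the hardened rules an SSH attempt from an arbitrary Internet address falls through to DenyAllInBound, an attempt from the admin range is allowed, and node-to-node traffic inside the VNet (for example kubelet on port 10250) is still admitted by AllowVnetInBound, which is why tightening the SSH source does not disturb the cluster's own traffic.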
