Learn AKS network security

Learn how to secure network communication in AKS/Kubernetes cluster

An AKS cluster carries two kinds of traffic. The first is the internal traffic between pods. The second is the ingress and egress traffic between pods and end users or the internet.

What you’ll learn

  • Learn AKS and Kubernetes network best practices.
  • Learn how to securely expose services in Kubernetes.
  • Learn how to secure pod to pod communication.
  • Learn to set up TLS certificates for pods and ingress.

Course Content

  • Kubernetes and AKS architecture –> 1 lecture • 21min.
  • Introduction to Kubernetes –> 9 lectures • 40min.
  • Comparing AKS public and private clusters –> 7 lectures • 23min.
  • Kubernetes CoreDNS –> 2 lectures • 12min.
  • Securing Ingress using TLS/HTTPS –> 5 lectures • 51min.
  • Securing inter-pod communication using TLS –> 2 lectures • 9min.
  • Implementing network policy using Calico –> 9 lectures • 24min.
  • Setting up AKS, ACR and VM in a private virtual network –> 4 lectures • 29min.

Requirements

This course provides the tools and techniques to secure both kinds of traffic, using network policies with Calico, TLS certificates for ingress and pods, and related controls.

Microsoft publishes the following recommendations for securing an AKS cluster; this course goes deeper into each of them with demonstrations.

Recommendation 1: To distribute HTTP or HTTPS traffic to your applications, use ingress resources and controllers. Compared to an Azure load balancer, ingress controllers provide extra features and can be managed as native Kubernetes resources.
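As an added illustration of Recommendation 1 (this manifest is not part of the course material), the following Ingress terminates TLS at the ingress controller and forwards plain HTTP to an internal ClusterIP Service, so the application itself is never exposed with a public load balancer. The namespace `shop`, the host `shop.example.com`, the Service `web`, the ingress class `nginx` and the Secret name `shop-tls` are assumptions chosen for the example.

```yaml
# Added example: expose a ClusterIP Service over HTTPS through an ingress controller.
# Assumed names: namespace "shop", Service "web" on port 80, ingress class "nginx",
# TLS Secret "shop-tls" created beforehand with
#   kubectl create secret tls shop-tls --cert=tls.crt --key=tls.key -n shop
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop-ingress
  namespace: shop
  annotations:
    # ingress-nginx specific: redirect any plain-HTTP request to HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - shop.example.com          # assumed hostname; must match the certificate's SAN
    secretName: shop-tls        # kubernetes.io/tls Secret holding tls.crt and tls.key
  rules:
  - host: shop.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web           # stays type ClusterIP; only the controller is public
            port:
              number: 80
```

Only the ingress controller's own Service needs to be of type LoadBalancer; every application Service behind it can remain ClusterIP, which keeps the cluster's externally reachable surface to a single, TLS-terminating entry point.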


Recommendation 2: To scan incoming traffic for potential attacks, use a web application firewall (WAF) such as Barracuda WAF for Azure or Azure Application Gateway. These more advanced network resources can also route traffic beyond just HTTP and HTTPS connections or basic TLS termination.


Recommendation 3: Use network policies to allow or deny traffic to pods. By default, all traffic is allowed between pods within a cluster. For improved security, define rules that limit pod communication.


Recommendation 4: Don’t expose remote connectivity to your AKS nodes. Create a bastion host, or jump box, in a management virtual network. Use the bastion host to securely route traffic into your AKS cluster for remote management tasks.
