Ensure that Azure CNI Networking is enabled

Azure CNI networking for production allows for separation of control and management of resources. From a security perspective, you often want different teams to manage and secure those resources. With Azure CNI networking, you connect to existing Azure resources, on-premises resources, or other services directly via IP addresses assigned to each pod.

Risk Level: Low
Cloud Entity: Azure AKS
CloudGuard Rule ID: D9.AZU.AKS.06
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

AksCluster should have properties.networkProfile.networkPlugin='azure'
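As an added example (not part of the CloudGuard rule or any Microsoft tooling), the following Python evaluates the GSL logic above against cluster records shaped after the path it names, properties.networkProfile.networkPlugin; the records are constructed inline:

```python
import json

# Constructed sample records shaped like ARM resource JSON for AKS clusters
# (only the fields the D9.AZU.AKS.06 check needs are included).
SAMPLE_CLUSTERS_JSON = json.dumps([
    {"name": "prod-aks",
     "properties": {"networkProfile": {"networkPlugin": "azure", "networkPolicy": "azure"}}},
    {"name": "legacy-aks",
     "properties": {"networkProfile": {"networkPlugin": "kubenet"}}},
    {"name": "broken-aks", "properties": {}},          # networkProfile missing entirely
])

REQUIRED_PLUGIN = "azure"  # GSL: properties.networkProfile.networkPlugin='azure'


def network_plugin(cluster):
    """Return properties.networkProfile.networkPlugin, or None when any level is absent."""
    profile = cluster.get("properties", {}).get("networkProfile") or {}
    return profile.get("networkPlugin")


def is_compliant(cluster):
    """A cluster passes only when the plugin is present and equals 'azure' (case-insensitive)."""
    plugin = network_plugin(cluster)
    return plugin is not None and plugin.lower() == REQUIRED_PLUGIN


def evaluate(clusters_json):
    """Evaluate the rule over a JSON array of cluster records.

    Returns {cluster name: 'compliant' | 'non-compliant'}; a missing
    networkProfile counts as a failure rather than an unknown.
    """
    results = {}
    for cluster in json.loads(clusters_json):
        name = cluster.get("name", "<unnamed>")
        results[name] = "compliant" if is_compliant(cluster) else "non-compliant"
    return results


def non_compliant_names(clusters_json):
    """Sorted names of clusters that fail the check (what a finding would list)."""
    return sorted(n for n, s in evaluate(clusters_json).items() if s == "non-compliant")


if __name__ == "__main__":
    for cluster_name, status in evaluate(SAMPLE_CLUSTERS_JSON).items():
        print(f"{cluster_name}: {status}")
```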

REMEDIATION

From Portal

  1. Log in to your Azure portal.
  2. Navigate to 'Kubernetes services'.
  3. Create Kubernetes cluster.
  4. Fill the required details and under the 'Networking' tab select 'Azure CNI' in 'Network configuration'.
  5. Click on 'Review + Create'.

From TF
Set the 'network_profile' block under 'azurerm_kubernetes_cluster' as below (network_profile is a nested block, not an argument, so it takes no '='):

resource "azurerm_kubernetes_cluster" "example" {
	# ... other cluster arguments
	network_profile {
		# ... other network_profile arguments
		network_plugin = "azure"   # Azure CNI: each pod receives an IP from the VNet subnet
		network_policy = "azure"   # Azure network policy; requires network_plugin = "azure"
		# ...
	}
	# ...
}

From Command Line
Run

az aks create --resource-group RESOURCEGROUP --name CLUSTERNAME --network-plugin azure

References

  1. https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni#configure-networking
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#network_plugin

Azure AKS

AKS is an open-source, fully managed container orchestration service on the Microsoft Azure public cloud, generally available since June 2018, that is used to deploy, scale and manage Docker containers and container-based applications in a cluster environment.

Compliance Frameworks

  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • CloudGuard Azure All Rules Ruleset