Featured image

Introduction to AKS Network Policies and Security

Azure Kubernetes Service (AKS) has become a cornerstone for organizations adopting cloud-native, microservices architectures. As Kubernetes clusters grow in complexity and scale, securing pod-to-pod communication becomes critical. Network policies in AKS enable fine-grained control over traffic flow between pods, namespaces, and external IP ranges, helping you enforce security boundaries within your cluster.

This comprehensive guide delves into the practical aspects of AKS network policies, best practices to secure your cluster, and detailed examples to implement effective network segmentation. We focus on using the Azure Portal for straightforward policy creation and management, empowering DevOps engineers and security teams to safeguard their cloud-native environments.

Understanding Kubernetes Network Policies in AKS

Kubernetes network policies define how groups of pods are allowed to communicate with each other and with external endpoints. They operate at the IP address or port level (Layers 3 and 4) and are critical for implementing zero-trust security models in a Kubernetes cluster.

In AKS, network policies rely on a network policy engine such as Azure CNI network policies or Cilium to enforce rules. Without a policy engine installed, network policies exist only as configuration and have no effect on traffic.

Key Concepts

  • Pod Selector: Defines which pods the policy applies to using labels.
  • Namespace Selector: Targets pods in specific namespaces.
  • Ingress and Egress Rules: Control inbound and outbound traffic respectively.
  • Allowed Sources and Destinations: Specify which pods, namespaces, or IP blocks are allowed.

Prerequisites for Working with AKS Network Policies

Before creating or managing network policies in AKS, ensure:

  • Your AKS cluster has a network policy engine installed. This can be verified via the Azure Portal under Networking in your AKS resource.
  • You have appropriate permissions to modify Kubernetes resources in your cluster.

If you do not have a network policy engine enabled, AKS supports enabling Azure CNI network policies or Cilium. Refer to Enable a network policy engine on an AKS cluster for setup instructions.

Creating Network Policies in the Azure Portal: Step-by-Step

Managing network policies through the Azure Portal simplifies the process by providing a GUI that abstracts complex YAML configurations. Here’s how to create a network policy:

1. Navigate to Your AKS Cluster

  • Open the Azure portal and locate your AKS cluster resource.
  • From the service menu, under Kubernetes resources, select Network policies.

2. Define Policy Scope

  • Click + Create > Network policy.
  • Fill in the Name and Namespace fields.
  • Specify a Pod selector to determine which pods the policy will govern. If left blank, all pods in the namespace are affected.

3. Add Policy Rules

  • Click + Add rule to specify ingress or egress traffic controls.
  • Choose the Rule type (Ingress or Egress) and select a Rule preset such as:
    • Allow all
    • Deny all
    • Allow custom traffic

For granular control, select “Allow custom traffic”.

4. Configure Allowed Sources or Destinations

Depending on rule type:

  • Ingress rules: Define allowed sources.
  • Egress rules: Define allowed destinations.

You can choose from:

  • Pods in the same namespace
  • Pods in other namespaces
  • External IP blocks (CIDRs)

Use pod and namespace selectors to precisely target traffic. Avoid using pod IPs directly, as they are ephemeral.

5. Specify Allowed Ports

By default, all ports are allowed. To restrict:

  • Uncheck Allow all ports.
  • Select the protocol (TCP/UDP).
  • Specify port number or range.

Important: Ensure that required Azure and AKS system communications are explicitly allowed, especially when restricting egress.

6. Save and Apply

  • Click Add to finalize the rule.
  • After adding all required rules, save the network policy.

Practical Examples of AKS Network Policies

Example 1: Restrict Ingress to Database Pods

Suppose you have a namespace production with a set of pods labeled app=database. You want to allow ingress traffic only from pods labeled app=backend within the same namespace.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-restrict-ingress
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: backend

This policy ensures that only backend pods can communicate with database pods, tightening security.

Example 2: Allow Egress to External APIs on Specific Ports

For pods in namespace frontend, allow outbound HTTPS traffic (TCP port 443) to an external API IP range 203.0.113.0/24.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-external-api
  namespace: frontend
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 203.0.113.0/24
    ports:
    - protocol: TCP
      port: 443

This policy restricts egress to only the specified external API, improving control over outbound traffic.

Best Practices for AKS Network Policies

  1. Start with Deny-All Defaults: When creating policies, if no ingress rules are specified, all ingress traffic is denied by default. Use this to your advantage by implementing “deny all” and selectively allowing required traffic.

  2. Use Labels Wisely: Apply consistent, meaningful labels to pods and namespaces to simplify selectors and maintain clear policies.

  3. Avoid Pod IPs: Because pod IPs can change, use label selectors instead of IP addresses to identify pods in rules.

  4. Test Policies in Staging: Network policies can inadvertently block critical traffic. Always test in a staging environment before applying in production.

  5. Combine Multiple Policies: Kubernetes network policies are additive. Use multiple policies to segment traffic logically without complex monolithic rules.

  6. Monitor Network Traffic: Use tools like Azure Monitor and Azure Network Watcher to observe traffic patterns and verify enforcement.

  7. Maintain Documentation: Document your network policies alongside application architecture to ease troubleshooting and onboarding.

Managing and Monitoring Network Policies

In the Azure Portal, you can view existing policies under your AKS cluster’s Network policies section. Here you can:

  • Create new policies
  • Edit or delete existing policies
  • View detailed policy configurations

Monitoring enforcement and network traffic is crucial. Azure provides insights through Azure Monitor, and you can integrate with third-party tools for advanced network security analytics.

Common FAQs

What if multiple network policies apply with conflicting rules?

Kubernetes network policies are additive. If any policy allows a traffic flow, it’s permitted. Deny rules are implicit; only traffic allowed by at least one policy is allowed.

Are advanced Cilium network policies supported in the Azure portal?

Currently, the Azure portal supports only standard Kubernetes NetworkPolicy resources (Layer 3 and 4). For advanced Layer 7 policy features, you need to use Cilium CLI or manifests.

Can I create policies without a network policy engine?

Yes, but policies won’t be enforced until a network policy engine is installed on your cluster.

Conclusion

Effective network policy management is fundamental to securing AKS clusters running microservices. Leveraging the Azure Portal simplifies the creation and maintenance of these policies while enabling granular control over pod communication.

By following the detailed procedures and best practices outlined in this guide, you can implement strong security boundaries, minimize attack surfaces, and ensure compliance with organizational policies.

For extended reading and examples, review the Kubernetes Network Policies documentation and Azure’s best practices for AKS network policies.

References

Author: Joseph Perez