
Posts

Showing posts from 2018

Kubernetes best practices in Azure: AKS name space isolation and AAD integration

Once you have decided to run your workloads in the AKS service in Azure, there are certain best practices to be followed during design and implementation. In this blog we will discuss two of these recommended practices and the practical aspects of their implementation: Azure AD integration and namespace isolation. While AAD helps to authenticate users to your AKS cluster using the existing users and groups in your Azure AD, namespace isolation provides logical isolation of the resources used by them. It is useful in multi-tenant scenarios where the same cluster is being used by different teams/departments to run their workloads. It is also useful for running, say, dev, test and QA environments for an organization in the same cluster. Combining AAD integration with namespaces allows users to log in to their namespace using their Azure AD credentials. AAD integration with AKS: The following Microsoft document will get you started with AAD integration of an AKS cluster: https://docs.microsof

Introducing Azure Firewall

Azure Firewall is the latest addition to the Azure security features portfolio. It was announced in preview last week along with Azure Virtual WAN. Along with other features such as NSG and WAF, Azure Firewall enables additional protection for your applications hosted in Azure. We know that NSG offers network-level (L3) protection and helps in implementing restrictions on incoming and outgoing traffic at the network layer. WAF enables inbound security for web applications at Layer 7. Azure Firewall provides outbound network-layer (L3-L4) and application-level (L7) protection for HTTP and HTTPS traffic. There are two types of rules that can be created in Azure Firewall: application rules and network rules. As the name indicates, a network rule can be used to allow/deny traffic at the network layer by defining the source IP & protocol and the destination IP & protocol. Application rules can be created to allow or restrict outbound traffic to specific FQDNs. If you want to play around with Azu